SA 540 General VPN Question
Going to put down the trusty old PIX 506e and considering replacing it with a SA540. Are there any known VPN configuration 'gotchas' on the SA540 when the ISP-assigned WAN address is static PPPoE?
Hi Bob, trust me on this one...there is no way on this earth you're ever going to see these SA540s even get within a whisper of touching the levels on a 5510 with web VPN, even if they were not the buggy POSs that they are.
I'm going through the same pains...been on many a webinar with the SEs from Cisco talking about how great these SA540s are....but they obviously have no real experience with them. If I were you (and I might as well be, I've been in the exact same boat for a couple of months with some of my clients) I would STRONGLY advise you do not try to use the 540 as a replacement for an ASA....you and your client will be extremely pissed with the results. If your client's needs are large enough to require a 5510, nothing in the SMB space would be an adequate substitute anyway.
As an SMB Select reseller of many years I cannot say how DEEPLY disappointed I am in Cisco right now. Between having firewalls on back order for three months, lack of taking ownership of the many problems, and just plain lying about this product, I'm beginning to question how much longer I can recommend them to my client base.
Right now the best (Cisco-based) option I could recommend is to replace the units with Cisco IOS routers for your web VPN options. Keep in mind, Cisco has recently changed to a licensing model for WebVPN even on the IOS routers...so you'll want to check out that SKU for your quotes.
Similar Messages
-
VPN Question (match interesting traffic)
Dear guys
A vpn question see below text diagram
inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
(IPsec VPN tunnel between ASA-1 and ASA-2; IPsec VPN tunnel between ASA-2 and ASA-3)
We have configured interesting traffic on ASA-2 for both sides.
We can ping the ASA-2 inside network from ASA-3 and from ASA-1, but why can't the ASA-3 inside network access the ASA-1 inside network?
Hi Yun,
Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; you do NOT need a direct tunnel between ASA1 and ASA3.
Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-nat on the inside interface of ASA2.
Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-nat on the inside interface of ASA2.
Step 4: Create a no-nat on ASA2 for the outside interface; this no-nat must include ASA1's inside network segment and ASA3's inside network segment. See the example below.
This is only an example; change it to fit your network segments.
object-group network ASA1-inside
network-object 192.168.100.0 255.255.255.0
object-group network ASA3-inside
network-object 192.168.200.0 255.255.255.0
access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
nat (outside) 0 access-list nonat-outside
Please let me know how this is coming along.
thanks
Rizwan Rafeek -
hello dreamweavers.
I'm a newbie who is going to use Dreamweaver from next week onwards, so I'd like to ask the following:
Should I design the website in Photoshop and then import it into Dreamweaver in order to code it?
Is Dreamweaver flexible from a design point of view, or is it mostly about taking finished designs such as headers, footers, Flash banners,
and then building up the site where things go and such?
Thank you.
Hello Nancy.
It seems like an informative website; I can see it is easy to understand the basics.
On 23 March 2012 at 4:29 AM, Nancy O. <[email protected]> wrote:
Re: general dreamweaver question, created by Nancy O. <http://forums.adobe.com/people/Nancy+O.> in
Dreamweaver - View the full discussion <http://forums.adobe.com/message/4283588#4283588> -
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via the Cisco VPN client (64-bit); I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address assigned to my VPN client from the ASA VPN pool.
The LAN behind the ASA is 192.168.0.0 and the VPN pool for the Cisco VPN client is 192.168.30.0.
I would appreciate some help please.
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#
Well, lots of new features have been hinted at for ASA 9.2, but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-to-site VPN in multiple context mode was added in 9.0(1), and I have customers who have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month. -
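Before chasing the reachability question in a config dump like the one above, a reviewer would lint it. The Python script below is an added example, not code from the thread or from Cisco: it runs over a constructed excerpt written in the style of the posted 7.2 config (same object names, pool and NAT-exemption ACL) and reports the things that stand out in that config: whether the remote-access pool is covered by the inside NAT-exemption ACL, telnet and the default SNMP community being enabled, 3DES and DH group 2 in the IKE policy, and user accounts bound to group policies (TUNNEL1 and PAPAGROUP in the post) that the config never defines. The sample config, the alias names and the findings format are assumptions of the example.

```python
import ipaddress
import re

# Constructed excerpt in the style of the ASA 7.2 config posted above (same
# names, pool and NAT-exemption ACL); it is sample input for this example, not
# the poster's file.
SAMPLE_CONFIG = """\
name 192.168.0.11 EXCHANGE
name 192.168.30.0 VPN_POOL2
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
snmp-server host inside 192.168.0.16 community public
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 encryption 3des
 group 2
telnet 192.168.0.0 255.255.255.0 inside
group-policy customerVPN internal
username alice attributes
 vpn-group-policy TUNNEL1
username bob attributes
 vpn-group-policy customerVPN
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_names(lines):
    """Collect 'name <ip> <alias>' entries so aliases in ACLs resolve to addresses."""
    names = {}
    for line in lines:
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_acls(lines, names):
    """Map ACL name -> list of (src_net, dst_net) for its 'permit ip' entries."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            src = ipaddress.ip_network(f"{names.get(m.group(2), m.group(2))}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(m.group(4), m.group(4))}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def audit(config_text):
    """Return a list of human-readable findings for the config text."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    names = parse_names(lines)
    acls = parse_acls(lines, names)
    findings = []

    # 1. Each remote-access pool must be covered by the inside NAT-exemption ACL;
    #    otherwise LAN<->client traffic is translated like Internet traffic.
    nat0_acl = next((m.group(1) for m in (re.match(r"nat \(inside\) 0 access-list (\S+)", l) for l in lines) if m), None)
    exempt_dsts = [dst for _, dst in acls.get(nat0_acl, [])]
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            if not any(first in net and last in net for net in exempt_dsts):
                findings.append(f"pool {m.group(1)} ({first}-{last}) not covered by NAT exemption ACL {nat0_acl}")

    for line in lines:
        # 2. Cleartext management and default SNMP community strings.
        if line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"telnet enabled: '{line}'")
        if re.match(r"snmp-server .*community (public|private)$", line):
            findings.append(f"default SNMP community: '{line}'")
        # 3. Legacy IKE/IPsec algorithms in the ISAKMP policy or transform sets.
        if line in ("encryption des", "encryption 3des", "hash md5", "group 1", "group 2") or (
            line.startswith("crypto ipsec transform-set") and re.search(r"esp-(des|3des|md5-hmac)\b", line)
        ):
            findings.append(f"legacy algorithm: '{line}'")

    # 4. Users bound to group policies the config never defines (the posted
    #    config references TUNNEL1 and PAPAGROUP this way).
    defined = {m.group(1) for m in (re.match(r"group-policy (\S+) (internal|external)", l) for l in lines) if m}
    for line in lines:
        m = re.match(r"vpn-group-policy (\S+)", line)
        if m and m.group(1) not in defined and m.group(1) != "DfltGrpPolicy":
            findings.append(f"vpn-group-policy {m.group(1)} referenced but never defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full `show running-config`. The pool check is the one that bears on the LAN-to-client question, since a pool left out of the `nat 0` ACL is translated on its way to the LAN; in the posted config the pool is exempted, so that check passes and the usual next suspect is the host firewall on the VPN client itself.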
Some Site to Site VPN questions
When you have an ASA-to-ASA site-to-site VPN, you do have to configure the routes you want to traverse the tunnel in the routing table with a gateway of the device on the other side, correct?
Also, does each side have to match the exact subnets within the crypto domain? For instance, if I have defined two subnets, 10.10.10.0/24 and 10.100.100.0/24, the other side should have those exact subnets, not just 10.0.0.0/8, correct? If that makes sense?
Hi,
When we consider routing and L2L VPN connections, we can generally presume that they are built through the interface that has the default route. We can also presume that you are not configuring an L2L VPN for a remote network that overlaps with your LAN networks. Considering both of these, any network that is not in your local network will naturally follow the default route when the ASA decides where to forward the traffic.
So generally you won't need to manually configure any additional routes on the ASA for remote VPN networks. VPN client connections add routes automatically for the VPN pool IP assigned to the VPN client user. On L2L VPN connections you can configure the ASA to add routes based on the L2L VPN connection's ACL, which defines the local and remote networks. In this case you will have to add the following configuration for a given L2L VPN connection:
crypto map set reverse-route
This will add a route to the ASA's routing table, though it won't show in the "route" configuration on the ASA.
With regard to your question about the local/remote subnets, I actually have to say that I am not 100% sure. To my understanding your ACL can have lines/rules that don't match the other side, but the ACL does have to have matching local/remote subnets. Any extra lines in the ACL, to my understanding, don't matter, as long as there is a match between the VPN peers.
I have personally never had the need to make very broad local/remote network definitions for an L2L VPN. I have always preferred being as specific as I can. Naturally a very large environment might dictate another approach, but I have not run into anything like that myself.
- Jouni -
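The two L2L questions above (the ASA-1/ASA-2/ASA-3 hub-and-spoke crypto ACLs, and whether a /8 on one side can stand in for two /24s on the other) both come down to the same check: every local/remote pair in one peer's crypto ACL must appear swapped in the other peer's ACL. The Python script below is an added example, not code from either thread or from Cisco. It parses ASA `access-list ... extended permit ip` lines into network pairs and reports entries that have no mirror or that only overlap (the supernet case), on constructed ACLs: the hub-and-spoke set uses the spoke networks from the earlier answer plus an assumed hub LAN of 192.168.50.0/24, and the second set reproduces the /24-versus-/8 question. ACL names, the hub LAN and the message format are assumptions. One caveat the hub-and-spoke answer leaves out: on the hub, traffic that enters and leaves the same outside interface also needs `same-security-traffic permit intra-interface`.

```python
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

# Constructed crypto ACLs written in the style of the posts above. The hub LAN
# 192.168.50.0/24 and all ACL names are assumptions of this example.
ASA1_CFG = """\
access-list to-hub extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list to-hub extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
ASA2_CFG = """\
access-list to-asa1 extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list to-asa1 extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list to-asa3 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list to-asa3 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
SITE_X_CFG = """\
access-list to-y extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to-y extended permit ip 10.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
SITE_Y_CFG = """\
access-list to-x extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
"""


def crypto_pairs(config_text, acl_name):
    """Return the (local, remote) network pairs a crypto ACL protects."""
    pairs = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            local = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            remote = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.append((local, remote))
    return pairs


def _one_way(src, dst, src_name, dst_name):
    """Problems for every entry of src that dst does not mirror exactly."""
    problems = []
    mirror = {(remote, local) for local, remote in dst}
    for local, remote in src:
        if (local, remote) in mirror:
            continue
        # Overlapping-but-not-equal is the interesting case: one side proposes a
        # proxy identity the other side only partially agrees with.
        near = [(l, r) for l, r in dst if l.overlaps(remote) and r.overlaps(local)]
        if near:
            l, r = near[0]
            problems.append(f"{src_name}: {local} -> {remote} not mirrored exactly on {dst_name} (it has {l} -> {r})")
        else:
            problems.append(f"{src_name}: {local} -> {remote} has no counterpart on {dst_name}")
    return problems


def check_mirror(side_a, side_b, name_a="A", name_b="B"):
    """Compare two peers' crypto ACLs; an empty list means they mirror exactly."""
    return _one_way(side_a, side_b, name_a, name_b) + _one_way(side_b, side_a, name_b, name_a)


if __name__ == "__main__":
    print(check_mirror(crypto_pairs(ASA1_CFG, "to-hub"), crypto_pairs(ASA2_CFG, "to-asa1"), "ASA1", "ASA2"))
    for problem in check_mirror(crypto_pairs(SITE_X_CFG, "to-y"), crypto_pairs(SITE_Y_CFG, "to-x"), "X", "Y"):
        print(problem)
```

The hub-and-spoke pair comes back clean; the /24-versus-/8 pair reports three "not mirrored exactly" entries, which is the configuration the second question asks about. Feed it the `match address` ACL from each peer's `show running-config` and fix every line it reports before looking anywhere else.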
ASA 5520 site-to-site VPN question
Hello,
We have a Cisco ASA 5520 running 8.2(1) connected to a Cisco RVS4000 router via an IPsec site-to-site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
After doing some research, I came across this command:
sysopt connection permit-vpn
I haven't tried entering the command yet, but was wondering if this is something I can try initially to see if it resolves the problem.
Thanks,
John
What are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site-to-site VPN examples if it helps.
hostname cisco
domain-name cisco.com
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/2
nameif backup
security-level 0
no ip address
interface Ethernet0/3
nameif outsidetwo
security-level 0
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.255.255.0
access-list split standard permit 10.90.238.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered errors
logging trap notifications
logging asdm informational
logging class vpn buffered debugging
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu outsidetwo 1500
mtu management 1500
ip local pool vpnpool 10.0.10.100-10.0.10.200
ip audit name Inbound-Attack attack action alarm drop
ip audit name Inbound-Info info action alarm
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address XXX
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address XXX2
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set transform-set myset
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address XXX3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
crypto map outside_map 3 set transform-set myset
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXXgroup internal
group-policy XXXgroup attributes
dns-server value XXX.XXX.XXX.XXX
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
username XXX24 password XXXX encrypted privilege 15
username admin password XXXX encrypted
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup general-attributes
address-pool vpnpool
default-group-policy rccgroup
tunnel-group XXXgroup ipsec-attributes
pre-shared-key XXXXXXXXXX
isakmp ikev1-user-authentication none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily -
Dual ISP on ASA VPN question.
Hi all.
My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP on the ASA 5520?
Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online on the backup ISP?
Config:
crypto isakmp enable outside
crypto isakmp enable backup
tunnel-group 200.200.2.1 type ipsec-l2l
tunnel-group 200.200.2.1 ipsec-attributes
pre-shared-key CISCO
tunnel-group 200.200.1.1 type ipsec-l2l
tunnel-group 200.200.1.1 ipsec-attributes
pre-shared-key CISCO
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN 10 match address VLAN121_TO_VLAN23
crypto map VPN 10 set peer 200.200.1.1
crypto map VPN 10 set transform-set 3DES_MD5
crypto map VPN 20 match address VLAN121_TO_VLAN23
crypto map VPN 20 set peer 200.200.2.1
crypto map VPN 20 set transform-set 3DES_MD5
! Apply crypto-map and enable VPN traffic to bypass ACLs
crypto map VPN interface outside
crypto map VPN interface backup
sysopt connection permit-vpn
Thank you.
We are not able to make a loopback on the ASA.
The routing with SLA is working fine; the problem is that when the local network goes to the remote network it always tries the first tunnel, which was set up for the first ISP IP address. -
Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet
Dear community,
quite frequently I am now receiving the following error message in my ASA 5502's log:
Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
The VPN clients (in the last case a Linux vpnc) disconnect with the message
vpnc[7736]: connection terminated by dead peer detection
The ASA reports for that <some_ip> at around the same time:
Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
A Google search did not reveal any explanation for the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message, so my questions would be
1) What does the message mean exactly? I know runts as an L2 problem, so I'd suppose it means the same: the ISAKMP packet is somehow
crippled (I'd suppose this happens during rekeying)?
2) Any idea where to look for the cause of this?
WAN related (however I'd assume not; why does this happen at such regular intervals as shown above)?
Software related (vpnc bug)?
Thanks in advance for any pointer...
Joachim
Yes. You need to eliminate the things I've said to eliminate with the other side. Ensure your configs are matching exactly. They probably are, whatever, just make sure of it because it's easy. You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
The more info you can have with just one person responsible, the better. What I mean by that is that it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
If you're seeing them come in his interface and never come back out, you know where to look.
Set your caps to a single host to single host if need be, and generate traffic accordingly.
You need to narrow down where NOT to look so that you know where TO look. I would say then, and only then, do you get the ISP involved. Once you're sure the problem exists between his edge device and your edge device.
I do exactly this for a living on a daily basis...day after day after day. I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions. I always start the exact same way...from the very bottom. -
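The first thing to settle about the runt messages, before packet captures or the ISP, is whether they are actually correlated with the disconnects. The script below is an added example (not from the thread or from Cisco) that runs over constructed log lines modelled on the two message formats quoted in the question: it records each %ASA-4-713903 runt event per source address and, for every %ASA-4-113019 session disconnect, counts how many runts that address produced in the preceding window. Hostname, addresses, timings, the 60-second window and the two-runt threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines modelled on the two message formats quoted in the
# question; hostname, addresses and timings are invented for this example.
SAMPLE_LOG = """\
Oct 17 12:52:17 fw01 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.10:4500
Oct 17 12:52:22 fw01 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.10:4500
Oct 17 12:52:27 fw01 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.10:4500
Oct 17 12:52:32 fw01 %ASA-4-113019: Group = blah, Username = johndoe, IP = 203.0.113.10, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
Oct 17 13:05:01 fw01 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.7:4500
Oct 17 13:40:10 fw01 %ASA-4-113019: Group = blah, Username = jane, IP = 198.51.100.7, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:12m:03s, Bytes xmt: 100, Bytes rcv: 200, Reason: Idle Timeout
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
RUNT_RE = re.compile(TS + r" \S+ %ASA-4-713903: .* from (\d+\.\d+\.\d+\.\d+):\d+")
DISC_RE = re.compile(TS + r" \S+ %ASA-4-113019: .*?Username = (\S+), IP = (\d+\.\d+\.\d+\.\d+), .*Reason: (.+)$")


def parse_ts(text):
    # Syslog timestamps carry no year; that is fine for deltas within one capture.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def correlate(log_text, window=timedelta(seconds=60), min_runts=2):
    """For each session disconnect, count the runt-ISAKMP events the same peer
    address produced in the preceding window. Returns one dict per disconnect
    that had at least min_runts such events."""
    runts = {}  # peer address -> timestamps of its runt events
    hits = []
    for line in log_text.splitlines():
        m = RUNT_RE.match(line)
        if m:
            runts.setdefault(m.group(2), []).append(parse_ts(m.group(1)))
            continue
        m = DISC_RE.match(line)
        if m:
            t, user, ip, reason = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
            recent = [r for r in runts.get(ip, []) if t - window <= r <= t]
            if len(recent) >= min_runts:
                hits.append({
                    "user": user, "ip": ip, "reason": reason, "runts": len(recent),
                    "seconds_since_last_runt": (t - max(recent)).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit)
```

In the sample, johndoe's disconnect follows three runts from his address within 15 seconds and is reported; jane's single runt 35 minutes earlier is not. If a real log shows the same pattern for every drop, the runts and the dead-peer-detection timeouts share a cause and the captures on UDP/4500 at both ends are where to look next.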
We've been asked some general questions by our agents that I have been unable to find answers for, (although 4 and 5 are likely working as designed). We are running IPCC Express 7.0(1)SR05_Build504 and these are all phone agents. We do not run the agent desktop client. Any assistance in answering these questions would be greatly appreciated.
1. TransfertoVM softkey "grayed out" while on a CSQ call. Can it be enabled?
2. While logged in to a CSQ, is there a way to start dialing prior to lifting the receiver?
3. Is it possible to handle more than one CSQ call at a time, e.g. put a call on hold and answer another CSQ call?
4. Upon selecting Agent Login (single-button login), can the agent automatically be put into Ready?
5. Upon Logout, can the phone be returned to the main screen, rather than getting the manual agent login screen?
Again, any assistance in answering these questions would be greatly appreciated.
Thanks,
Roger
Hi
1) Isn't that an IPMA softkey? Never tried it, but whilst it's not in the 'unsupported' list, I wouldn't expect using any IPMA features in conjunction with CAD would get you good results. If it doesn't cause you stuck/ghost calls, I would expect erroneous reports...
2) Being logged into a CSQ doesn't affect the way the phone works.
- You can dial the number then either lift the handset or hit dial (for speakerphone)
- You can press speakerphone or headset then dial
I guess what you are referring to is if you are using the IP Phone Agent in conjunction with a headset? If you are, then the IPPA usually obscures the 'new call' and 'end call' softkeys that you might use if you leave the headset button lit. I guess this isn't the case, as you refer to lifting the receiver? Unless you have motorized lifters.. If that's what you have, you can try getting users to either :
- Manage their onhook/offhook state using the headset key as if it was the speakerphone key (i.e. press it to hang up or pickup)
- Use a headset/phone combination that supports HHC
- Switch to CAD, or CAD-BE if you can't install PC software for some reason.
3) No. The system is designed specifically so that this should never happen.
4) No.
5) Again, no... you can't customize the BIPPA service... If you use CAD or CAD-BE this wouldn't be an issue.
Regards
Aaron
Please rate helpful posts... -
Workflow and General Use Questions
Hello,
I'll apologize right off the bat for these novice question because I'm sure the information is probably somewhere in the forum, I just haven't been able to find it. I just purchased Aperture after completing the demo as my library is getting too large to manage using standard file folders. I'm now trying to figure out the best practices for workflow and general use before I invest some serious time into importing and keywording all my pictures.
1) Store files in their current location, or in the Aperture Library? It seems to me that once they are moved to the Aperture library, you can only access them from within Aperture. I'm thinking I would be better off leaving them in their current location. For one, if I want to quickly grab a picture as an attachment to an email or something it seems easier to grab it from the standard folders. Second (and more important) I do not have room to keep all my pictures on my MacBook, thus most of them are stored on the Time Capsule.
So... Keeping photos in their current location appears to be the best choice for me even though it adds an additional step every time I bring in new photos from my camera. Does this sound right?
2) Is there a way to mark the photos that I have uploaded to my website (Smugmug)? Ideally, I would like to badge photos that have already been uploaded so I can quickly recognize them and ensure I'm not duplicating. I've considered using the rating, or keywords to indicate that a photo has been uploaded but both methods have disadvantages.
3) Any suggestions for general workflow and organization resources (tutorials, books, websites, etc.)? I've looked at the videos on Apple's site but they obviously didn't get that detailed.
Thanks for the help, sorry for the length.
I recommend Managing by Reference with Master image files stored on external hard drives (note that Aperture defaults to a Managed-Library configuration rather than a Referenced-Masters Library). This is especially important for iMacs and laptops with a single internal drive. The workflow described below, from an earlier post of mine, uses a Referenced-Masters Library.
I feel pretty strongly that card-to-Aperture or camera-to-Aperture handling of original images puts originals at unnecessary risk. I suggest this workflow, first using the Finder (not Aperture) to copy images from CF card to computer hard drive:
• Remove the memory card from the camera and insert it into a memory card reader. Faster readers and faster cards are preferable.
• Finder-copy images from memory card to a labeled folder on the intended permanent Masters location hard drive.
• Eject memory card.
• Burn backup hard drive or DVD copies of the original images (optional but strongly recommended backup step).
• Eject backup hard drive(s) or DVDs.
• From within Aperture, import images from the hard drive folder into Aperture selecting "Store files in their current location." This is called "referenced images." During import is the best time to also add keywords, but that is another discussion.
• Review pix for completeness (e.g. a 500-pic shoot has 500 valid images showing in Aperture).
• Reformat memory card in camera, and archive originals off site on hard drives and/or on DVDs.
Note that the "eject" steps above are important in order to avoid mistakenly working on removable media/backups.
Also note with a Referenced-Masters Library that use of the "Vault" backup routine backs up the Library only, not the Masters. Masters should be separately backed up, IMO a good thing from a workflow and data security standpoint.
Max out RAM in your MB and keep the internal drive less than 70% full.
Good luck!
-Allen Wicks -
General BADi question:Call BADi in background job/batch input. Possible?
Hi out there,
i'm using thoe following BADi: /SAPSLL/CTRL_SD0C_R3 (Global Trade Service).
But also, this question is a general question.
If we are calling on screen the transaction VF01, the BADi is called correctly.
But unfortunately it seems that the BADi is NOT called (I'm not really sure, because I can't debug the background task) when we are calling a batch input sequence, e.g. with form bdc_transaction VF01 nothing happens.
Maybe BADi cannot be called in a background task? If it's possible, how could it be monitored? There is no spool entry or anything like that!
Any answer can help.
Thank you in advance!
Regards,
Timo
Edited by: Timo Ehl on Apr 14, 2009 7:27 PM
Hi,
generally BADIs are called in background mode. You can use the following trick to debug your BADI. You just need to create an infinite loop in your BADI implementation. Something like this.
" Debugging hook only: the loop never ends until a debugger attached via SM50 changes l_a.
" Remove it again before the implementation goes productive.
DATA: l_a TYPE c.
WHILE l_a IS INITIAL.
ENDWHILE.
Obviously when your BADI is called in background mode then the program will get into the infinite loop. You can easily connect to and debug running programs from transaction SM50. You need to select your background process and go to Program/Session -> Program -> Debugging. You will jump directly into your BADI method with the infinite loop. Then you just set a value for l_a and you will start debugging your BADI. If you cannot find any process then your BADI is not called in background mode.
Cheers -
Hi
I have a general OOP design question, and am wondering if someone could relate an answer to the following design?
I have a class called MediaFolderImport(); - it's designed to build a window with various editing tools in it.
Within its constructor, I'm calling a bunch of functions to build the window...
createTitle();
createInstructions();
createToolPanel();
createDataGrid ();
createOpen();
createSave();
In my document class, I instantiate it...
public var File_Folder_Import:MediaFolderImport=new MediaFolderImport();
and then...
addChild(File_Folder_Import);
Voila! - the window appears. I WAS very proud of myself.
Now I want to access something inside the window. Specifically, there's a radio button that was created in createToolPanel(); - I want to update it to be selected or not selected when I receive the user's preference from an xml settings file at start up (xml is loaded into the doc class).
General question:
What is the best practice, smart way to have designed this?
- call createToolPanel(); from the doc class instead of within MediaFolderImport();, and somehow (magically) have access to the radio button?
- leave the design as is, but add some sort of listener within MediaFolderImport that listens for changes to the xml in the doc class, and updates accordingly?
- do it the way I'm trying to, ie try to access the radio button directly from the doc class (which isn't working):
File_Folder_Import.myRadioButton.selected = true;
- a better way someone can briefly explain the concept of?
Another way to explain my design is...
- a bunch of different windows, each created by a different class
- xml file loads preferences, which need to be applied to different tools (radio buttons, check boxes, text fields etc) in the different windows
I read a lot of posts that talk about how public vars are mostly bad practice. So if you are making your class vars private, what is the best way to do the kind of inter-class communicating I'm talking about here?
I think someone throwing light on this will help me solidify my understanding of OOP.
Thank you for your time and help.
You're already very used to using properties for the built-in AS classes and that's the best practice means of configuring your class. It's a "state" that you want to simply expose. The get/set method moccamaximum mentioned is the ideal route.
The main reason you want to use get/set functions is validation. You want your class to act properly if you send an invalid value. Especially if anyone else besides yourself is going to use the class. Plan for the worst.
The general concept is, make a private variable for any 'state' you want to remember using an underscore in the variable name to easily identify it as a private var, then make get/set functions with the same name with any required validation without the underscore.
e.g.
package {
    public class MyClass {
        // property called 'mode' to track something with an int
        private var _mode:int = 0;

        public function MyClass() {} // empty constructor

        // get (type enforced); returns the private backing field, not the property itself
        public function get mode():int { return _mode; }

        // set, requiring a value; must carry the same name as the getter
        public function set mode(modeVal:int):void {
            // if no value is sent, ignore
            // (an int can never be null in AS3, so this check also ignores an explicit 0)
            if (!modeVal) { return; }
            _mode = modeVal;
        }
    }
}
Your validation will go a long way to easily debugging your classes as they grow in size. Eventually they should throw exceptions and errors if they're not valid. Then you will be following best practice. Do note that if your validation requires quite a bit of logic it's common to upgrade the property to a public method. get/set should be reserved for simple properties. -
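The validated get/set pattern from the reply, applied to the poster's actual problem (pushing preferences loaded from a settings file into a window object), as an added example in JavaScript rather than ActionScript 3; it is not code from the thread. The class name, the property names, their valid ranges and the settings object stand in for the poster's MediaFolderImport window, its radio button and the parsed XML, and are all assumptions.

```javascript
// Added example (not from the original thread): private state behind validating
// accessors, plus a document-class helper that applies loaded preferences.
// MediaFolderImport, mode, autoSelect and the 0..3 range are hypothetical.
class MediaFolderImport {
  #mode = 0;            // int-valued setting, assumed valid range 0..3
  #autoSelect = false;  // stands in for the radio button's selected state

  get mode() { return this.#mode; }
  set mode(value) {
    // Reject anything that is not an integer in range. Unlike a `!value`
    // check, this still accepts 0 as a legal value.
    if (!Number.isInteger(value) || value < 0 || value > 3) {
      throw new RangeError(`mode must be an integer 0..3, got ${String(value)}`);
    }
    this.#mode = value;
  }

  get autoSelect() { return this.#autoSelect; }
  set autoSelect(value) {
    // Settings files often hand back strings; insist on a real boolean.
    if (typeof value !== "boolean") {
      throw new TypeError(`autoSelect must be boolean, got ${typeof value}`);
    }
    this.#autoSelect = value;
  }
}

// Allow-list of settings keys the document class may push into the window.
// Keys not listed never reach a property, so a stray or tampered entry in the
// settings file cannot set something the window did not intend to expose.
const ALLOWED_SETTINGS = new Set(["mode", "autoSelect"]);

// Apply preferences (already parsed from XML into a plain object) to the
// window. Returns what was applied and what was rejected rather than failing
// silently, so start-up problems are visible.
function applySettings(importWindow, settings) {
  const applied = [];
  const rejected = [];
  for (const [key, value] of Object.entries(settings)) {
    if (!ALLOWED_SETTINGS.has(key)) { rejected.push(key); continue; }
    try {
      importWindow[key] = value;  // runs the validating setter
      applied.push(key);
    } catch (err) {
      rejected.push(key);         // invalid value: leave the default in place
    }
  }
  return { applied, rejected };
}
```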
General Eclipse Question (Not a NetBeans vs Eclipse Thread!)
I am going to play around with Vaadin, and I am going to use Eclipse and the Vaadin plugin for this play.
In reading the Book of Vaadin, the author actually recommend downloading Eclipse, unZIPping it, and running it from that unZIPped archive instead of "installing" it. The author mentions more control and less aggravation in the long run.
Now, I don't use Eclipse much at all (I use NetBeans usually). What I have done in the past with BOTH NetBeans and Eclipse is:
1) Install from repo, run as my account for work, run as root to do updates and install plugins.
2) Install from repo, run as my account for work AND plugin installs/updates.
I prefer #2 as it's less of an issue to just "blow away" all the plugins and start again if I need to.
My bottom-line question is: "Does running Eclipse from my 'local' /home/xxx without actually 'installing' it really make that much difference compared to #2 above?"
I'm hoping someone that has more experience with this can render an opinion. Also, if any of you have experience with Vaadin, do you have any tips for a noob?!?
One consideration with running Eclipse from a local unzipped install is being able to create multiple instances, each with a different mix of plugins. I keep three core versions going for Java, Python, and Android development. I've found some plugins do not always play well with others in Eclipse. At least that was my experience with Ganymede and Helios. My Java instance is loaded up with a bunch of enterprise junk, like JBoss Drools and Spring plugins, so it can sometimes get bogged down at start up when connecting to remote resources over VPN.
I've found that limiting the number of plugins I keep in any instance I use is helpful in keeping it stable. Note that you'll also need separate workspaces for each instance. Also, to keep your sanity, tarball a backup before installing or updating any plugins. Probably not for everyone, but it works for me. -
Best Font for Subtitles? and other General Subtitling questions?
I've never had to use subtitles, until my current project, so I am looking for some general advice and suggestions.
I will be using PPCS3 (on XPpro) as the subtitles (as in the kind that translate a foreign language) will be permanent.
So here are my questions:
1. What is the best font and or what is the most standard font for subtitles? (Font size and other characteristics may be worth mentioning here too.)
2. Is it possible to have an outline around the text as opposed to shadow?
3. What are some general rules of thumb for subtitles that apply to broadcast and cinematic productions?
Thank you.
See also:
FAQ: Why are my titles blurry/wrong?
Cheers
Eddie
Writing games for US wireless carriers - general newbie question
I am a newbie to kvm and j2me so excuse me if these questions are very basic or if I'm asking the wrong questions.
I have been asked to quickly research writing games in java for US wireless carriers. Ideally I'd like to pick a carrier (e.g. Verizonwireless) and find out more about writing for them. How should I go about researching this?
My research so far has found:
General j2me info:
I did some initial searching in the forum and found that the following link will give me a basic guide to j2me:
http://access1.sun.com/SRDs/access1_srds.html.
If I look at the documentation for -
- Java 2 Micro Edition (J2ME)
- Mobile Information Device Profile 1.0.1 (MIDP)
Is this still the best place to look at online?
Specific wireless carrier info:
I had no luck finding where I should look for information on specific
wireless carriers. Any suggestions? Also am I approaching this the right way or should I be looking at the specific java enabled mobile phones rather than the wireless carrier? Or is it a combination of the two?
Thanks for any help.
If the games are going to be networked then you should find out what type of network the carrier has (TDMA, CDMA, GSM with or without GPRS, etc., what bandwidths... WAP or i-mode). Regardless, you should also be concerned with what phones are available on the carrier and what their Java support is.
shmoove