Secure login client is not working in VPN
Hi,
We have a scenario where users connect to the office network through VPN and access SSO. When users connect through VPN, they are not able to log in to SLC and hence do not receive the X.509 user certificate. The following error is shown when they try to log in to SLC.
"There are currently no logon servers available to service the logon request"
But the same SLC works when users connect directly (e.g. LAN or Wi-Fi) to the network.
We have enabled the Secure Login Client trace and found the errors below in the trace when the user is connected through VPN.
SLC trace file
[2014.04.23 14:23:24.531][ERROR][sbus.exe ][BASE ][ 6060] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' failed (user name is [email protected])
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/[email protected]' failed (user name is [email protected])
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
[2014.04.23 14:28:38.171][TRACE][sbus.exe ][sbusslogin.d][ 6056] { CSecureLogin_Protocol_2_0::Send_DeleteSession
Can anyone suggest how to fix this issue?
Regards,
Yogesh Kumar D
Hello,
Which kind of VPN do you use?
Does this guarantee full network access to the domain servers?
Is the VPN network IPv4 or IPv6 based?
Thanks for the information.
Best regards,
Alexander Gimbel
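The trace in the question repeats one pattern per service principal: a failed ticket request followed by an NTSTATUS line. As an added example (not part of the original posts and not SAP code), the parser below groups those failures by SPN from an excerpt of the trace above. It assumes the "algorithm" numbers are Kerberos encryption type numbers; the function names and verdict strings are hypothetical.

```python
import re
from collections import Counter, defaultdict

# One SLC trace line as shown in the post:
# [timestamp][LEVEL][process][component][thread id] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<proc>[^\]]+)\]"
    r"\[(?P<comp>[^\]]+)\]\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$"
)
TICKET_RE = re.compile(
    r"Getting kerberos ticket for '(?P<spn>[^']+)' "
    r"with algorithm (?P<alg>\d+) returned error"
)
STATUS_RE = re.compile(r"^\d+/(?P<code>[0-9A-Fa-f]{8})\s+(?P<text>.*)$")
ERROR_RE = re.compile(r"ERROR\((?P<code>0x[0-9A-Fa-f]+)\) in (?P<where>[\w>-]+)\(\):")

# Assumption: "algorithm" is the Kerberos encryption type number (IANA registry).
ETYPES = {3: "des-cbc-md5", 23: "rc4-hmac"}
# NTSTATUS 0xC000005E is STATUS_NO_LOGON_SERVERS.
NTSTATUS = {"C000005E": "STATUS_NO_LOGON_SERVERS"}

# Hypothetical verdicts with the check each one points to.
HINTS = {
    "no-dc-reachable": "Every ticket request failed with STATUS_NO_LOGON_SERVERS: "
                       "verify that the VPN gives the client DNS resolution of, "
                       "and a route to, the domain controllers.",
    "mixed-errors": "Ticket requests failed with differing status codes; "
                    "review each SPN separately.",
    "no-kerberos-failure": "No failed Kerberos ticket request found in the trace.",
}

# Excerpt of the trace quoted in the question above.
SAMPLE = """\
[2014.04.23 14:23:24.531][ERROR][sbus.exe ][BASE ][ 6060] ERROR(0xA0100017) in CRYPT->sec_crypt_cipher_get_cipher_len(): An attribute is missing
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 23 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] Getting kerberos ticket for 'HTTP/ssodev' with algorithm 3 returned error
[2014.04.23 14:23:39.578][WARN ][sbus.exe ][Kerberos ][ 6056] 0/C000005E There are currently no logon servers available to service the logon request.
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_clientGetTicket(): No Kerberos ticket for the requested service
[2014.04.23 14:23:39.578][ERROR][sbus.exe ][Kerberos ][ 6056] ERROR(0xA2600202) in KERBEROS->sec_kerberos_spnego_CreateToken(): No Kerberos ticket for the requested service
"""


def parse_trace(text):
    """Yield one dict per well-formed trace line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield {k: v.strip() for k, v in m.groupdict().items()}


def kerberos_failures(text):
    """Map SPN -> [(algorithm, NTSTATUS code)] for every failed ticket request.

    A request line is paired with the next status line on the same thread id,
    so interleaved output from other threads does not mix up the pairs.
    """
    pending = {}                  # thread id -> (spn, algorithm) awaiting its status
    failures = defaultdict(list)
    for rec in parse_trace(text):
        if rec["comp"] != "Kerberos":
            continue
        req = TICKET_RE.search(rec["msg"])
        if req:
            pending[rec["tid"]] = (req["spn"], int(req["alg"]))
            continue
        status = STATUS_RE.match(rec["msg"])
        if status and rec["tid"] in pending:
            spn, alg = pending.pop(rec["tid"])
            failures[spn].append((alg, status["code"].upper()))
    return dict(failures)


def slc_errors(text):
    """Count the 0x... error codes reported on ERROR-level lines."""
    codes = Counter()
    for rec in parse_trace(text):
        m = ERROR_RE.search(rec["msg"])
        if rec["level"] == "ERROR" and m:
            codes[m["code"]] += 1
    return codes


def triage(text):
    """Return a verdict key from HINTS based on the status codes seen."""
    codes = {c for attempts in kerberos_failures(text).values() for _, c in attempts}
    if codes == {"C000005E"}:
        return "no-dc-reachable"
    return "mixed-errors" if codes else "no-kerberos-failure"


if __name__ == "__main__":
    for spn, attempts in kerberos_failures(SAMPLE).items():
        for alg, code in attempts:
            print(spn, ETYPES.get(alg, alg), NTSTATUS.get(code, code))
    print(dict(slc_errors(SAMPLE)))
    print(HINTS[triage(SAMPLE)])
```

Run against a trace taken on the LAN and one taken over the VPN, the difference in verdicts separates a reachability problem from a client configuration problem.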
Similar Messages
-
Hi All,
We have a project to implement NW SSO for NWBC for HTML; Citrix XenApp will be used as the desktop environment. The requirement is that no Java is allowed to be installed on the web browser.
According to the PAM, Secure Login Client does not support Microsoft Application Virtualization (App-V), so how can we deploy the Secure Login Client to a Citrix environment?
If we want to use Secure Login Web Client instead of Secure Login Client, does Secure Login Web Client require Java installed on users' web browsers? The latest Secure Login implementation guide (SSO 2.0) does not mention anything about a Java runtime. However, as far as I understand, Secure Login Web Client is a feature of Secure Login Server, and Secure Login Server is a pure Java application, so I suspect that Secure Login Web Client also requires a Java runtime to run. Is that true?
Best regards,
Duy
Hello Duy,
The Product Availability Matrix states that Secure Login Web Client needs a Java runtime in the browser. See the footer of the Secure Login Web Client pages for Windows and Linux/MAC OS browser platform support. It says the following:
For Windows: Supported Java Runtime: Oracle (Sun) JSE 6, 7 and 8, 32bit
For Linux/MAC OS: Supported Java Runtime: Oracle (Sun) JSE 6.0 and 7.0, 32bit/64bit depending on browser
Best regards,
Martin -
I have created my site with Muse and have uploaded it to an external FTP host; now my secure login will not work because I am not using BC. Is there a way to create a secure login that will work without being forced to use BC?
Hi
Secure Zone login feature will only work if you host your website with Business catalyst.
Please take a look at this as an alternative:
Password Protect Pages Widget for Adobe Muse
Also, check this thread,
Re: Can I create a login/password protection in Muse for a HTML5 page or two? -
BPC 7.5 Admin Client Links Not Working
I am working in BPC 7.5 SP15 NW. I have recently upgraded to Windows 7 64-bit and now the links in the action pane in the desktop admin client are not working. The cursor does not change from the normal pointer to the hand. That would indicate that the admin client is no longer recognizing them as links. The links work fine in the desktop Excel client. I am using 32-bit Excel 2010 with no other version of Office installed.
Has anyone heard of this behavior and how to correct for it?
Hi Kannan,
I think this is an Osoft web site configuration issue; the error indicates that you have one duplicate section in the web site configuration file (web.config).
If you didn't alter the web.config file, then the problem may occur because when you use Framework 4.0, the machine config already has some of the sections defined that were used in previous ASP.NET versions.
You should check which version of the MS Framework is configured for the application pool of the web site, change it to v2.
Let me know if this solves the issue. Or if you need more help to resolve it.
Kindest regards, -
[solved] NFS client will not work correctly
I have all my $HOME on an NFS server. So far I have used SUSE and Debian; now I want to switch to Arch, but the NFS client is not working correctly:
I start "portmap nfslock nfsd netfs" over rc.conf. When I do a "rpcinfo -p <ip-arch-system>" I got the following
stefan:/home/stefan # rpcinfo -p 192.168.123.3
Program Vers Proto Port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100021 4 udp 32768 nlockmgr
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 tcp 48988 nlockmgr
100021 3 tcp 48988 nlockmgr
100021 4 tcp 48988 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 3 udp 891 mountd
100005 3 tcp 894 mountd
As you see, "status" is missing, so statd is not running. It should look like the result on my SUSE box:
stefan:/home/stefan # rpcinfo -p 192.168.123.2
Program Vers Proto Port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100021 4 udp 32768 nlockmgr
100024 1 tcp 35804 status
100021 1 tcp 35804 nlockmgr
100021 3 tcp 35804 nlockmgr
100021 4 tcp 35804 nlockmgr
There is the "status" line and so the statd is running.
How can I fix that problem, so that statd is running on my Arch box too?
Last edited by stka (2007-06-10 15:59:48)
The problem is solved.
I use LDAP for authentication. During the setup of the LDAP client I copied nsswitch.ldap to nsswitch.conf. But the line for "hosts:" was:
hosts: dns ldap
but in my DNS there is no localhost entry. After I changed this line to:
hosts: files dns ldap
everything was ok. The statd is now running and I can start to migrate to archlinux ;-) -
Maverick update now my login screen does not work please help.
Hello, hope you can help. I have a 24 inch Mid 2007 Intel iMac. It has been great until now. I recently did the Maverick update and now my login screen does not work. When I wake the computer up the screen appears with my picture icon. When I click on it nothing happens. If I click on it a second or third time the beach ball appears and nothing happens. I have to shut the unit down with the power button and when the unit powers back up everything works normally. Are there any suggestions out there? I have updated the software without resolution. Is this computer too old? Do I have to buy a new one?
Thank you
Your iMac can support Mavericks according to the requirements > OS X Mavericks: System Requirements
Try a Safe Mode boot. That deletes some system caches that may help.
Startup your Mac in Safe Mode
A Safe Mode boot takes much longer than a normal boot so be patient.
Once you are in Safe Mode, click Restart from the Apple menu.
See if there's an improvement for the login screen. -
my login password is not working when i try to log in to my macbook air. what should I do?
Thanks, Debora
You can reset the password.
How you do it though depends on the version of OS X you are running.
On Lion or Mountain Lion, you use the following technique to reset the administrator's password:
Boot to your Recovery Partition, by holding down the Option key while starting, and then selecting the Recovery HD as the boot choice.
Once booted, at the top of the screen is a menu ..., select Utilities / Terminal from the menu bar.
In the Terminal window, type “resetpassword” (without the quotes) and press return. A “Reset Password” window will open. Select your boot volume (your SSD drive) if it is not already selected. Select your administrators username from the menu labeled “Select the user account” if it is not already selected. Follow the prompts to reset the password. Restart the computer from the apple menu.
If you are using the Keychain, you will lose your existing one, and have to start a new one, unless you remember the old password. -
WSX Login Cred. Not Working In Win. 7
Hello,
I have Workstation 10 on a Windows 7 machine which runs several VMs very well. I moved one of them over to the shared VM section and installed WSX server on the same machine to try it out. The install went fine and I can connect to the WSX server on the same machine and any other machine on the network, but the Windows login credentials do not work. I have two admin accounts and neither of the logins work. However, when I make a brand new admin account and try to log in to WSX it works fine. As soon as the machine restarts, though, that same login stops working. I have no idea what is going on; do you guys have any ideas?
Thanks,
Brandon
I have the same issue. I attempted the resolution by BlazerGT with no success. I have found the issue to be persistent with both domain and local accounts. For local accounts simply deleting the account and re-adding it was a workable solution but I have not found one with the domain accounts. If there is a log for failed authentication I would love for a developer to let me know where this is as it would be greatly helpful to be able to diagnose.
-
Secure Login Client 2.0 SP04 Silent Installation
Hi Experts,
I would like to seek assistance with mass roll-out of the secure login client. Is it possible to perform silent installation of the secure login client?
Thank you.
Regards,
Tom
Hi Thomas,
you may start SapSetupSLC.exe with parameter "/silent".
This installs SecureLoginClient (SLC) with its default settings (all components except "Secure Login Server Support").
For a customized installation it's required to use the SAP Installation Server.
If your company is using SAP GUI there is possibly an Installation Server in place. SAPGUI and SLC are "SAPSetup"-packages hence it's possible to integrate SLC into the SAPGUI package and distribute them together.
The Installation Server is also part of the SecureLoginClient package.
After extracting SapSetupSLC.exe with command line:
C:\> SapSetupSLC.exe /x:C:\slc
you find SAP Setup Guide.pdf which describes how to set up and configure the installation server.
You also find useful hints in the Secure Login Implementation Guide
chapter 2.1.1 Unattended Installation with SAPSetup Installation Server
Grüße / Kind regards,
Frank -
Revision: 5036
Author: [email protected]
Date: 2009-02-23 06:24:31 -0800 (Mon, 23 Feb 2009)
Log Message:
Bug: BLZ-347 - Secure amf polling channel not working correctly on IE in BlazeDS/3.x branch.
QA: Yes
Doc: No
Checkintests: Pass
Details: This is BlazeDS part of the fix. For MSIE over HTTPS, we need to add additional Cache-Control headers.
Ticket Links:
http://bugs.adobe.com/jira/browse/BLZ-347
Modified Paths:
blazeds/branches/3.x/modules/core/src/java/flex/messaging/endpoints/AbstractEndpoint.java -
Juniper Java Secure Application Manager does not work with Snow Leopard
Anyone else having issues as well? I'm not using a client - it's basically the Java based application manager for VPN connections to work (so I can remote desktop to my work PC).
Once logged in, it gives a "Restart your browser" error.
Thanks for your help
OK - so I got it to work. Here's what I did. Let me know if it works for you:
I wasn't able to follow the instructions exactly as noted in the original link I posted above.
The terminal command, specifically wget would not work - there is no wget.
I manually downloaded the Java 1.5 version, by following the link (just clicked on it). I 'unzipped' it and moved it into the library/frameworks/JavaVM.framework/versions folder.
So now the 1.5.0 is not an alias (as it is by default in SL), but the older version of Java.
I then followed the instruction related to changing the order in JAVA PREFERENCES.
The final stop - and I think this is key, is that I forced Safari to start in 32 bit mode. You can do this by going to Applications, highlighting Safari and hitting CMD-I. Then check the 32 bit option.
Start Safari, go to the appropriate URL and login. The Java Secure Application Manager should then start as it used to do in Leopard. You should be all set.
Hope this helps - let me know if someone has questions. -
Cisco 1841 as PPTP client Does not work
Dear All,
I have Cisco 1841 router running the below roles
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured as a PPTP client to an internet VPN server (so that I will get a fixed public IP).
Once I get this IP address, I want to use this connection to accept incoming connections and forward ports to an internal host.
I went through below
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work, as I do not have the option for the below 2 commands in the vpdn-group 2 section. (Please see section in blue)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
exit
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)9
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 84000
crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map mydyn 10
set transform-set strongsha
crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
interface FastEthernet0/0
description Internal Network (Protected Interface)
ip address 10.236.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address dhcp-pool ContosoPool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 eap
interface Dialer1
ip ddns update hostname XXXXXXX.dyndns.org
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
ppp pap sent-username vermam password 7 13044E155E0913323B
crypto map Dxb-Auh
interface Dialer2
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 2
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2 callin
ppp eap refuse
ppp chap hostname hasanreza
ppp chap password 7 070E2541470726544541
interface Dialer995
no ip address
ip local pool webssl 10.236.6.10 10.236.6.30
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list nat interface Dialer1 overload
ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.21.51.0 255.255.255.0 10.236.5.253
ip access-list extended internal
permit ip any 10.236.5.0 0.0.0.255
ip access-list extended nat
deny ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
deny ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 any
ip access-list extended nonat
permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
ip access-list extended sslacl
ip access-list extended webvpn
permit tcp any any eq 443
logging esm config
access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway1
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint TP.StartSSL-vpn
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context webvpn
ssl authenticate verify all
url-list "Webservers"
heading "SimpleIT Technologies NBNS Servers"
url-text "Google" url-value "www.google.com"
url-text "Mainframe" url-value "10.236.5.2"
url-text "Mainframe2" url-value "https://10.236.5.2"
nbns-list "ContosoServer"
nbns-server 10.236.5.10
nbns-server 10.236.5.11
nbns-server 10.236.5.12
port-forward "PortForwarding"
local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
policy group policy1
url-list "Webservers"
port-forward "PortForwarding"
nbns-list "ContosoServer"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
svc address-pool "webssl"
svc default-domain "Contoso.Local"
svc keep-client-installed
svc split include 10.236.5.0 255.255.255.0
svc split include 10.236.6.0 255.255.255.0
svc split include 172.31.1.0 255.255.255.0
svc split include 172.21.51.0 255.255.255.0
svc dns-server primary 172.21.51.10
default-group-policy policy1
gateway gateway1
inservice
end
Gateway# -
Hello, I am a software engineer and have been trying to connect to my client's VPN using the AnyConnect Secure Mobility Client (version 3.1.04066) and keep receiving the error "The VPN client driver encountered an error. Please try again or restart your system."
I am on a Windows 7 system with an intel i7-2670QM cpu. My computer model is an HP Pavilion dv7.
I have tried uninstalling the software, re-installing it. I've tried restarting my system multiple times through the process. I've checked the registry and made sure the name was setup correctly. I have checked and made sure that the correct services are not enabled. I have also tried what was suggested on the support page and checked the integrity of catroot2 as well as renaming it and regenerating the folder. None of these have been able to fix my problem.
For information, this is the message history when I try to connect:
[12/8/2014 8:55:49 AM] Ready to connect.
[12/8/2014 9:27:19 AM] Contacting vpn.[hostaddressremoved].com.
[12/8/2014 9:27:22 AM] Please enter your username and password.
[12/8/2014 9:27:29 AM] User credentials entered.
[12/8/2014 9:27:30 AM] Please respond to banner.
[12/8/2014 9:27:31 AM] User accepted banner.
[12/8/2014 9:27:31 AM] Establishing VPN session...
[12/8/2014 9:27:32 AM] Checking for profile updates...
[12/8/2014 9:27:32 AM] Checking for product updates...
[12/8/2014 9:27:32 AM] Checking for customization updates...
[12/8/2014 9:27:32 AM] Performing any required updates...
[12/8/2014 9:27:32 AM] Establishing VPN session...
[12/8/2014 9:27:32 AM] Establishing VPN - Initiating connection...
[12/8/2014 9:27:33 AM] Establishing VPN - Examining system...
[12/8/2014 9:27:33 AM] Establishing VPN - Activating VPN adapter...
[12/8/2014 9:27:33 AM] Establishing VPN - Attempting to repair VPN adapter...
[12/8/2014 9:27:33 AM] Disconnect in progress, please wait...
[12/8/2014 9:28:22 AM] Connection attempt has failed.
[12/8/2014 9:28:24 AM] Ready to connect.
I have tried every kind of search I can think of to find any other solutions to try, and I cannot find anything else. Does anyone have any other recommendations of what to try in order to be able to connect to my client?
-TheJayDude
Yes, I am sorry to say that several people have seen the same issue. It seems like the issue is specific to Yosemite and AnyConnect. My very technical staff and I have tried many things. The default route is missing and the file /var/run/resolv.conf is also missing, which means that both the route and DNS server are messed up. We re-added the default route manually, which allows us to ping the servers and even access them via the IP address.
Run the command below before starting the VPN to get the default route
netstat -nr | grep default
Then run the following to re-add the default route.
route add default xxx.xxx.xxx.xxx
BUT there is no way that I can find to fix the DNS entry.
We tried re-adding the DNS entries in the /var/run/resolv.conf and then restarting the DNS service
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
Password:
$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
BUT THIS DOES NOT WORK!
If anyone can help us solve the DNS issue, at least we have a work-around for our technical people until Cisco and/or Apple can resolve it.
Here is a link to the same issue at Cisco.
https://supportforums.cisco.com/discussion/12334071/cisco-anyconnect-secure-mobility-client-os-x-yosemite-vpn-not-working-if-mac -
Mail, iCal Server and iChat server will not work over VPN
I have an Airport Extreme Base Station at the office running the network. Behind it sits a Mac Mini Snow Leopard server running 10.6.3. The ports necessary for Mail, iCal Server and iChat work fine through that external connection. I can also connect with VPN from my 10.6.3 clients.
HOWEVER, when I connect with the VPN clients, I am suddenly unable to access the Mail, iCal Server, Wiki server and iChat server. All connections time out. I can ping the server and I can do other things that do NOT work on the public Airport like ssh or VNC. ssh and VNC are closed at the Airport Extreme.
So it's pretty odd. When I'm connected via the VPN, all ports that are forwarded to the Snow Leopard server time out over the VPN.
I've tried various and sundry configurations with the VPN client. This includes trying to send all traffic over the VPN, moving it up in the service order, etc. etc. Nothing fixes it. DNS resolution is working fine, however when I do a Wireshark capture of ppp0 traffic, I notice that SSL and TLSv1 handshakes appear to occur on the public IP address instead of the private network IP address... and they're all resets.
Has anyone gotten this to work successfully? Like I said, all ports that are NOT forwarded through the Airport work fine over the VPN, but will not work when connected to the VPN. It's really bizarre.
New data: any ports that are normally forwarded on the Airport Extreme to the Mac Mini server will not work when connected to the VPN.
For instance, if I have imaps/993 forwarded from the Airport Extreme to the Mac Mini, it works fine over the Internet. If I connect to the VPN, I can connect to all OTHER services on the Mac Mini, but Mail, for instance, will not work. -
Client provisioning not working on ISE after 1.2 Migration
Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate, the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register the client it is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?
Please update the patch using the details below and try it.
To upload offline client provisioning resources, complete the following steps:
Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
• win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows
• mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X
• compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package
• macagent--isebundle.zip — Off-Line Mac Agent Installation Package
• nacagent--isebundle.zip — Off-Line NAC Agent Installation Package
• webagent--isebundle.zip — Off-Line Web Agent Installation Package
Step 3 Click Download or Add to Cart.