Show vpn-session remote

We currently have vpn-session-timeout none. We want to disconnect users if the session is inactive for 60 mins. How would I make this change, and are there any problems with this?

vpn-idle-timeout = the amount of time the VPN connection is idle, i.e. no activity seen on the tunnel, before it is disconnected.
vpn-session-timeout = the amount of time the VPN tunnel is allowed to stay up regardless of whether there is activity or not.
This is for a specific user:
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-session-timeout
Hope this helps.
Thanks
Ajay
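
The check below is an added example, not part of the original thread or Cisco's tooling: it reads saved `show running-config` text and reports, for every `group-policy ... attributes` and `username ... attributes` block, whether `vpn-idle-timeout` meets a 60-minute inactivity limit, keeping it separate from `vpn-session-timeout`. The policy names and sample configuration are constructed; `anyuser` is taken from the reply above.

```python
import re

# Start of an attributes block: "group-policy NAME attributes" or "username NAME attributes".
BLOCK_RE = re.compile(r"^(group-policy|username)\s+(\S+)\s+attributes\s*$")
# The two timeout commands from the thread; the value is a number of minutes or "none".
TIMEOUT_RE = re.compile(r"^\s+(vpn-idle-timeout|vpn-session-timeout)\s+(\d+|none)\b")

# Constructed sample, laid out like ASA running-config output (sub-commands indented).
SAMPLE_CONFIG = """\
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-idle-timeout none
 vpn-session-timeout none
group-policy RA-ADMINS internal
group-policy RA-ADMINS attributes
 vpn-idle-timeout 60
 vpn-session-timeout none
group-policy RA-VENDORS attributes
 vpn-tunnel-protocol ssl-client
username anyuser password CONSTRUCTED encrypted
username anyuser attributes
 vpn-session-timeout 480
 vpn-idle-timeout 120
"""


def parse_timeouts(config_text):
    """Return {(kind, name): {command: value}} for every attributes block."""
    blocks = {}
    current = None
    for line in config_text.splitlines():
        header = BLOCK_RE.match(line)
        if header:
            current = blocks.setdefault((header.group(1), header.group(2)), {})
            continue
        if not line.startswith(" "):
            current = None  # unindented line: back at global configuration level
            continue
        setting = TIMEOUT_RE.match(line)
        if setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return blocks


def audit_idle_timeout(config_text, max_idle_minutes=60):
    """Return (kind, name, status, idle_value, session_value) per block, sorted by name."""
    findings = []
    for (kind, name), settings in sorted(parse_timeouts(config_text).items()):
        idle = settings.get("vpn-idle-timeout")
        if idle is None:
            status = "inherited"   # not set here; review the policy it inherits from
        elif idle == "none":
            status = "disabled"    # idle sessions are never disconnected
        elif int(idle) <= max_idle_minutes:
            status = "ok"
        else:
            status = "too-long"
        findings.append((kind, name, status, idle, settings.get("vpn-session-timeout")))
    return findings


if __name__ == "__main__":
    for kind, name, status, idle, session in audit_idle_timeout(SAMPLE_CONFIG):
        print(f"{kind:13} {name:11} idle={idle} session={session} -> {status}")
```

A block reported as `ok` with `vpn-session-timeout none` matches what the question asks for: sessions end after 60 idle minutes but are not cut off while in use.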

Similar Messages

  • ASDM 7.1(1)52 device dashboard shows ghost VPN Sessions

    Hi,
    I just upgraded one of our 5520 ASA to serve ASDM 7.1(1)52 and noticed something interesting.
    When I look at Device Dashboard / VPN Sessions, I see, for example, 14 IPSec connections.
    BUT, if I click Details, I only get 10 real IPsec connections shown.
    I do not recall seeing this earlier, with older ASDM versions.
    Has anyone seen something similar or has any idea why this is happening?
    Cheers;
    -jra

    Looked around other ASA boxes and these ghost sessions seem to truly come with the new ASDM software.
    All boxes which have ASDM 6.2 show the correct count of IPSec connections on the main screen.
    All boxes which have ASDM 7.1 show 5 - 15 more IPSec connections than the details page / CLI shows.

  • VPN session established but cannot access trusted LAN segment on the ASA

    Just a roundup of my Cisco ASA configuration...
    1) Configure remote access IPSec VPN
    2) Group Policies - vpntesting
    3) AES256 SHA DH group 5
    4) Configure local user vpntesting
    5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24
    6) open access on outside interface
    7) IKE group - vpntesting
    A) Did I miss anything?
    B) For example, there is a LAN segment - 10.27.40.x/24 on the trusted leg of the Cisco ASA but I can't access it. Do I need to create access lists to allow my VPN session to access the trust LANs?
    C) Any good guide for configuring remote access VPN using ASDM?

    I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
    1: Sometimes, clients are connected, connection shows established but no traffic or pings can be made to corp network. It might have to do with NAT settings to except VPN traffic from being NATed.
    2: VPN Clients don't pick the same IP address from local address pool even though I specified "RECYCLE" option.
    I would appreciate it if you look at my configuration and advise any mis-config or anything that needs to be corrected.
    Thank you so much.
    Configuration:
    TQI-WN-RT2911#sh run
    Building configuration...
    Current configuration : 7420 bytes
    ! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
    ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
    ! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname TQI-WN-RT2911
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    aaa session-id common
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp remember
    ip domain name telquestintl.com
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-2562258950
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2562258950
    revocation-check none
    rsakeypair TP-self-signed-2562258950
    crypto pki certificate chain TP-self-signed-2562258950
    certificate self-signed 01
                quit
    license udi pid CISCO2911/K9 sn ##############
    redundancy
    track 1 ip sla 1 reachability
    delay down 10 up 20
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ############## address 173.161.255.### 255.255.255.240
    crypto isakmp client configuration group EASY_VPN
    key ##############
    dns 10.10.0.241 10.0.0.241
    domain domain.com
    pool EZVPN-POOL
    acl VPN+ENVYPTED_TRAFFIC
    save-password
    max-users 50
    max-logins 10
    netmask 255.255.255.0
    crypto isakmp profile EASY_VPN_IKE_PROFILE1
       match identity group EASY_VPN
       client authentication list default
       isakmp authorization list default
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile EASY_VPN_IPSec_PROFILE1
    set security-association idle-time 86400
    set transform-set ESP-3DES-SHA
    set isakmp-profile EASY_VPN_IKE_PROFILE1
    crypto map VPN_TUNNEL 10 ipsec-isakmp
    description ***TUNNEL-TO-FAIRFIELD***
    set peer 173.161.255.241
    set transform-set ESP-3DES-SHA
    match address 105
    interface Loopback1
    ip address 10.10.30.1 255.255.255.0
    interface Tunnel1
    ip address 172.16.0.2 255.255.255.0
    ip mtu 1420
    tunnel source GigabitEthernet0/0
    tunnel destination 173.161.255.241
    tunnel path-mtu-discovery
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Optonline  WAN secondary
    ip address 108.58.179.### 255.255.255.248 secondary
    ip address 108.58.179.### 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN_TUNNEL
    interface GigabitEthernet0/1
    description T1 WAN Link
    ip address 64.7.17.### 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description LAN
    ip address 10.10.0.1 255.255.255.0 secondary
    ip address 10.10.0.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
    router eigrp 1
    network 10.10.0.0 0.0.0.255
    network 10.10.30.0 0.0.0.255
    network 172.16.0.0 0.0.0.255
    router odr
    router bgp 100
    bgp log-neighbor-changes
    ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
    ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
    ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
    ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
    ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
    ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
    ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
    ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
    ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
    ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
    ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
    ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
    ip access-list extended VPN+ENVYPTED_TRAFFIC
    permit ip 10.10.0.0 0.0.0.255 any
    permit ip 10.0.0.0 0.0.0.255 any
    permit ip 10.10.30.0 0.0.0.255 any
    ip sla 1
    icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
    threshold 100
    timeout 200
    frequency 3
    ip sla schedule 1 life forever start-time now
    access-list 1 permit 10.10.0.0 0.0.0.255
    access-list 2 permit 10.10.0.0 0.0.0.255
    access-list 100 permit ip 10.10.0.0 0.0.0.255 any
    access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
    access-list 105 permit gre host 108.58.179.### host 173.161.255.###
    route-map T1-ISP permit 10
    match ip address 100
    match interface GigabitEthernet0/1
    route-map OPTIMUM-ISP permit 10
    match ip address 100
    match interface GigabitEthernet0/0
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    TQI-WN-RT2911#

  • VPN session in cisco ASA reflect a different source public ip

    Hi all,
    I tested and managed to establish VPN on my Cisco ASA 5520 successfully.
    On my syslog I can see "anyconnect parent session started" upon my VPN establishment and "webvpn session terminated" upon terminating my VPN session,
    where the correct public IP used to establish the VPN is reflected. However, after the "webvpn session terminated" line, I can see other lines in my syslog, for example "Group=vpngroup, username=test, ip = x.x.x.x, session disconnected, session type:anyconnect parent, duration 0h:00m23s, bytes xmt: 0, bytes rcv:0, reason: user requested", where x.x.x.x is not the IP address used to establish my remote access VPN, neither is it an IP related to my VPN infra. I am very sure that the IP x.x.x.x did not establish any VPN to my Cisco ASA 5520. Hence why is it reflected in my Cisco ASA logs? Please advise, TIA!

    Hi,
    Think I remember some posting about a similar issue in the past. Did a couple of Google searches and the following BugID was mentioned in the discussion.
    syslog 113019 reports invalid address when VPN client disconnects.
    CSCub72545
    Description
    Symptom:
    Syslog reports an invalid IP Address.
    Conditions:
    This condition occurs when a VPN Client is disconnected.
    Workaround:
    There is no mention of a workaround. Just mention of software versions that should correct the problem
    The link to the actual page/document is the following
    https://tools.cisco.com/bugsearch/bug/CSCub72545
    Perhaps this is the bug you are running into or something similar.
    - Jouni
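
    Because the address in the disconnect record can be wrong under the condition described in this thread, the added example below (not from the thread, and not Cisco tooling) pairs each disconnect record with the session-start record for the same group and user and reports any address mismatch, so the start record is the one used for attribution. The log lines are constructed with documentation addresses; the session-start layout and its message ID are assumptions, while the disconnect fields follow the line quoted in the question.

```python
import re

# Session start ("anyconnect parent session started" in the question).
# Assumed layout: Group <g> User <u> IP <addr> AnyConnect parent session started.
START_RE = re.compile(
    r"Group\s+<(?P<group>[^>]+)>\s+User\s+<(?P<user>[^>]+)>\s+IP\s+<(?P<ip>[^>]+)>"
    r".*session started", re.I)
# Disconnect record (syslog 113019), fields as quoted in the question.
END_RE = re.compile(
    r"Group\s*=\s*(?P<group>[^,]+),\s*Username\s*=\s*(?P<user>[^,]+),"
    r"\s*IP\s*=\s*(?P<ip>[^,]+),\s*Session disconnected", re.I)

# Constructed sample lines; message IDs other than 113019 are assumptions.
SAMPLE_LOG = [
    "%ASA-6-113039: Group <vpngroup> User <test> IP <198.51.100.7> "
    "AnyConnect parent session started.",
    "%ASA-4-113019: Group = vpngroup, Username = test, IP = 203.0.113.9, "
    "Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:23s, "
    "Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested",
    "%ASA-6-113039: Group <vpngroup> User <alice> IP <198.51.100.20> "
    "AnyConnect parent session started.",
    "%ASA-4-113019: Group = vpngroup, Username = alice, IP = 198.51.100.20, "
    "Session disconnected. Session Type: AnyConnect-Parent, Duration: 1h:12m:05s, "
    "Bytes xmt: 48213, Bytes rcv: 90112, Reason: User Requested",
]


def find_ip_mismatches(lines):
    """Return disconnect records whose IP differs from the matching session start.

    Simplification: one open session per (group, user); the latest start wins.
    """
    last_start = {}  # (group, user) -> address seen when the session started
    mismatches = []
    for line in lines:
        start = START_RE.search(line)
        if start:
            last_start[(start["group"], start["user"])] = start["ip"]
            continue
        end = END_RE.search(line)
        if not end:
            continue
        key = (end["group"].strip(), end["user"].strip())
        started_from = last_start.pop(key, None)
        logged = end["ip"].strip()
        # Only report when a start record exists to compare against.
        if started_from is not None and started_from != logged:
            mismatches.append(
                {"user": key[1], "start_ip": started_from, "disconnect_ip": logged})
    return mismatches


if __name__ == "__main__":
    for hit in find_ip_mismatches(SAMPLE_LOG):
        print(hit)
```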

  • VPN session remains up but can no longer get to internal devices

    Our remote users in Germany are provided with a mixture of Vodafone 3G Mobile Connect Cards (PCMCIA) and "USB sticks" for cellular broadband access. Installed on their laptops is Vodafone's Mobile Connect Client & Cisco VPN client version 5.
    To connect, they first connect to Vodafone's "VPN access point" -- Vodafone's VPN only service offering. Once connected, they VPN into the network with the Cisco client. All users connect to a Cisco 3020 Concentrator.
    Users are able to access network resources, however, they lose connectivity after 5-10min. What's unusual is, it doesn't look like the VPN session drops since the padlock in the right hand corner remains locked; they just can't access network resources.
    To troubleshoot...
    a) We had a user establish a VPN session then immediately start a continuous ping to an internal device's IP address. The connection stayed up for 20min before requests started timing out.
    b) We enabled "IPSec over TCP" on the client and Concentrator side, no change.
    What could possibly be causing this behavior?

    Does Vodafone use Venturi Transport Protocol clients for Windows like Verizon does with their EvDO cards? If so, we had to turn off and eventually uninstall the Venturi client software because it detrimentally interfered with IPsec traffic.
    -Gary

  • Can an AnyConnect VPN Session Survive a Logoff?

    I see that AnyConnect is a Service. We sometimes have issues with remotes losing their Windows passwords. When this happens, we have them log in locally, (with a non-domain account), then connect to the VPN, then logoff, (the Contivity VPN Session will stay established), then we reset their password, and they log in with their new password. Some VPNs use a feature called 'Logoff at Connect' to accomplish this. Any information would be greatly appreciated.

    To log off all AnyConnect Client and SSL VPN sessions, use the vpn-sessiondb logoff svc command in global configuration mode:
    vpn-sessiondb logoff svc. In response, the system asks you to confirm that you want to log off the VPN sessions. To confirm press Enter or type y. Entering any other key cancels the logging off.
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/administration/guide/22admin6.html#wp999635

  • Monitoring VPN Sessions

    Hi,
    I have configured remote access IPsec VPNs on my Cisco 5510 Security Plus firewall. Now I need to monitor all remote access VPN session records and activities of VPN users, as it is needed.
    Kindly suggest the best solution.
    Regards,
    Arshad Ahmed

    Arshad,
    Just to add my two cents to Collin's post (5 stars).
    ASA/PIX: Pass-through Traffic Accounting for VPN Clients Using ACS Configuration Example
    Managing Accounting in NPS
    HTH.
    Portu.
    Please rate any helpful posts and mark this question as answered if you do not have any further questions.

  • GUI issues with VPN server / remote settings - SR520 UC540

    Kinda new to the CCA world, but not new to the game. So far I am finding the limitations a bit frustrating, but here's the main issue at the moment:
    Attempting to set up a simple network with a UC540 at HQ, with an SR520 at a SOHO site. I can get the remote VPN working fine, also get a VPN to the SR520 for remote administration working. Actually had everything working fine, saved the config and rebooted to test prior to shipping it out.
    However, when I go back to look at the settings, trouble starts. The remote VPN settings don't show - the CCA tells me changes have been made in the CLI (not). The display for the VPN Server also seems buggy as it will not always display the settings for the VPN itself or the networks listed under split tunnels. Changes to either VPN setup appear to bork the other.
    As this is going to a site far, far away I need to be very sure that the VPN setup is solid, at least for remote access. I have a sneaking suspicion that some of the settings are shared and changes to one setup affect the other, but after going from everything working > save > reload > not working, I can't see what is wrong.
    Short version - need SOHO to communicate with HQ over site-to-site VPN, with remote access from a 3rd location to CCA.
    Any hints?

    Hi,
    To resolve your issue as soon as possible, please post your question on the Forefront TMG forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
    Steven Lee
    TechNet Community Support

  • Time Capsule Occasionally Reboots During Cisco VPN Sessions

    I have a Time Capsule and an AirPort Extreme Base Station in a Wireless Distribution System (WDS) configuration at my home. The Time Capsule is connected to the DSL Modem. The devices work without issue the vast majority of the time.
    However, I have noticed that occasionally, and seemingly randomly, my Time Capsule will reboot whenever I have a Windows desktop client Cisco VPN session established through the device and back to my workplace's remote access VPN concentrators. It occurs often enough for me to correlate it with the VPN sessions, but not often enough that I can create the steps to reproduce the failure. However, anecdotally, I would say that it occurs about once for every 2 hours or so of actual VPN usage (not that I'm saying it's time or duration based, but rather to give some scale to the occurrence). It is very annoying as I have to wait for the Time Capsule to reboot, for my wireless connectivity to re-establish, and thereafter to re-establish the VPN session and any further office connectivity (i.e., Exchange, file shares, SharePoint, etc.).
    I was curious if anyone else has experienced this problem, as I didn't readily find any other comments on the discussions forums. I'm not at home at the moment, so I can't confirm exact revisions, but this problem occurred both with the prior firmware as well as the most recent firmware which was just upgraded on the device in the past few weeks (I was hoping the new firmware might have resolved the issue, but it apparently did not).

    two suggestions:
    1) make sure the firmware is current
    2) can you disable WDS temporarily to see if it's WDS related?

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, the 5505 will be able to establish a site-to-site tunnel, and he can use the IPSec VPN client and SSL VPN (it comes with 2 default SSL VPN licenses).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On Site A, configure: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim

  • TS1741 I have two Apple TVs and they both show in the Remote app but I have to unplug to get them to respond. Both of them.

    I have installed a second Apple TV.  Both show in my remote App.  But both will not wake up or connect unless I reboot them.  Then they work fine until the next day.  They both are doing this.  I had no problems until I installed the second.  Could that be an issue?  I'm just tired of restarting them every time.

    Hi richardwilliams51,
    If you are having difficulty connecting to the Internet using your Apple TV, I would suggest troubleshooting using the steps in this article -
    Apple TV (2nd and 3rd generation): Troubleshooting Wi-Fi networks and connections
    http://support.apple.com/kb/TS4546
    If that does not completely fix your Apple TV, you may need to restore it, using this article -
    Apple TV (2nd and 3rd generation): Restoring your Apple TV
    http://support.apple.com/kb/HT4367
    Thanks for using Apple Support Communities.
    Best,
    Brett L

  • Simple jsp to show if session state is being correctly replicated ?

    Hello,
    I am making a simple jsp to show if session state is being correctly replicated.
    I just remembered seeing one somewhere before.
    It showed the server-name, and the number of request so far in the session. And
    maybe a nice bea logo.
    Does anyone know where such a thing might be available ?
    thanks!
    JM

    Hi,
    checkout bea samples there is such jsp in cluster/sessionrep or something like
    this /bea_home/samples/sever...
    "Marmelstein" <[email protected]> wrote:
    >
    >Hello,
    >I am making a simple jsp to show if session state is being correctly
    >replicated.
    >I just remembered seeing one somewhere before.
    >It showed the server-name, and the number of request so far in the session.
    >And
    >maybe a nice bea logo.
    >Does anyone know where such a thing might be available ?
    >thanks!
    >JM

  • When you expand to show local and remote sites, in DW CS6 how do I get the local to be on the left?

    When you expand to show local and remote sites, in the previous versions of DW, the file type (local or remote) selected when not seeing both automatically came up on the left. I liked local when I am editing and when I am ready to upload I expand to see both local and remote. Before, the one you had selected, in my case local, was always displayed on the left. Now in CS6 when I have local selected before I expand, the local is on the right and remote on the left. For me that is not correct. I find that having local on the left works best for me like reading, left to right, I want the local on the LEFT so I can put the updated from left to the remote on the right.
    -->In DW CS6 how do I get the local to be on the left?

    Thank you so much!  That did it! 

  • How to end RDP sessions remotely from different network?

    Hi
    How to end RDP sessions remotely for windows 2008r2 server from different network?
    not from local LAN
    Thanks

    Hi
    what ports need to be open to successfully connect to server behind firewall?
    from WAN to LAN using :
    net use \\servername_or_IP /USER:username "password"
    or
    qwinsta /server:ServerIP
    Thanks

  • WRVS4400N breaks VPN session during https connection to a LAN host

    Hello,
    here comes the incident description:
    WRVS4400N breaks established VPN session if I am trying to connect to any LAN host via HTTPS.
    Did anyone experience similar issue?
    What a workaround could be?
    Many thanks in advance, appreciate your time.

    These products are being handled by the Cisco Small Business Support Community. (URL: https://supportforums.cisco.com/community/netpro/small-business )
