SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)

Similar Messages

• How to use both wired and wireless connection with static addresses

  Now that I have setup my home network with static addresses (router, mini1, mini2 and PC) in the way I want, (big thanks to BDAqua http://discussions.apple.com/thread.jspa?threadID=1271635&tstart=0) I would like to understand some more advanced network concepts.
  I would like to change the network so that I use both the wireless connection and the built-in ethernet connection at the same time in my Mac mini1. I would like to connect my PC to my Mac mini by using the wired ethernet connection so that I reach the Internet from my PC as well. I would also like to be in control of all the addresses therefore I want to assign the addresses manually.
  The question: What addresses should I use between mini1 and PC? Should I use the same wireless address space as I already use between the wireless router and the other computers (router: 192.168.1.1, mini1: 192.168.1.101, mini2: 192.168.1.103) or should I use something totally different like 10.X.X.X? What should I put in ethernet connection "Router"-field, the same as in Airport (192.168.1.1)? What about DNS, same as in Airport?

  If I understand this correctly, you wish your Mini to perform Internet Sharing for your PC, correct!?
  If so you'll pretty much have to let the Mini handle DHCP & NAT on the Ethernet port. You also want to be sure Airport is dragged to the top of Network>Show:>Network Port Configurations, that's what position the Mini will use 1st for Internet itself.
  On the Mini turn on both Web Sharing & Internet Sharing. The PC once connected will have the Mini's Ethernet IP as it's Gateway addy.

• Help with connecting MacBook Pro with Cisco Routing and Switches?

  I'm running a CiscoASA 5510 router with several Cisco WS-C2960-48TT-L switches on a local network to connect with MacBook Pro. I need to be able to restrict access to specific users via their computer MAC address. ie: Joe Blow is limited to connecting through Switch 1 on port 10 and anywhere else he tries to plug in will simply not work.

  You need to look at the documentation that came with your router and switches. Or ask your network admin to set it up. Your question has nothing to do with your Macbook Pro configuration. MAC filtering is done in the router not in the computers/devices connecting to the router.

• Using an AirPort Extreme as a client to a Cisco AP?

  We have a single computer and network printer in a separate building that we'd like to connect wirelessly to the main building. We have an existing Cisco 1310 access point on the main building. The plan is to connect the remote computer and printer to the switch on the AirPort, and have the Airport connect wirelessly to the Cisco 1310. We successfully tested the wireless link by connecting a MacBook Pro to the Cisco, so we know they are within range.
  computer/printer <--wired--> AirPortExtreme <----wireless 11g, wpa2 psk----> Cisco1310
  The Cisco uses WPA2 with a pre-shared key. I configured the Airport as a bridge to extend the network. The Cisco log seems to show that the AirPort is connecting:
  DOT11-6-ASSOC: Interface Dot11Radio0, Station 001e.527a.0000 Associated KEY_MGMT[WPAv2 PSK]
  The AirPort, however, does not seem to be routing packets across the wireless connection. The indicator light is blinking amber.
  First, is this a configuration that should work (using the AirPort as a client on a Cisco network)?
  Second, if it should work, what are the critical configuration settings?
  Thanks for any suggestions.

  What is the difference then between "Extend a wireless network" and "Participate in a WDS network" wireless modes? I wasn't familiar with WDS, so I have been trying the "Extend" mode.
  The "Extend a wireless network" is a new feature that came out with the new 802.11n AirPort Extreme Base Stations (AEBSn), which allows for extending the 802.11n network (wirelessly) by using a second AEBSn. WDS, on the other hand, operates in the 802.11b/g radio band and allows the ability to extend a wireless network with other non-"n" AirPort (& a very few non-Apple) routers.
  Just to clarify:
  I'm using an AirPort Extreme, not Express.
  I don't want the AirPort to work as an access point itself. I just want it to work as a bridge between its own wired ethernet switch, and the Cisco AP.
  Sorry, for my confusion. To operate as a "bridge" in this configuration, the AEBSn would still need to be connected via Ethernet to the Cisco router. The AEBSn, unlike the AX, does not offer a "wireless client" mode nor can you use it's "Extend" or "WDS" capabilities with the Cisco router.

• Setting up new imac on network using dhcp nut not getting a valid ip address. Same happens when I try to connect via wi-fi. IP address being assigned is 10.45.190.195

  Have new Imac that I'm setting up. Company is using DHCP to manage IP addresses. Mac is plugged into netgear hub along with a PC. Mac is getting an invalid IP address of 10.45.190.195. PC is working fine. I've powered the hub on and off. I've renewed th DHCP lease on the Mac many times but IP address always comes back as 10.45.190.195. I've plugged the network cable directly in the network port bypassing the hub. Same result.
  Having the same issue when trying to connect via Wi-Fi,
  Anyone experiencing this issue?

  I see what you are saying. When I lived in the dorms, I was set up in bridge mode because we had that type of modem. My question now is do I distribute a range of static IP's or share a public? Either of these settings give me errors where the starting and ending DHCP addresses conflict. I use 10.0.1.1 and 10.0.1.100 and this error no longer seems to persist, but then I am not able to connect to the internet and the amber light keeps flashing- along with my computer showing that I am still connected to the TM.
  Thank you for your support so far.

• Unable to connect to internet using DHCP with WRT54G behind ISA 2004

  Hello,
  For starters, the Linksys WRT54G is located behind the ISA 2004 Sever firewall. The gateway for the LAN and internet segment is set at 192.168.1.1 and 192.168.2.1 for the WLAN segment on the ISA box. All the proper network rules and access rules have been created. If I set the adapter card on the lap top with a static IP, e.g. ip address as 192.168.2.3, subnet mask: 255.255.255.0 default gateway: 192.168.2.1 and primary DNS: 192.168.1.1 the lap top can connect to the internet through the WLAN segment. At this point the WRT54G is set for internet connection type as automatic configuration DHCP, local IP address as 192.168.2.2 subnet mask as 255.255.255.0 and DHCP server disabled
  When using DHCP on the WRT54G by enabling it and setting the Starting IP address to 192.168.2.3, I cannot connect to the internet. When using the CMD prompt and doing a ipconfig /all this is the result
  I get       DHCP enabled: yes
                 Autoconfiguration Enabled: yes
               IP Address: 192.168.2.3
                 Subnet Mask: 255.255.255.0
                 Default Gateway: 192.168.2.2
                 DHCP Server: 192.168.2.2
                 DNS Server: 192.168.2.2
  Is it possible to configure the WRT54G so that the default gateway can be set? Each time I change the Local IP address of the WRT54G e.g. 192.168.2.10, the default gateway gets the same IP address.
  Any help would be much appreciated.
  Thanks
  Karl

  In the 54g, setup an extra route to the other default gateway.
  ie; route 192.168.2.2 mask 255.255.255.2 gate 192.168.2.1

• WPAD file using DHCP

  We would like to push out the proxy setting using DHCP and a wpad.dat file.
  I have created a wpad.dat file that is hosted on a web server in the main office. If I setup option 252 on the dhcp server and point it to the webserver
  http://test/wpad.dat the head office can connect to the internet using that file. If I setup my branch offices dhcp server to use that same file that is hosted at the main office it says page cannot be displayed. Everything
  is the wpad.dat file is correct to say if your in this ip range and trying to go to the internet sites use proxy server.
  On all branch office systems, if I open up IE and go to
  http://test/wpad.dat they are able to download the file. What would be causing the branch office to not be able to get on the internet using the wpad.dat file? THe IE automatic detect setting Is checked off in all IE browsers so that is not the issue.
  Also when using the wpad.dat file using dhcp from any system, does it copy the wpad.dat file to the local pc or does it send each request where the file is hosted and then that server pushes request to the proxy server?

  Hi,
  It almost sounds like the branch office clients are getting the file, but they are not allowed to use the proxy server in the file? If you configure the client manually to use the Proxy in the wpad file, does it work then?
  I am also guessing that you mean that the IE automatic detect setting is checked and not off. :)
  The WPAD settings is cached in ie as you can see in this article.
  http://support.microsoft.com/kb/271361/sv
  /Johan
  Microsoft Certified Trainer
  MCSE: Desktop, Server, Private Cloud, Messaging
  Blog: http://365lab.net

• Remote access VPN with ASA 5510 using DHCP server

  Hi,
  Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
  I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
  ASA Version 8.2(5)
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.6.0.12 255.255.254.0
  ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
  route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
  crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dyn1 1 set transform-set FirstSet
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface inside
  crypto isakmp enable inside
  crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
  vpn-addr-assign aaa
  vpn-addr-assign dhcp
  group-policy testgroup internal
  group-policy testgroup attributes
  dhcp-network-scope 10.6.192.1
  ipsec-udp enable
  ipsec-udp-port 10000
  username testlay password *********** encrypted
  tunnel-group testgroup type remote-access
  tunnel-group testgroup general-attributes
  default-group-policy testgroup
  dhcp-server 10.6.20.3
  tunnel-group testgroup ipsec-attributes
  pre-shared-key *****
  I got following output when I test connect to ASA with Cisco VPN client 5.0
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
  4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
  [OK]
  kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
  Regards,
  Lay

  For RADIUS you need a aaa-server-definition:
  aaa-server NPS-RADIUS protocol radius
  aaa-server NPS-RADIUS (inside) host 10.10.18.12
    key *****   
    authentication-port 1812
    accounting-port 1813
  and tell your tunnel-group to ask that server:
  tunnel-group VPN general-attributes
    authentication-server-group NPS-RADIUS LOCAL
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Advise on using DBMS_XA with multiple branches under one global transaction

  Dear all
  I need some advise on using DBMS_XA from PL/SQL with tightly coupled multiple branches under one global transaction. Basically, I've successfully written some PL/SQL code that in 3 different sessions attaches to 3 different branches of one global transaction and before ending each branch they can see each others uncommitted data. So far so good.
  However, I'm not sure I completely understand how each branch must call xa_end, xa_prepare and xa_commit correctly using two phase commit and my calls result in errors like:
  ORA-24767: transaction branch prepare returns read-only (XA error code 3 = Transaction was read-only and has been committed)
  ORA-24756: transaction does not exist (XA error code -4 = XID is not valid)
  ORA-02051: another session or branch in same transaction failed or finalized
  This is the structure of my programs (3 SQL*Plus sessions):
  main: Uses xid 123|0 (branch 0 of global transaction 123). This should be the coordinator that commits using two phase commit across the 3 branches
  m1.xa_start tmnoflags
  m2.DML
  m3.Wait for thread A + B to manually be started and run xa_end
  m4.xa_end tmsuccess
  m5.xa_prepare
  m6.xa_commit false
  thread A: Uses xid 123|A (branch A of global transaction 123)
  a1.xa_start tmnoflags
  a2.DML -- thread A can see main and thread B's data
  a3.xa_end tmsuccess
  a4.xa_prepare -- required?
  a5.Should we also call xa_commit false?
  thread B: Uses xid 123|B (branch B of global transaction 123)
  b1.xa_start tmnoflags
  b2.DML -- thread B can see main and thread A's data
  b3.xa_end tmsuccess
  b4.xa_prepare -- required?
  b5.Should we also call xa_commit false?
  The failing steps are:
  m5
  m6
  a4
  a5
  b4
  b5
  Before starting calling xa_end I see 3 rows in V$GLOBAL_TRANSACTION, eg (hex 7B = decimal 123):
  FORMATID GLOBALID BRANCHID BRANCHES REFCOUNT PREPARECOUNT STATE FLAGS COUPLING
  203348753 0000007B 00000000000000000000000000000000 3 3 0 ACTIVE 0 TIGHTLY COUPLED
  203348753 0000007B 0000000000000000000000000000000A 3 3 0 ACTIVE 0 TIGHTLY COUPLED
  203348753 0000007B 0000000000000000000000000000000B 3 3 0 ACTIVE 0 TIGHTLY COUPLED
  Thanks a lot in advance.
  Cheers
  Finn

  OK, I've figured it out. This is poorly documented as it's not well explained how to handle the various return codes. Turns out that all but the last xa_prepare calls return dbms_xa.xa_rdonly (tightly coupled branches are combined -- "read only" optimization), the last one returns dbms_xa.xa_ok and this is when you should call xa_commit.
  Now my next problem is that DBMS_XA doesn't work from within jobs (DBMS_JOB and DBMS_SCHEDULER), which makes it very difficult to use DBMS_XA. My purpose of using DBMS_XA is to coordinate work across multiple sessions in one transaction but if I can't easily create the multiple sessions, I'm stuck.
  When called from a job, xa_start throws:
  ORA-24789: start not allowed in recursive call
  on Oracle 11.2. In Oracle 11.1 it works, but xa_end fails with
  ORA-25352: no current transaction
  so I guess in fact the xa_start call didn't really work either, even though it returned tm_ok.
  I'm now trying to find a workaround on how to use DBMS_XA from within jobs, please comment if you have any suggestions. Or if you have any suggestions on other means of establishing the concurrent sessions (I wouldn't like to resort to external programs that need username/password to connect as password management would be a security issue).
  Thanks in advance.
  Cheers
  Finn

• I'm hooked up to the ethernet using DHCP with manual address. It's running (green) but my internet (Safari, messenger, email) doesn't work! Help!

  I'm running an iMac with Mountain Lion. Not only do we do accounting work on this computer with AccountEdge, but the computer functions as a server to another computer in a different state.
  Anyway, I set a static IP address (Using DHCP with manual address) on it (to allow for a VPN to the computer in the different state) and it is connected (green dot) - meaning that the other computer in the different state can connect to us via that ethernet line - but for some reason Safari, Messanger, and Apple Email won't work.
  But if I switch a dynamic IP (DHCP auto), I can use the internet (Safari, messanger, email), but the computer in the different state can't connect to this computer.
  How can I fix this so that the computer in the different state can connect to this computer and that the internet (Safari, messanger, and email) can work at the same time?
  Much thanks!

  No but if they are using a VPN Tunnel for the connection that restricts all internet traffic over the tunnel. Which means you can't use that same computer to broswe the internet or connect to other computers or devices on your LAN.
  I'd need to see the actual setup, router and the IP addresses you are using.
  Networking and remote networking is fairly easy when you are in front of the systems you are working on. Doing it over the internet on a forum is almost impossible. Tha is why I suggested you get local help, like the person that originally set it up.

• How to use "DHCP Server"?

  Hi,
  I don't know how to use DHCP Server.
  #Features > Networking > Network Management > DHCP Server
  There seems to be no item to setting a DHCP Server in the Administrative Tools.
  Is there function to which installation is necessary to use DHCP Server.
  Thanks,

  DHCP server role is typically for Windows Server, but you can get some DHCP capability when you enable Internet Connection Sharing -http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/make-windows-7-act-as-a-dhcp-server/8ff345f2-99b5-4670-bb6f-32d7bb63de3c
  Sean Liming - Book Author: Starter Guide SIM (WEI), Pro Guide to WE8S & WES 7, Pro Guide to POS for .NET - www.annabooks.com / www.seanliming.com

• Using ip-helper without using DHCP functionality

  Hello,
  I am fairly new to Cisco, and am after a bit of help.
  My scenario:
  We have a new domain setup on a new VLAN (3), seperate from our current infrastructure VLAN (2).
  The new domain controllers provide DHCP for our new servers, and I would also like them to handle DHCP for wireless clients.
  We have one DHCP scope 10.0.0.0 255.255.0.0, and I would like to assign all wireless clients an IP in the 10.0.6.0 range.
  My thinking on the best way to do this, is with a DHCP policy, that looks at the relay agent information.
  I would then set the ip-helper address, on the port the wireless access point is connected to on the Cisco, to point to the DHCP server.
  Then for that same port, I would seb a subscriber id in the relay agent information, and use this string to set the IP assigned to that device.
  Looking into doing this, it seems the Ciscos DHCP functionality has to be turned on in order to use ip-helper.
  In my config, I cannot tell if DHCP is enabled or not, I can see neither "service dhcp", nor "no service dhcp" in the config.
  Assuming I were to turn it on using "service dhcp", can I then leave the actual functionality turned off? i.e. turn on the DHCP service, but not have it assign IP addresses?
  Also, does turning it on cause any downtime or disruption?
  I think I have to run these commands:
  conf t
  service dhcp
  interface GigabitEthernet2/40
  Ip helper-address 10.0.0.1
  Ip dhcp relay information option-insert
  Ip dhcp relay information option subscriber-id “wireless”
  I know these are probably simple questions, so please forgive my ignorance.
  James

  Ok here goes.
  On my domain controller/DHCP server, I have a scope setup of 10.0.0.0 255.255.0.0, and is set with an IP range of 10.0.0.1 - 10.0.6.253
  I have various reservations in place, and a working policy to assign thin clients an IP of 10.0.2.X based on their MAC address.
  I have then created a second policy, that should be assigning IPs in the 10.0.6.0 range, based on relay agent information, subscriber ID. This is a HEX value, so whatever string I enter on the Cisco, has to be converted to HEX.
  This DHCP server is on the same VLAN 3. The VLAN interface on the Cisco has IP of 10.0.0.254 255.255.0.0
  The wireless clients are getting IP addresses, but not within the range specified by the policy, so they are getting any address between 10.0.0.1 and 10.0.6.253 that is not already in use.
  Image 1 shows the vlan interface, where I have set the helper address, relay information option-insert, and subscriber id of "wireless".
  Image 2 shows the config on the port that my access point is connected to.
  Image 3 shows the value of the policy on the DHCP server, based on subscriber ID
  Image 4 shows the string "wireless" converted to HEX
  Image 5 shows the IP range that the policy should be using
  Image 6 shows "Edss-iPhone" as have an IP not within the correct range
  Hopefully that helps.

• Why can't Windows 7 be forced to use DHCP broadcast lease renewal?

  I have been going to this coffee shop for 11 years. It still has the same ADSL-based wireless internet service (an old wireless access point connected to the internet through ADSL).
  The ONLY way to communicate with the DHCP server in this wireless AP is via broadcast - lease renewal requests to the DHCP server via direct IP address are IGNORED. On top of that, the DHCP IP assignment pool is rather small, so to compensate the DHCP lease
  time is set to expire every 10 minutes. This is no problem normally, because an active DHCP client will request a lease renewal at half the lease time, or 5 minutes before the lease expires.
  Here is my problem: I had my registry setup to force DHCP broadcast and all was happy - UNTIL Microsoft decided to have an update ADD a "toggle broadcast" flag to the registry and make it impossible to override (so far, in spite of the kb928233
  page that supposedly tells you how to do so). Ever since then, I lose my DHCP lease (and therefore my internet connection) EVERY 10 MINUTES.
  BTW, the KB928233 page has manual registry editing instructions that are so poorly written that at least 2 or 3 different interpretations of those instructions exist. I tried at least 3 different interpretations of those instructions - none worked. A good
  part of the problem is no examples were given of what the resulting key tree should look like in regedit.
  I have invested at least 2 days in Google searches and various attempts to get these flags set the right way again - all to no avail. If I can't figure out how to solve this problem in 2 days of trying something is dreadfully wrong. Again, with emphasis,
  this USED TO WORK until somebody decided to put in a windows update that broke it.
  All I want to know is: for a particular wireless connection how to force broadcast DHCP lease renewal. Some update in the last several months seriously broke that, making it nearly impossible to force broadcast mode.  Oh yeah, it does a broadcast renewal
  request EVENTUALLY - AFTER THE CONNECTION WAS TERMINATED! That is useless - I just lost my remote terminal session or file transfer. I need it to do the broadcast request BEFORE the lease terminates.

  About 3 years ago (IIRC), when I first encountered this problem I used Wireshark to see what was going on. In the link you gave, the second bullet point under item 1 states that a broadcast DHCP renewal request would be given at 87.5 percent of the lease
  time. Wireshark never indicated that such a broadcast renewal went out. It did show the directed request at the 50% point.
  There is one other thing that may be relevant: at the time this problem re-appeared several months ago, a new registry flag also appeared: DhcpConnEnableBcastFlagToggle which was set to 1. I didn't put it there, so I surmise it came from a Microsoft update.
  At this same time the DhcpConnForceBroadcastFlag that I had set to 1 to fix my problem had been reset to 0, thus re-creating my problem.
  I have not looked at the traffic with Wireshark this time around, but I do know that I could use regedit to set the DhcpConnForceBroadcastFlag to 1, but 10 minutes later (at the exact second of the DHCP lease expiration) the connection was momentarily interrupted
  and when I did a regedit refresh, DhcpConnForceBroadcastFlag was now reset to 0 with a new lease expiration and *start* time.
  I suspect Windows rather than the access point for this reason: on a hunch last night, I tried stopping the DHCP client service, using regedit to set the DhcpConnForceBroadcastFlag to 1, then starting the DHCP client service. After this, at the DHCP lease
  expiration time there was no interruption of the connection, the DhcpConnForceBroadcastFlag was still 1 afterwards, and the DHCP lease time had been extended another 10 minutes with no new DHCP lease start time.
  So now my problem appears to be solved once again - and hopefully not temporarily this time.
  The laptop I am using has Windows 7 Home Premium edition with SP1 on it with all the latest updates. It does not appear to me to behave in the manner given in your TechNet note on Lease Renewals. If it would behave that way, I would not have had this problem.
  I am fully aware that the KB I list is for Vista - it was the only information I could find in what otherwise appears to be a void of information.

• How to manually configure and then use DHCP

  I'm having problems with internet connectivity. If I try to configure in Airport Utility, there are two choices - manual or use DHCP. If I allow AU to renew the DCHP lease, I end up with a bad IP address (one of those 169.... ones). If I configure manually and put in the IP address my service provide gave me, then I can input the address, but without the lease renewal, it won't connect. Put in the address in manual, switch to renew the lease, the bad address shows up.
  Obviously, since I'm writing this on-line I have connectivity, via the Ethernet port in the back of my iMac, which has the correct IP address I had to type in and is also using DHCP.
  So, what's the difference? Why won't Airport line up things just as the Ethernet network will?

  It sounds like your cable/DSL modem is not properly recognizing the AirPort Express Base Station (AX). Most of the time this can be remedied by just performing a complete power recycle when changing network configurations ... like when you switch what is connected to the modem.
  Try the following, in order, checking for Internet access after each step, until resolved:
  1. If the modem has a reset switch, use it to reset the modem. Wait at least 5-10 minutes for the modem to initialize.
  2. Remove power from the modem. If it has a backup battery, remove this as well. Wait 5-10 minutes. Replace the battery, and add power back to the modem.
  3. Perform a complete power recycle of your network components as follows:
  Modem/Router Power Recycling - Quick
  o Power-off the modem, AX, & computer(s); Wait at least 5 minutes.
  o Power-on the modem; Wait at least 5 minutes.
  o Power-on the AX; Wait at least 5 minutes.
  o Power-on the computer(s)
  If this fails to get the modem to "recognize" the Internet router, then try the "Full" version.
  Modem/Router Power ReCycling - Full
  o Power-off the modem, AX, & computer(s). (Wait at least 30 minutes. If possible, leave the modem off overnight.)
  o Power-on the modem; Wait at least 15 minutes.
  o Power-on the AX; Wait at least 5 minutes.
  o Power-on the computer(s)
  4. Contact your ISP to have them perform a "modem reset."

• "sticking" IP address using DHCP

  I have a problem of a "sticking" IP address when using DHCP to connect to the wi-fi network in my office. Every time I connect I get assigned the same IP address, usually a high number like 192.168.1.182 or 240. My connection then gets progressively slower and slower.
  When I can't take it any longer a I use DHCP with manual address to force a lower number, and then my connection speeds up for a while. The MBP eventually sets itself back to DHCP, however, and then the problem begins anew. Sometimes I then cannot connect at all, until I delete the network and re-add it, putting in its password again. Any ideas what the problem is?

  I suspect it's not the IP address per se but your changing of it that "speeds" up your network access, and it's likely because of interference or other environmental factors.
  The issue with Wi-Fi connections is the transmit rate constantly changes as interference and other factors do.
  The next time you connect, click the AirPort menu bar icon while holding down the option key and note the value shown for "transmit rate." Later, when your connection slows down, do the same and see if it's changed drastically.
  Also note that "forcing" a lower number is likely wreaking havoc on your network, as you're in all likelihood stealing an IP address from the router's DHCP range that it doesn't know is in use and therefore it may assign it to some future client.
  I'm sure your IT folks, if any, would also have an issue with what you're doing for the same reason.