Traffic not returning to remote VPN connections
I've successfully set up remote VPN connections to my ASA using vpnc as the client, and everything behaves as expected. I'm trying to test the official Cisco client and I'm unable to make the same SSH connections across the VPN as I was using vpnc.
The ASA shows the IKE and IPSec connections forming, and shows connections being built for the SSH traffic across the VPN.
tcpdump shows the host listening on SSH behind the ASA receiving the traffic and sending ACKs in reply. They don't appear to be arriving back at the remote client though, and SSH connections time out without connecting.
Any idea what might be stopping the return traffic? I thought it might be some policy the ASA is pushing out to the Cisco client but not to vpnc, but I can't spot anything obvious.
Is the internal SSH host you are connecting to sending ACKs (as you've stated), or SYN/ACKs?
It might be nice to know if the TCP three-way handshake is being completed and subsequent packets are the issue, or if it's the initial TCP setup that is the issue.
Perhaps there would be some benefit in confirming whether these packets are making it through the IPSec tunnel, through the ASA un-encapsulated, or not through the ASA at all.
You could use Wireshark to look for un-encapsulated packets exiting the ASA.
You could use Wireshark to capture the "pre-encapsulated" traffic being sent to the far side, and the "post-decapsulation" traffic returning from the far side, by capturing on the Cisco VPN Client virtual interface (Windows installation).
Perhaps examine IPSec SA details on the ASA and look for errors.
Perhaps logging on the internal interface ACL (log any packets denied) to identify whether the returning packets are being dropped.
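The first question in that answer (did the three-way handshake complete, or did the server's SYN/ACK never make it back?) can be read mechanically off a capture. The following is an added example, not code from the thread: a Python script that parses the one-line-per-packet text that `tcpdump -n` prints and classifies each client-to-server TCP flow. The capture lines are constructed for this example; addresses, ports and the `classify_handshakes` function name are assumptions, not something from the original post.

```python
"""Classify TCP handshakes seen in tcpdump text output.

Added example for the troubleshooting steps discussed above; it is not part
of the original thread. It reads the one-line-per-packet format printed by
`tcpdump -n` ("IP src.port > dst.port: Flags [S], ...") and, for each flow
opened by a SYN, reports whether the three-way handshake completed, whether
the server answered at all, and how often the client retransmitted its SYN
(repeated SYNs after a SYN/ACK was sent are the signature of return traffic
that never reaches the client).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: VPN client 10.0.10.4, SSH server 192.168.40.10.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.10.4.51234 > 192.168.40.10.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000450 IP 192.168.40.10.22 > 10.0.10.4.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:02.000001 IP 10.0.10.4.51234 > 192.168.40.10.22: Flags [S], seq 100, win 64240, length 0
12:00:02.000430 IP 192.168.40.10.22 > 10.0.10.4.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:04.000001 IP 10.0.10.4.51234 > 192.168.40.10.22: Flags [S], seq 100, win 64240, length 0
12:00:05.000001 IP 10.0.10.4.51300 > 192.168.40.10.22: Flags [S], seq 700, win 64240, length 0
12:00:05.000400 IP 192.168.40.10.22 > 10.0.10.4.51300: Flags [S.], seq 900, ack 701, win 65535, length 0
12:00:05.000800 IP 10.0.10.4.51300 > 192.168.40.10.22: Flags [.], ack 901, win 64240, length 0
12:00:05.001200 IP 10.0.10.4.51300 > 192.168.40.10.22: Flags [P.], seq 701:733, ack 901, win 64240, length 32
12:00:06.000001 IP 10.0.10.4.51400 > 192.168.40.10.22: Flags [S], seq 1100, win 64240, length 0
12:00:07.000001 IP 10.0.10.4.51400 > 192.168.40.10.22: Flags [S], seq 1100, win 64240, length 0
"""


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line tcpdump-style line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_handshakes(text):
    """Return {"client:port->server:port": {"verdict": ..., "syn_retransmits": n}}.

    Verdicts:
      established        - SYN, SYN/ACK and the client's ACK were all seen
      no_syn_ack         - the server never answered the SYN (traffic not
                           reaching the host, or dropped on the way in)
      syn_ack_unanswered - the server sent SYN/ACK but the client never ACKed
                           it and kept retransmitting SYN: the return path is
                           broken somewhere between server and client
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, sport, dst, dport, flags in parse_capture(text):
        if flags == "S":
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":
            # The reply travels server->client; file it under the client's flow key.
            key = (dst, dport, src, sport)
            if key in flows:
                flows[key]["synack"] += 1
        elif "." in flags and "S" not in flags:
            # Any ACK-bearing segment from the client after a SYN/ACK completes the handshake.
            key = (src, sport, dst, dport)
            if key in flows and flows[key]["synack"]:
                flows[key]["ack"] += 1

    verdicts = {}
    for (c, cp, s, sp), n in flows.items():
        if n["ack"]:
            verdict = "established"
        elif n["synack"]:
            verdict = "syn_ack_unanswered"
        else:
            verdict = "no_syn_ack"
        verdicts[f"{c}:{cp}->{s}:{sp}"] = {"verdict": verdict, "syn_retransmits": n["syn"] - 1}
    return verdicts


if __name__ == "__main__":
    for flow, info in classify_handshakes(SAMPLE_CAPTURE).items():
        print(flow, info)
```

Run it against the output of `tcpdump -n -i <inside-interface> port 22` taken on the SSH host (or on the client's VPN adapter); a flow reported as `syn_ack_unanswered` on the server side but `no_syn_ack` on the client side localises the loss to the return path through the ASA or the tunnel, which is exactly the split the answer above asks for.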
Similar Messages
-
Hello Guys
I created three different remote VPN connections with three different networks. I can make them one, but for some reason I don't mix all.
And I am using a Cisco ASA 5505 with Shrew Soft VPN software, so my problem is:
- I connected the Shrew Soft remote VPN; if I try to connect another remote VPN connection, it will not accept the second connection. So please, can anyone give me remote VPN connection software that accepts more than one connection?
Hi,
Since you mention the ASA and the VPN I presume you are trying to connect by VPN Client to the same ASA?
Why would you want to have several VPN client connections at the same time? (Though I think that isn't even possible.)
What are you trying to accomplish by these 3 different VPN Client configurations configured on the same ASA?
Isn't it just possible to configure one VPN Client connection to the ASA that would handle all the traffic of these 3 VPN Client connections?
- Jouni -
One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
also Transparent tunneling is selected but in the stats it states it is inactive
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168.40.x and all users obtain DHCP and surf the web. It has the required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool, but you cannot see any machines on the internal network. The PIX is at 40.2 and you cannot ping the PIX from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25.
I need to see the internal network and map network drives. I have another friend that is running the same config and it works, but his computer is on a Linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the IP of 192.168.40.25 from the VPN pool and my connecting PC is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter, but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the NATting and another had to do with the encryption, where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boilerplate but I believe my problem is in the NATting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exception Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the NATting is not proper for the VPN pool it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network since the others do require NATting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boilerplate example from Cisco and it also did not do what I need it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa but no one can ping the remote PC that connects via the Cisco Remote VPN client even though it receives an address from the VPN pool. Also "include LAN" is checked on the client. This was mentioned in another post.
Thank you once again.
Hi,
PIX501 is a very, very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support anything close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
Can not ping between remote vpn site ???
Site A is an L2L VPN, site B is a network-extension VPN; both connect to the same VPN device (5510) at the central office and work well. I can ping from the central office to both remote sites, but I cannot ping between these two VPN sites. Tried debug icmp; I can see the ICMP from site A does reach the central office but then disappears, not being sent to site B. Please help ...
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
access-list OUTSIDE extended permit icmp any any
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A
nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
crypto map VPN-MAP 50 match address HOLT-VPN-ACL
crypto map VPN-MAP 50 set peer *.*.56.250
crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
crypto map VPN-MAP interface outside
group-policy REMOTE-NETEXTENSION internal
group-policy REMOTE-NETEXTENSION attributes
dns-server value *.*.*.*
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE-NET2
default-domain value *.org
nem enable
tunnel-group REMOTE-NETEXTENSION type remote-access
tunnel-group REMOTE-NETEXTENSION general-attributes
authentication-server-group (inside) LOCAL
default-group-policy REMOTE-NETEXTENSION
tunnel-group REMOTE-NETEXTENSION ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.56.250 type ipsec-l2l
tunnel-group *.*.56.250 ipsec-attributes
ikev1 pre-shared-key *****
ASA-5510# show route | include 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# show route | include 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510#
Username : layson-ne Index : 10
Assigned IP : 192.168.46.0 Public IP : *.*.65.201
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11667685 Bytes Rx : 1604235
Group Policy : REMOTE-NETEXTENSION Tunnel Group : REMOTE-NETEXTENSION
Login Time : 08:19:12 EST Thu Feb 12 2015
Duration : 6h:53m:29s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA-5510# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : *.*.56.250
Index : 6 IP Addr : *.*.56.250
Protocol : IKEv1 IPsec
Encryption : 3DES AES256 Hashing : SHA1
Bytes Tx : 2931026707 Bytes Rx : 256715895
Login Time : 02:02:41 EST Thu Feb 12 2015
Duration : 13h:10m:03s
Hi Rico,
You need to dynamic-NAT (to an available IP address) both sides, so that each remote subnet can access the other remote subnet as if both were originating the traffic from your central location.
Example:
Let's say this IP (10.10.10.254) is an unused IP at the central office, permitted to access remote tunnel "A" and site "B".
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A
Hope this helps
Thanks
Rizwan Rafeek
Mouse Not Working in Remote Desktop Connection
Hello,
I am connecting from a work computer running Windows 7 Enterprise to my home computer running Windows 8.1 Pro. I am able to connect and the keyboard works just fine, but the mouse is not visible or usable in the
remote system. Any ideas?
Thank you in advance!
Josh
Hi Josh,
As per the link provided by Arnav Sharma, please check to see if the mouse pointer shadow is turned on.
If yes, turn the mouse pointer shadow off on the remote side.
Check the article below for the detailed steps to disable the mouse pointer shadow:
how do i turn off the shadow cursor which scatters typing on screen?
Best regards
Michael Shao
TechNet Community Support
HT4623 Internet traffic not disconnecting from LTE when connected to WIFI
IPAD is using 5 GB in 5 days. Only use device for corporate email.
How is that advice convenient and acceptable? I have a family with 6 children and 5 of them have Galaxy devices and they do not have to turn their Cellular data plans off when on my WIFI network.
-
Good morning everyone,
At my last position I was IT Director whose area of expertise was database and application development. All of the company's network planning and maintenance I entrusted to my sysadmin, Salvadore. Back in 2004 we began implementing major changes in the network. Salvadore recommended SonicWALL firewalls. He did a fantastic job of securing our valuable server assets. Among the many improvements Salvadore established VPN access to the datacenter assets for mobile employees. What I remember especially well was the ease-of-use: start the VPN Client then RDP to a server or connect with SQL Server, in addition to connecting to all devices on my home network. It was absolutely beautiful!
Fast forward to today. I have since retired. I do a little bit of daytrading on the side for entertainment. I leased a dedicated server to run an application that runs continuously 24 hours a day, 5 days a week. I contacted Salvadore to do a security audit on the server. As expected the server was under constant assault by bots trying to hack the RDP port. Salvadore recommended a firewall. The datacenter host offered us two choices of Cisco firewalls, one of which we chose: ASA 5505.
Today I have a secure server which pleases me. The one thing that bothers me however is that I lose access to my home network devices while the VPN Client is connected. Here are the symptoms:
I cannot send an email with Outlook as I normally do by relaying off of my Internet provider's SMTP server.
I cannot connect to the TradeStation servers with my TradeStation application using login credentials that are authorized for my home network only.
I cannot access my Seagate network storage drive.
This is what I discovered:
My wireless adapter (which I use from this laptop) identifies itself as "Wireless LAN adapter Wireless Network Connection" in IPCONFIG. IPv4 address is 192.168.0.5. Default Gateway: 192.168.0.1.
After I connect the VPN Client, IPCONFIG reports a new adapter: "Ethernet adapter Local Area Connection 2". IPv4 address is 10.0.10.4. Default Gateway: 10.0.10.1.
When I launch Windows Task Manager and click on the Networking tab, I see those two adapters.
When I launch IE and go to bandwidthplace.com to run a test, I see all of the network traffic going over "Ethernet adapter Local Area Connection 2".
When I disconnect VPN and then rerun the bandwidth test, I see that all of the network traffic now goes over "Wireless LAN adapter Wireless Network Connection".
This explains all of the symptoms:
My Internet Provider will only allow me to relay off of their email servers if I am connected to their network.
TradeStation refuses connection to their network because my credentials do not match my network address.
There is no Seagate network storage device on the remote server network.
My questions to the Cisco Support Community are:
Is this the best I can hope for?
Must all traffic be routed through the VPN connection?
Is there any way to route traffic destined for 10.0.*.* through VPN and everything else through the default connection?
Thank you everyone for your help. I would be happy to provide additional detailed information.
Hi Brian,
You can route traffic destined to 10.0.*.* over the VPN and keep normal internet traffic unencrypted over the default connection - this setup is known as VPN Split Tunnelling.
This doc shows how to setup the access control list and apply this to the tunnel policy.
Hope this helps
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
Asa 5505 Remote VPN Can't access with my local network
Hello guys, I have a problem with my ASA 5505 remote VPN connection and local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network of 192.168.30.x. Here is my configuration; please can you help me?
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Hey Jennifer, I did everything you mentioned, but still I can't reach my inside network (LOCAL network). I am using Shrew Soft VPN Access Manager for my VPN connection.
here is my cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer:155.155.155.1, username: Thomas
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 73FFAB96
inbound esp sas:
spi: 0x1B5FFBF1 (459275249)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2894
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x73FFAB96 (1946135446)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2873
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
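Both the PIX 501 thread above and this ASA 8.2 one come down to the same two questions about the VPN pool: are the pool addresses exempted from NAT on the inside interface (the `nat (inside) 0 access-list` entry), and is the pool carved out of the inside subnet itself, which the PIX configuration does (pool 192.168.40.25-30 inside 192.168.40.0/24) and which makes the firewall responsible for answering ARP for those addresses on the inside. The following is an added example, not code from either post: a Python checker that parses the handful of pre-8.3 PIX/ASA commands involved and reports any pool address with no matching exemption, plus pools that overlap the inside subnet. The sample configurations are constructed, trimmed versions of the two posted ones; the third sample is a deliberately mis-sized pool so the failing case is visible. Function names are assumptions.

```python
"""Check that a remote-access VPN pool is exempted from NAT (nat 0 / identity NAT).

Added example for the PIX 6.3 and ASA 8.2 threads above; not code from the
original posts. It understands only the commands that matter for the check:
  ip local pool NAME FIRST-LAST [mask M]
  nat (inside) 0 access-list ACL
  access-list ACL [extended] permit ip SRC DST      (SRC/DST: any | host IP | IP MASK)
  ip address inside IP MASK                          (PIX form)
  ip address IP MASK under an interface with 'nameif inside' (ASA form)
Object-group references are not resolved in this example.
"""
import ipaddress


def _net(tokens, i):
    """Parse an ACL address at tokens[i]; return (network-or-None, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "object-group":
        return None, i + 2  # not expanded here
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract pools, ACL entries, nat 0 ACL names and the inside subnet."""
    pools, acls, nat0_acls, inside = {}, {}, [], None
    in_inside_if = False
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            in_inside_if = False
        elif t[:2] == ["nameif", "inside"]:
            in_inside_if = True
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            if t[2] == "inside" and len(t) >= 5:            # PIX: ip address inside IP MASK
                inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif in_inside_if and t[2][0].isdigit():        # ASA: ip address IP MASK
                inside = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0_acls.append(t[4])
        elif t[0] == "access-list" and len(t) >= 4:
            body = t[3:] if t[2] == "extended" else t[2:]
            if body[:2] == ["permit", "ip"]:
                src, i = _net(body, 2)
                dst, _ = _net(body, i)
                if src is not None and dst is not None:
                    acls.setdefault(t[1], []).append((src, dst))
    return pools, acls, nat0_acls, inside


def check_pool_exemption(text):
    """Return {pool: {"uncovered": [addr, ...], "overlaps_inside": bool}}."""
    pools, acls, nat0_acls, inside = parse_config(text)
    exempt = [e for name in nat0_acls for e in acls.get(name, [])]
    report = {}
    for name, (first, last) in pools.items():
        uncovered = []
        addr = first
        while addr <= last:
            # Exempt when some nat 0 entry covers this pool address as destination
            # with the inside subnet (or 'any') as source.
            covered = any(addr in dst and (inside is None or src.overlaps(inside))
                          for src, dst in exempt)
            if not covered:
                uncovered.append(str(addr))
            addr += 1
        report[name] = {
            "uncovered": uncovered,
            # Pool inside the inside subnet: the firewall must proxy-ARP for these
            # addresses on the inside interface; a dedicated subnet avoids that.
            "overlaps_inside": inside is not None and (first in inside or last in inside),
        }
    return report


# Constructed samples, trimmed from the two posted configurations.
PIX_SAMPLE = """\
ip address inside 192.168.40.2 255.255.255.0
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
ASA_SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 155.155.155.10 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Constructed failure: the pool grew to .20 but the /28 exemption stops at .15.
BROKEN_SAMPLE = ASA_SAMPLE.replace("192.168.100.1-192.168.100.10", "192.168.100.1-192.168.100.20")

if __name__ == "__main__":
    for label, cfg in (("PIX", PIX_SAMPLE), ("ASA", ASA_SAMPLE), ("BROKEN", BROKEN_SAMPLE)):
        print(label, check_pool_exemption(cfg))
```

Both posted configurations pass the exemption check as written (the PIX ACL covers the whole /24, the ASA ACL covers the /28 the pool sits in), which narrows the PIX case to the pool-inside-the-inside-subnet condition the checker flags, and leaves the ASA case, where `show crypto ipsec sa` counts zero packets in either direction, pointing at traffic never entering the tunnel rather than at NAT.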
Remote VPN ! site-to-site
Remote VPN client cannot get across L2L (site-to-site) tunnel after making connection.
Topology:
[remote]->[ASA1]-><L2L}->[ASA2]->LAN2
The problem is at the remote client, which is using Cisco VPN client.
Remote client connection is made fine to [ASA1].
Problem is that remote client does not know route to network LAN2 and dumps traffic off to its default gateway rather than directing it to [ASA1] for forwarding to [ASA2]. ([ASA1] and [ASA2], of course, know about each other.)
Cisco VPN client has capability of being "told" subsequent routes (Status->statistics->Route details).
As I see it, the client must get this info from the ASA to which it makes its remote VPN connection.
The advice I am hoping for is the CLI or ASDM syntax I need to apply to get the ASA to provide this route information.
TIA
Adam, thank you for the comprehensive reply ... unfortunately it's not working.
1. The statements you list above were already there to facilitate the L2L.
2. I turned-off split tunneling (or think I did) and ran a test ... no joy.
This took me back to my original premise that the remote client doesn't know how to send the traffic (bound for L2L) down the remote tunnel and dumps it off to its default gateway (to the WWW).
If you're willing to look at it, I have attached screen shots of the client ipconfig and the Cisco VPN client - showing its routes.
The ipconfig seems to say that the remote connection has its default gateway, and the tunnel has none.
The VPN client screen shows it knows a route (192.168.5.0/24) to the ASA, but nothing beyond. The ASA does, in fact, know about the network (10.64.0.0/16) at the other end of the L2L.
As I see it, if I can find a way to get the ASA to advertise this route to the VPN client, the problem might be solved. The client will then know to forward the traffic to the ASA instead of dumping it to the default gateway.
TIA
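The split-tunnel thread above (all traffic forced into the VPN) and this one (a remote client that never sends packets for the LAN behind the site-to-site tunnel into the VPN) are two faces of the same mechanism: the client only routes into the tunnel what the ASA's group-policy `split-tunnel-policy` and `split-tunnel-network-list` tell it to. The following is an added example, not code from either post, that models that client-side routing decision in Python for the three policy values `tunnelall`, `tunnelspecified` and `excludespecified`. The ACL text, destination addresses and function names are constructed for the example; the 10.0.*.* and 10.64.0.0/16 networks are the ones the two posts mention, the rest (home NAS, ISP SMTP host) are placeholders.

```python
"""Which destinations enter the VPN under an ASA group-policy split-tunnel setting.

Added example for the two threads above; not code from the original posts.
It models the client-side effect of
  split-tunnel-policy tunnelall | tunnelspecified | excludespecified
  split-tunnel-network-list value ACL
where the ACL is a standard ACL ('access-list NAME standard permit NET MASK')
or the older PIX extended form ('access-list NAME permit ip NET MASK ...',
whose source network is what gets pushed to the client).
"""
import ipaddress


def _net(addr, mask):
    """'any' means the whole IPv4 space; otherwise NET/MASK."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_split_acl(text):
    """Collect the networks a split-tunnel ACL pushes to the client."""
    nets = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        if t[2] == "standard" and t[3] == "permit":
            nets.append(_net(t[4], t[5] if len(t) > 5 else "255.255.255.255"))
        elif t[2] == "permit" and t[3] == "ip":
            nets.append(_net(t[4], t[5] if len(t) > 5 else "255.255.255.255"))
    return nets


def egress(policy, tunnel_nets, dst):
    """Return 'vpn' or 'local' for one destination under the given policy."""
    d = ipaddress.ip_address(dst)
    listed = any(d in n for n in tunnel_nets)
    if policy == "tunnelall":
        return "vpn"                      # everything, including internet, goes in
    if policy == "tunnelspecified":
        return "vpn" if listed else "local"
    if policy == "excludespecified":
        return "local" if listed else "vpn"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def route_report(policy, acl_text, destinations):
    """Map each destination to the adapter that carries it ('vpn' or 'local')."""
    nets = parse_split_acl(acl_text)
    return {dst: egress(policy, nets, dst) for dst in destinations}


# Constructed inputs. Brian's case: server network 10.0.*.*, home NAS and an ISP
# SMTP relay (TEST-NET-3 placeholder) that must stay on the local adapter.
BRIAN_DESTS = ["10.0.10.10", "192.168.0.20", "203.0.113.25"]
SPLIT_ACL_10 = "access-list SPLIT standard permit 10.0.0.0 255.255.0.0"
# Adam's case: only the ASA's own LAN is pushed, so the LAN behind the L2L is not.
SPLIT_ACL_L2L_MISSING = "access-list SPLIT standard permit 192.168.5.0 255.255.255.0"
SPLIT_ACL_L2L_ADDED = SPLIT_ACL_L2L_MISSING + "\naccess-list SPLIT standard permit 10.64.0.0 255.255.0.0"

if __name__ == "__main__":
    print("tunnelall       ", route_report("tunnelall", "", BRIAN_DESTS))
    print("tunnelspecified ", route_report("tunnelspecified", SPLIT_ACL_10, BRIAN_DESTS))
    print("L2L net missing ", route_report("tunnelspecified", SPLIT_ACL_L2L_MISSING, ["10.64.1.10"]))
    print("L2L net added   ", route_report("tunnelspecified", SPLIT_ACL_L2L_ADDED, ["10.64.1.10"]))
```

Under `tunnelall` the model sends the home NAS and the ISP relay into the VPN, reproducing the symptoms in the earlier post; switching to `tunnelspecified` with only 10.0.0.0/16 listed keeps them local. For the site-to-site case, the 10.64.0.0/16 network only reaches the tunnel once it is added to the pushed list; on the ASA side the hairpin back out the outside interface still has to be permitted, which is what the "statements already there to facilitate the L2L" in the thread refer to. The pushed list also bounds exposure: a client compromised while connected can only reach what is in it.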
IPad2, Verizon 3G, VPN Connectivity Issues
Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
For those enterprise users that have an iPad2 with Verizon's 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any workaround to allow connectivity, or does it work fine for you?
Here's a summary of my issues:
We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux, Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it failed. I then took an associate's iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G so I can't speak for that.
Here's the logs from the VPN server while connecting from my iPad2:
Wi-Fi
Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
Jul 27 05:20:46 localhost pppd[31694]: local IP address 192.168.1.69
Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
Quick connect, able to utilize VPN connection normally. No issues.
Verizon 3G
Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
Jul 27 05:20:33 localhost pppd[31682]: Exit.
As you can see, the peer refuses to authenticate, causing the link to be terminated while attempting to connect using Verizon's network. This is with the same VPN connection settings on the iPad2 that just worked with the Wi-Fi connection from the same device.
Here's what I can verify with regards to 3G networks:
Older (<4) iPhones and iPad1 using AT&T can connect
Windows and OS X based laptops using Sprint 3G can connect
Android based smart phones using Sprint 3G can connect
I have not called Verizon or Apple Support yet, but that's next when I have the time. My initial conclusion is that there is something with Verizon's 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?
Hi Alexander,
I am running into the exact same issue (although not with Linux). Did you ever find a fix for this? I have some support tickets open with my VARs, but found your post and thought I would check. If I find anything I will post.
Thanks
Stu
I have the VPN connected...how to access services?
Ok so I activated the VPN service on the server (snow leopard server), and have successfully connected to it from a machine running Lion. Now what?
I would like to access network shares on the file server, and be able to access VNC screen sharing and so forth. Yet nothing shows up in the network browser etc. What am I missing?
This has been discussed many times.... the Network Browser only looks at the local network. It knows nothing about (and does not look across) the VPN connection.
To access resources over the VPN use the Finder's Go -> Go to Server menu and enter the appropriate hostname of the remote (VPN-protected) service. This does, of course, mean that you need to know the hostname (or IP address) of the server in question.
There are ways of configuring Network Browser to work, but it's non-trivial in most cases. -
JMS doesn't work with VPN connection on weblogic8.1
Hi:
We have used a JMS topic on WebLogic 7.x and we use both LAN and VPN connections.
However, when we switched to WebLogic 8.1, although it works fine when using a LAN connection, it does not work when using a VPN connection. We tried three different machines and got the same error.
The error is:
weblogic.jms.common.JMSException: Error creating connection on the server
    at weblogic.jms.client.JMSConnectionFactory.createConnectionInternal(JMSConnectionFactory.java:160)
    at weblogic.jms.client.JMSConnectionFactory.createTopicConnection(JMSConnectionFactory.java:95)
    at com.dynamex.decs.common.jms.DecsSubscriber.initialize(DecsSubscriber.java:59)
    at com.dynamex.decs.client.orderentry.swing.OrderEntry.initRMI(OrderEntry.java:1714)
    at com.dynamex.decs.client.orderentry.swing.OrderEntry.<init>(OrderEntry.java:124)
    at com.dynamex.decs.client.orderentry.swing.OrderEntry.main(OrderEntry.java:3180)
Caused by: java.rmi.MarshalException: CORBA COMM_FAILURE 1398079697 No; nested exception is:
    org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 209 completed: No
    at com.sun.corba.se.internal.iiop.ShutdownUtilDelegate.mapSystemException(Unknown Source)
    at javax.rmi.CORBA.Util.mapSystemException(Unknown Source)
    at weblogic.jms.frontend._FEConnectionFactoryRemote_Stub.connectionCreateRequest(_FEConnectionFactoryRemote_Stub.java:106)
    at weblogic.jms.client.JMSConnectionFactory.createConnectionInternal(JMSConnectionFactory.java:139)
    ... 5 more
Caused by: org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 209 completed: No
    at com.sun.corba.se.internal.iiop.IIOPConnection.purge_calls(Unknown Source)
    at com.sun.corba.se.internal.iiop.MessageMediator.handleInput(Unknown Source)
    at com.sun.corba.se.internal.iiop.messages.MessageBase.callback(Unknown Source)
    at com.sun.corba.se.internal.iiop.MessageMediator.processRequest(Unknown Source)
    at com.sun.corba.se.internal.iiop.IIOPConnection.processInput(Unknown Source)
    at com.sun.corba.se.internal.iiop.ReaderThread.run(Unknown Source)
Does anybody have the experience? Can anybody give a hint?
Thanks,
Tony
Hi Tony,
Given that the thick jar works, I would classify the problem
as a bug - not a missing feature. The thin jar is contracted
to be just as capable as the thick jar. My guess is that
the bug is likely in IIOP but perhaps could be in JMS.
Contact customer support (this forum is not maintained by
customer support). Meanwhile, you can post your info
to the IIOP newsgroup to see if they can help.
You asked how long it would take to fix? That depends
on bug priority (set by the customer) and bug complexity,
but it's usually measured in days or weeks (not months).
You can speed up the process by giving support your
logs and stack traces, as well as a simple reproducer,
and telling them you are willing to try out a prototype
patch. But before going through extra trouble, just give
them the logs/stack traces, in case it is a known issue
for which there is already a fix or there is a fix in progress.
Tom
tony yang wrote:
> Tom:
>
> Thanks,
> We actually use t3. However, according to the WebLogic 8.1 docs, t3 transparently
> uses iiop. So both t3 and iiop fail over a VPN connection.
>
> After replacing with full weblogic jar as you suggested, it works.
>
> However, we really want the thin client because we have huge amount of client
> deployments.
>
> The other developers here also noticed other problems beside JMS problem
> when using VPN connection and thin client jars.
>
> We guess full weblogic.jar uses real t3 instead of iiop.
>
> Seems that iiop does not work well over VPN connection.
>
> Could you give some estimate of when we can have the new thin client jars
> to support VPN connection (even not official release)?
>
> Tony
>
> Tom Barnes <[email protected]> wrote:
>
>>Hi Tony,
>>
>>At first glance I don't know what is going on, and can only
>>make some random suggestions. Perhaps try
>>the t3 protocol (rather than iiop protocol) if you are using iiop
>>URLs to connect to JMS. If you are using the new 8.1 thin
>>client jars, try switching back and using full jar instead.
>>Perhaps try posting to the IIOP newsgroup.
>>
>>Tom, BEA
>>
>>tony yang wrote:
>>
>>
>>>I also have the log from weblogic server:
>>>
>>>weblogic.jms.dispatcher.DispatcherException: Could not register a HeartbeatMonitorListener for [weblogic.iiop.IIOPRemoteRef@745152c4] for weblogic.jms.C:dal603
>>>t05:rcy:-l91
>>>    at weblogic.jms.dispatcher.DispatcherWrapperState.addPeerGoneListener(DispatcherWrapperState.java:563)
>>>    at weblogic.jms.dispatcher.DispatcherManager.dispatcherAdd(DispatcherManager.java:106)
>>>    at weblogic.jms.dispatcher.DispatcherManager.addDispatcherReference(DispatcherManager.java:196)
>>>    at weblogic.jms.frontend.FEConnectionFactory.connectionCreateInternal(FEConnectionFactory.java:413)
>>>    at weblogic.jms.frontend.FEConnectionFactory.connectionCreateRequest(FEConnectionFactory.java:385)
>>>    at weblogic.jms.frontend.FEConnectionFactory_WLSkel.invoke(Unknown Source)
>>>    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:466)
>>>    at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:108)
>>>    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:409)
>>>    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:353)
>>>    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
>>>
>>>
>
-
Use VPN connection as a listen network interface in Web Application proxy
I have a test environment: domain in hyper-v with Sharepoint and Office Web Apps servers (all under Windows 2012 - Windows 2012 R2).
Because my home ISP does not permit some inbound ports (80, 443) on a gateway machine (under Windows 2012 R2), I created a VPN connection (via "Set up a new connection or network") to my outside VPN server. On this VPN server the port forwarding is configured and works fine (e.g. the default IIS site is visible).
I am trying to publish my SharePoint 2013 Foundation to the Internet over this VPN connection and ran into a problem: WAPx (Web Application Proxy) does not bind to this VPN connection, only to traditional network interfaces.
The question is: how do I make WAPx listen on the VPN interface?
Hi,
Thank you for posting in Windows Server Forum.
Please check the thread and articles below; they might be helpful in your case.
Configure a reverse proxy device for SharePoint Server 2013 hybrid
http://technet.microsoft.com/en-us/library/dn607304(v=office.15).aspx
Forcing VPN users through a proxy
http://social.technet.microsoft.com/Forums/en-US/5a6a502d-4583-4c51-8486-3af982ba92da/forcing-vpn-users-through-a-proxy?forum=winserverNIS
What’s New in 2012 R2: People-centric IT in Action - End-to-end Scenarios Across Products
http://blogs.technet.com/b/in_the_cloud/archive/2013/07/17/people-centric-it-in-action-end-to-end-scenarios-across-products.aspx
Hope it helps!
Thanks,
Dharmesh -
RemotePanel.ConnToServers property not returning results
Hi!
I'm trying to detect remote panel connections to my LabVIEW app. I have created the following snippet of code:
When I run this and then connect remotely with this other computer sitting next to me, the array remains blank.
I'm using LabVIEW 2009. Any input greatly appreciated.
Turns out that particular property of the App reference will not get you remote panel connections. Not sure what that particular property is used for.
The remote panel connections list is accessible through an Invoke node of a VI reference. If you open a reference to the current VI, you can get a list of remote panel connections and make decisions based on this list:
-Nic -
Trouble about vpn connecting (PPTP VPN did not respond)
I am new to Mac. These days I have searched a lot online for the solution to this problem but none fixed it. So....
Our lab only has instructions for connecting to the VPN under Windows, and I succeeded in doing this by following them in Windows 7.
There is a host name instead of an IP address in the instructions, and I think that should not be the problem.
And in the TCP/IP protocol property settings, the user was asked to remove the tick before "Use default gateway on remote network". Besides, the instructions set it to obtain the IP address and DNS address automatically, so I do not have such information about our lab's server.
On my new MacBook Pro (Mac OS X Lion 10.7.3), I did the following things:
1. in system properties->network, Select the + button at the bottom left of the screen to add a new connection.
2. Select the following:
a. Interface: VPN
b. VPN Type: PPTP
c. Service Name: SAS VPN
d. Select Create.
3. Configuration: default
server address: host name “xxx.xx.xxxx.xx”
account name: (I am sure there is no error in this)
encryption: none
4. click Authorization settings to input the password.
5. Click the Advanced button and select Options. Verify "Send all traffic over VPN connection" is checked (or not checked; I tried both, and neither worked). About the other settings:
6. On the TCP/IP tab, set "Configure IPv4" to "Using PPP." So I can not input the DNS server information.
7. click apply and then try to connect.
However, it returned me an error said " PPTP-VPN server did not respond. Try to reconnect. If that continues....."
I think there are lots of Mac OS X experts here. Can anyone help me with this? Thanks a lot in advance!
>> encryption: none
I found out that you NEED encryption in Lion Server VPN.
I understand that you use Lion Server, since you mention the problem here in the Lion Server section.
I did the following: I installed the "Admin Tool VPN" from the App Store for a few Euros. Then I found the PPTP section, where there are checkboxes for
a) Active
b) Compression and Encryption
I unchecked b), restarted (Off / On), took my XP notebook, connected via PPTP, and everything worked!
Since Lion, Apple hides a lot of things from the official tools, and with some special tools you can activate functions. There is
Level 1, the user level: something like the Dashboard in the new MS servers, or the Server App in the new Lion Server.
Level 2, the administrator level: the difference between Server App and Server Admin! The Server Tools you need to download separately, as you learn after a while when something is missing. Same with the new AirPort Utility: the user-level tool is AU 6.0 with graphical fun and some basics; AU 5.6 is the admin tool that you need to download separately.
Level 3, the deeper view: typically this is the command line interface (CLI), but if you want a GUI (graphical user interface), you buy an app like Admin VPN Tool, and this app (for a few Euros) really does nothing more than comfortably set some internal switches and flags that the official GUI admin tools have not implemented.
Why?
Oh, I think it's because of security issues. Do you want the Mac Server to become like a Microsoft Server? You shouldn't use unencrypted connections, and that's (in my understanding) the reason why Lion Server EXPECTS YOU to use encryption and the official tools don't give you the opportunity to switch encryption off!
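Two threads above come down to reading pppd's syslog output: the iPad over Verizon 3G dies with "peer refused to authenticate: terminating link", and the PPTP thread hinges on whether encryption (MPPE) is negotiated at all. The script below is an added example, not code from any post on this page: it groups pppd syslog lines by the pppd PID and assigns each session one outcome, so authentication refusals, MPPE negotiation failures and successful connects can be separated in a noisy log. Only the four lines from the posted log are real; the other sample lines are constructed, and the MPPE and IPv6CP message wording is assumed from pppd's own sources rather than taken from this page.

```python
"""Classify pppd client sessions from syslog lines (added example, not from the thread)."""
import re
from collections import OrderedDict

# Shape of a pppd syslog line, e.g.
# Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pppd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Most specific first: a definite failure outranks a later generic match.
# "MPPE required" must not match the success line "MPPE 128-bit ... enabled".
RULES = [
    ("auth_refused_by_peer", re.compile(r"peer refused to authenticate")),
    ("mppe_not_negotiated", re.compile(r"\bMPPE required\b")),  # assumed pppd ccp.c wording
    ("auth_failed", re.compile(r"authentication failed", re.I)),
    ("connected", re.compile(r"^(local|remote)\s+IP address ")),
]


def parse(lines):
    """Group message bodies by pppd PID, keeping first-seen order."""
    sessions = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # not a pppd line; other daemons share the syslog
            continue
        sessions.setdefault(m.group("pid"), []).append(m.group("msg"))
    return sessions


def classify(msgs):
    """Return one outcome label for a session's messages."""
    for label, pat in RULES:
        if any(pat.search(msg) for msg in msgs):
            return label
    if any(msg.startswith("Connection terminated") for msg in msgs):
        return "terminated_unknown_reason"
    return "incomplete"


def summarize(lines):
    """Map PID -> outcome for every pppd session in the given syslog lines."""
    return {pid: classify(msgs) for pid, msgs in parse(lines).items()}


# Constructed sample: PID 31682 is the posted log; 31700 and 31750 are made up.
SAMPLE_LOG = """\
Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
Jul 27 05:20:33 localhost pppd[31682]: Exit.
Jul 27 05:25:10 localhost pppd[31700]: Connect: ppp2 <--> /dev/pts/5
Jul 27 05:25:12 localhost pppd[31700]: MPPE required but peer negotiation failed
Jul 27 05:25:12 localhost pppd[31700]: Connection terminated.
Jul 27 05:25:12 localhost pppd[31700]: Exit.
Jul 27 05:30:01 localhost pppd[31750]: Connect: ppp3 <--> /dev/pts/6
Jul 27 05:30:03 localhost pppd[31750]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 27 05:30:04 localhost pppd[31750]: MPPE 128-bit stateless compression enabled
Jul 27 05:30:04 localhost pppd[31750]: local  IP address 10.0.1.2
Jul 27 05:30:04 localhost pppd[31750]: remote IP address 10.0.1.1
Jul 27 05:30:05 localhost sshd[4000]: Accepted publickey for alice from 10.0.1.1 port 50000
"""

if __name__ == "__main__":
    for pid, outcome in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"pppd[{pid}]: {outcome}")
```

The IPv6CP "Unsupported protocol" line in the third session deliberately does not change its verdict, matching the observation above that the rejected IPv6 protocol still results in a working connection; the rule order is what keeps a session that negotiated MPPE and then got IP addresses from being mislabelled.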