Tunneling Problem.

Hello All,
This is Jay Kishan. I work in Pakistan Petroleum Limited as a Network Associate. There is a little problem that i am facing recently. We have a Head Office in Karachi and a Remote Location is Islamabad. We are connecting them with a Primary DXX Link with an active VSAT Backup Link. As soon as the DXX Link goes down the VSAT Link comes up automatically. But the DXX Provider has introduced a few more non-cisco devices in the middle and now we have to create a tunnel from our ISB 2610 Router to KHI 3661 Router. The reason for creating the tunnel is that we dont want the DXX provider to know our network. But the problem that we have at our hand is that the tunnel never goes down as the interfaces on both the routers are connected to devices that wont go down. But there can be a problem in some other middle device because of which the link may not work. So the situation is that even the DXX Link isnt working the tunnel is still up and the VSAT Backup link doesnt come up. So how can i make sure that if the DXX Link stops working the tunnel could sense it and the VSAT Backup link comes up automatically. I will be very much thankful for any sort of help. Thanks in advance.
Regards,
Jay Kishan
PPL

Jay
The GRE keepalive is a very nice feature and it does sound like it would solve your problem. It was introduced somewhat recently (I just looked at the notes and it indicates that it was introduced on some platforms in 12.2(8)T and a bit later on other platforms). What platform are you running this on and what version of code?
The configuration is pretty straightforward:
interface tunnel n
keepalive
and it has optional parameters on the keepalive to specify how many seconds and how many retries.
If you router does not have keepalive as a command under the tunnel interface, then that is a good indication that the version of code that you are running does not have this feature. Would it be worth upgrading code to get this feature?
HTH
Rick

Similar Messages

VPN tunnel Problem

Hi all ,
I need create VPN tunnels between two ASAs devices . And these devices are connected through DSL . And as you know in this case we use private outside IP address , because there is a NAT device at the outside . The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical .

I hve allready configured following configuration.
no crypto map newmap interface outside
no crypto map newmap 171 set peer 195.11.199.144
no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
crypto map newmap 171 set peer 195.11.204.5
isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
clear crypto ipsec sa
clear crypto isakmp sa
crypto map newmap interface outside
Setting were applied successfully however Still VPN tunnel is not been initiated.

Tunneling Problem using HttpsUrlConnection

Hi,
I had gone through forums regarding this topic and still i am facing the same problem using the HttpsUrlConnection. We are working behind a proxy so we have to make a proxy authorization if we want to connect to a server in the internet.
But in case of HttpUrlConnection, everything works
fine. But if we do the same with a HttpsUrlConnection, the authentication fails. It throws an IOException
with the message
Unable to tunnel through 192.9.100.10:80.
Proxy returns "HTTP/1.1 407 Proxy authentication required"
Sample code as follows,
The following code doesn't have any problem becos it works fine with HttpUrlConnection and also it is working without proxyserver for https as well.
This is running under MSVM.
I don't want to use SSLSocketFactory and i need to use following layout(i.e only with Httpsurlconnection)
Is there any way to make work with proxyserver? Or can't we do this at all?
System.setProperty("proxySet","true");
System.setProperty("https.proxyHost","proxyIP");
System.setProperty("https.proxyPort","80");
OutputStream os = null;
OutputStreamWriter osw = null;
InputStream is = null;
InputStreamReader isr = null;
BufferedReader br = null;
URL url;
String line = null;
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
String login = proxyUserName+":"+proxyPassWord;
String encodedLogin = new sun.misc.BASE64Encoder().encode(login.getBytes());
url = new URL("https://www.verisign.com");
HttpsURLConnection con = null;
con =(HttpsURLConnection) url.openConnection();
con.setRequestProperty("Proxy-Authorization", encodedLogin);
con.setRequestMethod("GET");
con.setDoOutput(true);
con.setDoInput(true);
con.setUseCaches(false);
con.connect();
os = con.getOutputStream();
osw = new OutputStreamWriter(os);
osw.write("SampleMsg");
osw.flush();
osw.close();
is = con.getInputStream();
isr = new InputStreamReader(is);
br = new BufferedReader(isr);
while ( (line = br.readLine()) != null)
System.out.println("line: " + line);
Can any one help me regarding this?I need a reply very urgently.
Thanks,
Prabhakaran R

Hope this help.
Note to change the properties to fit your system, and use the supported package ( JSSE, JRE1.5.......).
You can use URLConnection for both HTTP or HTTPS protocol.
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
import javax.net.ssl.*;
public class testSSL9 {
public testSSL9() {
byte[] data = httpConnection();
System.out.println(new String(data));
public static void main(String[] args) {
Properties sysprops = System.getProperties();
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// sysprops.put("java.protocol.handler.pkgs",
// "com.sun.net.ssl.internal.www.protocol");
sysprops.put("java.protocol.handler.pkgs",
"javax.net.ssl.internal.www.protocol");
sysprops.put("javax.net.ssl.trustStore",
"D:/jdk1.4/jre/lib/security/cacerts");
sysprops.put("javax.net.debug", "ssl,handshake,data,trustmanager");
sysprops.put("https.proxyHost", "172.16.0.1");
sysprops.put("https.proxyPort", "3128");
sysprops.put("https.proxySet", "true");
sysprops.put("http.proxyHost", "172.16.0.1");
sysprops.put("http.proxyPort", "3128");
sysprops.put("proxySet", "true");
testSSL9 testSSL91 = new testSSL9();
private byte[] httpConnection() {
try {
URL url = null;
// String strurl = "https://www.verisign.com";
String strurl = "https://central.sun.net";
// String strurl = "http://www.yahoo.com"; --> use: HttpURLConnection
url = new URL(strurl);
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
HttpsURLConnection.setFollowRedirects(false);
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setUseCaches(false);
connection.connect();
InputStream stream = null;
BufferedInputStream in = null;
ByteArrayOutputStream bytearr = null;
BufferedOutputStream out = null;
try {
stream = connection.getInputStream();
in = new BufferedInputStream(stream);
bytearr = new ByteArrayOutputStream();
out = new BufferedOutputStream(bytearr);
catch (Exception ex1) {
System.out.println(ex1);
System.out.println("Server reject connection...sory");
int i = 0;
while ( (i = in.read()) != -1) {
out.write(i);
out.flush();
stream.close();
in.close();
bytearr.close();
out.close();
return bytearr.toByteArray();
catch (Exception ex) {
ex.printStackTrace();
return null;
}

Oracle 9i Web Services Quickstart Install TCP tunneling problem

When I try to run the OTNGUIDGenerator example using the TCP Tunneling portion of the Oracle 9i Web Services Quickstart
Install I get this in the From localhost8900 tunnel window:
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<ns1:getGUID xmlns:ns1="oracle.otn.ws.emarket.OTNGUIDGenerator" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
</ns1:getGUID>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I get this in the From 127.0.0.1:8888 window:
HTTP/1.1 404 Not Found
Date: Mon, 28 Oct 2002 20:38:06 GMT
Server: Oracle9iAS (9.0.2.0.0) Containers for J2EE
Content-Length: 171
Connection: Close
Content-Type: text/html
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resource /j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator not found on this server</BODY></HTML>
This is my webservices stub
public class OTNGUIDGeneratorStub
/** public String endpoint = "http://otn.oracle.com/ws/oracle.otn.ws.emarket.OTNGUIDGenerator"; */
public String endpoint = "http://127.0.0.1:8900/j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator";
private OracleSOAPHTTPConnection m_httpConnection = null;
public OTNGUIDGeneratorStub()
System.setProperty("oracle.soap.transport.noHTTPClient", "true");
m_httpConnection = new OracleSOAPHTTPConnection();
Properties props = new Properties();
/** props.put(OracleSOAPHTTPConnection.PROXY_AUTH_TYPE, "basic");
props.put(OracleSOAPHTTPConnection.PROXY_HOST, "proxy.scott.af.mil");
props.put(OracleSOAPHTTPConnection.PROXY_PORT, "375");
props.put(OracleSOAPHTTPConnection.PROXY_USERNAME, "fowlerji");
props.put(OracleSOAPHTTPConnection.PROXY_PASSWORD, "F1234567*g"); */
m_httpConnection.setProperties(props);
Not sure what to call the server - this works okay when I'm not using tunneling and using our proxy server??

I think your problem is that you have a proxy user/password and the TCP Monitor (both the command line and built-in 9.0.3 version) do not support that - they only support specification of the proxy server itself :-(
It is a feature request that I hope will make it into the late spring/early summer release of JDeveloper - I wrote it up as a request based on the number of folks who faced this issue with these tutorials.
Mike.

Anchor Eiop tunnel problem 5.2

Hi,
were using two dmz WLCs for "guest-Access" - one is designated for an Hotspot and one for a direct dmz access. The internal wlc uses the management-interface as interface in the wlan-config and the internal wlc has all accesspoints directly connected and have the same configuration as the dmz wlcs and both ssids are active. Between the inside and outside wlcs we have differend subnets routers and also checkpoint firewall clusters - but no NAT. All Wlcs are in the same mobility group.
The problem is, that under some condition the mobility feature hangs up ! The internal WLC authenticates the client and give him full access (including IP) but the client can not ping or connect to any device behind the eiop tunnel.(in the DMZ) That problem occurs to both DMZ WLCs. On the wcs i can see that there was a short interrupt of the ancor-tunnels but the alarm disappears. While the client can't forward any traffic a debug mobility or an mobility ping works fine and shows no problems (a lot of keepalives from all wlcs)! The only way to get the tunnel working for traffic-forwarding is to reboot the external wlcs in the DMZ. Rebooting the internal won't help!
Do you have any information or suggestion what can causes that kind of problem ? Is there any debug command wehere i can detect the problem ?
Thanks, Dennis

I am just wanting to verify that all controllers are on the same version of code. A mismatch between an older 5.1 controller or before my result in a problem establishing the tunnel because of the 2 different protocols being used to talk between the AP and the controllers. 5.1 and before is LWAPP 5.2 and later is CAPWAP I believe.

Reverse SSH Tunnel problem?

I'm trying to do a reverse SSH tunnel for a VNC project. I'm successful when I do it on a Linux box or Cygwin under Windows, but I'm having problems under Mac OS.
Here's what I do:
Terminal 1:
ssh -nNTvvv -R 5500:localhost:5500 -l my_username myhost.com
Then, to see what's going on, I run in terminal 2:
nc -l -p 5500
Then, in a third terminal, I ssh over to myhost.com, and telnet to localhost 5500.
If I initiate this whole setup on other platforms, I can then type stuff in my in the third terminal and see it echoed happily in terminal 2.
Under Mac OS, everything goes fine until I do the telnet on myhost.com. The diagnostic in terminal 1 is:
debug1: channel 0: new [::1]
debug1: confirm forwardeded-tcpip
debug3: channel 0: waiting for connection
debug1: channel 0: not connected: Connection refused
It's not a firewall issue, as I can telnet directly to port 5500 on the Mac from myhost.com without any problem.
Google gives me no help here. Any ideas?
Thanks!
12" G4 Powerbook Mac OS X (10.4.8)

Figured it out - did a no ip ssh v 2 and hey presto started working

Tunnel Problem

I'm trying to simulate a tunnel through a service provider:
I have 3 Routers, which are connected with static routes and are all pinging each other other through serial and fastethernet interfaces.
Router 1 and Router 3 are acting as tunnel endpoints. Router 2 is service provider.
Configurations:
Router 1 Loopbacks:
192.168.2.0
192.168.3.0
192.168.4.0
Router 3 Loopbacks:
192,168.13.0
192.168.14.0
Router 1 and 2: 192.168.8.1 255.255.255.252
Rouer 2 and 3: 192.168.9.1 255.255.255.252
Tunnel is: 10.40.40.1 on R1
10.40.40.2 on R3
Router 1:
Interface Tunnel 0
Tunnel Source: 192.168.8.1
Tunnel Destination: 192.168,9.2
ip route 192.168.9.2 255.255.255.255 192.168.8.2
router eigrp 1
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
Router 3:
Interface Tunnel 0
Tunnel Source: 192.168.9.2
Tunnel Destination: 192.168.8.1
ip route 192.168.8.1 255.255.255.255 192.168.9.1
router eigrp 1
network 192.168.13.0
network 192.168.14.0
After these configurations I see on both routers 1 and 3 the Tunnels are in up/up and I can ping 10.40.40.1 to 10.40.40.2, but no eigrp router are coming up, what is the problem ??? Is the source and destination ip addresses correct, are my ip route statics correct ?? Please help.
Thanks,
Sergei.
After this configuration I see my Tunnel on both Roter

Sergei,
Add the tunnel network into your Router EIGRP 1 statements in router 1 & 3. I believe that should do the trick.
router eigrp 1
network 10.40.40.0

VTI tunnel problem

Hi all,
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
Sometimes tunnel is going down and I should manualy shutdown and no shutdown tunnel interface to bring it up.
This is logs from Cisco:
%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
X.Y.100.100 is Juniper SRX3600
X.Y.100.200 is Cisco 3825
But I see this logs more often, than tunnel is going down!
So what is problem?
Thanks

Hello,
this should help #crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
Best Regards
Please rate all helpful posts and close solved questions

MPLS TE tunnel problem

Hi,
i created MPLS TE tunnel between three Cisco 2811 series routers and configured that MPLS TE tunnel will reserve 1Mbps of bandwidth.Then I started to send constant 3 Mbps data flow trough the MPLS TE tunnel (everything looks ok: tunnel is up, bandwidth is reserved, all the data flow entering the tunnel). The problem is that data flow leaving the tunnel at 3Mbps rate. Why tunnel dont limit data rate?????

The tunnel doesn't do rate-limiting. Bandwidth at the tunnel level is only a control plane feature.
You need to configure admission control on the tunnel headend with CAR or some other form of rate limiting if you want to enforce the tunnel reserved bandwidth.
Hope this helps,

SSL-Tunneling Problem with Stronghold

Hello,
I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
throuch a Stronghold-Server using mod_wl_ssl.so.
But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
plugin is no longer working correctly. I get the following output in the log
of the plug-in:
--------------Begin--------------
========New Request: [GET
/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=634395
5830116743121 HTTP/1.0] =========
Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
Thu Jan 4 18:46:57 2001 queryStr =
wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
Thu Jan 4 18:46:57 2001 The request string is
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 After trimming path:
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
Thu Jan 4 18:46:57 2001 Connected to agni:7002
Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-WebLogic-Force-Cookie]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[Proxy-Client-IP]=[192.168.17.116]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-Forwarded-For]=[192.168.17.116]
Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0
errmsg=[Error 0]
Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002
Return Value = -1
Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will
retry
Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit
turned ON : [1]
Thu Jan 4 18:47:12 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage =
[http://www.finance.ch]
Thu Jan 4 18:47:12 2001 r->status=302 returning 0
Thu Jan 4 18:47:14 2001
---------------End
Any Ideas, what I didn't configured correctly for the stronghold/plug-in/WLS
Thank you
Remo

"Remo Schnidrig" <[email protected]> wrote:
Hello,
I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
throuch a Stronghold-Server using mod_wl_ssl.so.
But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
plugin is no longer working correctly. I get the following output in the log
of the plug-in:
--------------Begin--------------
========New Request: [GET
/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=634395
5830116743121 HTTP/1.0] =========
Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
Thu Jan 4 18:46:57 2001 queryStr =
wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
Thu Jan 4 18:46:57 2001 The request string is
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 After trimming path:
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
Thu Jan 4 18:46:57 2001 Connected to agni:7002
Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-WebLogic-Force-Cookie]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[Proxy-Client-IP]=[192.168.17.116]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-Forwarded-For]=[192.168.17.116]
Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0
errmsg=[Error 0]
Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002
Return Value = -1
Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will
retry
Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit
turned ON : [1]
Thu Jan 4 18:47:12 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage =
[http://www.finance.ch]
Thu Jan 4 18:47:12 2001 r->status=302 returning 0
Thu Jan 4 18:47:14 2001
---------------End
Any Ideas, what I didn't configured correctly for the stronghold/plug-in/WLS
Thank you
Remo
As far as I know, HTTPS-Tunneling through NES, APACHE, and IIS
is not supported. You can setup HttpClusterServlet to do HTTPS-
Tunneling.
Jong

ASA ssh,telnet.jar smart tunnels problems

Hi
From my asa I'm trying to gain access to some servers Linux (no local firewalls on them) from the clientless session using the ssh,telnet jar plugin.
The plugin starts and shows the login prompt and then I enter the correct user name and passwords and then I'm left with a black square.
Any suggestions for debugging?
ASA runnig 9.1, the problem is to both Linux boxes and a IOS router.

On testing the above even further, I seem to have an issue...
With the following configuration loaded...
aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 10.0.20.200
key passme123
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication enable console TLS-ACS5 LOCAL
With the PIX in communication with the ACS the above works well, with me successfully logging in with credentials added to the ACS.
On testing this further I have taken the link down between the PIX and the ACS (to recreate a failure scenario). I can still login using the internal (LOCAL) username & password. This seems to work fine, however if I try to access the exec-privilege mode (i.e. enable) the PIX does not except the enable password added to the configuration moreover it prefers the same password used for creating the initial user.
username admin-user password adminpass123 encrypted
enable password enablepass123 encrypted
For example; with the above lines in the running configuration of the PIX , I can login into PIX using admin-user and enter the password adminpass123. However, if I try and then go onto access exec-privilege mode (i.e. enable) the PIX does not except the password "enablepass123" put does except "adminpass123"... this is even with "aaa authentication enable console TLS-ACS5 LOCAL" added to the running configuration.
Has anyone else seen this issue on a PIX/FW. Am I missing something from my configuration? Does anyone know of a workaround to this issue or is it just something I have to live with?

Tunnel Problem from New ASA to Working ASA

I have a working asa at the home office with 56 tunnels out to satellite stations. We recently acquired another office and trying to get a tunnel working back to the home office. The tunnel will not come up nor do I see any traffic on it using the debug isakmp or debug ipsec commands.
Here's the working config. Assuming that the ASA in the home office is mirrored configuration for the tunnel, does anyone see anything wrong with this config?
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
shutdown
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.25.44.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 108.232.238.84 255.255.255.248
boot system disk0:/asa824-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 68.94.157.1
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 108.214.237.84 eq 11
access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-642.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 11 172.25.44.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 108.214.237.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 84.212.62.34
crypto map outside_map 1 set transform-set myset
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 84.212.60.2
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
username admin password vbv/ec7dyKqeaH4R encrypted privilege 15
tunnel-group 84.212.62.34 type ipsec-l2l
tunnel-group 84.212.62.34 ipsec-attributes
pre-shared-key *****
tunnel-group 84.212.60.2 type ipsec-l2l
tunnel-group 84.212.60.2 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cdf40c985104c7afc07a6dcdd36f27e0
: end
asdm image disk0:/asdm-642.bin
no asdm history enable

Thanks for the reply Ajay. It was actually the provider not placing the ASA's IP into the DMZ. The office uses a small business Uverse connection, and they need to provide a set of static IP's in a DMZ.
thanks,

Guest Tunneling Problems

Hi
I was wondering if anybody could help me out here. I have been following the guidelines as per the WLC softweare configuration guide with regards to configuring the internal controller which is pretty straightforward. The mobility anchor is up with the DMZ controller however I am not sure what configuration is required on the DMZ controller itself with regards to DHCP and the Guest WLAN itself. To be honest the documentation is a bit skimpy to say the least.
Any help would be greatly appreciated
Cheers,
Martin

Martin,
I share your frustrations with the documentation on the guest access. From what you stated you're having trouble with how guest access mobility is configured with respect to DHCP. Hope this helps.
The first part is well documented. Setup a mobility group between the remote and DMZ controller. Make sure it's up. Now we'll move onto DHCP configuration.
1) On the DMZ controller, configure a DHCP pool for the guest clients. Make sure you build a WLAN and bind it to the proper interface
2) On the remote controller, under your "management" interface set the DHCP server to be the ip address of the management interface on the DMZ controller. Very important!
3) Build the guest WLAN on the remote controller with the same configuration and bind it's interface to the management interface of the remote controller.
Voila... all DHCP requests will now be forwarded to the DMZ anchor.
Anything else I can help with let me know.
-Mike
http://cs-mars.blogspot.com

RTMPT problems... HELP!!!

We're working on a big project with a Beta due monday. It's a
flash network game produced for a large Swedish bank. Since it's
going to run on bank computers, the firewalls won't allow anything
but RTMPT traffic on port 80. Our client and server side scripting
works fine... except with RTMPT.
When we use RTMPT we can connect to the server and read
information from a SharedObject. We cannot however call or recieve
calls for methods on the NetConnection or se updates on the
SharedObjects. After a while the connection dies but the
RTMPT-connected client does not notice. If other clients are
connected through RTMP, they can se the RTMPT clients connect and
disconnect.
All connections are made on port 80.
Ideas anyone?

Are you absolutely certain you're not connecting through a
proxy? It's pretty unusual for large organisations not to have some
kind of proxy these days. I'm starting from the assumption that
your application works fine for RTMP, and that the only difference
between RTMP and RTMPT clients is the port and protocol you use
when you set them up. If this is the case, it seems that the
problem must lie between yourself and the user.
You could start getting someone who is having the problem to
try this link:
http://store1.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_16466
If there's a tunnelling problem it should show up there.
There are several articles about HTTP tunnelling, including:
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=1ccfec30&pss=rss_flashcomm_1ccfec3 0
http://www.adobe.com/devnet/flashcom/articles/firewalls_proxy.html
I suppose that a bank might have all kinds of security
policies enforced on its firewalls. It would be worth asking.

Jms & proxy http tunnel

"I am trying to run TradeRecive sample program that come with 7.0 on a machine behind the firewall at remote site and I am having the following exception. (java command line has proxy specified, server has http tunneling enabled)
          Can someone help ?
          C:\ArthurTest\JMS>java -Dhttp.proxyHost=134.142.50.10 -Dhttp.proxyPort=8080 -cp
          .;.\weblogic.jar TraderReceive http://205.172.179.92:80
          <May 6, 2003 4:33:25 PM CDT> <Error> <RJVM> <000515> <execute failed
          java.net.ProtocolException: Tunneling result unspecified - is the HTTP server a
          t host: '205.172.179.92' and port: '80' a WebLogic Server?
          java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at
          host: '205.172.179.92' and port: '80' a WebLogic Server?
          at weblogic.rjvm.http.HTTPClientJVMConnection.handleNullResponse(HTTPCli
          entJVMConnection.java:173)
          at weblogic.rjvm.http.HTTPClientJVMConnection.receiveAndDispatch(HTTPCli
          entJVMConnection.java:409)
          at weblogic.rjvm.http.HTTPClientJVMConnection.execute(HTTPClientJVMConne
          ction.java:305)
          at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
          at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
          >
          Exception in thread "main" javax.naming.CommunicationException. Root exception
          is java.net.ConnectException: http://205.172.179.92:80: Bootstrap t


Hi,
          The tunneling problem likely has nothing to do with JMS.
          JMS likely hasn't been called yet. I have little experience here,
          so all I can suggest is trying to connect
          to the WL server directly without the
          firewall/proxy-server/interposed-web-server in between --
          to see if you can narrow down the problem to the HTTP pass-through
          to the WL server. Then check the BEA docs, and google search and/or
          post to the more relevant rmi and/or jndi newsgroups...
          Tom, BEA
          tieeren wrote:
          > "I am trying to run TradeRecive sample program that come with 7.0 on a machine behind the firewall at remote site and I am having the following exception. (java command line has proxy specified, server has http tunneling enabled)
          >
          > Can someone help ?
          >
          >
          >
          > C:\ArthurTest\JMS>java -Dhttp.proxyHost=134.142.50.10 -Dhttp.proxyPort=8080 -cp
          > .;.\weblogic.jar TraderReceive http://205.172.179.92:80
          > <May 6, 2003 4:33:25 PM CDT> <Error> <RJVM> <000515> <execute failed
          > java.net.ProtocolException: Tunneling result unspecified - is the HTTP server a
          > t host: '205.172.179.92' and port: '80' a WebLogic Server?
          > java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at
          > host: '205.172.179.92' and port: '80' a WebLogic Server?
          > at weblogic.rjvm.http.HTTPClientJVMConnection.handleNullResponse(HTTPCli
          > entJVMConnection.java:173)
          > at weblogic.rjvm.http.HTTPClientJVMConnection.receiveAndDispatch(HTTPCli
          > entJVMConnection.java:409)
          > at weblogic.rjvm.http.HTTPClientJVMConnection.execute(HTTPClientJVMConne
          > ction.java:305)
          > at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
          > at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
          >
          > Exception in thread "main" javax.naming.CommunicationException. Root exception
          > is java.net.ConnectException: http://205.172.179.92:80: Bootstrap t

Tunneling Problem.

Similar Messages

Maybe you are looking for