Unison SSH Timeout [Solved]
[Solved]: It seems it was the B43 wireless driver. When I plugged my laptop directly into the router, Unison ran like a breeze. Gonna try WL once this is done syncing. Thanks for your suggestions!
I hope you guys can help me out, because I'm at the end of my rope. I've been using Unison for a year to sync files from my laptop to my desktop via SSH, but for the past week I can no longer do so. It will look for changes and display the differences in the GUI and command line, and when I click "Go" the transfer will run for a bit, but after a short time (less than a second on average) the transfer will stop entirely. After about another minute, I get the message:
Fatal Error
Lost Connection with the server.
I can use gFTP to transfer files, which led me to believe this was a problem with Unison rather than SSH. I just can't figure out why Unison is timing out, while every other SSH application has no problems. Any suggestions? If not, are there any applications similar to Unison that are actively developed?
Last edited by Rezero (2010-08-09 19:34:58)
Thanatermesis,
Welcome to Arch Linux. Be aware that this is a very old thread -- I hope the OP is not still looking for an answer three years later.
https://wiki.archlinux.org/index.php/Fo … Bumping.22
Similar Messages
-
We are getting the error below for an FTP adapter. The Timeout error was coming because of an SSH timeout policy on the server. Is there anything in the FTP adapter oc4j-ra.xml configuration file that we can set to keep the SSH session alive?
<2012-06-28 10:02:04,650> <INFO> <crps.collaxa.cube.ws> <File Adapter::Outbound> Connection Created
<2012-06-28 10:02:04,650> <WARN> <crps.collaxa.cube.ws> <File Adapter::Outbound> SFTPChannel is null
<2012-06-28 10:02:04,651> <INFO> <crps.collaxa.cube.ws> <File Adapter::Outbound> Poller raising Alert for exception : ORABPEL-11445
The SSH API threw an exception.
The SSH API threw an exception. [Caused by: Timeout, your session not responding.]
Check the error stack and fix the cause of the error. Contact oracle support if error is not fixable.
Hi,
I assume you are using the 10g version? I tried to find a solution for that....
Add the following parameters to your bpel.xml file (under your FTP partnerlink) and redeploy the project:
<property name="useJCAConnectionPool">true</property>
<property name="cacheConnections">false</property>
After that go to your OC4J home->default->FtpAdapter->Connection Factory->click on your JNDI Location->Change the property "keepConnections" to false.
(or change it on $ORACLE_HOME/j2ee/$bpel_home/application-deployments/default/FtpAdapter/oc4j-ra.xml)
Restart the server.
Please tell me if it helped you.
Arik -
SSH timeout not available while on ssh connection
Hi Everyone,
I found that the ssh timeout command is only available when you console to the ASA.
It is not available when you make an ssh connection to the ASA. Is this default behaviour, or is there any reason behind it?
Thanks
Mahesh
Hi Jennifer,
My bad, actually I overlooked the command.
It does have the option:
ciscoasa(config)# ssh ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
login to the system
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to login to the system
scopy Secure Copy mode
timeout Configure ssh idle timeout ?????????????
version Specify protocol version to be supported
exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
Thanks for help.
Mahesh -
Hello
Is there anyone that faces this recent vulnerability?
http://tools.cisco.com/security/center/viewAlert.x?alertId=27927
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc59462
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability where, if many ssh sessions are opened and one of them times out, the firewall crashes!
As we have many customers with ASAs using 8.2.5(26) (for example), I'd like confirmation that to fix that bug I need to upgrade my ASA image to at least 8.4.x.
In that case, I believe that all the former firewall configuration must be reviewed, because the 8.2.x version has many commands that differ from 8.4.x (for example, NAT).
Hope that Cisco provides a patch for 8.2.x versions.
jcarvaja wrote: If I have a device that supports A,B,C,D why would I conform just with A,B.. I mean for me ( and anyone that knows what this ASA beauty is) I would take as much as I can from the unit. If I stay on that old version I would not do that.
Yes, the device supports A,B,C,D but I only need to use A & B, so why would I need to upgrade to the latest? That is asking for trouble with the new bugs. If you work in a "real" world, you would know that people separate the function of Firewall and VPN into two different devices because it is much easier to manage.
jcarvaja wrote: ( and anyone that knows what this ASA beauty is)
I would not call the ASA a beauty. It is still way behind Cisco IOS in terms of VPN capability. Example: it can not terminate GRE on the ASA itself, and no BGP either.
jcarvaja wrote: And FYI on every version we have NEW bugs ( I mean nothing is perfect) BUT the previous bugs, those mentioned on the 8.2 track, 8.3, etc, etc, etc are supposed to be fixed on the new code implementation.
That is precisely my point. They mentioned all the previous bugs have been fixed but you will definitely run into new ones that you don't know. You're trading old "known" issues with new "unknown" issues.
jcarvaja wrote: So it's a winning everywhere you see it.. If you want to be limited then be it and stay on that code but if you want to take advantage of what you have... Go to the release notes of the new version, check the NEW features, check the Open bugs and determine if it fits for you.
That might help a little bit, but one needs to thoroughly test the code that you will deploy in your environment or you will be sorry. Your statement of "winning everywhere" shows that you lack the knowledge of working in a production environment where downtime is "not" an option. I can not tell you how many times I've run into issues with sqlnet and smtp with ASA that the only option is to disable sqlnet and smtp inspect. So much for new features.
jcarvaja wrote: As a recommendation, try to check the release notes before an upgrade, that is a must.. Unless that was a new bug it should have appeared there. NOTE: By newest mention we referred to the track version...
That's precisely the point. You're trading old "known" bugs for new "unknown" bugs.
The point I am taking from this is that unless it is a security vulnerability that I have to upgrade for, I will stay away and try to make it work as much as I can. With the new code, it needs to be vetted thoroughly in-house (not by Cisco) because Cisco does not understand my environment. They may know the ASA but I don't know the applications that operate in my environment. -
I have installed Solaris 10 with the N1 System Manager 1.3.2 on a Sun Fire V240. The server is running Solaris 10 Sparc.
I wanted to load an update to the new system, but the update failed.
I found an error in /var/opt/SUNWcacao/logs/cacao.0:
SEVERE: com.sun.n1.ps.hutils.jexpect.ExpectTimedoutException: Expect times out after 20 seconds. Output string "" doesn't match expected pattern "password:|Password:|Are you sure you want to continue connecting|WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED|Connection refused|Connection closed"
The size of the update is 40 MB. I tested a smaller update of only 500kb, which worked. I can copy the package file with scp to the newly installed server.
I think I need to configure a timeout parameter, but I can't find any information about this.
Hello,
The job result:
Job ID: 68
Date: 2007-03-08T11:48:22+0100
Type: Load OS Update
Status: Error (2007-03-08T11:48:37+0100)
Command: load server host01 update SunOS_sparc_SMAWnwclt_7.2p8
Owner: root
Errors: 1
Warnings: 0
Steps
ID Type Start Completion Result
1 Acquire Host 2007-03-08T11:48:23+0100 2007-03-08T11:48:23+0100 Completed
2 Execute Java 2007-03-08T11:48:23+0100 2007-03-08T11:48:23+0100 Completed
3 Acquire Host 2007-03-08T11:48:25+0100 2007-03-08T11:48:25+0100 Completed
4 Execute Java 2007-03-08T11:48:25+0100 2007-03-08T11:48:37+0100 Error 1
Errors
Error 1:
Description: Stderr:
Loading SunOS_sparc_SMAWnwclt_7.2p8 on host01 failed:
Warning: Permanently added '<IP removed>' (RSA) to the list of known hosts.
Warning: Permanently added '<IP removed>' (RSA) to the list of known hosts.
Results
Result 1:
Server: host01
Status: -3
Message: Loading OS update SunOS_sparc_SMAWnwclt_7.2p8 failed.
On host01 I found scp processes:
csadmin 20476 20475 0 12:00:30 ? 0:00 sh -c scp -p -t /tmp/SunOS_sparc_SMAWnwclt_7.2p8
csadmin 20477 20476 1 12:00:30 ? 0:00 scp -p -t /tmp/SunOS_sparc_SMAWnwclt_7.2p8 -
Hi
I configured a Cisco ASA5510 firewall, but I am facing a problem with SSH login. I gave SSH access for inside and outside, but I am getting a "server ... error". I enabled LOCAL for authentication for SSH and HTTP, and I am able to access the device through HTTP using ASDM, but not able to access it from outside.
please find the configuration
thanks in advance
regards
Javahar
ASA Version 8.2(1)
hostname ASA5510
domain-name default.domain.invalid
enable password Nbxmt7LFbcxtLo.o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.251.38.0 SAP_remote
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 115.115.169.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer XXX.XXX.XXX.20
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer XXX.XXX.XXX.20
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 28800
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outsde
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outsde
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test1234 password /FzQ9W6s1KjC0YQ7 encrypted
username cisco1234 password 5sSb..e9ZNWMmk2e encrypted privilege 15
tunnel-group Remote-p2p-vpn type ipsec-l2l
tunnel-group Remote-p2p-vpn ipsec-attributes
pre-shared-key *
tunnel-group XXX.XXX.XXXX.20 type ipsec-l2l
tunnel-group XXX.XXX.XXXX.20 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:83eab0b7ae2d2d9e74f8ea0b005076ea
: end
Hi,
Did you issue the command
ASA(config)# crypto key generate rsa modulus 2048
So that you can use SSH.
EDIT: I would suggest narrowing down the source address from where you can connect to the ASA from "outside" if possible.
- Jouni -
Dear all,
I inherited this configuration from my colleague.
The internet connection of the PC / host inside the network will time out / be disconnected after several minutes when not in use.
How do I disable the config? I want the host to continuously connect to the internet.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.08.11 11:01:19 =~=~=~=~=~=~=~=~=~=~=~=
kewpie-MLK-ASA# sh run
: Saved
ASA Version 8.0(3)
hostname kewpie-MLK-ASA
domain-name default.domain.invalid
enable password ym1CwmrLnc/fndsu encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 60.a.a.54 255.255.255.252
interface Ethernet0/1
no nameif
no security-level
no ip address
interface Ethernet0/1.1
vlan 10
nameif Inside
security-level 80
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.2
vlan 20
nameif visitor
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any any
access-list 100 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq 2828
access-list 101 extended permit tcp any host 192.168.0.254 eq 2255
pager lines 24
mtu outside 1500
mtu Inside 1500
mtu visitor 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Inside
icmp permit any visitor
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.255.0
nat (visitor) 1 192.168.1.0 255.255.255.0
static (Inside,outside) tcp interface 2828 192.168.0.254 telnet netmask 255.255.255.255
access-group 101 in interface outside
access-group 100 in interface Inside
access-group 100 in interface visitor
route outside 0.0.0.0 0.0.0.0 60.a.a.53 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:30:00 absolute uauth 0:30:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
aaa authentication include tcp/0 Inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.4.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcpd dns 202.188.0.133 202.188.5.1
dhcpd address 192.168.0.2-192.168.0.253 Inside
dhcpd enable Inside
dhcpd address 192.168.1.2-192.168.1.253 visitor
dhcpd enable visitor
threat-detection basic-threat
threat-detection statistics access-list
username admin password bOnxO8/ZA7i5hOxq encrypted
username kpmsb password /LTd0pEXjM6Ht1Sp encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:809895a4506cb7e47a57552c4a0e0a0f
: end
Hi Mohammad,
You have the following timeout values set:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:30:00 absolute uauth 0:30:00 inactivity
If you do not want the connection to timeout, use the following:
timeout conn 0:00:00
This would never timeout the connection.
Thanks,
Varun -
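A configuration check covering two points raised in the replies above: Jouni's suggestion to narrow the sources allowed to manage the ASA from "outside", and Varun's note that "timeout conn 0:00:00" removes the idle timeout. This is an added example in Python, not Cisco's tooling or any poster's code; the two configs it audits are constructed for it, in the same flattened shape as the configs pasted in this thread.

```python
"""Audit the management-plane lines of a Cisco ASA running-config.

Flags what the replies above discuss: management access (ssh, http, telnet)
allowed from 0.0.0.0/0, telnet enabled at all, and 'timeout conn 0:00:00',
which disables the connection idle timeout entirely.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")
MGMT_RE = re.compile(
    r"^(ssh|http|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
TIMEOUT_CONN_RE = re.compile(r"^timeout conn (\d+):(\d+):(\d+)")


def interface_levels(lines):
    """Map nameif -> security-level by walking interface blocks in order.
    The pasted configs lost their indentation, so line order is the only
    structure left: 'nameif' and 'security-level' follow their 'interface'."""
    levels, name, level = {}, None, None
    for ln in lines:
        if ln.startswith("interface "):
            name = level = None
        elif ln.startswith("nameif "):
            name = ln.split(None, 1)[1]
        elif ln.startswith("security-level "):
            level = int(ln.split()[1])
        if name is not None and level is not None:
            levels[name] = level
    return levels


def audit_asa_config(config_text):
    """Return a list of Finding tuples for the weaknesses found."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    levels = interface_levels(lines)
    findings = []
    has_ssh = ssh_v2 = False
    for ln in lines:
        if ln == "ssh version 2":
            ssh_v2 = True
            continue
        m = TIMEOUT_CONN_RE.match(ln)
        if m and all(int(g) == 0 for g in m.groups()):
            findings.append(Finding("medium", "idle-timeout-disabled", ln))
            continue
        m = MGMT_RE.match(ln)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        has_ssh |= proto == "ssh"
        if proto == "telnet":
            findings.append(Finding("high", "telnet-enabled", ln))
        if iface not in levels:
            # A nameif that does not exist (one config above has 'outsde')
            findings.append(Finding("medium", "unknown-interface", ln))
            continue
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            # Any source on a security-level 0 interface means the whole
            # internet can reach the management service.
            untrusted = levels[iface] == 0
            findings.append(Finding(
                "high" if untrusted else "low",
                "mgmt-any-source-untrusted" if untrusted else "mgmt-any-source",
                ln))
    if has_ssh and not ssh_v2:
        findings.append(Finding("medium", "ssh-v1-allowed", "ssh version 2 (missing)"))
    return findings


# Constructed sample modelled on the configs in this thread, not a real device.
WEAK_CONFIG = """
interface Ethernet0/0
nameif inside
security-level 100
interface Ethernet0/1
nameif outside
security-level 0
timeout conn 0:00:00
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outsde
telnet 0.0.0.0 0.0.0.0 inside
"""

# Same device, management narrowed to known admin sources, telnet removed.
HARDENED_CONFIG = """
interface Ethernet0/0
nameif inside
security-level 100
interface Ethernet0/1
nameif outside
security-level 0
timeout conn 1:00:00
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 198.51.100.10 255.255.255.255 outside
ssh version 2
"""
```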
Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface
Hi all,
I have a very strange problem with the OUTSIDE interface and remote ssh. Well, I have followed the documentation and configured remote access for ssh like this [1.]. If I want to connect from the internet to the OUTSIDE interface [2.] I get no response, and in the log I can see this message [3.]. I really do not understand why the ssh connection is dropped by the OUTSIDE access-list [4.]. If I understand the documentation correctly, the interface access-list has no impact on remote management/access like icmp, ssh, http(s). So, why?
When I try an ssh connection from the internal network to the INSIDE interface everything works fine and I can log in to the ASA. If I try to allow ssh in the OUTSIDE access-list there is still no success and I get this message [5.]. It is strange, isn't it?
The same problem with icmp: if I want to "ping" the OUTSIDE interface from the internet I get this message in the log [6.], with the configuration for ICMP like this [7.].
The full ASA config is in the attachment.
Can anybody help how to fix it and explain what exactly is wrong? Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE
You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK -
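Detection logic for the three kinds of log line quoted in [3.], [5.] and [6.] above, as an added example that is not part of the thread and not Cisco's code: it separates an access-list drop (106100) from an anti-spoofing drop (106016) and an "ip audit" signature hit (400014), and picks out the ones aimed at the ASA's own address on a management port, which is the symptom in the post. The sample lines are constructed in the same shapes, with documentation-range addresses in place of the poster's.

```python
"""Classify the kinds of Cisco ASA syslog lines quoted in this thread."""
import re

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

BODY_RES = {
    # 106100: access-list <acl> <action> <proto> <ifc>/<src>(<port>) -> <ifc>/<dst>(<port>) ...
    "106100": re.compile(
        r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
        r"(?P<src_ifc>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
        r"(?P<dst_ifc>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
    # 106016: Deny IP spoof from (<src>) to <dst> on interface <ifc>
    "106016": re.compile(
        r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
        r"on interface (?P<ifc>\S+)"),
    # 400014: IDS:<sig> <description> from <src> to <dst> on interface <ifc>
    "400014": re.compile(
        r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
        r"on interface (?P<ifc>\S+)"),
}

CATEGORY = {"106100": "acl-drop-or-permit", "106016": "antispoof-drop",
            "400014": "ids-signature"}


def parse_asa_line(line):
    """Return a dict of msgid, severity, category and whatever fields the
    body regex for that message id extracts; None if no ASA header is present."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msgid = m.group("msgid")
    rec = {"msgid": msgid, "severity": int(m.group("sev")),
           "category": CATEGORY.get(msgid, "other")}
    body_re = BODY_RES.get(msgid)
    if body_re:
        bm = body_re.search(m.group("body"))
        if bm:
            rec.update(bm.groupdict())
    return rec


def to_the_box_management_hits(lines, box_addrs, mgmt_ports=("22", "443")):
    """Select records where traffic to one of the ASA's own addresses was
    denied by an ACL on a management port, flagged as spoofed, or matched
    an IDS signature: the three things the poster saw in the log."""
    hits = []
    for line in lines:
        rec = parse_asa_line(line)
        if not rec or rec.get("dst") not in box_addrs:
            continue
        if rec["msgid"] == "106100":
            if rec.get("action") == "denied" and rec.get("dport") in mgmt_ports:
                hits.append(rec)
        elif rec["msgid"] in ("106016", "400014"):
            hits.append(rec)
    return hits


# Constructed sample lines in the same shapes as the three quoted in the post;
# the addresses are documentation ranges, not the poster's.
SAMPLE_LOG = [
    "Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp "
    "OUTSIDE/198.51.100.7(46085) -> OUTSIDE/203.0.113.158(22) hit-cnt 1 first hit [0x0, 0x0]",
    "Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (198.51.100.7) "
    "to 203.0.113.158 on interface OUTSIDE",
    "Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from "
    "198.51.100.7 to 203.0.113.158 on interface OUTSIDE",
    "Jan 13 2015 06:52:00 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp "
    "OUTSIDE/198.51.100.9(40000) -> OUTSIDE/203.0.113.158(80) hit-cnt 1 first hit [0x0, 0x0]",
    "Jan 13 2015 06:53:00 ASA-FW01 : %ASA-6-302013: Built inbound TCP connection 12 for "
    "OUTSIDE:198.51.100.7/1234 (198.51.100.7/1234) to INSIDE:10.0.0.5/22 (10.0.0.5/22)",
]
```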
Solaris 11 ssh ControlMaster support?
I am trying to use a "Net::OpenSSH" Perl script, which uses ssh multiplexing, i.e. ControlMaster, and I am getting an error "illegal option -- M"... Is there any way to turn on multiplexing in the ssh client on Solaris 11, or are we forced to compile from source?
Perl script used:
#!/bin/perl -w
use strict;
use Net::OpenSSH;

# Placeholders: the post redacted the real host and credentials.
my $host   = 'host';
my $user   = 'user';
my $passwd = 'passwd';

# Net::OpenSSH drives the system ssh with -M/-S (ControlMaster multiplexing),
# which is the option the bundled Solaris ssh rejects in the errors below.
my $ssh = Net::OpenSSH->new(
    $host,
    ssh_cmd  => '/bin/ssh',
    timeout  => 10,
    user     => $user,
    password => $passwd,
);
$ssh->error and die "unable to connect: " . $ssh->error;

my @cmd = (ls => '-a');
$ssh->system(@cmd);
The script returns the errors below.
/bin/ssh: illegal option -- M
/bin/ssh: illegal option -- S
ssh: illegal option -- M
Usage: ssh [options] host [command]
Options:
Thanks,
Eli
Unfortunately I didn't find any workaround. Solaris SSH is an old fork of openssh and does not support the multithreading option. I can't comment on your Solaris 11 > Linux environment; most of our environments were migrated from 10 to 11.1, and all I can say is Solaris rocks: features you find in Solaris you can find on any other OS in the market, just to name a few: ZFS, BE, IPS, FMA, SMF, etc.
Thanks,
Eli -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enableHi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configuration shows, 1.1.1.0/28 is not actually configured on the ASA.)
Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
SSH local database username and password not working
I have a weird issue. I recently set up an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to set up a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have set up. I can however get in using a domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASAs.
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh
aaa authentication ssh console SERVER_RADIUS LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
Site-ASA# sh run | in aaa
aaa-server SERVER_RADIUS protocol radius
aaa-server SERVER_RADIUS (inside) host 10.0.0.6
aaa authentication ssh console SERVER_RADIUS LOCAL
aaa authentication http console SERVER_RADIUS LOCAL
Site-ASA#
If there are any other config that would help I would be more than happy to display them
Thanks!
Thanks for the reply. I was just coming in to update this because you are exactly correct. For some reason I kept thinking that if the authentication failed via RADIUS it would use local, which is not the case.
Problem (or no problem) resolved. -
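Why the LOCAL entry in `aaa authentication ssh console SERVER_RADIUS LOCAL` does not catch a RADIUS reject, as an added Python model that is not part of the thread or of Cisco's code. The RADIUS server stub, the account names and the passwords are constructed for the illustration; the decision rule in `asa_ssh_login` (fall through to LOCAL only when the server group is unreachable, never on an Access-Reject) is the documented ASA method-list behaviour the reply above refers to.

```python
"""Model of how a Cisco ASA walks the method list in
`aaa authentication ssh console SERVER_RADIUS LOCAL`.

Added illustration, not Cisco code. The RADIUS server below is a constructed
stub and the usernames/passwords are invented for the example.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class RadiusResult(Enum):
    ACCEPT = auto()
    REJECT = auto()        # server answered Access-Reject
    UNREACHABLE = auto()   # no reply within the timeout / server marked dead


@dataclass
class RadiusStub:
    """Constructed stand-in for the Windows NPS server at 10.0.0.6."""
    reachable: bool = True
    domain_users: dict = field(default_factory=dict)

    def authenticate(self, username: str, password: str) -> RadiusResult:
        if not self.reachable:
            return RadiusResult.UNREACHABLE
        if self.domain_users.get(username) == password:
            return RadiusResult.ACCEPT
        return RadiusResult.REJECT


def asa_ssh_login(username: str, password: str,
                  radius: RadiusStub, local_users: dict) -> tuple[bool, str]:
    """Return (granted, database_that_decided).

    The next method in the list is tried only on an ERROR (server group
    unreachable), not on a FAIL (explicit reject).
    """
    result = radius.authenticate(username, password)
    if result is RadiusResult.ACCEPT:
        return True, "RADIUS"
    if result is RadiusResult.REJECT:
        # An explicit reject is final; the LOCAL database is never consulted.
        return False, "RADIUS"
    # UNREACHABLE: fall back to the next method, LOCAL.
    return local_users.get(username) == password, "LOCAL"


# Constructed accounts for the demonstration.
DOMAIN_USERS = {"alice": "domain-pw"}      # known only to the RADIUS/NPS server
LOCAL_USERS = {"asaadmin": "local-pw"}     # `username asaadmin password ...` on the ASA


def demo() -> dict:
    """Run the three cases the thread discusses and return the outcomes."""
    nps_up = RadiusStub(reachable=True, domain_users=DOMAIN_USERS)
    nps_down = RadiusStub(reachable=False, domain_users=DOMAIN_USERS)
    return {
        "domain user, RADIUS up": asa_ssh_login("alice", "domain-pw", nps_up, LOCAL_USERS),
        "local user, RADIUS up": asa_ssh_login("asaadmin", "local-pw", nps_up, LOCAL_USERS),
        "local user, RADIUS down": asa_ssh_login("asaadmin", "local-pw", nps_down, LOCAL_USERS),
    }


if __name__ == "__main__":
    for case, (granted, via) in demo().items():
        print(f"{case:<26} -> {'granted' if granted else 'denied'} by {via}")
```

The second case is the one the poster hit: while NPS is reachable, a username that exists only in the local database gets an Access-Reject from RADIUS and the ASA stops there. The local account only becomes usable once the RADIUS group is down, which is what LOCAL in that position is meant for (break-glass access when the AAA server is unavailable).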
Acs 4.2.1.15 and ssh authentication with ios xr
Hello,
We have a new ACS appliance (1113) with version 4.2.1.15 and we want to authenticate users through SSH from routers running IOS XR software. Unfortunately this doesn't work.
Here ist our configuration of the router:
line template VTY
access-class ingress abcd
tacacs-server host x.x.x.x port 49 single-connection
tacacc-server key 7 test
tacacs source-interface Loopback13
ssh server v2
ssh timeout 60
! AAA config
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands default start-stop group tacacs+
aaa authorization exec default group tacacs+ none
aaa authorization commands default group tacacs+ none
aaa authentication login default group tacacs+ local
Does anybody have a solution for this problem?
Thanks and best regards
Torsten Waibel
Hi Torsten Waibel,
For SSH to be supported you should have a crypto IOS image on the router, and check that the command "transport input ssh" is present under the line vty configuration.
If helpful do rate the post
Ganesh.H -
[kinda solved] screen hardstatus: right align problem...
Hey guys, previously I was using an old monitor at 1024x768 and screen's hardstatus was working fine with that setup. But some days ago I got a new monitor, and now at a resolution of 1920x1080 the stuff that is supposed to be at the rightmost side has a problem and is appearing about 200-300px (I guess) before it. I have googled it but found nothing.
here's a shot
http://omploader.org/vNWducg
& here's my screenrc
# Basic Settings {{{
nethack on # Fun error messages
deflogin off # All screens are considered logins
autodetach on # Detach on HUP instead of kill
startup_message off # Don't be annoying
vbell off # Don't be annoying
defshell -$SHELL # The dash makes it a login shell
defscrollback 10000 # Remember a lot
nonblock on # Block input from hung applications
defutf8 on # Always use utf8
defflow off # Turn off flow-control
msgwait 5 # Display msgs for N seconds
altscreen on # Enable alternate screen support
defbce on # Erase background with current background color
bell_msg "" # For urgency hints
setenv LC_CTYPE en_US.UTF-8
term rxvt-256color
# Define terminal capabilities {{{
termcapinfo xterm-256color 'Co#256:AB=\E[48;5;%dm:AF=\E[38;5;%dm'
termcapinfo rxvt-256color 'Co#256:AB=\E[48;5;%dm:AF=\E[38;5;%dm'
backtick 1 1800 1800 bday
backtick 2 1800 1800 cat ${HOME}/.weather
sorendition '= dY'
hardstatus alwayslastline '%{= M}%H%{W} | %{= B}%l%{W} | %{G}%1`%{W} | %{C}%2` %= %{= w}%-w%{+b r}%n*%t%{-b r}%{w}%+w'
# Banish screen 0, it sucks {{{
bind c screen 1
bind ^c screen 1
bind 0 select 10
# find the nearest shell
bind s select zsh
screen -t torrents 1 rtorrent
screen -t zsh 2
# Keybinds {{{
# Be lazy and use Fx keys for screen switching
#bindkey -k k1 select 1
#bindkey -k k2 select 2
#bindkey -k k3 select 3
#bindkey -k k4 select 4
#bindkey -k k5 select 5
#bindkey -k k6 select 6
#bindkey -k k7 select 7
#bindkey -k k8 select 8
# Use F11 as escape (for caps-lock mapped to F13)
bindkey -k F1 command
# vim:foldlevel=0
Last edited by vik_k (2010-09-11 09:47:00)
Sorry, I don't have a solution to your problem.
do you know howto get screen to send a command to the bash shell its displaying?
Paste seems to do what I want: if I get the date command into the buffer, C-A ]
will send "date", and bash runs date.
But how can I get that to loop, to automatically simulate activity to prevent SSH timeouts and disconnects? -
Syn Timeout Traffic From VPNPool
Hello, I know there are a lot of topics about this subject, but I have been reading for the past 2 weeks and I can't find my solution.
My Cisco VPN client connects to the ASA 5510 and everything looks good, but when I try to send traffic (RDP) it never connects and the logs show a SYN timeout. Here is my configuration; I would really appreciate any help.
ASA Version 8.2(1)
hostname xxx
domain-name xxxx
enable password g.wfzl577L4IVnRL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.135.x 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
interface Ethernet0/2
no nameif
security-level 100
ip address 192.168.30.x 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx
name-server xx
domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended deny ip object-group Deny_Access any
access-list inbound extended permit tcp any object-group web-servers object-group web-ports
access-list inbound extended permit tcp 209.200.128.0 255.255.192.0 host 201.199.135.x object-group web-ports
access-list outbound extended permit ip object-group trusted any
access-list outbound extended permit tcp object-group web-servers any object-group web-ports
access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
access-list outbound extended permit tcp host 201.199.135.xx any object-group web-ports
access-list inside_access_in extended permit ip object-group trusted any log disable
access-list inside_access_in extended permit ip object-group DNS-Servers any log disable
access-list inside_access_in extended permit udp host WEB3 any eq ntp inactive
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ISA_access_in extended permit object-group Ports host 192.168.30.7 any
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging list configLog level debugging class auth
logging list configLog level debugging class config
logging list system-IDSLog level informational class ids
logging list system-IDSLog level informational class sys
logging buffer-size 10000
logging asdm informational
logging from-address xxxx
logging recipient-address xxxxx level notifications
no logging message 111008
no logging message 111007
mtu outside 1500
mtu inside 1500
mtu ISA 1500
mtu management 1500
ip local pool VPN-POOL 192.168.3.2-192.168.3.254 mask 255.255.255.0
ip audit name attackPolicy attack action alarm drop
ip audit name antiSnifferPolicy info action drop
ip audit interface outside attackPolicy
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ISA) 1 201.199.135.xx netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (ISA) 1 192.168.30.0 255.255.255.0
static (inside,outside) 201.199.xxx.xx WEB3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group ISA_access_in in interface ISA
route outside 0.0.0.0 0.0.0.0 201.199.135.113 1
route inside 0.0.0.0 0.0.0.0 10.1.1.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.56 community
snmp-server host inside 10.1.1.18 community
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetinbound interface ISA
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=xxx.xxxxxx
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 6ef8fc4f
308201f3 3082015c a0030201 0202046e f8fc4f30 0d06092a 864886f7 0d010105
0500303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
6372301e 170d3132 30393035 31333435 35345a17 0d323230 39303331 33343535
345a303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
63723081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e4
52687fe4 bc46d95c bb14cb51 c9ba2757 692683e2 315fb2cb 585c9785 295e9090
88dea89d 5a1497f5 49107a1f ea35d71b fd05d9ff 68766519 652f1ff9 d19dc584
310312b2 b369673f 70db355a 8d1e0a5e 4c825c27 7ad5e4f6 d36cbda7 b4ad77a5
f490d942 2ef2488a bcb97b3f 5795bbcd 5f5b5c5a ff965272 2c8deaa5 2aa78902
03010001 300d0609 2a864886 f70d0101 05050003 818100aa c1a3301a ec3898ac
18699233 9aa26005 ad6c326f 51228c6b ba6a91e8 2ac79a0c 2af687c1 17bce83f
bbf94b0e e6f09977 fad72c47 96d206ed c1157e67 79862e20 9f28cfa1 739c0fa2
81272d5d a7124fc0 f95904db 72eacc9a 772208e2 1edba72b 618ed8dc d3c1b8f7
5047604e f767eaf1 7ee5ed95 79ef9184 db62bcfb b71e6f
quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.30.5-192.168.30.20 ISA
dhcpd dns 4.2.2.2 200.91.75.5 interface ISA
dhcpd enable ISA
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VPNGP internal
group-policy VPNGP attributes
wins-server none
dns-server value 10.1.1.11 10.1.1.16
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value dotnet.co.cr
address-pools value VPN-POOL
username xxxx password gsUajqpee0ffkhsw encrypted
username xx password Wl5xhq9rOjTEyzHN encrypted privilege 15
username xxvpn password 9tblNqPJ2.cWaLSD encrypted
username xxvpn attributes
service-type remote-access
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
default-group-policy VPNGP
tunnel-group AnyConnect webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
smtp-server 10.1.1.20
prompt hostname context
Cryptochecksum:9720306792f52eac533976d69f0f3daa
: end
Thanks
Hi Oscar,
The configuration seems to be fine.
At this point lets troubleshoot the VPN communication.
The SYN timeout means that the server does not respond, or the SYN-ACK never reached the ASA.
We need to place a packet capture on the inside interface as follows:
capture capin interface inside match ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Then you try to access the server via RDP and issue the "show capture capin" command.
Another good test would be the following:
packet-tracer input inside icmp 10.1.1.250 8 0 192.168.3.1 detail ---> where the 192.168.3.1 must be the IP of the VPN client
Attach the output of the "show capture capin" and "packet-tracer" output.
Let me know.
Portu.
Please rate any post you find useful. -
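One way to read the "SYN timeout" symptom from the ASA's own syslog before taking captures, as an added Python example that is not part of Portu's reply or of any Cisco tool. The `%ASA-6-302014` teardown lines, hosts, ports and connection IDs in `SAMPLE_LOG` are constructed to resemble what the ASA logs for this scenario (VPN pool 192.168.3.0/24 sending RDP to an inside host); the regex follows the documented message layout (interface:ip/port pairs, duration, bytes, reason).

```python
"""Triage of ASA %ASA-6-302014 teardown messages to see where SYN timeouts cluster.

Added example, not from the thread. SAMPLE_LOG is constructed: the connection
IDs, hosts and ports are invented to look like the poster's scenario.
"""
import re
from collections import Counter

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Constructed sample log lines (one 302013 "Built" line, four 302014 teardowns).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4051 for outside:192.168.3.5/51234 (192.168.3.5/51234) to inside:10.1.1.50/3389 (10.1.1.50/3389)
%ASA-6-302014: Teardown TCP connection 4051 for outside:192.168.3.5/51234 to inside:10.1.1.50/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4052 for outside:192.168.3.5/51235 to inside:10.1.1.50/3389 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4053 for outside:192.168.3.5/51236 to inside:10.1.1.11/53 duration 0:00:01 bytes 412 TCP FINs
%ASA-6-302014: Teardown TCP connection 4054 for inside:10.1.1.20/44120 to outside:203.0.113.9/443 duration 0:00:30 bytes 0 SYN Timeout
"""


def parse_teardowns(text: str) -> list[dict]:
    """Return one dict per 302014 line; other message IDs are ignored."""
    rows = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            row = m.groupdict()
            row["bytes"] = int(row["bytes"])
            rows.append(row)
    return rows


def syn_timeouts_by_target(text: str) -> Counter:
    """Count SYN-timeout teardowns per (src_if->dst_if, dst_ip:port).

    'bytes 0' together with 'SYN Timeout' means the ASA built the connection
    on the client's SYN but never saw a SYN-ACK come back from the server side.
    """
    counts = Counter()
    for row in parse_teardowns(text):
        if row["reason"] == "SYN Timeout" and row["bytes"] == 0:
            key = (f"{row['src_if']}->{row['dst_if']}", f"{row['dst_ip']}:{row['dst_port']}")
            counts[key] += 1
    return counts


def vpn_pool_failures(text: str, pool_prefix: str = "192.168.3.") -> list[str]:
    """List 'dst_ip:port' targets that time out specifically for VPN-pool sources."""
    return sorted({
        f"{row['dst_ip']}:{row['dst_port']}"
        for row in parse_teardowns(text)
        if row["reason"] == "SYN Timeout" and row["src_ip"].startswith(pool_prefix)
    })


if __name__ == "__main__":
    for (direction, target), n in syn_timeouts_by_target(SAMPLE_LOG).most_common():
        print(f"{n:>3} SYN timeouts {direction} to {target}")
    print("VPN-pool targets never answering:", vpn_pool_failures(SAMPLE_LOG))
```

If every timeout is in the outside->inside direction toward one inside host while the same host's other conversations complete (the DNS teardown with "TCP FINs" above), the SYN is leaving the ASA and the problem is the return path: the inside host, or its default gateway, must route 192.168.3.0/24 back to the ASA's inside address, otherwise the SYN-ACK goes elsewhere and the "show capture capin" from the reply will show SYNs with no SYN-ACKs.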
Here is a variation on a theme I've seen on the boards here. I have an ASA 5580 configured for client ipsec vpns. I can connect via the vpn, ping the interface being used for management, and complete the TCP handshake for telnet or SSH. After that, the connection times out. I know I'm missing something small, but can't find it. Any help would be greatly appreciated.
Here are the relevant parts of the config:
interface TenGigabitEthernet0/8
nameif INSIDE
security-level 100
ip address 10.50.254.249 255.255.255.248 standby 10.50.254.250
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address x.x.x.x x.x.x.x
interface GigabitEthernet0/1
nameif ToMGMT
security-level 10
ip address 10.50.253.18 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name local
object-group network Inside_NETWORK_ALL
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.248.0.0
object-group network Outside_REMOTE_VPN
network-object 10.50.224.0 255.255.254.0
object-group network MGMT_NET
network-object 10.50.253.0 255.255.255.0
access-list PERMIT_ANY extended permit ip any any
access-list RemoteVPN_SPLIT standard permit 10.50.253.0 255.255.255.0
access-list RemoteVPN_SPLIT standard permit 10.50.0.0 255.255.0.0
access-list RemoteVPN_SPLIT standard permit 10.50.224.0 255.255.254.0
access-list NO-NAT-VPN extended permit ip any 10.50.224.0 255.255.254.0
access-list MGMT-2-VPN extended permit ip 10.50.253.0 255.255.255.0 10.50.224.0 255.255.254.0
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu ToMGMT 1500
ip local pool RemoteVPN_POOL 10.50.224.0-10.50.225.0 mask 255.255.254.0
monitor-interface DMZ
no monitor-interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,any) source static Inside_NETWORK_ALL Inside_NETWORK_ALL destination static Inside_NETWORK_ALL Inside_NETWORK_ALL
nat (INSIDE,OUTSIDE) source dynamic Inside_NETWORK_ALL interface
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.200.100.10 1
route INSIDE 10.50.0.0 255.255.224.0 10.50.254.254 1
route INSIDE 10.50.253.0 255.255.255.0 10.50.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS_COLO protocol radius
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set 3dessha-Transport esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3dessha-Transport mode transport
crypto ipsec ikev1 transform-set dessha esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map RemoteVPN_DM 5 set ikev1 transform-set 3dessha
crypto dynamic-map PUB_IPSEC_CLIENT 1 set ikev1 transform-set ESP-3DES-MD5
crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic RemoteVPN_DM
crypto map CRYPTO_MAP 2 ipsec-isakmp dynamic PUB_IPSEC_CLIENT
crypto map CRYPTO_MAP interface OUTSIDE
crypto isakmp identity key-id ***********
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 65534
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh 10.50.253.0 255.255.255.0 ToMGMT
ssh 10.50.224.0 255.255.254.0 ToMGMT
ssh 10.0.0.0 255.0.0.0 ToMGMT
ssh timeout 5
ssh version 2
console timeout 0
management-access ToMGMT
tls-proxy maximum-session 1000
ssl trust-point localtrust OUTSIDE
webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 10.50.223.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_SPLIT
address-pools value RemoteVPN_POOL
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
dns-server value 10.200.0.6
password-storage enable
split-tunnel-network-list value RemoteVPN_SPLIT
group-policy IPSEC-POLICY internal
group-policy IPSEC-POLICY attributes
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_SPLIT
user-authentication enable
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool RemoteVPN_POOL
default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group IPSECGROUP type remote-access
tunnel-group IPSECGROUP general-attributes
address-pool RemoteVPN_POOL
default-group-policy IPSEC-POLICY
authorization-required
tunnel-group IPSECGROUP ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
Michael,
TFTP should work through VPN; I have tested it through RA VPN. I do not see a reason why it should not work in an L2L VPN scenario.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1498951
In RA vpn scenario where client runs the tftp server.
In RA VPN test scenario,VPN client gets IP 140.40.30.15 assigned.
asa5500fw(config)#tftp-server inside
tftp-server 140.40.30.15 f:\
asa5500fw(config)# copy running-config tftp:
Source filename [running-config]?
Address or name of remote host [140.40.30.15]?
Destination filename []? running-config
Cryptochecksum: 67f2f1a3 c31d5a9b 0f6b1f6d 2f21766d
26019 bytes copied in 3.460 secs (8673 bytes/sec)
In your scenario with L2L VPN, as long as the TFTP server IP on the other side of the tunnel is part of the IPsec tunnel policy, try this below.
tftp-server outside
Regards