VPN 3000 problem
I have 2 CVPN 3000 at my institution. They both have software version 4.7.2.L-k9. They also have WebVPN running.
Lately something strange has been happening. One VPN loses connection (ping keepalives stop working) and no one can connect. When this happens I change the dns A record of the vpn service to the 2nd CVPN and, after a while, that 2nd CVPN stops responding. Can this be an attack? What can I search for in the logfile? The logfile cannot handle more than 15, 20 minutes.
Thanks in advance.
I have captured some traffic directed to the SSL port. There are a lot of TCP retransmission packets (dup ack).
Disabling the SSL service, I have had the CVPN running for a day now... it seems the problems have stopped. Of course now I don't have the WebVPN service.
Any suggestions? Has anyone experienced such a problem?
Tx
Similar Messages
-
VPN 3000 and Radius authentication/authorization
hello.
I have to configure RADIUS authentication
with a VPN 3000 concentrator.
I'm completely new with this product
(the concentrator).
It seems that, if I want to perform authentication
of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attribute set loaded with the appropriate dictionary.
Am I right with this supposition?
I mean: should it be possible to authenticate only a username and password externally on RADIUS, while continuing to maintain the user (or group) VPN configuration locally in the concentrator?
thank you.
Davide
No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPNs on concentrators or the Concentrator itself, having a look at the support page will be a good idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator
-
How to get the traffic split up in VPN 3000 Concentrator?
Hi,
Requirement:
I want to parse & analyze the Cisco VPN 3000 Concentrator logs and provide the report for the happenings using the log.
Issue:
I am able to get the traffic split up for Cisco Pix501 through its logs for the VPN connections. But in the Cisco 3000 VPN Concentrator, I am not able to get the traffic details for any PPTP/IPSec connections. It simply provides the overall traffic log when the session is closed. For example, below is my traffic log:
<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested
My Question:
Is there any configuration/solution available to get the live traffic [traffic split up] through that VPN connection for the Cisco 3000 VPN Concentrator?
Please help me in getting this issue resolved.
Thanks to all helping me to resolve the issue.
Thanks.
You get the details from the Pix logs not because of VPN functionality but because the Pix is a stateful device that manages and logs each and every session.
The VPN 3000 is not stateful or session aware. The best you could do is provide packet level logging, but this would generate enormous log files that would need to be statistically analyzed to provide useful information.
Your best options are to run their traffic through a Pix firewall for the session logging, use the first hop router inside the network that can provide Netflow export for analysis, or use a probe to monitor the traffic that can discern the individual flows. For the last two, ntop can analyze netflow of mirrored sessions to provide protocol analysis by src/dest IP, top protocols used, etc.
-Shannon -
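The question above is about extracting per-session figures from VPN 3000 syslog output, and the first post on this page asks what to search for in the same logfile. The following parser is an added example, not code from the original thread or from Cisco: it splits the syslog header (priority, sequence, timestamp, SEV, CLASS/id, RPT) from the message body, extracts the fields of the AUTH/28 disconnect record quoted in the post, aggregates bytes and session time per user, and counts events per class so that a burst of one event type stands out. The first sample line is the one quoted in the post; the other lines are constructed for the example, and the regular expressions assume the body format follows the quoted line exactly.

```python
import re
from collections import Counter, defaultdict

# Syslog header common to every VPN 3000 line:
# <PRI>seq MM/DD/YYYY HH:MM:SS.mmm SEV=n CLASS/id RPT=n <message body>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) SEV=(?P<sev>\d+) "
    r"(?P<cls>[A-Z]+)/(?P<evid>\d+) RPT=(?P<rpt>\d+) (?P<msg>.*)$"
)

# Body of the AUTH/28 session-disconnect record, in the shape quoted in the post.
DISCONNECT_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) User \[(?P<user>[^\]]+)\] "
    r"Group \[(?P<group>[^\]]+)\] disconnected: Session Type: (?P<stype>\S+) "
    r"Duration: (?P<dur>\d+:\d{2}:\d{2}) Bytes xmt: (?P<xmt>\d+) "
    r"Bytes rcv: (?P<rcv>\d+) Reason: (?P<reason>.*)$"
)


def duration_seconds(hms):
    """Convert the H:MM:SS duration string to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_header(line):
    """Return the header fields of any VPN 3000 log line, or None if it does not match."""
    head = HEADER_RE.match(line.strip())
    return head.groupdict() if head else None


def parse_disconnect(line):
    """Return a dict with header plus session fields for a disconnect record, else None."""
    head = parse_header(line)
    if head is None:
        return None
    body = DISCONNECT_RE.match(head["msg"])
    if body is None:
        return None
    rec = {k: head[k] for k in ("date", "time", "cls", "evid")}
    rec["sev"] = int(head["sev"])
    rec.update(body.groupdict())
    rec["xmt"] = int(rec["xmt"])
    rec["rcv"] = int(rec["rcv"])
    rec["dur_s"] = duration_seconds(rec["dur"])
    return rec


def summarize(lines):
    """Per-user totals (sessions, bytes transmitted/received, seconds) over disconnect records."""
    totals = defaultdict(lambda: {"sessions": 0, "xmt": 0, "rcv": 0, "dur_s": 0})
    for line in lines:
        rec = parse_disconnect(line)
        if rec is None:
            continue
        t = totals[rec["user"]]
        t["sessions"] += 1
        t["xmt"] += rec["xmt"]
        t["rcv"] += rec["rcv"]
        t["dur_s"] += rec["dur_s"]
    return dict(totals)


def count_events(lines):
    """Count lines per (CLASS, id) so an unusual burst of one event type is visible."""
    counts = Counter()
    for line in lines:
        head = parse_header(line)
        if head is not None:
            counts[(head["cls"], head["evid"])] += 1
    return counts


# Constructed sample: line 1 is the one quoted in the post, the rest are made up for this example.
SAMPLE_LOG = [
    "<189>14014 07/23/2004 19:16:24.640 SEV=4 AUTH/28 RPT=41 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:16:37 Bytes xmt: 216 Bytes rcv: 38023 Reason: User Requested",
    "<189>14020 07/23/2004 21:05:11.003 SEV=4 AUTH/28 RPT=45 192.168.101.41 User [sarav] Group [Base Group] disconnected: Session Type: PPTP Duration: 0:03:00 Bytes xmt: 100 Bytes rcv: 2000 Reason: User Requested",
    "<189>14021 07/23/2004 21:06:00.000 SEV=5 IKE/25 RPT=3 192.168.101.43 constructed non-session event text",
    "<189>14022 07/23/2004 21:40:30.512 SEV=4 AUTH/28 RPT=46 192.168.101.42 User [alice] Group [Base Group] disconnected: Session Type: IPSec Duration: 1:02:10 Bytes xmt: 10240 Bytes rcv: 204800 Reason: User Requested",
]

if __name__ == "__main__":
    for user, t in summarize(SAMPLE_LOG).items():
        print(f"{user}: {t['sessions']} sessions, {t['xmt']} B out, {t['rcv']} B in, {t['dur_s']} s")
    for (cls, evid), n in count_events(SAMPLE_LOG).most_common():
        print(f"{cls}/{evid}: {n}")
```

The two-stage parse (header first, body second) is deliberate: every class of VPN 3000 event shares the header, so new body patterns can be added without touching the header regex, and `count_events` works on lines whose body the script does not otherwise understand.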
Hi All,
In the VPN 3000 concentrator, I've enabled tftp, telnet, snmp. I've also successfully added the concentrator into Ciscoworks LMS 4.2.2. All the ports are verified open to Ciscoworks. No question mark shows next to this device in the device management of LMS. However, when I run a configuration Archive Job, I always get the following failed message. Can anybody tell me how to back up the configuration of the Cisco VPN 3000 concentrator in Ciscoworks LMS 4.2.2? Thanks in advance.
Sorry, but apparently not. Please see the supported devices table (here).
That table states, among other things:
The following features are not supported:
Network Topology Layer 2 Services
Fault Management
Configuration Deploy Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP
Configuration Fetch Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP -
Maximum number of local users on a Cisco VPN 3000 Concentrator
Hi,
Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
Thanks in advance for your help!
Harry
Hi Harry,
Please see table 13-1 for that information, and read Authentication Server Limits paragraph
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
Pls rate any helpful posts
Bst Rgds
Jorge -
VPN 3000 dynamic crypto?
Is it possible to establish a tunnel (LAN-to-LAN) from a VPN 3000 series
Concentrator with a static IP address to another VPN 3000 series
concentrator (or an IOS router) with a dynamic IP address.
That is possible, you just need to configure it on the Base Group of the 3000 with static IP and on the remote 3K or router configure the tunnel as a normal L2L.
Please check this e-mail:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml -
Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?
Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco Concentrator 3000?
Tricky question - in theory yes, if the Nortel client follows all the IPsec RFCs.
I did try to get the Cisco VPN client working on a Nortel Contivity once - did not get it working - but didn't have that much time to test and get it working.
My advice - Configure, TEST DEBUG TEST DEBUG! -
Out of ideas diagnosing VPN connection problems
I'm having trouble narrowing down what's causing the VPN connection problems to my new Mini Server. Sometimes I can connect just fine with my MacBookPro and use all the resources like file sharing, etc. So, this leads me to believe it has been setup correctly. But then, for no reason at all (maybe it's later in the same day, or a completely different day) it will just stop working and I cannot connect at all.
*MacBook and iMac at home cannot connect, but iPhone can*
This is what's really throwing me off. This afternoon, I cannot connect to the server from home with my MacBook or my iMac. BUT, my iPhone can -using the same WiFi network my computers are on, not the cellular network. How could that be? The VPN settings on all 3 devices match exactly.
*Colleagues with other ISP's can connect, while I cannot*
I've called Comcast business (which provides the static IP for our office server) and they tell me all my settings are correct for allowing VPN traffic through. Likewise, Comcast Residential tells me there is nothing that would block VPN traffic from my home. They tell me to talk with Apple. argh!
*Web and Server Admin services are still accessible when VPN is not working*
We have exposed the Server's Web and Admin services without needing a VPN connection to access them. Since these services are accessible to me even when the VPN is not working, this leads me to believe the server is operating normally and capable of receiving incoming traffic.
I'm out of ideas and I'm starting to lose my mind!!! Any ideas on why my 2 computers sometimes can connect, yet sometimes cannot...all the while, my iPhone can connect just fine over the same network???
I don't have an explanation for the erratic nature of your connections. It's only as I've said before, in my experiences with such problems it has always traced back to misconfigured network or DNS settings. mDNS is multicast DNS and it's a protocol Apple uses so its devices can find each other easily. That may be the reason why your iPhone can connect when other things can't.
To take a step back, here is how I think things should be set up:
- Your dedicated IP address should be assigned to your router automatically through PPPoE
- The name servers as set in your router should be your ISP's name servers
- Make sure the server has only one connection to the router that is managing the dedicated IP, either wired or wireless, but not both
- A static network address should be assigned to your server's MAC address in the router's DHCP settings
- The server's network address should be put in the DMZ on the router or set as the default server in the NAT settings, depending on the router
- The network settings in System Preferences on the server should be set to DHCP with manual address and the server's network address entered correctly
- The router address should be listed correctly in the network settings in System Preferences on the server
- The name servers in the network settings in System Preferences on the server should be 127.0.0.1 and the router's IP address, nothing else.
- The zone files on the server should have a primary and reverse zone for each domain name and its network address. Do not use the dedicated IP address in the zone files on the server.
If everything is set as I described, it should work. If it doesn't, it's time to call a witch doctor or an exorcist. -
I have remote access VPN configured on a Cisco 2901 router. Everything works well except iPad 2 3G. When I am connecting with the iPad from the 3G network it connects but it is unable to access corporate resources. I talked to my telephone provider and they told me that they have some NAT problems with ESP, and advised me to force VPN clients to use UDP ports 500 and 4500. How do I have to configure my router to accomplish this?
Thanks in advance
Hello,
ISAKMP uses port UDP 500 for the management connection establishment (Phase 1).
NAT-T (used when there are NAT devices in between two VPN endpoints) uses port UDP 4500.
So on your Router NAT-T is configured by default; all you have to do is, if you have an ACL on the outside interface, allow this traffic (ISAKMP and NAT-T). On some of the newer IOS versions you do not have to apply the ACL, as by default the VPN traffic (encrypted traffic) bypasses the ACL.
So your requirement is done by default, great thing right!! You can let your telephone provider know you are ready for the test.
Julio
Do rate all helpful posts!! -
I am currently unable to connect to my VPN server with either of 2 Lion machines, a 2010 white MacBook and a black MacBook. I run iVPN (L2TP) on an old PPC Mac Mini; my iPhone and iPad still connect instantly. When the Lion machines try to connect, they try for about a minute and fail, returning "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." I currently have my router set up to port forward and use a dynamic DNS. I tried connecting straight to the VPN directly by changing to the internal LAN IP, still no luck. Any suggestions?
I've been out of my SonicWall VPN since I upgraded to Lion last week. Found a trick and succeeded. I had to reconfigure the settings on the Sonicwall and make sure that the phase 1 and phase 2 authentications were using AES encryption rather than 3DES.
That did the trick and I was back in.
Of course now my 10.6.8 clients are out - I'll post more on that front if I figure it out. -
I have 2 AD accounts in 2 domains, Singapore and China. Both domains are under 1 forest. The problem is when I use Cisco VPN to connect to the Singapore firewall but use the China AD account & password, authentication fails. But when I use Cisco VPN to connect to the China firewall but use the Singapore AD account & password, authentication works. Why? Please help and thanks.
Muhammad,
I think you have an issue with your AD search order....try adding the domain OU prefix with a "\" then the username i.e:-
domain\username
HTH. -
Hi all ,
I need to create VPN tunnels between two ASA devices. And these devices are connected through DSL. And as you know in this case we use a private outside IP address, because there is a NAT device at the outside. The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical. I have already configured the following configuration.
no crypto map newmap interface outside
no crypto map newmap 171 set peer 195.11.199.144
no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
crypto map newmap 171 set peer 195.11.204.5
isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
clear crypto ipsec sa
clear crypto isakmp sa
crypto map newmap interface outside
Settings were applied successfully; however, the VPN tunnel has still not been initiated. -
I have created a working VPN between a remote PC with Cisco VPN Client and Easy VPN server on a Cisco 1802 (DSL). The Router has a dynamic external IP and is accessible over DynDNS. The problem is not the VPN connection, but the communication between the remote PC and the LAN behind the router.
Ping functions to all devices on the LAN
telnet 25 functions
DNS functions
Access to shares is taking ages, functions then sometimes, usually runs it into a Timeout
HTTP is taking ages and breaks then
Remotedesktop to a 2k server breaks
Remotedesktop to a 2k3 server opens the server window, but before the login mask breaks
Application Security Log of the SDM:
JAN 16 14:09:35.902 PC Time DROP PKT Dropping tcp pkt 192.168.121.15:80 => 192.168.122.5:4293
JAN 16 14:11:35.662 PC Time DROP PKT Dropping tcp pkt 192.168.122.5:4302 => 192.168.121.15:3389
Any ideas what's wrong with the config?
Hi there,
I see some issues here:
1. Increase the value in the command:
ip tcp synwait-time 10
2. Remove following command from the interface Dialer0 config:
ip route-cache flow
3. On the VPN client PC, open the SetMTU utility (in the VPN client folder) and set the MTU on the interface to 1300.
Start the above steps and test after each.
Please rate if this helped.
Regards,
Daniel -
Hi
I have a problem with ping in VPN Client,
In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A) but it could not.
The router is able to ping Z.Z.Z.0/24.
The Tunnel and VPN client are working.
1. PC-1 can connect to ASA-1 and ping Network 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
3. If PC-3 gateway be 10.10.10.1 , It can ping Z.Z.Z.2.
4. If PC-3 gateway be 10.10.10.20 , It cannot ping Z.Z.Z.2.
5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
This is my config on ASA-1 and ASA-2:
hostname ASA-1
interface G0/0
nameif Outside
security-level 0
ip address x.x.x.1 255.255.255.224
NO SHUT
interface G0/3
nameif Inside
security-level 100
ip address 20.20.0.1 255.255.0.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
object-group network DM_INLINE_NETWORK_1
network-object 10.10.10.0 255.255.255.0
network-object 20.20.0.0 255.255.0.0
network-object z.z.z.0 255.255.255.0
ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp enable Outside
tunnel-group y.y.y.1 type ipsec-l2l
tunnel-group y.y.y.1 ipsec-attributes
pre-shared-key 1234
group-policy ATA internal
group-policy ATA attributes
vpn-tunnel-protocol IPSec
username TEST password TEST privilege 0
username TEST attributes
vpn-group-policy ATA
tunnel-group ATA type remote-access
tunnel-group ATA general-attributes
address-pool ATA
default-group-policy ATA
tunnel-group ATA ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer y.y.y.200
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
hostname ASA-2
interface E0/0
nameif Outside
security-level 0
ip address y.y.y.1 255.255.255.192
NO SHUT
interface E0/3
nameif Inside
security-level 100
ip address 10.10.10.20 255.255.255.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp enable Outside
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer x.x.x.1
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
Regards
Hi,
My suggestion for your puzzle is to either load your ASDM real time log and observe the logs while one host tries to ping the other and take notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2; either way, I would start with the easiest one, which is the realtime log on ASDM.
Could you provide the following:
1 - Post output of c:\ipconfig /all from PC-4 z.z.z.2/24
2 - Post output of show ip route from Router where PC-4 subnet is routed from
Regards -
Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
1. SiteW is the main site; if W-Client wants to talk to S-Client (on SiteS) the traffic is simply NATted to 106.200.194.240 and sent there (this works fine).
2. SiteB is a new site; I've set that up with a Site to Site VPN, that works fine.
New Requirement
If a user at SiteB wants to Talk to a Client at SiteS, then the traffic should go over the existing VPN to W-FW1 then get decrypted and routed there. This is the bit I CANNOT despite HOURS of tweaking and testing get to work.
What I've done
On W-FW2
Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
On W-FW1
Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
At this point packet tracer said the traffic was being blocked by ACL so I added
access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
access-group inbound in interface outside
Now Packet Tracer was happy, Still B-Client Cannot Ping S-Client!
W-FW1 can ping S-Client
Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2) but no traffic ever travels BACK to B-Client.
Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
Help!
First check if the packet from the S client is making it back to the W-FW1.
Configure Captures on the interface that is connected to the 106.200.194 subnet.
#cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
#show cap capin
Capture is bidirectional. Hence no need to enable it in the opposite direction.
If the packet is seen coming back from the Sclient and still not getting encrypted then do asp drop capture to see if the ASA is dropping it
#capture asp type asp-drop all
send the traffic.
#show cap asp | in <Sclient IP>
If the packet is see in this capture then the ASA is dropping it.
Then do a packet tracer to see why it is dropping it.
#packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
Check why the packet is dropping.
if the capin capture does not see the reply packet then check the reply path and routing.