Vpn concentraor 3005

Similar Messages

• VPN Concentrator 3005 will not allocate IP Addresses

  Greetings,
  I have a very strange issue. I have configured a 3005 concentrator with an address pool that is in the same subnet as the private interface. When I try and connect a client...I get an error stating that NO AVAIL ADDR with a further explanation that an IP address could not be obtained for the remote peer because it exhausted all available addresses.
  Further study of the log files shows that the concentrator believes there is a network conflict...however I can assure everyone there isn't.
  Can anyone tell me why the concentrator would false think that an IP address had already been assigned when it isn't?
  It works fine if I use a different pool...however this is on a DMZ and we really don't want to use another subnet for a few VPN clients.
  The exact error it give is:
  IP Address Conflict on the network: 192.168.123.101
  Marking address as unusable
  There is no 123.101 anywhere on the subnet.
  The worst part is...I have another concentrator setup the exact same way at a different location and this config works just fine.
  Any ideas?
  Thank you very much!

  thank you for your reply...but we are running 4.7.2.O
  any other ideas why this would happen?

• VPN CONCERNTRATOR 3005 running at 100 CPU!!

  Hi all
  We have a customer which has a VPN concerntrator model 3005. They have been complaining that over the last 6-7 months that connectioned from about 20 remote sites (L2L) have been running very slowly. This occurs especially when the VPNC CPU shows that it is running at 100%. As soon as this drops, it all returns to normal. However, it is intermittent and even when there are minimal active sessions the CPU goes to 100%. The VPNC has 64mb ram and the usage is a mere 30%...Can anyone explain what is going on? The remote sites are running cisco routers over broadband. Which pass through a PIX 515E (via ACL) to be authenticated on this VPNC.
  Someone help?
  Regards
  Randeep CCSP

  High CPU utilization may depends on a number of factors, please let me know the following:
  1 - Do you have compression turned on for any of the group, how many of those users connected at the same time, compression is extremely cpu intensive?
  2 - Is your SEP card(s) taking load, what does "Monitoring | Sessions | SEPs" show?
  3 - What other features you have configured on the box, QoS/Routing Protocols?
  4 - Do you have logging turned on the box, if yes, what are the severity levels configured, high
  severity level will result in high cpu util.

• VPN CON 3005

  I would like to confirm that if my office only requires VPN access, NO internet browsing, then a VPN CON would be secure enough and I do not need any FW.
  Please let me know if my understanding is correct.
  Thanks

  Hi,
  Most of the time a concentrator and PIX are used in series -
  Concentrator on a different segment (DMZ), of the PIX firewall.
  So, the concentrator real IP will be an RFC 1918, but it will be NATted via the PIX firewall. One to One - NAT.
  Once you have the one to one NAT configured, then you would need to allow the protocols like UDP 500, ESP & NAT-T to go through the firewall so that clients or remote devices can build IPSec sessions.
  Or you can just use the PIX firewall to terminate VPN connections instead of the concentrator.
  All decisions depend on cost, security, reliability, back-up scenarios, network architecture, etc..
  Rate this topic, if it helps
  Cheers
  Gilbert

• AAA VPN Concentrator 3005

  Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it ,I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session, nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working on the ACS Logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

  Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
  Cheers
  Brian

• VPN CON 3005 to Watchguard X550

  I am getting an error in phase 2.
  2368 04/16/2008 13:29:10.020 SEV=4 IKEDBG/97 RPT=1056 141.157.24.238
  Group [141.157.24.238]
  QM FSM error (P2 struct &0x365dac8, mess id 0x60374f02)!
  2369 04/16/2008 13:29:10.020 SEV=7 IKEDBG/65 RPT=1101 141.157.24.238
  Group [141.157.24.238]
  IKE QM Initiator FSM error history (struct &0x365dac8)
  <state>, <event>:
  QM_DONE, EV_ERROR
  QM_WAIT_MSG2, EV_TIMEOUT
  QM_WAIT_MSG2, NullEvent
  QM_SND_MSG1, EV_SND_MSG
  Does anyone know what is going on?
  -Thanks

  This is a general message indicating something is wrong with quick mode. If the debug level is increased, there should be surrounding messages that will give a better indication of what's going on.

• Replacement for a 3005

  Can anyone recommend a replacement for a VPN Cisco 3005 that will also tie into Active Directory so that users of the VPN can change their AD accounts while using the VPN. Total of <100 users.
  Thanks

  Ray,
  The Cisco ASA 5510 should suit your needs. The ASA is the replacement for the 300 series concentrators. You should be fine integrating active directory using ACS server with the ASA.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Mark

• Swapping out a VPN Concerntrator

  Hi All,
  I will be swapping out a customer VPN concerntrator 3005 with a replacement VPN Concerntrator 3005 with more RAM. This is the first time i am doing this so am wondering if I will have to re-configure everything all over again or can I offload the config of the old one onto the new one? If so, how?? What is the best procedure? Any links i can look at?
  Hope you can help
  Regards
  Randeep

  If it were me I would just slap it in and then using your (with a direct connect to one of your switch ports) browser http to the IP 198.168.1.1. Login using the defaults and set it up that way. You should get a snapshot of your old linksys setting  before you pull it off. I installed my first linksys that way and it wasn't till ver 5 that I encountered the CD. For your basic install this should be just fine. I am sure there is a lot of good stuff on the CD, but just get it up and running that is the way I would go.
  Oh by the way...Wanna buy a used linksys router? Lookie here in my trunk...gotta a couple extra hubs and switches...
  It's Labor Day...just kidding...hope you had a nice weekend.

• VPN client over wireless

  We have a VPN Concentrator 3005. One of the users is trying to connect to our network through wireless at a hotel. He was able to login through Cisco VPN client. However, he could not open Microsoft Outlook. Can you help? Thanks.
  Diane

  Hi-
  This is actually not a Cisco issue per-se, but due to the fact that (i'm almost certain) the hotel is blocking the port that Exchange uses. Assuming that you guys use the MS OWA (Outlook web access), you need to go into Outlook ->Tools ->email accounts ->Next ->change ->More Settings ->Connection -> Enable and then click on Connect to my Exchange mailbox using HTTP.
  You would then need to click the Exchange Proxy Settings button and add the URL for your OWA to that page, and then change your authentication type from NTLM to Basic. Also, make sure that both boxes are checked for fast and slow connections.
  Save these settings, close OUtlook and then re-open it and that should do it.
  HTH,
  Paul
  You know, I just re-read your post and I may be wrong. I'm going to test this setup this evening and I'll post back.
  P

• Controlling Access

  Not sure if this is the right forum for this questions. I have a vpn concentrator 3005 with it's private interface connected to a dmz interface on my pix. The public interface to a hub hanging off my router facing the internet.
  I have a vlan set-up on our core switch (4507) that contains servers that are used for our application developers. Our applications developers are able to access their servers by connecting and authenticating to our concentrator. The are given an ip and then access to their particular servers are controlled via the pix.
  I would like to prevent the developers from being able to transfer any data from the development server to their computer they are using to make the vpn connection.
  What would be the best why to accomplish this?
  Thanks in advance for any assistance.

  Transfer how? Secure copy, ftp, CIFS? There are multiple ways to transfer files and if the developers really want them, they will find a way to get them. Block the ports on the firewall or create a policy on the Concentrator to block ports will be your best bet.

• WebVPN using External Authentication

  I have a VPN concentrator 3005 that is configured for WebVPN which works great if I login with a local user.
  I would like to authenticate my users through our LDAP. I created a SSLusers group that is setup for external authentication. The SSLusers group works fine when I use the Cisco VPN client to connect (I enter the group name/password in the text boxes, when it connects it asks for the username/password).
  In the logs it shows that it is checking for the user in the Internal server, I want to point it to my ACS box. I feel like there is a check box somewhere that I am missing that tells the concentrator 'if I can't find the user in my local database, check the external authentication server'.
  Any advice on how to get the external authentication working with the WebVPN would be most appreciated. Thanks in advance.

  Thanks Daniel for the suggestion. I tried to add the above, but still received the same error. Is there an additional checkbox that needs to be marked for the base group to search the radius server?
  Authentication rejected: Reason = User was not found
  handle = 686, server = Internal, user = bobeldde, domain =
  It appears to work ok if I login with 'bobeldde#ssl';where the ssl group is configured for Radius Authentication.

• Allow File Sharing Only

  We have a VPN Concentrator 3005. How do we restrict access on the VPN Concentrator that would only allow file sharing on a particular server? I want the Remote users to be able to access file sharing only and nothing else. The server is running Windows 2003 server.
  Thanks.
  Diane

  Hi,
  I haven't use VPN Concentrator. I use ASA/PIX for both S2S and Remote VPN.
  Open port 135 to 139 (both TCP and UDP) and port 445 (both TCP and UDP).
  These ports are considered dangerous ports. Make sure that when you are opening these ports for user access, it doesn't spill to internet (plain unauthenticated/unencrypted) and should be opened only to few trusted users.
  Regards,
  Dandy

• Allowing Email Only...

  First off let me say I didn't design, create or, even recommend this network. I Inherited this mess, I'm just the one cleaning up...
  The previous admin has setup a email account for a local lawyer that my company uses. When someone needs to send the lawyer sensitive information they will do so by sending to his email address here. Now the lawyer has his own network and firewall. The previous admin supposedly setup a LAN to LAN VPN connection between his network and ours using our PIX 515 Firewall. Since the previous admin has been gone we have purchased a VPN Concentrator, 3005, and I would like to start using this instead of what he setup on the PIX, since I can't really trust how he put things together.
  I only want the lawyer to be able to pull his email and not have access to the rest of the network. Is there a way to setup some type of ACL, or Filter, or something that will only allow this function with a VPN Concentrator 3005? Any suggested would be greatly appreciated.
  Thanks,
  Bob

  Create a separate group on the concentrator for just this person, and set up his client to connect to that group.
  Create a rule (under Config - Policy Mgmt - Traffic Mgmt - Rules) that is Inbound/Forward, Source of Anything, Destination of /0.0.0.0, dest port TCP port 25. Create another rule, it can be left at the defaults which is Inbound, Drop, Source of anything, Dest of anything. Create a filter (under Config - Policy Mgmt - Traffic Mgmt - Filters) with default action of forward and add both your new rules to it, making sure the rule that allows access to the host mail server is ABOVE the default rule that will drop everything else.
  Modify the group you created for this one user and under the General tab, apply that filter to it.
  This should be all you need to do. Test it first to make sure.

• Pb: secure desktop with web client citrix

  version :
  Cisco Secure Desktop Release: 3.1.1.45
  VPN Concentrator 3005
  client web citrix : 10.1
  description :
  1) Connexion SSL portal : OK
  2) Secure Desktop install OK
  3) connect to portal citrix and retreive msi package citrix web client : OK
  4) During install msi package error occure.
  Idea ???
  Can I install msi package in environnent secure desktop ??

  Yes, you can install an msi package on secure desktop environment. The problem seems to be with the package you are trying to install or it may be with the msi installer. To confirm this you can disable the cisco secure desktop and then try to install the package. If installation fails with same error the problem may be in the package. Get a different copy of the package and try to install it.

• VPN 3005 and Microsoft AD authentication

  I would like to use Microsoft Active
  Directory (AD) to authenticate
  remote access users connecting to the
  VPN3005 concentrator. Everything is
  working fine but I want the VPN3k to use
  microsoft ds (tcp port 445) instead of
  netbios (tcp port 139) when it communicates with the AD server.
  In the vpn 3005 I specified port 445
  as the communication port between vpn3k
  and the AD server but in my tcpdump,
  i see this:
  [Expert@cp]# tcpdump -i eth1 -n host 192.168.1.4
  tcpdump: listening on eth1
  14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
  14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
  14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
  14:41:54.671835 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 72:240(168) ack 5 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
  14:41:54.700474 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 240:371(131) ack 110 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
  14:41:54.704467 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 371:414(43) ack 223 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
  14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
  14:41:54.715653 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 263 win 8192 <nop,nop,timestamp 732419 579729>
  obviously, it is using port 139 instead
  of port 445.
  How can I fix this on the vpn3k? Thanks.

  Hi Kevin, I've looked at this message to see any replies for a while and I don't know if you have already resolved this issue.. I used vpn3005 as well but use different method of authentication which is RADIUS from our Windows AD, I tend to believe this may be more of a PPTP client netbios setup and not the VPN , where? I don't know but clearly the tcpdump the client is initiating netbios session and even though vpn is setup for port 445 it still forwards netbios port... well just a thought .
  Rgds
  Jorge