VPN DHCP
Why does the SA520W not have a very simple option to have the VPN users get their IP address from a DHCP server like SonicWall devices do? Instead I have to assign a range in the dynamic IP area and then adjust my Active Directory to allow the new subnet to communicate.
Sent from Cisco Technical Support iPhone App
Hi,
I guess you would need to use DynDNS. The problem, to my knowledge, is that the ASA doesn't work with DynDNS.
I however wondered if some host behind the actual ASA could handle updating the DynDNS with the changing public IP address of the ASA as its traffic would be showing with the public IP address?
This might be something to look into.
- Jouni
Similar Messages
-
Routing and Remote Access VPN DHCP error
I have a strange problem.
I have a client that is using Server 2012 Standard.
On this server they have Routing and Remote Access configured for VPN client access. Their users that are working outside the office connect to the VPN to access the internal network.
The VPN works fine for the most part. Recently however, it has started having issues.
Periodically (about once every 8 days) I will hear from them that they cannot connect and that they get error 720. I will check the server and the server will have the following errors in the event log:
Warning: No IP address is available to hand out to the dial-in client.
If you check DHCP the server is running fine and will hand out local addresses but it will not hand out addresses to VPN clients. Also the addresses that it HAS previously handed out to VPN clients will not show in the address leases.
The solution, strangely enough, is to disconnect and reconnect the VPN client connection that the server has connecting it to an offsite server that it does a SQL sync with.
Any ideas as to what might be causing this? If need be I can post more detailed logs but I am not sure what logs even to post or what data to collect.
Any help is greatly appreciated.
I am experiencing the same issue on a Windows 2008R2 SP1 RAS server. The above statement about increasing the lease time on DHCP does not resolve the problem.
I am also Searching for a Solutions to this issue.
Up to now I have done the Following :
1. Increased the scope/ cleared IP's in DHCP.
2. Ensured that the DHCP server is accessible.
3. Created a manual scope in the RRAS configuration settings (then clients can connect but cannot access resources on the network). Changing back to DHCP, you receive the same 720 error.
4. Stop and started the DHCP services on the DHCP Server.
5. Stop and Started RRAS Services on RRAS server.
The only indication is that DHCP for some reason does not lease out addresses to the RRAS server. -
Greetings. Probably a simple thing I'm overlooking here.
Recently changed TZ205 Client VPN from static IPs to DHCP over VPN.
It's a split tunnel VPN allowing Sonicwall X0 + 2 other VLANs. VPN used only for MGT.
Since going DHCP I'll get occasional packet drops and RDP session hangs for 5 sec or so. If I manually assign just IP/mask to the adapter, no drops.
My desktop will just drop a few packets. My laptop shows general failure. What about DHCP over VPN is causing these drops?
Thanks!
-
ASA Hub-and-spoke VPN dhcp-relay
Hi!
Has anyone implemented a solution with a hub-and-spoke IPsec VPN (running ASA) with DHCP relay for the inside clients on the spoke, with the DHCP server on the hub site?
Normal LAN-LAN IPSEC VPN is a bit cumbersome to configure something like below:
SPOKE
<snip>
access-list CRYPTO_ALLOWED extended permit ip INSIDE-NETWORKS any
#ALL INTERNET ACCESS GOES THROUGH THE SPOKE SITE
access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootps
access-list CRYPTO_ALLOWED extended permit udp host OUTSIDE_IF_ADDR host HUB_DHCP_SERVER_ADDR eq bootpc
nat (INSIDE,OUTSIDE) source static CRYPTO_ALLOWED CRYPTO_ALLOWED destination static OSKO-INTERNET OSKO-INTERNET route-lookup
dhcprelay DHCP-SERVER outside
dhcprelay enable INSIDE
dhcprelay setroute INSIDE
dhcprelay timeout 60
HUB
<snip>
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit ip 0.0.0.0 0.0.0.0 HUB_NETWORKS
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 67
access-list CRYPTO_ALLOWED_TO_SPOKE extended permit udp host HUB_DHCP_SERVER_ADDR host SPOKE_OUTSIDE_ADDR eq 68
nat (INSIDE,OUTSIDE) source static ANY ANY destination static SPOKE_NETWORKS SPOKE_NETWORKS
nat (INSIDE,OUTSIDE) source static HUB_DHCP_SERVER_ADDR HUB_DHCP_SERVER_ADDR destination static SPOKE_OUTSIDE_ADDR SPOKE_OUTSIDE_ADDR
### HUB INTERNET ACCESS ##
nat (OUTSIDE,OUTSIDE) source dynamic SPOKE_NETWORKS interface
I can't really apply this to a hub-and-spoke configuration.
Any ideas?
Regards
Daniel
Thanks. That's what I thought. I'm trying to configure this in my lab and having trouble though. Here's what I am trying to accomplish: HUB should communicate with SPOKE1 and SPOKE2 via IPsec VPN using their own internal addresses (HUB: 192.100.10.0/24, SPOKE1: 10.142.0.0/24, SPOKE2: 10.25.0.0/24). Communication between SPOKE1 and SPOKE2 should be NAT'ed by the HUB so SPOKE2's addresses appear to be 172.16.128.0/24. SPOKE1's interesting traffic rule will allow the entire 172.16.128.0 255.255.128.0 subnet. Any new SPOKEs will use another subnet of that network. In my head I think I might need to let SPOKE2 NAT its own traffic before it gets to HUB, but I'm dealing with multiple different devices as spokes so I want to handle everything on the HUB. Ideally the HUB would translate all traffic in both directions so both business partners and clients would only need one supernet in their interesting traffic rules.
-
VPN Problem: Can't route to other network clients
Hi,
I can't ping the other clients on the network when I'm connected to VPN from outside.
But accessing the internet through VPN works (sending all data through VPN).
So in fact, I can only ping the VPN server I'm connected to.
Maybe someone here has an idea what I'm doing wrong here.
Here is my setup:
internet
|
|
Airport Extreme (internal IP 192.168.3.1, router with NAT port forwarding to 192.168.3.3)
|
|
Switch----macMini (192.168.3.3, OS X Server 10.4.10 with VPN, DHCP, DNS, NAT enabled)
|
|
Other clients on the network (clients have DNS entries 192.168.3.3 and 192.168.3.1; router is 192.168.3.1)
The services DHCP, DNS working well for internal clients.
Has someone an idea?
Thanks a lot.
Alex
Message was edited by: Syndrome
First, ping is ICMP traffic, different from other kinds of (e.g., TCP) traffic like AFP.
See http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/productstechnote09186a00800a6057.shtml
traceroute also uses some ICMP traffic but might also be using UDP, see
http://en.wikipedia.org/wiki/Traceroute
http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
However, in testing, I can indeed ping the server, when I connect to a remote Mac OS X Server via the Mac OS X supplied vpn. But there is no AP Extreme in the path. So the two big factors are: limitations and/or configuration of the AP, and firewall settings for each/any machine involved.
The Airport Extreme is really quite limited, compared to any more full-featured routing device - in terms of just how granular you can be with controlling traffic flow.
(As a total aside, I'd recommend investing in something like a Zyxel Zywall 2 Plus (or similar or better) and running the AP in bridge mode for wireless clients.)
When you've connected via VPN, please run
netstat -rn to see what your default gateway is, that's actually being used.
Finally, what led you to try these tests? What other problems are you having, what primary issue(s) are you trying to solve? -
Remote Access VPN strange behavior
Hello all,
I have a problem with remote access VPN on a ASA5505 (8.2).
I can establish a VPN connection and can ping the ASA, but nothing else on the network! Not only ping isn't working, I've also tried RDP, HTTP, and file access.
Additionally there is a site-to-site VPN to this ASA, which is working perfectly.
I have another ASA5505 which is almost configured the same and there it's working, so I really don't know where the problem is.
I hope you guys can help me!
Many thanks in advance!
Here's my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(1)
hostname Shanghai
domain-name *******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.20.18.0 network-vpnclient
name 172.20.16.8 SHDC01
interface Vlan1
nameif inside
security-level 100
ip address 172.20.16.1 255.255.248.0
interface Vlan2
nameif outside
security-level 0
ip address ***.***.***.62 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone SGT 8
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.20.16.1
domain-name *****.local
same-security-traffic permit inter-interface
access-list nonat extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
access-list nonat extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
access-list split_tunnel standard permit 172.20.16.0 255.255.248.0
access-list acl-in extended permit icmp any any
access-list acl-in extended permit tcp any host ***.***.***.190 eq h323
access-list VPN_acl extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
access-list outside_cryptomap extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-vpn 172.20.18.1-172.20.18.254 mask 255.255.248.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.20.16.0 255.255.248.0
static (inside,outside) tcp interface h323 192.168.0.250 h323 netmask 255.255.255.255
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.61 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host SHDC01
server-port 3268
ldap-base-dn DC=*****,DC=local
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=lap-laser,DC=local
server-type microsoft
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.20.0.0 255.255.248.0 inside
http 172.20.16.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set laplaserset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set laplaserset
crypto map laplasermap 1 match address outside_cryptomap
crypto map laplasermap 1 set pfs group5
crypto map laplasermap 1 set peer **.***.***.51
crypto map laplasermap 1 set transform-set ESP-AES-256-SHA
crypto map laplasermap 65535 ipsec-isakmp dynamic dynmap
crypto map laplasermap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd address 172.20.16.50-172.20.17.1 inside
dhcpd dns SHDC01 interface inside
dhcpd option 3 ip 172.20.16.1 interface inside
dhcpd enable inside
vpnclient vpngroup lapserver password ********
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy user-vpn internal
group-policy user-vpn attributes
wins-server value 172.20.16.8
dns-server value 172.20.16.8
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value *****.local
username admin password VQiqjZZuUSQOWz6. encrypted
username adminlogin password qZwgnR/XebVbOZxI encrypted
tunnel-group connection2 type ipsec-l2l
tunnel-group connection2 ipsec-attributes
pre-shared-key *
tunnel-group **.***.***.51 type ipsec-l2l
tunnel-group **.***.***.51 ipsec-attributes
pre-shared-key *
tunnel-group user-vpn type remote-access
tunnel-group user-vpn general-attributes
address-pool client-vpn
authentication-server-group ActiveDirectory
default-group-policy user-vpn
dhcp-server 172.20.16.1
tunnel-group user-vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
inspect http
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc5e7b4ca01a2227885487ab3520ea9c
: end
I note in your config that the pool of addresses for remote access VPN is a group of addresses included within the range of addresses on the inside interface. I have seen situations where this caused problems and so have a couple of suggestions:
- do the devices connected on the inside network have routes to the vpn pool of addresses?
- if you change the vpn address pool to use addresses that do not overlap with your inside network, does the behavior change?
HTH
Rick -
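The overlap Rick points out can be checked mechanically instead of by eye. The following Python is an added example, not code from the thread or from Cisco: it parses interface subnets and `ip local pool` lines out of a config excerpt (constructed here from the ASA config above, with the masked public address replaced by the documentation placeholder 203.0.113.62) and reports every pool that shares addresses with an interface subnet. As a generalization it also accepts the IOS form `ip local pool NAME first last`, so the same check works on an IOS Easy VPN pool; the IOS excerpt is likewise constructed.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the ASA config posted above; only the lines the
# check needs are kept, and the masked public address is replaced by the documentation
# placeholder 203.0.113.62.
ASA_EXCERPT = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.16.1 255.255.248.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.62 255.255.255.252
ip local pool client-vpn 172.20.18.1-172.20.18.254 mask 255.255.248.0
"""

# Constructed IOS-style excerpt: a VLAN interface plus an "ip local pool NAME first last" line.
IOS_EXCERPT = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
# ASA: "ip local pool NAME A-B mask M"    IOS: "ip local pool NAME A B"
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)[- ](\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config):
    """Map each interface (by ASA nameif when present, else interface name) to its subnet."""
    nets = {}
    current = None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := NAMEIF_RE.match(line)) and current:
            current = m.group(1)          # ASA: report the nameif ("inside") rather than "Vlan1"
        elif (m := ADDR_RE.match(line)) and current:
            # "addr/dotted-mask" is accepted by ipaddress; .network drops the host bits
            nets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_pools(config):
    """Map each 'ip local pool' name to its (first, last) address pair."""
    pools = {}
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def pool_overlaps(config):
    """Return (pool, interface, subnet) for every pool sharing addresses with an interface subnet."""
    nets = parse_interfaces(config)
    hits = []
    for pool, (first, last) in parse_pools(config).items():
        for name, net in nets.items():
            # Two address ranges intersect when neither lies entirely before the other.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, name, str(net)))
    return hits


if __name__ == "__main__":
    for label, cfg in (("ASA", ASA_EXCERPT), ("IOS", IOS_EXCERPT)):
        for pool, iface, net in pool_overlaps(cfg):
            print(f"{label}: pool {pool} overlaps {iface} subnet {net}")
```

Run against the ASA excerpt it reports `client-vpn` inside the 172.20.16.0/21 `inside` subnet, which is exactly the condition Rick describes; a pool carved from a separate subnet (one that the inside hosts route to via the ASA) produces no hit.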
Easy VPN Server? Hmmm.. Not so Easy...
I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote, but I can't ping the default gateway of 192.168.1.1, which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway, which means when I connect I can't look at my router. And there's more: I cannot ping anything off-net (i.e. 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (I had to use the LAN switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of: does the virtual-template 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
description "VPN Default Profile for Group Cisco"
match identity group cisco
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group cisco
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
router-wan#
I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface, how would I then access it from the WAN given that it has a NAT'd LAN IP? I guess port forwarding would work, if that would have to be in addition to using a VLAN?
> Here's a follow-up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN-accessible VPN and a VPN residing on the local LAN. The reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for example, a coffee shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be achieved...
As an aside, my reasons for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MITM and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty. -
Port forwarding not working for VPN
Hi there,
I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
I have opened up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in OK.
So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
I have indicated that the VPN should use the range - 10.0.0.1 to 200
The DNS and DHCP services on the server are running. At the domain registrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
I should mention that if I use the local IP address of the server, I can connect ok, it is only when I use the static IP that I am unable to connect.
Every other port opens up successfully - FTP (21), Web (80/443), etc. - just not the ones for the VPN, so I assume there is some sort of conflict between or within the VPN/DHCP/DNS services or with the VPN service itself.
Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
Thanks in advance, and I hope to hear from folk soon.
Chris
OK - here's how my router is configured:
NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
These are the ports I have open:
UDP - 500
UDP - 1701
TCP - 1723
TCP - 3283
UDP - 3283
UDP - 4500
TCP - 5900
TCP - 5988
I have these ports open to accommodate remoting in via Apple Remote Desktop.
However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
Don't know if that helps or not, but it works for me. -
Windows 2008 R2 RRAS VPN Issue
Hello,
I have a Windows 2008 R2 server configured with RRAS. I have several persistent connections set up to do remote data backups. After a while, the connections get disconnected and if I try to reconnect, I get an error message
that states:
An error occurred during connection of the interface. A connection to the remote computer could not be established. You might need to change the network settings for this connection.
If I restart the RRAS service, then I can reconnect them all. And they work fine until they get disconnected again. The server is a standalone server, not part of a domain or anything.
I previously had these connections set up on a 2003 server, and they worked pretty flawlessly. It's only since I changed to this new server that these issues started. Anyone know what the issue could be?
Thanks.
Is that Event ID 20167?
Is there a DHCP Relay Agent configured?
I assume the DHCP server has enough free IPs to hand out to RRAS when needed. RRAS grabs a block of 10 IPs from DHCP at a time to use for connections.
How long is the lease?
References:
Event ID 20167 — RRAS IPCP Negotiation - Resolution
http://technet.microsoft.com/en-us/library/dd315994(v=ws.10).aspx
Not enough IPs in DHCP Scope:
http://www.eventid.net/display.asp?eventid=20167&eventno=5288&source=RemoteAccess&phase=1
Routing and Remote Access VPN DHCP error - DHCP lease too short
http://social.technet.microsoft.com/Forums/windowsserver/en-US/58e62df7-ce40-4814-b522-6785e230c869/routing-and-remote-access-vpn-dhcp-error?forum=winserver8gen
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
More 525 VPN phone issues.
So I have a VPN set up on a customer's UC560 that has been working just fine for close to a year. The 525 phone worked well at a remote location for 6 months and has been nothing but problems since.
I have wiped it to factory defaults, updated the firmware to 7.5.5, re-configured it via the wizard in CCA, increased the VPN DHCP pool to 10 from 3, and it tests out fine on our shop network here at work. After that it is 50/50 whether it wants to sync up and work properly off-site. The client brings it to his house where he has cable internet and a basic Linksys router and it boots up, shows the VPN icon on the top bar as connected but just sits at downloading some .xml file. Bypasses the router and same thing so it can't be a weird firewall issue.
I was under the impression that if this phone finds an internet connection it would work. I don't understand all the hit and miss whether it's going to sync up or not.
Thanks for the response.
I have verified we're on the latest IOS...
Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
And I always use the 2.5.6005 version of Anyconnect. Not sure about the DART thing.
Thanks for reminding me about the subnet. The client is taking the phone home with him for testing and keeps reporting that the vpn connects but doesn't fully sync up with the phone system. I bet he is on the same subnet of the system. The data VLAN is 192.168.0.X which is common with home routers.
Thanks again,
Jim -
Are UDP 500, 1701 and 4500 ports being blocked -- VPN ports ??
I recently set up a VPN back into my network (for use on public wi-fi, keep they prying eyes away).
Everything was working and now it is not. I checked the access to the port via the internet and they are now closed.
Is VZ blocking UDP 500, 1701 and 4500 now?
#1 Is the computer that you are forwarding to a Static IP?
Yes, the server on the inside is a static IP.
#2 Is that Static IP outside of the DHCP Range of the router?
Yes, the static IP is well above my 4 devices that get their normal DHCP address.
I put the starting VPN DHCP address well above my static IP and yet below where the set-top boxes start using IPs.
#3 If you don't know what the DHCP Range of the router is, it would help to know the brand and model of your router.
I believe the router is the standard VZ-issue Actiontec MI424WR (some model); I can dig it up when I get home.
Things to note:
All my other port forwards (ssh, http, https) are still working, they terminate on the same host as the VPN.
DNS is up-to-date as I can still access the box from the internet (I am using the DynDNS updater).
I nmapped from the internet to my host on ports 500, 1701 and 4500 and they are closed, whereas my other port-forwarded ports are open. -
Hi
I support many different clients via VPN/ARD and one thing that is really bugging me is how to sort your VPN list into some sort of alphabetical order under 10.5 since the removal of Internet Connect/VPN under 10.4. Any ideas? -
Server 10.5 VPN - Not the Gateway
OSX Support Community,
This is my first post to Apple Support Communities, as our business is branching out from Windows Servers into the OSX Server Realm.
I am being asked to repurpose a Leopard 10.5.8 XServe OSX Server for a client, but have a few questions for the community:
Initial Requirements:
Client wants to use the server as a simple file server for 10 OSX Clients and 3 Windows Clients; and
Client wants to eventually allow VPN access to all the files on the server for some of the staff from home
Considered these Options:
I was wanting to allow our Cisco (VPN Pass-through only) router to handle the NAT, DNS, and DHCP
The OSX XServe would be given a static IP and accessible for file-sharing by Apple and Windows computers
Once the file-sharing server is working as hoped, I'm trying to figure out the VPN aspect, and whether it can be "added" later
Questions:
Does the OSX Leopard Server have to handle DHCP, DNS, and NAT to also serve up VPN to the clients?
I didn't want to have all the traffic go through the server (they are hosting email elsewhere) and wanted to know the best way to configure this server to SOLELY be (1) a file server and (2) a VPN server, and would like some guidance.
Thanks in advance from Canada.
Canada911
DBAqua,
That's the thing, this IS already the now-discontinued xServe OSX Server appliance that I have to repurpose.
It is my understanding that I need the xServer to be:
NAT Server,
DHCP Server, and
DNS Server
for me to be able to dish out VPN DHCP IP addresses for clients (Both Windows & OSX) connecting from home...
Is this correct, community?
Canada911 -
Using a 3rd party router for Multicast
Hi all,
There’s a lot of feedback on this board about using third party routers with Multicast, so we’ve decided to put this information all in the one place for you.
NOTE: the workarounds below haven’t been tested by BT as we do not support 3rd party routers and we do not endorse any of them. Our recommended router remains the Home Hub.
With the above statement in mind, we know that a lot of you do choose to use other routers. The information contained here has come from fellow customers who have given their time to share this information in good faith. Thanks to all of the forum members who have helped make this information available to our community it is a great example of the wealth of information that a community can provide and we hope this encourages users to come back and visit us in the future.
A special mention goes to walkerx who has posted and prompted a lot of the provided information.
Hub configurations in alphabetical order:
Apple Airport Extreme
Put your Airport Extreme into Bridge Mode and turn the Home Hub's wireless off.
[From MartinH's post]
ASUS RT-N66U
You must configure 'Enable VPN + DHCP Connection' to 'No' under the WAN option.
Settings used were:
- Have router on the latest firmware: 3.0.0.4.374.130
- Use the following settings in LAN > IPTV:
- 'Select ISP Profile' = None
- 'Choose IPTV STB Port' = None
- 'Use DHCP routes' = Microsoft
- 'Enable multicast routing (IGMP Proxy)' = Enable
- 'Enable efficient multicast forwarding (IGMP Snooping)' = Enable
- 'UDP Proxy (Udpxy)' = 0
[From sepph's post]
Billion 7800DXL
Router has been reported to work.
[From walkerx's post]
Billion 7800N
Requires you to add another profile (Pure Bridge) to the EWAN port along with the PPPoE profile. Save settings & restart. Also enable IGMP proxy & snooping.
[TimCurtis' post]
DLink Dir 825
If you enable multicast you can see the on-demand players but get an IPC6023 error when viewing the test channel (this means poor internet channel quality). This error message comes up even though it works if you use the Home Hub 4.
[walkerx's post]
Netgear R6300
Netgear R6300, but with the Home Hub 3.0 and 500Mbit Powerline adapters in the picture.
Modem -> HH3 -> R6300 -> Powerline -> 2 x Youview Boxes on other Powerlines.
To do this, configure the Home Hub 3.0 as 192.168.1.1, then disable its wireless and DHCP. Make sure that NAT and UPNP were enabled, and then set it to use the address 192.168.1.254 as a DMZ server.
Then configure the R6300 as the address 192.168.0.1, using the WAN IP address of 192.168.1.254, with 192.168.1.1 as the gateway and DNS server. The R6300 is then connected via WAN port to the HH3 Gigabit port.
In the R6300 settings switch on IGMP.
The above settings allow both YouView boxes to use on demand content and different streaming channels simultaneously, as well as giving the full features of the R6300 such as AC1750 wireless, network printing, and DLNA
[wigglr's post]
TP-Link AC1750
Router has been reported to work.
[zarf2007's post]
TP-Link Archer C7
Router has been reported to work.
[HappySlayerUK's post]
TP-Link TL-WR1043ND
No configuration needed, plug and play.
[walkerx's post]
TP-Link WDR4300 N750
Router has been reported to work.
[aseymour's post]
TP-Link TL-WDR4900 N900
Router has been reported to work, plug and play.
[cactusbob's post]
TP-Link routers in general
How to configure Multicast on TP-Link routers (from the TP-Link website).
One of our posters also found the following:
He found that your router must be able to do the following for Multicast:
For an end user connected via Openreach GEA (FTTC and FTTH)
• The Residential Gateway will support:
– IPoE for multicast traffic and PPPoE for BB traffic;
– VLAN tag ID of 0 or no VLAN tag ID for multicast and BB traffic;
– Fork IGMP requests up multicast and BB paths.
For an end user connected to an MSAN (WBC copper)
• The Residential Gateway will support:
– A dual VC architecture;
– Accept TV Connect multicast traffic on ATM VP/VC 0/35 with IPoE and broadband traffic on ATM VP/VC 0/38 with PPPoE;
– Fork IGMP requests up multicast and broadband paths.
IGMP should be v3 and the multicast addresses will be in the range 225.0.0.0 to 239.255.255.255.
[walkerx's post]
List of routers that do not appear to work:
Draytek 2750n
Linksys EA4500
linksys EA6300
Netgear AC6300
[From Red_Snow's post]
If you use a router that’s not listed here, do a search on the YouView from BT board to see if advice has been posted elsewhere. If it hasn’t, do post your question.
Thanks,
Stephanie
Stephanie
BTCare Community Manager
If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post. If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.
Thanks for confirming that quails.
Cheers
David
BTCare Community Mod
If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
We are sorry but we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-) -
Link outage in Etherchannel causes interface down and failover Secondary Faild
Hi,
I have configured a port-channel between a Firewall ASA5515-X and a stacked WS-3750X switch. The firewall is also configured in failover mode. The problem is that the switch port connected to my active firewall shows green and is working, but the switch port connected to the standby firewall shows orange. When I run the show failover command on the firewall, the secondary is failed. Please assist. Here is the show command output below.
mdbl-int-fw-01# sho port-channel 10
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
mdbl-int-fw-01# sho interface port-channel 10
Interface Port-channel10 "inside", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: *** Connected to CORE-SW ***
MAC address 4c00.821d.511f, MTU 1500
IP address 10.98.8.97, subnet mask 255.255.255.248
Traffic Statistics for "inside":
56859 packets input, 3419130 bytes
148709 packets output, 16063580 bytes
56858 packets dropped
1 minute input rate 0 pkts/sec, 46 bytes/sec
1 minute output rate 2 pkts/sec, 216 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 46 bytes/sec
5 minute output rate 2 pkts/sec, 216 bytes/sec
5 minute drop rate, 0 pkts/sec
Members in this channel:
Active: Gi0/1 Gi0/2
mdbl-int-fw-01# sho port
mdbl-int-fw-01# sho port-channel sum
mdbl-int-fw-01# sho port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
10 Po10(U) LACP Gi0/1(P) Gi0/2(P)
mdbl-int-fw-01#
mdbl-int-fw-01# sho port-channel ?
<1-48> Channel group number
brief Brief information
detail Detail information
port Port information
protocol protocol enabled
summary One-line summary per channel-group
| Output modifiers
<cr>
mdbl-int-fw-01# sho port-channel bri
mdbl-int-fw-01# sho port-channel brief
Channel-group listing:
Group: 10
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
mdbl-int-fw-01# sho port-channel ?
<1-48> Channel group number
brief Brief information
detail Detail information
port Port information
protocol protocol enabled
summary One-line summary per channel-group
| Output modifiers
<cr>
mdbl-int-fw-01# sho port-channel pro
mdbl-int-fw-01# sho port-channel protocol
Channel-group listing:
Group: 10
Protocol: LACP
mdbl-int-fw-01# sho port-channel ?
<1-48> Channel group number
brief Brief information
detail Detail information
port Port information
protocol protocol enabled
summary One-line summary per channel-group
| Output modifiers
<cr>
mdbl-int-fw-01# sho port-channel det
mdbl-int-fw-01# sho port-channel detail
Channel-group listing:
Group: 10
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
Port: Gi0/1
Port state = bndl
Channel group = 10 Mode = LACP/ active
Port-channel = Po10
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi0/1 SA bndl 32768 0xa 0xa 0x2 0x3d
Partner's information:
Partner Partner LACP Partner Partner Partner Partner Partner
Port Flags State Port Priority Admin Key Oper Key Port Number Port State
Gi0/1 SA bndl 32768 0x0 0xa 0x118 0x3d
Port: Gi0/2
Port state = bndl
Channel group = 10 Mode = LACP/ active
Port-channel = Po10
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi0/2 SA bndl 32768 0xa 0xa 0x3 0x3d
Partner's information:
Partner Partner LACP Partner Partner Partner Partner Partner
Port Flags State Port Priority Admin Key Oper Key Port Number Port State
Gi0/2 SA bndl 32768 0x0 0xa 0x119 0x3d
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01# sho port-channel ?
<1-48> Channel group number
brief Brief information
detail Detail information
port Port information
protocol protocol enabled
summary One-line summary per channel-group
| Output modifiers
<cr>
mdbl-int-fw-01# sho fail
mdbl-int-fw-01# sho failover st
mdbl-int-fw-01# sho failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Ifc Failure 22:03:03 UTC Jan 8 2014
outside: No Link
dmz: No Link
mgt: No Link
inside: No Link
====Configuration State===
Sync Done
====Communication State===
Mac set
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01# sho failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1)2, Mate 8.6(1)2
Last Failover at: 02:16:48 UTC Jan 8 2014
This host: Primary - Active
Active time: 74479 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
Interface outside (118.179.139.4): No Link (Waiting)
Interface dmz (10.98.56.3): No Link (Waiting)
Interface mgt (10.10.11.1): Unknown (Waiting)
Interface inside (10.98.8.97): Normal (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
Interface outside (118.179.139.6): No Link (Waiting)
Interface dmz (10.98.56.2): No Link (Waiting)
Interface mgt (0.0.0.0): No Link (Waiting)
Interface inside (10.98.8.98): No Link (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 12665 0 9929 0
sys cmd 9929 0 9929 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2735 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 9930
Xmit Q: 0 30 99581
mdbl-int-fw-01#
mdbl-int-fw-01#
mdbl-int-fw-01# sho failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Ifc Failure 22:03:03 UTC Jan 8 2014
outside: No Link
dmz: No Link
mgt: No Link
inside: No Link
====Configuration State===
Sync Done
====Communication State===
Mac set
mdbl-int-fw-01# sho failover ?
descriptor Show failover interface descriptors. Two numbers are shown for
each interface. When exchanging information regarding a
particular interface, this unit uses the first number in messages
it sends to its peer. And it expects the second number in
messages it receives from its peer. For trouble shooting, collect
the show output from both units and verify that the numbers
match.
exec Show failover command execution information
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
mdbl-int-fw-01# sho failover inter
mdbl-int-fw-01# sho failover interface
interface failover GigabitEthernet0/3
System IP Address: 10.98.8.89 255.255.255.248
My IP Address : 10.98.8.89
Other IP Address : 10.98.8.90
mdbl-int-fw-01# sho failover stati
mdbl-int-fw-01# sho failover statistics
tx:995725
rx:980617
mdbl-int-fw-01# sho failover hi
mdbl-int-fw-01# sho failover history
==========================================================================
From State To State Reason
==========================================================================
02:16:40 UTC Jan 8 2014
Not Detected Negotiation No Error
02:16:48 UTC Jan 8 2014
Negotiation Just Active No Active unit found
02:16:48 UTC Jan 8 2014
Just Active Active Drain No Active unit found
02:16:48 UTC Jan 8 2014
Active Drain Active Applying Config No Active unit found
02:16:48 UTC Jan 8 2014
Active Applying Config Active Config Applied No Active unit found
02:16:48 UTC Jan 8 2014
Active Config Applied Active No Active unit found
==========================================================================
mdbl-int-fw-01# sho failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1)2, Mate 8.6(1)2
Last Failover at: 02:16:48 UTC Jan 8 2014
This host: Primary - Active
Active time: 74554 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
Interface outside (118.179.139.4): No Link (Waiting)
Interface dmz (10.98.56.3): No Link (Waiting)
Interface mgt (10.10.11.1): Unknown (Waiting)
Interface inside (10.98.8.97): Normal (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5515 hw/sw rev (1.0/8.6(1)2) status (Up Sys)
Interface outside (118.179.139.6): No Link (Waiting)
Interface dmz (10.98.56.2): No Link (Waiting)
Interface mgt (0.0.0.0): No Link (Waiting)
Interface inside (10.98.8.98): No Link (Waiting)
slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
IPS, 7.1(4)E4, Up
Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 12676 0 9938 0
sys cmd 9938 0 9938 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2737 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 9940
Xmit Q: 0 30 99677
Hi Ganesan,
I am proposing a design like this. You can have the STP in PVST mode and have a different priority set for the core switch to make core A the root bridge. There is nothing wrong with your design; you have made your core switch, which will be physically below your firewall... but in reality it comes on top of your firewall as well... But the spanning-tree config should be done properly to achieve this... I have proposed my design which is pretty simple but easy to troubleshoot....
You can have your firewalls connected to the core switch below and directly connected to the router on the outside... core A --> primary FW --> router A will always be the primary path... if anything goes wrong then the secondary line will come into the picture....
Make sure that your HSRP will have high priority for your core A VLAN config for the access switches.....
Please do rate for the helpful posts.
By
Karthik
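A small parser for the `show failover` output pasted above, added here as an example (it is not the poster's or Cisco's code). The sample text is a constructed excerpt in the same layout as the post's output, and the diagnosis rules are this example's own reading of the interface states, not a Cisco API.

```python
"""Parse ASA `show failover` output and flag the conditions that put the
standby unit into the Failed state.  Added example, not from the post."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the post's `show failover` output.
SAMPLE = """\
This host: Primary - Active
    Active time: 74479 (sec)
    Interface outside (118.179.139.4): No Link (Waiting)
    Interface dmz (10.98.56.3): No Link (Waiting)
    Interface mgt (10.10.11.1): Unknown (Waiting)
    Interface inside (10.98.8.97): Normal (Waiting)
Other host: Secondary - Failed
    Active time: 0 (sec)
    Interface outside (118.179.139.6): No Link (Waiting)
    Interface dmz (10.98.56.2): No Link (Waiting)
    Interface mgt (0.0.0.0): No Link (Waiting)
    Interface inside (10.98.8.98): No Link (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((\w+)\)")

Iface = Tuple[str, str, str]  # (ip, link status, monitoring status)


def parse_failover(text: str) -> Dict[str, dict]:
    """Return {unit: {"state": ..., "interfaces": {name: Iface}}}."""
    units: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)  # Primary / Secondary
            units[current] = {"state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, status, monitor = m.groups()
            units[current]["interfaces"][name] = (ip, status, monitor)
    return units


def diagnose(units: Dict[str, dict]) -> List[str]:
    """Heuristic findings (this example's own rules, not Cisco's)."""
    findings = []
    for unit, info in units.items():
        ifaces = info["interfaces"]
        down = [n for n, (_, st, _) in ifaces.items() if st == "No Link"]
        if info["state"] == "Failed":
            findings.append(f"{unit} is Failed; {len(down)}/{len(ifaces)} "
                            f"monitored interfaces report No Link: {', '.join(down)}")
        if ifaces and len(down) == len(ifaces):
            # Every monitored link down points at cabling/switch ports for
            # that unit rather than at one interface or the failover config.
            findings.append(f"{unit}: all monitored interfaces have No Link; "
                            "check physical connectivity to this unit")
        unset = [n for n, (ip, _, _) in ifaces.items() if ip == "0.0.0.0"]
        if unset:
            findings.append(f"{unit}: no standby address shown on {', '.join(unset)}")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_failover(SAMPLE)):
        print(f)
```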