VPN issues CISCO RV100W
Hi there, I have an issue with VPN and a Cisco RV100W. The router is configured well, and computers and an iPhone can connect with PPTP. The problem appears when we map a NAS drive from a computer or move data (1-4 Mb). The connection seems to go down: the speed is very slow and the connection drops.
Is it from the router, or from the Internet provider?
More data: if I connect to the HTTP interface of the router/NAS, all goes fine. Only when we need data from the NAS (drive mapped by Windows: copy, open files, ...) is the connection very slow and drops.
I saw this in the logs of the router:
1   2012-12-21 5:33:38 PM   err  pptpd[2280]: CTRL: CTRL read failed
2   2012-12-21 5:33:38 PM   err  pptpd[2280]: CTRL: couldn't read packet header (exit)
3   2012-12-21 5:33:38 PM   err  pptpd[2280]: CTRL: EOF or bad error reading ctrl packet length.
4   2012-12-21 5:29:07 PM   err  pptpd[2019]: CTRL: CTRL read failed
5   2012-12-21 5:29:07 PM   err  pptpd[2019]: CTRL: couldn't read packet header (exit)
6   2012-12-21 5:29:07 PM   err  pptpd[2019]: CTRL: EOF or bad error reading ctrl packet length.
7   2012-12-21 5:24:43 PM   err  pptpd[1643]: CTRL: CTRL read failed
8   2012-12-21 5:24:43 PM   err  pptpd[1643]: CTRL: couldn't read packet header (exit)
9   2012-12-21 5:24:43 PM   err  pptpd[1643]: CTRL: EOF or bad error reading ctrl packet length.
10  2012-12-21 5:24:22 PM   err  pptpd[1331]: CTRL: CTRL read failed
11  2012-12-21 5:24:22 PM   err  pptpd[1331]: CTRL: couldn't read packet header (exit)
12  2012-12-21 5:24:22 PM   err  pptpd[1331]: CTRL: EOF or bad error reading ctrl packet length.
13  2012-12-21 5:17:56 PM   err  pptpd[1031]: CTRL: CTRL read failed
14  2012-12-21 5:17:56 PM   err  pptpd[1031]: CTRL: couldn't read packet header (exit)
15  2012-12-21 5:17:56 PM   err  pptpd[1031]: CTRL: EOF or bad error reading ctrl packet length.
16  2012-12-21 12:49:51 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
17  2012-12-21 12:49:35 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
18  2012-12-21 12:49:27 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
19  2012-12-21 12:49:23 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
20  2012-12-21 12:49:21 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
21  2012-12-21 12:49:20 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
22  2012-12-21 12:44:50 AM  err  mDNSResponder: ERROR: getOptRdata - unknown opt 4
Good morning
Thanks for using our forum
Hi Edu, make sure to be on the latest firmware. The latest release is 1.1.0.9; you can download it from cisco.com:
http://software.cisco.com/download/release.html?mdfid=283879340&softwareid=282487380&release=1.1.0.9&relind=AVAILABLE&rellifecycle=&reltype=latest
Happy holidays !!!!
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
Similar Messages
-
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job. Please see the attachment for the scenario, configuration and ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. I need your help to solve the issue.
Below are the IP addresses of the devices.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to remote routers 1 and 2.
Through the Cisco remote VPN client, I can get connected to the VPN router R1 (please see the VPN client picture), but I cannot ping the network 192.168.1.0.
I need your help to fix the problem.
Router R2 Configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
 ip address 20.20.20.2 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
end
Router R1 Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group remotevpn
 key cisco123
 dns 192.168.1.2
 wins 192.168.1.2
 domain mycompany.com
 pool vpnpool
 acl VPN-ACL
crypto isakmp profile remoteclients
 description remote access vpn clients
 keyring vpnclientskey
 match identity group remotevpn
 client authentication list USERAUTH
 isakmp authorization list NETAUTHORIZE
 client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
 set transform-set TRSET
 set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNMAP
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job.
Please see the attachment for the scenario, configuration and ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. I need your help to solve the issue.
Waiting for your response.
--Milon -
Hi, I'm trying to create a site-to-site VPN between a Cisco ASA 5505 and a Cisco 3945 router.
I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
Please help me find where the issue is.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0:
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
 mode transport
crypto map static-map 1 ipsec-isakmp
 set peer S2.S2.S2.S2
 set transform-set AES-SET
 set pfs group2
 match address 100
interface GigabitEthernet0/0
 ip address S1.S1.S1.S1 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map static-map
interface GigabitEthernet0/1
 ip address 192.168.17.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
 switchport access vlan 2
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.83.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
 subnet 192.168.83.0 255.255.255.0
object network datacenter
 host S1.S1.S1.S1
object network datacenter-network
 subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
 subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
 vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
 default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
 ikev1 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end
Thanks for helping me again. I really appreciate it.
I don't have any NAT exemptions on the Cisco IOS router. I will change the transform-set soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT exemptions are the issue. Can you advise me which exemptions should be on the Cisco IOS router?
Because on the Cisco ASA I guess I have everything.
Here is show crypto session detail:
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
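The poster above asks which NAT exemptions the IOS router needs. On IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so the ACL behind `ip nat inside source list` has to deny the VPN flow ahead of any permit, as the NAT-ACL in the R1 remote-access config earlier on this page does. The check below is an added example, not code from the thread or from Cisco; the `ip nat inside source list` rule in SITE_TO_SITE is hypothetical, because the thread does not show the router's NAT statement.

```python
import ipaddress
import re

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair -> ip_network (contiguous wildcards only)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits.bit_length()}", strict=False)

def take_endpoint(tokens):
    """Consume one source or destination spec from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(head, tokens.pop(0))

def parse_acls(config):
    """Return {acl_name: [(action, src, dst), ...]} for 'permit|deny ip' entries."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        named = re.match(r"ip access-list extended (\S+)$", line)
        numbered = re.match(r"access-list (\d+) (.+)$", line)
        if named:
            current = named.group(1)
            acls.setdefault(current, [])
            continue
        if numbered:
            name, rest = numbered.group(1), numbered.group(2)
        elif current and re.match(r"(permit|deny) ", line):
            name, rest = current, line
        else:
            current = None
            continue
        tokens = rest.split()
        if len(tokens) < 4 or tokens[1] != "ip":
            continue
        action = tokens.pop(0)
        tokens.pop(0)  # the 'ip' protocol keyword
        src = take_endpoint(tokens)
        dst = take_endpoint(tokens)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def first_match(entries, src, dst):
    """Action of the first ACL entry touching the flow; 'partial-' if it covers only part."""
    for action, e_src, e_dst in entries:
        if src.overlaps(e_src) and dst.overlaps(e_dst):
            whole = src.subnet_of(e_src) and dst.subnet_of(e_dst)
            return action if whole else "partial-" + action
    return "no-match"  # implicit deny: the flow is never translated

def nat_exemption_findings(config):
    """List VPN flows that the NAT ACL would translate before encryption."""
    acls = parse_acls(config)
    nat_lists = re.findall(r"^\s*ip nat inside source list (\S+)", config, re.M)
    vpn_lists = re.findall(r"^\s*(?:match address|acl) (\S+)", config, re.M)
    findings = []
    for vpn in vpn_lists:
        for action, src, dst in acls.get(vpn, []):
            if action != "permit":
                continue
            for nat in nat_lists:
                verdict = first_match(acls.get(nat, []), src, dst)
                if verdict not in ("deny", "no-match"):
                    findings.append((nat, str(src), str(dst), verdict))
    return findings

# Excerpt of the R1 remote-access config posted earlier on this page.
REMOTE_ACCESS = """
crypto isakmp client configuration group remotevpn
 acl VPN-ACL
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

# Constructed: crypto map and access-list 100 are from the thread; the NAT
# rule and its ACL are hypothetical (the thread does not show them).
SITE_TO_SITE = """
crypto map static-map 1 ipsec-isakmp
 match address 100
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
ip access-list extended NAT-ACL
 permit ip 192.168.17.0 0.0.0.255 any
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("remote-access", REMOTE_ACCESS), ("site-to-site", SITE_TO_SITE)):
        print(label, nat_exemption_findings(cfg) or "VPN flows are exempt from NAT")
```

A finding of `permit` means the flow is translated to the outside interface address first and therefore no longer matches the crypto ACL.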
Any ideas how to better troubleshoot VPN issue?
Hi,
I've recently upgraded my WLAN router to a brand new AVM FRITZ!Box WLAN 7390, in part for its VPN capabilities.
So far, I've been unable to create a working connection.
AVM's VPN is based on Cisco IPSec, and they provide a step-by-step procedure on how to configure a Mac-based VPN connection (http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/16206.php - unfortunately only available in German, sorry). Following it, I still can't get it to work. Contacting their support, I first got the same procedure and, after pointing out I had already followed it, a "we don't support other vendors".
Funny enough, I got a second VPN connection to my work's VPN server just fine, though admittedly there we have a true Cisco box.
My initial setup was based on a 192.x.x.x net on my AVM; I could establish a VPN connection but couldn't ping/ssh/http/you-name-the-protocol in either direction. Our company's net is a 10.x.x.x net, and as I also have VMware Fusion running on my Mac with DHCP enabled on a different 192.x.x.x net, plus a third 192.x.x.x net from my Wifi access, I decided to reconfigure my AVM net to a 172.x.x.x net and stop VMware services for the tests (i.e. simplify as much as I could to help troubleshoot).
Alas, instead of being able to establish a non-working VPN connection, now I ain't able to get the tunnel up. IKE Phase 1 completes but Phase 2 doesn't.
Here's the relevant section from kernel.log:
Dec 30 11:47:57 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 11:47:57 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 11:47:57 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec connecting to server 77.x.x.x
Dec 30 11:47:57 jupiter racoon[1910]: Connecting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec Phase1 started (Initiated by me).
Dec 30 11:47:57 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Phase1 established (Initiated by me).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Extended Authentication requested.
Dec 30 11:47:58 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 11:48:01 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 11:48:01 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:01 jupiter racoon[1910]: IPSec Extended Authentication sent.
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Extended Authentication Passed.
Dec 30 11:48:02 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Network Configuration requested.
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (MODE-Config).
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.77.7.14.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.77.7.14/32.
Dec 30 11:48:03 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase1 established.
Dec 30 11:48:03 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.77.7.14, subnet: 255.255.255.255, destination: 172.77.7.14).
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Phase2 started (Initiated by me).
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 11:48:03 jupiter configd[16]: network configuration changed.
Dec 30 11:48:03 jupiter configd[16]: IPSec port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: ac4d070e, Protocol: None, Private Port: 0, Public Port: 0
Dec 30 11:48:03 jupiter configd[16]:
Dec 30 11:48:03 jupiter configd[16]: setting hostname to "jupiter.local"
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:06 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:07 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:12 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:13 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:24 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:25 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:33 jupiter configd[16]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:48:33 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: service_ending_verify_primaryservice, waiting for PrimaryService. status = 1
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: network configuration changed.
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: ipv4_state_changed, done waiting for ServiceID.
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: setting hostname to "jupiter"
When connecting to my work-place it looks like:
Dec 30 12:33:14 jupiter configd[16]: IPSec connecting to server <mycompanyismybusiness>.ch
Dec 30 12:33:14 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 12:33:14 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec connecting to server 62.x.x.x
Dec 30 12:33:14 jupiter racoon[1976]: Connecting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 started (Initiated by me).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 established (Initiated by me).
Dec 30 12:33:15 jupiter racoon[1976]: IPSec Extended Authentication requested.
Dec 30 12:33:15 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 12:33:21 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication sent.
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication Passed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration requested.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (MODE-Config).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.100.1.18.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 10.100.1.129.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: DEF-DOMAIN = iw.local.
Dec 30 12:33:21 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 12:33:21 jupiter configd[16]: installed route: (address 10.100.1.0, gateway 10.100.1.18)
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 started (Initiated by me).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase1 established.
Dec 30 12:33:21 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 10.100.1.18, subnet: 255.255.255.0, destination: 10.100.1.18).
Dec 30 12:33:21 jupiter configd[16]: network configuration changed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 established (Initiated by me).
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 established.
An earlier test in a Starbucks around here had the same result; while looking at the netstat -nr output I found I got onto a 10.x.x.x net on the Wifi and could still connect to the (different) 10.x.x.x net at work.
My TCP/IP Networking course was around 2000, but the default route seen in the non-working log section looks like bullsh*t to me anyhow: DEFAULT-ROUTE = local-address 172.77.7.14/32
On the other hand, the Phase 2 messages seem to indicate a different mode for Phase 2 between the working and the non-working one.
This is from the exported config of my AVM box:
**** CFGFILE:vpn.cfg
* /var/flash/vpn.cfg
* Wed Dec 28 16:01:09 2011
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_user;
                name = "[email protected]";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 172.77.7.14;
                remoteid {
                        key_id = "<mykeyismybusiness>";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "<mykeyismybusiness>";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = yes;
                xauth {
                        valid = yes;
                        username = "<myuserismybusiness>";
                        passwd = "<mypasswordismybusiness>";
                }
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 0.0.0.0;
                                mask = 0.0.0.0;
                        }
                }
                phase2remoteid {
                        ipaddr = 172.22.7.14;
                }
                phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                accesslist =
                        "permit ip 172.22.7.0 255.255.255.240 172.22.7.14 255.255.255.255";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
**** END OF FILE ****
I also noticed an extra "IPSec port-mapping update for en1 ignored" message in the non-working log section, but I'm not sure a) how significant that might be, and b) how to find out what the ignored update might have been to decide whether not ignoring it would help.
A quick test with the AnyConnect Client from Cisco didn't help either; apparently it establishes an https connection first, as I got a window with certificate details from my QNAP behind the AVM Box (I got a port forward for https to it).
So I'm looking for any ideas how to better troubleshoot this VPN issue...
Many thanks in advance!
BR,
Alex
OK, found a small typo in my config (had at one point a 172.77.7.14 instead of the 172.22.7.14); now I can also connect from the 172.x.x.x net, but still no ping etc. The relevant section of the log now looks like this:
Dec 30 16:44:27 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 16:44:27 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 16:44:28 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec connecting to server 77.x.x.x
Dec 30 16:44:28 jupiter racoon[2183]: Connecting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Extended Authentication requested.
Dec 30 16:44:28 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 16:44:31 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 16:44:31 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:31 jupiter racoon[2183]: IPSec Extended Authentication sent.
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Extended Authentication Passed.
Dec 30 16:44:32 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Network Configuration requested.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (MODE-Config).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 started (Initiated by me).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase1 established.
Dec 30 16:44:33 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.22.7.14, subnet: 255.255.255.255, destination: 172.22.7.14).
Dec 30 16:44:33 jupiter configd[16]: network configuration changed.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 16:44:33 jupiter racoon[2183]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 established.
Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:03 jupiter configd[16]: setting hostname to "jupiter.local"
followed by lots of:
Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:29 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:29 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:50 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:50 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: receive success. (Information message). -
Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note: For authentication I am using the Device ID & pre-shared key. I am worried as all user traffic goes with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue can be?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
keyring ISR_Keyring
self-identity user-fqdn [email protected]
match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload
How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post. -
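The question raised in the reply can be checked against the posted ACLs. The following is an added example, not part of the original thread: it evaluates list 103 (NAT) and list 101 (crypto map) in the order IOS applies them to inside-to-outside traffic, NAT first and the crypto map check second. The `Packet` class, the `egress` function, the probe addresses and the `NO_PAT_FOR_WEB` variant are constructed for illustration, and the `route-map nonat` statement is not modelled because its definition is not in the post.

```python
import ipaddress
from dataclasses import dataclass, replace

# ACLs exactly as posted; the packets evaluated against them are constructed.
POSTED_ACLS = """\
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
"""
# Constructed variant for comparison only: web traffic exempted from PAT.
NO_PAT_FOR_WEB = ("access-list 103 deny tcp 192.168.8.0 0.0.3.255 any eq www\n"
                  + POSTED_ACLS)
PAT_ADDRESS = "216.222.208.101"  # FastEthernet0/1 address in the post
PORT_NAMES = {"www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _take_addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(word)),
            int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acls(text):
    """Return {acl_number: [rule, ...]} for numbered extended ACL lines."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(number, []).append(
            (action, proto, src, dst, dport, line.strip()))
    return acls


def _addr_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def first_match(rules, pkt):
    """First matching line wins; an implicit deny ends every ACL."""
    for action, proto, src, dst, dport, text in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if _addr_match(pkt.src, src) and _addr_match(pkt.dst, dst):
            return action, text
    return "deny", "(implicit deny)"


def egress(acls, pkt, nat_list="103", crypto_list="101"):
    """Apply PAT (list 103) first, then test the result against list 101."""
    nat_action, nat_rule = first_match(acls[nat_list], pkt)
    on_wire = replace(pkt, src=PAT_ADDRESS) if nat_action == "permit" else pkt
    crypto_action, crypto_rule = first_match(acls[crypto_list], on_wire)
    return {"translated": nat_action == "permit", "src_on_wire": on_wire.src,
            "tunnel": crypto_action == "permit",
            "nat_rule": nat_rule, "crypto_rule": crypto_rule}


if __name__ == "__main__":
    web = Packet("tcp", "192.168.9.20", "203.0.113.10", 80)  # constructed
    for label, text in (("posted", POSTED_ACLS), ("variant", NO_PAT_FOR_WEB)):
        print(label, egress(parse_acls(text), web))
```

With the posted lists, an HTTP packet leaves with source 216.222.208.101 and no longer matches list 101, which is written against 192.168.8.0 0.0.3.255. Whether the crypto ACL or the NAT list should change depends on which source address Websense expects, as the reply asks.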
Lion successfully installed. Now unable to get on VPN using Cisco; error 51 constantly appears. Should have stayed on Snow Leopard!
Try opening a terminal window (Applications >> Utilities). At the prompt, enter:
>sudo SystemStarter restart CiscoVPN
This will ask you for the admin password and it will restart the Cisco client service. That should fix it. This seems to be a known issue that will eventually be solved with some updates.
DB -
Azure Site to Site VPN with Cisco ASA 5505
I have a Cisco ASA 5505 device (version 9.0(2)), and I cannot connect S2S with Azure (the Azure network is always in the "connecting" state). In my Cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all the Cisco S2S configuration with the standard wizard, because it seems your script is for the 8.x version of ASA only?
(Does Azure support the 9.x version of ASA?)
How can I fix it?
Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the Cisco ASA template, it should be similar to this:
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>
Based on my experience, to establish IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal -
Hello, I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your help
Yes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with Windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read Release Notes before. Thank you very much for your help and effort. -
Remote Access VPN on Cisco ASA Problem
Hi, I configured remote access VPN on a Cisco ASA 8.x as per the configuration below.
The problem is that my Internet has stopped working, and the default route is just showing stars.
I can ping the internal server 10.110.10.150 fine, which I allowed in the VPN ACL, but my other traffic is not going to the regular Internet from my laptop.
What additional configuration is required to force my Internet traffic to go to the regular Internet instead of getting encrypted?
Also attaching the output of route print at the point when the VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276 -
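The route table in this post can be read mechanically to see which adapter each destination leaves by. The following is an added example, not part of the original post: it parses the posted `route print` rows and picks the winning route by longest prefix, then lowest metric. The probe addresses 203.0.113.10 and 10.111.36.20 are constructed, and the VPN adapter is identified by its address falling inside the posted RA_VPN_POOL range.

```python
import ipaddress

# Rows copied from the post's "route print" output.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276
"""
# Range from "ip local pool RA_VPN_POOL" in the post.
VPN_POOL = ("10.1.200.100", "10.1.200.150")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_routes(text):
    """Turn five-column route rows into dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, metric = _ip(parts[0]), _ip(parts[1]), int(parts[4])
        except ValueError:
            continue  # not a route row (for example the column header)
        routes.append({"dest": dest, "mask": mask, "gateway": parts[2],
                       "iface": parts[3], "metric": metric,
                       "prefixlen": bin(mask).count("1")})
    return routes


def best_route(routes, dst):
    """Longest prefix wins; ties are broken by the lowest metric."""
    d = _ip(dst)
    candidates = [r for r in routes
                  if (d & r["mask"]) == (r["dest"] & r["mask"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["prefixlen"], r["metric"]))


def in_pool(addr, pool=VPN_POOL):
    return _ip(pool[0]) <= _ip(addr) <= _ip(pool[1])


def path_for(routes, dst):
    """Report whether dst leaves by the VPN adapter or a local one."""
    route = best_route(routes, dst)
    if route is None:
        return "unroutable"
    return "vpn" if in_pool(route["iface"]) else "local"


def default_via_vpn(routes):
    """True when the preferred 0.0.0.0/0 route is bound to the VPN adapter."""
    defaults = [r for r in routes if r["prefixlen"] == 0]
    if not defaults:
        return False
    return in_pool(min(defaults, key=lambda r: r["metric"])["iface"])


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for probe in ("10.110.10.150", "203.0.113.10", "10.111.36.20"):
        print(probe, path_for(table, probe))
    print("default route via VPN adapter:", default_via_vpn(table))
```

On the posted table the metric 20 default route on 10.1.200.100 beats the metric 276 route through 10.111.36.1, so Internet-bound traffic is sent into the VPN adapter even though a host route for 10.110.10.150 is also present.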
Dear All,
I have configured remote access VPN without using split tunnel. Everything is working fine. I can access all the inside networks which are allowed in the ACL.
I am facing a strange issue now. I have created a pool for remote access VPN with the range 192.168.5.8/29. I can access my internal subnets 10.10.0.0/16.
I have the below access-list for acl-in.
access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
object-group network vpnclients
network-object host 10.110.100.26
network-object host 10.106.100.15
network-object host 10.10.10.6
network-object host 10.10.20.82
network-object host 10.110.100.48
network-object host 10.10.20.53
network-object host 10.10.20.54
network-object host 10.60.100.1
network-object host 10.10.10.75
network-object host 10.10.20.100
network-object host 10.10.130.136
network-object host 10.106.100.16
network-object host 10.106.100.9
network-object host 10.170.100.1
network-object host 10.170.100.2
network-object host 10.170.100.21
network-object host 10.101.100.20
network-object host 10.170.100.25
So whichever IPs I have listed in the vpnclient group are accessible via RA VPN. The issue is that when I try to access the internal network 192.168.198.0/24, I am able to access it without adding it to the vpnclient group. It is the same even for 192.168.197.0/24, 192.168.197.0/24. But for 10.10.0.0/16 we can access hosts only after adding them to the vpnclient group. Has anyone faced this issue before? Is this because of the same network, I mean 192.168.0.0, something like that? There is no other statement in acl-in for 192.168.0.0.
Regards
-Danesh Ahammad
Hi,
If I read correctly, you made the RA VPN "without" split tunnel, correct? If that is the case, all of the traffic will traverse the VPN connection (tunnel all); the access-list "acl-in" is of no use to it.
Try converting it to use split tunnel; I am sure that way you cannot access resources that are not mentioned in the list.
~Harry -
%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510
Hi Friends,
I'm trying to build a client-to-site VPN on a Cisco ASA 5510 8.4(4) and am getting the error below while connecting with the Cisco VPN client software. I'm also getting the log below on the ASA. Please help me resolve it.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#
Thanks Javier.
But I have revised the VPN configuration. Below are the latest configs. With these latest configs, I'm getting the username and password screen while connecting with the Cisco VPN client software. Once we enter the login credentials, it shows "security communication channel" and then it goes to the "not connected" state. Can you help me fix this?
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600
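A referential check over the crypto lines of the revised config posted above, added here as an example (not part of the original thread and not Cisco tooling). An ASA only uses a crypto map that is applied to an interface with `crypto map NAME interface IF`, so the check reports maps that have entries but no binding, bound maps without entries, and references to names that are never defined. The function names and finding codes are hypothetical, and the second sample is constructed.

```python
import re

# Crypto lines from the revised config in the post above, copied as posted.
POSTED_EXCERPT = """\
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
"""

# Constructed variant (not from the post): the dynamic entry sits in the
# crypto map that is actually applied to the interface.
CONSTRUCTED_VARIANT = POSTED_EXCERPT.replace("crypto map Outside_Map 500",
                                             "crypto map vpn 500")

PATTERNS = {
    "ts_def":  re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) "),
    "dyn_ts":  re.compile(r"^crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$"),
    "map_if":  re.compile(r"^crypto map (\S+) interface (\S+)$"),
    "map_dyn": re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$"),
    "map_acl": re.compile(r"^crypto map (\S+) \d+ match address (\S+)$"),
    "map_ts":  re.compile(r"^crypto map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$"),
    "acl_def": re.compile(r"^access-list (\S+) "),
}


def parse_crypto(config):
    """Index what the config defines and which names each crypto line references."""
    idx = {"ts": set(), "acl": set(), "dyn": set(),
           "bound": {}, "entries": set(), "refs": []}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise spacing
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            name = m.group(1)
            if kind == "ts_def":
                idx["ts"].add(name)
            elif kind == "acl_def":
                idx["acl"].add(name)
            elif kind == "map_if":
                idx["bound"][name] = m.group(2)
            elif kind == "dyn_ts":
                idx["dyn"].add(name)
                idx["refs"] += [("ts", ts, name) for ts in m.group(2).split()]
            elif kind == "map_dyn":
                idx["entries"].add(name)
                idx["refs"].append(("dyn", m.group(2), name))
            elif kind == "map_acl":
                idx["entries"].add(name)
                idx["refs"].append(("acl", m.group(2), name))
            else:  # map_ts
                idx["entries"].add(name)
                idx["refs"] += [("ts", ts, name) for ts in m.group(2).split()]
            break
    return idx


def audit(config):
    """Return (code, detail) findings for crypto maps that cannot take effect."""
    idx = parse_crypto(config)
    findings = []
    # Entries exist, but the map is never applied to an interface.
    for name in sorted(idx["entries"] - set(idx["bound"])):
        findings.append(("UNBOUND_MAP", name))
    # The map is applied to an interface, but no entry is defined under that name.
    for name in sorted(set(idx["bound"]) - idx["entries"]):
        findings.append(("BOUND_MAP_HAS_NO_ENTRIES", name))
    # Transform sets, dynamic maps and ACLs that are referenced but not defined.
    defined = {"ts": idx["ts"], "acl": idx["acl"], "dyn": idx["dyn"]}
    for kind, ref, owner in idx["refs"]:
        if ref not in defined[kind]:
            findings.append(("UNDEFINED_" + kind.upper(), f"{owner} -> {ref}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(POSTED_EXCERPT):
        print(code, detail)
```

Run it over a complete `show running-config` rather than an excerpt, because definitions that live elsewhere in the file are otherwise reported as missing.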
SAPGUI Java 7.20 Rev 6 download and VPN issue
Dear SAP friends please help.
We are trying to connect to SAP via a Mac running Lion and a VPN with SAPGUI for Java Rev 5. We get the logon successfully but never get further than the licence message. We have updated to the latest Java and also tried it in 32-bit mode. We are unable to download the latest Rev 6 (due to my user authorisation) but we still think this is a VPN issue. Can you please help? I enclose the trace which shows the point at which it stops.
Many thanks
Andrew
16.11. 17:36:05.118 CALL: <CONTROL SHELLID="101">
16.11. 17:36:05.118 CALL: <PROPERTY VALUE="0" NAME="120"/>
16.11. 17:36:05.118 CALL: <PROPERTY VALUE="0" NAME="300"/>
16.11. 17:36:05.118 CALL: </CONTROL>
16.11. 17:36:05.118 CALL: </CONTROLS>
16.11. 17:36:05.118 CALL: <COPY id="copy">
16.11. 17:36:05.118 CALL: <GUI id="gui">
16.11. 17:36:05.118 CALL: <METRICS id="metrics" X3="1440" X2="7" X1="7" X0="283" Y3="900" Y2="20" Y1="12" Y0="283"/>
16.11. 17:36:05.118 CALL: </GUI>
16.11. 17:36:05.118 CALL: </COPY>
16.11. 17:36:05.118 CALL: </DATAMANAGER>
16.11. 17:36:05.119 CALL: Call 1042: #3#.setMoreDataIndicator(true);
16.11. 17:36:05.122 CON: GuiNiNetConnection: sending DIAG data to writer thread for modus 0
ERROR #############################
16.11. 17:37:10.018 ERROR: GuiNiReaderThread: read failed: Error: connection to partner '172.23.200.109:3200' broken
16.11. 17:37:10.018 ERROR:
16.11. 17:37:10.018 ERROR: Wed Nov 16 17:37:10 2011
16.11. 17:37:10.018 ERROR: Release 720
16.11. 17:37:10.018 ERROR: Component NI (network interface), version 40
16.11. 17:37:10.018 ERROR: rc = -6, module nixxi.cpp, line 5087
16.11. 17:37:10.018 ERROR: Detail NiIRead: P=172.23.200.109:3200; L=10.64.10.112:53387
16.11. 17:37:10.018 ERROR: System Call recv
16.11. 17:37:10.018 ERROR: Error No 60
16.11. 17:37:10.018 ERROR: 'Operation timed out'
ERROR #############################
16.11. 17:37:10.018 CON: -
16.11. 17:37:10.018 CON: GuiNiNetConnection: sending DIAG data to connection for modus -1
ERROR #############################
16.11. 17:37:10.234 ERROR: GuiConnection: Connection closed
16.11. 17:37:10.234 ERROR: Error: connection to partner '172.23.200.109:3200' broken
16.11. 17:37:10.234 ERROR:
16.11. 17:37:10.234 ERROR: Wed Nov 16 17:37:10 2011
16.11. 17:37:10.234 ERROR: Release 720
16.11. 17:37:10.234 ERROR: Component NI (network interface), version 40
16.11. 17:37:10.234 ERROR: rc = -6, module nixxi.cpp, line 5087
16.11. 17:37:10.234 ERROR: Detail NiIRead: P=172.23.200.109:3200; L=10.64.10.112:53387
16.11. 17:37:10.234 ERROR: System Call recv
16.11. 17:37:10.234 ERROR: Error No 60
16.11. 17:37:10.234 ERROR: 'Operation timed out'
ERROR #############################
ERROR #############################
Hello Andrew,
Some version of the VPN client on Lion seems to have a known issue according to SAP internal discussions.
I found someone saying that with F5 SSL VPN Plugin 7000.2011.0907.01, it is working again.
It seems to be available from https://connectfp.sap.com.
For uninstalling the old F5 version, see http://support.f5.com/kb/en-us/solutions/public/3000/800/sol3826.html
(many "seems", because I am still on Snow Leopard and cannot talk about this issue from my own experience)
Regarding user authorization for downloading software in Service MarketPlace, please refer to note 1037574 (https://service.sap.com/sap/support/notes/1037574).
Best regards
Rolf-Martin
I have Cisco RV100W.
With firmware 1.0.0.2 IPTV works through wires and Wi-Fi. With the new firmware IPTV doesn't work via Wi-Fi, but via wires it works.
Why could it be?
Dear Vitalli,
Thank you for reaching Small Business Support Community.
Are you running the latest firmware, v.1.2.0.9? If not, I suggest you upgrade to that version. I would then suggest you configure QoS Port Based settings on your LAN port(s) forwarding the IPTV traffic, giving it the highest priority (4).
If that configuration setting does not make a difference, I then suggest you contact the Small Business Support Center for further assistance:
https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Please do not hesitate to reach me back if there is anything else I may assist you with in the meantime.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found.
Airport Extreme 802.11n New Firmware Release (VPN ISSUE)
The info accompanying the release of today's firmware upgrade makes no mention of a fix to the VPN problems. Does anyone know if the new firmware had any effect on the problem?
Mac Pro Mac OS X (10.4.9) 4 GB Ram
Our VPN is now working (checkpoint)
For me the firmware update initially seemed to fix the VPN issue, but after closer inspection there still seems to be something wrong with it. (We are using CheckPoint.) My Wintel box that has been provided by my employee is still having issues connecting to our Exchange server, and the network drives do not seem to be working all that reliably. Probably a configuration issue, but do you have any ideas on where to start looking for a solution?
br,
-Joose
Hello to all,
I want to setup a site to site VPN using RV016 for the Head Office and RV042G for the branch offices.
I managed to configure the VPN using cisco tutorials. Status on both routers shows connected.
However, I cannot ping remote IPs or access remote resources. Your help will be highly appreciated.
Thank You
I suggest that you change the local IP address of the RVL200 to 192.168.2.1 instead of using 192.168.0.1. Please also check the encryption and the security on both ends of the tunnel. Make sure that you use the same encryption and the same authentication. You may also want to start with low encryption and security to make sure that it is not the problem.