VPN pw mgmt plus framed IP address not working

I am trying to configure AAA for an SSL VPN (ASA, 8.x) to support both password management and a framed IP address. Authentication server is AD.
I can get the pw mgmt to work when using LDAP authentication against AD, and I can get the framed IP address to work with IAS (RADIUS on AD). But, I cannot get both to work at the same time with either method.
Any help appreciated.

The security appliance can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the security appliance searches each of the options until it finds an IP address. By default, all methods are enabled. The following URLs will help you:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/vpnadd.html
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/svc.html

Similar Messages

  • Vpn-framed-ip-address not working with anyconnect

    Hi Folks, please help me to verify if this case is a bug or a "not valid scenario".
    Scenario:
    ASA 5520, OS 9.1, SSL VPN with AnyConnect v3.x, static IP address for the client, and RSA token authentication (all the users/PINs/passwords are in the RSA server, not in the ASA, but I need to create some users in the ASA in order to apply the vpn-framed-ip-address attribute for specific users).
    In fact the AnyConnect SSL VPN with RSA auth works fine: the SSL connection works, the user is authenticated, AnyConnect works, traffic is passing, BUT... AnyConnect is getting an IP address from the ip local pool INSTEAD of the static IP defined with the vpn-framed-ip-address command.
    I'm trying to assign a static IP address for a user (defined locally on the ASA) that performs auth via RSA (aaa-server), by using the vpn-framed-ip-address command as an attribute for this local user. But it seems the command is not working.
    I've already tried to resolve it (with no success) by entering
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    vpn-addr-assign local
    I've also tried removing the pool from the tunnel-group in order to force all the connection sessions to use the static IP address, but in this case AnyConnect sends the message "No Address Available for SVC Connection", meaning the ASA is simply ignoring the vpn-framed-ip-address command.
    The ASA is supposed to implement the policies in this order, DAP > User policy > UserGrp policy > ConnProfile > DefGrpPolicy, and according to this, the vpn-framed-ip-address command should take effect first since it's specified as User policy, overriding everything else. But it's not working.
    At this point I think the issue is: since the user is locally defined but its password is being authenticated via RSA (not local), the user attributes (static IP) are being ignored by the ASA because it's not expecting to receive an IP address from the aaa server (RSA), so it jumps to the next policies, falling back to the pool. Anyway, the user policy attributes SHOULD work according to Cisco.
    Please advise, or tell me whether it's a bug or a not valid scenario for this command to work with the ASA.
    This is the current config:
    ip local pool PoolSSL 192.168.229.10-192.168.229.19 mask 255.255.255.0
    aaa-server RSA protocol sdi
    aaa-server RSA (inside) host 192.168.12.1
     retry-interval 5
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    group-policy GroupPolicyABC internal
    group-policy GroupPolicyABC attributes
     wins-server none
     dns-server value 192.168.61.1 192.168.61.2
     vpn-tunnel-protocol ssl-client
     group-lock value TunnelGroupABC
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ServersDB
     default-domain value my.domain.com
     split-tunnel-all-dns disable
     webvpn
      anyconnect ask none default anyconnect
    username USER1 password xHhacRZ56Uadqoq encrypted
    username USER1 attributes
     vpn-framed-ip-address 192.168.229.7 255.255.255.0
     group-lock value TunnelGroupABC
    tunnel-group TunnelGroupABC type remote-access
    tunnel-group TunnelGroupABC general-attributes
     address-pool PoolSSL
     authentication-server-group RSA
     default-group-policy GroupPolicyABC
    tunnel-group TunnelGroupABC webvpn-attributes
     group-alias AccessToDB enable
    I'll wait for your answers, regards!

    https://tools.cisco.com/bugsearch/bug/CSCtf71671/
    You need AAA assignment, or at least you needed to have it a couple of years back.
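    Added example, not from either thread: an ASA 8.x configuration that keeps `vpn-addr-assign aaa` enabled (the reply above says a static address needs the AAA path, which is also how a local username's vpn-framed-ip-address is delivered) and, for the original LDAP question, sources the per-user address from AD through an LDAP attribute map so that password management and the framed IP come from one server group. Server names, DNs, addresses and the `msRADIUSFramedIPAddress` schema attribute are assumptions for illustration.

    ```text
    ! Keep AAA address assignment on: a local username's vpn-framed-ip-address
    ! and an address returned by an LDAP or RADIUS server both arrive this way.
    vpn-addr-assign aaa
    vpn-addr-assign local
    !
    ! Map the AD attribute holding the user's static VPN address onto the
    ! RADIUS attribute the ASA evaluates (assumed AD attribute name).
    ldap attribute-map AD-MAP
     map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
    !
    ! LDAP server group against AD (host, DNs, bind account are placeholders).
    ! AD only accepts password changes over LDAPS, so SSL on 636 is required
    ! for password-management to work.
    aaa-server AD-LDAP protocol ldap
    aaa-server AD-LDAP (inside) host 192.0.2.10
     server-port 636
     ldap-over-ssl enable
     ldap-base-dn dc=example,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=com
     ldap-login-password <bind-password>
     server-type microsoft
     ldap-attribute-map AD-MAP
    !
    ! Pool stays as a fallback for users without a mapped address.
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool PoolSSL
     authentication-server-group AD-LDAP
     password-management
    ```

    With `vpn-addr-assign aaa` removed, as in the config posted above, both the mapped LDAP attribute and a local user's vpn-framed-ip-address are skipped and the session falls through to the pool.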

  • SQL*Plus COPY command does not work

    SQL*Plus COPY command does not work in SQL Developer. I am using SQL Developer 1.5.1 on Windows XP.
    copy from <source_db_connection> to <target_db_connection> create <target_tab_name> using select * from <source_tab_name>
    Does it work on different versions of SQL Developer ?
    Anyone had any success in trying COPY command in SQL Developer?
    Thanks in advance.

    While it hasn't been updated for v1.5, this page lists the supported SQL*Plus commands. COPY is explicitly listed as not supported.
    theFurryOne

  • HT5312 Rescue email address not work and I forget my security question answers

    Rescue email address not work and I forget my security question answers

    If you don't have access to your rescue email account (you won't be able to change it until you can answer 2 of your questions), or you aren't receiving the email to it, then you will need to contact iTunes Support or Apple to get the questions reset.
    e.g. you can try contacting iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Account Management , and then 'Forgotten Apple ID security questions'
    or try ringing Apple in your country and ask to talk to the Accounts Security Team : http://support.apple.com/kb/HE57
    When they've been reset you can then use the steps half-way down the page that you posted from to update your rescue email address for potential future use, or you could change to 2-step verification : http://support.apple.com/kb/HT5570

  • Erec - leaving action deleted internal candidate email address not working

    Good morning
    We have the following situation:
    1. A person was made a leaver in HR with future leaving date.
    2. Decision was made that the person could actually stay so the leaving action was deleted in HR.
    3. In erec in SU01 the person is still showing as role RCF_INT; however the email address (produced from IT105 subtype 0010 in HR) was blank and his Alias field populated with his employee number, i.e. as if he were still a leaver.
    4. I have manually updated the email address in erec for his internal email address - this did not let him apply for an internal job. I then deleted it in IT105 in HR and then recreated it in IT105 - this has gone across to Erec however he still cannot apply and the Alias field is still being populated.
    So erec is behaving as if he is part internal and part external! How can I stop the Alias field being populated for him and how can I then get the email address to work?
    many thanks
    Dawn

    Hi Nicole
    Thank you. The order of events was as follows:
    a. On 25.01.11 a leaving action was done to start 01.04.11
    b. A decision made in March that the individual could stay however the leaving action was not deleted until 08.04.11
    c. This meant that he became a leaver in erec and due to subsequently deleting the leaving action he has reverted to INT_CAND (which is what we want).
    I have managed to get the email address to work by deleting the IT105 subtype 0010 in HR, I then recreated it in HR and it has PFAL'd over to erecruitment so the user is now able to apply for jobs.
    However the Alias field is still populated and the user has an additional employee number in erecruitment. Are you able to advise how the alias field can be depopulated?
    Many thanks
    Dawn

  • Dynamic IP Address not working on MBP

    Hello:
    I am experiencing a problem with my MacBook Pro not being able to obtain an IPv4 address when "Using DHCP" is selected for either a wifi or ethernet connection. In order to be able to connect either device, I have to manually add an address (i.e., 192.168.0.36) and use "Using DHCP with manual address" instead.
    It is interesting to note that all other devices on my home network work perfectly and all use DHCP and have addresses assigned to them. These devices include iPads, iPhones, AppleTV, etc. The only device that does not work is my MacBook Pro. Thinking it was a network issue, I reset my DSL router as well as my Airport Extreme to default settings and re-configured my network. This proved to be of no use.
    Has anyone else experienced this issue and know a possible solution?
    Thanks in Advance.


  • Manually set IP addresses not working as needed

    We have set up our DHCP server so that we manually, not dynamically, give IP addresses to workstations according to their MAC addresses. But most of the time the workstations go and get IP addresses dynamically, and in this case most of the time we get an IP conflict. Does it mean that giving IP addresses manually does not work properly in the DHCP configuration? For our reasons, we need to use manually assigned IP addresses, not dynamic ones. And how can I trace why the manually configured workstations go and get IP addresses dynamically?

    It should work properly. Please post your configuration.

  • Richard Huggins/Art ? email address not working Reply here

    I received this email.
    The return address does not work.
    On 13 Mar 2006, at 22:51, art wrote:
    On 3/13/06 1:13 PM, Richard Huggins wrote:
    My daughter has the world's cutest toddlers and a PC. I, grand-dad, live 300
    miles away and have a MacBook Pro with the built-in camera. So you now
    understand my subject topic!
    I'm new to the video chat stuff, so I'd appreciate help with what she could
    use and I could use and us both see/hear each other. (She mentioned that She
    has Skype, but Skype's Mac version does not yet support video.) I'm thinking
    that I can't use iChat for this, but if I'm wrong let me know.
    Thanks,
    Richard
    Sent using the Microsoft Entourage 2004 for Mac Test Drive.
    Richard,
    This might be possible depending on the configurations of the computers and the speeds of the communications links that you both have. iChat can be a bit tricky to set up for audio/video sessions, especially if there are one or more firewalls involved.
    There's an excellent narrative on the specific topic of iChatPC at:
    http://www.ralphjohnsuk.dsl.pipex.com/page12.html
    You might check out the iChat forums in the Apple discussion groups at:
    http://discussions.apple.com/category.jspa?categoryID=139
    There is a wealth of knowledge and assistance about iChat related issues on these forums. There tend to be more active discussions regarding iChat related issues there than here in the Usenet groups.
    If you are unsuccessful with iChat, try Sight Speed (www.sightspeed.com). There are free clients for both Mac and PC. Unlike iChat, it is client-server based (iChat is peer-to-peer) so there are fewer obstacles to success.
    It doesn't have as good video/audio quality as iChat and the echo suppression isn't as advanced, but it is much easier to set up. Also, unlike iChat, the conferencing capabilities (more than two users) are not included with the free versions.
    HTH...
    Regards,
    Art
    My reply was
    Hi,
    iChat will Video chat to the AIM 5.9 Application or Trillian Pro ($25) run on a XP PC.
    Both ends need some settings up. The AIM application more, with an extra "Tuning" stage.
    The AIM application needs the Tuning and Enabling through the XP firewall (links to Tuning and an Explanation of the Firewall stuff on the Page 12 link)
    Trillian needs just enabling through the XP firewall.
    Both ends also need to make sure the applications involved can also get through the routers and modems involved.
    This page has links to Real People testers and some Autoresponding test accounts. Both ends should try contacting the autoresponding accounts and then with a selection of the Real People, to see where they are up to. Then Try PC to PC and Mac to Mac before trying Mac to PC (Or the other way round).
    This list has some cross platform stuff
    There is also YakforFree iVisit and others out there.
    I hope this helps whoever sent the email.
    4:58 PM Thursday; March 16, 2006

    Hi ernestw31,
    First make sure that you're using the email address that you used to set up your subscription. If you are and still can't sign in, please contact Adobe Customer Support; an agent can help you resolve your account issue.
    Click the Chat link at https://www.acrobat.com/misc/en/contact-support.html. Chat is available from 5am – 7pm PST.
    Please let us know if you need further assistance.
    Best,
    Sara

  • Answer-address not work

    Dear Admin,
    I have been trying for a few days already to match inbound calls based on the calling number.
    Calls made from the calling number range 8000-9 should be terminated by prefix 332168 through the TDM link, but it did not work.
    Below is my scenario and configuration detail. Please advise if anything is wrong.
    Partner A (over SIP protocol) ------> (Inbound SIP) AS5400 (TDM) -----> PSTN
    dial-peer voice 332855 pots
    description Outbound to TDM-A
    max-conn 1
    answer-address 800[0-9]
    destination-pattern 332168.
    progress_ind alert enable 8
    port 6/7:D
    dial-peer voice 3328551 voip
    description Inbound Sip from KZ
    voice-class codec 1
    session protocol sipv2
    answer-address 800[0-9]
    Best Regards,
    Daneth

    Call Apple Care and ask for the Account Security Team. They can assist you with your issue.

  • Switch from AppleTalk to IP Address not working well in Quark 7.5

    Knowing I have to switch from AppleTalk to IP Address printing with two new MACs coming online with Snow Leopard, and updates I plan to do to three MacPros, I started testing by turning off AppleTalk on a MacPro running Leopard. I then set up our two printers (HP Color LaserJet 8500 and HP Laserjet 2200) through their IP addresses. Everything prints fine to the 8500, but have a problem with the 2200.
    We have routinely printed color documents out of Quark 7.5 to the 2200 for initial proofing, to save the cost of color printing. While some graphics don't look particularly great, they have printed OK (for initial proofing). However, when printing through the IP address to this printer, Quark documents with graphics become nothing more than junk, and print page after page of nothing but a row or two of junk. I've tested this on two MacPros prior to any update to Snow Leopard, with the same result.
    What could be causing this? Everything works fine through AppleTalk, but not through IP address on the one printer. (I'm totally disgusted that Apple did away with AppleTalk in Snow Leopard!!!)
    Thanks,
    Ginny


  • Submit button to an email address not working?

    Created a submit button for sending the complete PDF form to an email address; it works fine on my computer with the 8.3 Pro version. But when I send it to someone else to use with Adobe Reader it won't work, it returns an error message. Isn't the whole idea of a form to be able to send data? My email address is wrong in my profile and it won't let me change it. Also tried using the FDF and XFDF formats as the help suggests; that didn't work either.

    The problem may be on the other machine, one of the major problems with using e-mail submission. E-mail submission requires that the user machine be properly configured. With AA9 (or maybe AA8), additional options were set up that did not require MAPI to be active on the machine, but there are apparently some problems. If the data file is being sent, then there is not a Reader Rights issue. It looks like you are using Acroforms since you mentioned FDF and XFDF (Designer uses XML) data formats. It may be that the client is using an earlier version of Reader before AR9 and that is an issue.
    The safest way to send the data is to a web script on a server, not e-mail. Setting this up is not necessarily that easy, but the safest as mentioned.
    I have not answered your problem as such, but given some indication of why you may be having a problem.

  • Static IP Address not working on windows server

    first of all...I am not an IT person so most of this is greek to me...
    I got a static IP address from my ISP and loaded it into the TCP/IPv4 settings for the ethernet adapter on the server. As soon as I do that I lose internet access. I can ping the static IP address but not the gateway IP.
    I have called my ISP and they said all the settings were correct on the modem.
    Not sure what to do.

    If you have the public on the WAN of the router, you do not need it on the server.  The server wants to be a static on the same range as the LAN of the router.  If you have the router LAN set as 192.168.1.1 (which is the default of most out there)
    you want the IP of the server to be something like 192.168.1.10, with the same subnet mask of the LAN of the router (Usually 255.255.255.0) and the Default Gateway of the server to be the LAN IP of the router (in this example: 192.168.1.1).  For DNS,
    you probably want to set the LAN IP of the router, as the router should send any requests to the public DNS set by the ISP.
    This should get the server back online.  

  • Blog Address not working in the RSS Widget

    I just updated to iWeb '09 and am trying to put my blog address into my website using the RSS Widget. However, it seems that the widget won't accept the address saying "The RSS feed source can't be reached" Am I missing something?

    Throwing my hat in on this one today as well. Worked fine yesterday, this morning nothing. As you noted i can paste to the calculator widget but not back out from it. Have repaired permissions and trashed the dashboard prefs to no avail. Other widgets are still able to Copy & Paste without issue - seems constrained to Calculator itself.

  • Group mail address not working

    Mavericks 10.9.2 still does not allow me to put groups into my email address bar.

    It sounds like your group contains one card. Mail will only use one email address per card when you compose to a group. You have control over which email address is selected, though. You can select the Edit > Edit Distribution List... menu item, then select a group, then click on an email address per group member to make it bold.

  • Instanceconfig.xml Allow address not working

    Hello all,
    In our 10g installation, we limited access to our OBI using the <Listener><Firewall> tags. They had the following format:
    <Listener>
         <Firewall>
              <Allow address="127.0.0.1"/>
         </Firewall>
    </Listener>
    But moving this to our 11g installation prevents the OBIPS service from starting. Does anyone know if the tags or the location of this has changed? I did not find any working examples in the documentation so far...

    Hi,
    I found just a way to allow a particular range of IP access to OBIEE 11g.
    You can use the Weblogic Connection Filter but you will stop the access for all the application on the domain.
    http://weblogicissuesolutions.blogspot.it/2011/05/steps-to-configure-weblogic-connection.html
    http://weblogic-wonders.com/weblogic/2011/03/03/weblogic-connection-filters/
    http://jvzoggel.wordpress.com/2011/07/12/using-weblogic-network-connection-filters/
    http://docs.oracle.com/cd/E13222_01/wls/docs81/security/con_filtr.html
    Luigi
