VPN stops forwarding traffic on subsequent connections (Cisco 861)

Hello everyone,
I have a very strange problem on 2 (independent) Cisco 861 routers in different places.
They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel.
I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
* If I restart the 861 the very same thing happens: first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.
I append the configuration for the sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing.
Quite frankly, I am out of ideas (and desperate).
Any ideas?
Best Regards
Mike
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 XXX
enable password 7 XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
  hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 104
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group vpn
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi,
I added a dynamic crypto map to the configuration according to the document you sent. However, it does not work yet.
There must be some stupid mistake or mixup with the old config.
The router logs:
000038: *Mar  1 01:19:24.047 Berlin: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX
000039: *Mar  1 01:19:29.403 Berlin: CTCP: cTCP connection entry not found. Dropping the packet
Correspondingly, the client retransmits a few times during a connection attempt and then fails.
The current configuration is:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret XXX
enable password XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
no ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
  hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp keepalive 10
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 105
netmask 255.255.255.0
crypto isakmp client configuration group testgroup
key XXX
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group vpn
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile VPNclient
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
mtu 1300
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
crypto map mymap
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
access-list 105 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
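As an added example (not code from the thread, from Cisco or from the router), here is a small Python script that reads a running-config in the form posted above and checks how the Easy VPN server pieces are wired together: whether every `client authentication list` / `isakmp authorization list` named in a `crypto isakmp profile` has a matching `aaa` method list, whether a `crypto map` is attached to a physical interface rather than to a `Virtual-Template`, whether each `crypto ipsec profile` is still bound to a virtual-template, and whether Dead Peer Detection (`crypto isakmp keepalive`, which is a different command from `crypto isakmp nat keepalive`) is configured. The two sample configs are constructed, trimmed and re-indented copies of the first (DVTI) and second (dynamic crypto map) configs in this thread; the finding codes and the parsing approach are this example's own, not an IOS feature.

```python
"""Structural audit of a Cisco IOS Easy VPN server config (added example, not from the thread)."""
import re

def parse_blocks(config):
    """Map each non-indented IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.rstrip()
            blocks.setdefault(current, [])
    return blocks

def audit_easyvpn(config):
    """Return 'CODE: message' findings on how the Easy VPN server pieces are wired together."""
    blocks, found = parse_blocks(config), []
    login = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    netw = set(re.findall(r"^aaa authorization network (\S+)", config, re.M))
    cmaps = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    iprofs = set(re.findall(r"^crypto ipsec profile (\S+)", config, re.M))
    applied, used = set(), set()  # crypto maps on physical interfaces / ipsec profiles on DVTIs
    for header, kids in blocks.items():
        name = header.split()[-1]
        if header.startswith("crypto isakmp profile "):
            for c in kids:
                if (m := re.match(r"client authentication list (\S+)", c)) and m[1] not in login:
                    found.append(f"AAA-LIST: profile {name}: no 'aaa authentication login {m[1]}' exists")
                if (m := re.match(r"isakmp authorization list (\S+)", c)) and m[1] not in netw:
                    found.append(f"AAA-LIST: profile {name}: no 'aaa authorization network {m[1]}' exists")
        elif header.startswith("interface Virtual-Template"):
            cm = [c for c in kids if c.startswith("crypto map ")]
            used.update(m[1] for c in kids if (m := re.match(r"tunnel protection ipsec profile (\S+)", c)))
            if cm:
                found.append(f"VT-CRYPTO-MAP: {header}: '{cm[0]}' on a DVTI; a DVTI is protected with "
                             "'tunnel protection ipsec profile', a crypto map goes on the outside interface")
        elif header.startswith("interface "):
            applied.update(m[1] for c in kids if (m := re.match(r"crypto map (\S+)", c)))
    for cm in sorted(cmaps - applied):
        found.append(f"MAP-UNAPPLIED: crypto map {cm} is on no physical interface, so arriving IKE/ESP never hits it")
    for p in sorted(iprofs - used):
        found.append(f"IPSEC-PROFILE-UNUSED: crypto ipsec profile {p} is bound to no virtual-template")
    if not re.search(r"^crypto isakmp keepalive", config, re.M):
        found.append("DPD: no 'crypto isakmp keepalive'; 'crypto isakmp nat keepalive' only refreshes NAT "
                     "mappings, so a client that silently vanished keeps its SA until the lifetime expires")
    return found

def finding_codes(config):
    """Only the finding codes, for a quick diff between two configs."""
    return sorted({x.split(":")[0] for x in audit_easyvpn(config)})

# Constructed samples: trimmed, re-indented copies of the two configs posted in the thread.
CONFIG_DVTI = """
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
crypto isakmp client configuration group vpn
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   virtual-template 1
crypto ipsec profile CiscoCP_Profile1
 set isakmp-profile ciscocp-ike-profile-1
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
"""
CONFIG_DYNMAP = """
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
crypto isakmp nat keepalive 20
crypto isakmp client configuration group testgroup
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
crypto isakmp profile VPNclient
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
crypto ipsec profile CiscoCP_Profile1
 set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet4
 ip address dhcp
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 crypto map mymap
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
"""
```

On the first config the audit only reports the missing DPD keepalive; on the second it additionally reports the `crypto map mymap` sitting on Virtual-Template1 instead of FastEthernet4, the never-defined `clientauth` / `groupauthor` method lists behind the `VPNclient` profile, and the `CiscoCP_Profile1` ipsec profile that nothing references any more. These are structural checks, not a diagnosis of the original symptom; to compare the router's state between the first and the second connection, `show crypto session`, `show crypto ipsec sa` and `show ip route` are the commands to run on the 861 itself.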

Similar Messages

  • CCE 507 stops forwarding traffic to internet

    Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up because I can telnet into it and reload and everything is fine then. This has started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking maybe upgrade the IOS on the engine. Any guidance would be appreciated. Thanks in advance.

    Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server, although when bypassing the proxy server (CE) there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page. So it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
    Network Error
    The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209

  • ASA appears to randomly stop forwarding/routing traffic

    Hi guys, got a curly one -
    Our ASA appears to randomly stop forwarding traffic between interfaces. Traffic does not forward for several minutes, then it starts again. After a while the traffic stops again for a few minutes, and the cycle repeats.
    If you are on a directly connected network you can still ping the ASA's local interface (I have ICMP turned on for testing). However you cannot ping the ASA from any remote network. I can ping or trace all the way up to the last hop without an issue. You also cannot ping across the ASA to servers on the other side, even from the immediate next hop (which, as I mentioned above, still works).
    This would appear to point to a routing problem? Strangely, routing still functions for the management network - I have had no problems reaching the command line from elsewhere in the network.
    Has anyone encountered something similar to this before?
    Relevant ASA configuration commands below:
    interface GigabitEthernet0/1
    description DMZ Trunk interface
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1.220
    description F5 DMZ Internal
    vlan 220
    nameif DMZInternal
    security-level 50
    ip address 172.17.20.1 255.255.255.0 standby 172.17.20.2
    interface GigabitEthernet0/2
    nameif Internal
    security-level 100
    ip address 172.17.99.254 255.255.255.0 standby 172.17.99.253
    icmp permit any DMZInternal
    icmp permit any Internal
    route management 0.0.0.0 0.0.0.0 172.17.42.1 1
    route Internal 172.16.0.0 255.240.0.0 172.17.99.1 1
    EDIT: sorry forgot to post -
    #sh ver
    Cisco Adaptive Security Appliance Software Version 8.3(2)
    Device Manager Version 6.4(1)
    Compiled on Fri 30-Jul-10 17:49 by builders
    System image file is "disk0:/asa832-k8.bin"
    Config file at boot was "startup-config"

    Hi Dan - I suggest you ask this in the forum.
    hth
    Herbert

  • 10/100 ports stop forwarding on Cat.4506 SupII Cat7.6.7

    On one location of our campus various 10/100 ports stop forwarding traffic after some time (port stays in notconnected state, sometimes with linkled on, sometimes off).
    This happens on various ports of both Cat.4506 systems on both line-card types:
    WS-X4232-GB-RJ
    WS-X4148-RJ
    We already replaced linecards, without success.
    Does anyone know what's wrong ?

    Peter,
    You would probably have a better chance of getting a solution to this issue by posting on the LAN switching forum.
    Hope this helps,

  • Cisco vpn 5.0.07.0440-k9 connected but not access remote network from Windows 8.1 pro

    I am using Cisco vpn 5.0.07.0440-k9 and Cisco vpn 5.0.07.0290-k9 both version on our windows 8.1 pro laptop.
    The VPN connects successfully but I cannot access the remote network and do not get a ping reply.
    But when I try through WiFi, then the VPN works well.
    Please help me as soon as possible.
    Thanks
    Sanjib

    Hello Karthik,
    I am using an "MTS usb wifi" device, and connecting the VPN through WiFi works well on the same Win 8.1 Pro. But when I try to connect the VPN through LAN/wired or a USB modem (like Vodafone, MTS and others) it is not working.
    I am using Easy VPN on a Cisco RV325 router in our office. The same VPN client works very well in Windows 7 SP1 and Windows XP SP3.
    Thanks
    Sanjib

  • VPN: Port-forwarding OK but Nothing Talking

    I've set up several 10.3 & 10.4 VPN services but this one has me puzzled...
    10.4.2 Server (does it just need updated?)
    Internal ip only (no firewall on server) with router forwarding UDP 1701, 500 & 4500 (for L2TP).
    When attempting to form the VPN with remote (wan side) Internet Connect client, there is no connection showing in vpnd.log (set to verbose logging) and no connection showing on Internet Connect log. It's like the port forwarding is not taking place. However...
    If I run a port scan from remote machine, on UDP 1701, 500 & 4500, this traffic shows up on a TCPDump session running on the server.
    Attempting to form the VPN, however, shows NO traffic with TCPDump.
    The IP address of the server, in Internet Connect, is correct (same as the one used during port scanning). The VPN client is able to connect to several other servers OK.
    Any ideas?
    Ta.
    -david
        Server 10.4.8

    1. What kind of router are you using?
    Corega router at server side and Netgear DG834G on client side (with ethernet cable, not wireless).
    The Netgear works fine to other sites. The Corega is 'unproven' in that I do not have another site with same router. It can act as a VPN gateway (this does work elsewhere) but is not active in this role at this site (we want to use server vpn service).
    2. I have seen a few copies of 10.4.x Server just go
    L2TP/IPSec deaf. They all eventually sorted
    themselves out with software updates, but certain
    versions were just plain ol' deaf.
    I've now updated to 10.4.8. No difference.
    Just to reiterate...
    Port-forwarding of 500, 1701 and 4500 appears to be working, as a TCPDump on the server lists these packets when a remote machine is port scanning for them.
    However, the same TCPDump session does not list any UDP 500 packets when the VPN client (internet connect) is attempting to start. Logs show nothing beyond "listening for connections...". As I understand it, L2TP commences with an IKE communication on port 500 prior to the later 'real' stuff. Why is this not showing up in a TCPDump?
    Puzzled...
    -david
        Server 10.4.8

  • How ASA forwarding traffic to AIP-SSM

    Hi All,
    Can someone help with how the ASA device forwards traffic to the AIP-SSM? I'm not talking about the configuration part like class-map, policy-map and service policy; I want to understand the traffic flow from the ASA to the AIP-SSM once traffic is matched by the ACL.
    From one of the Cisco documents, I understood that the module uses a Cisco proprietary protocol for communicating with the ASA appliance.
    ================================================================================================================
    FYR from Cisco Website:
    Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
    A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
    ================================================================================================================
    Regards,
    S.Vinoth

    Hey ,
    As you mentioned above, it uses a Cisco proprietary protocol for that communication. There are two interfaces, a control channel and a data channel; the data channel is where the traffic is forwarded, and the backplane is the connection between the ASA and the IPS interface.
    Hope that this helps .
    Mohammad.

  • Stop DHCP traffic from passing across interfaces

    I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.
    Example of setup
    Company 1 connected to interface 1 has its own dhcp server
    Company 2 connected to interface 2 has its own dhcp server.
    Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.
    Is there any way to stop DHCP traffic from crossing interfaces?
    Shane

    You usually have to permit DHCP traffic explicitly. The specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
    To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
    * Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
    * Incoming packets from any address to 255.255.255.255
    * Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
    where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients
    An example in an ASA would be similar to the following.
    For blocking client:
    access-list TEST extended deny udp any any eq bootpc
    For blocking server:
    access-list TEST extended deny udp any any eq bootps
    Hope that helps.

  • How to prevent packet forwarding over non-MPLS connection.

    I'm wondering if it is possible to configure Cisco ESR to not forward packet over non-MPLS connection(VPI/VCI=0/32) when an LSP for its destination has not been established, while allowing control packets(BGP, LDP, OSPF) to be sent over non-MPLS connection. The reason why I ask about is as follows.
    Referring to the following network configuration,
    R1 --- Cisco_ESR --- ATM_LSR --- LER --- R2
    <--> non-MPLS connection
    ----------------------->
    LSPs
    ----------------------->
    In the ordinary operation, when a packet arrives at Cisco_LER from R1, it gets forwarded over an LSP if available, while getting forwarded over the non-MPLS connection (VPI/VCI=0/32) if the corresponding LSP is not available. In the configuration mentioned above, ATM_LSR does software-based packet processing for incoming packets through the non-MPLS channel, while doing cell-switching for LSP traffic. Thus if the ESR sends packets over the non-MPLS connection, e.g. STM-1c, the ATM_LSR could crash or time-critical control traffic could be delayed or lost, thereby resulting in BGP/LDP session failure between the ESR and ATM_LSR or LER.
    In summary, my question is how to prevent Cisco_ESR from forwarding packets over non-MPLS connection when LSPs for their destinations are not available due to LSP failures.
    Thanks.
    Yongjun.


  • Howto block p2p traffic of clients connected to the same ssid on different wlc

    Hi all,
    I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
    Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
    ===
    Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
    A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
    ===
    Does anybody know what's the best practise to prevent this inter wlc client traffic? I already read about using acls on the wlc dynamic interfaces, or private vlans on the l2 switch vlans where the dynamic interfaces are connected to. Is it allowed to completely isolate the wlc from each other on these dynamic interfaces with acls or private vlans or do the wlc need to see each other on this interfaces (e.g. heart beat)?
    Many thanks in advance,
    Thorsten

    Hi Sasha,Thorsten
    The bug is Junked and I believe which is what you are running into with your tests:
    CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
    Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    To answer your original query :
    An ACL is the only solution to block client communication on the same SSID between 2 WLCs. The 5508 works better with ACLs than the 44xx platform.
    ARP requests will be forwarded to upstream router just like any other traffic. WLC won't proxy arp for clients on same vlan.
    Gateway arp's I believe should be handled by WLC . ( Don't quote me on this but I am pretty sure it is ) ..If it was not, then how would client know about gw ?
    Multicast traffic is not applicable for p2p.
    Your ACL can be as simple as this for the scenario :
    WLC 1 - clientvlan = 10
    WLC 2 - clientvlan = 10
    and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
    Basically in that case the ACL should look like on both WLCs :
    1. Permit statement to talk to gateway.
    2. Deny to subnet.
    3. Permit all.
    4. If DHCP/DNS other services are on same subnet then you would need to add a permit
    statement before the deny.
    5. Attach the ACL to the SSID or dynamic interface.
    Thanks..Salil

  • VPN Client and AAA services on a Cisco ISR Router

    Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
    So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
    1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
    2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
    3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
    4.  Are there helpful articles I can read that will answer some or all of these questions? 
    Thanks in advance,
    Jim

    Hi Jim,
    congratulations
    Assuming a basic setup, your router will have something like this:
    crypto isakmp client configuration group MyGroup
      key cisco123
    So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
    I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
    Does this help?
    Herbert

  • 10.9.2 Update Issue (VPN) - Eclipse Perl debugger issues while connected to VPN

    This post was initially added to this discussion: 10.9.2 Mavericks update issues
    I have yet another issue related to 10.9.2 update - Eclipse Perl debugger issues while connected to VPN...
    One of the big changes introduced by 10.9.2 update - are VPN changes (security fixes). Unfortunately, whatever these changes are - they "broke" Eclipse (OpenSource IDE) debugger. I am not sure if *all* programming languages (Eclipse plugins) are affected by this, but I know for sure that 'Epic' (Perl plugin) debugger *stopped working* while system is connected through VPN.
    Here is the error that gets “popped-up” in the Eclipse:
    Timed out while waiting for Perl debugger connection
    … and here is exact exception stack that gets printed:
    Unable to connect to remote host: 130.10.210.74:5000
    Compilation failed in require.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
              main::BEGIN() called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
              eval {...} called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
    BEGIN failed--compilation aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    Can't use an undefined value as a symbol reference at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 7596.
    END failed--call queue aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    (of course IP address changes dynamically for each VPN connection session)…
    I was able to prove that this issue is related to 10.9.2 update:
    Issue *does not* exist under 10.9.1 (I had to revert back to 10.9.1 to get it working again)
    No updates were performed around the same time 10.9.2 update occurred (I verified that using Software Update log)
    No configuration changes were introduced around the same time
    Reverting back to 10.9.1 using Time Machine (thanks god I had backup !!!) fixed the issue
    Steps to reproduce this issue:
    In Eclipse, try to use 'Epic' (Perl plugin) to debug any perl script while *not* connected through VPN. Epic debugger works
    Connect to VPN
    Start Epic debugger to debug same script
    Debugger *does not* start, and "Timed out while waiting for Perl debugger connection" error pop-up comes up after some time. At the same time, exception stack (listed above) is printed in Eclipse's console
    I am a programmer/software developer, I work remotely (telecommute) and thus have to rely on use of VPN to connect to the company's intranet. Perl is the primary language used by my team, and we use Eclipse IDE with the Epic plugin heavily. Use of Epic's debugger is a *very large* aspect of my work, I cannot work without it. So in essence, 10.9.2 has *entirely* disrupted my ability to work! It took me almost a week to get back to a normal work environment, and I cannot afford to let it happen again... I need Apple's development team to resolve this VPN related issue as soon as possible! Because of this issue, I am *stuck* with 10.9.1 and can not upgrade my laptop to any other versions. In fact, I had to disable system updates just so I do not run into this issue again... I contacted Apple's Tech Support on 02/28 with this issue (Ref: 582428110), asking to raise a trouble ticket. Since then, I tried to follow up on that issue, but do not get any information. Please advise on the status:
    is there a trouble ticket to track this issue?
    is there any progress?
    what's the ETA for an update that fixes this problem?
    - Val
    Message was edited by: vpogrebi

    Am I the only one experiencing this issue ???

  • How do I forward traffic to an IP Address from a gateway through an extreme?

    I have a DVR for a camera system attached to a WiFi Ethernet device (because there is too far a distance between the DVR and cable gateway). When it was attached directly to the cable modem, I used port forwarding to route traffic to the DVR. That worked great. NOW I have to use the WiFi adapter and that is connecting to the Airport Extreme. The Airport Extreme is connected to that cable modem.
    So I understand how to forward traffic from the modem to an IP address (the Extreme's IP perhaps ??) but then how do I send that traffic through the Extreme to the wifi-ethernet adapter connected to the DVR ?

    I am on my mobile phone getting an address of 10...83 through the router 10...1.
    Then the DVR setup on 10...69 IS accessible.
    When I switch my wifi off (on the mobile phone)  and I use the ip address (23…94) of the modem w/ port specification I do not get connected.
    When I plug DIRECTLY into the Cable Modem and get an IP address of 10…53, via (Mac OS X) I CAN access the DVR again with ip of 10…69.
    When I use WIFI (via the AE) I get an IP Address of 10…44 and CAN access the DVR as well.
    I have also confirmed traffic is port forwarding to .69:7000 as per the port specified on the DVR.
    So with all that it is confirmed, I tried it again and still not working...
    THEN I reset the AE, Reset the Wifi Adapter, Reset the DVR and updated Firmwares, started with the basics outline from everyone and IT'S WORKING!!
    I believe it was actually all the AE and requiring a reset on that device.
    Thank you again for all the help, this was a fun challenge!

  • VPN client will not open or connect

    Hi,
    I'm running VPN Client 5.0.07.0440 on a Windows 7 Pro HP TouchSmart. The .pcf file is the same I am using on many other machines on this same network. When I double click the icon, the window opens up, but when I double click the connection entry, the dialog box says "connecting to security gateway at xxx.xxx.xxx.xxx" for a few seconds and then says "Not connected." I can't even get to the log-in screen I normally can. This is a new computer set-up. All updates are downloaded for windows.
    I've uninstalled the client and re-installed it, re-booting after every step. I've pinged the address and had no problems. Running Avast, Malwarebytes as on other machines. No other security software. My VPN is enabled in my Network Connections.
    Here is my log file:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7600 
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      13:05:53.644  07/05/14  Sev=Warning/3 IKE/0xE3000057
    The received HASH payload cannot be verified
    2      13:05:53.644  07/05/14  Sev=Warning/2 IKE/0xE300007E
    Hash verification failed... may be configured with invalid group password.
    3      13:05:53.644  07/05/14  Sev=Warning/2 IKE/0xE300009B
    Failed to authenticate peer (Navigator:915)
    4      13:05:53.645  07/05/14  Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
    I know the names and passwords are correct as they were copied from working files.
    Hope this is posted to the right group.
    Never had this problem after many machines. Any help would be greatly appreciated. 
    Thank you

    Since you're getting the message "may be configured with invalid group password", perhaps your pcf file got corrupted. 
    I'd recommend you compare the profile pcf file (stored in "C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles") on the non-working machine with one from a working setup.
    They can be examined in a text editor or with a diff tool (like the freeware ExamDiff). The encrypted group password hashes (string in the file preceded by "enc_GroupPwd=") should match.
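    One way to do the comparison the answer above describes, as an added example that is not part of the original thread or of the Cisco client: .pcf profiles are INI-style text files with a [main] section, so Python's configparser can read them and report which keys differ between a working and a non-working profile. The two sample profiles below are constructed for this example, and the enc_GroupPwd values are placeholder hex strings, not real credentials; the report masks password-like values so the output can be shared without leaking the group secret.

```python
"""Compare two Cisco VPN Client .pcf profiles and report differing keys.

Added example, not code from the forum thread or from Cisco. A .pcf file is
INI-style text: a [main] section with key=value lines such as Host,
GroupName and enc_GroupPwd. A mismatched enc_GroupPwd is one cause of the
"HASH payload cannot be verified" warning, because the IKE aggressive-mode
hash is keyed on the group pre-shared key.
"""
import configparser

# Constructed sample: profile copied from a known-working machine.
# Placeholder values only; not a real gateway or credential.
WORKING_PCF = """[main]
Description=Office VPN
Host=vpn.example.com
AuthType=1
GroupName=office
enc_GroupPwd=AABBCCDD00112233
EnableISPConnect=0
Username=alice
"""

# Constructed sample: profile from the failing machine. It is identical
# except that the encrypted group password has lost its last character.
BROKEN_PCF = """[main]
Description=Office VPN
Host=vpn.example.com
AuthType=1
GroupName=office
enc_GroupPwd=AABBCCDD0011223
EnableISPConnect=0
Username=alice
"""


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case keys; keep enc_GroupPwd as written
    cp.read_string(text)
    return dict(cp["main"])


def diff_profiles(good_text, bad_text):
    """Map each differing key to (value in good profile, value in bad profile)."""
    good = parse_pcf(good_text)
    bad = parse_pcf(bad_text)
    diffs = {}
    for key in sorted(set(good) | set(bad)):
        if good.get(key) != bad.get(key):
            diffs[key] = (good.get(key), bad.get(key))
    return diffs


def group_password_matches(good_text, bad_text):
    """True when enc_GroupPwd is byte-for-byte identical in both profiles."""
    return "enc_GroupPwd" not in diff_profiles(good_text, bad_text)


def format_report(good_text, bad_text):
    """Human-readable list of differing keys with password-like values masked."""
    lines = []
    for key, (good_val, bad_val) in diff_profiles(good_text, bad_text).items():
        if "pwd" in key.lower():
            # Show only lengths so the report does not leak the secret itself.
            good_val = f"<{len(good_val or '')} chars>"
            bad_val = f"<{len(bad_val or '')} chars>"
        lines.append(f"{key}: working={good_val!r} failing={bad_val!r}")
    return "\n".join(lines) if lines else "profiles are identical"


if __name__ == "__main__":
    print(format_report(WORKING_PCF, BROKEN_PCF))
```

    In practice, point parse_pcf at the real files from the Profiles directory named in the answer; because the report masks any key containing "pwd", it is safe to paste into a ticket when asking an administrator to re-issue the profile.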

  • Connect Cisco Process Orchestrator in IAC 4.0

    During the execution of the 'Connect Cisco Process Orchestrator' task in the Day 0 Wizard, many miss out on the underlying note to 'Start all other agents' ("Please start all other agents 2 minutes after executing connect Cisco Process Orchestrator"), thus resulting in errors in the configuration of the HTTP/WS adapter based agents, in particular the ones that communicate with CPO.
    The way this service works is the following:
    The requestor is prompted with a form to populate related info (hostname, port, URL, credentials, etc.)
    Upon 'submit order' the request will use the 'REX Set HTTP Agent Properties' to configure all the agents that need to communicate with CPO (it modifies their outbound properties).
    Once all the agents are configured, the service will pause until 'start all other agents' is ordered. Only then will the last step of onboarding CPO take place, where it will communicate with CPO to configure the respective targets, etc. and finalize the request.
    If you are still on task 'Connect Cisco Process Orchestrator', then you should be able to observe in PSC, Service Link > View Transactions the progress of the request.
    The highlighted task should be in a 'waiting' state, before you execute 'Start All Other Agents'
    In the event you have not been patient or have not read the instructions (like myself), the following is the process to get you back on track ...
    Manually: Stop all the agents apart from the ones starting with 'REX'
    Manual or Wizard Step 1: Start DB Agent (Agent Name: Insert Default Parameters & Portal Page Assignment to OU)
    Manual or Wizard Step 1: Start nsAPI Agent (Agent Name: Retrieve OU ID on Name)
    Wizard Step 2: Connect Cisco Process Orchestrator AND WAIT / monitor that all configurations are complete before proceeding to the next step
    Regards,
    Dimitris

    up
