VPN users unable to access internal network - ASA 8.3.1

Similar Messages

• Unable to access internal networks over Remote acces VPN

  Hi,
  I have set up a Remote access VPN from Home to Cisco ASA 5512-X.
  I am able to connect successfully and even getting a valid IP address from VPN pool 172.21.3.1-. However I am unable to access any of the internal resources.
  Internal Network: 172.20.0.0 255.255.0.0
  Please if someone can help identifying the issue.
  Below is the running config:-
  Result of the command: "sh run"
  : Saved
  ASA Version 9.1(1)
  hostname ASA
  domain-name M8fl.com
  enable password Aoz9GlxLLvkWrTUy encrypted
  passwd Gc1jA6zbgOsj63RW encrypted
  names
  ip local pool vpnclients 172.21.3.1-172.21.3.20 mask 255.255.0.0
  ip local pool test 172.21.3.21-172.21.3.40 mask 255.255.255.0
  interface GigabitEthernet0/1
   nameif inside
   security-level 100
   ip address 172.20.254.250 255.255.0.0
  interface GigabitEthernet0/2
   description vodafone 100mb internet 195.11.180.40_29
   speed 100
   duplex full
   nameif outside1
   security-level 1
   ip address 195.11.180.42 255.255.255.248
  interface GigabitEthernet0/3
   description Voice
   nameif Voice
   security-level 80
   ip address 192.168.2.1 255.255.255.252
  interface GigabitEthernet0/4
   shutdown
   no nameif
   no security-level
   no ip address
  interface GigabitEthernet0/5
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   management-only
   nameif management
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  boot system disk0:/asa911-smp-k8.bin
  ftp mode passive
  clock timezone GMT 0
  dns domain-lookup inside
  dns domain-lookup outside1
  dns domain-lookup management
  dns server-group DefaultDNS
   name-server 10.0.0.4
   name-server 172.20.0.100
   domain-name M8fl.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network VLAN1
   subnet 172.20.0.0 255.255.0.0
  object network NETWORK_OBJ_172.20.3.0_27
   subnet 172.21.3.0 255.255.255.224
  object network Voice_Net
   subnet 172.21.20.0 255.255.255.0
  object network PBX_Internal
   host 192.168.2.2
   description PBX Internal
  object network Voice_External
   host 195.11.180.43
   description For PBX
  object network Raith_Remote_Network
   subnet 192.168.20.0 255.255.255.0
   description Raith Remote Network
  object network NETWORK_OBJ_172.21.3.0_27
   subnet 172.21.3.0 255.255.255.224
  object network NETWORK_OBJ_172.21.3.0_26
   subnet 172.21.3.0 255.255.255.192
  object-group network azure-networks
   network-object 10.0.0.0 255.0.0.0
  object-group network onprem-networks
   network-object 172.20.0.0 255.255.0.0
  object-group protocol TCPUDP
   protocol-object udp
   protocol-object tcp
  object-group service test_PPTP
   service-object ip
   service-object tcp destination eq pptp
  access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
  access-list outside_access_in extended permit ip object-group azure-networks object-group onprem-networks
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in_1 extended permit ip object-group onprem-networks object-group azure-networks
  access-list inside_access_in_1 extended permit ip any object Voice_Net log debugging
  access-list inside_access_in_1 extended permit ip any any
  access-list outside_access_in_1 extended permit ip object-group azure-networks object-group onprem-networks
  access-list outside_access_in_1 extended permit icmp any any
  access-list outside_access_in_1 extended permit ip any any inactive
  access-list Voice_access_in extended permit ip any any log debugging
  access-list outside_cryptomap extended permit ip object-group onprem-networks object Raith_Remote_Network
  pager lines 24
  logging enable
  logging buffer-size 40000
  logging buffered notifications
  logging asdm debugging
  mtu outside 1500
  mtu inside 1500
  mtu outside1 1500
  mtu Voice 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-66114.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside1) source static onprem-networks onprem-networks destination static azure-networks azure-networks
  nat (inside,outside1) source dynamic VLAN1 interface
  nat (inside,Voice) source static VLAN1 VLAN1 destination static Voice_Net Voice_Net no-proxy-arp route-lookup
  nat (Voice,outside1) source static PBX_Internal Voice_External
  nat (inside,outside) source static onprem-networks onprem-networks destination static Raith_Remote_Network Raith_Remote_Network no-proxy-arp route-lookup
  nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-proxy-arp route-lookup
  nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_26 NETWORK_OBJ_172.21.3.0_26 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  access-group inside_access_in_1 in interface inside
  access-group outside_access_in_1 in interface outside1
  access-group Voice_access_in in interface Voice
  route outside1 0.0.0.0 0.0.0.0 195.11.180.41 10
  route inside 172.21.20.0 255.255.255.0 172.20.20.253 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable 444
  http 192.168.1.0 255.255.255.0 management
  http 172.20.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  sysopt connection tcpmss 1350
  sysopt noproxyarp outside
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association lifetime kilobytes 102400000
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
   enrollment terminal
   subject-name CN=ASA
   crl configure
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 28800
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 enable outside1
  crypto ikev1 policy 10
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 28800
  crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 30
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 40
   authentication crack
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 50
   authentication rsa-sig
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 60
   authentication pre-share
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 70
   authentication crack
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 80
   authentication rsa-sig
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 100
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 110
   authentication rsa-sig
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 130
   authentication crack
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 140
   authentication rsa-sig
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 150
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  telnet 172.20.0.0 255.255.0.0 inside
  telnet timeout 5
  ssh 172.20.0.0 255.255.0.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd address 172.20.2.1-172.20.2.254 inside
  dhcpd dns 10.0.0.4 172.20.0.100 interface inside
  dhcpd enable inside
  dhcpd dns 172.21.20.254 interface Voice
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  tftp-server inside 172.20.2.34 /tftp
  webvpn
   enable outside1
   anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
   anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
   anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
   anyconnect enable
   tunnel-group-list enable
   internal-password enable
  group-policy DefaultRAGroup_2 internal
  group-policy DefaultRAGroup_2 attributes
   dns-server value 10.0.0.4 172.20.0.100
   vpn-tunnel-protocol l2tp-ipsec
   default-domain value
  group-policy DefaultRAGroup_3 internal
  group-policy DefaultRAGroup_3 attributes
   dns-server value 10.0.0.4 172.20.0.100
   vpn-tunnel-protocol ikev1 l2tp-ipsec
   default-domain value
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
   dns-server value 10.0.0.4 172.20.0.100
   vpn-tunnel-protocol l2tp-ipsec
   default-domain value
  group-policy DefaultRAGroup_1 internal
  group-policy DefaultRAGroup_1 attributes
   dns-server value 10.0.0.4 172.20.0.100
   vpn-tunnel-protocol l2tp-ipsec
   default-domain value
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
  group-policy RA_VPN internal
  group-policy RA_VPN attributes
   dns-server value 8.8.8.8 4.2.2.2
   vpn-tunnel-protocol ikev1
   default-domain value
  group-policy "GroupPolicy_Anyconnect _profile" internal
  group-policy "GroupPolicy_Anyconnect _profile" attributes
   wins-server none
   dns-server value 8.8.8.8
   vpn-tunnel-protocol ssl-client ssl-clientless
   default-domain none
   webvpn
    file-browsing enable
  group-policy GroupPolicy_89.241.208.14 internal
  group-policy GroupPolicy_89.241.208.14 attributes
   vpn-tunnel-protocol ikev1
  username test2 password encrypted privilege 15
  username test1 password  nt-encrypted privilege 0
  username test1 attributes
   vpn-group-policy DefaultRAGroup_2
  username test password  encrypted privilege 15
  username test attributes
   vpn-group-policy DefaultRAGroup_1
  username EdwardM password  encrypted privilege 15
  username vpntest password  encrypted privilege 0
  username vpntest attributes
   vpn-group-policy RA_VPN
  username vpntest3 password  nt-encrypted privilege 15
  username vpntest3 attributes
   service-type remote-access
  username rhunton password  encrypted privilege 15
  username rhunton attributes
   service-type admin
  username e.melaugh password  encrypted privilege 15
  username netx password  encrypted privilege 15
  username netx attributes
   service-type remote-access
  username colin password  encrypted privilege 15
  username colin attributes
   service-type remote-access
  tunnel-group DefaultL2LGroup ipsec-attributes
   ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup general-attributes
   address-pool vpnclients
   default-group-policy DefaultRAGroup_3
  tunnel-group DefaultRAGroup ipsec-attributes
   ikev1 pre-shared-key *****
   isakmp keepalive disable
  tunnel-group DefaultRAGroup ppp-attributes
   no authentication chap
   authentication ms-chap-v2
  tunnel-group "Anyconnect _profile" type remote-access
  tunnel-group "Anyconnect _profile" general-attributes
   address-pool vpnclients
   default-group-policy "GroupPolicy_Anyconnect _profile"
  tunnel-group "Anyconnect _profile" webvpn-attributes
   group-alias "Anyconnect _profile" enable
  tunnel-group 137.117.215.177 type ipsec-l2l
  tunnel-group 137.117.215.177 ipsec-attributes
   ikev1 pre-shared-key *****
   peer-id-validate nocheck
   isakmp keepalive disable
  tunnel-group 89.241.208.14 type ipsec-l2l
  tunnel-group 89.241.208.14 general-attributes
   default-group-policy GroupPolicy_89.241.208.14
  tunnel-group 89.241.208.14 ipsec-attributes
   ikev1 pre-shared-key *****
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect pptp
  policy-map type inspect ipsec-pass-thru Fairhurst
   description to allow vpn to fairhurst network
   parameters
    esp
    ah
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f4185106b309478da7804dc22d2c1a85
  : end

  Hi,
  You seem to have this nat (inside,outside1) source dynamic VLAN1 interface at line 2 which is causing the identity Nat/ Nat exempt to fail.
  It is always good to use the packet tracer feature on the ASA to see what exactly is happening.
  Try this
  nat (inside,outside1) 1 source static VLAN1 VLAN1 destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-pr route-lo
  Let me know how it goes for you.
  Regards,
  Nitish Emmanuel

• Can't access internal network from VPN using PIX 506E

  Hello,
  I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
  Building configuration...
  : Saved
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password N/JZnmeC2l5j3YTN encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname SwantonFw2
  domain-name *****.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside_access_in permit icmp any any
  access-list allow_ping permit icmp any any echo-reply
  access-list allow_ping permit icmp any any unreachable
  access-list allow_ping permit icmp any any time-exceeded
  access-list INSIDE-IN permit tcp interface inside interface outside
  access-list INSIDE-IN permit udp any any eq domain
  access-list INSIDE-IN permit tcp any any eq www
  access-list INSIDE-IN permit tcp any any eq ftp
  access-list INSIDE-IN permit icmp any any echo
  access-list INSIDE-IN permit tcp any any eq https
  access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  access-list swanton_splitTunnelAcl permit ip any any
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  no pager
  mtu outside 1500
  mtu inside 1500
  ip address outside 192.168.1.150 255.255.255.0
  ip address inside 192.168.0.35 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN_Pool 192.168.240.1-192.168.240.254
  pdm location 0.0.0.0 255.255.255.0 outside
  pdm location 192.168.1.26 255.255.255.255 outside
  pdm location 192.168.240.0 255.255.255.0 outside
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.0.0 255.255.255.0 0 0
  access-group outside_access_in in interface outside
  access-group INSIDE-IN in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication LOCAL
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup swanton address-pool VPN_Pool
  vpngroup swanton dns-server 192.168.1.1
  vpngroup swanton split-tunnel swanton_splitTunnelAcl
  vpngroup swanton idle-time 1800
  vpngroup swanton password ********
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.0.36-192.168.0.254 inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username scott password hwDnqhIenLiwIr9B encrypted privilege 15
  username norm password ET3skotcnISwb3MV encrypted privilege 2
  username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
  username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
  username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
  username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
  username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
  username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
  username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
  username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
  username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
  terminal width 80
  Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
  : end
  [OK]
  Any help will be greatly appreciated

  Bj,
  Are you trying to access network resources behind the inside interface?
  ip address inside 192.168.0.35 255.255.255.0
  If so, please make the following changes:
  1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
          vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
  3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  4- isakmp nat-traversal 30
  Let me know how it goes.
  Portu.
  Please rate any helpful posts   

• Unable to access the network

  Ok, I've had this problem for quite a while now
  There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?

  Bradley750 wrote:
  Ok, I've had this problem for quite a while now
  There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?
  Hi. Welcome to the forums.
  Can you give a little more information, mainly the site you're havging problems with.
  Have you tried a different browser ? What OS ?
  There are a wide variety of reasons, security products interferring, hosts file problems, browser issues etc.
  http://www.andyweb.co.uk/shortcuts
  http://www.andyweb.co.uk/pictures

• Unable to access Verizon network!

  Unable to access Verizon network! Got pop up window that "you've reached your mobile data usage limit.  Mobile data turned off. " I have option to click re-enable button but doing so may result in additional charges.  I've check settings, my mobile data box is checked. When I try to open a web page it tells me I'm off line with message "Wi-Fi and mobile data are turned off. The page can be loaded once you connect to a network. Error code: ERR_INTERNET_DISCONNECTED"  My wi-fi DOES work, it's the Verizon network that I cannot access. Someone PLEASE HELP.

  Check the graph in your Data Usage section; it sounds like you've enabled the Alert About Data Usage feature, have reached that limit, and the phone is now restricting your data usage accordingly.  For more info., see:
  How do I monitor online data usage on my Samsung Galaxy S5? | Support | SAMSUNG UK

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Unable to access Internal HTTPS through VPN conn

  Anytime I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The wireshark trace shows acknowlegement number = broken TCP.  I have run Packet Tracer and it shows a problem on my DMZ???? not sure why as the traffic flow is inside to inside interface. I am at a total lost as to why...
  +++++++++++++++++++++++++++++++
  ASA 5520 with 8.4(1) code
  VPN Addressing = 172.25.17.0/24
  HTTP Server = 172.18.2.13 (port 8443)
  Can ping by IP Address or by server name
  Can access site internally after responding to the Certificate Warning
  ++++++++++++++++++++++++++++
  Any help is greatly appreciated!
  Dave

  Hi,
  The NAT configuration mentioned in your screencapture is the configuration that causes all traffic from the VPN users to be diverted to the "HomeOffice" interface because "any any" is configured
  You would either have to make the above rule more specific by removing the "any any" and adding the actual networks
  OR
  You could add a new rule BEFORE the above mentioned NAT configurations
  I am not sure what the real local interface "nameif" is (the one where the server IP is actually located) but you would need this kind of configurations
  object network SERVER
  host 172.18.2.13
  object network VPN-POOL
  subnet 172.25.17.0 255.255.255.0
  nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL
  The above rule should match the traffic from the VPN-POOL to the SERVER. The number "1" seen in the CLI format configurations means that it would be added to the top of the rules. The "serverint" is meant to mean the actual name of the interface where the server is located as I presume that its not located behind the "HomeOffice"
  - Jouni

• ASA 5505 Anyconnect VPN Users can't access Internet

  Vpn user cannot access the internet but able to ping the lan network (192.168.1.0).. it seem like im missing a lan or nat rule.. Possibly allowing the vpn subnet 192.168.2.0 /24 to pass through to the internet.  Im looking to accomplish this without split tunneling.. Thanks

  on 8.2.5 version or lower:  Let say your inside hosts are accessing Internet by using dynamic nat index "1" and now you can use the same nat index "1" allow your vpn-pool range to be part of the same dynamic-nat index "1" to access the Internet.  Note I am natting source interface is be outside for vpn-client users because they (vpn-users) are physically coming off the outside interface.
  nat (outside) 1 192.168.2.0 255.255.255.0
  on 8.3 version or greater:  
  object network vpn-user-subnet
   subnet 192.168.2.0 255.255.255.0
   nat (outside,outside) dynamic interface
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Vpn client can access internet but cannot access internal network

  I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....

  enable password ********** encrypted
  passwd ********** encrypted
  hostname Firewall
  domain-name aqswdefrgt.com.sg
  access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list nat permit tcp any host 65.165.123.142 eq smtp
  access-list nat permit tcp any host 65.165.123.142 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq smtp
  access-list nat permit tcp any host 65.165.123.143 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq www
  access-list nat permit tcp any host 65.165.123.152 eq smtp
  access-list nat permit tcp any host 65.165.123.152 eq pop3
  access-list nat permit tcp any host 65.165.123.152 eq www
  access-list nat permit tcp any host 65.165.123.143 eq https
  access-list nat permit icmp any any
  ip address outside 65.165.123.4 255.255.255.240
  ip address inside 192.168.1.2 255.255.255.0
  ip verify reverse-path interface outside
  ip local pool clientpool 192.168.50.1-192.168.50.50
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
  .255 0 0
  static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
  5.255 0 0
  static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
  .255.255 0 0
  access-group nat in interface outside
  route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server plexus protocol radius
  aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map cisco 1 set transform-set myset
  crypto map dyn-map 20 ipsec-isakmp dynamic cisco
  crypto map dyn-map client authentication plexus
  crypto map dyn-map interface outside
  isakmp enable outside
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup vpn3000 address-pool clientpool
  vpngroup vpn3000 dns-server 192.168.1.55
  vpngroup vpn3000 wins-server 192.168.1.55
  vpngroup vpn3000 default-domain aqswdefrgt.com.sg
  vpngroup vpn3000 idle-time 1800
  vpngroup vpn3000 password ********
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80

• VPN Clients can't access DMZ Network

  Hello,
  I will try to describe my problem as best as possible. The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x.  In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
  I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
  All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.
  Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
  I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
  I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
  Any help or advice will be highly appreciated.

  Allow clients to access DMZ, add exempt NAT rule, add both the "same-security-traffic" thru cli. Please give it a try.
  Sent from Cisco Technical Support iPad App

• Unable to access mapped network drive, DFS

  TL;DR: Unable to map a network drive on one particular computer, except if circumventing DFS.
  OK - So I have exhausted all my options in this matter, so all suggestions are welcome. 
  Keep in mind the file system is DFS.
  1. User has been set up the same as our other users in Active Directory.
  2. Most network drives are connected via GPO. They are mapped via\\company.local\common\
  3. The users' home folder is connected via setting in AD -> Profile -> Home folder -> 
  Connect X: To \\company.local\homedir\username
  4. When the user logs on, all network drives defined in GPO are mapped OK, but the X: which is defined via "Home folder" in AD, is not connected. When trying to map it manually, we get "Access denied".
  5. If the user tries the complete path via Explorer: \\company.local\homedir\username - Error 0x80004005 Unspecified error occurs. We have googled this particular code but found nothing that applies to us.
  6. If the user tries the complete path to the folder on the actual file server, circumventing DFS, the home folder is mapped OK.
  Strange thing is: This only happens on this particular computer. If users logs on to another computer, in the same domain, receiving the same GPO etc. The X: is mapped fine via \\company.local\homedir\username
  Also if another user logs on to the problematic computer they also cannot access their X: on \\company.local\homedir\username
  So we tried updating the WLAN/LAN drivers to no avail. Might there be any settings on the network adapters that might cause this?
  Kthxbai

  If other computer has the same policy ("Send NTLMv2 response only. Refuse LM"), it should not be the cause.
  I agree that all clients should have the same Group Policy but sometimes the group policy may not be applied correctly on a client which causes issues. Thus you can try a "gpupdate /force" and see if issue persists. 
  Also you can test to access \\company.local to see if it will success. Try \\rootserver as well if it is different as DFS folder target. 
  As the issue only occurs on a specific client, maybe we can have a try with re-join domain.
  If you have any feedback on our support, please send to [email protected]

• Cannot access internal network after Tiger upgrade

  I've just upgraded an eMac (1.25GHz, 768MB) from 10.3.9 to 10.4.6. Although I can get online, access Mail and all applications, I cannot access the internal network at all.
  I've updated to 10.4.9, but still no luck. I've restarted, logged in as a different user, logged out and in again, removed the 'com.apple.networkconfig.plist' file from the 'Library/Preferences' folder, but still doesn't work.
  I can see all the aliases to the other machines on the network in the sidebar, but clicking on them brings up a message "The alias xxxx could not be opened, because the original alias could not be found.".
  Other machines can see this on on the network. File Sharing is turned on.
  Any thoughts, I'm tearing my hair out a bit!
  Powerbook G4   Mac OS X (10.4.8)  

  no good, is an afpmounter error, i solved it with an
  Archive and Install
  http://docs.info.apple.com/article.html?artnum=107120-en
  maybe someone have a solution..
  i think is an error during the update (i had the same from panther to tiger)
  with A&I and half-hour, your machine work perfectly.

• User unable to access OWA

  User is unable to access OWA any pointers.. getting the below error pls Thanks
  The item can't be opened because it's become corrupted.
  Request
  Url: https://ukexchange.abc.com:443/owa/lang.owa
  User: Wes, Aurélia
  EX Address: /O=abc/OU=London/cn=Recipients/cn=AWes
  SMTP Address: [email protected]
  OWA version: 14.3.123.3
  Exception
  Exception type: Microsoft.Exchange.Data.Storage.CorruptDataException
  Exception message: Can't save invalid object Wes, Aurélia.
  Call stack
  Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized, String destination)
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequestFromProxy(OwaContext owaContext)
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.AcquireAndPreprocessUserContext(OwaContext owaContext, HttpRequest request)
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
  Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
  Microsoft.Exchange.Clients.Owa.Core.OwaRequestEventInspector.OnPostAuthorizeRequest(Object sender, EventArgs e)
  System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
  Inner Exception
  Exception type: Microsoft.Exchange.Data.DataValidationException
  Exception message: The property value Aurélia Wes is invalid. The value can contain only 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
  'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '"', ''', '(', ')', '+', ',', '-', '.', '/', ':', '?', ' '.
  Call stack
  Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
  Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

  Hi,
  We can use the New-MailboxRepairRequest cmdlet to detect and repair mailbox corruptions. For more information about it, please refer to:
  http://technet.microsoft.com/en-us/library/ff625221(v=exchg.141).aspx
  Hope it helps.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Users unable to access the internet sites

  Hi Everyone,
  We have users who are able to get the IP address but unable to access any internet sites.
  I check the trap logs on the WLC
  RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.50.1:1812 activated on WLAN 1
  RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
  RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.60.1:1812 activated on WLAN 1
  RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
  RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.50.1:1812 activated on WLAN 1
  RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.50.1:1812 activated on WLAN 1
  RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
  RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.60.1:1812 activated on WLAN 1
  RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
  RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'
  RADIUS server 192.168.50.1:1812 activated on WLAN 1
  Need to know  how can i troubleshoot this further?
  Regards
  Mahesh

  I would do the troubleshooting in  following sequence.
  1. Put a wired PC on to the vlan allocated for WLAN1
  2. Check whether wired PC gets an IP & can browse internet
  3. If that works, then we know no issue of DHCP & not issue with L3/NAT routing to access internet
  4. If step2, does not work then your issue is not within wireless, you have to change the focus of your troubleshoot.
  5. If step2 works, then test a wireless client with OPEN Authentication (No ACS involvment).If this does not work,then it means wireless client does not get proper IP connectivity. Check dynamic interface configuration for this WLAN & make sure gateway addresses correctly configured. Also VLANs are trunk across to WLC from switch.
  6. If step5 works, then try your client with ACS & see the client get successfully authenticated. If not it may be WLC to ACS issue. Troubleshoot that in that case.
  Do some troubleshooting like this & let us know the outcome. I am sure you will abe to find out the issue easily in this way.
  HTH
  Rasika

• User unable to access Leave Request in Portal

  Hello guys,
  A user can't access the leave request via Enterprise Portal 7.0 - the view works perfectly with the other users thus the issue seems to be isolated to this particular user. IE version being used is IE 6.0 - so that shouldn't be the cause of the problem. Also, the roles have been cross-checked and synchronized with the other users who are able to access the Leave Request function. Yet, it appears the roles are correctly assigned
  Could it be possible that this is a problem with the user's data? Which component should I also look into?
  Thank you in advance!
  Regards,
  Jan

  As for the IE patch problem, we're conducting an http-trace to check with this. But I see this as very unlikely, since the user also tried accessing it via a different workstation but the problem persists.
  The 'resolution' for similar cases was to recreate a user account - even just a direct copy of the same user works. This could be an SAP application bug perhaps? The target is for a long term fix to the problem.
  Thanks!
  Regards,
  Jan