Windows 8 and IPSec VPN issues

I have a number of customers that leverage the Cisco IPSec VPN. I can connect to the VPN without any problems but when I attempt to RDP, that fails. I have no RDP or ping or anything. Here are some more symptoms of the issues that I find odd:
Anyconnect works just fine
Fortinet VPN clients work fine
Sonicwall VPN clients work fine
Cisco IPSec VPN client is the only one affected
Cisco IPSec VPN client worked fine for months then just decided it was no longer going to allow RDP or ping
I have duplicated this issue on a half dozen or so laptops
This is on a Windows 8 laptop but I believe I have also experienced this on Windows 7
Just to clarify, the IPSec VPN does successfully connect. But nothing else works after that. I do understand that AnyConnect is the direction that Cisco would like for people to move towards. Unfortunately, I have quite a few customers that are leveraging the IPSec VPN. I have been through a number of laptops in the last year and every single laptop had a working Cisco IPSec VPN for months....then one day it would just stop passing RDP.
Please somebody tell me that there is a workaround for this. I have played with the IP settings for the Cisco Systems virtual adapter in my network and sharing center. I've modified the binding order. I've compared a routeprint from a working laptop to mine....I'm not sure what else to do. I've uninstalled ALL VPN software and only reinstalled the Cisco VPN. So far the ONLY fix I have found is a clean install of Windows and that solution sucks.

Doing a little more homework on this and I noticed that the tunnel details show no bytes sent or received and no packets encrypted, decrypted, or discarded....everything is bypassed. My coworker (who is on Windows 7) is able to launch this VPN and connect to the customer's servers without issues and the tunnel details show all of the appropriate data.

Similar Messages

  • F3507g mobile broadband driver - Windows 7 - and Cisco Vpn issue

    Hi All,
    After 3 days trying to install / update latest drivers on my X200/ Windows 7 / 32b, it seems now that my F3507g is now installed correctly…
    I can get a connection over the internet and ping some servers, BUT when I initiate my Cisco Vpn (working perfectly with my Ethernet connection and my Wifi 5300 AGN) the connection is ok but there is no incoming or outgoing traffic !!!
    Any idea on how to solve that issue ?

    Yes, this is a problem with the IPSEC VPN NDIS driver binding your Mobile Broadband driver. You need to read this article; it explains why and how to work around this issue:
    http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7
    Good luck 

  • Error with Ericsson h5321gw and IPSEC VPN-Connections

    There is an error in the Lenovo drivers [7.x] for the Ericsson h5321gw UMTS module.
    Symptoms on Windows 7 x64:
    UMTS is working fine. When you connect a vpn ipsec connection though the UMTS , the internet connection (and the vpn as well) gets unstable and has a packet loss of 30% to 50%.
    Solution:
    Install the UMTS drivers in the NDIS 5.0 mode on Windows 7. (The only problem is, that the system boot takes about 1 minute longer with the ndis 5 drivers).
    Further Reading: Message 5: http://forums.lenovo.com/t5/T400-T500-and-newer-T-series/Outlook-Exchange-connection-unstable-on-T52...
    How-to from the Lenovo Forum:
    Force the installation to install Ericsson's vista driver instead of win7 driver. Vista driver is NDIS 5. Installation can be done.
    -> extract the Ericsson drivers package but don't let it install the driver. There should be extracted a setup.exe file
    -> do the installation with command: setup.exe /zFORCEVISTA
    This helped for us.
    Tip:
    If you want to install the win7 driver back, it can be done with command: setup.exe /zFORCEWIN7
    Otherwise using the setup.exe will install the vista ndis 5 driver, since it has once been told to install it by /zFORCEVISTA
    I hope, Lenovo can solve this issue quickly.
    Greetings

    I’m not sure this is the same issue you guys are running into, but I’m using the built-in Ericsson h5321gw and ATT SIM on an i7 X1 Carbon. I am required to use a Cisco VPN Client and after connecting successfully to my VPN endpoint via ATT WWAN, I could not get any data in/out the tunnel.
    I tried in both Windows 7 and Windows 8 OS, even trying the setup.exe /zFORCEWIN7 work around to no avail.
    After doing some searching, I came across a blog post describing the same issue I had.
    There is an update to Windows’ DNE that actually solved the issue for me using the standard Ericsson W8 (and W7) drivers. (I also performed the h5321gw firmware update from Lenovo, but I did that before the DNEUpdate – that alone did _not_ fix it)
    DNEUpdate x64: ftp://files.citrix.com/dneupdate64.msi
    DNEUpdate x86: ftp://files.citrix.com/dneupdate.msi
    Hope this helps.
    Credit from: http://stenby.wordpress.com/2012/10/03/cisco-vpn-client-and-built-in-lenovo-h5321gw-3g-card/

  • Smartform Main window and Footer Overlap Issue

    Hi,
    I have a problem in printing my invoice smartform.
    I have to print the footer at the bottom of the main window. If the line items flow to the next page the footer should be printed only on the last page.
    I have overlapped the main window and footer windows in first and next page so that the footer window space in the main window is not left empty when there are more than one pages
    The problem is sometimes the main window is overlapping into the footer window space.
    Can someone suggest a solution for this.
    Thanks,
    Viswas

    Hi,
    Solution: The issue faced after overlapping the main window with footer window can be achieved by creating a folder within the main window and using the events to check whether there is enough space to print the footer.
    Following are the steps.
    Step 1:  Create a Secondary window say “Footer” which would be the footer window. Overlap the main window on the footer window as shown below.   
    The footer window will be behind the main window
    Step 2:  Create a folder within the main window say “Check_Footer”.
    Go to Tab “Events”, select the checkbox “Footer with Height” and give the required height of the footer. Select the checkbox “at End of Table”. Specify the “Minimum height” as required.
    Now, go to “Conditions” tab and select the checkbox “Only before end of main window”.   
    This is basically done to check whether there is enough space to print the footer on that page. The Footer window would then print the output.
    Step 3: Go to the created “Footer” window. Under the Conditions tab, select the checkbox “Only after end of main window”. Create a text/template/window, whatever you want to display at the bottom or as footer data.
    Step 4: Save & Activate the Smartform and check the output.
    regards
    Rohit

  • Static NAT and IPSec VPN

    This maybe stupid but may somebody help on this.
    Site A --- Internet --- Site B
    An IPSec VPN is implemented between Site A and Site B. Some "nat 0" commands are used on Site A PIX to avoid addresses being translated when communicating with site B.
    But now there is a problem, there are several public servers which have static NAT entries by "static" command. And it looks like these entries will still be valid even if the "nat 0" is present. And thus those inside IPs which have a static NAT will be translated once they reach the PIX and can not go via the VPN tunnel.
    May someone advise me how to overcome this? Thanks.

    Your question really pertains to the nat order of operations. Nat 0 (nat exemption) is first in the order. It precedes all others, including static nat. The servers you mention will absolutely be included in the nat 0 unless they are specifically denied in the nat 0 acl.

  • Problem running DMVPN and IPSec VPN at the same time

    I have a hub-spoke VPN network: 2 hub routers are 7206 VXR and remote routers are 2800. Each hub router has had a number of point-to-point IPSec+GRE tunnels configured and running with remote sites. I'm now adding DMVPN between each hub router and a few other remote sites. The DMVPN is running fine between hub and spokes, but somehow it caused all the existing point-to-point IPSec tunnels to drop. Here are some details:
    1) Hub DMVPN config:
    crypto isakmp key MYKEY address 12.12.12.12
    crypto ipsec profile DMVPN
    set transform-set DM
    interface Tunnel1
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    tunnel source G0/0
    tunnel mode gre multipoint
    tunnel protection ipsec profile DMVPN
    router eigrp 1
    no passive-interface Tunnel1
    2) Spoke DMVPN config:
    crypto ipsec profile DMVPN
    set transform-set DM
    crypto isakmp key MYKEY address 14.14.14.14
    interface Tunnel1
    ip address 192.168.1.2 255.255.255.0
    ip mtu 1400
    ip nhrp map 192.168.1.1 14.14.14.14
    ip nhrp map multicast 14.14.14.14
    ip nhrp network-id 1
    ip nhrp holdtime 600
    ip nhrp nhs 192.168.1.1
    tunnel source G0/0
    tunnel destination 14.14.14.14
    tunnel protection ipsec profile DMVPN
    3) When DMVPN is up, hub router existing IPSec tunnels are shown ISAKMP failure.
    Hub# show crypto isakmp sa
    14.14.14.14     20.20.20.20 MM_NO_STATE       1508    0 ACTIVE (deleted)
    4) After I shut down interface Tunnel1, existing IPSec tunnels are coming back. ISAKMP SA shows QM_IDLE state.
    Has anyone seen similar issues between DMVPN and traditional point-to-point IPSec+GRE tunnels on the same router?
    Thanks a lot

  • Oracle iLearning 5.0 on Windows and email notifications issue

    Hi!
    We are upgrading from iLearning 4.3 to iLearning 5.0 on Windows 2000 server and I have a question related to that.
    iLearning 5.0 is certified for Windows.
    The accompanying release.txt states that:
    --'Email', 'Email and Web' notifications options for Learner Rating and Authorized Enrollment/Unenrollment are not available on Windows platforms. Only web-based notifications should be used.
    Through a Technical Assistance request (TAR Number 4439000.992 ) I've found that this problem is due to the use of Workflow 2.6.2 stand-alone which requires sendmail, which is not available on Windows.
    This worries me because I want the system to be able to:
    * notify admin when authorization is needed for enrollment
    * notify course participants about changes or a cancelled course.
    * Certification reminder and expiration
    * Assessment submission
    * Notification to all learners currently enrolled in an offering
    The suggested workaround from Metalink is to use a Unix/linux server.
    Metalink suggestion:
    "you can set up a notification mailer on UNIX to work with stand-alone Workflow
    hosted on Windows. The following MetaLink article is a step-by-step guide on how
    to do this: Note:254973.1 How To Configure UNIX Sendmail To Work With Oracle Workflow Running On Windows
    This would be useful if UNIX was an option for me. It is not.
    I have some questions:
    1)Can I use WorkFlow 2.6.3.5 on windows with iLearning 5.0?
    I know Workflow 2.6.3.5 is working with MS Exchange.
    2)Can I use sendmail in some form or shape?
    IIS 5.0 (or 4.0) has a mail gateway that can be utilized by a sendmail program.
    Sendmail software for windows:
    http://www.glob.com.au/sendmail/
    http://www.indigostar.com/sendmail.htm
    http://www.ntsendmail.com/
    http://www.windowsitpro.com/Windows/Article/ArticleID/5289/5289.html
    Has anyone tried any of these?
    I'd like to make a suggestion to my IT department on how to solve this issue.
    Thanx for any help in advance :-)
    Kristian Amlie, Bergen Norway

    There are a couple of patches available that allow a customer to upgrade their Oracle iLearning database to 10g and with that, upgrade Oracle Workflow to version 2.6.3 which supports email notifications through workflow on windows.
    Patch #s are 4321769 and 4485520
    Thanks!
    Scott

  • Mail Viewer Window and Email Opening Issues

    About a week ago I began having some significant problems using Mail on 10.5.8 that I have never had before. I opened Mail, only to find that while it opened on my menu bar and I had the little circle indicating it was open in my dock, no Viewer Window opened. Also, I couldn't quit the app without Force Quitting through the Apple menu in the menu bar. I could right click on the icon in the dock and open a Compose Email or a New Note window, however it would not allow me to send said composed email. Instead, Mail would hang and I would have to force quit as "Application not Responding". The beach ball would also be evident and a Force Quit required.
    A buddy recommended trying to open a Viewer Window through the File folder in the menu. I did that, a viewer window DID open and mail synced itself up to allow my inbox to show all recent emails I had received and read. Unfortunately, if I clicked on any email in my inbox, it would not load the email in the preview pane or open the email with a double click. Instead I would get a message saying "Loading" and the beach ball reappeared. Force Quit required.
    I found some solution somewhere which suggested rebuilding the database by moving the Envelope Index to my desktop from Home/Library/Mail to allow it to rebuild. I did this and it rebuilt a new Envelope Index, but the same problems exist. Frankly, I only have about 100-125 emails in my system so it is not exactly an overburdened mail system. I also do not have any mail haxies which would be causing this. Any thoughts or solutions? I would like to be able to check mail from somewhere other than the Mobile Me web browser app. Thanks.

    Not trying to be "That Guy" but I am bumping in the hopes that someone has a solution to this annoying and vexing issue. Thanks.

  • Since yesterday morning Firefox can not load Facebook. Every other browser works fine. Tried many computers, both Windows and Macs, same issue. Help!

    Facebook loads fine on multiple PCs and Macs in any number of browsers but NOT with Firefox on any of them. Started Friday AM. It tries to load but takes FOREVER and never gets "up". Frustrating since FF is my browser of choice despite the fact it has recently become the slowest of all the browsers I've tried. But nothing like THIS slow. Other sites seem to be unaffected, just Facebook.

    What you describe looks like a problem of infection, to me.
    I have W7 and FF34 like you, and FF is faster than Chromium.
    So, except for a problem of corruption of the code of your Firefox (and maybe problems generated by some addons or plugins), I'd rather believe that there is malware on your computer.
    For FB, it could be the adware pushow**.dll, like pushow35.dll, in c:\windows\system32
    What security programs do you use on your computer ?
    If you want, you could also try to start Firefox in "safe mode", to see if there is a difference of speed and on FB.

  • Hub and spoke VPN issue - probably simple

    Hello,
    I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites. 
    Site A: HQ and main PBX System - Cisco ASA 5520
    Sites B-E: Remote Sites with PBX systems with ASA 5505's
    I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part. 
    Refer to this short discussion for further reference
    https://supportforums.cisco.com/message/4162268#4162268
    Recently the customer started saying sometimes the call forwarding between sites isn't working correctly.  Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly.
    E.g.
    Site B wants to talk to Site C
    I need to initiate a ping on Site B to Site C which fails
    Initiate a ping on Site C to Site B and the first packet drops, then the rest go through
    Initiate Ping on Site B to Site C and all works just fine.
    Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time.
    This is happening for all remote sites.  When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working.
    Probably something simple I'm missing.  Any help is greatly appreciated.
    (Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)

    The purpose of doing VPN is that you want 2 or more different networks to seamlessly become like 1 common network. Your class B network having 192.168.0.0 and class C networks 192.168.10.0 are in the same network since both are in the network 192.168.x.x network. Try to consider changing the Class B network into 192.169.0.0 or you can change the Class C network into 192.169.10.0.

  • How to check the port status in IPSec VPN

    Hi Experts,
    Is there any way by which we can find out whether UDP port 500 is blocked at the ISP side?
    My IPSec VPN configured between two Cisco routers in the production network is not coming up and experts are saying that the ISP has blocked port 500 somewhere in between, however the ISP is denying this and saying that they don't block any port.
    Kindly suggest what would be the best way out?
    Thanks

    Thanks Marvin,
    How could I capture the traffic from the initiating peer so that I can figure out whether UDP port 500 is blocked or not, with the help of Wireshark...
    In my network an ONT/modem (having four ethernet ports) is installed at both ends, and the router is connected to one of its ports at each side, and the IPSec VPN is configured between the routers. To check the UDP port status, my question is, should I connect my laptop (running Wireshark) to one of the ports of the ONT and capture the traffic, or is there any other way, and how will that traffic tell me whether port 500 is blocked or not?
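Added example, not part of the original thread: one way to read such captures is to parse the ISAKMP header of each UDP/500 datagram and compare what left the initiating router with what arrived at the far end. The addresses, cookies and packet tuples below are constructed, and the sketch assumes no NAT between the two capture points.

```python
import struct
from collections import namedtuple

# ISAKMP fixed header (RFC 2408, section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO = b"\x00" * 8
EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational"}  # IKEv1 types

Pkt = namedtuple("Pkt", "src dst sport dport payload")   # one captured UDP datagram
Ike = namedtuple("Ike", "icookie rcookie major exchange length")


def parse_isakmp(payload):
    """Return the ISAKMP header of a UDP payload, or None if it is not IKE."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    ick, rck, _np, ver, xchg, _flags, _mid, length = ISAKMP_HDR.unpack_from(payload)
    if ick == ZERO or length < ISAKMP_HDR.size:
        return None                      # an initiator cookie is never all zero
    return Ike(ick, rck, ver >> 4, EXCHANGE.get(xchg, str(xchg)), length)


def _ike(capture, src, dst):
    """Yield ISAKMP headers of UDP/500 datagrams travelling src -> dst."""
    for p in capture:
        if (p.src, p.dst) == (src, dst) and 500 in (p.sport, p.dport):
            hdr = parse_isakmp(p.payload)
            if hdr:
                yield hdr


def diagnose(local_cap, remote_cap, initiator, responder):
    """Compare captures taken at both ends and say where UDP/500 stops."""
    # First IKE message: responder cookie is still all zero.
    sent = {h.icookie for h in _ike(local_cap, initiator, responder)
            if h.rcookie == ZERO}
    if not sent:
        return "no-initiation"           # the router never tried; look at its config
    arrived = {h.icookie for h in _ike(remote_cap, initiator, responder)} & sent
    if not arrived:
        return "request-lost-in-path"    # left one end, never reached the other
    answered = {h.icookie for h in _ike(remote_cap, responder, initiator)
                if h.rcookie != ZERO} & arrived
    if not answered:
        return "peer-silent"             # delivered, but the peer did not reply
    returned = {h.icookie for h in _ike(local_cap, responder, initiator)
                if h.rcookie != ZERO} & answered
    return "udp500-ok" if returned else "reply-lost-in-path"


def build(icookie, rcookie, exchange=2):
    """Build a constructed IKEv1 datagram; 4 filler bytes stand in for payloads."""
    body = b"\x00" * 4
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exchange, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed sample data (documentation addresses, made-up cookies).
SITE_A, SITE_B = "192.0.2.1", "198.51.100.1"
CK_I = bytes.fromhex("1122334455667788")
CK_R = bytes.fromhex("8877665544332211")
REQ = Pkt(SITE_A, SITE_B, 500, 500, build(CK_I, ZERO))
REP = Pkt(SITE_B, SITE_A, 500, 500, build(CK_I, CK_R))

if __name__ == "__main__":
    # Site A retransmits three times, nothing is seen at site B.
    print(diagnose([REQ, REQ, REQ], [], SITE_A, SITE_B))
    # Both directions are visible at both capture points.
    print(diagnose([REQ, REP], [REQ, REP], SITE_A, SITE_B))
```

A capture at the initiating side alone only shows retransmitted requests with no reply; it takes the second capture at the far end to tell a drop in the path apart from a peer that received the request and stayed silent.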

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up Wireshark and/or tcpdump.)
    Thanks again.

  • Cisco ASA 5505 site to site IPSec VPN with RV220W issue

    I have an ASA5505 connected to an RV220W through IPSec VPN. When using SMB to transfer a large file, the ASA5505 will show the error message:
    CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
    The error message is from the debug crypto engine. When the message shows, the speed of the transfer will slow down quickly, and eventually no data can go through between the ASA and the RV220W. But the IPSec SA and the IKE SA are active, and I can ping the inside network at both sites.
    Both the ASA5505 and the RV220W have been updated to the latest firmware. I have searched Google but found no such related issue.
    Any suggestions on where to look would be much appreciated.
    Thanks in advance
    Terry

    Hi Ted, thanks for your reply and information.
    The strange thing is that the RV220W shows the IPSec SA is expired, but the ASA5505 IPSec and IKEv1 SAs are active. Hosts inside the internal network at both sites can ping the other side, but can't transfer files through Windows SMB. It seems that when I transfer over 4 GBytes of files, it will start happening, and I am required to clear the IPSec and IKEv1 SAs so that the VPN tunnel will start up again.
    I have already surrendered on this issue......
