WRVS4400N VPN Tunnels work once then a no go
I have created two tunnels that I use with my WRVS4400N. I am using the IPSecuritas client and it works perfectly when I first connect to the router. However after the initial connection and lets say I disconnect or shutdown for the day. The next morning or evening when I need to get the vpn connection up again I can no longer connect. Specifically the negotiation works fine and I get a connected status but the route to the vpn side internal network does not work. In order to fix this I ssh into the network then log onto the router disable the ipsec tunnel click save. Then I enable the tunnel and click save and the connection starts working again. This is highly annoying and killing our business. Clearly this is a problem with the router. Any ideas on what to do to resolve this?
try enabling MTU to 1300 and see if your VPN connection will be stable
Similar Messages
-
# Question
For some reason, I can not delete bookmarks. I did one at a time, then tried 5 or 6 and it worked once then no more. I then tried 1 at a time and it worked once the no more. Why is this happening? This is a brand new computer (Win7) and FF just loaded about 3 hours ago. Do not know how the bookmarks even got in there. Some were ok, but no order and some that were never bookmarks. Looks like FF tried to import some BM's from the Virtual XP installed, but did not get it any where near right. I need to completely delete all of them and install from a saved .html file.Well, I did not see the exact problem that I was having listed in the articles, BUT the problem is solved for now.
I opened FF and the Bookmarks to Organize again. I deleted all of the folders and entries, ONE AT A TIME, AND IT WORKED. Evidently, for what ever reason, FF did not like "Batch" deletes of ANY amount greater than 1 and the HANG UP would occur.
Deleting one at a time then importing the good .html from a good file, loaded the wanted Bookmarks. Yea -
Tried the posted solution for the RETR problem and it works once then it returns. Once the email dl'ds the file deleted per the instructions returns. How do you make the change permanent?
Hi DOC808HI
# I don't know what you mean by "posted RETR solution". Could you please post a link to the suggested solution? Perhaps you are referring to this thread: https://support.mozilla.org/en-US/questions/991792 ?
# Anyhow any further troubleshooting information you can provide will be great e.g. Your Operating System Version (XP, 7, Mac OS X Mavericks), your anti-virus if any, your mail provider, your ISP, what you did, what happened with exact error message, what happened
Cheers!
...Roland -
RFC to XI -- works ONCE then FAILS. SM58 on R3 shows errors. ???
Really stange scenario
Sending a Simple record with about 3 fields in it to XI from R3 via RFC method.
First time Message arrives correctly in XI and ouput file is generated. Payload OK., File name generated OK so no duplicate file names etc etc.
Execute the same program (on R3) with the same data again then nothing appears on the XI side.
SM58 on the R3 side shows error Commit Fault com.sap.aii.rfc.afcommunication.RfcChannelMismatchExcept.
Now sometimes from SM58 I can go to Edit ==> execute LUW and the message gets transferred to XI.
Other times (more ususally) SM58 returns Function Module does not exist or exception raised.
On the XI side there isn't anything in the channel logs showing an error.
If I create a new channel in the IR then it works again ONCE then same problems as before,
Any ideas on how to fix -- I certainly can't uunderstand why the SAME PROGRAM AND DATA works sometimes and other times not.
Thanks all
jimboHi,
Please check your channel under Business System you are using in your configuration. Is there any other RFC Adpater which uses the same Program ID or any other active rfc channel pointing to the same system? If yes please deactivate/delete the other channel. Your problem will be resolved.
Thanks
Amit
Reward points if answer helps -
Printing pdf from mac, works once then printer offline?
I print wirelessly to a Brother HL-2270DW from a macbook pro running OSX 10.9.2 When printing from pages, numbers, email etc it works properly but when I print a PDF using adobe reader 11.0.07 it works once and then I can't print again, printer status is changed to offline. I contacted Brother first and this was their reply...
Thank you for taking the time to write to us about your HL2270DW. We will look into PDF issue for you.
Since you have stated that the model is able to print fine from other applications, but is unable to print from PDF, the issue is isolated to ADOBE.
The issue is not related to the model or the drivers because the issue would occur all the time with all programs.
We recommend contacting ADOBE for further support.
If after reviewing the information you have further inquiries about the PDF issue, please reply and we will be happy assist you.
Does anyone have a fix for this?Hi chocolatebabz,
Thank you for posting on the Adobe forums, kindly try printing as an image. Try the steps mentioned below.
1) Open the file>Print>Advanced
2) Check the box>print as an image.
Thanks,
Vikrantt Singh -
Spotlight works once, then Mac has to be rebooted for it to work again
I have a G5 Dual 1.8GB. This has started happening over the last 3 days.
Spotlight will do a search, maybe even 2 or 3 searches, but the next search comes up with nothing. The G5 has to be restarted for Spotlight to work.
Tried the fsck thing...
I've checked thru 5 of the previous pages and found that Spotlight often doesn't work and that no-one has solved the problems according to the star logo.Any symptoms?
Have you installed, updated, or changed anything in the last four days?
Have you had any crashes?
Did you attached anything?
Is your system clock on time?
Has your cat stepped on the keyboard?
As for the last 5 over again. Perhaps read a few more, and even visit a few other forums. Notice how often we tend to check that the "problem was solved." Most often it was more a user problem. -
Hi
I have a SA520W with firmware 2.1.18 and are having huge trouble getting windows 7 clients to connect using the SSL VPN Tunnel in Split mode. I've tested the registered users using an XP machine, and they are able to log in just fine and I can ping servers on the inside of the network. On windows 7, however, the VPN tunnel is created, but no IP trafic flows over the virtual network adapter and I'm not able to ping resources on the inside of the network. For the XP clients, the SSL VPN tunnel works like a charm, but not not 7.
Are there any consideration to be taken on windows 7 to enable trafic over the SSL VPN virtual network adapter?
Windows firewall?
SSL service?Hi skcisco11,
You can alternatively use Cisco VPN Client if your SA520 has firmware version 2.1.18 and above. Here is a document how to set it up:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_vpnclient_appnote.pdf
Alternatively, please use the following document on how to setup SSL VPN. If you are using a local database on the SA520 to authenticate users,, then ignore the references to Active Directory.
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/active_directory.pdf
Hope this helps,
Julio -
Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic
Thanks to a previous thread, I do have a 5505 up and running, and passing data....
https://supportforums.cisco.com/message/3900751
Now I am trying to get a IPSEC VPN tunnel working.
I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned:
name 10.0.0.0 Eventual (HQ Site behind Firewall)
name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)
name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.209.0.3)
On a ping to the HQ network from behind the ASA, I get....
portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
Below is the config.
Can anyone see if there is something sticking out?
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 2.2.2.0 T1
name 1.1.1.0 CFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object CFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location CFS 255.255.255.240 inside
asdm history enable
Thank You.I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
Here's the output requested:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8FC06BD1
current inbound spi : 42EC16F4
inbound esp sas:
spi: 0x42EC16F4 (1122768628)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62207/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8FC06BD1 (2411752401)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62201/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here's the current config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
name 1.1.1.0 IntegraCFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object IntegraCFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
route outside Eventual 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 65535
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location IntegraCFS 255.255.255.240 inside
asdm history enable -
Having problems with ipad mini and Siri. Works sporadically, will work once and then the second time not. Worked all the time with the original Mailbox app. Then started doing the same thing when I installed the new update so wondering if it is software?
Hi,
I have the check box on a second Partition but not on the Time Machine one
I forget what I did now to get this called "Recovery HD"
For the rest try https://discussions.apple.com/docs/DOC-4055 User Tip that links to Pondini's work on Time Machine.
10:17 pm Friday; May 2, 2014
iMac 2.5Ghz i5 2011 (Mavericks 10.9)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
Couple of iPhones and an iPad -
I am unable to download photos from my iphone4 , SD card , SLR camera to my ipad2 using apple accessories , please help , it has worked once and then never again.
Plumchunks-
The only accessory I know of that can be used to transfer photos from a camera or SD card to the iPad, is the Apple Camera Connection Kit. The kit consists of two adapters. One has an SD card socket. The other has a USB connector to connect directly to the camera.
I do not think you can transfer photos from the iPhone to the iPad unless you first transfer them to a computer. If you then transfer the photos to an SD card, they must have eight character names plus suffix and be stored in a DCIM folder, just as if they came from a camera.
One thing you can try is to reboot the iPad. Hold both the Home and Sleep buttons for several seconds until the Apple logo appears. Ignore the "Slide to power off" arrow. The iPad will restart after a couple of minutes. Rebootting will not hurt anything and sometimes clears up mysterious problems.
Fred -
I use photoshop cs6 extended and when I create a new shortcut, it will work once and then disappear..any help on why this would happen
Sorry, no further idea what can cause this.
Is the shortcuts file truely saved to disk? You can find in the user path, where the preferences and presets are stored for PS. Or if you go to the dialog again where you change shortcuts, is it reverted there too? -
Why is my iPhone 5c's home button not working at all it didn't work once for a few minutes then it was normal again now it won't work at all. HELP
The screen repair was botched. Take iPhone back to place of screen repair, and have them get the home button working again.
-
When I update in Wordpress it works once or twice then Firefox hangs and becomes unusable - on any site. Cleared history, cookies etc. nothing works. What can I do?
You can retrieve the certificate and check who issued the certificate.
* Click the link at the bottom of the error page: "I Understand the Risks"
Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
* Click the "View..." button to inspect the certificate and check who is the issuer. -
Configure a VPN client and Site to Site VPN tunnel
Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
SiteA config with working VPN tunnel to SiteB:
SITE A
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#
Lines I add for Cisco VPN clients is attached
I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
Anyone any ideas what this can be?
ThanksHeres my config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.255.255.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
ip local pool pix_inside 200.x.x.100-200.220.200.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.x.x.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 match address 80
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server 200.200.200.20
vpngroup Remote wins-server 200.200.200.20
vpngroup Remote default-domain mycorp.co.uk
vpngroup Remote idle-time 1800
vpngroup Remote password password
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I will attach debug output later today.
Thanks -
VPN not working after adding subinterface - ASA 5510
Hello,
Currently I want to add a second lan (vlan) in a customers network. The new network will be for a wireless infrastructure.
There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.
Former we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.
But now, when i turn the first subinterface Eth0/2.2 to no-shut the VPN Connections does not work any more.
Bulding up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal adress goes to the internet)
Below there is my config, i don't know whats wrong. I think split-tunnel is configured correctly (because it works when i delete eth0/2.2)
TREV is the network of this location.
Company1,2,3 are remote locations.
: Saved
ASA Version 8.2(5)
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** ICMP Erlauben ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Wartung Company1 ***
access-list INCOMING remark *** Wartung BMD ***
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX 995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: endHi,
First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either destination or source network isnt correct.
Lets look at the NAT0 ACL you have line by line
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
The above access-list has the correct source network configured Yet it has its destination addresses configured with an "object-group" which contains your LAN network
You should probably remove the LAN network from the object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
To my understanding the above ACL line doesnt serve any purpose as the networks configured under VPN_Networks arent located behind your "inside" interface (Other than the one I'm asking to remove from the object-group)
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
The above ACL overlap with the very first ACL lines configurations and needlesly makes the configuration harder to read. It also contains the Wireless network which it shouldnt
I would suggest simplifying your NAT0 configurations for example in the following way (change the names if you want if youre going to try it out)
object-group network TREV-LAN
description Local networks
network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
description Remote networks
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
With the above configurations
You have all NAT0 with a single line of access-list configuration (not counting the remark line as it doesnt affect anything)
If there is changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there is some bigger changes to network
So as I said, I would start with changing the above NAT configurations and then test the VPN again. If it doesnt work we will have to check some other things out.
- Jouni
Maybe you are looking for
-
Monitor will suddenly go black, have to turn off monitor and then back on to recieve error message that DVI has no input. Cords are all attached in correct places but still have this problem. Any ideas
-
Cant use screen mirroring wirelessly since yesterday
I got home today and i cannot get my HP laptop to connect to my samsung smart tv anymore.. I have only had this laptop for about two weeks but it has worked flawlessly since puchased and connected without any issues. I use this feature to stream mo
-
I just updated to Tiger 10.4.11/combo update. I used the stand alone installer (because Software Update since I updated to 10.4.10delta). I repaired permissions before and after the update. Now I can't mount disk images I always get the message "Moun
-
hi, How can we find by simply seing that this error is outbound or inbound in idoc error status
-
I want to know my encrypt iphone backup password
today i downloaded the latest version of itunes and after backing up i noticed the option of encrypt iphone backup. while trying to disable it, it requires i password which i am not aware!! FYI my iphone didn't had any password protection!! even the