Xsan's cvadmin repquota command BLOCKING???
Dear list,
Could it be that a repquota command blocks the whole SAN until it finishes? The manual only describes this behaviour for "quotacheck".
But:
I have an Xsan system running as an NFS server (three Xserves: one as metadata controller, two as NFS servers) for an Intel-based Linux cluster.
I had an hourly cron job running doing the following:
/usr/sbin/cvadmin -F User -e repquota
The output was transferred to a web server for User inspection.
I had to do this, as you cannot pass the user's quota via normal quota commands to the clients (there is a third-party rpc.quotad available, but this doesn't help on XSan filesystems).
Now I discovered that during the execution of the above-mentioned command, all NFS servers are stalled!!! The clients are reporting something like:
Feb 16 09:11:56 WhiteRabbit kernel: nfs: server 10.50.130.21 not responding, timed out
Feb 16 09:11:56 WhiteRabbit kernel: nfs: server 10.50.130.21 not responding, timed out
bringing the whole cluster down!!!
I assume this to be a bug in XSan.
Any ideas how to solve this? Apple: please comment!
Best regards,
Torsten
Mac OS X (10.4.4)
For whatever it's worth, I had the same behavior happen today running repquota.
I attempted to Control-C out but clients connected via AFP were still stalling; luckily it failed over to the other node after a minute or two.
I'd appreciate it if the help page for cvadmin reflected that repquota also blocks the SAN.
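The client-side symptom in the thread is the kernel's "nfs: server X not responding, timed out" message. As an added example (not code from the thread or from Apple), the script below pulls those messages out of a client syslog, counts them per NFS server, and checks whether they cluster just after the top of the hour, when the hourly repquota cron job described above would run. The sample log lines are constructed in the same format as the messages quoted in the thread; WINDOW_MINUTES and MAX_STALLS are assumed policy values, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original thread: detect NFS client stalls in
# a syslog stream and correlate them with an hourly cron window.
# WINDOW_MINUTES and MAX_STALLS are constructed policy values.

WINDOW_MINUTES=15   # timeouts with minute-of-hour below this count as "near the cron run"
MAX_STALLS=1        # more than this many timeouts from one server is treated as a stall

# Constructed sample log in the same format as the client messages in the thread.
SAMPLE_LOG='Feb 16 09:11:56 WhiteRabbit kernel: nfs: server 10.50.130.21 not responding, timed out
Feb 16 09:11:56 WhiteRabbit kernel: nfs: server 10.50.130.21 not responding, timed out
Feb 16 09:12:10 WhiteRabbit kernel: nfs: server 10.50.130.22 not responding, timed out
Feb 16 09:12:40 WhiteRabbit kernel: nfs: server 10.50.130.22 OK
Feb 16 09:40:02 WhiteRabbit kernel: nfs: server 10.50.130.21 not responding, timed out'

# Reads syslog lines on stdin; prints "<server> <timeouts>" per server, sorted by server.
nfs_stall_counts() {
    awk '
        /kernel: nfs: server [0-9.]+ not responding, timed out/ {
            for (i = 1; i <= NF; i++) if ($i == "server") { srv = $(i + 1); break }
            count[srv]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# Reads syslog lines on stdin; prints how many timeouts fall within WINDOW_MINUTES
# after the top of the hour (syslog time is field 3, HH:MM:SS).
nfs_stalls_near_hour_start() {
    awk -v win="$WINDOW_MINUTES" '
        /kernel: nfs: server [0-9.]+ not responding, timed out/ {
            split($3, t, ":")
            if (t[2] + 0 < win + 0) n++
        }
        END { print n + 0 }
    '
}

# Servers in SAMPLE_LOG that exceeded MAX_STALLS, one per line.
stalled_servers() {
    printf '%s\n' "$SAMPLE_LOG" | nfs_stall_counts | awk -v max="$MAX_STALLS" '$2 > max { print $1 }'
}

# Number of timeouts in SAMPLE_LOG that landed in the post-cron window.
stalls_in_cron_window() {
    printf '%s\n' "$SAMPLE_LOG" | nfs_stalls_near_hour_start
}

stalled_servers
stalls_in_cron_window
```

On a real client, feed `nfs_stall_counts` and `nfs_stalls_near_hour_start` from the kernel log instead of SAMPLE_LOG; a high count landing inside the window points at the scheduled job rather than at the network.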
Similar Messages
-
I installed an IRIX client on SGI machine but can't mount or start Xsan "file system" on the IRIX machine.
I get "missing configuration file" error using cvadmin start command.
I couldn't find in ADIC or Apple manuals info whether I need to copy the <Xsan_Volume>.cfg file from Mac MDC to IRIX client.
Any help will be appreciated.
Did you install the correct SNFS for IRIX client software?
Yes, I was instructed by ADIC to install 650F
The uname -Ra command returned: 6.5 6.5.23f
And you must copy '.auth_secret' from the Mac MDC to the /usr/cvfs/config folder on the IRIX machine.
I did that and I can't mount...
Here is the SYSLOG:
Jan 2 14:19:08 6B:flameHD syslog: PortMapper: No fsroutes file - No preferred routes will be registered.
Jan 2 14:19:08 6B:flameHD syslog: PortMapper: self (flameHD) IP address is 192.168.100.144 .
Jan 2 14:19:08 6B:flameHD syslog: PortMapper: Added FSS route from '127.0.0.1' to '192.168.100.144'
Jan 2 14:19:08 6B:flameHD syslog: NSS: Primary Name Server is 'data' (192.168.100.17)
Jan 2 14:19:08 7D:flameHD fsmpm[602]: LogDebug is set to 0x10
Jan 2 14:19:08 6D:flameHD fsmpm[602]: NSS: Name Server 'data' (192.168.100.17) port is 49181.
Jan 2 14:19:08 6D:flameHD fsmpm[602]: PortMapper: Listening on TCP socket flameHD (0.0.0.0):65294
Jan 2 14:19:08 6D:flameHD fsmpm[602]: NSS: Listening on UDP socket flameHD:65177
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks0d1vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel can't read-label device /dev/rdsk/dks2d0vol
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d10vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d8vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d12vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d14vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d0vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d2vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d6vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks3d4vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d13vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d9vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d1vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d3vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d11vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d7vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel no CVFS NAME label on /dev/rdsk/dks4d5vol.
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel can't read-label device /dev/rdsk/50003930000111a3/lun0vol/c6p60003930000111a3
Jan 2 14:19:08 7D:flameHD fsmpm[602]: getcvfs_disklabel can't read-label device /dev/rdsk/500039300001141b/lun0vol/c6p600039300001141b
Jan 2 14:19:08 7D:flameHD fsmpm[602]: CvDskVolumes found 0 disks
Jan 2 14:19:08 4D:flameHD fsmpm[602]: PortMapper: No CVFS Disk Volumes are accessible.
Jan 2 14:19:08 6D:flameHD fsmpm[602]: PortMapper: No fsmlist file - No File System Services launched.
Jan 2 14:19:09 6D:flameHD fsmpm[602]: PortMapper: Added FSS route from '192.168.100.17' to '192.168.10.17'
Jan 2 14:19:09 6D:flameHD fsmpm[602]: PortMapper: Creating sync file </usr/cvfs/debug/fsmpm-sync.574>
Jan 2 14:19:09 5D:flameHD fsmpm[602]: PortMapper: Local FSD client is registered.
Jan 2 14:19:14 2C:flameHD sendmail[777]: My unqualified host name (flameHD) unknown; sleeping for retry
Jan 2 14:19:14 2C:flameHD sendmail[777]: My unqualified host name (flameHD) unknown; sleeping for retry
Jan 2 14:19:16 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/50003930000111a3 /port/60003930000111a3/lun/0/disk/volume/char : No such device or address
Jan 2 14:19:17 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/500039300001141b /port/600039300001141b/lun/0/disk/volume/char : No such device or address
Jan 2 14:19:18 6D:flameHD numastatd: no routers found -- exiting: No such file or directory
Jan 2 14:19:18 6E:flameHD sshd[1146]: Server listening on 0.0.0.0 port 22.
Jan 2 14:19:25 3D:flameHD Xsgi0[1297]: odsyKernInit: attaching for brdnum=0
Jan 2 14:19:29 6A:flameHD unix: swfs INFO: mount: File system loaded for partition 0
Jan 2 14:19:38 4D:flameHD fsmpm[602]: NSS: Name Server 'data' (192.168.100.17) heartbeat lost, unable to send message.
Jan 2 14:19:43 6B:flameHD Xsession: flame: login
Jan 2 14:20:14 1C:flameHD sendmail[777]: unable to qualify my own domain name (flameHD) -- using short name
Jan 2 14:20:14 1C:flameHD sendmail[777]: unable to qualify my own domain name (flameHD) -- using short name
Jan 2 14:27:32 6E:flameHD sshd[1548]: Accepted password for root from 192.168.100.82 port 3236 ssh2
Jan 2 14:54:11 4A:flameHD unix: WARNING: ARP: got MAC address 0:d:93:44:a1:18 on tg for BCAST IP address 0.0.0.0
Jan 2 17:05:01 6A:flameHD unix: qlfc6: 500e09ec00149693/c6p1800000000: target disappeared (1); waiting 120 seconds for it to return.
Jan 2 17:06:40 6A:flameHD unix: NFS server 192.168.100.145 not responding still trying
Jan 2 17:07:05 6A:flameHD unix: qlfc6: 500e09ec00149693/c6p1800000000: target did not reappear after 120 seconds; clearing requests.
Jan 2 17:11:27 6E:flameHD sshd[1751]: Accepted password for root from 192.168.100.84 port 1122
Jan 2 17:12:06 5E:flameHD su[1762]: succeeded: ttyq2 changing from root to flame
Jan 2 17:13:10 3D:flameHD autofsd[408]: pingnfs: nfs3/port=0, 192.168.100.145: Port mapper failure - Timed out
Jan 2 17:13:40 3D:flameHD autofsd[408]: pingnfs: nullproc nfs3/udp/port=2049, 192.168.100.145: Timed out
Jan 2 17:14:10 3D:flameHD autofsd[408]: pingnfs: nullproc nfs2/udp/port=2049, 192.168.100.145: Timed out
Jan 2 17:14:10 3D:flameHD autofsd[408]: do_unmount cannot contact 192.168.100.145
Jan 2 17:30:29 6A:flameHD unix: qlfc6: 500e09ec00149693/c6p1800000000: Target has changed port id from 0x10d00 to 0x10e00
Jan 2 17:30:29 6A:flameHD unix: qlfc6: 500e09ec00149693/c6p1800000000: target has returned.
Jan 2 18:08:19 6E:flameHD sshd[1906]: Accepted password for root from 192.168.100.201 port 1164 ssh2
Jan 2 19:02:13 6E:flameHD sshd[2246]: Accepted password for root from 192.168.100.202 port 65502 ssh2
Jan 2 19:02:19 6E:flameHD sshd[2248]: Accepted password for root from 192.168.100.164 port 1933 ssh2
Jan 2 19:10:38 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/50003930000111a3 /port/60003930000111a3/lun/0/disk/volume/char : No such device or address
Jan 2 19:10:38 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/500039300001141b /port/600039300001141b/lun/0/disk/volume/char : No such device or address
Jan 2 19:12:03 4A:flameHD unix: |$(0xb91)WARNING: (TOOK-ACTION):/hw/module/001c01/node/cpubus/1/b: Cache Error (recoverable) 0x40101f60<Type=Dcache,TM[0]> errorEPC=0xc00000000006aa04 tag=0x2000000008fdad09 paddr=0x8fdadf60 (Tag Invalid)
Jan 2 19:13:02 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/50003930000111a3 /port/60003930000111a3/lun/0/disk/volume/char : No such device or address
Jan 2 19:13:02 6B:flameHD syslog: IOCONFIG: scsictlr_walkfn : Cannot open the file : /hw/module/001c01/IXbrick/xtalk/11/pci-x/1/2b/scsi_ctlr/0/node/500039300001141b /port/600039300001141b/lun/0/disk/volume/char : No such device or address
Thanks -
ASDM error - you do not have sufficient privileges to execute commands required to load asdm
I am getting below error to log in via ASDM for ASA firewall.
Please help.
Hello Gurujaj,
You are running AAA on your network and you are running authorization.
The user you are using does not have the command authorization set to load the ASDM.
The ones needed are:
Commands required to load ASDM:
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
Regards,
Julio Carvajal -
Cannot mount Xsan volume on Mac Pro
Hi,
I installed a new workstation, the first Mac Pro in our PPC Xsan deployment. I installed Xsan, then the latest updates. However, I cannot mount an Xsan volume on this workstation. This is an excerpt from the log:
May 16 19:06:14 Mac-Pro kernel[0]: Xsan Client Revision 2.7.201 Build 7.23 Built for Darwin 8.0 Created on Mon Nov 13 11:53:07 PST 2006
May 16 19:06:14 Mac-Pro sudo: root : TTY=unknown ; PWD=/Library/Filesystems/Xsan/debug ; USER=root ; COMMAND=/sbin/kextload -v -s /Library/Filesystems/Xsan/debug /System/Library/Extensions/acfsctl.kext
May 16 19:06:14 Mac-Pro /Library/Filesystems/Xsan/bin/fsmpm: NSS: No FS Name Servers file - NAME SERVICE DISABLED.
May 16 19:06:14 Mac-Pro fsmpm[246]: Portmapper: ComputerInfo: computer_name = "Mac Pro", hostname = "Mac-Pro"
May 16 19:06:14 Mac-Pro fsmpm[246]: PortMapper: CVFS Volume Meta on device: /dev/rdisk1 (blk 0xe000003 raw 0xe000003) con: 2 lun: 0 state: 0xf4 inquiry [APPLE Xserve RAID 1.50] controller # '5000393000018365' serial # '5000393000018365L0' Size: 490190848 Sector Size: 512
May 16 19:06:14 Mac-Pro fsmpm[246]: PortMapper: CVFS Volume RAID2_Left on device: /dev/rdisk2 (blk 0xe000004 raw 0xe000004) con: 2 lun: 0 state: 0xf4 inquiry [APPLE Xserve RAID 1.50] controller # '5000393000018A78' serial # '5000393000018A78L0' Size: 5860554719 Sector Size: 512
May 16 19:06:14 Mac-Pro fsmpm[246]: PortMapper: CVFS Volume RAID2_Right on device: /dev/rdisk3 (blk 0xe000005 raw 0xe000005) con: 2 lun: 0 state: 0xf4 inquiry [APPLE Xserve RAID 1.50] controller # '5000393000018805' serial # '5000393000018805L0' Size: 5860554719 Sector Size: 512
May 16 19:06:14 Mac-Pro fsmpm[246]: PortMapper: CVFS Volume RAID1_Right on device: /dev/rdisk4 (blk 0xe000006 raw 0xe000006) con: 2 lun: 0 state: 0xf4 inquiry [APPLE Xserve RAID 1.50] controller # '5000393000018319' serial # '5000393000018319L0' Size: 5860554719 Sector Size: 512
May 16 19:06:15 Mac-Pro servermgrd: xsan: [52] main: Waited 21 secs for fsmpm to start (now running)
May 16 19:06:15 Mac-Pro fsmpm[246]: PortMapper: Local FSD client is registered.
May 16 19:06:17 Mac-Pro servermgrd: xsan: [52] Done waiting for fsmpm to start
May 16 19:06:40 Mac-Pro servermgrd: xsan: [52/358E60] ERROR: mountvolumenamed(EditSAN): Cannot mount volume, file system does not know about it.
I tried reinstalling Xsan on this workstation, re-entering a licence key to the Xsan admin and rewriting Xsan settings, with no success.
All of the other 10 PowerMac workstations can access the Xsan volume with no problems.
Your help would be highly appreciated.
Hi,
I am accessing this WS via ARD, so the public LAN is definitely there. I have not connected the "Xsan" network (but there should be no problem carrying the Xsan traffic over this single LAN connection).
With the firewall, the situation is stranger. When I try to open the Firewall settings in Sharing, there is a dialog "Other firewall software is running on this computer." I googled this and it seems that this was a common problem on 10.3. They suggest deleting the com.apple.sharing.firewall.plist file, but it is not there on 10.4.
"sudo ipfw list" shows this:
00001 allow udp from any 626 to any dst-port 626
65535 allow ip from any to any
Any ideas on how to make Firewall behave as expected? I will try to reinstall if I don't receive a reply.
Thanks. -
XSan clients with 2 scsi controllers
Hi all!
I have an Xsan with 6 Mac clients, each with an Apple Fibre Channel card. Some of them also have an Atto SCSI controller connected to an external disk tower. These clients don't work if the external disk tower is connected. The client boots, but at login the Finder can't start and freezes.
I'm using the latest update, 1.3.
Logging in via ssh on the client I get this in /var/log/system.log:
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk0s2 hfs 2B44F0E7-8C49-3AD4-BB8A-F9F2E3643E57 Macintosh HD /
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk14 hfs 03BB7013-9B81-3D1F-9F81-D91095711495 Raid [not mounted]
Apr 27 18:21:37 localhost SystemStarter: Starting SecurityServer
Apr 27 18:21:37 localhost SystemStarter: Avvio Apple Multicast DNS Responder
Apr 27 18:21:37 localhost SystemStarter: Inizializzo network
Apr 27 18:21:37 localhost ConsoleMessage: Checking disks
Apr 27 18:21:37 localhost mDNSResponder[194]: mDNSResponder-58.8.1 (Jan 31 2005 21:11:41) starting
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk10 acfs B3B884A6-BD45-35C9-824D-7C32E50F1202 XRAID1RightSmall [not mounted]
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk11 acfs 83C6884B-3543-3AE3-9B4D-A842AD3DF156 XRAID1RightBig [not mounted]
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk12 acfs 98BF0B54-15E9-30B0-A8E0-D6DD26CD27C7 XRAID1LeftSmall [not mounted]
Apr 27 18:21:37 localhost diskarbitrationd[96]: disk13 acfs 952512A1-A3E0-37D7-8D3A-4142FB882471 XRAID1LeftBig [not mounted]
Apr 27 18:21:50 localhost SystemStarter: Attendo Xsan File System
Apr 27 18:21:51 localhost /System/Library/CoreServices/ARD Agent.app/Contents/MacOS/ARD Agent: ******Launched Agent******
Apr 27 18:21:53 localhost SystemStarter: Attendo Xsan File System
Apr 27 18:21:56 localhost SystemStarter: Attendo Xsan File System
Apr 27 18:21:58 localhost SNFS:
Apr 27 18:21:58 localhost SNFS: File System Server:
Apr 27 18:21:58 localhost SNFS: Server Revision 2.7.200 Build 92.2
Apr 27 18:21:58 localhost SNFS: Built for Darwin 7.0
Apr 27 18:21:58 localhost SNFS: Created on Thu Apr 20 15:47:16 PDT 2006
Apr 27 18:21:58 localhost SNFS:
Apr 27 18:21:58 localhost SNFS:
Apr 27 18:21:58 localhost SNFS: File System Client:
Apr 27 18:21:58 localhost SNFS: Client Revision 2.7.200 Build 92.2
Apr 27 18:21:58 localhost SNFS: Built for Darwin 7.0
Apr 27 18:21:58 localhost SNFS: Created on Thu Apr 20 15:53:03 PDT 2006
Apr 27 18:21:58 localhost SNFS: Built in /SourceCache/XsanFS/XsanFS-270.92.2
Apr 27 18:21:59 localhost sudo: root : TTY=unknown ; PWD=/Library/Filesystems/Xsan/debug ; USER=root ; COMMAND=/sbin/kextload -v -s /Library/Filesystems/Xsan/debug
Apr 27 18:21:59 localhost kernel: Xsan Client Revision 2.7.200 Build 92.2 Built for Darwin 7.0 Created on Thu Apr 20 15:53:03 PDT 2006
Apr 27 18:21:59 localhost sudo: root : TTY=unknown ; PWD=/Library/Filesystems/Xsan/debug ; USER=root ; COMMAND=/sbin/kextload -v -s /Library/Filesystems/Xsan/debug
Apr 27 18:21:59 localhost ConsoleMessage: Current socket buffer size: 262144
Apr 27 18:21:59 localhost SystemStarter: Current socket buffer size: 262144
Apr 27 18:21:59 localhost ConsoleMessage: Setting max socket buffer size: 16777216
Apr 27 18:21:59 localhost SystemStarter: Setting max socket buffer size: 16777216
Apr 27 18:21:59 localhost ConsoleMessage: Starting fsmpm
Apr 27 18:21:59 localhost SystemStarter: Starting fsmpm
Apr 27 18:21:59 localhost SystemStarter: Attendo Xsan File System
Apr 27 18:21:59 localhost /Library/Filesystems/Xsan/bin/fsmpm: PortMapper: No fsroutes file - No preferred routes will be registered.
Apr 27 18:22:00 localhost /Library/Filesystems/Xsan/bin/fsmpm: PortMapper: self (mac03.local) IP address is 192.168.15.22 .
Apr 27 18:22:00 localhost /Library/Filesystems/Xsan/bin/fsmpm: PortMapper: Added FSS route from '127.0.0.1' to '192.168.15.22'
Apr 27 18:22:00 localhost /Library/Filesystems/Xsan/bin/fsmpm: NSS: Primary Name Server is '192.168.15.186' (192.168.15.186)
Apr 27 18:22:00 localhost fsmpm[414]: NSS: Name Server '192.168.15.186' (192.168.15.186) port is 49161.
Apr 27 18:22:00 localhost fsmpm[414]: Portmapper: ComputerInfo: computer_name = "mac03", hostname = "mac03"
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: Listening on TCP socket mac03.local (0.0.0.0):49212
Apr 27 18:22:00 localhost fsmpm[414]: NSS: Listening on UDP socket mac03.local:49165
Apr 27 18:22:00 localhost diskarbitrationd[96]: disk14 hfs 03BB7013-9B81-3D1F-9F81-D91095711495 Raid [not mounted]
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: CVFS Volume XRAID1RightSmall on device: /dev/rdisk10 (blk 0xe00001e raw 0xe00001e) con: 2 lun: 0 state: 0xf4 inquiry
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: CVFS Volume XRAID1LeftSmall on device: /dev/rdisk12 (blk 0xe000020 raw 0xe000020) con: 2 lun: 0 state: 0xf4 inquiry [
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: CVFS Volume XRAID1RightBig on device: /dev/rdisk11 (blk 0xe00001f raw 0xe00001f) con: 2 lun: 1 state: 0xf4 inquiry [A
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: CVFS Volume XRAID1LeftBig on device: /dev/rdisk13 (blk 0xe000021 raw 0xe000021) con: 2 lun: 1 state: 0xf4 inquiry [AP
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: No fsmlist file - No File System Services launched.
Apr 27 18:22:00 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [374] main: Waited 2 secs for fsmpm to start (now running)
Apr 27 18:22:00 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [374] main: Will detach its own daemon
Apr 27 18:22:00 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [420] main: Detached its own daemon
Apr 27 18:22:00 localhost fsmpm[414]: PortMapper: Creating sync file </Library/Filesystems/Xsan/debug/fsmpm-sync.278>
Apr 27 18:22:01 localhost ConsoleMessage: fsmpm started
Apr 27 18:22:01 localhost SystemStarter: fsmpm started
Apr 27 18:22:01 localhost ConsoleMessage: Starting cvfsd
Apr 27 18:22:01 localhost SystemStarter: Starting cvfsd
Apr 27 18:22:01 localhost mach_init[2]: Server 0 in bootstrap d03 uid 0: "/usr/sbin/diskarbitrationd": exited as a result of signal 6 [pid 96]
Apr 27 18:22:01 localhost fsmpm[414]: Disk rescan found 4 disks
Apr 27 18:22:02 localhost fsmpm[414]: PortMapper: Local FSD client is registered.
Apr 27 18:22:02 localhost diskarbitrationd[431]: disk0s2 hfs 2B44F0E7-8C49-3AD4-BB8A-F9F2E3643E57 Macintosh HD /
Apr 27 18:22:02 localhost diskarbitrationd[431]: disk14 hfs 03BB7013-9B81-3D1F-9F81-D91095711495 Raid [not mounted]
Apr 27 18:22:02 localhost SystemStarter: Attendo Xsan File System
Apr 27 18:22:03 localhost diskarbitrationd[431]: disk13 acfs 952512A1-A3E0-37D7-8D3A-4142FB882471 XRAID1LeftBig [not mounted]
Apr 27 18:22:03 localhost diskarbitrationd[431]: disk10 acfs B3B884A6-BD45-35C9-824D-7C32E50F1202 XRAID1RightSmall [not mounted]
Apr 27 18:22:03 localhost diskarbitrationd[431]: disk12 acfs 98BF0B54-15E9-30B0-A8E0-D6DD26CD27C7 XRAID1LeftSmall [not mounted]
Apr 27 18:22:03 localhost diskarbitrationd[431]: disk11 acfs 83C6884B-3543-3AE3-9B4D-A842AD3DF156 XRAID1RightBig [not mounted]
Apr 27 18:22:03 localhost /Library/PreferencePanes/BlueHarvest.prefPane/Contents/Resources/BlueHarvestMonitor: BH: Started.
Apr 27 18:22:04 localhost ConsoleMessage: cvfsd started
Apr 27 18:22:04 localhost SystemStarter: cvfsd started
Apr 27 18:22:04 localhost ConsoleMessage: Mounting Xsan File System volumes
Apr 27 18:22:04 localhost SystemStarter: Mounting Xsan File System volumes
Apr 27 18:22:04 localhost SystemStarter: Avvio completato.
Apr 27 18:22:06 localhost mach_init[2]: Server 0 in bootstrap d03 uid 0: "/usr/sbin/diskarbitrationd": exited as a result of signal 6 [pid 431]
Apr 27 18:22:07 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadvol: [421] ERROR: mountvolumenamed(XsanVol): Could not remove mount point directory /Volumes/Xs
Apr 27 18:22:12 localhost /Library/PreferencePanes/BlueHarvest.prefPane/Contents/Resources/BlueHarvestMonitor: BH: Main engine start.
Apr 27 18:22:36 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [420] ERROR: getlabeleddisks: Error -1 iterating over list
Apr 27 18:22:36 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: getlabeleddisks: SNFS Generic Error
Apr 27 18:22:36 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [420] ERROR: getlocalproperties: Did not save reply because no disk or status=100047/0
Apr 27 18:22:36 localhost /usr/share/servermgrd/cgi-bin/servermgr_nomadfss: [420] ERROR: synchronizeconfiguration_ifclient: 192.168.15.22 sees 0 disks
Any ideas?
Thanks
Diego
You may have what are called corrupt free inodes. Inodes are the actual containers in the file system that store your data. Here are some similar threads that may help you:
http://www.xsanity.com/forum/viewtopic.php?p=3521
http://www.xsanity.com/forum/viewtopic.php?p=4408
In the first thread, they were able to simply rebuild their Xsan and restore from backup, but in the second, they were able to use cvfsck -C to perform a "clobber" which removes the bad inodes, so new, uncorrupted inodes can be created.
The problem is, if you have an Xsan with this kind of corruption, it will usually re-appear, so your best bet is to do what you have to to get your volume back online long enough to grab your data, then re-create your volume again from scratch. If you did a volume expansion in the past without running cvfsck and making sure your file system was clean first, this kind of corruption will sometimes happen.
Without seeing more, this is all just a guess, but if you find that corrupt inodes are what you're running into, here are some notes from when I've had to fix this myself:
http://www.jasonmyres.com/2010/11/xsan-2-0-troubleshooting/
Good luck.
JM -
Hi
On my server, the keytool command blocks when I run it with the -genkey parameter.
A trace of my console:
[root@pollux bin]# ./keytool -genkey -alias toto
Tapez le mot de passe du Keystore : tototo
Quels sont vos prénom et nom ?
[Unknown] : toto
Quel est le nom de votre unité organisationnelle ?
[Unknown] : tutu
Quelle est le nom de votre organisation ?
[Unknown] : tata
Quel est le nom de votre ville de résidence ?
[Unknown] : titi
Quel est le nom de votre État ou province ?
[Unknown] : tete
Quel est le code de pays à deux lettres pour cette unité ?
[Unknown] : FR
Est-ce CN=toto, OU=tutu, O=tata, L=titi, ST=tete, C=FR ?
[non] : oui
I can fill in the certificate information, but when I type "oui" (the French "yes") after keytool asks me for confirmation, the process blocks.
I tried installing another JDK version, but I have the same problem.
My server is an Intel machine running Red Hat Linux (version 2.4.21-15.ELsmp).
Joseph -
ASDM (ASA 9.1) won't fully initialize when AAA command authorization is configured
The ASA doesn't have any local accounts; all authentication is done via AAA.
On AAA, we have two "groups", both assigned privilege 15: one group (A) can issue all commands, the other group (B) can only issue the command sets we defined.
Group A can log in to ASDM without any problems.
Group B can get past the login pop-up, then ASDM starts to load its window; at the bottom it does show that the login user has privilege 15, then it stops at "parsing running configuration...", the ASDM login screen pops up again, and I cannot get past it.
I suspect it's somewhere in the permissions; can someone help? Thanks.
Leo Song
Hello,
There are some commands that are required in order to load the ASDM:
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
Make sure you have them.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Where can I find a list / explanation of the SHOW commands in SQLPlus?
Thanks,
Hi,
Also, try this cool glogin script from Chris Foot to show the instance name in your SQL*Plus prompt:
COLUMN file_name FORMAT a44
COLUMN tablespace_name FORMAT a20
COLUMN owner FORMAT a15
COLUMN segment_name FORMAT a20
set lines 132
set pages 100
set termout off
col dbname new_value prompt_dbname
select instance_name dbname from v$instance;
set sqlprompt "&&prompt_dbname> "
set termout on
set time on
Here are the set options:
APPI[NFO] ON
Application info for performance monitor (see DBMS_APPLICATION_INFO)
ARRAY[SIZE] {15|n}
Fetch size (1 to 5000) the number of rows that will be retrieved in one go.
AUTO[COMMIT] {OFF|n}
Autocommit commits after each SQL command or PL/SQL block
AUTOP[RINT] OFF
Automatic PRINTing of bind variables.(see PRINT)
AUTORECOVERY ON
Configure the RECOVER command to automatically apply
archived redo log files during recovery - without any user confirmation.
AUTOT[RACE] {OFF|ON|TRACE[ONLY]} [EXP[LAIN]] [STAT[ISTICS]]
Display a trace report for SELECT, INSERT, UPDATE or DELETE statements
EXPLAIN shows the query execution path by performing an EXPLAIN PLAN.
STATISTICS displays SQL statement statistics.
Using ON or TRACEONLY with no explicit options defaults to EXPLAIN STATISTICS
BLO[CKTERMINATOR] {.|c|OFF|ON}
Set the non-alphanumeric character used to end PL/SQL blocks to c
CMDS[EP] {;|c|OFF|ON}
Change or enable command separator - default is a semicolon (;)
COLSEP { |text}
The text to be printed between SELECTed columns normally a space.
COM[PATIBILITY] {V5|V6|V7|V8|NATIVE}
Version of oracle - see also init.ora COMPATIBILITY=
You can set this back by up to 2 major versions e.g. Ora 9 supports 8 and 7
CON[CAT] {.|c|OFF|ON}
termination character for substitution variable reference
default is a period.
COPYC[OMMIT] {0|n}
The COPY command will fetch n batches of data between commits.
(n= 0 to 5000) the size of each fetch=ARRAYSIZE.
If COPYCOMMIT = 0, COPY will commit just once - at the end.
COPYTYPECHECK OFF
Suppresses the comparison of datatypes while inserting or appending to DB2
DEF[INE] {&|c|OFF|ON}
c = the char used to prefix substitution variables.
ON or OFF controls whether to replace substitution variables with their values.
(this overrides SET SCAN)
DESCRIBE [DEPTH {1|n|ALL}][LINENUM {ON|OFF}][INDENT {ON|OFF}]
Sets the depth of the level to which you can recursively describe an object
(1 to 50) see the DESCRIBE command
ECHO OFF
Display commands as they are executed
EMB[EDDED] OFF
OFF = report printing will start at the top of a new page.
ON = report printing may begin anywhere on a page.
ESC[APE] {\|c|OFF|ON}
Defines the escape character. OFF undefines. ON enables.
FEED[BACK] {6|n|OFF|ON}
Display the number of records returned (when rows > n )
OFF (or n=0) turns the display off
ON sets n=1
FLAGGER {OFF|FULL}
Checks to make sure that SQL statements conform to the ANSI/ISO SQL92 standard.
non-standard constructs are flagged as errors and displayed
See also ALTER SESSION SET FLAGGER.
FLU[SH] OFF
Buffer display output (OS)
(no longer used in Oracle 9)
HEA[DING] OFF
print column headings
HEADS[EP] {||c|OFF|ON}
Define the heading separator character (used to divide a column heading onto > one line.)
OFF will actually print the heading separator char
see also: COLUMN command
INSTANCE [instance_path|LOCAL]
Change the default instance for your session, this command may only be issued when
not already connected and requires Net8
LIN[ESIZE] {150|n}
Width of a line (before wrapping to the next line)
Earlier versions default to 80, Oracle 9 is 150
LOBOF[FSET] n
Starting position from which CLOB and NCLOB data is retrieved and displayed
LOGSOURCE [pathname]
Change the location from which archive logs are retrieved during recovery
normally taken from LOG_ARCHIVE_DEST
LONG {80|n}
Set the maximum width (in chars) for displaying and copying LONG values.
LONGC[HUNKSIZE] {80|n}
Set the fetch size (in chars) for retrieving LONG values.
MARK[UP] HTML ON
[HEAD text] [BODY text] [TABLE text]
[ENTMAP {ON|OFF}][SPOOL {ON|OFF}]
[PRE[FORMAT] ON]
Output HTML text, which is the output used by iSQL*Plus.
NEWP[AGE] {1|n}
The number of blank lines between the top of each page and the top title.
0 = a formfeed between pages.
NULL text
Replace a null value with 'text'
The NULL clause of the COLUMN command will override this for a given column.
NUMF[ORMAT] format
The default number format.
see COLUMN FORMAT.
NUM[WIDTH] {10|n}
The default width for displaying numbers.
PAGES[IZE] {14|n}
The height of the page - number of lines.
0 will suppress all headings, page breaks, titles
PAU[SE] OFF
press [Return] after each page
enclose text in single quotes
RECSEP {WR[APPED]|EA[CH]|OFF}
Print a single line of the RECSEPCHAR between each record.
WRAPPED = print only for wrapped lines
EACH=print for every row
RECSEPCHAR {_|c}
Define the RECSEPCHAR character, default= ' '
SCAN OFF
OFF = disable substitution variables and parameters
SERVEROUT[PUT] OFF [SIZE n] [FOR[MAT] {WRA[PPED]|WOR[D_WRAPPED]|TRU[NCATED]}]
whether to display the output of stored procedures (or PL/SQL blocks)
i.e., DBMS_OUTPUT.PUT_LINE
SIZE = buffer size (2000-1,000,000) bytes
SHOW[MODE] OFF
Display old and new settings of a system variable
SPA[CE] {1|n}
The number of spaces between columns in output (1-10)
SQLBL[ANKLINES] ON
Allow blank lines within an SQL command. Reverts to OFF after the current command/block.
SQLC[ASE] {MIX[ED]|LO[WER]|UP[PER]}
Convert the case of SQL commands and PL/SQL blocks
(but not the SQL buffer itself)
SQLPLUSCOMPAT[IBILITY] {x.y[.z]}
Set the behavior or output format of VARIABLE to that of the
release or version specified by x.y[.z].
SQLCO[NTINUE] {> |text}
Continuation prompt (used when a command is continued on an additional line using a hyphen -)
SQLN[UMBER] OFF
Set the prompt for the second and subsequent lines of a command or PL/SQL block.
ON = set the SQL prompt = the line number.
OFF = set the SQL prompt = SQLPROMPT.
SQLPRE[FIX] {#|c}
set a non-alphanumeric prefix char for immediately executing one line of SQL (#)
SQLP[ROMPT] {SQL>|text}
Set the command prompt.
SQLT[ERMINATOR] {;|c|OFF|ON}
Set the char used to end and execute SQL commands to c.
OFF disables the command terminator - use an empty line instead.
ON resets the terminator to the default semicolon (;).
SUF[FIX] SQL
Default file extension for SQL scripts
TAB OFF
Format white space in terminal output.
OFF = use spaces to format white space.
ON = use the TAB char.
Note this does not apply to spooled output files.
The default is system-dependent. Enter SHOW TAB to see the default value.
TERM[OUT] OFF
OFF suppresses the display of output from a command file
ON displays the output.
TERMOUT OFF does not affect the output from commands entered interactively.
TI[ME] OFF
Display the time at the command prompt.
TIMI[NG] OFF
ON = display timing statistics for each SQL command or PL/SQL block run.
OFF = suppress timing statistics
TRIM[OUT] OFF
Display trailing blanks at the end of each line.
ON = remove blanks, improving performance
OFF = display blanks.
This does not affect spooled output.
SQL*Plus ignores TRIMOUT ON unless you set TAB ON.
TRIMS[POOL] ON
Allows trailing blanks at the end of each spooled line.
This does not affect terminal output.
UND[ERLINE] {-|c|ON|OFF}
Set the char used to underline column headings to c.
VER[IFY] OFF
ON = list the text of a command before and after replacing substitution variables with values.
OFF = don't display the command.
WRA[P] OFF
Controls whether to truncate or wrap the display of long lines.
OFF = truncate
ON = wrap to the next line
The COLUMN command (WRAPPED and TRUNCATED clause) can override this for specific columns. -
Hi,
Just wondering if someone could tell me the IOS equivalent to these CATOS commands. I have been to the CATOS to IOS Conversion utility page and, to be honest, it doesn't work properly and skips the majority of commands.
The CATOS commands I need translated to IOS are:
set trunk 11/8 nonegotiate dot1q 1-1005,1024-4094
clear trunk 11/8 1006-1023
clear trunk 11/6 1-39,41-99,101-339,341-419,421-4094
set trunk 11/6 nonegotiate dot1q 40,100,340,420
clear trunk 11/13 1006-1023
set trunk 11/13 auto-negotiate 1-1005,1024-4094
#IPACLVLAN280
set qos acl ip IPACLVLAN280 dscp 32 ip any any
commit qos acl all
set qos acl map IPACLVLAN280 280
Thanks, much appreciated
hi,
the three trunk command-blocks should be converted in this way:
clear trunk 11/8 1006-1023
set trunk 11/8 nonegotiate dot1q 1-1005,1024-4094
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1005,1024-4094
switchport mode trunk
clear trunk 11/6 1-39,41-99,101-339,341-419,421-4094
set trunk 11/6 nonegotiate dot1q 40,100,340,420
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 40,100,340,420
switchport mode trunk
clear trunk 11/13 1006-1023
set trunk 11/13 auto-negotiate 1-1005,1024-4094
switchport trunk encapsulation negotiate
switchport trunk allowed vlan 1-1005,1024-4094
switchport mode dynamic auto
kind regards,
Bernhard -
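As an added example (not part of the thread), the following script turns the CatOS "set trunk" lines from the question into the per-port IOS "switchport" lines exactly as Bernhard's answer maps them; the port keys, the VLAN-range check and the "negotiate" fallback for lines without an encapsulation keyword are this example's own choices.

```python
import re

# Added example, not from the thread: translate the CatOS "set trunk" lines
# quoted in the question into the IOS interface-level commands that Bernhard's
# answer gives. "clear trunk" lines are accepted but emit nothing: the VLAN list
# on the matching "set trunk" line already states what stays allowed.

# Constructed input: the six CatOS lines from the question.
CATOS_LINES = [
    "set trunk 11/8 nonegotiate dot1q 1-1005,1024-4094",
    "clear trunk 11/8 1006-1023",
    "clear trunk 11/6 1-39,41-99,101-339,341-419,421-4094",
    "set trunk 11/6 nonegotiate dot1q 40,100,340,420",
    "clear trunk 11/13 1006-1023",
    "set trunk 11/13 auto-negotiate 1-1005,1024-4094",
]

# Only the two trunk modes that appear on the page are handled.
SET_TRUNK = re.compile(
    r"^set trunk (?P<port>\d+/\d+) (?P<mode>nonegotiate|auto-negotiate)"
    r"(?: (?P<encap>dot1q|isl))? (?P<vlans>[\d,-]+)$"
)

# CatOS trunking mode -> IOS "switchport mode" line (mapping as in the answer).
MODE_TO_IOS = {
    "nonegotiate": "switchport mode trunk",
    "auto-negotiate": "switchport mode dynamic auto",
}


def vlan_list_ok(vlans):
    """True if every id/range is within 1-4094 and no range is written backwards."""
    for item in vlans.split(","):
        lo, _, hi = item.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            return False
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 4094):
            return False
    return True


def parse_set_trunk(line):
    """Return (port, mode, encap, vlans) for a 'set trunk' line, None for 'clear trunk'."""
    line = line.strip()
    if line.startswith("clear trunk "):
        return None
    m = SET_TRUNK.match(line)
    if not m:
        raise ValueError(f"unrecognised CatOS line: {line!r}")
    if not vlan_list_ok(m.group("vlans")):
        raise ValueError(f"bad VLAN list in: {line!r}")
    return m.group("port"), m.group("mode"), m.group("encap"), m.group("vlans")


def catos_to_ios(lines):
    """Map each CatOS mod/port to its list of IOS interface-level commands."""
    result = {}
    for line in lines:
        parsed = parse_set_trunk(line)
        if parsed is None:
            continue
        port, mode, encap, vlans = parsed
        # No encapsulation keyword on the CatOS line: let DTP negotiate it,
        # which is what the answer does for the auto-negotiate port.
        result[port] = [
            f"switchport trunk encapsulation {encap or 'negotiate'}",
            f"switchport trunk allowed vlan {vlans}",
            MODE_TO_IOS[mode],
        ]
    return result


if __name__ == "__main__":
    for port, cmds in catos_to_ios(CATOS_LINES).items():
        print(f"! CatOS port {port}")
        for cmd in cmds:
            print(" " + cmd)
```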
When users choose Get Info, it shows that they are only using a portion of the allocated space. However, when looking at the admin quota screen it shows that nearly all of their space is used up. My question is this: is there an easy way to delete the items from trash and other locations that are mysteriously using this space? Also, other than trash, where is this space being used?
Do you know that the users have a bunch of stuff in their trash folders? If so, why not ask them to empty the trash?
If you're not certain that this is the case, you may want to run du to find out what's going on. For example:
pmg5:/ root# du -kd1 Users/
3913028 Users//blloyd
1632 Users//gern
5368 Users//joe
7364 Users//Shared
3927400 Users/
This shows how many KB are in use in each of the folders... so it should give an accurate idea of exactly how much disk space is in use (it may be more accurate than "Get Info," and certainly it's all grouped in one place). If the info returned by this is significantly different than what quotas are reporting, then something else is afoot, and it may be time to get down with your command-line bad self to muck around and see what's going on. For example, here's a partial on 'repquota' on my root file system:
pmg5:/ root# repquota /
1K Block limits File limits
User used soft hard grace used soft hard grace
1026 -- 16476 0 0 316 0 0
gern -- 12712 0 0 107 0 0
blloyd -- 3994748 0 0 3510 0 0
It does a pretty good job agreeing with what "my" user on the server is using.
See if these are in agreement.
I wouldn't really suggest manually futzing with someone's trash folder (it's in ~/.Trashes), because if you delete it, their trash will quit working. You could descend into there via the command line and delete stuff... but really, force them to empty their own trash... use the quota to block them from doing anything else once they use too much disk space. Users need to learn to empty the trash... just like 4 year old kids do -
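The comparison the answer suggests, as an added example that is not part of the thread: parse the "du -kd1" and "repquota" outputs shown above and flag users whose quota-accounted usage does not match what du finds under their home folder (quota counts every file the user owns on the filesystem, so hidden trash or files elsewhere show up as a gap). The extra "alice" row, the 5% tolerance and the grace-column handling are this example's own assumptions.

```python
import re

# Added example, not from the thread. The du and repquota text below is copied
# from the post; the "alice" row is constructed to show a user over her soft
# block limit, where repquota prints a grace column and a '+' flag.

DU_OUTPUT = """\
3913028 Users//blloyd
1632 Users//gern
5368 Users//joe
7364 Users//Shared
3927400 Users/
"""

REPQUOTA_OUTPUT = """\
                        1K Block limits               File limits
User            used    soft    hard  grace    used  soft  hard  grace
1026      --   16476       0       0             316     0     0
gern      --   12712       0       0             107     0     0
blloyd    --  3994748      0       0            3510     0     0
alice     +-  120000  100000  150000  6days      42     0     0
"""


def parse_du(text):
    """Map each immediate subfolder name to its size in KB; skips the parent total."""
    sizes = {}
    for line in text.splitlines():
        kb, path = line.split(None, 1)
        path = path.rstrip("/")
        if "/" not in path:          # "Users/" line: the total for the parent folder
            continue
        sizes[path.rsplit("/", 1)[-1]] = int(kb)
    return sizes


def parse_repquota(text):
    """Return {user: {"blocks": (used, soft, hard, grace), "files": (...)}}.

    The two flag characters ('-' or '+') tell whether a grace value follows the
    block and file columns: repquota prints one only for a limit that is exceeded.
    """
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 8 or not re.fullmatch(r"[-+]{2}", tokens[1]):
            continue                  # header lines
        user, flags, rest = tokens[0], tokens[1], tokens[2:]
        b_used, b_soft, b_hard = map(int, rest[:3])
        rest = rest[3:]
        b_grace = None
        if flags[0] == "+":
            b_grace, rest = rest[0], rest[1:]
        f_used, f_soft, f_hard = map(int, rest[:3])
        rest = rest[3:]
        f_grace = rest[0] if flags[1] == "+" and rest else None
        rows[user] = {"blocks": (b_used, b_soft, b_hard, b_grace),
                      "files": (f_used, f_soft, f_hard, f_grace)}
    return rows


def compare_usage(du_sizes, quota_rows, tolerance=0.05):
    """Return {user: (du_kb, quota_kb, relative_gap)} for every user whose two
    figures disagree by more than `tolerance`; a user seen in only one listing
    is reported with None on the missing side and no gap value."""
    report = {}
    for user in sorted(set(du_sizes) | set(quota_rows)):
        du_kb = du_sizes.get(user)
        q_kb = quota_rows[user]["blocks"][0] if user in quota_rows else None
        if du_kb is None or q_kb is None:
            report[user] = (du_kb, q_kb, None)
            continue
        gap = abs(du_kb - q_kb) / max(q_kb, 1)
        if gap > tolerance:
            report[user] = (du_kb, q_kb, round(gap, 3))
    return report


if __name__ == "__main__":
    for user, (du_kb, q_kb, gap) in compare_usage(
            parse_du(DU_OUTPUT), parse_repquota(REPQUOTA_OUTPUT)).items():
        print(f"{user:10} du={du_kb} quota={q_kb} gap={gap}")
```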
ASA 5505 IPSEC VPN connected but can't access to LAN
ASA : 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
VPN Pool: 172.16.10.0/24
Hi, we purchased a new ASA 5505 and tried to set up IPSEC VPN via ASDM; I just ran the wizards, set up the vpnpool, split tunnelling, etc.
I can connect to the ASA by using the Cisco VPN client and the internet works fine on the local PC, but it cannot access the LAN (can't ping, can't remote desktop). I tried the same thing on our production ASA (those have both remote VPN and site-to-site VPN working), and the new profile I created worked fine.
Below is my configuration; did I misconfigure anything?
ASA Version 8.2(5)
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.253 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
wins-server value 10.1.1.108
dns-server value 10.1.1.108
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntest_splitTunnelAcl
default-domain value XXX.com
split-tunnel-all-dns disable
backup-servers keep-client-config
address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
authentication-server-group AD
authentication-server-group (inside) AD
default-group-policy vpntest
strip-realm
tunnel-group vpntest ipsec-attributes
pre-shared-key BEKey123456
peer-id-validate nocheck
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: end
I changed a machine's gateway to this ASA and captured again; now we can see some replies.
All other PCs' and switches' gateways point to another ASA; maybe that's the reason why it didn't work?
What's the recommended way to make our LAN have two gateways (for load balancing or a backup router, etc.)?
Add two gateways to all PCs and switches?
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request -
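An added example, not from the thread: it parses the ASA capture lines above and tallies, per LAN host, packets the VPN client sent against packets that came back, so hosts that never answer (the symptom the follow-up attributes to the other PCs using a different gateway) stand out. The client address 172.16.10.1 is read off the capture; the regular expression and the report shape are this example's own.

```python
import re
from collections import defaultdict

# Added example, not from the thread: the capture text is copied from the post.
# 10.1.1.230 is the host whose gateway was changed to this ASA and answers;
# 10.1.1.233 and 10.1.1.108 (the group policy's WINS/DNS server, receiving
# the udp/137 NetBIOS name queries) never send anything back.
CAPTURE = """\
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
"""

# "<n>: <time> ... <src>[.<port>] > <dst>[.<port>]: <proto>[:] <rest>"
PACKET = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\w+):?\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per parseable capture line (others are skipped)."""
    packets = []
    for line in text.splitlines():
        m = PACKET.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def traffic_balance(packets, client):
    """Return {peer: (packets client sent to peer, packets peer sent to client)}."""
    sent, recv = defaultdict(int), defaultdict(int)
    for p in packets:
        if p["src"] == client:
            sent[p["dst"]] += 1
        elif p["dst"] == client:
            recv[p["src"]] += 1
    return {peer: (sent[peer], recv[peer]) for peer in sorted(set(sent) | set(recv))}


def silent_peers(balance):
    """Hosts the client sent traffic to that never sent a single packet back."""
    return [peer for peer, (s, r) in balance.items() if s and not r]


if __name__ == "__main__":
    balance = traffic_balance(parse_capture(CAPTURE), "172.16.10.1")
    for peer, (s, r) in balance.items():
        print(f"{peer:14} sent={s:3} received={r:3}")
    print("no reply from:", ", ".join(silent_peers(balance)))
```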
ASA 5505: Outside Interface Becomes Inaccessible
Greetings --
I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side. AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA. Internally, I can ping the IP address and I can ssh into the ASA.
The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM. To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
Any ideas why the lockouts are occurring? Is it possible my ISP is shutting down the IP?
Below are the configs for the ASA:
hostname psa-asa
enable password IqUJj3NwPkd63BO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
name 192.168.1.20 dbserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.43 255.255.255.0
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list outside_access_in extended permit ip host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 162.134.70.20
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PSA-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
username user1 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
username user2 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
username user4 attributes
vpn-group-policy SSLClientPolicy
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
service-type admin
username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
username user5 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
username user6 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user7 password aEGh.k89043.2NUa encrypted privilege 0
username user7 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PSA-SSL-VPN type remote-access
tunnel-group PSA-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PSA-SSL-VPN webvpn-attributes
group-alias PSA_VPN enable
group-url https://xxx.xxx.xxx.43/PSA_VPN enable
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841
Hi,
I guess if you want to temporarily set up software to receive the logs on some computer you could even use Tftpd (you will find it easily through a Google search). The same software can be used for multiple different purposes.
I sometimes use it personally when testing different stuff on my home ASA.
It naturally isn't a real option if you actually set up a separate Syslog server.
You wouldn't really need to add much to your logging configuration:
logging device-id hostname
logging trap informational
logging host
Where is the name of the interface behind which the server is and the is naturally the IP address of the server.
Though the above would generate a lot of logging.
I am not even 100% sure it would log anything when you are facing the problem.
Best would be to also troubleshoot while the problem is there.
Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
If this is so, it makes it a weird problem, as the ASA and your ISP can clearly pass traffic to and from your network since that remote connection is working even if there are other problems.
- Jouni -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below are the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Hi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per your recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
L2TP on Cisco ASA 5505, just doesn't work??!
This is pretty urgent, client expects me to have this up by lunch today
So, there is this Cisco ASA 5505 ver 8.4.
Most things work but now I want to setup a vpn connection...
I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then 5 hours later removing everything and configuring from cli.
And it just doesn't work, client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating problem with phase 1, I'm pretty sure of that)
Googling on those gives a few suggestions none works.
All I get in the log on Cisco is the "Error processing payload: Payload ID: 1"
Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...)
For the cli config, I followed this tutorial carefully (3 times actually...)
http://www.cisco.com/en/US/docs/secu...html#wp1117464
I'm using PSK for IPSec, entered same on Cisco and client - checked several times, this is not a password/PSK issue.
Ports opened on Cisco: 500, 1701, 4500
(For a try I opened all ports, no change.)
And here's the "show run":
Code:
ASA Version 8.4(2)
hostname ciscoasa
enable password <string> encrypted
passwd <string> encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address #.#.#.# 255.255.255.252
interface Vlan7
description VLAN till kontor
no forward interface Vlan2
nameif kontor
security-level 100
ip address 172.16.5.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.5.2
object network Webserver443
host 192.168.5.2
object network rdp
host 192.168.5.2
object network vpnserver
host 192.168.5.2
object service vpn-service-group
object network VPN
host 192.168.5.2
object-group service Webports tcp-udp
description Portar för webbserver
port-object eq 443
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object Webports
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPNports tcp-udp
port-object eq 1701
port-object eq 4500
port-object eq 500
object-group service RDP tcp-udp
port-object eq 3389
object-group service vpn-services tcp-udp
port-object eq 1701
port-object eq 500
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object Webserver object-group DM_INLINE_TCP_1
access-list outside_access_in_1 remark Öppnar för vpn
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group VPNports
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu kontor 1500
ip local pool vpn1 10.10.10.10-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network Webserver
nat (inside,outside) static interface service tcp www www
object network Webserver443
nat (inside,outside) static interface service tcp https https
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 79.142.243.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
.... (sorry, not giving you the cert...)
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2 1
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.5.11-192.168.5.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
address-pools value vpn1
group-policy DfltGrpPolicy attributes
dns-server value 79.142.240.10
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn1
username test password <string> nt-encrypted
username someoneelse password <string> nt-encrypted privilege 15
username someoneelse attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
service-type admin
username someone password <string> nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group vpn1 type remote-access
tunnel-group vpn1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd92aa6707dc63e8ed7dad47cfecdd47
: end
In Pingvino Veritas!
I almost got it working now; the new problem is that the connection is immediately ended.
The logs show that the client is authenticated and assigned an IP.
From the logs, all happens during one second:
IPAA: Client assigned ip-address from local pool
IPAA: Local pool request succeeded for tunnel-group
IPAA: Freeing local pool address
L2TP Tunnel created, tunnel_id is 24
L2TP Tunnel deleted, tunnel_id =24
IPSEC: An outbound remote access SA has been deleted
IPSEC: An inbound remote access SA has been deleted
Session is being torn down. Reason: L2TP initiated
Teardown UDP connection -
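As an added example (not code from either thread, nor Cisco's), the following Python audits the IKEv1 phase-1 policies and the management-plane exposure in running-configs like the two posted above, handling both the 8.2(5) `crypto isakmp policy` and the 8.4(2) `crypto ikev1 policy` syntax and the stripped indentation of the pasted text. The WEAK/LEGACY classification is the example's own assumption, not an ASA setting, and SAMPLE_CONFIG is a constructed excerpt assembled from the posted configs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed excerpt assembled from the two running-configs posted above:
# 8.2(5) writes "crypto isakmp policy", 8.4(2) writes "crypto ikev1 policy".
# The forum extraction stripped the leading space the ASA prints before
# sub-commands, so the parser must not depend on indentation.
SAMPLE_CONFIG = """\
ASA Version 8.4(2)
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto ikev2 policy 1
encryption 3des
group 2 1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

POLICY_HEADER = re.compile(r"^crypto (isakmp|ikev1) policy (\d+)$")
POLICY_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}
MGMT_ANY = re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")
# Classification is this example's assumption, not an ASA notion:
# WEAK should not be offered at all, LEGACY only to peers that cannot do better.
WEAK = {
    ("encryption", "des"): "DES (56-bit key)",
    ("hash", "md5"): "MD5 integrity",
    ("group", "1"): "DH group 1 (768-bit MODP)",
}
LEGACY = {
    ("encryption", "3des"): "3DES (64-bit block, Sweet32)",
    ("group", "2"): "DH group 2 (1024-bit MODP)",
}

@dataclass
class IkePolicy:
    family: str    # "isakmp" (8.2 syntax) or "ikev1" (8.4 syntax)
    priority: int
    attrs: dict = field(default_factory=dict)

def parse_ike_policies(config: str) -> list[IkePolicy]:
    """Collect IKEv1 phase-1 policies; IKEv2 policies and all other commands are skipped."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header = POLICY_HEADER.match(line)
        if header:
            current = IkePolicy(header.group(1), int(header.group(2)))
            policies.append(current)
            continue
        parts = line.split(maxsplit=1)
        if current is not None and len(parts) == 2 and parts[0] in POLICY_ATTRS:
            current.attrs[parts[0]] = parts[1]
        else:
            current = None    # any other top-level command closes the block
    return policies

def audit_ike_policies(policies: list[IkePolicy]) -> list[str]:
    findings = []
    for p in policies:
        for key, value in p.attrs.items():
            for table, level in ((WEAK, "WEAK"), (LEGACY, "LEGACY")):
                if (key, value) in table:
                    findings.append(f"{level}: crypto {p.family} policy {p.priority}: {table[key, value]}")
    return findings

def audit_management_access(config: str) -> list[str]:
    """Flag ssh/http/telnet permitted from any source address (0.0.0.0 0.0.0.0)."""
    return [f"EXPOSED: {m[1]} management open to any source on interface {m[2]}"
            for line in config.splitlines() if (m := MGMT_ANY.match(line.strip()))]

if __name__ == "__main__":
    for finding in audit_ike_policies(parse_ike_policies(SAMPLE_CONFIG)) + audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

Run against a full `show run` the same way; policies 10 and 130 in the 8.4 config above are the ones this flags as offering DES, MD5 or DH group 1 to any peer.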
ASA 5505 Speed Issue - Help Requested if possible
Hi All,
I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:
1. Site to Site VPN is up and running perfectly.
2. Client to Site VPNs work through L2TP/IPsec and through mobile devices such as iPhone.
3. The outside interface is at line speed - approximately 5-6MBits per second.
4. When performing a download of a service pack from microsoft - Bit rate on the inside interface is approximately 1/3rd of the outside interface (A lot of loss). Interface shows no CRC errors and no input errors.
5. The outside interface shows CRC errors and INPUT errors, but because the line speed is optimal (as the client experienced via their WAN router directly, with the ASA out of the mix), I have not looked into this further. I suspect the device it is directly attached to does not auto negotiate correctly even though the interface is set to 100Mb Full Duplex.
6. Outside interface MTU is set to 1492, purposely set this way due to PPPOE over head (Please correct me if I am wrong). (Approx 8 bytes)
7. Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.
8. All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
Current Environment Traffic Flow:
1. All hosts on the network have their DNS pointed to external IP addresses currently, as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
2. The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.
3. Memory is stable at roughly 190Mb out of 512Mb
4. CPU is constant at approximately 12%.
5. WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - Potential compatibility issue between standards? I'm aware they should be compatible - input from anybody who has experienced any issues regarding this would be greatly appreciated.
Current Issues:
1. Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
2. Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).
3. I ping the IP address of the exact same server and the latency is still 400ms.
4. Changing the DC's DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
5. I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).
6. I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.
7. I flush dns, same issue for 5/6.
8. I clear xlate on the ASA and the same issue persists.
9. I close the command line, reopen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-VPN traffic.
I am currently out of ideas and would like some advice on what I have actually missed.
Things I suspect that I may need to do:
1. Upgrade IOS to latest version (Other than that - I'm out of ideas).
ASA Version 8.2(1)
hostname BLAH
enable password x.x.x.x encrypted
passwd x.x.x.x encrypted
names
name x.x.x.x BLAHPC
name 8.8.8.8 Google-DNS description Google-DNS
name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
name 203.96.152.4 TelstraClearPri description TCL-PRI
name 203.96.152.12 TelstraClearSec description TCL-Sec
name x.x.x.x BLAH_Network description BLAH-Internal
name x.x.x.x DC description DC VPN Access
name x.x.x.x Management-Home description Allow RDP Access from home
name x.x.x.x SentDC description BLAHDC
name x.x.x.x Outside-Intf
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoex
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
ftp mode passive
clock timezone WFT 12
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Google-DNS
name-server Telecom-Alien-Pri
name-server Telecom-Terminator-Sec
name-server TelstraClearPri
name-server TelstraClearSec
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network BLAH-US
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network x.x.x.x
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group service Management_Access_Secure
description Management Access - SECURE
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq 4434
object-group service FileTransfer tcp
description Allow File Transfer
port-object eq ftp
port-object eq ssh
object-group service WebAccess tcp
description Allow Web Access
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service AD_Access udp
description Allow Active Directory AD ports - UDP Only
port-object eq 389
port-object eq 445
port-object eq netbios-ns
port-object eq 636
port-object eq netbios-dgm
port-object eq domain
port-object eq kerberos
object-group network DM_INLINE_NETWORK_2
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_3
group-object x.x.x.x
group-object x.x.x.x
object-group network BLAH_DNS
description External DNS Servers
network-object host Telecom-Alien-Pri
network-object host Telecom-Terminator-Sec
network-object host TelstraClearSec
network-object host TelstraClearPri
network-object host Google-DNS
object-group service AD_Access_TCP tcp
description Active Directory TCP protocols
port-object eq 445
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
port-object eq domain
port-object eq kerberos
port-object eq 88
object-group network DM_INLINE_NETWORK_4
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_6
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_1
group-object x.x.x.x
group-object x.x.x.x
access-list inside_access_in remark Allow Internal ICMP from BLAH
access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in remark Allow Internal ICMP to BLAH
access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
access-list inside_access_in remark External DNS
access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
access-list inside_access_in remark Allows Web Access
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
access-list inside_access_in remark Allow File Transfer Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging monitor informational
logging buffered notifications
logging trap informational
logging asdm informational
logging class auth monitor informational trap informational asdm informational
mtu inside 1500
mtu outside 1492
ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 BLAH 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable RANDOM PORT
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1428
sysopt connection tcpmss minimum 48
auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
auth-prompt accept Accepted
auth-prompt reject Denied
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname **************
vpdn group pppoex ppp authentication pap
vpdn username ************** password PPPOE PASSPHRASE HERE
dhcpd auto_config outside
dhcpd address x.x.x.x/x inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source outside prefer
tftp-server outside x.x.x.x /HOSTNAME
webvpn
group-policy DfltGrpPolicy attributes
banner value Testing ONE TWO THREE
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_cryptomap_65535.1
user-authentication enable
nem enable
address-pools value Remote-Access-DHCP
webvpn
svc keepalive none
svc dpd-interval client none
USER CREDENTIALS HERE
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key SITETOSITE PSK
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key CLIENTTOSITE PSK
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
authentication eap-proxy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspect_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
: end
Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
Thanks to everybody who looked at this issue.
Andrew
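Independent of the throughput question, the posted running-config carries a few settings a reviewer would flag: `ssh`/`http` management permitted from 0.0.0.0/0 on the outside interface, an `inside_access_in` ACL that ends in `permit ip any any`, and DES/3DES/MD5 transform sets bound to the crypto maps. The following is an added audit script (not from the original post or from Cisco) that runs those checks over a constructed subset of the config; it assumes the ASA 8.x CLI syntax shown above and distinguishes transform sets that a crypto map actually binds from ones that are merely defined.

```python
"""Audit Cisco ASA running-config text for exposure and weak-crypto settings.

Added example, not from the original post. Checks mirror lines in the posted
config: ssh/http management from 0.0.0.0/0, a trailing 'permit ip any any',
and DES/3DES/MD5 transform sets that a crypto map actually binds (an unused
definition is noise, not exposure). Syntax assumed is the ASA 8.x CLI above.
"""
import re

# Constructed sample: a subset of the posted config, placeholders kept as-is.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit ip any any
http 0.0.0.0 0.0.0.0 outside
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 set transform-set ESP-3DES-MD5
"""

MGMT_ANY = re.compile(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")
PERMIT_ANY = re.compile(r"^access-list (\S+) extended permit ip any any$")
TRANSFORM = re.compile(r"^crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+-hmac)$")
BIND_TS = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ set transform-set (.+)$")
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config_text):
    """Return (severity, line_no, message) findings ordered by line number."""
    findings, transform_sets, bound = [], {}, set()
    for no, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        if m := MGMT_ANY.match(line):
            sev = "high" if m.group(2) == "outside" else "medium"
            findings.append((sev, no, f"{m.group(1)} management open to any host on {m.group(2)}"))
        elif m := PERMIT_ANY.match(line):
            findings.append(("medium", no, f"ACL {m.group(1)} permits ip any any; preceding permits are moot"))
        elif m := TRANSFORM.match(line):
            transform_sets[m.group(1)] = (no, {m.group(2), m.group(3)})
        elif m := BIND_TS.match(line):
            bound.update(m.group(1).split())
    # Second pass: only transform sets a (dynamic) crypto map binds are live.
    for name in bound & set(transform_sets):
        no, algs = transform_sets[name]
        if weak := sorted(algs & WEAK_ALGS):
            findings.append(("low", no, f"transform-set {name} is bound and uses {', '.join(weak)}"))
    return sorted(findings, key=lambda f: f[1])
```

Run `audit(SAMPLE_CONFIG)` to get the findings; `ESP-DES-MD5` is deliberately left unbound in the sample so it is not reported.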