2911 w/security - VPN with DHCP Relay to Win2K8, routing fail

Hello

I have a 2911 router and tries to terminate a VPN inside.

I want to do this is before the DHCP request to a Server 2008 inside.

I actually received this part to work. But it seems to be, 2911 router is not set the VPN clients on a VLAN internal associated with the range of network, the DHCP server is to give. Or all least, does not have a flow of information between the IP address of the VPN Client and the router itself.

(washed config below)

Example: VPN Client obtains the IP address of 10.101.55.10. The router has a loop (or subinterface in my last iteration of the config) address of 10.101.55.1.

And yet, when my VPN client connects, I am not able to ping to an IP that my router has. I can ping myself (10.101.55.10), but I only ping the router in any way which.

Does anyone have any ideas?

-----

Paste config

-----

!
! Last configuration change at 04:48:18 UTC Friday 25 March 2011 by x
!
version 15.0
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name x
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 x
!
AAA new-model
!
!
AAA authentication login default local radius group
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
!
!
!
No ipv6 cef
IP source-route
IP cef
!
!
!
!
property intellectual name x
!
Authenticated MultiLink bundle-name Panel
!
!
!
Crypto pki trustpoint TP-self-signed-3088527431
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 3088527431
revocation checking no
rsakeypair TP-self-signed-3088527431
!
!
TP-self-signed-3088527431 crypto pki certificate chain
certificate self-signed 01
3082024B 308201B 4 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 33303838 35323734 6174652D 3331301E 31393532 OF 30323236 170 3131
31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 33 30383835 65642D
32373433 3130819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100BB8B DCF74C9C 5068AF8B 17458225 C2C3702C 416CE391 6EA8991B D3CFFA1A
62FCA661 566A30C5 2ADE1CBF 558335F9 E9811663 819FA2E9 BEEC77CD 768A 5829
437E90FA 17F50DDE 94B52B67 96E1E8FC E4E7A12C 07E67582 342774 5 DF956CC8
FAB6BA34 AB2D79B0 771D8D88 40FDDC34 9F5A0145 4A18B252 037DCDE1 8A114B84
010001A 3 73307130 1 130101 FF040530 030101FF 301E0603 0F060355 0F190203
551 1104 17301582 1341434 C 50475231 74657374 2E636F6D 301F0603 2E61636C
551 2304 18301680 14929613 69D7A350 EA595EC1 C1520246 C00CAB37 A2301D06
04160414 92961369 D7A350EA 595EC1C1 520246C 03551D0E 0 0CAB37A2 300 D 0609
2A 864886 04050003 81810077 CBE5CA04 9D75B036 CF639BEC EFD03A3C F70D0101
FB1390E6 5DC1DBF9 7311123D 9A 018140 2509EADC 9F03747E 3D12F993 BB69D424
AEA4E0A6 75AF5209 4BD15BE0 92BDA0F1 C74245AF C41DB154 E443F8AD 3605EBE3
F293D601 10 C 07520 FCB38B3E 6AC9AE74 AE9CB2A2 A80CED34 1FE185CF 24B1A689
A9E1CF15 F3041A8E CE12C914 C53EEA
quit smoking
udi pid CISCO2911/K9 sn x license
!
!
VTP version 2
user name x
!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh version 2
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 5
preshared authentication
Group 2
ISAKMP crypto key address 0.0.0.0 dmvpnkey 0.0.0.0
ISAKMP crypto nat keepalive 20
!
the group x crypto isakmp client configuration
x key
DNS 10.0.0.6 10.0.0.3
area x
10.3.0.3 DHCP server
GIADDR DHCP 10.101.55.1
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac VPNSET
Crypto ipsec transform-set esp-3des esp-sha-hmac dmvpnset
!
Crypto ipsec profile dmvpnprof
Set transform-set dmvpnset
!
!
dynamic-map crypto vpn-dynmap 10
game of transformation-VPNSET
!
!
customer vpnclientmap of authentication crypto map list vpnusers
card crypto isakmp authorization list groupauthor vpnclientmap
client configuration address card crypto vpnclientmap answer
vpnclientmap 10 card crypto-isakmp ipsec vpn Dynamics-dynmap
!
!
!
!
!

!
!
interface GigabitEthernet0/0
Telus MPLS description
IP 10.101.2.1 255.255.255.252
IP virtual-reassembly
Shutdown
automatic duplex
automatic speed
!
!
interface GigabitEthernet0/1
AllNorth hand VPN description
DHCP IP address
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
vpnclientmap card crypto
!
!
interface GigabitEthernet0/2
Description main trunk to LAN internal
no ip address
automatic duplex
automatic speed
!
!
interface GigabitEthernet0/2.4
encapsulation dot1Q 4
IP 10.101.4.1 255.255.255.0
IP helper 10.3.0.3
IP nat inside
IP virtual-reassembly
!
interface GigabitEthernet0/2.10
encapsulation dot1Q 10
IP 10.101.10.1 255.255.255.0
!
interface GigabitEthernet0/2.50
encapsulation dot1Q 50
IP 10.101.50.1 255.255.255.0
!
interface GigabitEthernet0/2.55
encapsulation dot1Q 55
IP 10.101.55.1 255.255.255.0
!
interface GigabitEthernet0/2.99
encapsulation dot1Q 99
IP 10.101.99.1 255.255.255.0
!
interface FastEthernet0/0/0
switchport access vlan 4
!
!
interface FastEthernet0/0/1
!
!
interface FastEthernet0/0/2
switchport access vlan 10
!
!
interface FastEthernet0/0/3
switchport mode trunk
!
!
interface Vlan1
no ip address
!
!
!
Router eigrp 1
Network 10.250.1.2 0.0.0.0
!
router ospf 100
Log-adjacency-changes
0.0.0.0 network 10.101.2.2 area 0
!
VPN IP local pool 10.151.56.1 10.151.56.20
IP forward-Protocol ND
!
no ip address of the http server
no ip http secure server
!
IP nat inside source nat route map - this interface GigabitEthernet0/1 overload
IP route 10.3.0.0 255.255.255.0 10.101.4.2
!
allowed to access-list 23 x
access-list 23 allow 10.0.0.0 0.255.255.255
access-list 100 permit udp any host x eq isakmp
access-list 100 permit esp any host x
access-list 100 permit gre any x host
access-list 100 permit tcp any host x eq telnet
access-list 104. allow ip 10.101.4.0 0.0.0.255 any
access-list 104. allow ip 10.101.55.0 0.0.0.255 any
access-list 130 allow ip 10.0.0.0 0.255.255.255 10.101.55.0 0.0.0.255
!
!
!
!
nat permit - this route map 10
corresponds to the IP 104
!
!
x SNMP-server community
!
control plan
!
!
!
Line con 0
line to 0
line vty 0 4
access-class 23 in
Synchronous recording
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
Scheduler allocate 20000 1000
end

Yes, it looks like you might have as a subnet of more large covered in your routing protocols internal hence set up 'reverse-road '.

Good to hear it works now. Kindly, please mark this post as responded while others can learn from this post. Thank you.

Tags: Cisco Security

Similar Questions

6.1.4 NSX upgrade to 6.2.0: DLR fails to upgrade with DHCP relay message

Hey all, in the middle of an upgrade of non-prod to a greenfield 6.1.4 6.2. Did the Manager NSX, and follow-up of all controllers. Then after the VMware recommended upgrade sequence, I did the GSS. Then began the DLR. When you try to upgrade the DLR, I received an error message
The "Upgrade Version" operation failed for the entity with the following error message.
[DHCP] To enable DHCP Relay, DR instance must be created with a single connected LIF.
Also, the router now displays status in the NSX edges pane: "failed to create/update edgeAssist interface for edge edge-3.» 404 not found. »
So I tried erase the configuration of DHCP on the DLR with the button relay remove, no dice. Tried to redeploy, fail with the same message. Tried to force synchronization, changes in status to "impossible to force synchronization. NSX Edge edge-3 is in poor condition. Try the operation again. The DHCP configuration disappears, but the change seems never commit, because when I browse the bracing or routing section and browse to the DHCP relay page, the original configuration is still there. It is a simple DLR with no configured HA. I have attached the newspapers of DLR tech support in case there is any support curious people out there. Note, vCenter 6.0.0 2741530, ESXi 5.5 Patch 5 reissue 2718055.
He was just going to remove the DLR and re-create it since it's a lab, but if it wasn't a lab I just want to know why it's a failure.

After reading more carefully, I apparently missed a step in the upgrade (hosts). I suggest that whoever does the upgrade follows the upgrade guide in pubs located here: 6.2 NSX VMware vSphere Documentation Center
- Manager of NSX upgrade to 6.2
- Upgrade of the Cluster controller NSX to 6.2, check the status of cluster control
- Upgrade the cluster hosts for NSX 6.2
- 6.2 the NSX border upgrade
- Guest Introspection to NSX 6.2 update
- Remove the NSX data security and redeploy
So I tried a lot of things to work myself back from that. I tried to upgrade the hosts but that didn't fly, esx-vxlan has been blocked to version 5.5.0 - 0.0.2691051. To return to a viable State in the end I had to nuke basically the GSS, logical switches, DLR, TZ, manually uninstall the NSX vibs and unsubscribe manager the NSX to vCenter in the cluster take-off of the State of "uninstall." From there, re - install the 5.5.0 - esx-vxlan 0.0.2983935 (6.2) vibs on the cluster worked OK, and I rebuilt the gateway routing and dashboard. So read before making anywhere near prod. : )

Help with DHCP relay

I inherited a network with a dhcp/DC with two network cards, 1 for the data network and the other for the vlan voice.

I know this is an unsupported configuration, and I want to get rid of the adapter for the vlan voice. I have to make sure that dhcp is working on the vlan voice.

Network is made up of a stack of PowerConnect 70xx switces.

My question is what must be configured on the stack. There are so many options... IP helper, relay DHCP, ect...

If the switch is in mode Layer 2, then use l2relay DHCP commands. If it is in Layer 3 mode, then you use the controls to support IP. If in layer 3 mode make sure VLANS routing is turned on.

Console #config

Console (config) #ip Routing

Console (config) #interface vlan 2

Console (config-if-vlan2) #routing

Console (config-if-vlan2) #exit

Console (config) #interface vlan 3

Console (config-if-vlan3) #routing

Console (config-if-vlan3) #exit

Console (config) #interface vlan 4

Console (config-if-vlan4) #routing

Console (config-if-vlan4) #end

Hope this helps,

Thank you.

ASA remote VPN with DHCP failed

I am running a version 8.3 ASA5540 (2). I have several deletion of vpn users working on this server. Lately, I have had problems with people starting or being not not able to route any where and it seems to be cause that they fight for the same IP address using the local pool, so I decided to try to DHCP rather (I have no idea why he keeps overlapping IPs, we have tons in the pool and they fight for the same). This just started about a month ago, we use only maybe 3-5 fps on / 24 block. The only thing that changed was we hired more people, but we have separate groups for team operations corporate vs.

So I configure the scope dhcp-network for the subnet and the server dhcp under the policies. I see demand go on the server, but it seems to put the MAC ASA in the field of the hardware address of the Client in the DHCP header. I have attached the IBDP of ASA showing this. Anyone know why this is happening and is there a way around it?

Hello Keith,

118 great option to have this info.

Please keep an eye on it and if you still see it works please mark it as answered so future users can refer to this discussion for a solution

Concerning

L2l VPN with public ip of the router and firewall with private IP

Dear all,

I have a requiremnt for site to site VPN configuration but the firewall on the remote end is not obtained public ip, public ip address is termintaed on the router. Please find the attached diagram

LAN--> Firewall - privateip--> router-publicip - ISP

How can I set up the site to site VPN tunnel, enjoy emergency assistance

Thanks in advance...

Mikael

You can configure static NAT for 1:1 for the SAA outside interface with a spare public ip address of the router address.

If you don't have spare public ip address, then you must configure static UDP/500 and UDP/4500 PAT on the router and enable NAT - T on the SAA.

a way vpn with asa to the 800 router

people

I have a site to site vpn set up between a asa 5540 and a 800 router

I want only the vpn to be initiated from the asa with the 800 remote listen incoming connections

I know that I can define the type of connection on the asa as only come but I can find an equivalent command to answer only for the 800 remote

can anyone point me in the right direction or is it enough to simply configure the asa as are created only for this encryption card

Thanks to anyone who takes the time to answer

Hello

I recommend you configure the tunnel as a dynamic to static tunnel VPN, the ASA will be the static counterpart, so it will be the initiator and the router will never be able to establish the connection.

The ASA will be a common L2L configuration, but the router will use a dynamic encryption card.

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008051a69a.shtml

The PIX in the example is old, then you can simply adjust the controls to your current version, the important thing is to understand the concept.

Please let me know if that answers your question,

Thank you.

VPN with a site on dhcp

I have a very simple deal put in place and wanted to similate a vpn with a site on the dhcp address.

R1 - R2 = R3 - R4.

R2 with static IP and R3 is supposed to be with DHCP. The underlying routing works very well. But when I apply cryptography to routers, it stops working.

When I got a ping from R1 to R4, R2 is decryption, but when I ping from R1 to R4, R2 is not encrypt.

Thank you.

===============

Chantal of R2

!

R2 #sh run
hostname R2
!!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
match address 150
!
!
map statmap 65000-isakmp ipsec crypto dynamic dynmap
!
!
!
!
interface FastEthernet0/0
1.1.12.2 IP address 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet1/0
IP 1.1.23.2 255.255.255.0
automatic duplex
automatic speed
statmap card crypto
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 1.1.34.4
!
===============

R3 racing

R3 #sh run
!
hostname R3
!
!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key cisco123 address 1.1.23.2 No.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
MYmap 10 ipsec-isakmp crypto map
defined by peer 1.1.23.2
Set transform-set RIGHT
match address 150
!
!
!
!
interface FastEthernet0/0
IP 1.1.23.3 255.255.255.0
automatic duplex
automatic speed
crypto mymap map
!
interface FastEthernet1/0
IP 1.1.34.3 255.255.255.0
automatic duplex
automatic speed
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 1.1.12.1
access-list 150 permit icmp 1.1.34.4 host 1.1.12.1
!
end

For dynamic to static IPSec site to site VPN, you can only come from the dynamic end VPN tunnel.

In your topology, you can only start the VPN of R4 to R1, and once the VPN tunnel is established, you will be able to pass traffic in both directions, that is to say: R4 R1 and R1 to R4.

The reason why you cannot start the tunnel VPN of R1 to R4 is the static end won't know which IP address to connect to the VPN too since DHCP is.

If however, you want to say that even after the opening of the tunnel VPN of R4 to R1, still cannot you ping from R1 to R4, then it's probably a config problem.

Please kindly share the complete configuration of all 4 routers, as well as the output of "show the isa cry his ' and ' show cry ipsec his" of R2 and R3 after the test.

DHCP Snooping without configured DHCP relay

Hello

We use DHCP Snooping with DHCP relay successfully configured... but I was wondering if the DHCP-Snooping function is also working on a (composed by different switches) L2 network where the DHCP server is on the same VLAN as the client?

I know that server must be in a VLAN dedicated but segmentation VLAN server DHCP - client is scheduled in a second step...

Thanks for your suggestions!

Hi Omar,.

The DHCP server can be on the same VLAN as the customers, no problem with that.

You must configure the port on the DHCP server as being approved with the following commands:

conf t

IP dhcp snooping

IP dhcp snooping vlan x

interface fastethernet x / y

IP dhcp snooping trust

FastEthernet x / is the port where the DHCP server must be located.

Cheers:

István

IPSEC VPN with Dynamics to dynamic IP

Hello

I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.

Is someone can you please tell me if it is possible to do?

If so, please share with me the secret to do work.

Thank you!

Best regards

Rather than the Crypto map, I would use the profile of Crypto. Then, establish you an IPSEC tunnel. The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network. The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute. In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.

So, if you type:

config t

interface tunnel100
destination remote.dyndns.com tunnel

output

See the race int tunnel100

It shows:

interface Tunnel100
tunnel destination 75.67.43.79

That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.

I have seen that two of your routers running DDNS. They will have to do this.

Local router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of remote.dyndns.org
IP 10.254.220.10 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 75.67.43.79
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.2.0 255.255.255.0 10.254.220.9

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination remote.dyndns.org tunnel".
!

--------

Remote router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of local.dyndns.org
IP 10.254.220.9 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 93.219.58.191
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.1.0 255.255.255.0 10.254.220.10

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination local.dyndns.org tunnel".

Thank you

Bert

DHCP relay for users (ASA) SSL VPN

I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:

dhcprelay Server 10.100.2.101 on the inside

dhcprelay activate vpn

dhcprelay setroute vpn

and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.

You try to assign the IP address to the SSL vpn client using the DHCP server?

If so, you don't need these commands contained in your message.

Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.

Here is an example of Ipsec client. Setup must be the same.

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

Remote access VPN with ASA 5510 by using the DHCP server

Hello

Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

!

ASA Version 8.2 (5)

!

interface Ethernet0/1

nameif inside

security-level 100

IP 10.6.0.12 255.255.254.0

!

IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

!

Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

!

Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic dyn1 1jeu transform-set FirstSet

dynamic mymap 1 dyn1 ipsec-isakmp crypto map

mymap map crypto inside interface

crypto ISAKMP allow inside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 43200

!

VPN-addr-assign aaa

VPN-addr-assign dhcp

!

internal group testgroup strategy

testgroup group policy attributes

DHCP-network-scope 10.6.192.1

enable IPSec-udp

IPSec-udp-port 10000

!

username testlay password * encrypted

!

tunnel-group testgroup type remote access

tunnel-group testgroup General attributes

strategy-group-by default testgroup

DHCP-server 10.6.20.3

testgroup group tunnel ipsec-attributes

pre-shared key *.

!

I got following output when I test connect to the ASA with Cisco VPN client 5.0

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

[OK]

KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

Kind regards

Lay

For the RADIUS, you need a definition of server-aaa:

Protocol AAA - NPS RADIUS server RADIUS

AAA-server RADIUS NPS (inside) host 10.10.18.12

key *.

authentication port 1812

accounting-port 1813

and tell your tunnel-group for this server:

General-attributes of VPN Tunnel-group

Group-NPS LOCAL RADIUS authentication server

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

7048 routing/DHCP relay with 5548

Hello

I have a problem with the 5548 do not relay the query DHCP for PXE (SCCM), 5548 is connected to 7048 (trunk). We shop Cisco, this is the first time that I am using DELL. Any help is appreciated.

--------7048--------

!Current Configuration:!System Description "PowerConnect 7048, 4.2.2.3, VxWorks 6.6"!System Software Version 4.2.2.3!System Operational Mode "Normal"!configuregvrp enablevlan databasevlan 2,10-11,21,50-52,156vlan routing 1 1vlan routing 10 2vlan routing 21 3vlan routing 50 4vlan routing 51 5vlan routing 52 6vlan routing 156 7vlan routing 2 8vlan routing 11 9vlan association subnet 10.112.0.0 255.255.252.0 10vlan association subnet 10.112.4.0 255.255.255.0 11vlan association subnet 10.116.4.0 255.255.252.0 21slot 1/0 5    ! PowerConnect 7048slot 1/1 11   ! SFP+ Cardslot 1/2 9    ! CX4 Cardslot 2/0 6    ! PowerConnect 7048Pslot 2/1 11   ! SFP+ Cardslot 2/2 9    ! CX4 Cardstackmember 1 5    ! PCT7048member 2 6    ! PCT7048Pip routingip route 0.0.0.0 0.0.0.0 192.168.1.58ip route 10.0.0.0 255.0.0.0 192.168.1.58interface vlan 1exitinterface vlan 2ip address 192.168.1.57 255.255.255.252ip local-proxy-arpno ip redirectsexitinterface vlan 10ip address 10.112.0.1 255.255.252.0no ip redirectsexitinterface vlan 11ip address 10.112.4.1 255.255.255.0ip helper-address 10.112.1.50ip local-proxy-arpno ip redirectsexitinterface vlan 21ip address 10.116.4.1 255.255.252.0ip helper-address 10.112.1.50ip helper-address 10.112.1.51exitinterface Te1/1/2description 'F2_NTR_4'gvrp enablespanning-tree portfastswitchport mode trunkdot1x port-control force-authorizedexit

------5548------

vlan databasevlan 10-11,21exit

gvrp enable

ip dhcp relay enable

stack master unit 1!interface vlan 1 ip address dhcp!interface vlan 10 ip address 10.112.0.4 255.255.252.0 ip dhcp relay enable ip proxy-arp

interface gigabitethernet1/0/18 spanning-tree portfast switchport access vlan 21

ip route 0.0.0.0 0.0.0.0 10.112.0.1

interface tengigabitethernet1/0/1 description F2_NTM gvrp enable spanning-tree portfast auto switchport mode trunkSW version 4.1.0.1 (date  05-Apr-2012 time  15:03:04)

Gigabit Ethernet Ports=============================no shutdownspeed 1000duplex fullnegotiationflow-control onmdix autono back-pressurespanning-treespanning-tree mode RSTP

qos basicqos trust coseee enable

SCCM PXE server is fine, tested on Cisco gear.

It's weird, PXE starts working when I hard code the fiber connecting switches to full-duplex, even if they show the full duplex in automatic. Thanks for your help.

Problems with P2P VPN with interface DHCP

I have properly configured a P2P VPN with two Cisco 888 using the static IP address. If I put a single interface to DHCP and the unit is power cycling it won't ask an IP address, until I have don't deliver "no card crypto " and bounce the interface.

Any ideas on how I can leave the card encryption in place and have the interface to get an IP address?

Thanks in advance.

With config like this:

access ip-list 100 permit a whole

You are due ALL traffic is encrypted and expect to have to decrypt all traffic. That is traffic that is recived on the interface will be deleted unless they are encrypted.

Is site to site VPN with sufficiently secure router?

Hello

I have a question about the site to site VPN with router.

Internet <> router <> LAN

If I have a VPN site-to-site configured on the router above with another site. I configured to block incoming Internet connections with the exception of VPN to access list. What are the risks of the LAN is exposed to threats from the Internet? Recommend that you put in a firewall between the router and the LAN, or replace the router with a firewall?

Thank you

Hi Amanda,.

Assuming your L2L looks like this:

LAN - router - INTERNET - Router_Remote - LAN

|-------------------------------------------------------------------------------|

L2L

Traffic between the two local area networks is protected by the VPN tunnel. It is recommended to use the recommended security (strong encryption settings) to ensure that the encrypted traffic would not be compromised through the Internet.

On the other hand, if you talk about outbound plaintext to the Internet, as when a user acceses google.com, then you just make out traffic, but never allow all incoming connections.

If you want to protect your network with advanced security as a FW features, you can consider ZBF, which is the available in IOS Firewall/set function:

Design of the area Guide of Application and firewall policies

If you consider that this is not enough, check the ASA5500 series.

HTH.

Portu.

Please note all useful posts

WRVS4400Nv2 DHCP Relay on 2nd VLAN

Hello

Here's what I'm trying to understand:

My network is set up such that I have a wireless network in the VLAN 1, which is the main network we use. The subnet is 10.5.1.x.

My goal is to set up a wireless network completely isolated comments, but it would work better. What I'm trying to do now, is that I created a VLAN separated (VLAN 2, ranging 10.5.2.x IP) and activated DHCP on the WRVS4400N. However, in comments network, he is always picking up a 10.5.1.x IP which will be distributed by the server DHCP (10.5.1.5, Win 2003) and yet all traffic to our private network routing.

Here's what I put:

Wireless > security settings > network (SSID 2) comments
- Wireless Isolation (between w/o SSID VLAN): enabled
- Insulation (within SSID) wireless: enabled
Setup > LAN > VLAN 1
- Router IP 10.5.1.1, CAMERA IP WiFi 10.5.1.3
- DHCP relay for 10.5.1.5
Setup > LAN > VLAN 2
- 10.5.2.1 IP router
- DHCP enabled for the subnet 10.5.2.x
- Relay DHCP option is grayed out (don't know why)
Setup > Advanced Routing
- Routing inter - VLAN: disabled
A way to solve this problem would be nice. I don't want traffic through our internal network. Ideally, if I get Windows server to distribute addresses of 10.5.2.x, it would be perfect, but I do not know how to configure it for such.

If anyone has any ideas, that would be great-thanks!

Matt

Yes... Here is an answer I got Cisco engineering support:

The issue you reported is a known problem.
Engineering and development are aware of this problem and provided the following information:

DESCRIPTION OF THE PROBLEM:
If the WRVS4400N is configured with multiple VLANs, and these VLANs are mapped to different SSIDS, the user cannot use an external DHCP server to provide IP scopes for these VLANS.
Hosts connected to two SSID will get the native DHCP server IP address only.
The workaround for this is to use the DHCP server integrated for all the VLANS defined on the WRVS4400N.

Note: This is not a bug but rather a limitation of product. The developer confirmed that the WRVS4400N works as expected.

A difficulty regarding:
Because of the wireless switch port and the trunk by using different chipset, it is not possible to provide a fix for this problem.
In the future, engineering & product Dev teams will try to use the same chip set (same provider).
This feature has been targeted for the next new product. No solution will be on the current hardware.

Note: If this function is vital for your deployment and you want to recover the cost of the WRVS4400N, please send the serial number and a copy of your proof of purchase and we will gladly provide a refund.

Best regards

Alex Delano

2911 w/security - VPN with DHCP Relay to Win2K8, routing fail

Similar Questions

Maybe you are looking for