ACS ping problem
Hey guys!
Need your help!
I'm setting up an ACS 1113 and I had a weird problem, I turned off the CSA to enable pings ok, it works on my PC for ACS but GBA cannot ping my PC!
I also have another problem, I can access the ACS and all configured but when I put it on the network I can't access it, then I put it directly connected to my PC I can access the web interface normally.
I don't know what happened... I saw a post that says that I should set up directly connected to the network... but I did not I have connected my laptop and composes the tests before putting on the network...
Does anyone know why? And what is the workaround for it?
I have attached the ping information and my Ipconfig for my laptop and one following the 'show' connected to the console
Quote
Cisco Secure ACS: 4.2.0.124
The application management software: 4.2.0.124
Ask tiBase Image: 4.2.0.107
The session timeout: 10
Last reset to zero hour: Fri 27 Aug 13:06:44 2010
NTP servers: 10.21.4.1
Free CPU on the free physical memory disk load
Memory of MBhysical 749 109 GB 0.00%
IP of the server configuration
DHCP active...: No.
... The IP address: 10.21.4.61
... Subnet mask: 255.255.255.0
... Default gateway. : 10.21.4.155.0.
DNS servers...: 10.21.4.11
10.21.4.21
CSAuth race
CSDbSync race
Case running
CSMon race
CSRadius race
CSTacacs race
CSAgent stopped
End of quote
Console ping tests
gavprdrjlacs01 > ping 10.21.4.62
Ping 10.21.4.62 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.21.4.62:
Packets: Sent = 4, received = 0, lost = 4 (100% loss)
gavprdrjlacs01 >
gavprdrjlacs01 > ping 10.21.4.61
Ping 10.21.4.61 with 32 bytes of data:
Reply from 10.21.4.61: bytes = 32 time<1ms
Reply from 10.21.4.61: bytes = 32 time<1ms
Reply from 10.21.4.61: bytes = 32 time<1ms
Reply from 10.21.4.61: bytes = 32 time<1ms
Ping statistics for 10.21.4.61:
Packets: Sent = 4, received = 4, lost = 0 (0% loss),
Time approximate round trip in milli-seconds:
Minimum = 0ms, Maximum = 0ms, average = 0ms
Thanks mates!
Your default gateway is listed as 10.21.4.155.0, which means that the 1113 will not be able to reach something outside the local network.
You can fix this by issuing a "set ip" on the CLI and guests.
Tags: Cisco Security
Similar Questions
-
Intel 5300 in T400 high Ping problem!
I bought a laptop T400 with a wireless card intel 5300 a few days ago, and I have installed the latest driver from intel which is v12.1.2.1 for 32-bit vista.
I tried to ping the gateway of my house, then feedback between 300-500 ms, sometimes going to 900 ms and sometimes the sound directly outdoors. I also tried to use my other card USB wireless to test this problem on T400, then it was fine, feedback constantly 206ms.
IM using vista 32 bit with SP1, and I tried to reinstall vista as well and test without any software, then same problem.
but, on my other pc, PING feedbacks are very good, constantly 206ms, if someone knows what's the problem? THX
Check your 5300 card power management settings and make sure they are all set for maximum Performance.
See you soon,
Bill
-
Internal Hostname Ping problems
Running on my internal network (just a plain jane workgroup) that does not connect.
When I Ping any machine on my network from another machine on my network, he decides:
hostname. Linksys.com (a random IP address)
Request Timed Out
Request Timed Out
Request Timed Out
Request Timed Out
I know I should get (hostname) (ip address of the router assigned) 192.168.1.100
Reply from 192.168.1.100
Setting of the router is causing this problem? Using the RV042.
The RV042 now reports to the Cisco Small Business Support Community.
For discussions concerning this product, please go here.
-
I have problems reinstalling a server ACS (4.0 on Win 2003).
I get a lot of error messages like:
"Failure of line 194, CryptAqquireContext... V:\ismg_israel_acs\Acs\Crypto\init.c."
I have no disk called V currently mapped, and the name of this directory is certainly not familiar. It does not exist on this server at all.
I used the same setup files on the other servers before without any problem.
I also searched the registry for some of the channels in the error message, without finding them.
It's really giving me a headache!
If all goes well there's someone in the community who can help me on this.
Hello
Do not own you the V: drive. This is the location on the server where ACS has been compiled in this build.
This could be due to a partially broken uninstall a previous version of ACS. You can try to get your hands on the clean utility (on the cd)?
Or run "findstr /I CiscoSecure *.*" in your Application Data\... Microsoft... \Crypto\RSA\... and delete the file with the text of Cisco Secure container.
Then you should be good to go.
-
Hello...
I have GBA 2.6 (4) 4 and all the problems are happening:
Authentication and authorization of the NAS work normally, but the accountants do not work properly. If I use accounting only exec, in the report connected' GBA users appears; OK, if I add the accounting level 0, 1 or 15 commands, users appears in the report is 'connected', but if I use any command (enable, show..., debug, etc.) users disappears in the report and that commands are presented in TAC + administration. I tried using ACS 3.1 and accounting works normally.
Is this a BUG? If not, why I solve this problem?
the configuration of my equipment is:
======
Cisco IOS 2620 (C2600-I-M), Version 12.1 T7 (5)
======
Console rate-limit logging 10 except errors
AAA new-model
AAA authentication login default group Ganymede + local
AAA authentication ppp default to group Ganymede + local
authorization AAA console
default AAA authorization exec group Ganymede + none
default network AAA authorization group Ganymede + none
AAA accounting update newinfo
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 1 by default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
AAA accounting network default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
====
TKS.
Yep, it's a bug.
See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239
-
5.6 ACS authentication problem
We are in the process of upgrading our ACS 4.1 for a 5.6 ACS appliance.
The unit is installed on the network, etc. correctly licensed.
I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.
I created a network (switch catalyst) as a Ganymede client device + and specified single-connect.
When I SSH into the switch, I can connect using my AD user name and password, but I can't go into enable mode. It says "authentication failure".
My aaa settings are
radius-server host 172.25.50.8
RADIUS-server timeout 3
RADIUS-server application made
radius-server key
I'm missing something somewhere, I don't know where. If I try and download the bundle to support ACS, it says download, but does not say where (or how).
any advice would be great. I'm new to this product.
See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889
-
Version 4.1 ACS certificate problem
Our self-signed certificate has expired and I tried to install a valid certificate of our internal CA. The generation of CSR, addition of our internal CA as a valid root, import and installation of the new key all seemed to go smoothly. However, when I restarted the service to activate the new cert I was no longer able to access the server via the web interface.
Connection via the console allows me to see that everything works apparently fine, but I cannot manage the server through the web and therefore cannot add/remove/edit and entries.
Attempted to update the certificate on the second certificate, signed by association with a car and he is also updated without problem, but the web interface works in this system.
I need advice on how to get the web interface work.
Can you give us some details on what happens when you try to access the server via a browser? What is happening in the browser? Messages?
Have you tried using http: instead of https:?
Have you tried another browser?
Your ACS running Windows, it is the camera, or?
-
With Ganymede ACS authentication problem
My organization was using ACS with AD to authenticate users for access to network devices.
But lately, it does not work. There has been no known changes.
Can anyone help point the possible problems or links to see how the actual configuration of the CSA to be or look like for that to work.
My apologies if this is naïve question, am not not so easy with ACS.
Thank you!
Hello
There are two ways to correct the message 'windows dialin permission required'. You can either add permissions to call on the user accounts on your database of Windows, or you can remove the option "Require Dialin permissions" ACS. To do this, go to "External user databases" and select "Database Configuration". Then go in your database of Windows and click "configure". The first option is a box that gives you the opportunity to "make sure that grant dialin permission is checked".
Checking this box will cause the error you get if your windows users do not have permissions to call. If you uncheck this box, it must clarify this.
HTH
JK
-
Cisco ACS installation problem
Hello everyone.
I have Cisco acs 4.2 on windows 2008 64 bit installation and get a very strange error when installing. V: ismg_israel_acs it gives some encryption error.
Can someone please help me on this who have encountered the same problem. My project is stopped cause of it.
Thanks in advance.
Sent by Cisco Support technique Android app
Hi Rizwan,
If you're upgrading some version prerequisites ACS then I think you get something like this V:\ismg_israel_acs\Acs\Crypto\init.cpp
You need to locate the old CryptoAPI container used by ACS, which may still be on the system. This is normally located in C:\Documents and Settings\<username that installed ACS>\Application Data\Microsoft\Crypto\RSA.
There will be one or more files with very long hexadecimal filenames. You must identify the right one.
Open a command prompt in that folder and type "findstr /I CiscoSecure *.*" - the file name that appears should be the old container of ACS.
Let me know if you will be able to search for any file.
~ BR
Jatin kone* Does the rate of useful messages *.
-
Hi all!
I have a problem with the configuration of the network access restrictions.
I put the function through the shared profile component and group level NAR also, but none of them doesn't work.
My test AAA client is a simulator of customer RADIUS of VASCO. I thought that this software does not send the correct RADIUS attributes, behavior of the ACS is never prohibitive, but sometimes, it should be.
I also tried with version 3.2 and 4.2.
Is there a tip or something that I messed up?
Thank you for the answers!
For wireless users, you must use CLIS/DNIS based access restriction.
If you the corresponding IETF Radius user wireless access point, basic authentication should work, but question would be with a part of the authorization.
Kind regards
~ JG
-
Cisco ACS TACACS+ problem with authentication
I'm having a problem authenticating to a switch using TACACS+ on my ACS 5.2 server. I can actually do a 'test of aaa group tacacs+ username password inheritance' and it returns a successful user authentication. When I try to use this same account to authenticate the switch, it is unsuccessful, and I'm not even that attempt to hit GBA.
Most likely, is a configuration of Miss of the AAA command on the switch.
Sent by Cisco Support technique iPad App
-
Hi all
First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.
The main problem is that when ping devices internal when you are connected to the results are very inconsistent.
Ping 192.168.15.102 with 32 bytes of data:
Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128
Request timed out.
Request timed out.
Request timed out.
We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?
Here is a dump of the configuration:
Output of the command: "show config".
: Saved
: Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013
!
ASA Version 8.2 (5)
!
hostname VPN_Test
activate the encrypted password of D37rIydCZ/bnf1uj
2KFQnbNIdI.2KYOU encrypted passwd
names of
192.168.15.0 - internal network name
DDNS update method DDNS_Update
DDNS both
maximum interval 0 4 0 0
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
Description VLAN internal guests
nameif inside
security-level 100
DDNS update hostname 0.0.0.0
DDNS update DDNS_Update
DHCP client updated dns server time
192.168.15.1 IP address 255.255.255.0
!
interface Vlan2
Description of VLAN external to the internet
nameif outside
security-level 0
address IP xx.xx.xx.xx 255.255.255.248
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS server-group DefaultDNS
Server name 216.221.96.37
Name-Server 8.8.8.8
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
outside_access_in list extended access permit icmp any one
outside_access_in list extended access deny interface icmp outside interface inside
access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all
Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0
inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192
Note to inside_access_in to access list blocking Internet traffic
access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all
Note to inside_access_in to access list blocking Internet traffic
inside_access_in extended access list allow interface ip inside the interface inside
inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192
Note to inside_access_in to access list blocking Internet traffic
access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool
inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow any response of echo outdoors
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.15.192 255.255.255.192
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
inside_access_ipv6_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
255.255.255.0 inside internal network http
http yy.yy.yy.yy 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt connection timewait
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.15.200 - 192.168.15.250 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 192.168.15.101 source inside
prefer NTP server 192.168.15.100 source inside
WebVPN
internal remote group strategy
Group remote attributes policy
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_splitTunnelAcl
username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz
username StockUser attributes
Strategy-Group-VPN remote
tunnel-group type remote access remotely
tunnel-group remote General attributes
address pool VPN_IP_Pool
Group Policy - by default-remote control
tunnel-group remote ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3
Hi Graham,
My first question is do you have a site to site VPN and VPN remote access client.
After checking your configuration, I see you don't have any Site to Site VPN configuration, so I'm assuming you are facing an issue with the VPN client.
And if I understand you are able to connect VPN client, but you not able to access internal resources properly.
I recommend you try and make the following changes.
First remove the following configuration:
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.15.192 255.255.255.192
You don't need the 1st one and I do not understand the reason for the second
Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.
If possible change your subnet pool all together because we do not recommend to use the IP pool that is similar to your local network.
Try the changes described above and let me know in case if you have any problem.
Thank you
Jeet Kumar
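Added example (not part of the thread and not Cisco tooling): a short Python check for the condition the reply above warns about, a VPN address pool that sits inside the local network, which also compares the pool with the `dhcpd address` scope. The sample lines are constructed in standard ASA syntax from the addresses in the posted configuration, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in standard ASA syntax, using the addresses that
# appear in the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.15.1 255.255.255.0
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
dhcpd address 192.168.15.200-192.168.15.250 inside
"""

RANGE = r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"


def parse(config):
    """Return (interface networks, VPN pools, DHCP scopes) found in the text."""
    nets, pools, scopes = {}, {}, {}
    nameif = None
    ip = ipaddress.ip_address
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # a new interface block starts
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(rf"ip local pool (\S+) {RANGE}(?: mask \S+)?", line):
            pools[m[1]] = (ip(m[2]), ip(m[3]))
        elif m := re.fullmatch(rf"dhcpd address {RANGE} (\S+)", line):
            scopes[m[3]] = (ip(m[1]), ip(m[2]))
    return nets, pools, scopes


def find_overlaps(config):
    """List VPN pools that collide with an interface subnet or DHCP scope."""
    nets, pools, scopes = parse(config)
    findings = []
    for pool, (p_lo, p_hi) in pools.items():
        for ifname, net in nets.items():
            if p_lo in net or p_hi in net:
                findings.append(("pool-in-interface-subnet", pool, ifname))
        for ifname, (s_lo, s_hi) in scopes.items():
            if p_lo <= s_hi and s_lo <= p_hi:  # closed ranges intersect
                findings.append(("pool-overlaps-dhcp-scope", pool, ifname))
    return findings


if __name__ == "__main__":
    for kind, pool, ifname in find_overlaps(SAMPLE_CONFIG):
        print(f"{kind}: pool {pool} vs interface {ifname}")
```

With the posted addresses both findings fire: the pool lies inside the inside interface's /24 and covers the same range as the inside DHCP scope.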
-
I installed a vpn for access to HVAC equipment suppliers.
The profile is RCPS_Vendor
DHCP pool is RCPS_Vendor
Finished outdoor int
Here are the steps I took:
remote access, outside of the--> psk (password), RCPS_Vendors-> authentic local name-> Hoff_Vendor (password)-> RCPS_Vendors 192.168.10.2-192.168.10.128->10.1.252.101/103->3DES SHA 2-> 3DES SHA->10.0.0.0/8 en split tunnel
from: http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html
The question is the seller has ping internal unit, and its program does not connect to units.
Updated the attached config.
Thanks in advance.
All receivers are a section of the ASA, so could you put this static route on each of these units. That would point to the inside interface on the ASA. The ASA would use its default route to send traffic to the VPN clients.
If the receivers are further inside your network and you are using a dynamic routing protocol, you can redistribute the static route to 192.168.10.0/24 on the next (from ASA) inside your network hop router so that the internal units default gateways to know where to send the traffic destined to 192.168.10.0/24.
Since your remote clients are sending traffic in VPN tunnels I don't think you need to add an ACL on the ASA to allow specific traffic from VPN clients for the receivers.
-
The trial ver 4.2 ACS installation problem
Hello
I searched the net for a while, for what could be the reason why the admin on http://127.0.0.1:2002 page do not open, after installed successfully the 4.2 ACS on Win - 2003 SP1.
I made fixes Java JRE 6.0 and installed both and I used Firefox as a browser, but all in vain.
No idea what I need to do more.
Thank you
Sam
Hi Sam,
You have an other applications to install on this server?
I suggest to install the ACS service on a new installation of windows 2003.
Thank you
-
I have two ACS with replication configured. Manual replication works fine, but when setting up scheduled replication, server said "preliminary checks indicate an unnecessary outgoing replication - completed cycle". Even if the new features have been added to the main server, replication is irrelevant.
Any thoughts?
Please check this bug,
CSCsd02854 : automatic replication has not triggered after changing the config components
Symptom: When it is configured for automatic replication, only the changes to the users/groups/SPC are replicated automatically. Changes to the configuration of NAS, Admin, PAN, external databases components do not replication trigger.
Conditions: This is seen when the automatic replication (intermittently or at a specific time) is configured.
Solution: Start the replication manually after configuration changes for the affected components have been made.
http://Tools.Cisco.com/support/BugToolKit/action.do?hdnAction=searchBugs
Please make sure that the secondary ACS server, we have all the replicated network devices from the primary ACS server successfully. If they are not, and we have configured replication scheduled to take place, then we are hitting this bug.
Kind regards
~ JG
Note the useful messages