Duplicate first detected package - VPN 3005
We had a few problems to connect to a remote office associated with our Head Office of neighborhoods using an ADSL link, with only 1 IP address public. Remote Desktop doesn't have any VPN equipment, so we use only customer Cisco VPN on W2K and W98.
Everything works for the first customer, it connects and works very well. The problem is that other equipment use the same IP to the Internet, so I think the VPN 3005 answers the request of session to the computer that it is already connected and the second PC expects a response until it delays.
Any ideas? Is it necessary to get a VPN on the other side equipment and LAN to LAN VPN?
Thanks in advance,
Juan Diego
The VPN client and the hub have a feature in them called NAT - T, where they detect that they're going through a NAT device and automatically encapsulate everything for UDP port 4500 packages, which should then be PAT would have correctly.
Check this is enabled in the properties of customers, and on the hub under Config transparency - system - Tunnelling profits - IPSec - Nat, you must be good after that.
Tags: Cisco Security
Similar Questions
-
Can a VPN 3005 cause multiple IP addresses on the external interface?
Nice day
Can a VPN 3005 cause several IPS on an external interface?
I expect to use it in an environment that has 2 ADSL connections to an internet service provider. For the sake of the exercise, we could call them ROUTER1 and ROUTER2.
We have a few VPN we always want to spend by ROUTER1 and some VPN we always want going through ROUTER2.
Is this possible?
Thank you very much
No, not possible, sorry.
-
Client VPN vs VPN 3005 concentrator using the Dial - up Internet GPRS connection
Hello!
I'm in trouble by using the GPRS Internet connection. I installed a VPN Client to connect to our VPN 3005 and it works fine but only using a V.90 Internet Dial-up regular connection. When I use GPRS I have access to the Internet, my VPN Client to connect successfully to the VPN3005, but I get no access to the Remote LAN (not even the ping test!). Can the overhead of 3DES cause something to do with this topic?
Kind regards
Russ
I also activated the udp encapsulation mode, however I notice that the success rate for the vpn full implementation of IKE (complete Exchange of keys and connection) is only abt 50% of no. some trys. I wonder if you have such an experience... Not sure it's because of the latency in GPRS.
-
VPN 3005 remote access concentrator
I inherited 2 VPN 3005 one in production with a weird config, probably because the one who set up was having a similar problem. The other I'm trying to configure correctly and will then move users who him. It has a public IP address and the private port has an address on the local network. I have installed a swimming pool with a different subnet. My client connects but cannot get on the local network. I ping the local of the 3005 but nothing past interface.
Thank you
Eric
Hello
As I understand it, the tunnel is to establish properly (so no problem on the VPN config).
If you check under surveillance | Sessions make you see the session to set up remote access? Also see packets received/transmitted?
I would check that the internal LAN has a default gateway pointing to the internal IP address of the hub (or at least a route to access) to be able to send packets to the VPN clients.
Federico.
-
Hi all
Could you someboy help me on that?
I have a network like this:
Internet Internet
| |
router VPN - 3005
|
Internal
I can set up Lan to Lan VPN 3005 and other PIX aside, but I can't ping internal network with the back of my internal network. I've already put the static route to the subnet of setbacks in the router and my subnet route internal VPN. What should I do? Thanks in advance.
Banlan
in fact the 3000 can do a ping will depend on your network-lists / lists access so that my not be a relevant question.
-
I use this version of ios on vpn 3005:
vpn3005 - 4.0.4.A - k9.bin
What is the upgrade that I need to perform:
vpn3005 - 4.1.7.O - k9.bin GOLD
vpn3005 - 4.7.2.I - k9.bin
Please advise,
Aurélie neslie
Yanic,
In your case, you can improve is updated the VPN3005 to 4.1 or 4.7 and both should be OK. Make sure you have enough RAM to upgrade to 4.1 code or 4.7 and read the detailed release notes to avoid surprises
Release notes:
4.1
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/4_1/417fcn3k.htm#wp28723
4.7
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/4_7/472con3k.htm
I hope it helps.
Kind regards
Arul
* Please note all useful messages *.
-
PIX 515e VPN 3005 concentrator cannot pass phase 1
My list of vpn access increases, so I know that it is correct. IM testing with ping. Debug configurations and follow. Remote location through VPN connection attempt with THE. Thanks to all who can help. His failure in the first phase which means configuration mess up, but I can't find a miss-match for me? Maybe ive been looking at this for a long time.
Pix515e config:
----------------
Crypto ipsec transform-set esp - esp-md5-hmac aptset
aptmap 10 ipsec-isakmp crypto map
aptmap 10 correspondence address vpn crypto card
card crypto aptmap 10 peers set yyy.xxx.xxx.131
card crypto aptmap 10 transform-set aptset
aptmap interface card crypto outside
ISAKMP allows outside
ISAKMP key * address yyy.xxx.xxx.131 netmask 255.255.255.255
part of pre authentication ISAKMP policy 10
encryption of ISAKMP policy 10
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
Debugs ipsec, isakmp, ca
-------------------------
Peer VPN: ISAKMP: approved new addition: ip:yyy.xxx.xxx.131 Total VPN peer: 1
Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt is incremented to peers: 1 Total peer VPN: 1
ISAKMP (0): early changes of Main Mode
ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.
local (identity) = zzz.xxx.xxx.226, distance = yyy.xxx.xxx.131,
local_proxy = 192.168.33.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.65.0/255.255.255.0/0/0 (type = 4)
ISAKMP (0): retransmission of phase 1...
ISAKMP (0): delete SA: src zzz.xxx.xxx.226 dst yyy.xxx.xxx.131
ISADB: Reaper checking HIS 0x81377ad8, id_conn = 0 DELETE IT!
Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt decremented to peers: 0 Total of VPN peer: 1
Peer VPN: ISAKMP: deleted peer: ip:yyy.xxx.xxx.131 VPN peer Total: 0
results of ' show crypto isamkp his. "
-----------------------------------
Total: 1
Embryonic: 1
Src DST in the meantime created State
YYY.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0
Error messages on the concentrator 3005
------------------------------------
11:14:47.640 57 07/01/2004-SEV = 4 RPT IKE/48 = 23 yyy.xxx.xxx.226
Support useful treatment of error: ID payload: 1
11:15:02.770 58 07/01/2004-SEV = 4 RPT IKE/48 = 24 yyy.xxx.xxx.226
Support useful treatment of error: ID payload: 1
3005 page concentrator Lan-To-Lan settings
-----------------------
Activated
External interface
Answer only
YYY.xxx.xxx.226 peer
Digital cert: no (use preshared keys)
Transmission of the CERT: (full certification chain)
Preshared key: {same on pix}
AUTH: esp, md5, hmac-128
encryption: des-56
proposal of IKE: IKE-DES-MD5
Filter: none
IPSec NAT - T not verified
No bandwidth policy
Routing: no
I noticed that you have a lifetime and a pfs group configured on the pix. The pfs group is 2 which I think will not work with-although I'm not positive, as I have only used with 3des. Diffie-Hellman Group1 should work with simple.
In any case, recheck the config vpn 3000 to see if a group and life expectancy have been speced on config. If not, or if you are not sure, then remove the two outside the pix and run the command of his clear cry on the pix. Then try again and let me know what you find.
-
Cannot access Internet on VPN 3005 concentrator
I installed a new concentrator 3005. I am able to connect using the Cisco VPN client. Everything seems to work except the Internet. I am able to access everything in the local network, including local intranet Web pages. If I try to access Web pages on the outside, it does not. Any ideas?
OK, so it seems there is a configuration or a problem with routing somewhere. Concentrator vpn routing table look like? Is there a default route set correctly? You can use ping to ping the default gateway?
NAT is used? Is it possible the problem is that packages are not properly natted out to internet?
-
VPN 3005 concentrator Web Administration fails
I have a vpn concentrator 3005 I can't connect to the web administration page. When I have the access concentrator, I get an HTTP 403 forbidden error. IE, the details of the error is "this error (HTTP 403 Forbidden) means that Internet Explorer was able to connect on the site, but it doesn't have permission to view the Web page." I tried several machines and Firefox as well, but all give the same error. I have no problem with the administration via telnet, but wishes to get the web interface works again. I even tried updating the hub to 4.7.2.P (from 4.7.2.O), but it does not solve the problem either. I also noticed an error in the event log which shows demand and an error HTTP 404 not found (/). Any ideas?
On your interfaces, for example, "Configuration | Interfaces | Ethernet 1 ", on the WebVPN tab you have the check box for"allow management HTTPS sessions "?
-
Recovery password: VPN 3005 concentrator
How 3005 Concentrator VPN admin password.
Here is the procedure
-
Dead Peer detection on VPN client
Hello world
I know that we can DPD over Anyconnect SSL config on cisco ASA.
You need to know we can configure the DPD on VPN on your PC as client?
Concerning
MAhesh
Mahesh,
DPD for ASA-side and Client-side detection are configured in the group policy on the ASA.
Here is a link to the section of the configuration guide and below a photo of the place where it is ASDM:
-
I have a couple of site to site vpn is configured. Is it possible to set up an event that will detect when a tunnel from site to site is to send an email? If so, I would be grateful for a point in the right direction. Thank you.
Sorry, the path is
configuration-> system-> events-> classes
-
How to export the list of internal users from VPN 3005 concentrator?
I would like to be able to export the list of users for the purpose of documentation. Is this possible to do with the 3005?
Thank you
Raul
It's not easy passing just to get the list of name of user, but you can get the whole config and then grab users ot there in a couple of ways.
In XML format, which is easier to read, go to Admin - Mgmt - XML Export file and export the config file to any file name. Then under the file Mgmt section this file that will appear in a separate window. Search to find the sections of the user names and passwords.
Text (a bit like an in the Windows .ini file), go to settings to access Admin - rights of access - and no Config File Encryption value. Save the configuration. Then go to file Mgmt and display the CONFIGURATION file, search for [user *. 1] to find all of the names of users and their values. This way is not very useful to be honest.
-
Are there explanations of debug as there are for the syslog from a pix.
I see this on my 3030. Any suggestions of what it could be. This user can enter normally. She is on a connection, it uses not normally.
10/24/2002 51575 11:57:25.440 SEV = 7 RPT AUTH/12 = 3207
Authentication login: manage = 134
51576 10/24/2002 11:57:25.540 SEV = 6 RPT AUTH/41 = 2458 xxx.xxx.xxx.34
Successful authentication: handle = 134, Server internal =, group = test
10/24/2002 51577 11:57:25.540 SEV = 7 RPT AUTH/13 = 3207
Closed session authentication: handle = 134
51578 10/24/2002 11:57:30.480 SEV = 4 IKE/0 RPT = 102 xxx.xxx.xxx.34
Duplicate first detected package!
51579 10/24/2002 11:57:35.490 SEV = 4 IKE/0 RPT = 103 xxx.xxx.xxx.34
Duplicate first detected package!
51580 10/24/2002 11:57:40.490 SEV = 4 IKE/0 RPT = 104 xxx.xxx.xxx.34
Duplicate first detected package!
10/24/2002 51581 11:57:57.570 SEV = 4 IKEDBG/65 RPT = 164 xxx.xxx.xxx.34
Group [test]
IKE AM Responder history FSM error (struct & 0xc37d0ac)
, : AM_DONE, EV_ERROR
AM_WAIT_MSG3, EV_TIMEOUT
AM_WAIT_MSG3, NullEvent
AM_SND_MSG2, EV_CRYPTO_ACTIVE
Tom, what is your email address.
I just talked to the person who is putting this together to be published on ORC, he hopes that towards the end of the year.
At this moment we have the zip file of all the events of VPN 3000 and some explanations (this is not work in progress full product - it's), but might help you in your application.
I can send you the zip file or post it on CCO. I need to your e-mail, however.
If you don't feel comfortable yor e-mail here assignment, you can email me directly ([email protected] / * /).
Thank you.
Nelson
-
3005 integrated VPN with ACS and server RSA auth
Hi guys, I have a VPN 3005, using the version 4.7.2.B version, and I have the following problem.
When a remote user using the Cisco VPN client tries to connect to the VPN 3005, it must try twice to authenticate.
The first test, the user is authenticated, but the connection is immediately undermined by the peer.
After the second attempt, the user is authenticated ok.
Pablo,
When you use RADIUS authentication on the hub, the ACS server will automatically send all the attributes of the user towards the concentrator for the user who is connecting. There is no need to have the authorization to be configured on the RADIUS server.
According to the newspapers, it looks like the IP pool is the problem.
[GroupP] user group [tuser] obtained IP addr (192.168.32.128) before launching the Cfg Mode (active XAuth)
Subnet mask of the user [tuser] sending [GroupP] (255.255.255.224) group to the remote client
User group [GroupP] [tuser] attempt to assign network or broadcast IP address, remove (192.168.32.128) of the
After that, I see the customer negotiation again and the client is connected.
Thus, the IP address is removed from the pool. Please make sure that you set up a pool that does not have a broadcast IP address.
Thank you
Gilbert
Write it down, if this post can help.
Maybe you are looking for
-
Hello! I have an iMac at home who receives the iMessages through the Message App. I'm currently disappeared from home for the next few months and do not have access to this computer. I was wondering if there is anyway that I could not disable Message
-
Boot Camp error "your bootable USB key could not be created.
Hi people... I'm trying to create bootable Windows 7 USB using bootcamp but I get this error. I know for sure the file ISO of Windows 7 is 64 bit so how cross the Please this problem?
-
PTR DNS records Server 2008 R2
Hello I am fairly new to controllers Windows Server and domain, looking for a DNS on my Server 2008 R2, I see the PTR records for machines that are no longer on the field, and some Machines have multiple PTR records. How can I get the server of range
-
'Search' and 'Run' is missing in the startup folder
original title: "Search" & "Run" is missing. My "Search" & "Run" are missing from my 'Startup' folder, how do I reinstall? I have Windows XP Professional.
-
Hey everyone, I have songs on ITunes I want on my Xperia Z3 and I was wondering if Media Go supports transfer music to ITunes? Thank you.