Failover of VPN for data/VoIP through ASA 5520 or 7204 VXR
I would like to set up a failover VPN for my remote sites using broadband (3dn/1up). They are mainly 2800 routers. My options for the hub end are a pair of Cisco ASAs in active/standby and a 7204 VXR. Voice and data will travel over the failover VPN, and I intend to have QoS/traffic shaping in place to meet the needs of VoIP as well as possible. I need to do this at about 150 sites. My questions are:
1. Which is better for this, the ASA or the 7204?
2. Will VoIP packets pass through the two in the same way?
3. As far as redistributing routes, can I use GRE on an ASA or should I keep it all static? The next hop on the ASA is an L3 switch.
4. Can an ASA with 100 meg of bandwidth through Metro E support 150 tunnels carrying VoIP and data? 1 to 3 calls per site max.
Thank you
J R
To answer your questions:
1. Which is better for this, the ASA or the 7204? - The ASA; it is what it is designed to do.
2. Will VoIP packets cross both the same way? - Yes.
3. As far as redistributing routes, can I use GRE on an ASA or should I keep it all static? The next hop on the ASA is an L3 switch. - The ASA does not support GRE tunnels.
4. Can an ASA with 100 meg of bandwidth through Metro E support 150 tunnels carrying VoIP and data? 1 to 3 calls per site max. - It depends on the model of the ASA; see the matrix below for throughput: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH
-
Site-to-site VPN with ASA 5520 *please help*
I am using two ASA 5520s and trying to set up a site-to-site VPN. This seems pretty simple, but I'm on my third day of trying to get this up and running. Both 5520s are running the latest 9.1(5) IOS.
Please note: I replaced the WAN IP addresses of the ASAs with [#1-WAN IP] and [#2-WAN IP].
Thanks in advance for any help you may have.
-------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5520 # 1:
crypto ikev1 enable outside
object network net-local
 subnet 10.0.0.0 255.255.255.0
object network net-remote
 subnet 172.20.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group [#2-WAN IP] type ipsec-l2l
tunnel-group [#2-WAN IP] ipsec-attributes
 pre-shared-key cisco123
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set SHA-ESP-3DES esp-3des esp-sha-hmac
crypto map oustide_map 1 match address outside_1_cryptomap
crypto map oustide_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [#2-WAN IP]
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
-------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5520 #2:
crypto ikev1 enable outside
object network net-local
 subnet 172.20.0.0 255.255.255.0
object network net-remote
 subnet 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group [#1-WAN IP] type ipsec-l2l
tunnel-group [#1-WAN IP] ipsec-attributes
 pre-shared-key cisco123
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set SHA-ESP-3DES esp-3des esp-sha-hmac
crypto map oustide_map 1 match address outside_1_cryptomap
crypto map oustide_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [#1-WAN IP]
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
Try to correct the mistakes in the two configs.
In some places, you have 'oustide_map' where you need "outside_map".
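The kind of mistake pointed out in the reply above can be caught mechanically before a config is pasted onto the device. The following is an added example, not part of the original thread or any Cisco tool: a small Python check that groups `crypto map` lines by name and reports maps that are never bound to an interface and bound entries that lack a match address, peer or transform-set. The sample config is constructed from the posted one, with 192.0.2.2 as a placeholder peer address.

```python
import difflib
import re
from collections import defaultdict

# Constructed sample modelled on the posted config; 192.0.2.2 is a placeholder peer.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map oustide_map 1 match address outside_1_cryptomap
crypto map oustide_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.0.2.2
crypto map outside_map interface outside
"""

# The same config with the misspelled map name corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("oustide_map", "outside_map")

ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set (?:ikev1 )?transform-set|set pfs)\b"
)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)")

# Settings every site-to-site crypto map entry needs before it can build a tunnel.
REQUIRED = ("match address", "set peer", "transform-set")


def parse_crypto_maps(config):
    """Return (entries, bindings).

    entries[map_name][seq] is the set of settings seen for that entry;
    bindings[map_name] is the interface the map is applied to.
    """
    entries = defaultdict(lambda: defaultdict(set))
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            bindings[bind.group(1)] = bind.group(2)
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            name, seq, what = entry.group(1), int(entry.group(2)), entry.group(3)
            key = "transform-set" if "transform-set" in what else what
            entries[name][seq].add(key)
    return entries, bindings


def lint_crypto_maps(config):
    """Return a list of human-readable findings (empty list means consistent)."""
    entries, bindings = parse_crypto_maps(config)
    findings = []
    # 1. Maps that carry entries but are never applied: usually a misspelled name.
    for name in sorted(entries):
        if name in bindings:
            continue
        near = difflib.get_close_matches(name, list(bindings), n=1, cutoff=0.8)
        hint = f" (possible typo of '{near[0]}')" if near else ""
        findings.append(f"crypto map '{name}' is never applied to an interface{hint}")
    # 2. Applied maps whose entries are incomplete, or that have no entries at all.
    for name in sorted(bindings):
        if name not in entries:
            findings.append(f"crypto map '{name}' is applied but has no entries")
            continue
        for seq in sorted(entries[name]):
            missing = [r for r in REQUIRED if r not in entries[name][seq]]
            if missing:
                findings.append(
                    f"crypto map '{name}' {seq} is missing: {', '.join(missing)}"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```
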
-
Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?
Can a Cisco ASA 5520 that has been configured as an IPsec VPN gateway also be configured as an AnyConnect VPN gateway, and service IPsec VPN clients and AnyConnect VPN clients at the same time? Is there any negative impact on performance or any other problem that anyone knows of?
I guess that by the 2-connection limit, you are referring to the 2 licenses for AnyConnect? You should consider using the AnyConnect Essentials license, which is relatively cheap (100-200 dollars I think) and will take you up to the platform limit with AnyConnect.
You shouldn't have any problem using the IPsec client with LDAP. It is quite common - my company runs IPsec as well as AnyConnect off the same interface, using LDAP authentication (even the same group-policy) for the two.
-Jason
-
Suggestions of VPN for Windows 7 and ASA 5510
We currently have a VPN solution with an ASA 5510 and, on the PC, the Cisco VPN Client V5.0.07.0410. This works for Windows XP SP3 and Windows 7; however, Windows 7 will not allow enabling Start Before Logon or disconnecting the VPN connection when logging off (i.e. the Windows logon properties are missing from the client configuration options). Is there a fix for this VPN client? What VPN upgrade options are available that will allow these options?
Thank you very much for your suggestions!
You must use the AnyConnect client. I have just started the same kind of project and purchased an AnyConnect license key; it is the easiest option.
-
Allowing the VPN and return to the ASA 5520
Here is the configuration:
Outside Interface: 50.50.50.5
Internal interface: 192.168.1.5
Wireless interface: 192.168.2.5
The wireless interface is used for guest access to the internet and cannot reach the internal servers or workstations. For offsite employees, we use the Cisco VPN client to remote in through the firewall.
Here is the question: a roaming person comes into the office, connects to the wireless network (no LAN port available) and then wants to VPN in to work. Can that be allowed through an ACL permitting traffic like that, or would it mean using Cisco AnyConnect? I don't want to globally enable the wireless range to talk to the inside interface, but I do want to allow VPN access. At first glance, I guess the ASA does not allow this, but I'm trying to get some clarification, thank you!
And if it's possible, I can see security implications, so I'm also looking for information best practice as well.
Hello Mrjwilson,
5 stars for you
Thanks for sharing the solution. Now mark the question as answered so future users can learn from your problem.
-
VPN l2l failed inside on ASA 5520 (8.02)
The L2L VPN is dropping packets at Phase 5 because of a configured rule. I have an ISAKMP SA, but the client cannot connect to the destination here in my network. I'll post my access-list config at the bottom of the packet-tracer output.
vpnASA01# packet-tracer input inside icmp [10.0.0.243] 0 8 10.97.29.73 det
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
id=0xc92087c8, priority=12, domain=capture, deny=false
hits=85188209121, user_data=0xc916a478, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
id=0xc87f1f98, priority=1, domain=permit, deny=false
hits=85193048387, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
id=0xc87f3670, priority=111, domain=permit, deny=true
hits=67416, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
===== ACCESS-LIST + Config =====
object-group network L2LVPN-blah_local
 network-object 10.97.29.73 255.255.255.255
object-group network L2LVPN-blah_remote
 network-object [10.0.0.240] 255.255.255.240
access-list INBOUND_OUTSIDE extended permit ip object-group L2LVPN-blah_remote object-group L2LVPN-blah_local
access-list L2LVPN-blah_obj extended permit ip object-group L2LVPN-blah_local object-group L2LVPN-blah_remote
access-list SHEEP extended permit ip any [10.0.0.243] 255.255.255.240
route outside [10.0.0.240] 255.255.255.240 [10.97.29.1] 1
crypto map outside-VPN 46 match address L2LVPN-blah_obj
crypto map outside-VPN 46 set peer [10.0.0.243]
crypto map outside-VPN 46 set transform-set esp-sha-aes-256
crypto map outside-VPN interface outside
tunnel-group [10.0.0.243] type ipsec-l2l
tunnel-group [10.0.0.243] ipsec-attributes
 pre-shared-key *
[10.0.0.1] is used to protect the clients' global addresses. Assume that these are used consistently in place of the actual IP range, 10.0.0.240/28.
===========================================
Thanks in advance.
Michael Garcia
Profit Systems, Inc..
Hi Michael,
- Is the peer IP really part of the network that makes up the encryption domain?
- Is the ACL INBOUND_OUTSIDE applied inbound on the inside interface or inbound on the outside interface? In its current form, it would need to be on the outside interface.
- You specify only the peer IP in the ACL SHEEP, so all other traffic would be NATted and eventually denied because it does not match the encryption domain.
Someone else may have a few ideas, but these are questions I have for the moment.
James
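The third point in the reply above, a NAT exemption ACL that is narrower than the crypto ACL, can be checked offline. This is an added example, not code from the thread: a Python sketch that expands `object-group network` definitions, parses `access-list ... extended permit ip` entries, and lists every encryption-domain pair that no single NAT exemption entry covers. ACL and group names and the RFC 5737 addresses in the sample are constructed placeholders.

```python
import ipaddress

# Constructed sample: crypto ACL covers a /28, NAT exemption covers one host only.
SAMPLE_CONFIG = """\
object-group network L2L_local
 network-object host 192.0.2.73
object-group network L2L_remote
 network-object 198.51.100.240 255.255.255.240
access-list L2L_crypto extended permit ip object-group L2L_local object-group L2L_remote
access-list NONAT extended permit ip any host 198.51.100.243
"""

# Same config with the NAT exemption widened to the whole encryption domain.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip any host 198.51.100.243",
    "permit ip host 192.0.2.73 198.51.100.240 255.255.255.240",
)


def take_nets(tokens, groups):
    """Consume one address spec from the front of `tokens`; return its networks.

    Handles: any | host A | object-group NAME | A MASK
    """
    first = tokens.pop(0)
    if first == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if first == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if first == "object-group":
        return list(groups[tokens.pop(0)])
    # Address followed by a dotted netmask; strict=False masks stray host bits.
    return [ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)]


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    groups, acls, current = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.extend(take_nets(tok[1:], groups))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            src = take_nets(rest, groups)
            dst = take_nets(rest, groups)
            acls.setdefault(tok[1], []).extend((s, d) for s in src for d in dst)
    return acls


def uncovered_pairs(config, crypto_acl, nonat_acl):
    """List crypto-ACL pairs that no single NAT exemption entry fully contains.

    Conservative: a pair covered only by the union of several exemption
    entries is still reported, so the reader can confirm it by hand.
    """
    acls = parse_acls(config)
    exempt = acls.get(nonat_acl, [])
    gaps = []
    for src, dst in acls.get(crypto_acl, []):
        covered = any(src.subnet_of(e_src) and dst.subnet_of(e_dst)
                      for e_src, e_dst in exempt)
        if not covered:
            gaps.append(f"{src} -> {dst}")
    return gaps


if __name__ == "__main__":
    for gap in uncovered_pairs(SAMPLE_CONFIG, "L2L_crypto", "NONAT"):
        print("encrypted but not NAT-exempt:", gap)
```
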
-
How many groups are supported by the ASA 5520 for remote access VPN
Hello
How many VPN groups are supported on the ASA 5520 with a remote access VPN configuration?
Regards
1. If nat-control is disabled and you do not have any other NAT command in your config file, you do not need it. Try to remove the existing "nat 0" command and "clear xlate".
2. You must make sure that your inside network knows it can go via the ASA to reach the remote VPN client IPs. Do you have any layer 3 device behind the ASA that does the routing? If so, please check its routing table.
-
ASA 5520 Infiltration of DNS query
Is a TCPDUMP-like operation, similar to the Sidewinder FW (example below), possible through the ASA 5520 and AIP-SSM-10 (IPS) module? References and answers to my question are appreciated.
tcpdump options for DNS:
Internal burb: tcpdump -ntpi em0 port 53
External burb: tcpdump -ntpi em1 port 53
tcpdump options for SMTP:
Internal burb: tcpdump -ntpi em0 port 25
External burb: tcpdump -ntpi em1 port 25
You can use the iplog command to capture a PCAP file on the AIP-SSM module (assuming that you send the traffic you want to capture to or through the AIP-SSM IPS module). It will capture based on the source IP address.
http://www.Cisco.com/en/us/docs/security/IPS/6.0/command/reference/crCmds.html#wp466857
If you want tcpdump granularity, create a service account on the sensor, log in to the Linux system, become root and tcpdump away.
-
Hi all
I have a data center with two ISP lines for redundancy and two ASA 5520s for VPN redundancy to my branches. Each of my branches has one ASA 5505 with a Base license and one ISP circuit. Currently all my VPN tunnels are built to the data center's main ISP circuit only, so if that goes down, I'm toast. I need to fix this. The problem is, I don't know how I can control failover on a 5505 with a single line at the branch. Please see my picture for an example of how it looks right now.
So the problem is that the data center LAN my branch has to reach is identical regardless of which data center circuit is in use. And I know the ASA rules say only one VPN tunnel can be active at a time if the flows are the same. So in this case, I know you would usually do:
crypto map outside_map 1 set peer 12.x.xxx.20 50.xxx.xx.190
and then configure route tracking to control when to cut over from the primary peer to the backup peer. But since I have only one ISP on the branch side, I'll only have one default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, which will be used whether the active peer is the primary or the secondary data center circuit. Also, since I do not have a second route, I can't configure tracking on the primary route with an SLA that defines the trigger conditions, because there is nothing for the tracking to fail the route over to.
How would one handle a situation like this? Are there other features that can be tracked besides routes? I really need to be able to define 'num-packets 5' in the SLA so my sites are not flapping all day, but once again, without something to track, I can't really set up a meaningful SLA. Any help is appreciated.
Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the remote would be a nice option, but I'm not sure that it is supported on the ASA. I have run EIGRP to remote peers using IOS routers (using both GRE with IPsec tunnels and VTI tunnels) and it was very effective. But on the ASA, I believe that we must look for an alternative.
It seems to me that using Reverse Route Injection as part of your site-to-site VPN should work. With RRI the ASA inserts a static route to the remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute static into EIGRP, then EIGRP should learn the routes from whichever ASA currently has an active tunnel. And that should provide the dynamic failover you need.
HTH
Rick
-
AnyConnect VPN for Cisco ASA 5505 refused connections
I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn
policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!
When I try to connect, I get this error in the real-time log viewer:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the details of the license:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Can someone tell me what I am doing wrong or what access list I'm missing?
I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.
Hi Matt,
You are probably landing on the default tunnel-group - you will need to indicate which group the client should connect to. This can be done in different ways - I see that you already have a group alias defined, but to be able to use that you must configure:
webvpn
tunnel-group-list enable
Alternatively, if you only have a single group, you can add 'group-url https://yourasa.yourcompany.com/ enable' to the tunnel-group's webvpn-attributes.
HTH
Herbert
-
External ACL does not increment for traffic allowed through the site to site VPN
Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.
There is no sysopt configuration on the ASA firewall. Access lists have been configured on the outside interface of the ASA to allow FTP and SFTP connections for these VPNs - however, all the counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.
There are general IP entries in the access list for FTP and SFTP to the NATted Internet-facing addresses of these FTP servers, and these are incrementing, but then there are certain customers who use the internet to transfer files.
I guess what I am asking is: do the ASA outside access lists increment for traffic allowed through a VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (as per the crypto map).
Just to add that these ACLs are configured through object groups, in case that matters - and once again, they are correctly transferring files to us - I just don't get where they are being allowed.
Thanks in advance
Mark
VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?
Can you post the output of "sh run all sysopt"?
Federico.
-
Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE
I can't find any reference to anywhere else.
We have an ASA 5520 at our HQ site (the INSIDE network) with several regional subnets on the DMZ interface.
We need site-to-site VPN connectivity between the INSIDE and a remote OUTSIDE site, as well as between the DMZ subnets and the same OUTSIDE site. The OUTSIDE interface of the ASA must be the local VPN endpoint for all tunnels.
I created an S2S VPN between the INSIDE and the OUTSIDE site and it works great.
When I create an S2S VPN tunnel between a DMZ site and the same OUTSIDE site (using the same local and remote settings, but with a different cryptomap because the local (DMZ) subnet is different from the INSIDE subnet), the traffic gets mapped (show crypto isakmp sa) to the same cryptomap that was created for the INSIDE-to-OUTSIDE tunnel instead of to the new cryptomap, so the remote endpoint drops it, and the traffic also causes incorrect-SPI errors on the remote endpoint, which makes the original INSIDE-to-OUTSIDE VPN tunnel drop from time to time.
Is this a bug?
I also tested a local S2S VPN tunnel configuration with the local networks set to both the INSIDE and DMZ networks. Using the S2S VPN wizard leads the ASA to create a NAT exempt rule only for the subnet on the INSIDE interface. Can I manually create another NAT exempt rule for the DMZ side and use this one S2S tunnel to connect both the INSIDE and DMZ sites to the remote OUTSIDE site in one connection profile?
I'm building a Rube Goldberg?
Thank you
George
Hi George,.
It seems you have an overlapping situation; are you sure the inside subnets do not overlap with the DMZ networks? A packet tracer could clarify what the ASA is actually sending.
In addition, you can merge the two interfaces into the same crypto map if you wish; just make sure that the NAT is configured correctly. For example: nat (any,outside) source static...
Hope this helps
-Randy-
-
Problem loading data for Planning Server through ODI
Hi all
I am facing a problem while loading data to the Planning Server through ODI.
I created the interface with a flat file as the data source, as below
Location data load Cube name POV cost per seat
Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk1, Local 333
Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk2, Local 444
Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk3, 555 Local
Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk4, Local 666
Budget, Working_2010, FY10, Wk5, Tidel Equifax, Local 777 Ctbn_PnL
Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk6, Local 888
Budget, Working_2010, FY10, Wk1, PADI Ctbn_PnL Equifax, Local 222
Budget, Working_2010, FY10, Wk2, PADI Ctbn_PnL Equifax, Local 111
Budget, Working_2010, FY10, Wk3, PADI Ctbn_PnL Equifax, room 345
Budget, Working_2010, FY10, Wk4, PADI Ctbn_PnL Equifax, Local 346
Budget, Working_2010, FY10, Wk5, PADI Ctbn_PnL Equifax, Local 347
Budget, Working_2010, FY10, Wk6, PADI Ctbn_PnL Equifax, Local 349
And the target is a Planning application. The interface executed properly, but the data is not populated in the Planning form or in Essbase.
I obtained the following information in the log file after running the interface:
2010-05-20 18:45:38, 409 [DwgCmdExecutionThread:null:5] INFO: Oracle Data Integrator adapter for Hyperion Planning - free 9.3.1.1
2010-05-20 18:45:38, 409 INFO [DwgCmdExecutionThread:null:5]: connection for application [PnL_ODI] [chnveltss03]: [11333] using [admin] username.
2010-05-20 18:45:39, 800 [DwgCmdExecutionThread:null:5] INFO: successfully connected to the planning application.
2010-05-20 18:45:39, 800 INFO [DwgCmdExecutionThread:null:5]: loading for the charge of planning options
Name of the dimension: location like Parent child: false
Order By entry charge: forgery
Update the database: true
2010-05-20 18:45:39, 815 INFO [DwgCmdExecutionThread:null:5]: beginning of the loading process.
2010-05-20 18:45:39, 815 DEBUG [DwgCmdExecutionThread:null:5]: number of columns in the result set of source does not match the number of columns planning targets.
2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] INFO: type of load is a [member of the load dimension].
2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 878 [DwgCmdExecutionThread:null:5] ERROR: Record [[null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null]] has been rejected by Planning Server.
2010-05-20 18:45:39, 878 [DwgCmdExecutionThread:null:5] INFO: planing cube refresh initiated.
2010-05-20 18:45:44, 284 INFO [DwgCmdExecutionThread:null:5]: planning of the cube refresh operation completed successfully.
2010-05-20 18:45:44, 284 INFO [DwgCmdExecutionThread:null:5]: load the process is complete.
Please help me with this. Thanks,
Srinivas
You are right. The table that you have described is in 'Generation' format (from the highest to the lowest level of the hierarchy). The Planning KM requires data to be loaded in 'Parent/Child' format. You must create multiple interfaces (one for each pair of generations) or use a view to do the transformation.
While a view seems to be the easier choice, note that ODI will not be able to perform any data lineage analysis on the integration process.
Hope this helps,
Matt
Community support,
I want to run this question by you guys to avoid the sales pitch from our Cisco partner and the like, and get to the best solution that would give us what we want.
We currently have a Cisco VPN 3020 concentrator to terminate the LAN-to-LAN tunnels and to have our mobile workers connect through the Cisco VPN client (300 users: employees and contractors).
Given that this device is coming to end of life this year, we bought a Cisco 5520 (the current licenses are shown below).
Licensing seems quite complicated, so here are my questions:
- What VPN do you recommend for our users and contractors? I understand that the Cisco VPN client does not work with ASA 5500 Series devices.
- Is there a license needed to deploy a VPN solution for our remote users (employees/contractors)?
Thank you
John
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Your understanding that the Cisco VPN client does not work with the ASA is wrong. Maybe it is that the version of the Cisco VPN client that you currently use does not work with the ASA. But recent (and indeed not so very recent) versions of the VPN client work with the ASA. I have installed ASAs for several clients who use the traditional IPsec VPN client with them, and they work well.
You are right that licensing for the ASA is complicated. Your site-to-site IPsec VPN tunnels will work on the ASA and do not pose much of a challenge in terms of licenses. But there are issues and alternatives to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPsec VPN client or you can use the newer AnyConnect client. From a licensing perspective there is a huge difference between them. There is no special license that applies to the traditional IPsec client; they just count against your Total VPN Peers license (of which you have 750 in your license). For AnyConnect there is a license requirement. There is an AnyConnect Premium license and there is an AnyConnect Essentials license. The Essentials license price is much lower than the Premium license, but Essentials does not have all the features that Premium does.
In the immediate term, it would sound like an easy question to answer: use the traditional IPsec VPN client, for which there is no special license and which is what you are used to. However, Cisco has announced the end-of-sale and end-of-support dates for the traditional VPN client. So at some point you will need to use the AnyConnect client. I would say that if you are making the change to the ASA, it might be a good choice to also adopt the AnyConnect client.
HTH
Rick
-
Hello
First I must admit that I am not very well versed in Cisco equipment or in IPsec connections in general, so my apologies if I'm doing something really obviously stupid, but I have checked through all the material I could find on the internet on configuring IPsec VPNs.
The setup I have is an ASA 5520 (OS 8.2) firewall which, for now, is connected to a temporary home-broadband-style connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.
I'm trying to connect in from a laptop with the Windows firewall disabled and Cisco VPN client version 5.0.02.0090.
I have made several attempts through the options of the IPsec configuration wizard. Most of the time nothing shows up in the log to indicate that a connection was attempted, but there is one way I can set the options that produces the following in the firewall log:
4 | Sep 24 2010 | 13:54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
5 | Sep 24 2010 | 13:54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6 | Sep 24 2010 | 13:54:21 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3 | Sep 24 2010 | 13:54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | Sep 24 2010 | 13:54:16 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3 | Sep 24 2010 | 13:54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | Sep 24 2010 | 13:54:11 | 713905 | Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3 | Sep 24 2010 | 13:54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
6 | Sep 24 2010 | 13:54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
and this in the client log:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
24 13:54:08.250 24/09/10 Sev=Info/4 CM/0x63100002
Begin connection process
25 13:54:08.265 24/09/10 Sev=Info/4 CM/0x63100004
Establish secure connection
26 13:54:08.265 24/09/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "213.94.x.x"
27 13:54:08.437 24/09/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 213.94.x.x.
28 13:54:08.437 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x
29 13:54:08.484 24/09/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
30 13:54:08.484 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
31 13:54:13.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
32 13:54:13.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 13:54:18.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 24/09/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 13:54:23.484 24/09/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 24/09/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 24/09/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 24/09/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
40 13:54:28.984 24/09/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
41 13:54:28.984 24/09/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
42 13:54:28.984 24/09/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 13:54:29.187 24/09/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have full HTTP connectivity from the internet to a machine inside the ASA 5520, so I think that the static routing and NAT should be OK, but I am happy to provide any details.
Can you see what I'm doing wrong?
Thank you
Sam
Please add the following policy:
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
You can also run debugs on the ASA:
debug cry isa
debug cry ipsec
and collect the debug output after trying to connect.
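As an added example (not part of the original posts): a small Python triage of the 713257 Phase 1 failures in a firewall log like the one Sam posted, reporting which proposal attribute the client offered against what the ASA has configured. The log lines are constructed in the same pipe-delimited layout; the addresses, the Hash Algorithm line and the function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample: severity | date | time | message-id | ... | text
SAMPLE_LOG = """\
6 | Sep 24 2010 | 13:54:06 | 302015 | 203.0.113.10 | 51905 | 192.0.2.27 | 500 | Built inbound UDP connection 7487 for outside:203.0.113.10/51905 (203.0.113.10/51905) to identity:192.0.2.27/500 (192.0.2.27/500)
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3 | Sep 24 2010 | 13:54:06 | 713257 | Phase 1 failure: Mismatched attribute types for class Hash Algorithm: Rcv'd: MD5 Cfg'd: SHA
3 | Sep 24 2010 | 13:54:11 | 713201 | Group = VPNtest9, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 | Sep 24 2010 | 13:54:11 | 713905 | Group = VPNtest9, IP = 203.0.113.10, P1 Retransmit msg dispatched to AM FSM
this line is not a log record and is skipped
"""

MISMATCH = re.compile(
    r"Phase 1 failure:\s+Mismatched attribute types for class (?P<cls>.+?):"
    r"\s+Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$")
PEER = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+),")


def parse(log):
    """Yield (message_id, text) for each well-formed record; skip the rest."""
    for line in log.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 5 and fields[3].isdigit():
            yield fields[3], fields[-1]  # the message text is the last column


def summarize(log):
    """Count rejected proposal attributes and duplicate Phase 1 packets per peer."""
    mismatches, duplicates = Counter(), Counter()
    for msg_id, text in parse(log):
        if msg_id == "713257":
            m = MISMATCH.search(text)
            if m:
                mismatches[(m["cls"], m["rcvd"], m["cfgd"])] += 1
        elif msg_id == "713201":
            p = PEER.search(text)
            if p:
                duplicates[(p["group"], p["ip"])] += 1
    return mismatches, duplicates


def report(log):
    """Return one human-readable line per mismatch class and per retrying peer."""
    mismatches, duplicates = summarize(log)
    lines = [f"{cls}: peer offered {rcvd}, ASA policy has {cfgd} ({n}x)"
             for (cls, rcvd, cfgd), n in mismatches.most_common()]
    lines += [f"{ip} ({group}) sent duplicate Phase 1 packets {n}x"
              for (group, ip), n in duplicates.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A "Group Description" row in the report is the Diffie-Hellman group mismatch that the `group 2` line in the suggested ISAKMP policy addresses.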