Failover of VPN for data/VoIP through ASA 5520 or 7204 VXR

I would like to install a VPN failover for my remote sites using broadband 3dn/1up.  They are mainly 2800 routers.    I like options for end hub a pair of Cisco ASA active / standby and a 7204 VXR.  Voice and data will travel down the VPN failover and I intend to have QOS/Traffic shaping in place to better meet the needs for VoIP as possible.  I need to do it on about 150 sites. My questions are:

1. What is the best why the ASA or the 7204

2 Will VoIP packets pass through the two in the same way

3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch.

4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max.

Thank you

J R

To answer your questions: -.

1. who is better for this, the ASA or the 7204 - ASA, is what is designed to do.

2 packages VoIP Will cross both the same way - Yes

3 as far as redistributing routes can I use GRE on an ASA or should I keep all static. NH on the SAA is an L3 switch. -l'ASA does not support GRE tunnels.

4. an ASA with 100 mg of bandwithd through metro E supports 150 tunnels making VoIP and data. 1 to 3 calls per site max. -It depends on the model of the SAA, see the below matrix for thru-put http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH >

Tags: Cisco Security

Similar Questions

  • VPN site to Site with ASA 5520 * please help *.

    I am using two ASA 5520, and try to put up a site to site VPN.  This seems to be pretty simple, but I'm on my third day of train this is up and running. Both 5520's are running the latest 9.1 (5) IOS.

    Please note: I replaced it with [#1-WAN IP] and [#2-WAN IP] for WAN IP of the ASA addresses.

    Thanks in advance for any help you may have.

    -------------------------------------------------------------------------------------------------------------------------------------------------

    ASA 5520 # 1:

    Crypto ikev1 allow outside

    the local object of net network
    10.0.0.0 subnet 255.255.255.0

    net remote object network
    172.20.0.0 subnet 255.255.255.0

    outside_1_cryptomap list of allowed ip object local net net access / remote

    tunnel-group [IP #2-WAN] type ipsec-l2l

    IPSec-attributes tunnel-group [#2-WAN IP]
    pre-shared-key cisco123

    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    card crypto oustide_map 1 match address outside_1_cryptomap
    card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto outside_map 1 set pfs Group1
    map 1 set outside_map crypto peer [#2-WAN IP]
    outside_map interface card crypto outside

    NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

    -------------------------------------------------------------------------------------------------------------------------------------------------

    ASA 5520 #2:

    Crypto ikev1 allow outside

    the local object of net network
    172.20.0.0 subnet 255.255.255.0

    net remote object network
    10.0.0.0 subnet 255.255.255.0

    outside_1_cryptomap list of allowed ip object local net net access / remote

    tunnel-group [#1-WAN IP] type ipsec-l2l

    IPSec-attributes tunnel-group [#1-WAN IP]
    pre-shared-key cisco123

    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    card crypto oustide_map 1 match address outside_1_cryptomap
    card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto outside_map 1 set pfs Group1
    map 1 set outside_map crypto peer [#1-WAN IP]
    outside_map interface card crypto outside

    NAT (inside, outside) 1 local static source net net-local destination static remote net net / remote

    Try to correct the mistakes in the two configs.

    In some places, you have 'oustide_map' where you need "outside_map".

  • Cisco Anyconnect VPN and IPSEC coexist on ASA 5520?

    Can a Cisco ASA 5520 which has been configured as IPSEC VPN gateway and also be configured as a gateway ANYCONNECT VPN and vpn IPSEC service anyconnect vpn clients clients maintenance at the same time? Any negative impact on the performance or any other problem that everyone knows?

    I guess that by 2 connection limit, you are referring to the 2 licenses for anyconnect?  You should consider using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the edge of the platform with anyocnnect.

    You shouldn't have any problem using IPSEC with LDAP client.  It is quite common - my company is IPSEC as Anyconnect off the coast of the same interface using authentication ldap (even same-group policy) for the two.

    -Jason

  • Suggestions of VPN for Windows 7 and ASA 5510

    We currently have a VPN solution with an ASA5510 and the client to the PC using the Cisco VPN Client V5.0.07.0410.  This works for Windows XP SP3 and Windows 7, however, Windows 7 will not allow enable start before logon or disconnect VPN connection when Logging Off (i.e. the Windows logon properties are missing in the client configuration options).  Is there a fix for this VPN client?  What VPN upgrade options available, which will allow these options?

    Thank you very much for your suggestions!

    You must use the AnyConnect client. I got on to start the same kind of project and purchased a license key AnyConnect, they are the easiest option.

    Sent by Cisco Support technique iPad App

  • Allowing the VPN and return to the ASA 5520

    Here is the configuration:

    Outside Interface: 50.50.50.5

    Internal interface: 192.168.1.5

    Wireless interface: 192.168.2.5

    The wireless interface is used for the guest access to internet and you can't find the internal servers or workstations.  Offiste employees, we use Cisco VPN remotely in through the firewall.

    That is the question, an itinerant person comes into the office, connects to the network (no LAN port available) wireless and then wants the VPN in a work.  Can that be allowed through the ACL to allow traffic like that or would be using Cisco AnyConnect?  I don't want to "overall" activate the ability for Wireless talk range to the inside interface, but allow VPN access.  At first glance, I guess the ASA for not allowing this, but try to get some clarification, thank you!

    And if it's possible, I can see security implications, so I'm also looking for information best practice as well.

    Hello Mrjwilson,

    5 stars for you

    Thanks for sharing the solution, check now the question as answered so future users can learn of your problem.

  • VPN l2l failed inside on ASA 5520 (8.02)

    VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.

    vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det

    Phase: 1

    Type: CAPTURE

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc92087c8, priority = 12, area = capture, deny = false

    hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 2

    Type: ACCESS-LIST

    Subtype:

    Result: ALLOW

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false

    hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 3

    Type: FLOW-SEARCH

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Not found no corresponding stream, creating a new stream

    Phase: 4

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 10.0.0.0 255.0.0.0 inside

    Phase: 5

    Type: ACCESS-LIST

    Subtype:

    Result: DECLINE

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f3670, priority = 111, domain = allowed, deny = true

    hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    the output interface: inside

    the status of the output: to the top

    output-line-status: to the top

    Action: drop

    Drop-reason: flow (acl-drop) is denied by the configured rule

    = ACCESS-LIST + Config =.

    the object-group L2LVPN-blah_local network
    network-object 10.97.29.73 255.255.255.255
    the object-group L2LVPN-blah_remote network
    network-object [10.0.0.240] 255.255.255.240

    INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object

    L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote

    access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240

    Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1

    address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
    peer set card crypto VPN-exterior 46 [10.0.0.243]
    outside-VPN 46 transform-set esp-sha-aes-256 crypto card
    outside-VPN interface card crypto outside

    IPSec-l2l type tunnel-group [10.0.0.243]
    IPSec-attributes of tunnel-group [10.0.0.243]
    pre-shared-key *.

    [10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28

    ===========================================

    Thanks in advance.

    Michael Garcia

    Profit Systems, Inc..

    Hi Michael,

    -Is the IP peer really part of the network that make up the field of encryption?

    -Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.

    -You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption

    Someone else may have a few ideas, but these are questions I have for the moment.

    James

  • How many group Supportepar ASA 5520 vpn for remote access

    Hello

    Howmany vpn group is supported on asa 5520 with configuraion vpn remote access.

    Concerning

    1 if nat-control is disabled and you do not have any other order NAT in your config file, you do not have it. Try to remove the existing "NAT 0" command and "clear xlate."

    2. you must ensure that your network inside know they can go by ASA to access remote vpn client IP. You have any device layer 3 behind the ASA that does the routing. If so, please verify that this is the routing table.

  • ASA 5520 Infiltration of DNS query

    Is the operation of TCPDUMP, simular to Sindwinder FW (example below), possible through ASA 5520 and AIP-SSM-10 (IPS) module? Reference and the answer to my question are appreciated.

    •tcpdump options for DNS

    -Internal Burba: tcpdump - ntpi em0 port 53

    -External Burba: tcpdump - ntpi em1 port 53

    tcpdump for SMTP options:

    Burba internal: tcpdump - ntpi em0 port 25

    External Burba: tcpdump - ntpi em1 port 25

    You can use the iplog command to capture a PCAP file on the module AIP - SSM (assuming that you sent the traffic you with capture or through the module AIP - SSM IPS). It will capture based on the source IP address.

    http://www.Cisco.com/en/us/docs/security/IPS/6.0/command/reference/crCmds.html#wp466857

    If you want TCPdump granularity, make a service account on the sensor, open a session in the Linux system, able to root and tcpdump away.

  • Branch 5505, 1 circuit ISP, Dual - peer VPN Configuration for Data Center & Track Options

    Hi all

    I have a data center with two lines of ISP redundancy and two ASA 5520 for redundancy VPN to my branches.  Each of my branches has 1 ASA 5505 with a base license and 1 ISP circuit. Currently all my VPN tunnels are built for data center main circuit ISP only, so if one goes down, I'm toast.  I need to fix this. Problem is, I don't know how I can control failover on 5505 with 1 single line branch.  Please see my picture for an example of how he looks at it right now.

    So the problem is that the data center LAN my branch has to go to is identical regardless of which circuit of data center is in the. And I know the ASA rules say only 1 VPN tunnel can be active at a time if flow are the same.  So in this case, I know you usually do:

    card crypto outside_map 1 set 12.x.xxx.20 50.xxx.xx.190 counterpart

    and then configure route followed to control when cut down the primary counterpart and turn back up by peers. But where I have only 1 ISP on the side of the branch, I'll only have 1 default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, will be used that the active end counterpart is the primary or the secondary data center. Also, since I did not have a second track, I can't configure followed on the main road with an SLA that defines the trigger conditions, because there is nothing to ensure the follow-up of the routing.

    How is - a would handle a situation like this? Are there other features that can be taken off the roads?  I really need to be able to define "num-package 5 ' in ALS so my sites are not beat all day, but once again, without something to follow, I can't really set up a meaningful SLAS.  Any help is appreciated.

    Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the Remote would be a nice option, but I'm not sure that it is supported on the SAA. I ran EIGRP to remote peers using IOS routers (using the two ACCORD with IPsec and VTI tunnels tunnels) and it was very effective. But on the SAA, I believe that we must seek an alternative.

    It seems to me that using reverse road Injection as part of your VPN site-to-site should work. With IPP the ASA inserts a static route to remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute the static in EIGRP EIGRP then must learn the ways of any ASA a currently active tunnel. And who should provide the dynamic rollover you need.

    HTH

    Rick

  • AnyConnect VPN for Cisco ASA 5505 refused connections

    I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

    interface Vlan2
    
    mac-address xxxx.xxxx.xxxx
    
    nameif outside
    
    security-level 0
    
    ip address A.A.A.A 255.255.255.240
    
    !
    
    access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
    
    access-list outside_access_in extended permit tcp any host C.C.C.C eq https
    
    access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
    
    access-list outside_access_in extended permit tcp any host C.C.C.D eq https
    
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
    
    access-list outside_access_in extended permit tcp any host C.C.C.D eq www
    
    access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
    
    access-list outside_access_in extended permit icmp any any
    
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
    
    access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
    
    access-list outside_access_in extended permit gre any host C.C.C.C
    
    access-list outside_access_out extended permit ip any any
    
    access-list inside_access_in extended permit ip any any
    
    access-list inside_access_in extended permit ip any interface outside
    
    access-list inside_access_out extended permit ip any any
    

    access-group inside_access_in in interface inside
    
    access-group inside_access_out out interface inside
    
    access-group outside_access_in in interface outside
    
    access-group outside_access_out out interface outside
    

    webvpn
    
    enable inside
    
    enable outside
    
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    
    svc enable
    

    group-policy DfltGrpPolicy attributes
    
    dns-server value X.X.X.X
    
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    
    split-tunnel-policy tunnelspecified
    
    split-tunnel-network-list value
    
    address-pools value palm
    
    webvpn
    
      svc rekey time 30
    
      svc rekey method ssl
    
      svc ask enable default webvpn
    

    policy-map global_policy
    
    class inspection_default
    
      inspect pptp
    
      inspect http
    
      inspect icmp
    
      inspect ftp
    
    !

    When I try to connect, I get this error in the real-time log viewer:

    TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

    Here are the details of the license:

    Licensed features for this platform:
    
    Maximum Physical Interfaces  : 8
    
    VLANs                        : 3, DMZ Restricted
    
    Inside Hosts                 : Unlimited
    
    Failover                     : Disabled
    
    VPN-DES                      : Enabled
    
    VPN-3DES-AES                 : Enabled
    
    SSL VPN Peers                : 2
    
    Total VPN Peers              : 10
    
    Dual ISPs                    : Disabled
    
    VLAN Trunk Ports             : 0
    
    Shared License               : Disabled
    
    AnyConnect for Mobile        : Disabled
    
    AnyConnect for Linksys phone : Disabled
    
    AnyConnect Essentials        : Disabled
    
    Advanced Endpoint Assessment : Disabled
    
    UC Phone Proxy Sessions      : 2
    
    Total UC Proxy Sessions      : 2
    
    Botnet Traffic Filter        : Disabled
    

    This platform has a Base license.

    Can someone tell me what I am doing wrong or what access list I'm missing?

    I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

    Hi Matt,

    You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

    WebVPN

    tunnel-group-list activate

    Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

    HTH

    Herbert

  • External ACL does not increment for traffic allowed through the site to site VPN

    Hi all, we have many site - to IPSEC VPNS that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.

    There is not configuration of the firewall of the SAA sysopt. Access lists have been configured on the external interface of the ASA to allow these VPN for FTP SFTP connections & - however, all counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.

    There are general IP entries in list of FTP & SFTP natted access connected to the Internet addresses of these FTP servers and these are increment but then there are certain customers who use the internet to transfer files.

    I guess what I was asking is ASA outside increment for traffic access lists allowed by VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to crypto card)

    Just to add that these ACL is configured through groups of objects in the case that matters - also once again that they are correctly transfer files to us - only I don't get where they are allowed.

    Thanks in advance

    Mark

    VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?

    Can you post the output of "sh run all the sysopt"

    Federico.

  • Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE

    I can't find any reference to anywhere else.

    We have an ASA 5520 to our site HQ (inside the network) with several regional subnets on the DMZ interface.

    We need connectivity VPN Site to Site between the INSIDE and a remote control on the OUTSIDE of the site, as well as between the DMZ subnets and even outside the site. The interface from the OUTSIDE of the SAA must be local VPN endpoint for all tunnels.

    I created a S2S VPN between the INSIDE and the OUTSIDE site and it works great.

    When I create a VPN S2S tunnel between a site of DMZ and even outside the site (using the same settings the and remote, but with a cryptomap different because the local subnet (DMZ) is different from the other inside the subnet, the traffic gets the mapping (show crypto isakmp his) to the same cryptomap that was created for the access to the tunnel from the OUTSIDE) , instead of to the new cryptomap, so remote endpoint deletes it, and traffic also causes SPI incorrect of for the remote endpoint, which makes the original INTERIOR outside OF THE VPN tunnel to fall from time to time.

    Is this a bug?

    I also did a local S2S VPN tunnel configuration test of networks as everything INSIDE and the DMZ. With the help of the wizard VPN S2S leads ASA only to create a NAT rule exempted for the subnet on the INSIDE interface. Can I manually create another tax-exempt NAT rule to the side of the DMZ and use this a S2S tunnel to connect sites inside and DMZ to the remote OFF-SITE in a connection profile?

    I'm building a Rube Goldberg?

    Thank you

    George

    Hi George,.

    It seems you have a situation overlapping it, are you sure that subnets inside did not overlap with the networks from the DMZ?  A package tracer could clarify wha that the ASA is actually sending.

    In addition, you can merge the two interfaces on the same card encryption if you wish, just make sure that the NAT is configured correctly.   For example; Source NAT (all, outside) static...

    It may be useful

    -Randy-

  • Problem loading data for Planning Server through ODI

    Hi all

    I am facing problem while loading data for Planning Server through ODI.
    I created the interface with flat as a source of data as file below

    Location data load Cube name POV cost per seat
    Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk1, Local 333
    Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk2, Local 444
    Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk3, 555 Local
    Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk4, Local 666
    Budget, Working_2010, FY10, Wk5, Tidel Equifax, Local 777 Ctbn_PnL
    Ctbn_PnL of Tidel Equifax, Budget, Working_2010, FY10, Wk6, Local 888
    Budget, Working_2010, FY10, Wk1, PADI Ctbn_PnL Equifax, Local 222
    Budget, Working_2010, FY10, Wk2, PADI Ctbn_PnL Equifax, Local 111
    Budget, Working_2010, FY10, Wk3, PADI Ctbn_PnL Equifax, room 345
    Budget, Working_2010, FY10, Wk4, PADI Ctbn_PnL Equifax, Local 346
    Budget, Working_2010, FY10, Wk5, PADI Ctbn_PnL Equifax, Local 347
    Budget, Working_2010, FY10, Wk6, PADI Ctbn_PnL Equifax, Local 349

    And the target as an application of Planinng. Interface has been properly executed, but are not filled with data in the form of Plannning or Essbase.
    I obtained the information in the log file after running the interface:

    2010-05-20 18:45:38, 409 [DwgCmdExecutionThread:null:5] INFO: Oracle Data Integrator adapter for Hyperion Planning - free 9.3.1.1
    2010-05-20 18:45:38, 409 INFO [DwgCmdExecutionThread:null:5]: connection for application [PnL_ODI] [chnveltss03]: [11333] using [admin] username.
    2010-05-20 18:45:39, 800 [DwgCmdExecutionThread:null:5] INFO: successfully connected to the planning application.
    2010-05-20 18:45:39, 800 INFO [DwgCmdExecutionThread:null:5]: loading for the charge of planning options
    Name of the dimension: location like Parent child: false
    Order By entry charge: forgery
    Update the database: true
    2010-05-20 18:45:39, 815 INFO [DwgCmdExecutionThread:null:5]: beginning of the loading process.
    2010-05-20 18:45:39, 815 DEBUG [DwgCmdExecutionThread:null:5]: number of columns in the result set of source does not match the number of columns planning targets.
    2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] INFO: type of load is a [member of the load dimension].
    2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 831 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Tidel, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 847 [DwgCmdExecutionThread:null:5] ERROR: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 862 ERROR [DwgCmdExecutionThread:null:5]: file [[Padi, null, null, null, null, null, null, null, null, null, null, null, Ctbn_PnL, Budget, null, "Equifax, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 878 [DwgCmdExecutionThread:null:5] ERROR: Record [[null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null]] has been rejected by Planning Server.
    2010-05-20 18:45:39, 878 [DwgCmdExecutionThread:null:5] INFO: planing cube refresh initiated.
    2010-05-20 18:45:44, 284 INFO [DwgCmdExecutionThread:null:5]: planning of the cube refresh operation completed successfully.
    2010-05-20 18:45:44, 284 INFO [DwgCmdExecutionThread:null:5]: load the process is complete.


    Please help me in this grace,
    Srinivas

    You are right. The table that you have described is in the format 'Generation' (the highest to the lowest level of the hierarchy). The KM of planning requires data to load in format "Parent/child". You must create multiple interfaces (one for each pair of generation) or use a view to make the transformation.

    While a view seems to be the easier choice, note that ODI will not be able to perform any analysis of lineage of data on the integration process.

    Hope this helps,
    Matt

  • ASA 5520 VPN licenses

    Community support,

    I want to run this question by you guys to avoid the sales of our partner CISCO and similar pitch more to the best solution that would give us what we want.

    We currently have a VPN from CISCO 3020 hub to terminate the Lan-to-Lan tunnels and have our mobile workers to connect through the client VPN CISCO (300 users-employees and contractors).

    Given that this device is coming to an end of LIFE this year, we bought a CISCO 5520 (here is the current licenses in this topic)

    Licensing seems quite complicated, so here's my question:

    -What VPN do you recommend for our users and entrepreneurs? I understand that the CISCO VPN client does not work with ASA 5500 Series devices

    Is there a license needed to deploy a VPN solution for our remote users(employees/contractors)?

    Thank you

    John

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited perpetual
    VLAN maximum: 150 perpetual
    Guests of the Interior: perpetual unlimited
    Failover: Active/active perpetual
    VPN - A: enabled perpetual
    VPN-3DES-AES: activated perpetual
    Security contexts: 2 perpetual
    GTP/GPRS: Disabled perpetual
    AnyConnect Premium peers: 2 perpetual
    AnyConnect Essentials: Disabled perpetual
    Counterparts in other VPNS: 750 perpetual
    Total VPN counterparts: 750 perpetual
    Shared license: disabled perpetual
    AnyConnect for Mobile: disabled perpetual
    AnyConnect Cisco VPN phone: disabled perpetual
    Assessment of Advanced endpoint: disabled perpetual
    Proxy UC phone sessions: 2 perpetual
    Proxy total UC sessions: 2 perpetual
    Botnet traffic filter: disabled perpetual
    Intercompany Media Engine: Disabled perpetual

    This platform includes an ASA 5520 VPN Plus license.

    Your understanding that the Cisco VPN client does not work with ASA is wrong. Maybe it's the version of Cisco VPN client that you use currently does not work with ASA. But these (and so not very new indeed) versions of VPN client work with the ASA. I installed for several clients who use the traditional IPSec VPN client with ASA ASAs and they work well.

    You are right that the granting of licenses for the SAA is complicated. Your tunnels IPSec VPN site-to-site will work on the SAA and pose much challenge in terms of licenses. But there are problems and alternative solutions to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a Hugh difference between them. It is not special license that applies to the traditional IPSec client and they are just against your license for peers Total VPN (for which you have 750 in your license). For the AnyConect there is a condition of licence. There is a premium for AnyConnect license and there are licensed AnyConnect Essentials. The Essentials license price is much lower than the premium license, but Essentials does not all the features that made the premium.

    In the immediate future, that it would sound like an easy question to answer, use the traditional IPSec VPN client for which theere is not a special permit and it is what you are used to. However Cisco has announced the dates of end of sale and end of Support for the traditional VPN client. If at some point you will need to use the AnyConnect client. I would say that if you make the change of the ASA that it might be a good choice to also adopt the AnyConnect client.

    HTH

    Rick

  • IPSec VPN to asa 5520

    Hello

    First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.

    The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.

    I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.

    I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:

    4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry

    5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!

    6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

    3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

    6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

    3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

    6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

    3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

    6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

    and this, in the journal of customer:

    Cisco Systems VPN Client Version 5.0.02.0090

    Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 5.1.2600 Service Pack 3

    24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "213.94.x.x".

    27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B

    Attempts to establish a connection with 213.94.x.x.

    28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x

    29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008

    IPSec driver started successfully

    30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

    33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

    35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

    37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017

    Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B

    IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014

    Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

    40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025

    Initializing CVPNDrv

    41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046

    Set indicator established tunnel to register to 0.

    42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001

    Signal received IKE to complete the VPN connection

    43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A

    IPSec driver successfully stopped

    I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.

    Can you see what I'm doing wrong?

    Thank you

    Sam

    Pls add the following policy:

    crypto ISAKMP policy 10

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    You can also run debug on the ASA:

    debugging cry isa

    debugging ipsec cry

    and retrieve debug output after trying to connect.

Maybe you are looking for

  • EtreCheck results for Mac start VERY slowly

    I just ran EtrCheck and cannot find anything that could trigger my iMac start slowly. Verification of any help would be greatly appreciated. Ed EtreCheck version: 2.6.6 (226) Report generated on 02/12/15, 08:29 Time 02:38 Download EtreCheck from http

  • customize the system?

    interested in an inspiron all-in-one 20 "or 23".  you want to customize with win 7 os, core i3 or i5 processor, no touchscreen.  is it possible to order custom an all-in-one with these specific adaptations?

  • Computer laptop loss during berthing and departure color management settings

    I am running Windows 7 Enterprise SP1 64 bit on a Dell Latitude E6540 with a docking station.  I have calibrated color screen on the laptop as well as an external monitor attached to the docking station.  Whenever I'm disconnecting the computer, the

  • Error "disk Management console view is not updated" on Windows 7 64 bit

    Hi team, Is my laptop model Dell Studio XPS 1645 Operating system is Windows 7 Professional 64 bit Size of HARD drive internal 500 GB I got 4 partitions initially, 1 for the C drive and remaining 3 storage purpose. I took the backup of all Partitions

  • SOAP/AXL to pull numbers

    We need to change 1000 existing extensions in CM of the new range. Since there are many 2/3 lines and party lines phones. I need some kind of tool/App in order to get existing numbers CM SQL database to Excel and replace it. Even if I can't replace t