Get VPN client to connect, but request timed out when ping
Hi, I use a Cisco 837 router as my VPN server. I am connected using Cisco VPN Client Version 5. But when I ping the IP of the router, I get "request timed out". Here is my configuration:
Building configuration...

Current configuration : 3704 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname michael
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging console
enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool michael
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 202.134.0.155
!
ip dhcp pool excluded-address
   host 192.168.1.4 255.255.255.0
   hardware-address 01c8.d719.957a.b9
!
!
ip cef
ip name-server 202.134.0.155
ip name-server 203.130.193.74
vpdn enable
!
!
!
!
username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group michaelvpn
 key vpnpassword
 pool SDM_POOL_1
 acl 199
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-PPP1
 no ip address
!
interface Dialer1
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ispusername
 ppp chap password 0 isppassword
 ppp pap sent-username ispusername password 0 isppassword
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner motd ^C
Authorized Access Only
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Thank you, any help will be appreciated.
Hi Michael,
I have been through the logs; they are not conclusive and only determine that Phase 1 is coming up. However, according to this error message, %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0, we are hitting a bug in IOS. The ID of the bug is CSCsl24693 and the solution is to switch to 12.4(11)XJ.
Can you re-run the debugs and send me the detailed results?
Kind regards
Aman
Tags: Cisco Security
Similar Questions
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue where the Cisco VPN client connects but cannot access the internal network.
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements in the reference link below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.)
Please paste the output of "sh cry ipsec sa" here so that we can check whether phase 2 is properly established. I would also suggest that you go to the IPsec VPN client on your PC and check for increments in the packets sent and received in the "status" window.
Let me know if this can help,
See you soon,
Christian V
I need help with this error: error 118 (net::ERR_CONNECTION_TIMED_OUT): the operation timed out
It's my app from facebook
Hi Muhammadarif,
1. Does the problem occur only in Facebook?
2. What web browser do you use?
This is a known error in Google Chrome. If you are using Google Chrome, then I suggest you post in the Google Chrome forums.
http://productforums.Google.com/d/Forum/chrome
If the problem only occurs in Facebook, then I suggest you contact Facebook support.
http://www.Facebook.com/help/
Hope this information is helpful and let us know if you need more assistance. We will be happy to help.
Hello
I don't know what could be wrong: VPN users can ping the outside and inside interfaces of the Cisco ASA but cannot connect to, or ping, servers within the LAN.
Here is the config, please kindly have a look; I would like to know what might be happening.
hostname horse
domain-name evergreen.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 description CONNECTION_TO_FREEMAN
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
 description CONNECTION_TO_TIGHTMAN
 nameif backup
 security-level 0
 ip address 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
 domain-name green.com
object network NETWORK_OBJ_192.168.2.0_25
 subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.202.0_24
 subnet 192.168.202.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit ip any any
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,backup) dynamic interface
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
 type echo protocol ipIcmpEcho 212.58.244.71 interface outside
 timeout 3000
 frequency 5
sla monitor schedule 100 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 100 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntunnel internal
group-policy vpntunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntunnel_splitTunnelAcl
 default-domain value green.com
group-policy vpntunnell internal
group-policy vpntunnell attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
 default-domain value green.com
username Green password BoEFKkDtbnX5Uy1Q encrypted privilege 15
username THE attributes
 vpn-group-policy gbnlvpn
tunnel-group vpntunnel type remote-access
tunnel-group vpntunnel general-attributes
 address-pool VPNPOOL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group vpntunnell type remote-access
tunnel-group vpntunnell general-attributes
 address-pool VPNPOOL2
 default-group-policy vpntunnell
tunnel-group vpntunnell ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565
Hello
1 - Please run these commands:
crypto isakmp nat-traversal 30
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
The main issue here is that you have two floating routes, and outside has a better metric than backup; that's why I added the 'reverse-route' command.
Please let me know.
Thank you.
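The routing effect the reply above refers to, as an added Python sketch (not from the thread or from Cisco): it models the route table from the posted config and shows which interface carries return traffic to a VPN pool address with and without the host route that reverse-route injection installs. The assumption that the 197.1.1.2 default route leaves through `backup`, the sample client address and all helper names are introduced here for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int  # the trailing number in the ASA "route" command


def net(cidr):
    return ipaddress.ip_network(cidr)


# Route table modelled on the posted config. Assumption: the second default
# route (197.1.1.2, distance 254) leaves through "backup", the interface
# whose subnet contains that gateway.
BASE_TABLE = [
    Route(net("192.168.200.0/24"), "inside", 0),   # connected
    Route(net("196.1.1.0/29"), "outside", 0),      # connected
    Route(net("197.1.1.0/29"), "backup", 0),       # connected
    Route(net("0.0.0.0/0"), "outside", 1),         # tracked primary default
    Route(net("0.0.0.0/0"), "backup", 254),        # floating default
]


def egress_interface(table, destination):
    """Longest-prefix match; equal prefixes are decided by lowest distance."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))
    return best.interface


def inject_reverse_route(table, client_ip, tunnel_interface):
    """Add the /32 host route that reverse-route injection installs for a
    connected client, pointing at the interface the tunnel terminated on."""
    host = Route(net(f"{client_ip}/32"), tunnel_interface, 1)
    return table + [host]


def return_path_ok(table, client_ip, tunnel_interface):
    """Replies reach the client only if they leave through the interface
    that holds its tunnel (the crypto map is bound per interface)."""
    return egress_interface(table, client_ip) == tunnel_interface


if __name__ == "__main__":
    client = "192.168.2.10"  # constructed address inside VPNPOOL
    for iface in ("outside", "backup"):
        plain = return_path_ok(BASE_TABLE, client, iface)
        table = inject_reverse_route(BASE_TABLE, client, iface)
        rri = return_path_ok(table, client, iface)
        print(f"tunnel on {iface}: without RRI ok={plain}, with RRI ok={rri}")
```

A client that lands on `backup` while the tracked default is still up is the failing case: its replies follow the distance-1 default out of `outside` until the host route exists.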
VPN Client TCP connection to router IOS
Hello
I try to get a VPN client to connect via TCP to a router. I currently have the router put in place (and work) in using a VPN - UDP. Unfortunately one of the sites I visit will not allow VPN traffic outside of their firewall. I have searched all over the site of Cisco and can't find any information on the IOS configuration to accept TCP - VPN connections. I would like to change the TCP port 80, so my VPN traffic looks like just standard internet browsing my client firewall. Any links/pointer would be greatly appreciated.
Thanks in advance!
-Joe
Take a look at this:
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1310210
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1305478
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1315635
Please rate if useful.
Regards,
Farrukh
When I ping, I get "request timed out" once every 40 responses.
I have other clients in the same VLAN with IPs 10.12.121.15 and 10.12.121.16. When I ping 10.xxx.xxx.xxx -t I receive continuous replies, but at the same time each of them times out for 2 hops. After the 2 hops it replies normally for up to 48 hops and then times out again.
Please let me know what all the possible causes are. I even tried pinging the router, with the same result. If it were one client, I could suspect the network connector or network port, but it's almost all clients.
If you need more details, please let me know in your response.
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Request timed out.
Request timed out.
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time = 1ms TTL = 126
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>
Reply from 10.12.121.17: bytes = 32 time<1ms ttl="">1ms>Hello
The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want.
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer
Hope this information is useful.
WiFi doesn't work does not correctly and he always finds Request Timed Out
Hello
I have two laptops side by side. On both laptops I run 'ping www.google.com -t' in cmd and, most of the time, 'ping www.yahoo.com -t'.
Laptop A shows "Request Timed Out", but only from time to time, with one or two occurrences whenever it does. Laptop B shows 'Request Timed Out' more often, and several times it is displayed continuously, as in the screenshot.
This has been observed for a few months, since I first noticed it.
I wonder whether this has to do with the firewall or antivirus? Or whether it has something to do with a virus infection?
I have very little in-depth knowledge of this. Please bear with me if I ask funny questions. I would appreciate your help! Thanks :)
Hello
1. Did you make any changes on the computer before the issue appeared?
2. What web browser do you use?
3. What anti-virus is installed on the computer?
Method 1:
You can try the steps in the link and check:
Windows wireless and wired network connection problems
http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows
Method 2:
You can perform a clean boot and check if any third-party software is causing the problem.
How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7
http://support.Microsoft.com/kb/929135
Note: After troubleshooting, set the computer to start as usual by performing step 7 of the above Knowledge Base article.
Method 3:
You can try to disable the firewall and anti-virus installed on the computer.
Enable or disable Windows Firewall
http://Windows.Microsoft.com/en-us/Windows7/turn-Windows-Firewall-on-or-off
NOTE: Turning off Windows Firewall may make your computer (and your network, if you have one) more vulnerable to damage caused by worms or hackers.
You can see the following link to disable the antivirus software installed on your computer.
Disable the anti-virus software
http://Windows.Microsoft.com/en-us/Windows7/disable-antivirus-software
NOTE: Antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not disable your antivirus software. If you need to disable it temporarily to install other software, you must re-enable it as soon as you are finished. If you are connected to the Internet or a network while your antivirus software is disabled, your computer is vulnerable to attacks.
For more information, please see the following links:
RemoteAccess VPN does not, the client VPNC connects but no connectivity
Hi all
I configured remote access VPN on a Cisco ASA 5520. The Cisco VPN client connects very well and both phases come up, but IPsec isn't encapsulating packets, and I am not able to reach the remote subnets 192.168.10.0 and 192.168.180.0.
Kindly help me to solve the problem... Here's the relevant config.
Thank you
Mikael
config
====================================================================
allowed to access list acl sheep line 20 extended ip 192.168.10.0 255.255.255.0 172.23.20.0 255.255.255.128
allowed to access list acl sheep line 20 extended ip 192.168.180.0 255.255.255.240 172.23.20.0 255.255.255.128
access-list splitTunnel_raacl line 1 extended permit ip 192.168.10.0 255.255.255.0 any
access-list splitTunnel_raacl line 2 extended permit ip 192.168.180.0 255.255.255.240 any
access-list ra_acl line 1 extended permit ip any 192.168.10.0 255.255.255.0
access-list ra_acl line 2 extended permit ip any 192.168.180.0 255.255.255.240
aaa-server non-retail-VPN protocol tacacs+
aaa-server non-retail-VPN (inside) host 192.168.200.14
 key 3n0cr1ght5
aaa-server Non-retail-VPN (inside) host 192.168.10.9
 key 3n0cr1ght5
ip local pool ra 172.23.20.2-172.23.20.125 mask 255.255.255.128
group-policy RAVPN internal
group-policy RAVPN attributes
 vpn-idle-timeout 30
 vpn-filter value ra_acl
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnel_raacl
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool ra
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 pre-shared-key xxxx
crypto ipsec transform-set ravpn-set esp-3des esp-sha-hmac
crypto dynamic-map RAVPN 23 set transform-set ravpn-set
crypto map ENOCMAP 4 ipsec-isakmp dynamic RAVPN
========================================================================
Output
2   IKE Peer: 94.58.71.99
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
# sh crypto ipsec sa peer 94.58.71.99
peer address: 94.58.71.99
    Crypto map tag: RAVPN, seq num: 23, local addr: x.x.x.x
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.23.20.2/255.255.255.255/0/0)
      current_peer: 94.58.71.99, username: shanilra
      dynamic allocated peer ip: 172.23.20.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
EDIT: Sorry, I just saw that I read your config wrong. The vpn-filter is OK, but with split tunneling it is still not necessary.
Your vpn-filter ACL is wrong (mixed source and destination). Please remove the vpn-filter from your group policy and test again if this works. It looks like you want your clients to reach only the two given networks. For this you need the vpn-filter anyway, because they are the only networks that are reached in the split-tunnel config.
Sent from Cisco Technical Support iPad App
VPN client works well, but I am not able to open the desktop remotely
Hi all
I configured a router 877 with features of firewall and VPN and DDNS, when the user connects his WAN pc via VPN all works well (mail, telnet, ping, LAN access) but the Remote Desktop feature is not available. I traced with wireshark and saw that the request to port 3389 was correctly sent to the destination server, but the response to the VPN client has been abandoned by the router... and I have no idea how to solve this problem.
Can someone help me...? Thank you very much.
Ilaria.
Router config attached.
Your problem is the NAT config. First of all, the following line is not necessary, as RDP does not run over UDP:
ip nat inside source static udp 192.168.10.136 3389 interface Dialer0 3389
Then, the following command causes problems:
ip nat inside source static tcp 192.168.10.136 3389 interface Dialer0 3389
With it, the router assumes that the server 192.168.10.136 must always be reached through the IP address of Dialer0 and performs a translation.
There are two ways to solve the problem, but they all have some disadvantages...
(1) Only access the server through VPN. For that you can just remove the NAT statement above (the one with tcp) and you should be able to reach the server via VPN.
(2) Restrict the NAT so that it does not translate when a VPN peer accesses the server.
To do this, you must attach a route-map to the NAT statement. But that does not work with the "interface" keyword in the NAT statement. You can use it, however, if you get a fixed IP address from your provider.
(3) Assign a second IP address to the RDP server. The original IP address that is used in the NAT statement is used to access the server without VPN; the second IP address is used to access the server through VPN.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
VPN client, lost connection
Hello
I pix506e here... and vpn clients connected.
But suddenly lost connection vpn client 40 minutes and then try to reconnect again but fail. If the vpn client restarts their pc/notebook...yes it can connected to vpn again... but the interruption of the connection again... then restart... and so on... What is the cause of this problem?
Thanks for the help
Tonny
Are all remote VPN clients having the same problem, or is it limited to just a few? If the problem is seen with only a few, it is quite possible that the problem is not with the PIX but with the client. In addition, is DPD enabled or not? DPD lets the peers detect that an IPsec connection is dead, at which point the SAs are flushed, allowing new ones to be negotiated quickly.
Hello
I am setting up a remote access VPN on a Cisco ASA 5510 version 8.4(4)1.
When I try to connect via the Cisco VPN client software, I am able to connect; however, I am unable to access network resources.
However, I can ping the servers in the other site that is connected through the site-to-site VPN to the main site!
VPN client --> main site (ping times out) --> site connected with the main site with S2S VPN (successful ping)
Please help me I need to find a solution as soon as POSSIBLE!
Thank you in advance.
Hello
Please remove the NAT exemption and re-issue the command, but with "1", so that it places the NAT as the first line:
no nat (SERVERS,external) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup
nat (SERVERS,external) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup
After reconfiguring it this way, make sure that this command is also present:
sysopt connection permit-vpn
This sysopt will allow the traffic regardless of any ACL drop, just in case. Please also run a packet tracer and post it here:
packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed
XXXX --> server IP
YYYY --> VPN IP of the user
Don't forget to do the two steps and, just in case, a capture. Please rate and mark as correct the helpful post!
Thank you
David Castro,
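Why the reply above asks for the exemption to be re-entered at position 1, as an added Python sketch (not from the thread): ASA manual NAT rules are evaluated top-down and the first match wins. The broad PAT rule, the SERVERS_LAN subnet and every address other than the 10.10.40.8/29 pool named in the object are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ManualNat:
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    mapped_source: Optional[str]  # None means identity NAT (exemption)


SERVERS_LAN = ipaddress.ip_network("10.10.20.0/24")  # constructed subnet
VPN_POOL = ipaddress.ip_network("10.10.40.8/29")     # from NETWORK_OBJ_10.10.40.8_29
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule standing in for whatever sat above the exemption.
PAT = ManualNat("dynamic-pat", SERVERS_LAN, ANY, "198.51.100.1")
EXEMPT = ManualNat("vpn-exempt", SERVERS_LAN, VPN_POOL, None)


def translate(rules, src, dst):
    """Return (matching rule name, source address after NAT); first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.source and d in rule.destination:
            return rule.name, rule.mapped_source or src
    return None, src


def move_to_line_1(rules, rule):
    """Model 'no nat ...' followed by 'nat (...) 1 ...': the rule becomes first."""
    return [rule] + [r for r in rules if r != rule]


def client_sees_real_server(rules, server, client):
    """The VPN client talks to the server's real address, so the flow works
    only if NAT leaves the server's source address untouched."""
    _, mapped = translate(rules, server, client)
    return mapped == server


if __name__ == "__main__":
    before = [PAT, EXEMPT]
    after = move_to_line_1(before, EXEMPT)
    for label, rules in (("before", before), ("after", after)):
        print(label, translate(rules, "10.10.20.5", "10.10.40.10"))
```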
VPN question: can connect, but can't go anywhere
Hello
I have my house 2621xm router and I have configured my router as a vpn server and I can connect using vpn client, but that's all I can do. I can't ping or go anywhere. I can't find all the documents on cisco or google that can help me here, so here I am.
Basically, I give the client vpn ip 192.168.6.X then I want the customer to be able to go anywhere in the 192.168.1.X range 5.X and 10.X.
Any help would be greatly appreciated!
Try,
crypto dynamic-map VTELDYNAMAP 10
 reverse-route
Kind regards
Prem
VPN client - multiple connection possibilities?
Hi people,
My basic question is, Cisco VPN Client allows two simultaneous VPN connections at the same time?
I would like to implement the following:
Customer user (remote access VPN via Internet)--> Head Office c/o ASA 5520 pair--> (VPN remote access via Internet)--> pair of Branch Office ASA 5510 S + a/s
For example, to access the Branch Office system, the user must:
1. connect to the peer of Head Office ASA via Cisco VPN Client (the user/password authentication)
Head Office ASA peer gives an 172.16.1.x private IP address and is configured to route all requests for public office ASA IP through its own public IP address.
2. Once the Head Office VPN is established, the user establishes a SECOND VPN tunnel from the Cisco VPN client (user/password and cert-based auth).
I.e. the branch sees the VPN connection attempt from the public IP address of Headquarters and therefore allows the VPN traffic through the ACL and allows the VPN negotiations to continue as usual. The client is given another private IP address, 192.168.10.x.
Basically, I need to limit the remote access VPN branch to make it only accessible from Headquarters public IP address, no public IP address of the user (and therefore the entire internet).
I know this is an unusual configuration, and some will say on the sensitivity of security to allow two simultaneous VPN connections. These are the two networks of trust, strict ACL would be at stake and there is a long history behind this requirement...
Thanks in advance!
Alistair,
You can limit VPN access to the branch by blocking connections on UDP port 500, UDP port 4500 and ESP, and allowing them only from your home office. In this way, only the explicitly authorized public IP address of your home office would be able to connect to your remote sites using an IPsec tunnel.
Now, on the second tunnel, I don't think it's possible. As far as I am aware, you cannot have two VPN connections at the same time from the same client. The VPN will not let you do it, mainly because when you connect with the VPN Client the virtual VPN adapter comes up, and you can have only one virtual VPN adapter.
Because I don't think it is possible, I would advise trying something like this:
It could provide you the connectivity that you are looking for without needing a second VPN tunnel from the client side.
I hope this helps.
Raga
Hello
just a quick,
TOPOLOGY
ASA ISP1 - 197.1.1.1 - outside
ASA ISP2 - 196.1.1.1 - backup
LAN IP - 192.168.202.100 - inside
I have configured Tunnel on the interfaces (external and backup), but is to link both legs public to serve a thare as redundancy for vpn users and users of the vpn tunnel leave pointing inside IP whenever they want to establish vpn session, we want it to be one, so if an interface fails vpn users will not know, but he will try the second for the connection, instead of creating the profile for the two outside of the leg on the vpn client.
Is this possible?
Hi Rammany.
In your case, you have only one ASA that connects to 2 ISPs in different IP segments... 196.x.x.x (Link1) & 197.x.x.x (Link2). Your requirement is that the VPN client should be configured with a backup: if the 196.x.x.x link fails, it should automatically take the 197.x.x.x link, and without having the backup server set in the VPN client config. You also don't have the possibility of active/standby on a single ASA.
I think n so it will work with your current design.
This option applies if your VPN client supports host name resolution (DNS). You can have the VPN created for both public IP addresses share the same host name, keeping link 1 as the primary address and link 2 as the secondary address. It will work alone.
Hope some other experts in our forum can help you with that.
PIX 506E and VPN client - multiple connections
I have a PIX 506E (6.2) w/3DES license and 3.6.3 VPN client software. I'm only using group user name and password to authenticate. The first user login works fine. When the second user connects, the first is finished and the second works very well. The product turned on States I should be able to have 25 simultaneous connections or site to site or customer.
Any help will be greatly appreciated, Kyle
Are these two users on the same site, behind a device that does PAT? If so, then this device is causing the problem, not the PIX. The device is unable to correctly translate the IPsec packets. Unfortunately there is nothing you can do about it on the PIX, although the next version of the software (6.3 to your calendar of March) will have NAT-T support (which the client currently supports). Once both ends support NAT-T, they'll be able to tell that there's a PAT device between the two and they will automatically encapsulate everything in UDP packets, which your PAT device will be able to translate correctly.
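The PAT detection described in the reply above, sketched as an added example (not from the thread and not Cisco's code). It assumes the NAT-D hash from RFC 3947, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 as the negotiated hash; the cookies, addresses and function names are constructed for illustration.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """NAT-D payloads a peer sends: destination first, then its own source."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, payloads, seen_src, my_addr):
    """Compare the received hashes with the addresses seen on the wire."""
    dst_hash, *src_hashes = payloads
    return {
        "sender_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes,
        "receiver_behind_nat": nat_d_hash(cky_i, cky_r, *my_addr) != dst_hash,
    }

def transport_for(result):
    """Any NAT on the path means ESP must ride inside UDP (RFC 3948)."""
    if any(result.values()):
        return "ESP in UDP/4500"
    return "native ESP (IP protocol 50)"

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
GATEWAY = ("198.51.100.1", 500)   # the VPN headend
CLIENT = ("10.0.0.11", 500)       # client's real source behind the PAT device
PAT_SRC = ("203.0.113.5", 1027)   # source after the PAT device rewrote it

def gateway_view(seen_src):
    """What the gateway concludes for a client packet arriving from seen_src."""
    payloads = build_nat_d(CKY_I, CKY_R, CLIENT, GATEWAY)
    return detect_nat(CKY_I, CKY_R, payloads, seen_src, GATEWAY)

if __name__ == "__main__":
    for label, src in (("untranslated", CLIENT), ("via PAT", PAT_SRC)):
        result = gateway_view(src)
        print(label, result, "->", transport_for(result))
```

Native ESP has no port numbers for a PAT device to rewrite, which is why two clients behind the same translated address collide; once the hashes disagree, both peers move to UDP and each client gets its own translated source port.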