NAC VPN SSO Help

I recently inherited the administration of a NAC solution in need of a tune-up (running 4.1.8!). The most consistent complaint I get from users is that VPN SSO does not work and that users must open a web browser to authenticate with NAC once their SSL VPN has been established. I'm quite familiar with configuring VPN SSO and I'm ready to do it, but I can't find the answer to a specific question: can you enable VPN SSO for certain types of users only? We have a combination of two: employees (who have the agent) and contractors (who have no agent). I want VPN SSO to work only for employees, with contractors having to open a web browser for authentication. Is this possible and if so, how? I have found that if you do not have the agent and VPN SSO is enabled, the connection is very clumsy. You open a browser, you are redirected to NAC, and then you get connected once Java or ActiveX runs, without having to provide your identification information, and then you are not directed to your original HTTP request.

Thank you!

For your employees, you can use the class attribute to map a user to a NAC role under the mapping criteria of the Cisco VPN auth provider. You can also map the class attribute of contractors to the unauthenticated role, so when they pull up their browser, they will see the authentication page of the. Once they authenticate and are then in their user role, you can select the redirection page.

I hope this helps.

Tarik Admani

Tags: Cisco Security
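
The class-attribute mapping from the answer above, modeled as an added Python example (not from the original thread and not Cisco's code). It assumes, as a reply further down this page states, that VPN SSO is driven by a RADIUS accounting packet reaching the CAS; the Class values, role names, shared secret and addresses are constructed, and the Request Authenticator check follows RFC 2866.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_CLASS, ATTR_ACCT_STATUS = 1, 8, 25, 40
ACCT_START = struct.pack("!I", 1)           # Acct-Status-Type = Start

# Hypothetical mapping rules: Class value -> NAC role (names are assumptions).
CLASS_TO_ROLE = {b"OU=Employees;": "Employee"}
FALLBACK_ROLE = "Unauthenticated"           # contractors stay here and use web login


def _attr(attr_type, value):
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(ident, secret, user, framed_ip, class_value=None):
    """Build a constructed Accounting-Request (Start) like a VPN concentrator sends."""
    attrs = _attr(ATTR_USER_NAME, user.encode())
    attrs += _attr(ATTR_FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed)
    if class_value is not None:
        attrs += _attr(ATTR_CLASS, class_value)
    attrs += _attr(ATTR_ACCT_STATUS, ACCT_START)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Authenticator = MD5(code + id + length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_accounting(packet, secret):
    """Validate the packet and return {attribute type: first value}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad length")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        # Without this check anyone who can reach the accounting port could
        # announce a session for an arbitrary user and address.
        raise ValueError("bad authenticator")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def sso_decision(packet, secret):
    """Decide whether the session gets SSO into a role or must log in via the web."""
    try:
        attrs = parse_accounting(packet, secret)
    except ValueError as exc:
        return {"sso": False, "reason": str(exc)}
    if attrs.get(ATTR_ACCT_STATUS) != ACCT_START:
        return {"sso": False, "reason": "not an accounting Start"}
    framed = attrs.get(ATTR_FRAMED_IP, b"")
    if ATTR_USER_NAME not in attrs or len(framed) != 4:
        return {"sso": False, "reason": "missing User-Name or Framed-IP-Address"}
    # A missing or unmapped Class falls through to the unauthenticated role.
    role = CLASS_TO_ROLE.get(attrs.get(ATTR_CLASS), FALLBACK_ROLE)
    return {
        "sso": role != FALLBACK_ROLE,
        "user": attrs[ATTR_USER_NAME].decode("utf-8", "replace"),
        "ip": str(ipaddress.IPv4Address(framed)),
        "role": role,
    }


SECRET = b"constructed-shared-secret"       # constructed sample value

if __name__ == "__main__":
    samples = {
        "employee": build_accounting_start(1, SECRET, "alice", "192.0.2.21", b"OU=Employees;"),
        "contractor": build_accounting_start(2, SECRET, "bob", "192.0.2.22", b"OU=Contractors;"),
        "no class": build_accounting_start(3, SECRET, "carol", "192.0.2.23"),
        "wrong secret": build_accounting_start(4, b"other", "mallory", "192.0.2.24", b"OU=Employees;"),
    }
    for label, pkt in samples.items():
        print(label, "->", sso_decision(pkt, SECRET))
```
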

Similar Questions

  • Problem with NAC VPN SSO in In-Band Virtual Gateway mode

    Hello

    I've implemented a NAC solution for remote users. The CAS is configured in In-Band Virtual Gateway mode.

    I followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

    Remote users can connect successfully using the Cisco VPN software and they can ping the SIN, but not the DNS (the ASA offers IP @ but not the DNS, I do not know why).

    When I access the NAS, I can download the NAC Agent but VPN SSO is not executed and the Agent asks me to connect using LOCAL DB.

    Any help please.

    Kind regards

    Larson,

    For VPN SSO to work, you must send the accounting packet to the CAS. The CAS can in turn send it to the ACS if you need accounting to also be done on the ACS, but for SSO to work, the accounting packet must reach the CAS.

    HTH,

    Faisal

  • NAC ACS SSO

    Hi all

    I know that there is AD SSO in the NAC. I would like to have SSO with ACS that is integrated with AD. is there any document to show how to configure SSO with ACS Express or ACS?

    Thank you

    Alex

    Alex,

    In short, no - or at least, I have to say that I don't know of any way to do it. To do SSO with ACS, you would be looking at logging in to Windows with RADIUS or TACACS+. This means that the Windows GINA (the Ctrl-Alt-Delete piece of code) should be able to talk RADIUS or TACACS+ with the ACS server.

    The only standards bodies supported on GRP are AD SSO (where you log in to your Windows machine and SSO happens) or RADIUS SSO (VPN / wireless kind of installation). The second type is where you can do the accounting on ACS. With AD authentication, I don't know of any way it could be accounted for in the ACS.

    One thing you could theoretically do is send an accounting packet to your ACS Express from the CPC or the machine itself, but these are wacky solutions and require a lot of work/trials etc.

    So in short, no :-)

    [EDIT] An option that I had completely forgotten and that could work for your customer is to configure the accounting server on the CCA. This way, you can log in with AD and still send accounting packets to an accounting server. More information here:

    http://www.Cisco.com/en/us/partner/docs/security/NAC/appliance/configuration_guide/45/cam/m_auth.html#wp1159082

    [END_EDIT]

    HTH,

    Faisal

  • NAC AD SSO error: could not start the SSO service. Please check the configuration.

    Hi, can someone please help me with an SSO problem?

    I'm trying to start the single sign-on service, but when I try to update I get the error message: "Error: could not start the SSO service. Please check the configuration."

    The AD is a Windows 2008 Server Standard R2 (64-bit) running at a 2003 domain functional level (several servers), with an OOB deployment.

    I was unable to ping the AD server from the CAS CLI, so I created a static route to the AD on the NAC server, and after that I could successfully ping the IP address of the AD from the NAC Server. The nac_server.log when I try to start the SSO:

    [[email protected]/ * / _primary_ag ~] # ping 10.200.0.3

    PING 10.200.0.3 (10.200.0.3) 56(84) bytes of data.

    64 bytes from 10.200.0.3: icmp_seq=1 ttl=128 time=0.247 ms

    64 bytes from 10.200.0.3: icmp_seq=2 ttl=128 time=0.232 ms

    --- 10.200.0.3 ping statistics ---

    2 packets transmitted, 2 received, 0% packet loss, time 999ms

    rtt min/avg/max/mdev = 0.232/0.239/0.247/0.017 ms

    [[email protected]/ * / _primary_ag ~] # tail -f /perfigo/access/tomcat/logs/nac_server.log


    2012-07-27 17:22:14.117-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader

    2012-07-27 17:22:14.117-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0

    2012-07-27 17:22:14.117 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init

    2012-07-27 17:22:14.118 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 1

    2012-07-27 17:22:14.118 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync

    2012-07-27 17:22:14.118 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0

    2012-07-27 17:22:14.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip

    2012-07-27 17:22:14.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0

    2012-07-27 17:22:17.017-0300 DEBUG RMI RenewClean-[10.200.2.103:1099] com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 2

    [[2012-07-27 17:22:17.017 - 0300 DEBUG RMI RenewClean-[10.200.2.103:1099] com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]]]

    [2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: socket: 59725 c added [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]

    2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 3

    [[[2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]], 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]]

    2012-07-27 17:22:18.624-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager is running: {0.85,0.3, [0: 15:15]}: DETECT_INTERVAL = 20:DETECT_TIME_OUT = 300

    2012-07-27 17:22:18.627-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager http_code = 200: {0.85,0.3, [0: 15:15]}

    [2012-07-27 17:22:18.627-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager go to sleep: delay of {0.85,0.3, [0: 15:15]}] = 19997

    2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:19.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader

    2012-07-27 17:22:19.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0

    2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init

    2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0

    2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync

    2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0

    2012-07-27 17:22:19.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip

    2012-07-27 17:22:19.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0

    2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:24.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader

    2012-07-27 17:22:24.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0

    2012-07-27 17:22:24.121 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init

    2012-07-27 17:22:24.121 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0

    2012-07-27 17:22:24.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync

    2012-07-27 17:22:24.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0

    2012-07-27 17:22:24.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip

    2012-07-27 17:22:24.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0

    2012-07-27 17:22:29.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:29.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader

    2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0

    2012-07-27 17:22:29.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init

    2012-07-27 17:22:29.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0

    2012-07-27 17:22:29.123 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync

    2012-07-27 17:22:29.123 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0

    2012-07-27 17:22:29.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip

    2012-07-27 17:22:29.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0

    [2012-07-27 17:22:32.022-0300 RMI Scheduler (0) DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: removed socket: 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]]

    2012-07-27 17:22:32.022-0300 com.perfigo.wlan.ssl.SSLLog RMI Scheduler (0) DEBUG - RMISocketFactory:CACHED_SOCKETS_SIZE = 2

    [[2012-07-27 17:22:32.022-0300 RMI Scheduler (0) com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]]

    [2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: moved socket: 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]

    2012-07-27 17:22:32.022-0300 TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 1 connection

    [2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]]]

    2012-07-27 17:22:32.022-0300 TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 1 connection

    [2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]]]

    2012-07-27 17:22:34.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 1

    2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo

    2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0

    2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader

    2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0

    2012-07-27 17:22:34.124 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init

    2012-07-27 17:22:34.124 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0

    2012-07-27 17:22:34.125 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync

    2012-07-27 17:22:34.125 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0

    2012-07-27 17:22:34.125-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip

    2012-07-27 17:22:34.125-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0

    [[email protected]/ * / _primary_ag ~] #.

    Thank you

    Moises,

    I wanted to know if you have followed these steps:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/49/CAs/s_adsso.html#wp1266896

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Cisco's VPN IPSec help please

    Hi all

    I have 3 sites, the main site has a cisco firewall mikrotik router.

    There is an existing IPsec VPN between the Cisco router and another Cisco router at the 2nd site, and it works well.

    Now I've added another VPN between a 3rd site and the main site. The router at the 3rd site is a MikroTik firewall.

    I had the VPN up between the main site and the 3rd site, where the MikroTik firewall is, and it worked well.

    Then, for some reason, the VPN with the 3rd site failed and I could not get it working again.

    When looking for answers, I see that the VPN for the 3rd site states the following:

    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    It seems that no traffic is coming back to the Cisco.

    I also found the following output below to diagnose the problem.

    It seems that there is communication, but if I read this right, it looks like the Cisco established a new number but the other end is not the new number:

    new node -1868419487

    deleting node -1868419487 error FALSE reason "Informational (in) state 1"

    Any help would be appreciated.

    *Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
    *Jul 22 02:49:59.723: ISAKMP: DPD received KMI message.
    *Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
            spi 2273844328, message ID = 1053074288
    *Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
    *Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
    *Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
    *Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
    *Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
            spi 0, message ID = 2426547809, sa = 0x8705F854
    *Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 125.236.211.127, sequence 0x645EC368
    *Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
    *Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805

    Comparing encrypt of 46 to 47436 counters, it seems that the router is encrypting the traffic, but we do not get any interesting traffic from the remote side.

    Most likely, you will want to check on the remote site whether the decrypt counters increment in parallel, and whether its encrypt counters are incrementing or not.

    On the IOS router, if the encrypt counters are incrementing, also confirm that the router does not already have an existing tunnel with the same proxy IDs negotiated with another peer.

    Finally, please make sure that ESP (protocol 50) traffic is not blocked in transit.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.
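The check described in this answer, as an added example that is not part of the original thread: it flags SAs that encapsulate but never decapsulate, and pairs each DPD R_U_THERE with its ACK to show that IKE is alive while ESP is not returning. The sample text is constructed in IOS output layout from the counters, message ID and sequence number in the post; the peer addresses and function names are assumptions.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa`. The first SA
# carries the counters quoted in the question; the second is a healthy SA
# added for contrast. Peer addresses are documentation placeholders.
SHOW_CRYPTO_IPSEC_SA = """\
   current_peer 192.0.2.10 port 500
    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.20 port 500
    #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
    #pkts decaps: 4987, #pkts decrypt: 4987, #pkts verify: 4987
"""

# Constructed sample: the DPD exchange from the question's debug output.
ISAKMP_DEBUG = """\
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 2273844328, message ID = 1053074288
*Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
*Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
*Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
*Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 192.0.2.10, sequence 0x645EC368
*Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
"""


def sa_counters(show_output):
    """Return one dict per SA block: peer address, encaps and decaps counts."""
    sas = []
    for block in re.split(r"(?m)^\s*current_peer\s+", show_output)[1:]:
        enc = re.search(r"#pkts encaps:\s*(\d+)", block)
        dec = re.search(r"#pkts decaps:\s*(\d+)", block)
        if enc and dec:
            sas.append({"peer": block.split()[0],
                        "encaps": int(enc.group(1)),
                        "decaps": int(dec.group(1))})
    return sas


def one_way_peers(show_output):
    """Peers we send ESP to but have never received ESP from."""
    return [sa["peer"] for sa in sa_counters(show_output)
            if sa["encaps"] > 0 and sa["decaps"] == 0]


def node_to_message_id(node):
    """The 'node' number is the 32-bit IKE message ID printed as a signed int."""
    return node & 0xFFFFFFFF


def dpd_answered(debug_output):
    """Sequence numbers of R_U_THERE probes that were acknowledged."""
    hexnum = r"(0x[0-9A-Fa-f]+)"
    sent = {int(s, 16) for s in re.findall(r"seq\. no " + hexnum, debug_output)}
    acked = {int(s, 16) for s in re.findall(
        r"R_U_THERE_ACK received from peer [^,\s]+,\s*sequence " + hexnum,
        debug_output)}
    return sent & acked


def diagnose(show_output, debug_output):
    """Combine both views; assumes the debug was captured for the stuck peer."""
    stuck = one_way_peers(show_output)
    if not stuck:
        return "ok"
    if dpd_answered(debug_output):
        return "IKE alive, no inbound ESP from " + ", ".join(stuck)
    return "no inbound ESP and no DPD reply from " + ", ".join(stuck)


if __name__ == "__main__":
    print(diagnose(SHOW_CRYPTO_IPSEC_SA, ISAKMP_DEBUG))
    print(node_to_message_id(-1868419487))
```

The node number -1868419487 and message ID 2426547809 in the debug output are the same value, so the "new node" lines belong to an ordinary, answered DPD exchange; the missing piece is inbound ESP, which is what the counter comparison and the protocol 50 check address.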

  • Being driven nuts by Cisco NAC! Help!

    Hi all

    Getting desperate here... been trying to get the Cisco NAC solution (Cisco NAC 3310) to work, but with limited success, and the results are currently desperately random. I have a lot of experience with Cisco products and so far this has been the most painful :-( Any help here would be gladly appreciated!

    OK, here's the setup: the CAM and CAS are configured in OOB VG mode (Layer 2). I set everything up by following the guide from Cisco (I hope): different VLANs for the CAS and the CAM, VLAN mapping, managed subnets, switch profiles, etc. are configured. Yet I get strange results: some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (and changes the switch port from the initial VLAN to the auth VLAN). I have racked my brain trying to figure out what's wrong; the event logs do not indicate many problems. Just to check on some uncertainties:

    1. For the managed subnet IP, should I check the box "Enable subnet based Vlan change"?

    2. For the managed subnet, should I enter the gateway's IP as the managed subnet IP address? E.g. VLAN 110 (untrusted VLAN) mapped to VLAN 10 (trusted VLAN), which is the 10.1.10.0/24 subnet. The gateway is 10.1.10.254. So should I configure the managed subnet IP/netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address from that subnet (for example 10.1.10.1)?

    3. I am also experiencing the situation where, after connecting successfully (passing the NAC checks, etc.), I unplug my laptop from the managed switch port and reconnect after a while. This time no authentication happens, but network connectivity is broken (even though the Cisco Agent is running). It seems that the network port is placed in the auth VLAN, yet nothing prompts me to log in. Any ideas?

    W

    Woon,

    What policies do you have installed on your current user roles?

    You can try allowing all TCP/UDP and fragments to see whether it still fails to connect.

    Right-click on the agent as well and select Properties. Make sure that there is no discovery host, since it is an L2 deployment.

    Please also rate the previous post, so that others with similar problems will look at this thread.

    Thank you!

  • SSL VPN SSO with AD/LDAP

    Hello

    I wonder if it is possible to have SSL VPN users sign on to Active Directory, instead of (ASA) VPN gateway.

    Sending a link, if the scenario is possible would be appreciated.

    Thank you

    Mike

    Yes, it is possible.

    Here is the sample configuration for your reference:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml

    Hope that helps.

  • [Config] 877 VPN - please help

    Hello

    I wonder if someone could help me because I am quite stuck

    I am trying to establish the following VPN configuration?

    Remote user Mobile > Internet > Cisco VPN > server (service)

    With the help of SDM I selected 'Easy VPN Server' deployment.

    I am able to connect remotely via the Cisco VPN client dialler; the connection is made very well and I am able to ping 192.168.1.1, where the standard ping results are returned.

    I have a server that is running IIS on 192.168.1.20 but I can't ping the server? I don't want to install software on this server that users can synchronize remotely with and I'm not sure what to do.

    Attached configuration

    Thanks in advance

    Hello

    Some things to check:

    a. What is the default gateway on the server?

    b. Does the server have more than one network card?

    c. If yes, can you disable the second network card and see if it works?

    d. You can run debug on the router to see if we even get the packet and respond to the client.

    Here are a few troubleshooting steps.

    Thank you

    Gilbert

  • VPN/routing HELP!

    I have an ASA 5505 that I can VPN into; my problem is that I do not have access to my internal network. Right now, I have my cable modem going into my ASA, and my ASA goes to my Cisco 3660 router. I think my problem is somewhere in the routing domain, but I don't really know what I'm doing... Help, please.

    The ASA config:

    : Saved
    :
    ASA Version 8.2(3)
    !
    hostname ciscoasa
    domain-name wood.homeesrv.com
    enable password DQucN59Njn0OjpJL encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
     domain-name wood.homeesrv.com
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPN protocol radius
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable inside
     enable outside
    group-policy WoodVPN internal
    group-policy WoodVPN attributes
     dns-server value 192.168.1.14 8.8.8.8
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value WoodVPN_splitTunnelAcl
     default-domain value wood.homeserv.com
    username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 15
    tunnel-group WoodVPN type remote-access
    tunnel-group WoodVPN general-attributes
     address-pool HomeVPN
     default-group-policy WoodVPN
    tunnel-group WoodVPN ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:20c3b97b24f2fadeb1154024bd995f03
    : end
    no asdm history enable

    Cisco 3660 Router Config:

    Building configuration...

    Current configuration : 1096 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.19
    !
    ip dhcp pool 192.168.1.0/24
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 8.8.8.8 8.8.4.4 192.168.1.14 192.168.1.13
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username woodjl privilege 15 secret 5 $1$FJyW$Ozgsn9oO0acvYSSeohvzX/
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 192.168.2.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end

    Do this:

    group-policy WoodVPN attributes

     no split-tunnel-network-list value WoodVPN_splitTunnelAcl

     split-tunnel-network-list value Split_Tunnel_List

    Also add:

    access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Let me know if that helps.
    Manish

  • PIX 515E v7 VPN config help

    Hello

    I have a PIX 515E currently running v7.

    Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or ISP router IP address is provided)?

    I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

    I think that v7 does not support PPPoE, so I can't set the ADSL modem to bridged mode?

    Is there a way to fix this?

    Any help gratefully appreciated.

    Apply the commands below:

    isakmp identity address

    isakmp nat-traversal 20

    If the problem persists, then please post the entire config with the public IP hidden.

  • VPN NAT help

    I need to configure NAT on a VPN tunnel to accomplish the following. I already have the tunnel up and running; I just need to confirm my NAT config.

    Running ASA Version 8.2(5)

    I only need to set up site A.

    The internal subnet at site A is 172.30.6.0/24, and I need to NAT this subnet to 172.31.183.0/24 when the destination subnet is 172.31.255.128/25.

    So here's what I thought.

    Policy NAT: translate 172.30.6.0/24 to 172.31.183.0/24 when the destination is 172.31.255.128/25.

    static (inside,outside) 172.31.183.0 access-list CBC-NAT-TRANSLATION

    access-list CBC-NAT-TRANSLATION extended permit ip 172.30.6.0 255.255.255.0 172.31.255.128 255.255.255.128

    Then I would need that

    static (outside,inside) 172.31.255.128 172.30.6.0 netmask 255.255.255.0

    That sounds about right.

    Thank you

    Mike

    Mike

    As I said, I have not used a network with a policy static NAT, so I don't know whether the host part of the IP address matches the host part in the NAT range, if you see what I mean.

    It could, but it may not be a concern for you anyway. You would need to watch the xlate table once you make the connection to know for sure.

    In addition, it means all devices in this subnet may send packets to each device in the remote subnet, but once again that may not be a cause for concern.

    But apart from that, yes, your config seems fine to me.

    I would try with the first range and establish a connection, and then if it works check the xlate table to see exactly which IP it chose.

    Jon

  • PIX 515 VPN config help

    I have been working on setting up a PIX 515E to serve as my firewall and VPN. The firewall and main routing work well, as I am able to VPN in and get an IP address. However, I am unable to remote desktop to a PC behind the firewall.

    Here is my config as I have it now. If someone could show me what I'm missing, that would be great.

    Firewall # sh run
    : Saved
    :
    PIX Version 7.2 (3)
    !
    Firewall host name
    DOMAINNAME.COM domain name
    activate r9tt5TvvX00Om3tg encrypted password
    names of
    !
    interface Ethernet0
    PPPoE Interface Description
    nameif outside
    security-level 0
    PPPoE client vpdn group pppoe
    63.115.220.5 255.255.255.255 IP address pppoe setroute
    !
    interface Ethernet1
    Description network internal
    nameif inside
    security-level 100
    the IP 192.168.0.1 255.255.255.0
    !
    interface Ethernet2
    DMZ Interface Description
    nameif DMZ
    security-level 50
    IP 10.1.48.1 255.255.252.0
    !
    2KFQnbNIdI.2KYOU encrypted passwd
    passive FTP mode
    clock timezone STD - 7
    clock to summer time recurring MDT
    DNS server-group DefaultDNS
    domain ivanwindon.ghpstudios.com
    object-group service remote tcp - udp
    Description Office remotely
    3389 3389 port-object range
    standard access list vpn_client_splitTunnelAcl allow a
    inside_nat0_outbound list of allowed ip extended access any 192.168.0.192 255.255.255.192
    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.96 255.255.255.240
    access-list Local_LAN_Access Note Local LAN access
    Local_LAN_Access list standard access allowed host 0.0.0.0
    outside_cryptomap_65535.20 deny ip extended access list a whole
    access-list 102 extended allow ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    vpn_client_splitTunnelAcl_1 list standard access allowed 192.168.0.0 255.255.255.0
    inside_access_in list extended access permit tcp any eq 3389 3389 any eq
    pager lines 24
    Enable logging
    information recording console
    registration of information monitor
    logging trap information
    asdm of logging of information
    address record [email protected] / * /
    exploitation forest-address recipient [email protected] / * / level of errors
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 DMZ
    IP local pool vpn_pool 192.168.0.100 - 192.168.0.105 mask 255.255.255.0
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image Flash: / asdm - 523.bin
    enable ASDM history
    ARP timeout 14400
    Overall 101 (external) interface
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 101 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Route outside 0.0.0.0 0.0.0.0 207.225.112.2 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout, uauth 0:05:00 absolute
    AAA authentication LOCAL telnet console
    Enable http server
    http 192.168.0.4 255.255.255.255 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto-map dynamic outside_dyn_map 20 set pfs
    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
    Crypto-map dynamic outside_dyn_map 20 the value reverse-road
    PFS set 40 crypto dynamic-map outside_dyn_map
    Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA
    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP disconnect - notify
    Telnet 192.168.0.4 255.255.255.255 inside
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    VPDN group request dialout pppoe pppoe
    VPDN group pppoe localname [email protected] / * /
    VPDN group pppoe ppp authentication chap
    VPDN username username password *.
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 1500
    dhcpd ping_timeout 10
    NAME of domain domain dhcpd
    dhcpd auto_config off vpnclient-wins-override
    dhcpd option 3 ip 192.168.0.1
    !
    dhcpd address 192.168.0.5 - 192.168.0.49 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd lease interface 1500 inside
    interface ping_timeout 10 dhcpd inside
    dhcpd DOMAIN domain name inside interface
    dhcpd 192.168.0.1 ip interface option 3 inside
    dhcpd allow inside
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    !
    global service-policy global_policy
    TFTP server inside 192.168.0.4/TFTP-Root
    internal vpn_client group policy
    attributes of the strategy of group vpn_client
    value of server DNS 208.67.222.222 208.67.220.220
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list vpn_client_splitTunnelAcl_1
    value by default-domain DomainName
    admin I727P4FvcUV4IZGC encrypted privilege 15 password username
    username ivanwindon encrypted password privilege 0 7K5PuGcBwHggqgCD
    username ivanwindon attributes
    VPN-group-policy vpn_client
    tunnel-group vpn_client type ipsec-ra
    tunnel-group vpn_client General-attributes
    address vpn_pool pool
    Group Policy - by default-vpn_client
    vpn_client group of tunnel ipsec-attributes
    pre-shared-key *.
    96.125.164.139 SMTP server
    context of prompt hostname
    Cryptochecksum:48fdc775b2330699db8fc41493a2767c
    : end
    Firewall #.

    Ivan Windon

    Sent from Cisco Technical Support iPad App

    Hello

    I would first change the VPN Client pool to something other than the LAN

    Such as 192.168.1.0/24

    NAT0

    • Add a NAT0 rule for the new pool and then remove the 'old' ones

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    no access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192

    no access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240

    VPN Client pool

    • Remove the old pool from the "tunnel-group" configuration, then remove the pool, create a new pool, and finally configure the new pool under the "tunnel-group".

    tunnel-group vpn_client general-attributes

     no address-pool vpn_pool

    no ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0

    ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0

    tunnel-group vpn_client general-attributes

     address-pool vpn_pool

    There's another thread with a similar problem (even if the settings appear to be correct) on the forums.

    If you can't get the RDP connection to work, I would also maybe Google for UltraVNC, install it on the LAN host and your VPN Client, and try connecting with it to determine that the VPN Client configurations are all OK. There have been problems that were ultimately associated with the LAN host rather than the VPN Client configurations.

    If you think it's needed, save your settings before making any changes.

    -Jouni
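
The two conditions in the reply above (a VPN client pool that does not sit inside the LAN subnet, and a NAT0 rule that covers the pool) can be checked offline against a saved configuration. The following Python sketch is an added example, not code from the thread; the sample configurations are constructed from the thread's addressing in PIX/ASA 7.x syntax, and the function names and finding labels are made up for illustration.

```python
import ipaddress

# Constructed sample: pool inside the LAN subnet, as in the question above.
SAMPLE_BEFORE = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Constructed sample: pool moved off the LAN and the NAT0 ACL updated to match.
SAMPLE_AFTER = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Constructed sample: pool moved, but the NAT0 ACL still names only the old ranges.
SAMPLE_HALF_DONE = SAMPLE_BEFORE.replace(
    "192.168.0.100-192.168.0.105", "192.168.1.100-192.168.1.105")


def _addr_spec(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Extract interface networks, VPN pools, permit-ip ACL entries and NAT statements."""
    ifaces, pools, acls, nat0, natted = {}, {}, {}, {}, set()
    nameif = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None
        elif t[0] == "nameif" and len(t) > 1:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4:
            try:
                ifaces[nameif] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
            except ValueError:
                pass  # e.g. "ip address pppoe setroute": no static address to check
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            start, _, end = t[4].partition("-")
            pools[t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end or start))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr_spec(t[5:])
            dst, _ = _addr_spec(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) >= 3:
            ifname = t[1].strip("()")
            natted.add(ifname)
            if t[2] == "0" and len(t) == 5 and t[3] == "access-list":
                nat0[ifname] = t[4]
    return ifaces, pools, acls, nat0, natted


def audit(config):
    """Return one finding string per problem; an empty list means both checks pass."""
    ifaces, pools, acls, nat0, natted = parse(config)
    findings = []
    for pname, (start, end) in sorted(pools.items()):
        for ifname, net in sorted(ifaces.items()):
            # Check 1: the pool range must not fall inside a directly connected subnet.
            if start <= net.broadcast_address and end >= net.network_address:
                findings.append(f"POOL_OVERLAPS_INTERFACE pool={pname} interface={ifname} net={net}")
            # Check 2: on a NATed interface, one NAT0 entry must cover LAN -> whole pool.
            if ifname in natted:
                entries = acls.get(nat0.get(ifname), [])
                if not any(net.subnet_of(src) and start in dst and end in dst
                           for src, dst in entries):
                    findings.append(f"NO_NAT_EXEMPTION pool={pname} interface={ifname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("half done", SAMPLE_HALF_DONE),
                       ("after", SAMPLE_AFTER)):
        print(label, audit(cfg) or "no findings")
```

The parser only reads `permit ip` entries of extended ACLs, so object-groups and name aliases in a real configuration would need to be expanded before auditing.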

  • Site to site VPN - need help to set up several tunnels

    I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site. (see attached diagram)

    It works well, but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What is the best way to do it? Can the 1720s be configured with direct L2L VPN tunnels, or will that affect the existing tunnels to the ASA5510? If so, I'm guessing that each 1720 will have to go through the ASA first.

    Thank you.

    Configs below:

    ASA5510

    ASA Version 7.2 (2)

    !

    names of

    name 172.18.3.19 Postal Mail Server description

    name 172.18.3.33 description Helpdesk Server helpdesk

    DNS-guard

    !

    interface Ethernet0/0

    Description link Comcast

    nameif ComCast_Out

    security-level 0

    IP 29.92.14.73 255.255.255.248

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    address 192.168.10.2 255.255.255.252

    !

    interface Ethernet0/2

    security-level 0

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 10.10.10.1 255.255.255.0

    management only

    !

    boot system Disk0: / asa722 - k8.bin

    boot system Disk0: / asa706 - k8.bin

    passive FTP mode

    clock timezone IS - 5

    clock to summer time EDT recurring

    list of allowed incoming access extended ip any host 29.92.14.74

    list of extended all inbound icmp permitted access all inaccessible

    list of inbound icmp permitted access extended throughout entire echo response

    list of allowed inbound tcp extended access any host 29.92.14.73 eq 3000

    list of allowed inbound tcp extended access any newspaper SMTP host 29.92.14.73 eq

    list of allowed inbound tcp extended access any host 29.92.14.73 eq www

    list of allowed inbound tcp extended access any host 29.92.14.73 eq 3389

    list of allowed inbound tcp extended access any host 29.92.14.73 eq pptp

    list of allowed inbound tcp extended access any host 116.204.226.42 eq 3000

    list of allowed inbound tcp extended access any host 116.204.226.42 eq smtp

    list of allowed inbound tcp extended access any host 116.204.226.42 eq www

    list of allowed inbound tcp extended access any host 116.204.226.42 eq 3389

    list of allowed inbound tcp extended access any host 116.204.226.42 eq pptp

    list of inbound note FTP Server access

    list of allowed inbound tcp extended access any host 29.92.14.73 eq ftp

    acl_out list extended access permit tcp host 29.92.14.73 any eq smtp

    acl_out list extended access permit tcp host 192.168.1.4 any eq smtp

    tcp extended access list acl_out deny any any eq smtp

    access ip allowed any one extended list acl_out

    121 extended access-list permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

    IP 172.18.3.0 allow Access-list extended sheep 255.255.255.0 172.22.3.0 255.255.255.0

    IP 172.18.3.0 allow Access-list extended sheep 255.255.255.0 172.20.3.0 255.255.255.0

    access-list extended sheep allowed ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0

    access-list sheep extended ip 172.30.1.0 allow 255.255.255.0 172.31.255.0 255.255.255.0

    access-list sheep extended ip 192.168.10.0 allow 255.255.255.252 172.31.255.0 255.255.255.0

    IP 172.17.1.0 allow Access-list extended sheep 255.255.255.0 172.31.255.0 255.255.255.0

    172.18.0.0 IP Access-list extended sheep 255.255.0.0 allow 172.31.255.0 255.255.255.0

    IP 172.31.3.0 allow Access-list extended sheep 255.255.255.0 172.31.255.0 255.255.255.0

    access-list sheep extended ip 192.168.0.0 allow 255.255.0.0 172.31.255.0 255.255.255.0

    backup_access_out of access allowed any ip an extended list

    outside_access_out of access allowed any ip an extended list

    Note to access list outside_access_out Barracuda

    outside_access_out list extended access permit tcp host 172.18.3.8 any eq smtp inactive

    Comment from outside_access_out-access SMTP Block list

    outside_access_out tcp extended access list deny any any eq smtp inactive

    Note to access list schools SMTP inside_access_in

    inside_access_in list extended access permit tcp host postal eq smtp no matter what eq smtp

    inside_access_in list extended access permit tcp host 172.18.3.8 any eq smtp

    inside_access_in list extended access permit tcp host 172.18.3.30 any eq smtp

    inside_access_in tcp extended access list deny any any eq smtp

    inside_access_in of access allowed any ip an extended list

    Access extensive list ip 172.18.3.0 ComCast_Out_20_cryptomap allow 255.255.255.0 172.22.3.0 255.255.255.0

    ComCast_Out_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 172.22.3.0 255.255.255.0

    Access extensive list ip 172.18.3.0 ComCast_Out_25_cryptomap allow 255.255.255.0 172.20.3.0 255.255.255.0

    vpn_access list standard access allowed 192.168.10.0 255.255.255.252

    standard access list vpn_access allow 172.17.1.0 255.255.255.0

    standard access list vpn_access allow 172.18.0.0 255.255.0.0

    standard access list vpn_access allow 172.31.3.0 255.255.255.0

    vpn_access list standard access allowed 172.30.1.0 255.255.255.0

    vpn_access list standard access allowed 192.168.0.0 255.255.0.0

    pager lines 24

    Enable logging

    emergency logging monitor

    logging warnings put in buffered memory

    asdm of logging of information

    MTU 1500 ComCast_Out

    Within 1500 MTU

    MTU 1500 NOT_IN_USE

    management of MTU 1500

    IP local pool vpnpool 192.168.20.2 - 192.168.20.254

    172.31.255.1 mask - local 172.31.255.250 pool POOL VPN IP 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 522.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global interface (ComCast_Out) 1

    Global (NOT_IN_USE) 1 interface

    NAT (inside) 0 access-list sheep

    NAT (inside) 1 192.0.0.0 255.0.0.0

    NAT (inside) 1 0.0.0.0 0.0.0.0

    TCP static (inside ComCast_Out) interface 3000 172.18.3.22 3000 netmask 255.255.255.255

    TCP static (inside ComCast_Out) interface smtp 172.18.3.8 smtp netmask 255.255.255.255

    TCP static (inside ComCast_Out) interface www 172.18.3.30 www netmask 255.255.255.255

    TCP static (inside ComCast_Out) interface 3389 172.18.3.22 3389 netmask 255.255.255.255

    TCP static (inside ComCast_Out) interface 172.18.3.22 pptp pptp netmask 255.255.255.255

    TCP static (inside NOT_IN_USE) interface 3000 172.18.3.22 3000 netmask 255.255.255.255

    TCP static (inside NOT_IN_USE) interface smtp 172.18.3.8 smtp netmask 255.255.255.255

    TCP static (inside NOT_IN_USE) interface www 172.18.3.30 www netmask 255.255.255.255

    TCP static (inside NOT_IN_USE) interface 3389 172.18.3.23 3389 netmask 255.255.255.255

    TCP static (inside NOT_IN_USE) interface 172.18.3.22 pptp pptp netmask 255.255.255.255

    TCP static (inside ComCast_Out) interface 3101 172.18.3.8 3101 netmask 255.255.255.255

    TCP static (inside ComCast_Out) ftp ftp netmask 255.255.255.255 helpdesk interface

    static TCP (inside ComCast_Out) interface ftp - data helpdesk ftp - data netmask 255.255.255.255

    static (inside, ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255

    Access-group entering interface ComCast_Out

    Access-group interface ComCast_Out outside_access_out

    inside_access_in access to the interface inside group

    Access-group entering interface NOT_IN_USE

    Access-group interface NOT_IN_USE backup_access_out

    Route 0.0.0.0 ComCast_Out 0.0.0.0 29.92.14.78 1 track 1

    Route inside 192.168.0.0 255.255.0.0 192.168.10.1 1

    Route inside 172.17.1.0 255.255.255.0 192.168.10.1 1

    Route inside 172.18.0.0 255.255.0.0 192.168.10.1 1

    Route inside 172.31.3.0 255.255.255.0 192.168.10.1 1

    Route inside 172.30.1.0 255.255.255.0 192.168.10.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    internal group vpnclient strategy

    vpnclient group policy attributes

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpn_access

    internal remote group strategy

    Group remote attributes policy

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value 121

    Enable http server

    http 172.0.0.0 255.0.0.0 inside

    http 192.0.0.0 255.0.0.0 inside

    http 10.10.10.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    monitor SLA 123

    interface type echo protocol ipIcmpEcho 168.87.71.226 ComCast_Out

    NUM-package of 3

    frequency 10

    Annex ALS life monitor 123 to always start-time now

    Crypto ipsec transform-set esp-3des esp-md5-hmac 3des

    Crypto ipsec transform-set esp - esp-sha-hmac SHA3DES

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    3DES encryption dynamic-map dynmap 10 transform-set

    Crypto-map dynamic outside_dyn_map 10 the value transform-set ESP-3DES-SHA

    address for correspondence card crypto vpnremote 20 ComCast_Out_20_cryptomap

    peer set card crypto vpnremote 20 202.13.116.209

    vpnremote card crypto 20 the transform-set ESP-DES-MD5 value

    address for correspondence card crypto vpnremote 25 ComCast_Out_25_cryptomap

    peer set card crypto vpnremote 25 207.147.31.97

    card crypto vpnremote 25 game of transformation-ESP-DES-MD5

    vpnremote 30 card crypto ipsec-isakmp dynamic dynmap

    map vpnremote 65535-isakmp ipsec crypto dynamic outside_dyn_map

    vpnremote ComCast_Out crypto map interface

    card crypto VN1530600A 663 matches the address ACL663

    card crypto VN1530600A 663 set pfs

    card crypto VN1530600A 663 set peer 29.92.14.73

    crypto VN1530600A 663 the transform-set SHA3DES value card

    card crypto VN1530600A 663 defined security-association life seconds 1800

    crypto isakmp identity address

    ISAKMP crypto enable ComCast_Out

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 20

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    life 86400

    Crypto isakmp nat-traversal 20

    !

    track 1 rtr 123 accessibility

    tunnel-group type remote ipsec-ra

    tunnel-group remote General attributes

    address vpnpool pool

    Group Policy - by default-remote control

    tunnel-group remote ipsec-attributes

    pre-shared-key *.

    tunnel-group 29.92.14.73 type ipsec-l2l

    IPSec-attributes tunnel-group 29.92.14.73

    pre-shared-key *.

    tunnel-group 202.13.116.209 type ipsec-l2l

    IPSec-attributes tunnel-group 202.13.116.209

    pre-shared-key *.

    tunnel-group 207.147.31.97 type ipsec-l2l

    IPSec-attributes tunnel-group 207.147.31.97

    pre-shared-key *.

    Telnet 192.168.0.0 255.255.0.0 inside

    Telnet 172.0.0.0 255.0.0.0 inside

    Telnet timeout 120

    SSH timeout 5

    Console timeout 0

    management-access inside

    management of 10.10.10.11 - dhcpd addresses 10.10.10.20

    !

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    Policy-map global_policy

    class inspection_default

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7

    : end

    1720-A

    version 12.2

    horodateurs service debug datetime

    Services log timestamps datetime

    encryption password service

    !

    1720-A host name

    !

    logging buffered debugging 4096

    !

    iomem 20 memory size

    clock timezone IS - 5

    clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00

    IP subnet zero

    !

    !

    no ip domain-lookup

    name of the IP-server 172.18.3.24

    DHCP excluded-address IP 172.20.3.1 172.20.3.20

    !

    IP dhcp pool dhcppool

    network 172.20.3.0 255.255.255.0

    router by default - 172.20.3.1

    DNS-server 172.18.3.24 172.18.3.26

    !

    audit of IP notify Journal

    Max-events of po verification IP 100

    property intellectual ssh timeout of 120

    property intellectual ssh authentication-3 retries

    !

    crypto ISAKMP policy 10

    md5 hash

    preshared authentication

    Group 2

    address of Cisco key crypto isakmp 29.92.14.73

    !

    !

    Crypto ipsec transform-set esp - esp-md5-hmac TOWN_HALL

    Crypto ipsec transform-set esp - esp-md5-hmac DES-MD5

    Dimensions of tunnel mib crypto ipsec flowmib history 200

    MIB crypto ipsec flowmib size of 200 historical failure

    !

    map VPNmap 10 ipsec-isakmp crypto

    defined by peer 29.92.14.73

    game of transformation-TOWN_HALL

    match address TOWN_HALL

    !

    !

    !

    !

    interface Ethernet0

    IP 207.147.31.97 255.255.255.252

    IP-group access to the PERIMETER of

    NAT outside IP

    Half duplex

    card crypto VPNmap

    !

    interface FastEthernet0

    LAN description

    IP 172.20.3.1 255.255.255.0

    IP nat inside

    automatic speed

    !

    interface Serial0

    no ip address

    Shutdown

    !

    IP nat inside source list NAT_ADDRESSES interface Ethernet0 overload

    IP classless

    IP route 0.0.0.0 0.0.0.0 207.147.31.98

    no ip address of the http server

    enable IP pim Bennett

    !

    !

    NAT_ADDRESSES extended IP access list

    deny ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255

    IP 172.20.3.0 allow 0.0.0.255 any

    PERIMETER extended IP access list

    permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp

    esp permits 29.92.14.73 host 207.147.31.97

    IP 172.18.3.0 allow 0.0.0.255 172.20.3.0 0.0.0.255

    allow all all unreachable icmp

    permit any any icmp echo response

    allow any host 207.147.31.97 eq telnet tcp

    allow any host 192.168.20.1 eq telnet tcp

    permit tcp any eq www everything

    permit tcp any eq 443 all

    permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp

    esp permits 173.13.116.209 host 207.147.31.97

    IP 172.22.3.0 allow 0.0.0.255 172.20.3.0 0.0.0.255

    refuse an entire ip

    TOWN_HALL extended IP access list

    IP 172.20.3.0 allow 0.0.0.255 172.18.3.0 0.0.0.255

    !

    alias exec sr show run

    alias exec s sh ip int br

    alias exec srt show ip route

    !

    Line con 0

    exec-timeout 0 0

    Synchronous recording

    line to 0

    line vty 0 4

    exec-timeout 60 0

    Synchronous recording

    local connection

    transport telnet entry

    !

    No Scheduler allocate

    NTP-period clock 17180009

    end

    1720-B
    version 12.1
    no single-slot-reload-enable service
    horodateurs service debug datetime
    Services log timestamps datetime
    encryption password service
    !
    1720-B host name
    !
    logging buffered debugging 4096
    no set record in buffered memory
    Console rate-limit logging 10 except errors
    !
    iomem 25 memory size
    clock AND time zone - 5
    clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00
    IP subnet zero
    no ip finger
    no ip domain-lookup
    name of the IP-server 172.18.3.24
    DHCP excluded-address IP 172.22.3.1 172.22.3.20
    !
    IP dhcp pool dhcppool
    network 172.22.3.0 255.255.255.0
    router by default - 172.22.3.1
    DNS-server 172.18.3.24 172.18.3.26
    !
    audit of IP notify Journal
    Max-events of po verification IP 100
    !
    !
    crypto ISAKMP policy 10
    md5 hash
    preshared authentication
    Group 2
    address of Cisco key crypto isakmp 29.92.14.73
    !
    !
    Crypto ipsec transform-set esp - esp-md5-hmac TOWN_HALL
    !
    map VPNmap 10 ipsec-isakmp crypto
    defined by peer 29.92.14.73
    game of transformation-TOWN_HALL
    match address TOWN_HALL
    !
    !
    !
    !
    interface Ethernet0
    IP 202.13.116.209 255.255.255.252
    IP-group access to the PERIMETER of
    NAT outside IP
    Half duplex
    card crypto VPNmap
    !
    interface FastEthernet0
    LAN description
    IP 172.22.3.1 255.255.255.0
    IP nat inside
    automatic speed
    !
    IP nat inside source list NAT_ADDRESSES interface Ethernet0 overload
    source-interface IP kerberos any
    IP classless
    IP route 0.0.0.0 0.0.0.0 202.13.116.210
    no ip address of the http server
    !
    !
    NAT_ADDRESSES extended IP access list
    deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
    deny ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    IP 172.22.3.0 allow 0.0.0.255 any
    PERIMETER extended IP access list
    permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
    esp permits 29.92.14.73 host 202.13.116.209
    IP 172.18.3.0 allow 0.0.0.255 172.22.3.0 0.0.0.255
    allow all all unreachable icmp
    permit any any icmp echo response
    permit tcp any eq www everything
    permit tcp any eq 443 all
    ip permit 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
    refuse an entire ip
    TOWN_HALL extended IP access list
    IP 172.22.3.0 allow 0.0.0.255 172.18.3.0 0.0.0.255
    IP 172.22.3.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
    alias exec sr show run
    alias exec s sh ip int br
    alias exec srt show ip route
    alias exec sri see the race | I have
    alias exec srb see the race | b
    !
    Line con 0
    Synchronous recording
    transport of entry no
    line to 0
    line vty 0 4
    exec-timeout 0 0
    Synchronous recording
    local connection
    !
    No Scheduler allocate
    NTP-period clock 17180266
    end

    Make sure you have the following transform set in use across the tunnel:
    crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac

    The tunnel seems to be failing in phase 2 negotiation due to a mismatch, but according to the configuration it looks fine.

    Are you sure that these debugs are not just part of the negotiation, and that the tunnel is eventually established?

    Check the state of the tunnel with the commands:
    sh cry isa sa
    sh cry ips sa
    Try to establish the tunnel again and we will see the results.

    Federico.

  • NAC SSO VPN: is the CAS real-IP mode supported?

    Hi all

    I tried to set up a CAS as an inline real-IP gateway to support single sign-on via a Cisco ASA running the IPsec Cisco VPN client.

    CAS and CAM are running 4.5.1

    I followed the guide online to the letter (except for running in virtual gateway mode and doing the VLAN mapping)

    My VPN authentication works on the ASA, and RADIUS is passed via the CAS to the ACS server just fine.

    I ran tcpdump on the CAS and CAM and saw the RADIUS accounting packet passed from the ASA to the CAS, and then by the CAS to the CAM, so the RADIUS accounting 'start' packet is sent for the user authenticated on the VPN.

    The problem is that the laptop trying to access the network does not display the CCA agent's "auto connect" screen; instead, the CCA agent shows the authentication screen requesting username and password details.

    I also followed the advice at this link, unsuccessfully

    (Known issue for VPN SSO after upgrade to version 4.5)

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/45/45rn.html#wp711526

    So I am now wondering whether the CAS can support SSO in real-IP gateway mode.

    Dale

    I've implemented it in real-IP gateway mode, but not in 4.5. It worked well.

    What is the guide that you followed?

    http://www.Cisco.com/en/us/partner/docs/security/NAC/appliance/configuration_guide/45/CAs/s_vpncon.html

  • VPN services

    VPN services such as PIA are worth getting.

    It depends on if you're a criminal or not...

    What is the logic behind getting one? If you use a public network, a VPN can help prevent users on the same local network from detecting or intercepting traffic between your machine and what you are communicating with at the other end. If the services or the sites that you use are secure, it's really not much of an issue. If you are a criminal or a terrorist trying to hide your activity from law enforcement, or someone trying to access services that are restricted by geographic location from outside the geographical area of service, it can be used to achieve that purpose, though service providers are now actively blocking traffic from many known VPNs.
