NAC VPN SSO Help
I recently inherited the administration of a NAC solution in need of a tune-up (running 4.1.8!). The largest consistent complaint I get from users is that SSO VPN does not work and that users must open a web browser to authenticate with NAC once their SSL VPN has been implemented. I'm quite familiar with configuring VPN SSO and I'm ready to do it, but I can't find the answer to a specific question: can you enable VPN SSO for certain types of users only? We have a combination of two: employees (who have the officer) and entrepreneurs (who have no agent). I want VPN SSO to work only for employees, with contractors having to open a web browser for authentication. Is this possible and if so, how? I have found that if you do not have the agent and VPN SSO is enabled, the connection is very clumsy. You open a browser, you are redirected to NAC, and then you get connected once Java or ActiveX runs, without having to provide your identification information, and then you are not directed to your original HTTP request.
Thank you!
For your employees, you can use the class attribute to match a user to a NAC role according to the mapping criteria of the Cisco VPN auth provider. You can also map the class attribute of entrepreneurs to the unauthenticated role so when pull it toward the top of their browser, they will see the authentication page of the. Once they authenticate and are then in their user role, you can select the redirection page.
I hope this helps.
Tarik Admani
Tags: Cisco Security
Similar Questions
-
Problem of the NAC in the virtual tape gateway VPN SSO
Hello
I've implemented a NAC solution for remote users. The unit of CASE mode configured in the gateway enVirtual Strip.
I followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Remote users can connect successfully using the Cisco VPN software and they can ping the SIN, but not the DNS (the ASA offers IP @ but not the DNS, I do not know why).
When I access the NAS, I can download the NAC Agent but VPN SSO is not executed and the Agent asks me to connect using LOCAL DB.
Any help please.
Kind regards
Larson,
For VPN SSO work, you must send the accounting package to the CAs. The CASE can in turn send for the ACS if you need accounting also be done on GBA, but for authentication ONLY work, the accountant must reach the CASE.
HTH,
Faisal
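The two answers above rely on the same mechanism: the VPN gateway's RADIUS accounting packet has to reach the NAC server, and the Class attribute in it selects the role. The sketch below is an added example, not code from the thread or from Cisco. It parses a constructed RFC 2866 Accounting-Request, checks its authenticator against the shared secret, and maps Class to a role. The Class strings, role names and shared secret are assumptions made up for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START = 1

# Assumed values: these Class strings and role names are invented for the example.
CLASS_TO_ROLE = {"employees": "Employee", "contractors": "Unauthenticated"}
FALLBACK_ROLE = "Unauthenticated"  # users left in this role get the web login page


def _authenticator(packet_zeroed: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(packet_zeroed + secret).digest()


def build_accounting_start(user, framed_ip, class_value, secret, ident=1):
    """Build a constructed Accounting-Request (Start) like a VPN gateway sends."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value

    attrs = attr(USER_NAME, user.encode())
    attrs += attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    if class_value is not None:
        attrs += attr(CLASS, class_value.encode())
    attrs += attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    zeroed = header + bytes(16) + attrs
    return header + _authenticator(zeroed, secret) + attrs


def parse_accounting(packet: bytes, secret: bytes) -> dict:
    """Validate header, length and authenticator, then return {type: value}."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    zeroed = packet[:4] + bytes(16) + packet[20:]
    # Reject packets not signed with the shared secret: an unauthenticated
    # accounting packet would otherwise be enough to create an SSO session.
    if not hmac.compare_digest(packet[4:20], _authenticator(zeroed, secret)):
        raise ValueError("authenticator mismatch (wrong secret or forged packet)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first occurrence
        pos += a_len
    return attrs


def sso_decision(packet: bytes, secret: bytes) -> dict:
    """Decide the role for a VPN session from its Accounting Start packet."""
    attrs = parse_accounting(packet, secret)
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(status) != 4 or struct.unpack("!I", status)[0] != ACCT_START:
        raise ValueError("only an Accounting Start creates a session")
    if USER_NAME not in attrs or len(attrs.get(FRAMED_IP_ADDRESS, b"")) != 4:
        raise ValueError("need User-Name and Framed-IP-Address")
    class_value = attrs.get(CLASS, b"").decode(errors="replace")
    role = CLASS_TO_ROLE.get(class_value, FALLBACK_ROLE)
    return {
        "user": attrs[USER_NAME].decode(errors="replace"),
        "ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS])),
        "role": role,
        "web_login_required": role == "Unauthenticated",
    }


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed value
    samples = [("alice", "10.10.10.5", "employees"),
               ("bob", "10.10.10.6", "contractors"),
               ("carol", "10.10.10.7", None)]  # no Class attribute at all
    for user, ip, cls in samples:
        print(sso_decision(build_accounting_start(user, ip, cls, SECRET), SECRET))
```

A packet with no Class attribute, or a Class value that is not in the mapping, falls back to the unauthenticated role, so an unmapped group never gets SSO by default.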
-
Hi all
I know that there is AD SSO in the NAC. I would like to have SSO with ACS that is integrated with AD. Is there any document to show how to configure SSO with ACS Express or ACS?
Thank you
Alex
Alex,
In the short number - or at least, I have to say that I don't know of any way to do. To make the SSO with GBA, looking to connect to Windows with Radius or GANYMEDE +. This means that Windows GINA (Ctrl-Alt-Delete the piece of code) should be able to talk Radius or GANYMEDE + with the ACS server.
Only standards bodies supported on GRP are AD SSO (where connect you to your Windows machine and SSO happens) or RADIUS SSO (kind VPN wireless / installation). The second type is where you can make the accounting on ACS. With AD authentication, I don't know any way so he could be taken into account in the ACS.
One thing you could do theoretical is to send an accounting package to your express ACS of the CPC or the machine itself, but these are wacky solutions and require a lot of work/trials etc.
So in short, not :-)
[EDIT] An option that I have completely forgotten and could work for your customer is to configure the accounting server to the CCA. In this way, you can connect to AD and always send accounting packets to an accounting server. More information here:
[END_EDIT]
HTH,
Faisal
-
Hi, can someone please help me with a problem of SSO?
I'm trying to start the SINGLE sign-on service, but when I try to update I get the error message: "error: could not start the SSO service. Please check the configuration."
The announcement is a Windows 2008 Server Standard R2 (64-bit) running at a 2003 domain functional level. (several servers) with the deployment of the OOB
I was unable to ping the advertising server CASE CLI, so I created a static route to the announcement on the server of the ANC, and after that I successfully of the NAC Server ping IP address of the AD. The nac_server.log when I try to start the SSO:
[[email protected]/ * / _primary_ag ~] # ping 10.200.0.3
PING 10.200.0.3 (10.200.0.3) 56(84) bytes of data.
64 bytes from 10.200.0.3: icmp_seq=1 ttl=128 time=0.247 ms
64 bytes from 10.200.0.3: icmp_seq=2 ttl=128 time=0.232 ms
--- 10.200.0.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.232/0.239/0.247/0.017 ms
[[email protected]/ * / _primary_ag ~] # tail -f /perfigo/access/tomcat/logs/nac_server.log
2012-07-27 17:22:14.118 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0
2012-07-27 17:22:14.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip
2012-07-27 17:22:14.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0
2012-07-27 17:22:17.017-0300 DEBUG RMI RenewClean-[10.200.2.103:1099] com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 2
[[2012-07-27 17:22:17.017 - 0300 DEBUG RMI RenewClean-[10.200.2.103:1099] com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]]]
[2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: socket: 59725 c added [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]
2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 3
[[[2012-07-27 17:22:17.017-0300 HandshakeCompletedNotify-threaded DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]], 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]]
2012-07-27 17:22:18.624-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager is running: {0.85,0.3, [0: 15:15]}: DETECT_INTERVAL = 20:DETECT_TIME_OUT = 300
2012-07-27 17:22:18.627-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager http_code = 200: {0.85,0.3, [0: 15:15]}
[2012-07-27 17:22:18.627-0300 TRACE Timer-0 com.perfigo.wlan.jmx.admin.FailSafeManager - FailSafeManager go to sleep: delay of {0.85,0.3, [0: 15:15]}] = 19997
2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:19.118-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:19.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader
2012-07-27 17:22:19.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0
2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init
2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0
2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync
2012-07-27 17:22:19.120 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0
2012-07-27 17:22:19.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip
2012-07-27 17:22:19.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0
2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:24.119-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:24.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader
2012-07-27 17:22:24.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0
2012-07-27 17:22:24.121 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init
2012-07-27 17:22:24.121 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0
2012-07-27 17:22:24.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync
2012-07-27 17:22:24.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0
2012-07-27 17:22:24.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip
2012-07-27 17:22:24.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0
2012-07-27 17:22:29.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:29.120-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader
2012-07-27 17:22:29.121-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0
2012-07-27 17:22:29.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init
2012-07-27 17:22:29.122 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0
2012-07-27 17:22:29.123 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync
2012-07-27 17:22:29.123 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0
2012-07-27 17:22:29.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip
2012-07-27 17:22:29.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0
[2012-07-27 17:22:32.022-0300 RMI Scheduler (0) DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: removed socket: 1871db1 [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=server_primary_ag/10.200.2.103,port=1099,localport=12312]]
2012-07-27 17:22:32.022-0300 com.perfigo.wlan.ssl.SSLLog RMI Scheduler (0) DEBUG - RMISocketFactory:CACHED_SOCKETS_SIZE = 2
[[2012-07-27 17:22:32.022-0300 RMI Scheduler (0) com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]], 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]]
[2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory: moved socket: 59725 c [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.2.103,port=12312,localport=1099]]
2012-07-27 17:22:32.022-0300 TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 1 connection
[2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]]]
2012-07-27 17:22:32.022-0300 TCP RMI 86 - 10.200.2.103 DEBUG com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETS_SIZE = 1 connection
[2012-07-27 17:22:32.022-0300 connection TCP RMI 86 - 10.200.2.103 com.perfigo.wlan.ssl.SSLLog - RMISocketFactory:CACHED_SOCKETSE = DEBUG [1e7e7ac [TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.200.48.101,port=19660,localport=1099]]]
2012-07-27 17:22:34.122-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - isRegistered DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 1
2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo
2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - unregisterMBean: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:DURATION = 0
2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader
2012-07-27 17:22:34.123-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - createMBean DEBUG: com.perfigo.wlan.jmx.admin.ServerInfo:DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CAS:type = MLet, name = casLoader:DURATION = 0
2012-07-27 17:22:34.124 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init
2012-07-27 17:22:34.124 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:init:DURATION = 0
2012-07-27 17:22:34.125 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync
2012-07-27 17:22:34.125 connection TCP RMI 85 - 10.200.48.101 DEBUG com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper --0300 call: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:isServerInSync:DURATION = 0
2012-07-27 17:22:34.125-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip
2012-07-27 17:22:34.125-0300 connection TCP RMI 85 - 10.200.48.101 com.perfigo.wlan.jmx.BeanServerWrapper - BeanServerWrapper - getAttribute DEBUG: DefaultDomain:type = com.perfigo.wlan.jmx.admin.ServerInfo:CurrMgrEth0Ip:DURATION = 0
[[email protected]/ * / _primary_ag ~] #.
Thank you
Moises,
I wanted to know if you have followed these steps:
Thank you
Tarik Admani
* Please note the useful messages *. -
Hi all
I have 3 sites, the main site has a cisco firewall mikrotik router.
There is a vpn ipsec existing between the cisco router and another router cisco on the site of the 2nd and it works well.
Now, I've added an another vpn between a 3rd site and main site. The router on the 3rd site is a mikrotik firewall.
I had the vpn on the main site and the 3rd site where the mikrotik firewall is and it worked well.
then for some reason, the vpn with the 3rd site has failed and I could not get it working again.
When looking for answers, I see that the vpn for the 3rd site States the following:
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
It seems that no traffic is coming back to the cisco
I also found the following output below to diagnose the problem.
It seems that there is communication, but if I read this right, it looks like the cisco established a new number but the other end is not the new number
set new node -1868419487
deleting node -1868419487 error FALSE reason "Informational (in) state 1"
Any help would be appreciated.
*Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
*Jul 22 02:49:59.723: ISAKMP: DPD received KMI message.
*Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 2273844328, message ID = 1053074288
*Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
*Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
*Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
*Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
*Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
*Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
*Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 2426547809, sa = 0x8705F854
*Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 125.236.211.127, sequence 0x645EC368
*Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
*Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805
Comparing encrypt of 46 to 47436 counters, it seems that the router is encrypting the traffic, but we do not get any interesting traffic on the remote side.
Most likely, you might want to check on the remote site, if you see counters increment in parallel decryption and encryption of the counters are incrementing or not.
On the router IOS, if are incrementing counters encrypt, and confirm that you have not any tunnel existing before the router can be seen same proxy IDs, which is already negotiated with other peer.
Finally, please make sure that the ESP, 50 protocol traffic is not blocked in transit.
I hope this helps.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
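The counter comparison suggested in the reply above can be scripted over two `show crypto ipsec sa` snapshots taken while test traffic runs. This is an added example, not code from the thread; the sample text is constructed (the first peer starts from the counters quoted in the question, the second peer and all "after" values are made up) and the verdict names are this example's own.

```python
import re

PEER_RE = re.compile(r"current_peer\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts\s+([a-z]+):\s*(\d+)")

# What to look at for each verdict. The "outbound-only" hint lists the checks
# suggested in the reply; the other hints are general guidance.
HINTS = {
    "outbound-only": "check decaps on the remote peer, overlapping proxy IDs "
                     "on another tunnel, and ESP (IP protocol 50) filtering in transit",
    "inbound-only": "local side receives but does not send; check routing and crypto ACL",
    "idle": "no interesting traffic matched during the sample window",
    "reset": "counters went backwards (SA rekeyed or cleared); take a new sample",
    "bidirectional": "tunnel is passing traffic in both directions",
}

# Constructed snapshots in the layout of IOS "show crypto ipsec sa".
BEFORE = """\
   current_peer x.x.x.127 port 500
    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.7 port 500
    #pkts encaps: 9120, #pkts encrypt: 9120, #pkts digest: 9120
    #pkts decaps: 9087, #pkts decrypt: 9087, #pkts verify: 9087
"""
AFTER = """\
   current_peer x.x.x.127 port 500
    #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.7 port 500
    #pkts encaps: 9155, #pkts encrypt: 9155, #pkts digest: 9155
    #pkts decaps: 9130, #pkts decrypt: 9130, #pkts verify: 9130
"""


def parse_sa_counters(text):
    """Return {peer: {counter_name: value}} from 'show crypto ipsec sa' text."""
    peers, current = {}, None
    for line in text.splitlines():
        match = PEER_RE.search(line)
        if match:
            current = peers.setdefault(match.group(1), {})
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] = int(value)
    return peers


def diagnose(before, after):
    """Classify each peer by how encaps/decaps moved between two snapshots."""
    verdicts = {}
    for peer, now in after.items():
        then = before.get(peer, {})
        sent = now.get("encaps", 0) - then.get("encaps", 0)
        rcvd = now.get("decaps", 0) - then.get("decaps", 0)
        if sent < 0 or rcvd < 0:
            verdicts[peer] = "reset"
        elif sent > 0 and rcvd == 0:
            verdicts[peer] = "outbound-only"
        elif sent == 0 and rcvd > 0:
            verdicts[peer] = "inbound-only"
        elif sent == 0 and rcvd == 0:
            verdicts[peer] = "idle"
        else:
            verdicts[peer] = "bidirectional"
    return verdicts


if __name__ == "__main__":
    result = diagnose(parse_sa_counters(BEFORE), parse_sa_counters(AFTER))
    for peer, verdict in result.items():
        print(f"{peer}: {verdict} -> {HINTS[verdict]}")
```

Run the same comparison on the remote peer: encaps rising there while decaps stays flat here points at the path in between rather than at either endpoint.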
-
Being driven nuts by Cisco NAC! Help!
Hi all
Getting desperate here... been trying to get the solution NAC Cisco (Cisco NAC 3310) to work, but with limited success, and the results are currently desperately randomly. I have a lot of experience with Cisco product and so far this has been the most painful :-( Here, any help would be appreciated gladly!
OK, here's the setup: the CAM and CAS are configured in OOB VG mode (Layer 2). I installed everything by following the guide from Cisco (I hope): different VLANs for the CAS and the CAM, VLAN mapping, managed subnets, switch profiles configured, etc. Yet I get strange results: some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes from the initial VLAN to the auth VLAN). I have racked my brain trying to figure out what's wrong; the event logs do not indicate many problems. Just to check on some uncertainties:
1. For the managed subnet IP, should I check the box "Enable subnet based Vlan change"?
2. For the managed subnet, should I put the managed subnet IP address as the IP of the gateway? E.g. VLAN 110 (untrusted VLAN) mapped to VLAN 10 (trusted VLAN), which is the 10.1.10.0/24 subnet. The gateway is 10.1.10.254. So should I configure the managed subnet IP/netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address from that subnet (for example 10.1.10.1)?
3. I am also experiencing the situation where, after connecting successfully (passing the NAC verification etc.), I unplugged my laptop from the managed switch port and after a while reconnected. This time no authentication happens, but the network connectivity is broken (even though the Cisco Agent is running). It seems that the network port is placed in the auth VLAN, yet nothing prompts me to log in. Any ideas?
W
Woon,
What policies do they install on your current user roles?
You can try allowing all TCP/UDP and fragments to see if not connect at all times.
Right-click on the agent as well and select Properties. Make sure that there is no discovery host, since it is an L2 implementation.
You also have to note the previous post, so if others have similar problems that they will look at this thread
Thank you!
-
Hello
I wonder if it is possible to have SSL VPN users sign on to Active Directory, instead of (ASA) VPN gateway.
Sending a link, if the scenario is possible would be appreciated.
Thank you
Mike
Yes, it is possible.
Here is the sample configuration for your reference:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008067e9ff.shtml
Hope that helps.
-
[Config] 877 VPN - please help
Hello
I wonder if someone could help me because I am quite stuck
I am trying to establish the following VPN configuration?
Remote user Mobile > Internet > Cisco VPN > server (service)
With the help of SDM I selected 'Easy VPN Server' deployment.
I am able to connect remotely via the telephone dialler customer of Cisco, connection is made very well and I am able to ping 192.168.1.1 where the standard ping results are returned.
I have a server that is running IIS on 192.168.1.20 but I can't ping the server? I don't want to install software on this server that users can synchronize remotely with and I'm not sure what to do.
Attached configuration
Thanks in advance
Hello
Some things to check:
a. What is the default gateway on the server?
b. Does the server have more than one network card?
c. If yes, can you shut the second network card and see if it works?
d. You can run debug on the router to see if we even get the packet and respond to the client.
Here are a few troubleshooting steps.
Thank you
Gilbert
-
I have an ASA 5505 can I VPN in, my problem is that I do not have access to my internal network. Right now, I have my cable modem enter my ASA and my ASA goes to my Cisco 3660 router. I think my problem is somewhere in the routing domain, but I don't really know what I'm doing... Help, please.
The ASA config:
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name wood.homeesrv.com
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name wood.homeesrv.com
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol radius
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
group-policy WoodVPN internal
group-policy WoodVPN attributes
 dns-server value 192.168.1.14 8.8.8.8
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WoodVPN_splitTunnelAcl
 default-domain value wood.homeserv.com
username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 15
tunnel-group WoodVPN type remote-access
tunnel-group WoodVPN general-attributes
 address-pool HomeVPN
 default-group-policy WoodVPN
tunnel-group WoodVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:20c3b97b24f2fadeb1154024bd995f03
: end
no asdm history enable
Cisco 3660 Router Config:
Building configuration...
Current configuration : 1096 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 192.168.1.14 192.168.1.13
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woodjl privilege 15 secret 5 $1$FJyW$Ozgsn9oO0acvYSSeohvzX/
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Do this:
group-policy WoodVPN attributes
 no split-tunnel-network-list value WoodVPN_splitTunnelAcl
 split-tunnel-network-list value Split_Tunnel_List
Also add:
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
Let me know if that helps.
Manish -
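The split-tunnel mismatch that the reply corrects (the group policy tunnels only 192.168.2.0/24 while the LAN behind the 3660 is 192.168.1.0/24) can be caught by comparing `route inside` destinations with the split-tunnel ACL. This is an added example, not code from the thread; it reads only the configuration lines excerpted below from the posted ASA config, and the function names are this example's own.

```python
import ipaddress

# Excerpt of the ASA configuration posted in the thread (lines the check uses).
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
group-policy WoodVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WoodVPN_splitTunnelAcl
"""

# The same excerpt with the change from the reply applied.
FIXED_CONFIG = ASA_CONFIG.replace(
    " split-tunnel-network-list value WoodVPN_splitTunnelAcl",
    " split-tunnel-network-list value Split_Tunnel_List",
)


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_net(words):
    """Network of a standard ACL entry: 'any', 'host A.B.C.D' or 'addr mask'."""
    if words[0] == "any":
        return net("0.0.0.0", "0.0.0.0")
    if words[0] == "host":
        return net(words[1], "255.255.255.255")
    return net(words[0], words[1])


def parse(config):
    """Collect standard ACLs, 'route inside' networks and split-tunnel lists."""
    acls, routed, policies = {}, [], {}
    policy = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):
            policy = None  # a top-level command ends the group-policy stanza
        if words[0] == "access-list" and words[2:4] == ["standard", "permit"]:
            acls.setdefault(words[1], []).append(acl_net(words[4:]))
        elif words[:2] == ["route", "inside"]:
            routed.append(net(words[2], words[3]))
        elif words[0] == "group-policy" and words[2:] == ["attributes"]:
            policy = words[1]
        elif policy and words[:2] == ["split-tunnel-network-list", "value"]:
            policies[policy] = words[2]
    return acls, routed, policies


def unreachable_over_vpn(config):
    """Return {group_policy: [inside networks its split-tunnel ACL omits]}."""
    acls, routed, policies = parse(config)
    gaps = {}
    for policy, acl_name in policies.items():
        permitted = acls.get(acl_name, [])
        missing = [str(n) for n in routed
                   if not any(n.subnet_of(p) for p in permitted)]
        if missing:
            gaps[policy] = missing
    return gaps


if __name__ == "__main__":
    print("as posted:", unreachable_over_vpn(ASA_CONFIG))
    print("after fix:", unreachable_over_vpn(FIXED_CONFIG))
```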
Hello
I have a PIX 515E currently running version 7.
Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).
I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?
I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?
Is there a way to fix this?
Any help appreciated gratefully.
Apply the commands below:
isakmp identity address
isakmp nat-traversal 20
If the problem persists, then please post the entire config with the public IP hidden.
-
I need to configure NAT on a VPN tunnel to accomplish the following. I already have the tunnel up and running; I just need to confirm my NAT config.
ASA running Version 8.2(5)
I only need to set up site A
The internal subnet at site A is 172.30.6.0/24 and I need to NAT this subnet to 172.31.183.0/24 when the destination subnet is 172.31.255.128/25
So here's what I thought.
Policy NAT: translate 172.30.6.0/24 to 172.31.183.0/24 when the destination is 172.31.255.128/25.
static (inside,outside) 172.31.183.0 access-list CBC-NAT-TRANSLATION
access-list CBC-NAT-TRANSLATION extended permit ip 172.30.6.0 255.255.255.0 172.31.255.128 255.255.255.128
Then I would need that
static (outside,inside) 172.31.255.128 172.30.6.0 netmask 255.255.255.0
That sounds about right.
Thank you
Mike
Mike
As I said, I have not used a network with a static policy NAT, so I don't know if the host part of the IP address matches the host part in the NAT range, if you see what I mean.
It could, but it cannot be a concern for you anyway. You would need to watch the xlate table once you make the connection to know for sure.
In addition, it means all devices in this subnet may send packets to each device in the remote subnet but once again can not be a cause for concern.
But apart from that, yes, your config seems fine to me.
I would try with the first range and establish a connection, and then if it works check the xlate table to see exactly what IP it chose.
Jon
-
I have been working on setting up a PIX 515E to serve as my firewall and VPN. The firewall and main routing work well, and I am able to VPN in and get an IP address. However, I am unable to remote desktop to a PC behind the firewall.
Here is my config as I have it now. If someone could show me what I'm missing, that would be great.
Firewall# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname Firewall
domain-name DOMAINNAME.COM
enable password r9tt5TvvX00Om3tg encrypted
names
!
interface Ethernet0
description PPPoE Interface
nameif outside
security-level 0
pppoe client vpdn group pppoe
ip address 63.115.220.5 255.255.255.255 pppoe setroute
!
interface Ethernet1
description Internal Network
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
description DMZ Interface
nameif DMZ
security-level 50
ip address 10.1.48.1 255.255.252.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name ivanwindon.ghpstudios.com
object-group service remote tcp-udp
description Remote Desktop
port-object range 3389 3389
access-list vpn_client_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240
access-list Local_LAN_Access remark Local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list outside_cryptomap_65535.20 extended deny ip any any
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_client_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp any eq 3389 any eq 3389
pager lines 24
logging enable
logging console informational
logging monitor informational
logging trap informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.225.112.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet 192.168.0.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname [email protected]
vpdn group pppoe ppp authentication chap
vpdn username username password *
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 1500
dhcpd ping_timeout 10
dhcpd domain DOMAINNAME
dhcpd auto_config outside vpnclient-wins-override
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.5-192.168.0.49 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 1500 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain DOMAINNAME interface inside
dhcpd option 3 ip 192.168.0.1 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tftp-server inside 192.168.0.4 /TFTP-Root
group-policy vpn_client internal
group-policy vpn_client attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_client_splitTunnelAcl_1
default-domain value DomainName
username admin password I727P4FvcUV4IZGC encrypted privilege 15
username ivanwindon password 7K5PuGcBwHggqgCD encrypted privilege 0
username ivanwindon attributes
vpn-group-policy vpn_client
tunnel-group vpn_client type ipsec-ra
tunnel-group vpn_client general-attributes
address-pool vpn_pool
default-group-policy vpn_client
tunnel-group vpn_client ipsec-attributes
pre-shared-key *
smtp-server 96.125.164.139
prompt hostname context
Cryptochecksum:48fdc775b2330699db8fc41493a2767c
: end
Firewall#
Ivan Windon
Sent from Cisco Technical Support iPad App
Hello
I would first change the VPN Client pool to something other than the LAN
Such as 192.168.1.0/24
NAT0
- Add a NAT0 rule for the new pool and then remove the old ones
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
no access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240
VPN Client pool
- Remove the old pool from the "tunnel-group" configuration, then remove the pool, make a new pool, and finally configure the pool under the "tunnel-group".
tunnel-group vpn_client general-attributes
no address-pool vpn_pool
no ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
tunnel-group vpn_client general-attributes
address-pool vpn_pool
There's another thread with a similar problem (even if the settings appear to be correct) on the forums.
If you can't get the RDP connection to work, I would also maybe Google for UltraVNC, install it on the LAN host and your VPN Client, and try to connect with it to determine that the VPN Client configurations are all OK. There were problems that were ultimately associated with the LAN host rather than the VPN Client configurations.
If you think it's needed, save your settings before making any changes.
-Jouni
-
Site to site VPN - need help to set up several tunnels
I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site (see attached diagram).
It works well, but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What is the best way to do it? Can the 1720s be configured with direct L2L VPN tunnels, or will that affect the existing tunnels to the ASA5510? If so, I'm guessing that each 1720 will have to go through the ASA first.
Thank you.
Configs below:
ASA5510
ASA Version 7.2(2)
!
names
name 172.18.3.19 postal description Mail Server
name 172.18.3.33 helpdesk description Helpdesk Server
dns-guard
!
interface Ethernet0/0
description Comcast link
nameif ComCast_Out
security-level 0
ip address 29.92.14.73 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.252
!
interface Ethernet0/2
security-level 0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
boot system disk0:/asa722-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inbound extended permit ip any host 29.92.14.74
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit tcp any host 29.92.14.73 eq 3000
access-list inbound extended permit tcp any host 29.92.14.73 eq smtp log
access-list inbound extended permit tcp any host 29.92.14.73 eq www
access-list inbound extended permit tcp any host 29.92.14.73 eq 3389
access-list inbound extended permit tcp any host 29.92.14.73 eq pptp
access-list inbound extended permit tcp any host 116.204.226.42 eq 3000
access-list inbound extended permit tcp any host 116.204.226.42 eq smtp
access-list inbound extended permit tcp any host 116.204.226.42 eq www
access-list inbound extended permit tcp any host 116.204.226.42 eq 3389
access-list inbound extended permit tcp any host 116.204.226.42 eq pptp
access-list inbound remark FTP Server
access-list inbound extended permit tcp any host 29.92.14.73 eq ftp
access-list acl_out extended permit tcp host 29.92.14.73 any eq smtp
access-list acl_out extended permit tcp host 192.168.1.4 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list 121 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list sheep extended permit ip 172.30.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 192.168.10.0 255.255.255.252 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.17.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.18.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 172.31.3.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list sheep extended permit ip 192.168.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list backup_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out remark Barracuda
access-list outside_access_out extended permit tcp host 172.18.3.8 any eq smtp inactive
access-list outside_access_out remark SMTP Block
access-list outside_access_out extended deny tcp any any eq smtp inactive
access-list inside_access_in remark schools SMTP
access-list inside_access_in extended permit tcp host postal eq smtp any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.8 any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.30 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list vpn_access standard permit 192.168.10.0 255.255.255.252
access-list vpn_access standard permit 172.17.1.0 255.255.255.0
access-list vpn_access standard permit 172.18.0.0 255.255.0.0
access-list vpn_access standard permit 172.31.3.0 255.255.255.0
access-list vpn_access standard permit 172.30.1.0 255.255.255.0
access-list vpn_access standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor emergencies
logging buffered warnings
logging asdm informational
mtu ComCast_Out 1500
mtu inside 1500
mtu NOT_IN_USE 1500
mtu management 1500
ip local pool vpnpool 192.168.20.2-192.168.20.254
172.31.255.1 mask - local 172.31.255.250 pool POOL VPN IP 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (ComCast_Out) 1 interface
global (NOT_IN_USE) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 192.0.0.0 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ComCast_Out) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3389 172.18.3.22 3389 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3389 172.18.3.23 3389 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3101 172.18.3.8 3101 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp helpdesk ftp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp-data helpdesk ftp-data netmask 255.255.255.255
static (inside,ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255
access-group inbound in interface ComCast_Out
access-group outside_access_out out interface ComCast_Out
access-group inside_access_in in interface inside
access-group inbound in interface NOT_IN_USE
access-group backup_access_out out interface NOT_IN_USE
route ComCast_Out 0.0.0.0 0.0.0.0 29.92.14.78 1 track 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route inside 172.17.1.0 255.255.255.0 192.168.10.1 1
route inside 172.18.0.0 255.255.0.0 192.168.10.1 1
route inside 172.31.3.0 255.255.255.0 192.168.10.1 1
route inside 172.30.1.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnclient internal
group-policy vpnclient attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_access
group-policy remote internal
group-policy remote attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 121
http server enable
http 172.0.0.0 255.0.0.0 inside
http 192.0.0.0 255.0.0.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 168.87.71.226 interface ComCast_Out
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
Crypto ipsec transform-set esp - esp-sha-hmac SHA3DES
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3des
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
crypto map vpnremote 20 set peer 202.13.116.209
crypto map vpnremote 20 set transform-set ESP-DES-MD5
crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
crypto map vpnremote 25 set peer 207.147.31.97
crypto map vpnremote 25 set transform-set ESP-DES-MD5
crypto map vpnremote 30 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnremote interface ComCast_Out
crypto map VN1530600A 663 match address ACL663
crypto map VN1530600A 663 set pfs
crypto map VN1530600A 663 set peer 29.92.14.73
crypto map VN1530600A 663 set transform-set SHA3DES
crypto map VN1530600A 663 set security-association lifetime seconds 1800
crypto isakmp identity address
crypto isakmp enable ComCast_Out
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
!
track 1 rtr 123 reachability
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool vpnpool
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
tunnel-group 29.92.14.73 type ipsec-l2l
tunnel-group 29.92.14.73 ipsec-attributes
pre-shared-key *
tunnel-group 202.13.116.209 type ipsec-l2l
tunnel-group 202.13.116.209 ipsec-attributes
pre-shared-key *
tunnel-group 207.147.31.97 type ipsec-l2l
tunnel-group 207.147.31.97 ipsec-attributes
pre-shared-key *
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 120
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.11-10.10.10.20 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7
: end
1720-A
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-A
!
logging buffered 4096 debugging
!
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.20.3.1 172.20.3.20
!
ip dhcp pool dhcppool
network 172.20.3.0 255.255.255.0
default-router 172.20.3.1
dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key Cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map VPNmap 10 ipsec-isakmp
set peer 29.92.14.73
set transform-set TOWN_HALL
match address TOWN_HALL
!
!
!
!
interface Ethernet0
ip address 207.147.31.97 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.20.3.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
no ip address
shutdown
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.147.31.98
no ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ADDRESSES
deny ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
permit esp host 29.92.14.73 host 207.147.31.97
permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 207.147.31.97 eq telnet
permit tcp any host 192.168.20.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 173.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
deny ip any any
ip access-list extended TOWN_HALL
permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
!
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input telnet
!
no scheduler allocate
ntp clock-period 17180009
end
1720-B
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-B
!
logging buffered 4096 debugging
no set record in buffered memory
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock AND time zone - 5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip finger
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
network 172.22.3.0 255.255.255.0
default-router 172.22.3.1
dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key Cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp
set peer 29.92.14.73
set transform-set TOWN_HALL
match address TOWN_HALL
!
!
!
!
interface Ethernet0
ip address 202.13.116.209 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.22.3.1 255.255.255.0
ip nat inside
speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 202.13.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
deny ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
permit esp host 29.92.14.73 host 202.13.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any eq www any
permit tcp any eq 443 any
permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
deny ip any any
ip access-list extended TOWN_HALL
permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
alias exec sri see the race | I have
alias exec srb see the race | b
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
no scheduler allocate
ntp clock-period 17180266
end
Make sure you have the following transform set in use across the tunnel:
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
The tunnel seems to be failing on the phase 2 negotiations due to an incompatibility, but based on the configuration it seems fine.
Are you sure that these debugs are not only a part of the negotiations, and that the tunnel is finally established?
Check the state of the tunnel with the commands:
sh cry isa sa
sh cry ips sa
Try to establish the tunnel again and we will see the results.
Federico.
-
NAC VPN SSO: is CAS real-IP mode supported?
Hi all
I tried to set up a CAS as an inline real-IP gateway to support single sign-on via a Cisco ASA running IPsec with the Cisco VPN client.
CAS and CAM are running 4.5.1
I followed the online guide to the letter (except for running in virtual gateway mode and doing the VLAN mapping)
My VPN authentication works on the ASA, and RADIUS is passed through the CAS to the ACS server fine.
I did a tcpdump on the CAS and CAM and saw the RADIUS accounting packet passed from the ASA to the CAS, and then from the CAS to the CAM, so the RADIUS accounting 'start' packet is sent for the user authenticated on the VPN.
The problem is that the laptop trying to access the network does not display the "auto connect" screen of the CCA agent; instead, the CCA agent displays the authentication screen requesting username and password details.
I also followed the advice at this link, unsuccessfully
(Known issue for VPN SSO after upgrade to version 4.5)
http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/45/45rn.html#wp711526
So, I am now wondering whether the CAS can support SSO in real-IP gateway mode.
Dale
I've implemented it in real-IP gateway mode, but not in 4.5. It worked well.
What is the guide that you followed?
-
VPN services such as PIA are worth getting.
It depends on if you're a criminal or not...
What is the logic behind getting one? If you use a public network, a VPN can help prevent users on the same local network from detecting or intercepting traffic between your machine and what you are communicating with at the other end. If the services or the sites that you use are secure, it's really not much of an issue. If you are a criminal or a terrorist trying to hide your activity from law enforcement, or someone trying to access services that are limited by geographic location from outside the geographical area of service, it can be used to achieve a purpose, though service providers are now actively blocking traffic from many known VPNs.