Problem with Cisco ASA VPN redundancy?

Hi all

I have an ASA 5500 series firewall and need to set a different peer IP for the site-to-site VPN connection. In fact, my goal is this: the ASA first tries the first peer IP of the site-to-site tunnel, and when the ASA cannot reach this IP, it tries to reach another IP I set before. I can configure this scenario on a Cisco router with these commands:


crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2

but I wonder what I can do on the ASA?

Thank you.

Best regards.

Shane,

You can configure multiple IP addresses under the same set peer entry on the ASA, but it works the same as on IOS with a preferred peer; it fails over between the defined peers.

Marcin
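The ASA counterpart of the IOS crypto map from the question, as an added example that is not from the original thread. The peer addresses are the ones in the question; the map, ACL and transform-set names, the protected networks and the pre-shared key placeholder are assumptions, and the syntax is ASA 8.4 or later (the `ikev1` keywords).

```text
! Added example, not part of the thread. ASA equivalent of
! "set peer 10.1.1.1 default / set peer 10.2.2.2": list both peers on
! one crypto map entry. The ASA tries them in the listed order and
! moves to the next peer when the current one stops answering IKE
! keepalives; there is no "default" keyword on the ASA.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic (placeholder networks).
access-list l2l_to_hub extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 1 match address l2l_to_hub
crypto map outside_map 1 set peer 10.1.1.1 10.2.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! Dead peer detection is what triggers the switch to the next peer,
! so keep IKE keepalives enabled. LAN-to-LAN tunnel-groups are named
! after the peer address, so each peer needs its own group and key.
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

`show crypto ikev1 sa` shows which of the two peers the tunnel is currently established with; the ASA does not automatically fall back to the first peer while the tunnel to the backup peer is up.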

Tags: Cisco Security

Similar Questions

  • Problem with Cisco ASA 5525-X SFR and FireSIGHT secondary

    Hi team,

    We have two ASA 5525-X with SFR installed on them and FireSIGHT in a Linux VM where both SFRs are registered in SFR failover mode. We use the secondary ASA as a cold standby: if the primary fails, we turn on the secondary and manually switch the WAN cable. I turn on the secondary ASA every weekend so that it picks up the configuration of the primary for the ASA and the SFR, and then shut it down with the power button.

    Last week I turned on the secondary ASA and FireSIGHT could not see the secondary SFR, showing the message below:

    Module Device Heartbeat: device > is not sending heartbeats.

    (I should mention that I can ping the IP address.)

    I tried to investigate the problem without success.

    I also deleted the sensor from FireSIGHT Device Management in case something was stuck, and I am trying to re-add it without success.

    I am new to Firepower so... any ideas?

    Thank you

    Finally, this problem was resolved by reinitializing Firepower:

    see the detailed procedure to perform this reinitialization here;

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service...

    Before that, it appeared that Firepower was not very healthy:

    After a successful "configure manager add xxxxx" command,

    the show managers command showed nothing;

    it should have shown this result:

    > show managers
    Host                      : 193.193.2.75
    Registration Key          : AZERTY
    Registration              : pending
    RPC Status                :

    On the other hand, in expert mode, the following command showed several processes down (not in the normal state):

    sudo pmtool status | grep -i down

    Last point,

    after recreating and reconfiguring all of this, Firepower, installed in the secondary (standby) ASA, was considered OK under the FireSIGHT health monitor,

    but after 10 minutes it appeared in critical condition with the following message:

    "Interface 'DataPlaneInterface0' is not receiving any packets."

    This is normal and due to the fact that the standby ASA receives no traffic, and the same goes for the Firepower module inside this ASA;

    by performing a failover from the primary to the secondary ASA, this critical message disappeared for the Firepower module inside the secondary ASA and appeared for the Firepower module inside the primary ASA.

  • Problem with the Cisco VPN Client and Vista

    Hello

    I have an Easy VPN server configured on a C2811 and the users use the Cisco VPN Client. Lately I have users running Windows Vista 64-bit and I need to know which version of the VPN client I have to use, and the compatibility problems with the server I configured.

    Thank you and best regards.

    The Cisco VPN Client does not have any version that is compatible with Vista 64-bit OS. The only client Cisco has released that supports 64-bit OSes is AnyConnect, but it is only supported on the Cisco ASA appliance.

  • Cisco ASA VPN error processing payload: payload ID: 1

    Hello

    I set up an L2TP VPN using ASDM and now I am not able to connect to my Cisco ASA 5505.

    It is showing the error message

    3 Jul 07 2011 18:57:38 IP = *.*.*.*, Error processing payload: Payload ID: 1

    Please suggest how to solve this problem (using ASDM).

    Thank you

    Hi Nikhil,

    Your config seems incomplete; the command 'vpn-tunnel-protocol l2tp-ipsec' is missing, which is needed to connect L2TP. Try to reconfigure your firewall using the link:

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

    Hope this helps,

    Parminder Sian

  • Problem with Cisco 5510 port mapping

    Hello

    My device: Cisco ASA 5510, ASA 8.4(2), ASDM 6.4(5)206

    What I am trying to achieve:

    (1) listening host 10.10.11.108 on port 8080

    (2) access from the WAN on a different port, for example 8090

    I tried this command sequence:

    object network 10.10.11.108_8080
     host 10.10.11.108
     nat (LAN1,WAN) static interface service tcp 8080 8090

    access-list WAN_access_in line 11 extended permit tcp any object 10.10.11.108_8080 eq 8080
    access-group WAN_access_in in interface WAN

    But I do not get access. Can someone help me solve this case?

    I think I know what the problem is:

    object service tcp-8080
     service tcp destination eq 8080
    object service tcp-8090
     service tcp destination eq 8090

    change destination to source:

    object service tcp-8080
     service tcp source eq 8080
    object service tcp-8090
     service tcp source eq 8090

    no access-list WAN_access_in extended permit object tcp-8080 any object 10.10.11.108_8080
    access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080

    -Please do not forget to select a correct answer and rate useful posts
  • PIX 6.3 SNMP MIB, problem with the CISCO-PROCESS-MIB compilation

    I am Edgar Servín

    I have Cacti and want to watch the CPU of the PIX. I got the OID number:

    cpmCPUTotal5sec 1.3.6.1.4.1.9.9.109.1.1.1.1.3

    I used the Cisco SNMP Object Navigator and it said:

    Compile the MIB

    Before you can compile CISCO-PROCESS-MIB, you need to compile the MIBs listed below in the order listed.

    Download all of these MIBs (WARNING: does not include non-Cisco MIBs) or view details about each MIB below.

    What can I do?

    Hi Edgar,

    compiling the MIBs is necessary only when you are using HP OpenView or something similar. As for Cacti, I confess that I have never used it myself, but I am pretty confident that you can just set the OID in Cacti and it will make a periodic SNMP query for that object.

    HTH

    Herbert

  • Cisco ASA 8.3 VPN problem

    Hi all

    I have some problems implementing an IPsec VPN to establish a site-to-site connection.

    What I am trying to set up is the following: the IP ranges of site A can reach the ranges on site B and vice versa.

    Site A                         Site B

    192.168.10.0                   172.16.0.0

    192.168.20.0  - IPSEC tunnel - 172.17.0.0

    192.168.30.0                   172.18.0.0

    I tested with one subnet to another subnet and that works. However, when I try to group the objects it fails.

    As an example, I can set up a VPN from 192.168.20.0 to 172.18.0.0 that I can pass traffic through, but it is unable to reach the other subnets.

    Excerpts from the config.

    crypto isakmp enable outside

    ACL

    access-list outside_1_cryptomap extended permit ip object dmz-network-local object dmz-network-remote

    Tunnel group

    tunnel-group type ipsec-l2l

    tunnel-group ipsec-attributes

    pre-shared-key

    isakmp keepalive threshold 10 retry 2

    Phase 1

    crypto isakmp policy 10 authentication pre-share

    crypto isakmp policy 10 encryption 3des

    crypto isakmp policy 10 hash sha

    crypto isakmp policy 10 group 2

    crypto isakmp policy 10 lifetime 86400

    Phase 2

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto map outside_map 1 match address outside_1_cryptomap

    crypto map outside_map 1 set pfs group1

    crypto map outside_map 1 set peer

    crypto map outside_map 1 set transform-set ESP-3DES-SHA

    crypto map outside_map interface outside

    NAT

    nat (inside,outside) 1 source static dmz-network-local dmz-network-local destination static dmz-network-remote dmz-network-remote

    Any advice would be greatly appreciated.

    Thank you.

    Andrew,

    According to your config, each network is behind a different interface of the ASA, so you will need to change the NAT rule for each of them, for example:

    nat (DMZ_Zone,outside) 1 source static ad-network-local ad-network-local destination static obj-remote obj-remote

    nat (DB_Zone,outside) 1 source static db-network-local db-network-local destination static obj-remote obj-remote

    nat (AD_Zone,outside) 1 source static dmz-network-local dmz-network-local destination static obj-remote obj-remote

    Please review and give it a try.

    I hope to hear from you soon.

  • ProBook 650 1: Problems with W10 upgrade - VPN client on my notebook?

    Hello

    I upgraded my laptop to Windows 10 but, like many people, I encountered some problems with the Broadcom 802.11 Wi-Fi adapter. I read a lot of discussion about it and yesterday I decided to roll back to Windows 7 in order to do a clean update by ISO and uninstall the VPN. I read that the Cisco VPN Client is the problem when upgrading to W10... but I am not sure I have the Cisco client on my notebook.
    Can you help me find out which VPN software I have on my notebook?
    I ran Microsoft Fix it and found out that I have:
    Cisco PEAP
    Cisco LEAP
    Cisco EAP-FAST

    Is this VPN software? Or not?

    After having updated the Broadcom driver on Windows 10, Wi-Fi worked well, but I still had an error message "Broadcom 802.11 Wi-Fi network adapter doesn't work" whenever I turned on the laptop.
    In addition, it was impossible on W10 to open the Broadcom Wireless Utility (Control Panel) software; I always get an error message.

    Should I uninstall the Cisco software?

    See you soon,

    Marco

    "Hi @Kreiskybill,

    I'm sorry, that was meant to be an internal memo that I'm not trained on commercial products and I was hoping one of my colleagues would help, but I'll try my best to help you.

    For your wireless problem, there are several troubleshooting documents available on the product support page for your ProBook (http://ow.ly/ADK7301hCLl) that might be useful. Also, here is the HP consumer PC document 'Troubleshooting wireless network and Internet (Windows 10)' (http://ow.ly/pIm0301hEIN) for reference.

    With regard to the Cisco programs that you listed, @SpiritX on the Microsoft Forums (http://ow.ly/DAhQ301hCFt) answered your question about the Cisco programs well. I know that you are not running Windows Vista, but the answer is still valid for you.

    If it helps and you want to thank me, please click the 'Thumbs Up' icon to say thank you. If you think that I helped solve your problem, please click the 'Accept as Solution' button. This will allow other users to find what worked for you."

  • Error 1722 problem with the Windows Installer package.

    I try to install the Cisco VPN software and I get error 1722. It says that there is a problem with the Windows Installer package. How can I fix it?

    This is a general error and often a problem with the installation program itself, not Windows.

    Download the installer for the latest version that supports your version of Windows (32-bit / 64-bit),

    and give it another try.

    If the problem persists, redirect your question to Cisco's support forum or TechNet.

    They will be able to help you best.

    https://supportforums.Cisco.com/

    http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

  • Problem with disk free space.

    I use a FirePOWER 7100 (FireSIGHT version 5.3.0.3, sensor version 5.4.1.7). I have problems applying policies to the device, and I am unable to update the sensor to the newest version. Cisco support community, help me! Thank you! They and I think that this problem may be in the disk usage.

    What I have on the sensor:

    Filesystem   Size  Used  Avail  Use%  Mounted on
    /dev/sda5    2.9G  562M   2.2G   21%  /
    /dev/sda1     99M   37M    58M   39%  /boot
    /dev/sda7     67G   67G      0  100%  /var
    none         1.9G  136K   1.9G    1%  /dev/shm

    Maybe the problem is with the volume logs. What could I check and delete? Thank you!

    Hello team,

    * Could you please check the following points:

    cd /var/tmp/

    du -sh *

    You can clear /var/tmp/ using the following. Files under /var/tmp are temporary files:

    rm -rf *

    It is a known bug where /var gets completely full due to Apply_* files.

    * Also check the following points:

    cd /var/sf/updates

    Remove the old patches if there are any.

    * Check the following backup folder and the detection engine folder too.

    cd /var/sf/upgrade_backup

    du -sh *

    cd /var/sf/detection_engines

    du -sh *

    Rate if this helps you.

    Regards

    Jetsy

  • Problem with Cisco SG300 switch

    Hi guys,

    I have a problem with a Cisco SG300-20 switch. After a failure the switch boots into a kind of mode. It requires

    the MAC address and serial number to be entered manually for the device. I tried to find information on this mode, but without success.

    My question is: what is this mode and how do I make the switch start in this mode?

    How can I turn on the switch in this mode on purpose if it happens again and I enter the wrong information by accident?

    Thank you

    Hi Aegx, this is a rare case where the switch basically forgets its identity. Although the switch is recoverable, it is recommended to RMA the switch.

    If you are certain that you have not taken it under warranty, all the information that is asked for is on the sticker on the bottom of the switch. If the sticker is not present, you would not be able to do this correctly.

    In addition, if you make a typographical error, the switch will have undesirable failures that are permanent, such as the inability to update software.

  • Having a problem with the DHCP function on SG300 / 500?

    Having a problem with the DHCP function on SG300 / 500? Now I can use the DHCP server on both models, but I have a problem.

    My problem is when I create

    VLAN 1: 192.168.0.1/24, DHCP pool 192.168.0.10 - 250

    VLAN 10: 192.168.10.1/24, DHCP pool 192.168.10.10 - 250

    case 1

    I plug the PC into VLAN 1 and I get IP 192.168.0.11. But when I move this PC to a new port in VLAN 2 I still get the same IP address. Why can I not get an IP from VLAN 2?

    case 2

    I plug the PC into VLAN 2 and I get IP 192.168.10.11. But when I move this PC to a new port in VLAN 1 I still get the same IP address. Why can I not get an IP from VLAN 1?

    But when I log in to the switch and remove the link, after that I get the correct IP.

    I think this is a bug of this firmware. Could you help with this case?

    This is a known bug that Cisco is fixing.

    Sent from Cisco Technical Support iPad App

  • Problem booting VMware ESXi 5.0

    I just installed VMware ESXi 5.0 on a new Cisco UCS B200 series blade with two 300 GB hard drives configured in a RAID 1 mirror. I went through and completed the installation of VMware ESXi 5.0 on this server. When the installation completed and the server restarted, it did not boot into ESXi where I can change the IP address and VLAN. Instead, after the initial boot sequence I get the text string shown in the attachment. I have a prompt that says Shell> and do not know why I cannot boot correctly into ESXi 5.0. Thank you! Paul

    Hi Paul,

    Looks like you are booting to the EFI shell. What is the boot policy that you have configured on this server's service profile? It should look like the one below. If there is a problem with the boot order, you should be able to type "EXIT" and then Enter at the EFI shell to exit the prompt. If your boot policy is similar to the one below and you still experience this issue, try to downgrade and re-ack the blade.

    Let me know if it helps.

  • Problems with the ACK property in WCS

    Hello

    I have a problem with the ACK property in WCS. I acknowledge a log entry in the log; within a few seconds/minutes/hours this alarm disappears, and then if this alarm appears again, the message shows as marked ACK.

    Should the message not appear again without an explicit acknowledgement? What is the problem?

    Thanks in advance

    Hello

    According to what is indicated in the official guides, this seems to be the expected behavior:

    "You acknowledge the alarm to prevent it from appearing in the alarm summary page. The alarm remains in WCS and you can search for all acknowledged alarms using the alarm search."

    http://www.Cisco.com/en/us/docs/wireless/WCS/7.0/Configuration/Guide/7_0event.html#wp1229996

    So, you can acknowledge that specific alarm once so that it does not show on the alarm page, only for this event. If however the alarm goes off again, the new instance will appear and let you know that you already acknowledged a similar instance.

    Hope that clarifies the behavior,

    Fede

    --

    If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.

  • Problem with Polycom endpoint dial string via VCS

    Greetings,

    Currently I have an environment using a set of standalone Polycom endpoints (a mixture of VSX/HDX units). We have recently installed VCS-C / VCS-E / TMS and, despite a few problems with SIP registration on some of the older endpoints and with management through TMS, everything works well. The only remaining problem is that a number of business partners use extensions in their H.323 dial strings, which works very well for the Polycoms when not using VCS-C as a gatekeeper, in the # format. When using this same dial string with endpoints registered to VCS-C, the only thing indicated in the call history is a number of , which fails.

    I am aware that different manufacturers have historically handled extension dialing differently since ISDN, and this has apparently been perpetuated until today. However, it is a pretty critical need at this stage and I am looking for input on whether VCS supports the use of an extension component in the dial string (or once the call is connected to a gateway that is the host). If so, is there a specific format for this dial string that both the Polycom endpoints and VCS can interpret correctly? Does anyone have this working?

    The latest software versions are on all components.

    Thank you in advance for any thoughts you may have!

    Hi Readamson,

    using the syntax "device-IP-address##extension" to dial an H.323 device is not a standard way of doing things; it is Polycom's approach to extension numbering, which VCS does not understand without changing the alias to a '[email protected] / * /' format.

    Assuming that the IP address receives the H.225 SETUP message from the VCS-E, what does it do with the SETUP message? Is there a way you can configure this end device to strip the '[email protected] / * /' part and route the call to the extension and the dialed number?

    Visit this link:

    https://supportforums.Cisco.com/thread/2129307

    Best regards, Ahmad
