Remote VPN cannot ping any host on remote site
Hi all!
I tried to deploy remote vpn on my asa 5515-x. And my VPN client properly connected, but I can't ping any host on a remote network.
Here is my configuration:
ASA 1.0000 Version 2
!
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.10.252 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
IP x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
DMZ description
nameif dmz
security-level 50
IP 192.168.20.252 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.2.40 255.255.255.0
management only
!
boot system Disk0: / asa861-2-smp - k8.bin
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
internal subnet object-
192.168.10.0 subnet 255.255.255.0
network dmz subnet object
subnet 192.168.20.0 255.255.255.0
Note to access-list LAN_VLAN_10 split_tunnel
split_tunnel list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
MTU 1500 dmz
IP local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ASDM image disk0: / asdm - 714.bin
don't allow no asdm history
ARP timeout 14400
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
network dmz subnet object
NAT (dmz, outside) dynamic interface
Route outside 0.0.0.0 0.0.0.0 93.174.55.181 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.0.0 255.255.0.0 management
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set esp - esp-md5-hmac ikev1 firstset
Crypto-map dynamic dyn1 ikev1 transform-set firstset 1 set
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap outside crypto map interface
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
the Encryption
md5 hash
Group 2
life 43200
Telnet 0.0.0.0 0.0.0.0 inside
Telnet 0.0.0.0 0.0.0.0 management
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 management
SSH timeout 5
Console timeout 0
interface ID client DHCP-client to the outside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group testgroup strategy
testgroup group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list split_tunnel
user1 fvosA8L1anfyxTw3 encrypted password username
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
address testpool pool
strategy-group-by default testgroup
testgroup group tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
What's wrong?
TNX!
Hello
I would like to change the current reserve of VPN to something overlapping to the LAN.
You're also missing NAT0 for the VPN Client connection that is your problem more likely.
You can try these changes
mask of 192.168.100.1 - local 192.168.100.254 pool POOL VPN IP 255.255.255.0
tunnel-group testgroup General attributes
No address testpool pool
address VPN-POOL pool
no ip local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
network of the VPN-POOL object
255.255.255.0 subnet 192.168.100.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
You can also change your settings for encryption for anything other than a. You can use AES.
Hope this helps
Let us know if this helped.
Don't forget to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
Tags: Cisco Security
Similar Questions
-
Peer AnyConnect VPN cannot ping, RDP each other
I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1). I have a remote access VPN set up and remote access users are able to connect and access to network resources. I can ping the VPN peers between the Remote LAN. My problem counterparts VPN cannot ping (RDP, CDR) between them. Ping a VPN peer of reveals another the following error in the log of the SAA.
Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.
Here's my ASA running-config:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain dental.local
activate 9ddwXcOYB3k84G8Q encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS server-group DefaultDNS
192.168.1.128 server name
domain dental.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the RAVPN object
10.10.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.10.10.0_28 object
subnet 10.10.10.0 255.255.255.240
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access note VPN Customer local LAN access
Local_LAN_Access list standard access allowed host 0.0.0.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
Note VpnPeers access list allow peer vpn ping on the other
permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers
pager lines 24
Enable logging
asdm of logging of information
logging of information letter
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of information
record level of 1 600 6 rate-limit
Outside 1500 MTU
Within 1500 MTU
mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source all electricity static destination RAVPN RAVPN
NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the RAVPN object
dynamic NAT (all, outside) interface
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
trustpoint crypto ca-CA-SERVER ROOM
LOCAL-CA-SERVER key pair
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
billvpnkey key pair
Proxy-loc-transmitter
Configure CRL
crypto ca server
CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl
name of the issuer CN = ciscoasa
SMTP address [email protected] / * /
crypto certificate chain ca-CA-SERVER ROOM
certificate ca 01
* hidden *.
quit smoking
string encryption ca ASDM_TrustPoint0 certificates
certificate 10bdec50
* hidden *.
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.1 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.50 - 192.168.1.99 inside
dhcpd allow inside
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image
SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml
enable SVC
tunnel-group-list activate
internal-password enable
chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Dental.local value by default-field
WebVPN
SVC value vpngina modules
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Dental.local value by default-field
attributes of Group Policy DfltGrpPolicy
Server DNS 192.168.1.128 value
VPN - 4 concurrent connections
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
value of group-lock RAVPN
value of Split-tunnel-network-list Local_LAN_Access
Dental.local value by default-field
WebVPN
the value of the URL - list DentalMarks
SVC value vpngina modules
SVC value dellstudio type user profiles
SVC request to enable default webvpn
chip-tunnel enable SmartTunnelList
wketchel1 5c5OoeNtCiX6lGih encrypted password username
username wketchel1 attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel
username wketchel attributes
VPN-group-policy DfltGrpPolicy
WebVPN
modules of SVC no
SVC value DellStudioClientProfile type user profiles
jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username
jenniferk username attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
attributes global-tunnel-group DefaultRAGroup
address pool VPNPool
LOCAL authority-server-group
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address pool VPNPool
LOCAL authority-server-group
tunnel-group RAVPN webvpn-attributes
enable RAVPN group-alias
IPSec-attributes tunnel-group RAVPN
pre-shared key *.
tunnel-group RAVPN ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group WebSSLVPN remote access
tunnel-group WebSSLVPN webvpn-attributes
enable WebSSLVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
173.194.64.108 SMTP server
context of prompt hostname
HPM topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hello
Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.
I suggest the following changes
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
the object of the LAN network
subnet 192.168.1.0 255.255.255.0
PAT-SOURCE network object-group
object-network 192.168.1.0 255.255.255.0
object-network 10.10.10.0 255.255.255.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.
no static source nat (inside, everything) all electricity static destination RAVPN RAVPN
No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
No network obj_any object
No network object RAVPN
In case you do not want to change the settings a lot you might be right by adding this
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.
-Jouni
-
ASA VPN cannot ping ip local pool
Hello
We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...
Thanks in advance
Keith
Hi Keith,
I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)
Can you add "same-security-traffic intra-interface permits" and try again?
Federico.
-
Site to Site VPN - cannot ping remote subnet
Hi all.
I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.
Any suggestions?
I'm also an instant learn the ASAs, so I'm not an expert. I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.
Thanks in advance.
5505 lack the command:
management-access inside
Federico.
-
Customer remote VPN cannot ping certain IP
My Cisco VPN client can establish the tunnel with my successful ASA5505 Office vpn but cannot ping some IP such as an internal server (10.100.194.6).
FIREWALL-1 # ping 10.100.194.6
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 msWhy I can't ping certain IP?
Help, please.
Thank you.
Hey Kevin,
Check out the capture, it is obvious that there is a problem of internal routing as we can see packets from the VPN client requests, but there is no response from the server package.
Please ensure that the server has pointing on the Firewall VPN subnet route.
HTH.Kind regards
Dinesh Moudgil
PS: Please check the useful messages.
-
cannot ping external hosts to site 2 site vpn
Hi all
I have 2 sites configured as VPN L2L back to my ASA5520. a site uses a PIX525 and the other an ASA5505. I can access all the resources on my netwrok private without a problem and all traffic from remote sites is "protected". the issue I'm having is that I can not ping and external guests. for example, if I try to ping 4.2.2.1 emanating from a host on a remote site it times out. I can ping no matter what resource a my networks 'private' to any site without problem. any suggestions? Thank you.
If you are relying on access to Internet through the tunnel L2L (because you're tunnel everything), then you need to...
(1) configure uturn and outside nat for the remote network on the ASA station so traffic can leave the same interface it came with a public IP address for the Internet:
NAT (outside) 99
Global interface 99 (external)
permit same-security-traffic intra-interface
Or
(2) put in place a tunnel default gateway pointing to an internal router which has access to the internet
Route inside 0.0.0.0 0.0.0.0 in tunnel
-heather
-
Client VPN connects but cannot ping all hosts
Here is the configuration of a PIX 501, which I want to accept connections from the VPN software clients. I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX to 192.168.5.1, but I can't ping or you connect to all hosts behind the PIX. Can someone tell me what Miss me in my setup?
Thanks for your help.
Chi - pix # sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password
encrypted passwd
hostname chi - pix
.com domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
list-access internet-traffic ip 192.168.5.0 allow 255.255.255.0 any
Allow Access-list allowed a whole icmp ping
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
opening of session
debug logging in buffered memory
ICMP deny everything outside
Outside 1500 MTU
Within 1500 MTU
IP address outside pppoe setroute
IP address inside 192.168.5.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool ippool 10.10.11.1 - 10.10.11.254
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) - 0 102 access list
NAT (inside) 1 list-access internet-traffic 0 0
group-access allowed to ping in external interface
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
Crypto-map dynamic dynmap 10 GvnPix-set transform-set
toGvnPix 10 card crypto ipsec-isakmp dynamic dynmap
toGvnPix interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP keepalive 60
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 9
encryption of ISAKMP policy 9
ISAKMP policy 9 md5 hash
9 2 ISAKMP policy group
ISAKMP policy 9 life 86400
vpngroup address ippool pool chiclient
vpngroup dns 192.168.5.1 Server chiclient
vpngroup wins 192.168.5.1 chiclient-Server
vpngroup chiclient com default domain
vpngroup split tunnel 101 chiclient
vpngroup idle 1800 chiclient-time
vpngroup password chiclient *.
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
management-access inside
Console timeout 0
VPDN group chi request dialout pppoe
VPDN group chi net localname
VPDN group chi ppp authentication pap
VPDN username password net *.
dhcpd address 192.168.5.2 - 192.168.5.33 inside
dhcpd dns xx
dhcpd rental 86400
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 100
Cryptochecksum:
Chi - pix #.On the PIX configuration seems correct.
I guess you try to access hosts in 192.168.5.0/24, and these default hosts is the PIX inside interface 192.168.5.1?
How you try to access these internal hosts? If you try to ping the hosts, please please make sure there is no personal firewall enabled inside welcomes as personal firewall normally doesn't allow incoming connections from different subnet ip address.
-
VPN - cannot ping the next hop
Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)
What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.
Here is my design of the network and the config below:
Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)
Router Cisco 881
AAA new-model
!
AAA of authentication ppp default local
!
VPDN enable
!
!
VPDN-group VPDN PPTP
!
accept-dialin
Pptp Protocol
virtual-model 1
!
interface FastEthernet0
Description link to switch
switchport access vlan 5
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 70
no ip address
!
interface FastEthernet4
Description INTERNET WAN PORT
IP [IP EXTERNAL address]
NAT outside IP
IP virtual-reassembly in
full duplex
Speed 100
card crypto VPN1
!
interface Vlan1
no ip address
!
interface Vlan5
Description $ES_LAN$
IP 192.168.5.1 255.255.255.248
no ip redirection
no ip unreachable
IP nat inside
IP virtual-reassembly in
!
interface Vlan70
IP [IP EXTERNAL address]
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
!
!
interface virtual-Template1
IP unnumbered FastEthernet4
encapsulation ppp
peer default ip address pool defaultpool
Ms-chap PPP chap authentication protocol
!
IP local pool defaultpool 192.168.10.200 192.168.10.210
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
!
overload of IP nat inside source list no. - NAT interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]
Route IP 192.168.0.0 255.255.0.0 192.168.5.2
!
No. - NAT extended IP access list
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
IP 192.168.0.0 allow 0.0.255.255 everything
VLAN70 extended IP access list
ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255
permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp
permit tcp [IP EXTERNAL] 0.0.0.15 any eq www
permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15
permit tcp [IP EXTERNAL] 0.0.0.15 any eq field
permits any udp [IP EXTERNAL] 0.0.0.15 eq field
list of IP - VPN access scope
IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255
Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255
WAN extended IP access list
!
Layer 3 switch - Dell Powerconnect 6224
!
IP routing
IP route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "to connect to the Cisco router.
Routing
IP 192.168.5.2 255.255.255.248
output
!
interface vlan 10
"internal network" name
Routing
IP 192.168.10.1 255.255.255.0
output
!
interface ethernet 1/g12
switchport mode acesss vlan 5
output
!
interface ethernet 1/g29
switchport mode access vlan 10
output
!
Hi Samuel,.
I went through your configuration and picked up a few problematic lines...
First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.
The cleaner for this is,
Create a new interface of back of loop with a new subnet
!
loopback interface 0
192.168.99.1 IP address 255.255.255.0
!
New vpn set up, pool
!
IP local pool defaultpool 192.168.99.200 192.168.99.210
!
Change your template to point the new loopback interface,
!
interface virtual-Template1
IP unnumbered loopback0
encapsulation ppp
peer default ip address pool defaultpool
Ms-chap PPP chap authentication protocol
!
All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.
PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)
I hope this helps.
Please don't forget to rate/brand of useful messages
Shamal
-
Site to site between ASA 8.2 VPN, cannot ping
Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:
Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?
When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
...
Each attempt to ping responds with "Request timed out" on the computer of ping.
Why clients cannot mutually ping on the VPN tunnel?
Hello
Create a NAT0 ACL at both ends.
ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0
NAT (inside) 0 access-list SHEEP
THX
MS
Edit: at the beginning, I mentioned ACL #, it may not work.
-
VMs that newly set up cannot ping the host
A few days ago vSphere VMs worked well on nested host A that was vSphere, too. Then, install a vDS and place all hosts. He because of problem that guests could not ping each other. But, other virtual machines (I mean windows OS above) can always ping the host. So, moved the hosts of the vDS and removed the vDS, the problem is there. And implemented a few new virtual machines, what operating system are vSphere, too on the nested host a. They can only ping itself, but cannot ping on nested host A, too. Then, remove the data center and set up a new. the probel is still here.
The problem should be soon after vDS, how can I solve this problem?
the configuration of these new virtual machines are inpicture.
my thought here, you forgot to activate rear promicious (security) on vSwitch0 & 1 after the migration, both of vNDS
-
Cannot ping the host name of the operating system in vmware after intall kaspersky antivirus 2009
Dear all
I use windows xp professional, and XP, I use vmware workstation 6.0.2 I installed RHEL4 in vmware.
I was able to ping the host name of the guest operating system after you have entered the information (192.168.1.2 appserver.ibcs appserver)
in the C:\WINDOWS\system32\drivers\etc\hosts file. But after installing Kaspersky Antivirus 2009, I couldn't ping to the
Comments more bones by host name. But if I remove kaspersky anti-virus it pings again.
............ Can someone give me any solution please
Check your firewall Karspersky rules. Set the IP of comments as a secure IP.
Concerning
-
Client VPN cannot access anything at the main Site
I am sure that this problem has been resolved in a million times more, but I can't get this to work. Can someone take a look at this quick config and tell me what is the problem?
The Cisco VPN client connects without problems but I can't access anything whatsoever.
ASA Version 8.4 (4)
!
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 15
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.43.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address a.a.a.a 255.255.255.248
!
interface Vlan15
prior to interface Vlan1
nameif IPOffice
security-level 100
IP 192.168.42.254 255.255.255.0
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
network object obj - 192.168.43.0
192.168.43.0 subnet 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NETWORK_OBJ_10.11.12.0_24 object
10.11.12.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.43.160_28 object
subnet 192.168.43.160 255.255.255.240
network of the IPOffice object
subnet 0.0.0.0 0.0.0.0
outside_access_in list extended access permit icmp any 192.168.42.0 255.255.255.0
Note access list ACL for VPN Tunnel from Split vpn_SplitTunnel
standard access list vpn_SplitTunnel allow 192.168.43.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 IPOffice
IP local pool newvpnpool 10.11.12.100 - 10.11.12.150 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 non-proxy-arp-search to itinerary
NAT (IPOffice, outside) static source any any static destination NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 non-proxy-arp-search to itinerary
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the IPOffice object
NAT (IPOffice, outside) dynamic interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
http 192.168.43.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 IPOffice
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
IKEv1 crypto ipsec transform-set high - esp-3des esp-md5-hmac
crypto ipsec transform-set encrypt method 1 IKEv1 esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto-map dynamic dynmap pfs set 30 Group1
Crypto-map dynmap 30 set transform-set ikev1 strong dynamic - a
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
map rpVPN 65535-isakmp ipsec crypto dynamic dynmap
rpVPN interface card crypto outside
crypto isakmp identity address
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 2
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.43.5 - 192.168.43.36 inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal RPVPN group policy
RPVPN group policy attributes
value of server DNS 8.8.8.8
Ikev1 VPN-tunnel-Protocol
username admin privilege 15 encrypted password gP3lHsTOEfvj7Z3g
username password encrypted blPoPZBKFYhjYewF privilege 0 mark
type tunnel-group RPVPN remote access
attributes global-tunnel-group RPVPN
address newvpnpool pool
Group Policy - by default-RPVPN
IPSec-attributes tunnel-group RPVPN
IKEv1 pre-shared-key *.
!
!
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
: end
Well Yes, you are quite right on site!
Asymmetric routing is not supported on the firewall, such as trafficking and out should be via the interfaces of same, in the contrary case, it think it's an attack and drop the package.
Default gateway on the subnet devices IPOffice should be the interface IPOffice ASA (192.168.42.254), not the switch, if it is a switch shared with your home network. Similarly for devices inside subnet, default gateway must be ASA 192.168.43.254.
In regards to the switch, you can get a default gateway or the ASA inside or IP interface IPOffice ASA and the needs of return traffic to route through the same path
-
Customer quick RV042 VPN cannot ping lan network
Hi guys,.
I just created a client2gateway on RV042 IPSec tunnel and use the remote PC quick VPN client tries to connect to this router.
Fast VPN showed that the tunnel has been established. But I couldn't ping the LAN behind the router RV042.
Can someone help me?
Thank you.
Hello
Yes, you are right. To use the fast with RV042 VPN, it is necessary to configure the user name and a password for access to the VPN Client page. As this router does not support VLANs, you can only connect the VPN client to the LAN subnet (you cannot connect the client to any beach IP configured with multiple subnets)
Kind regards
Bismuth
-
Cannot ping port host MD3000i on RC0
Hello
I have set up my iSCSI network, as suggested in this post:
http://en.community.Dell.com/TechCenter/storage/w/wiki/MPIO-to-PowerVault-MD3000i-with-Microsoft-iSCSI-initiator.aspx
I can only ping the ports of controller RAID 1 (two ports). All of my iSCSI traffic is drunk through the controller. Windows Server 2008R2 (R710/810), but also an ESXi 4.1 cluster (R610 and PE2950) access the dedicated iSCSI network. I contacted the support a few weeks ago, and they have replaced the MD3000i RAID controllers as well as the background. They are insistent that there is a configuration problem and would not assist any more beyond to send me links suggested configs. I went through the Setup on the R810 (Windows 2008R2) from scratch. This has not produced different results. Then I updated all drivers (BCM5709Cs) NETWORK card and software on all hosts, successfully restarted the MD3000i and the two MD1000s bike powered two switches HP Procurve 1400 and restarted all hosts. I can't always ping RC0. I Putty and captured RC0 boot logs, but it was not obvious to me. Here are the logs of boot:
-=<###>=-
Set the interface lo0... doneAutonomous 9768 symbols added.
Error
03/26/13-16:44:29 (GMT) (tRootTask): NOTE: I2C transaction returned 0x0423fe00ATTENTION: Reset by spare controller
Current date: 26/03/13 time: 09:26:15
Send
Change Service Interface rate or baud ###>
03/26/13-16: 44:46 (GMT) (NCDB): NOTE: sequence SOD is Normal, 0
03/26/13-16: 44:46 (GMT) (NCDB): NOTE: SOD: removed host SAS from index 0
03/26/13-16: 44:46 (GMT) (NCDB): NOTE: in iscsiIOQLIscsiInitDq. iscsiIoFstrBase = 0 x 0
03/26/13-16: 44:46 (GMT) (NCDB): NOTE: turn on seeing failure summary tray
03/26/13-16: 44:48 (GMT) (NCDB): NOTE: SYMBOL: SYMbolAPI registered.
esmc0: event LinkUp
03/26/13-16: 44:50 (GMT) (tNetCfgInit): NOTE: the loan network
03/26/13-16: 44:51 (GMT) (NCDB): NOTE: channel initiating Drive: ioc:0 bringup
03/26/13-16: 44:54 (GMT) (NCDB): NOTE: the Firmware Version of the IOC: 00-24-63-00
03/26/13-16: 45:17 (GMT) (tSasEvtWkr): NOTE: sasIocPhyUp: chan: 0 phy:0 prevNumActivePhys:2 numActivePhys:2
03/26/13-16: 45:17 (GMT) (tSasEvtWkr): NOTE: sasIocPhyUp: chan: 0 phy:1 prevNumActivePhys:2 numActivePhys:2
03/26/13-16: 45:17 (GMT) (tSasEvtWkr): NOTE: sasIocPhyUp: chan: 1 phy:2 prevNumActivePhys:2 numActivePhys:2
03/26/13-16:45:18 (GMT) (tSasEvtWkr): NOTE: sasIocPhyUp: chan: 1 phy:3 prevNumActivePhys:2 numActivePhys:2
03/26/13-16:45:18 (GMT) (tSasCfg021): NOTE: path of the Alt up - chan: 0 phy:18 itn:1 controller
03/26/13-16:45:18 (GMT) (tSasCfg022): NOTE: path of the Alt up - chan: 1 phy:16 itn:2 controller
03/26/13-16:45:18 (GMT) (IOSched): NOTE: discoveredEncl: enclosure: 1, enclProp: x2c50104, trayId: slotCount 2:15
03/26/13-16: 45:19 (GMT) (NCDB): NOTE: IonMgr: Drive Interface enabled
03/26/13-16: 45:19 (GMT) (NCDB): NOTE: SOD: instantiation Phase complete
03/26/13-16: 45:19 (GMT) (NCDB): NOTE: controller between open Communication channels
03/26/13-16: 45:19 (GMT) (IOSched): NOTE: initiator of news: 1 - channel: 1, devHandle: x2c, SAS address: 590b11c41a9d8b00
03/26/13-16: 45:19 (GMT) (tSasDiscCom): NOTE: complete a discovery SAS task created
03/26/13-16: 45:19 (GMT) (NCDB): NOTE: LockMgr role is slave
03/26/13-16: 45:19 (GMT) (IOSched): NOTE: discoveredEncl: enclosure: 1, enclProp: x2c9516c, trayId: slotCount 2:15
03/26/13-16: 45:19 (GMT) (IOSched): NOTE: new initiator: 2 - channels: 0, devHandle: x1a, SAS address: 590b11c41a9d8b01
03/26/13-16: 45:21 (GMT) (IOSched): NOTE: discoveredEncl: Speaker: 2, enclProp: x2c8f730, trayId: 1, slotCount: 15
03/26/13-16: 45:21 (GMT) (sasCheckExpanderSet): NOTE: Expander Firmware Version: 0116-e05c
03/26/13-16: 45:21 (GMT) (sasCheckExpanderSet): NOTE: address SAS Expander: salvation = Low = xf6ac8d10 x5848f694
03/26/13-16: 45:21 (GMT) (tSasDiscCom): WARN: SAS: Initial full time of discovery: 33 seconds
03/26/13-16: 45:21 (GMT) (IOSched): NOTE: discoveredEncl: Speaker: 2, enclProp: x2c66ad4, trayId: 1, slotCount: 15
03/26/13-16: 45:22 (GMT) (NCDB): NOTE: spmEarlyData: from alternate data
03/26/13-16: 45:22 (GMT) (NCDB): NOTE: WWN baseName (valid ==> SigMatch) 00040026-b95795de
03/26/13-16: 45:23 (GMT) (NCDB): NOTE: ionEnableHostInterfaces is waiting for a channel lends itself
03/26/13-16: 45:26 (GMT) (NCDB): NOTE: ionEnableHostInterfaces expected 3800ms for a channel lends itself
03/26/13-16: 45:26 (GMT) (NCDB): NOTE: IonMgr: Host Interface enabled
03/26/13-16: 45:26 (GMT) (NCDB): NOTE: SOD: pre to complete initialization Phase
03/26/13-16: 45:47 (GMT) (NCDB): NOTE: ACS: autoCodeSync(): beginning of the process. Comm mode: 0, State: 1
03/26/13-16: 45:47 (GMT) (NCDB): NOTE: SOD: complete Phase initialization Code synchronization
03/26/13-16: 45:48 (GMT) (NvpsPersistentSyncM): NOTE: persistent storage NVSRAM updated successfully
03/26/13-16: 45:48 (GMT) (NCDB): NOTE: initialization complete USM Mgr with 0 records.
03/26/13-16: 45:49 (GMT) (NCDB): NOTE: BDU - received 1 small files
03/26/13-16: 45:49 (GMT) (NCDB): NOTE: BDU - received 0 records of great
03/26/13-16: 45:50 (GMT) (NCDB): NOTE: acquire 0.035 dry
03/26/13-16: 45:53 (GMT) (NCDB): NOTE: QLStartFw: FW drive download image 03.00.01.47 033eab00 4c0c8 bytes, result 0
03/26/13-16:45:55 (GMT) (tRAID): NOTE: ********************************************************************************
03/26/13-16:45:55 (GMT) (NCDB): NOTE: Application target QLogic, 2.01.08 Version 2005-06-13 (W2K)
03/26/13-16:45:55 (GMT) (NCDB): NOTE: iSCSI Target Application
03/26/13-16:45:55 (GMT) (tRAID): NOTE: ********************************************************************************
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: iSNS Server 0.0.0.0:3205
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: ISNSServerIPv6Addr 00:00:00:00:00:00:00:00: 3205
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: iSCSI name iqn.1984 - 05.com.dell:powervault.md3000i.60026b90005795de000000004b2ae7b6
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: port = 0, turn on IPv4 = 1, turn on IPv6 = 0
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: 10.182.233.250:3260 IP address
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: Firmware waiting for DHCP lease. State 18
03/26/13-16: 45:56 (GMT) (NCDB): NOTE: QLInitializeFW: 18 FwState 000/010 of time
03/26/13-16: 45:57 (GMT) (NCDB): NOTE: QLInitializeFW: 10/01/00 18 FwState of time
03/26/13-16: 45:58 (GMT) (NCDB): NOTE: QLInitializeFW: 10/02/00 18 FwState of time
03/26/13-16: 45:58 (GMT) (IOSched): NOTE: QLIsrDecodeMailbox: Port 0 bind upward.
03/26/13-16: 45:59 (GMT) (NCDB): NOTE: QLInitializeFW: 10/03/00 FwState time 0
03/26/13-16: 46:00 (GMT) (NCDB): NOTE: QLInitializeFW: port = 1, turn on IPv4 = 1, turn on IPv6 = 0
03/26/13-16: 46:00 (GMT) (NCDB): NOTE: QLInitializeFW: 10.182.232.250:3260 IP address
03/26/13-16: 46:00 (GMT) (NCDB): NOTE: QLInitializeFW: Firmware waiting for DHCP lease. State 18
03/26/13-16: 46:00 (GMT) (NCDB): NOTE: QLInitializeFW: 18 FwState 000/010 of time
03/26/13-16: 46:01 (GMT) (NCDB): NOTE: QLInitializeFW: 10/01/00 18 FwState of time
03/26/13-16: 46:02 (GMT) (NCDB): NOTE: QLInitializeFW: 10/02/00 18 FwState of time
03/26/13-16: 46:03 (GMT) (NCDB): NOTE: QLInitializeFW: 10/03/00 FwState 18 time
03/26/13-16: 46:03 (GMT) (IOSched): NOTE: QLIsrDecodeMailbox: Port 1 link up.
03/26/13-16: 46:04 (GMT) (NCDB): NOTE: QLInitializeFW: 10/04/00 FwState time 0
03/26/13-16: 46:05 (GMT) (NCDB): NOTE: PM - reading DB (record 1.0)
03/26/13-16: 46:08 (GMT) (t1): NOTE: QLTA_HandleTeb: Connect ports 0
03/26/13-16: 46:08 (GMT) (t3): NOTE: QLTA_HandleTeb: port 1 link up
03/26/13-16: 46:09 (GMT) (t2): WARN: QLTA_Handleteb: 72 event Code.
03/26/13-16: 46:09 (GMT) (t4): WARN: QLTA_Handleteb: 72 event Code.
03/26/13-16: 46:09 (GMT) (NCDB): NOTE: CCM: sodMirrorCheckIn() waiting alt cache check in mirror...
03/26/13-16: 46:10 (GMT) (NCDB): WARN: CCM: initMirrorAltChkIn() may not reflect
03/26/13-16: 46:11 (GMT) (NCDB): NOTE: CCM: initialize(): cache configuration
03/26/13-16: 46:11 (GMT) (NCDB): NOTE: from UWManager::initialize, 510, the invalid index - 1 entries
03/26/13-16: 46:11 (GMT) (NCDB): NOTE: NVSRAM IW queue size is 0
03/26/13-16: 46:16 (GMT) (NCDB): NOTE: RTR: IO released
03/26/13-16: 46:17 (GMT) (NCDB): NOTE: SOD: initialization Phase complete
==============================================
Title: Disk Array Controller
Copyright 2005 - 2011 LSI Logic Corporation, all rights reserved.Name: RC
Version: 07.35.39.64
Date: 16/08/2011
Time: 14:24:32 CDT
Models: 1532
Manager: devmgr.v1035api01.Manager
==============================================03/26/13-16: 46:17 (GMT) (NCDB): NOTE: sodMain of the sequence is complete, elapsed time = 90 seconds
03/26/13-16: 46:17 (GMT) (NCDB): NOTE: complete sodMain
03/26/13-16: 46:17 (GMT) (EventGateManager): WARN: GMOS: 8 events of creation for objects that already existIPs I can ping: 10.182.232.251 and 10.182.233.251 (both on RC1). I can even ping all other iSCSI host initiator ports! I hope I gave enough information about me for some answers. Please advise!
Thank you.
What are the 4 IP addresses and subnets for the 4 the MD3000i iSCSI ports?
ISCSI controller 0 port 0?: (guess 10.182.232.250/24)
ISCSI 0 1 controller port?: (guess 10.182.233.250/24)
Controller 1 iSCSI port 0: 10.182.232.251 24 (hypothesis on the mask)
Port of iSCSI controller 1 1: 10.182.233.251 24 (hypothesis on the mask)
Wiring must be:
iSCSI 1 Switch / VLAN:
ISCSI controller 0 port 0
ISCSI controller 1 port 0
Server 1 iSCSI port 0 (in the subnet 10.182.232.x 24)
etc.
iSCSI Switch 2 / VLAN:
ISCSI 0 1 controller port
ISCSI 1 1 controller port
Server 1 iSCSI port 0 (in the subnet 10.182.233.x 24)
etc.
To test iSCSI on controller 0 port, take a cell phone with a Gbit ethernet port (any modern laptop should have it), connect the ethernet controller iSCSI 0 0, 10.182.232.100 port value IP from the laptop and try to ping 10.182.232.250 (assuming that it comes to the INVESTIGATION period on this port). If it works, change the IP of the laptop to 10.182.233.100 and move the cable to the iSCSI port 1 and try to ping 10.182.233.250 and see if you can ping the IP address.
If these two are working, the first thing that comes to mind is that the port 0 and 1 have their swapped cables.
-
ASA 5505 VPN cannot access inside hosts
I set up VPN on the using 5505 ASDM and I am able to connect to the 5505 and the customer is also getting an IP address from the configured pool.
The Cisco VPN client displays an error in the log: AddRoute cannot add a route: code 87
Cisco
You may need to nat traversal lit. Try to add crypto isakmp nat-traversal 3600
Maybe you are looking for
-
I added the NewtabUrl 2.2.3 extension while I entered in google when you open a new window and it worked. I updated firefox and now when I open a new tab I get multiple windows and I have to click on the window of google again to see just google so 2
-
The Adobe Flash plugin broke down even after that I do exactly as told on aid
I get "the Adobe Acrobat plugin broke down." no matter how many times I reload the page or download the plug in. On my plugin page Check the download says it's up-to-date. I hate IE, but am forced to use it for the sites where this is happening to me
-
I have Vista but recquires game 2000 XP
I don't know if I download Windows 200 XP on my PC which has Vista, if it will mess it up completely and I usually, being able to play my game. Should I just get a new game that is compatible with Vista? The game is Super Pack of CSI.
-
count can not detect a cd/dvd player - windows 6
I went to Device Manager tried to update the driver and even uninstalled,-he re-installed itself after I restarted the computer. I ran microsoft Mr Fixit. but no joy,-he told me that he could not find a driver for the cd/dvd.
-
Cannot delete the file on the desktop
Message says it's open in Windows Explorer, which is not. Close the file in Explorer, and then try again.