Spend 3000 Concentrator VPN L2L ASA

Hello

We migrate an ASA5500 450 LAN to LAN VPN a VPN concentrator. Is there a reasonable way to do it? If I remember correctly, the configuration file for the VPN concentrator is in XML is not trivial to even read the config for each VPN. If it took say 15 minutes a VPN which is estimated at about three weeks of the working man!

Patrick,

I hope the post below helps.

http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=security&TopicId=.ee6b2b8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

Kind regards

Arul

* Please note all useful messages *.

Tags: Cisco Security

Similar Questions

  • Design of VPN L2L ASA question

    We expect to have more than 10,000 remote VPN L2L clients.

    I see that each crypto card needs a statement of 'same game' and the IP address is the address of the remote peer VPN L2L.

    :

    EX:

    card encryption UNI-POP 3 set peer 172.23.0.3

    : . . .

    card crypto UNI-POP 10000 set peer 172.26.0.250

    :

    I already feel that this will be a VERY long config, maybe too big to save/read/from memory.

    :

    Anyone would be a better approach?

    Thank you

    Frank

    Frank,

    If the remote end will run only from time to time, you should not have set peer statements and normally it would suffice to have a dynamic encryption card.

    If the remote ends do not support certificates, it is possible to land on defaultl2l tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group
    

    tunnel-group DefaultL2LGroup type ipsec-l2l
    

    tunnel-group DefaultL2LGroup general-attributes
    

    (...)

    You need to test yourself to see if it will work.

    I also agree in terms of more than one firewall. With devices for two in the load balancing or if possible 2pairs of devices in the failover cluster could be great way to have a decent charge by machine and equipment redundancy (ideal circumstances]);. I suggest you ping your system engineer for sure any deployment involving 5585, guys can usually give good advice (and discounts;]).

    Marcin

  • Concentrator VPN config ASA

    Hello;

    Is there a document (s) that describes the steps to migrate the configuration of VPN concentrator to ASA?

    Thank you

    I think that there may be another link there not sure, if I remember seeing any other backwards.

    http://www.Cisco.com/en/us/docs/security/ASA/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html

  • Dynamic IP address of the remote VPN L2L ASA sites

    Hello

    I have a client who is to change their links to backup from ADSL to 4 G - LTE using Cisco 819 s.

    Unfortunately, access to 4G of PSI will have dynamic IP addressing. Online, I see configurations for one remote site with dynamic IP address, speaking to ASA, but I can't find anything on several sites of L2L linking to the ASA with dynamic addressing.

    Does anyone can help with examples of configuration

    concerning

    Richard

    Hi Richard,

    the next days I will also write a blogpost with triple recovery WAN by using this configuration.

    Michael

  • VPN L2L ASA with NAT

    Hello, I was hoping someone might have an example of a site to site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration like this, but instead of "not nat", the ASA is NATting. So instead of the remote site, connect to the local network 10.10.10.0/24, ASA would be NAT at 172.16.17.0/24 for example.

    http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

    Thank you.

    Mike

    It's not very complicated, just keep in mind that NAT is done before the encryption.

    So if you your network 10.10.10.0/24 nat internal to 172.16.17.0/24:

    public static 172.16.17.0 (Interior, exterior) 10.10.10.0 netmask 255.255.255.0

    You can use the address translated into your crypto-ACL:

    REMOTE VPN ip 172.16.17.0 access list allow REMOTE-NET 255.255.255.0 255.255.255.0

    I suppose that you run ASA v8.3 + that you referred to an older document. If you have a more recent software, the logic is the same but the NAT commands differ.

    Sent by Cisco Support technique iPad App

  • MS CA for VPN L2L ASA

    What type of certifcates I should issueing bee in my ASA.

    Now I'm issueing IPSEC (offline) and I don't know if it's the right kind.

    I have ICP work for mobile users. simply not L2L

    Yes,

    Which can cause failure.

    Put command

    "ignore-ipsec-keyusage" under the CompanyTrustPoint

    That should solve.

  • Do not do a ping ASA inside IP port of the remote site VPN L2L with her

    The established VPN L2L OK between ASA-1/ASA-2:

    ASA-2# see the crypto isakmp his

    KEv1 SAs:

    ITS enabled: 1

    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

    Total SA IKE: 1

    1 peer IKE: 207.140.28.102

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    There are no SAs IKEv2

    QUESTION: 3750-2, we ping 3750-1 (10.10.2.253) are OK, but not ASA-1 inside port (10.10.2.254).

    Debug icmp ASA-1 data:

    ASA-1 debug icmp trace #.

    trace of icmp debug enabled at level 1

    Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 0 len = 72

    ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 0 len = 72

    Echo ICMP Internet request: 10.100.2.252 server: 10.10.2.253 ID = 400 seq = 1 len = 72

    ICMP echo response from the server: 10.10.2.253 Internet: 10.100.2.252 ID = 400 seq = 1 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 0 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 1 len = 72

    Echo request ICMP 10.100.2.252 to 10.10.2.254 ID = 401 seq = 2 len = 72

    Make sure you have access to the administration # inside

    lt me know f This allows.

  • Console Cable - Cisco VPN 3000 Concentrator

    Where can I get a cable from the console to the Cisco VPN 3000 Concentrator? The place I bought the hub of not sent me one with it.

    Thank you

    JP

    JP,

    Console port for the concentrator vpn being complient rs-232, you can buy two female DB9 to RJ45 / adapters, one for the concetrator and one for the PC to use in the COM1 port, then use a regular straight through CAT5 cable, that's the way I do and it is convenient as suppose to use the straight through serial rs-232 cable.

    http://www.sealevel.com/product_detail.asp?product_id=787

    With regard to the regular cable this hub comes with you can use it.

    http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF

    Adidtional information for your initial hub seup -.

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260

    Concerning

    PLS rate useful posts

  • l2l ASA vpn issues

    Hi all

    I have two firewalls that I'm trying to implement VPNs l2l between them. Once of them is an old wall of sonic and the other 5505.

    I put in all and ends the phase 1/2 and the tunnel rises however no traffic passes through

    Here is my configuration

    ASA (outside, 192.168.30.1) asa internal 192.168.10.0/25

    (Outside 192.168.30.2) SonicWALL sonicwall 192.168.20.0/24

    I have an accesslist that is configured on the asa and applied to the cypto card using card crypto XXXX 1, atch address YYY

    However when I watch the news ebugging on the console it says: "cannot locate the output for UDP of XXXX interface: 192.168.10.10/1 to 192.178.20.1/0.

    any ideas why this is?

    I just need a static route to say all traffic on asa with 192 source... 10.0 should go through 192.168.30.2?

    I guess it's the work of crypto card

    Am I wrong?

    Hello

    Begins to seems to me you have a filter ACL configured for your L2L VPN VPN and also the ACL filter of VPN and Crypto ACLs are the same things, which means you use a simple both ACL.

    Why I think it's like this is the fact that you say that your VPN L2L cross trading in the "packet-tracer" VPN Phase means Crypto VPN L2L ACL was correct. At the same time say you that the connection was stopped to the Phase of the VPN USER. He points to a VPN filter ACL being configured.

    In view of the foregoing, I also know that the ACL of filter for the L2L VPN behave with a logic different than typical ACL interface. In VPN L2L the ACL filter ALWAYS mention the remote network as the source ALWAYS and your Local network as the destination.

    If add you an ACL rule with order switched networks appears this fixes the VPN filter ACL problems and finally allowed traffic. Naturally I can only guess that I saw actual configurations at this point (which, usually with release "packet - trace", help to solve a problem faster just guessing)

    If you indeed filter VPN, you may be able to track him down with the following commands

    See the tunnel-group race

    Check if a "group policy" is defined then the command

    See establishing group policy enforcement

    This output should list the name of the ACL filter VPN if its game

    Regarding the installantion auto road. The default setting for ASA, is that it will create NO static routes automatically depending on the VPN configurations. This must be enabled manually in "crypto map" configurations, or you can configure static routes manually.

    ASA tracking to default TCP and UDP connections. ICMP is inspected only if his permit. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • ASA 8.4. (1) VPN L2L can only be established through default gateway

    Hi all!

    We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.

    On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.

    We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.

    It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.

    Any advice?

    Thank you!

    Well well, (any, any) certainly does not help.

    You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.

    In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.

    More precise best for NAT statement.

    NAT (, PublicTESAVPNBackup) source static static destination

  • VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

    Hello

    I'm a little confused as to which is the problem. This is the premise for the problem I have face.

    One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

    Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

    So essentially the encryption field is configured as follows:

    access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

    Free NAT has been configured as follows (names modified interfaces):

    NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

    the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

    NAT (interface2) 0-list of access VPN-SHEEP

    VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

    There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

    The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

    Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

    This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit rule
    Additional information:
    MAC access list

    Phase: 2
    Type: FLOW-SEARCH
    Subtype:
    Result: ALLOW
    Config:
    Additional information:
    Not found no corresponding stream, creating a new stream

    Phase: 3
    Type:-ROUTE SEARCH
    Subtype: entry
    Result: ALLOW
    Config:
    Additional information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: Journal
    Result: ALLOW
    Config:
    Access-group interface interface1
    access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:

    Phase: 6
    Type: INSPECT
    Subtype: np - inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    Policy-map global_policy
    class inspection_default
    inspect the http
    global service-policy global_policy
    Additional information:

    Phase: 7
    Type: FOVER
    Subtype: Eve-updated
    Result: ALLOW
    Config:
    Additional information:

    Phase: 8
    Type: NAT-FREE
    Subtype:
    Result: ALLOW
    Config:
    NAT-control
    is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
    Exempt from NAT
    translate_hits = 32, untranslate_hits = 35251
    Additional information:

    -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
    NAT-control
    is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
    static translation at 10.231.0.0
    translate_hits = 153954, untranslate_hits = 88
    Additional information:

    -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    NAT (interface1) 5 10.231.191.0 255.255.255.0
    NAT-control
    is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
    dynamic translation of hen 5 (y.y.y.y)
    translate_hits = 3048900, untranslate_hits = 77195
    Additional information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:

    Phase: 14
    Type: CREATING STREAMS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:
    New workflow created with the 1047981896 id, package sent to the next module

    Result:
    input interface: interface1
    entry status: to the top
    entry-line-status: to the top
    output interface: outside
    the status of the output: to the top
    output-line-status: to the top
    Action: allow

    So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

    And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

    access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

    Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

    Marcin

  • ASA IPP on VPN L2L w/NAT

    I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.

    Any thoughts on where I can go wrong?

    Thank you

    Darren

    You have configured the following:

    crypto set reverse-road map

    If you do, can you remove and Add again and see if that fixes the problem?

  • Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

    Hi Experts,

    We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

    Here's the warning we get then tried to configure the easy VPN Client.

    NOCMEFW1 (config) # vpnclient enable

    * Delete "nat (inside) 0 S2S - VPN"

    * Detach crypto card attached to the outside interface

    * Remove the tunnel groups defined by the user

    * Remove the manual configuration of ISA policies

    CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

    you

    operation was detected and listed above. Please solve the

    above a configuration and re - activate.

    Thanks and greetings

    ANUP sisi

    "Dynamic crypto map must be installed on the server device.

    Yes, dynamic crypto is configured on the EasyVPN server.

    Thank you

  • VPN l2l failed inside on ASA 5520 (8.02)

    VPN l2l is dropping packets to Phase 5 because of a rule configured. I have an isakmp his but the client cannot connect to the destination here in my network. I'll post my config to access list at the bottom of the Packet-trace output.

    vpnASA01 # entry packet - trace within the icmp [10.0.0.243] 0 8 10.97.29.73 det

    Phase: 1

    Type: CAPTURE

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc92087c8, priority = 12, area = capture, deny = false

    hits = 85188209121, user_data = 0xc916a478, cs_id = 0 x 0, l3_type = 0 x 0

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 2

    Type: ACCESS-LIST

    Subtype:

    Result: ALLOW

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f1f98, priority = 1, domain = allowed, deny = false

    hits = 85193048387, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0000.0000.0000

    Phase: 3

    Type: FLOW-SEARCH

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Not found no corresponding stream, creating a new stream

    Phase: 4

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 10.0.0.0 255.0.0.0 inside

    Phase: 5

    Type: ACCESS-LIST

    Subtype:

    Result: DECLINE

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0xc87f3670, priority = 111, domain = allowed, deny = true

    hits = 67416, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 4000, protocol = 0

    SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    the output interface: inside

    the status of the output: to the top

    output-line-status: to the top

    Action: drop

    Drop-reason: flow (acl-drop) is denied by the configured rule

    = ACCESS-LIST + Config =.

    the object-group L2LVPN-blah_local network
    network-object 10.97.29.73 255.255.255.255
    the object-group L2LVPN-blah_remote network
    network-object [10.0.0.240] 255.255.255.240

    INBOUND_OUTSIDE list of allowed ip extended access object-L2LVPN-blah_remote L2LVPN-blah_local group object

    L2LVPN-blah_obj allowed extended ip access-list object-L2LVPN-blah_local group L2LVPN-blah_remote

    access-list SHEEP extended permits all ip [10.0.0.243] 255.255.255.240

    Route outside [10.0.0.240] [10.97.29.1] 255.255.255.240 1

    address for correspondence card crypto outside-VPN 46 L2LVPN - blah_obj
    peer set card crypto VPN-exterior 46 [10.0.0.243]
    outside-VPN 46 transform-set esp-sha-aes-256 crypto card
    outside-VPN interface card crypto outside

    IPSec-l2l type tunnel-group [10.0.0.243]
    IPSec-attributes of tunnel-group [10.0.0.243]
    pre-shared-key *.

    [10.0.0.1] is to protect the global addresses of clients. Assume that these are still used in place of the current range of intellectual property. 10.0.0.240/28

    ===========================================

    Thanks in advance.

    Michael Garcia

    Profit Systems, Inc..

    Hi Michael,

    -Is the IP peer really part of the network that make up the field of encryption?

    -Is the ACL INBOUND_OUTSIDE applied (incoming) inside or outside interface (inbound)? It is the current form, it would need to be on the external interface.

    -You specify the peer IP only in the ACL SHEEP, so all other traffic is NAT would and eventually denied because it does not match the field of encryption

    Someone else may have a few ideas, but these are questions I have for the moment.

    James

  • Failures of intermittent connection to the VPN 3000 Concentrator

    Hello

    I managed a VPN 300 hub that works with happiness for several years with no problems. All users are part of the same group and authenticate on a server RSA. We recently moved from Authentication Manager RSA RSA 7.1 Authentication Manager 6.1. Continuous everthing works well for several weeks, then at the beginning of this week we started having users intermittently failing to connect to the VPN. I don't know if this problem is related to our new server RSA, but we have other devices on the network that authenticate on it without any problem, so I guess the problem is with the Concentrator VPN itself.

    When users fail they just get a generic error message 'Reason 427 completed peer connection'. Live event log shows "group = vpn, status = is not off duty" when their connection fails. Other times they connect normally and no error messages appear. There seems to be no real reason, sometimes your connection fails, but if you keep trying you will get eventually in [However it may take several attempts in the course of an hour or two until you succeed, or you can get immediately without a problem].

    I don't think that it's a network problem, because I ran continuous for the hub and the RSA server pings while users are experiencing these problems and there are no drops.

    Authentication RSA server monitor always shows that the user is authenticated successfully, the connection of users actually succeed or not. I'm tempted to reboot just the hub, but we have tunnels VPN site-to-site connected on it and I'm a little worried if it is faulty you can not come back at all.

    Has anyone encountered this problem before?

    Thanks in advance

    Hi Graham,

    My guess is that the new RSA server is slower to react, causing the Timeout vpn3000 sometimes - this would explain all the symptoms (nature intermitten's not in service, the success of logs on the server).

    I don't have a vpn3k at hand to check, but I think that in the config server aaa where you set the ip address etc. of the RSA server, you can also set a time-out value - see if increasing this value help.

    HTH

    Herbert

Maybe you are looking for

  • Rechnungsadresse please?

    Habe mir das neue iPhone 7 which. Fiel mir auf, dass die Rechnungsadresse please ist nun. Uber die Hotline out ich keine Hilfe, die weil Warteschleife immer über 60 Minuten ist. Kann ich das trotz der falschen address Commission oder wird die iPhone

  • Satellite Pro M75 with Vista: Mat * a UJ - 841 S cannot save

    Hello world. I installed windows vista on my Satellite Pro M75 and everything seems to work fine except the DVD player. It reads CDs and DVDs fine, but when I try to record a DVD it gives me an error message that the media is not empty or a general e

  • Mini Ipod and itunes

    Hello I recently helped someone with his powerbook from 2006. He has a small ipod and wants to get music on this subject. He's already got a lot, but when you plug in the ipod it looks like a USB key with nothing in it except 4 songs, it moves from i

  • Satellite L350D-10s - bootproblems USB - HD on

    * L350D-10s - bootproblems USB - HD on *. Hello If I want to make a backup of my external hard drive systemI have to start 3 or 4 times until I get behind my BACK. first I so wait several minutes with a "_" on the black screen until I get to the xp-b

  • Form of CONF. IPSec PIX to ASA

    Hi.I have a small question. I have a PIX configured with Ipsec configuration, but we have now upgraded to an ASA. I can just copy paste the configuration of PIX, ASA (all crypto and isakmp orders) or what I have to change some commands to make it wor