VPN 3000 Concentrator authentication failure.

Similar Questions

• Console Cable - Cisco VPN 3000 Concentrator

  Where can I get a cable from the console to the Cisco VPN 3000 Concentrator? The place I bought the hub of not sent me one with it.

  Thank you

  JP

  JP,

  Console port for the concentrator vpn being complient rs-232, you can buy two female DB9 to RJ45 / adapters, one for the concetrator and one for the PC to use in the COM1 port, then use a regular straight through CAT5 cable, that's the way I do and it is convenient as suppose to use the straight through serial rs-232 cable.

  http://www.sealevel.com/product_detail.asp?product_id=787

  With regard to the regular cable this hub comes with you can use it.

  http://www.stonewallcable.com/product.asp?Dept%5Fid=35&PF%5Fid=SC%2DS9%2DFF

  Adidtional information for your initial hub seup -.

  http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/3_6/getting/gs2inst.htm#1050260

  Concerning

  PLS rate useful posts

• Failures of intermittent connection to the VPN 3000 Concentrator

  Hello

  I managed a VPN 300 hub that works with happiness for several years with no problems. All users are part of the same group and authenticate on a server RSA. We recently moved from Authentication Manager RSA RSA 7.1 Authentication Manager 6.1. Continuous everthing works well for several weeks, then at the beginning of this week we started having users intermittently failing to connect to the VPN. I don't know if this problem is related to our new server RSA, but we have other devices on the network that authenticate on it without any problem, so I guess the problem is with the Concentrator VPN itself.

  When users fail they just get a generic error message 'Reason 427 completed peer connection'. Live event log shows "group = vpn, status = is not off duty" when their connection fails. Other times they connect normally and no error messages appear. There seems to be no real reason, sometimes your connection fails, but if you keep trying you will get eventually in [However it may take several attempts in the course of an hour or two until you succeed, or you can get immediately without a problem].

  I don't think that it's a network problem, because I ran continuous for the hub and the RSA server pings while users are experiencing these problems and there are no drops.

  Authentication RSA server monitor always shows that the user is authenticated successfully, the connection of users actually succeed or not. I'm tempted to reboot just the hub, but we have tunnels VPN site-to-site connected on it and I'm a little worried if it is faulty you can not come back at all.

  Has anyone encountered this problem before?

  Thanks in advance

  Hi Graham,

  My guess is that the new RSA server is slower to react, causing the Timeout vpn3000 sometimes - this would explain all the symptoms (nature intermitten's not in service, the success of logs on the server).

  I don't have a vpn3k at hand to check, but I think that in the config server aaa where you set the ip address etc. of the RSA server, you can also set a time-out value - see if increasing this value help.

  HTH

  Herbert

• VPN 3000 Concentrator logging

  Our company uses a 3000 VPN concentrator for our VPN access.

  Is there a way to view a log history of what the user connected to the VPN and what IP address they were assigned?  This would be 2 days ago, which was over the weekend.

  Thank you.

  To obtain this type of information, you must configure an external management server, syslog server and send this info to this server.

  You can for example download any freeware like http://www.kiwisyslog.com kiwi syslog server, then configure the hub to send the logs on the server.

  Here's how to use the VPN 3 k and syslogs etc...

  http://www.Cisco.com/en/us/partner/docs/security/vpn3000/vpn3000_47/configuration/guide/events.html

  For information more fancy graphical reporting you can also use Cisco Security Manager http://www.cisco.com/en/US/partner/products/ps6498/index.html

  There are also 3rd party sofwware out there who can collect this type of information such as the engine firewall monitor of manage - may also collect newspapers of concentrators Cisco VPN - connections vpn etc...
  http://www.ManageEngine.com/products/firewall/distributed-monitoring/index.html

  Concerning

• Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator

  Hi guys,.

  I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.

  The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address.  We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that.  Here is a screenshot of what I tried:

  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  nameif ethernet2 dmz1 security50

  name 172.16.1.48 Cust_DVR1

  permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1

  permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1

  IP outside X.Y.Z.227 255.255.255.224
  IP address inside 192.168.1.1 255.255.255.0

  location of PDM Cust_DVR1 255.255.255.255 outside

  Global 1 X.Y.Z.230 (outside)
  Global (dmz1) 1 interface
  NAT (inside) 0-list of access inside_outbound_nat0_acl
  NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  outside_map 30 ipsec-isakmp crypto map

  outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">

  card crypto outside_map 30 match address centura_map_30

  card crypto outside_map 30 the transform-set ESP-3DES-MD5 value

  outside_map interface card crypto outside

  ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  30 2 ISAKMP policy group

  ISAKMP duration strategy of life 30 86400

  My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network.  I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).

  THANKS MUCH FOR ANY HELP!

  -Mario

  Hello

  For example, you can NAT your internal via the tunnel network traffic when you go to this customer.

  In this way, they will see your unique internal network as an IP address.

  Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227

  Is this what you need?

  Federico.

• How to configure VPN 3000 Concentrator for remote access

  I have inherited a VPN concentrator and want to configure it to provide remote access to my internal laboratory network when I'm traveling.  Private interface is configured as 192.168.1.240/24.  Public interface is configured as one of my public IP addresses.  I have a public IP pool on the back side of a cable modem Roadrunner.  I created a pool of addresses for clients such as 192.168.1.200 by 192.168.1.205.  I created all group configurations, group and user base.

  In the IP Routing tab, I see a default route pointing to my IP address of public gateway - the IP address of my box of roadrunner cable modem gateway.

  Since my VPN client, I am able to connect to the VPN concentrator.  I get an address from the pool and check the details of the tunnel under the statistics section shows IP address correct pool for the customer and the correct public IP address of my VPN reorga

  Jeff,

  According to statistics, it seems that the client sends traffic to the hub, but his answer not get back.

  We need check the hub settings itself.

  I need check the hub settings and that it is a GUI based device so I can't even ask to see the technology and the only option available is to WebEx.

  You're ok with webex, pls lemme session comfortable time id and e-mail to send the invitation, it takes no more time and we will carry it out

  Thank you

  Ankur

• Public interface on VPN 3000

  Hello

  It is as sure to fix the public interface on a VPN 3000 Concentrator on the internet? Or should there be a firewall in front.

  I understand that the public interface is "hardcoded" and only open ports you'd pass firewall anyway, but I just wanted to check with experts to ensure that :-)

  Peter

  Hi Peter,.

  I don't think there are major problems involving the public interface of VPN 3030 Internet. It is means in reality for public access... it is a little hardened to allow only specific protocols... If you have an ID, you can monitor the traffic on this interface and shun unnecessary connections if necessary... you also have filters on the public interface, which allows you to restrict the traffic...

  set the vpn behind a firewall increases the complexity of your network. You may as well have this behind, but it will be a little complicated.

  I hope this helps... all the best

  REDA

• Network VPN 3000 list

  I keep to err msge "mask/area bad ip address/subnet mask/generic id" when you attempt to add a class C network to the list a VPN 3000 Concentrator using the CLI. Here's my entry 192.168.51.0/0.0.0.255. The number and the wildcard mask seem ok. Isn't the right syntax?

  Vincent, you're very welcome and thank you for the update... happy all worked... Please rate as solved post.

  Rgds BST

  Jorge

• PIX 515e VPN 3005 concentrator cannot pass phase 1

  My list of vpn access increases, so I know that it is correct. IM testing with ping. Debug configurations and follow. Remote location through VPN connection attempt with THE. Thanks to all who can help. His failure in the first phase which means configuration mess up, but I can't find a miss-match for me? Maybe ive been looking at this for a long time.

  Pix515e config:

  ----------------

  Crypto ipsec transform-set esp - esp-md5-hmac aptset

  aptmap 10 ipsec-isakmp crypto map

  aptmap 10 correspondence address vpn crypto card

  card crypto aptmap 10 peers set yyy.xxx.xxx.131

  card crypto aptmap 10 transform-set aptset

  aptmap interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address yyy.xxx.xxx.131 netmask 255.255.255.255

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Debugs ipsec, isakmp, ca

  -------------------------

  Peer VPN: ISAKMP: approved new addition: ip:yyy.xxx.xxx.131 Total VPN peer: 1

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt is incremented to peers: 1 Total peer VPN: 1

  ISAKMP (0): early changes of Main Mode

  ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.

  local (identity) = zzz.xxx.xxx.226, distance = yyy.xxx.xxx.131,

  local_proxy = 192.168.33.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 192.168.65.0/255.255.255.0/0/0 (type = 4)

  ISAKMP (0): retransmission of phase 1...

  ISAKMP (0): delete SA: src zzz.xxx.xxx.226 dst yyy.xxx.xxx.131

  ISADB: Reaper checking HIS 0x81377ad8, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt decremented to peers: 0 Total of VPN peer: 1

  Peer VPN: ISAKMP: deleted peer: ip:yyy.xxx.xxx.131 VPN peer Total: 0

  results of ' show crypto isamkp his. "

  -----------------------------------

  Total: 1

  Embryonic: 1

  Src DST in the meantime created State

  YYY.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0

  Error messages on the concentrator 3005

  ------------------------------------

  11:14:47.640 57 07/01/2004-SEV = 4 RPT IKE/48 = 23 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  11:15:02.770 58 07/01/2004-SEV = 4 RPT IKE/48 = 24 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  3005 page concentrator Lan-To-Lan settings

  -----------------------

  Activated

  External interface

  Answer only

  YYY.xxx.xxx.226 peer

  Digital cert: no (use preshared keys)

  Transmission of the CERT: (full certification chain)

  Preshared key: {same on pix}

  AUTH: esp, md5, hmac-128

  encryption: des-56

  proposal of IKE: IKE-DES-MD5

  Filter: none

  IPSec NAT - T not verified

  No bandwidth policy

  Routing: no

  I noticed that you have a lifetime and a pfs group configured on the pix. The pfs group is 2 which I think will not work with-although I'm not positive, as I have only used with 3des. Diffie-Hellman Group1 should work with simple.

  In any case, recheck the config vpn 3000 to see if a group and life expectancy have been speced on config. If not, or if you are not sure, then remove the two outside the pix and run the command of his clear cry on the pix. Then try again and let me know what you find.

• Cisco ACS 5.4 and VPN 3000

  Hello

  I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.

  I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.

  Any help would be much appreciated.

  Concerning

  AR

  Hey,.

  What is the report on GBA?

  "RAIDUS AAuth in green"

  If so, a pcap help between the two.

  Concerning

  Ed

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett

• VPN 3000 and wildcard peer IKE

  The order PIX (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312) reference:

  ISAKMP key address

  To configure a preshared authentication key and associate the key with a host name or the IPSec peer address, use the address isakmp key command. Use the address no. isakmp key command to remove a preshared authentication key and its associated IPSec peer address.

  A 0.0.0.0 netmask. may be entered as a wildcard indicating that any peer IPSec with a preshared key valid given is a valid counterpart.

  Question: Is it possible to do the same thing on the VPN 3000? I have a bunch of PIX firewall, they use DSL w / DHCP. I need them to operate in the Mode of Extension of network, but unlike PIX, I can't seem to get the VPN 3000 to accept the '0.0.0.0' as you can do it with PIX. Anyone has any idea if this is possible or another way to achieve the goal? Any ideas would be greatly appreciated.

  Yep, it's possible, even if it's not too obvious how you do :-) The following configuration example shows how do:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

  The key option is the "Default pre-shared key" under the core group.

• Cellular data network 5 s could not be an activated PDP authentication failure

  IPhone 5 s could not activate cellular data network due to the PDP authentication failure.  Phone has been used in Japan (mobile service with NTT DOCOMO chip B), taken to the United States for 2 months (T Mobile) and now back in Japan with the same piece of mobile service B installed (monthly service has been paid for and maintained during the period of 2 months then in the USA).  Tweaks has been altered by an employee of Apple in the United States to work with chip T Mobile phone.

  9.3.1 last IOS version

  Have you tried a hard reboot, take the card Sim inside and out, reset network, switching cellular parameters market, switching carrier setting from automatic to manual.

  Hello aemikulen,

  If you are unable to activate your iPhone 5s, now that you're back to the Japan, you may need to contact your provider and having replaced SIM card.  The resources below will provide some additional information:

  If you can not activate your iPhone

  Mobile phone service provider support and features for iPhone in Asia-Pacific

  Take care

• "All of a sudden cannot receive incoming mail - server response: '-ERR re of authentication failure.

  When I try to get incoming mail all of a sudden, I get a message that says "account: 'pop.gwi.net', server: 'pop.gwi.net', Protocol: POP3, server response: '-ERR reauthentication failure ', Port: 110, secure (SSL)": no, Server error: 0x800CCC90, error number: 0x800CCC92 ' "

  Which is based by a command prompt to verify my user name and password.  This email account has been implemented if a long time that I can remember is no longer my password.

  When I try to get incoming mail all of a sudden, I get a message that says "account: 'pop.gwi.net', server: 'pop.gwi.net', Protocol: POP3, server response: '-ERR reauthentication failure ', Port: 110, secure (SSL)": no, Server error: 0x800CCC90, error number: 0x800CCC92 ' "

  Which is based by a command prompt to verify my user name and password.  This email account has been implemented if a long time that I can remember is no longer my password.

  "Part of your error message: server response: '-ERR re of authentication failure.
  Try this. Assuming you use Windows Mail or Windows Live Mail. If you aren't the case, ignore this response.

  Open Windows Mail or Windows Live Mail > tools > accounts > select your account of gwi > properties > servers.
  Under incoming mail server,.
  If you have a " logon using clear text authentication " option,click it > click OK
  If you do not, leave which are VIRGINS he. Do NOT check the "connect using secure password authentication"

  Go to the Advanced tab > put check on BOTH "this server requires a secure connection (SSL)" > OK

  t-4-2

• Cable 802. 1 x an authentication failure - credentials pop-up window

  We have recently implemented dot1x wired network authentication based in institutions; majority of PCs are windows 7.

  It is necessary to have a PDP Windows once all authentication failure happens on the LAN NIC. What we are doing is running the wired autoconfiguration service, and in the authentication network adapter tab, we store the credentials of the user; Once these credentials expire or authentication fails for some reason, the network card indicates that the authentication failed, but he he invites, on the desktop or anywhere, a pop-up window that allows the user to enter different credentials.

  Is it feasible by any means of configuration in windows 7, or by the code?

  Appreciate your help, thank you.

  This issue is beyond the scope of this site (for consumers) and to make sure you get the best answer, we need to ask either on Technet (for IT Pro) or MSDN (for developers)
  http://social.technet.Microsoft.com/forums/en-us/home s/fr-U.S./Accueil
  http://social.msdn.Microsoft.com/Forum
  
  
  If you give us a link to the new thread we can point to some resources it