VPN 3030 - balancing problem

Hi all

I have set up load balancing on VPN 3030s and have run into a few problems with it. Firstly, the secondary 3030 has more RAM (512) than the primary (128). The secondary was purchased just a month back with 512 M RAM and the latest OS, 4.1.7.

(1) After enabling LB, normal VPN clients are redirected to and land on the secondary concentrator. There are more than 10-15 connections that landed on the secondary and none landed on the primary. I understand that this is because the master now has fewer connections... is that right? But why are there no connections at all on the master?

(2) WebVPN didn't work that well with load balancing enabled. HTTPS to the virtual IP address does not work. When tried with the physical IPs separately, it works, but not with the virtual IP address. Port 443 does not open on the virtual IP address. Why is this? Can I configure something else for this?

I also noticed that once you activate load balancing, redirection is done directly to the physical IP addresses, which means that end users will know the physical IP addresses and can connect to them directly if they need to. Why is this? Can someone shed light on this?

REDA

To answer one of your questions, I think that the primary will have connections only when the secondary has a minimum number of connections...

Similar Questions

  • VPN 3030 load balancing

    Hi all

    I was asked to configure load balancing between two Cisco VPN concentrators (Cisco VPN 3030).

    I set up the two boxes as described on the Cisco web site:

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml

    After I enable VPN load balancing, I get the error described below for 30 seconds.

    Quote:

    Master double detected LBSSF [0003a 0889463] and going to SLAVE

    One of my friends told me to try with encryption enabled, but it made no difference.

    I searched on Google but did not find any solution. I am now helpless. If any of you guys have met this kind of problem before, could you please help to solve it...

    Thank you

    Please set each device to have a different priority and then reload both devices.

    If this does not work, can you confirm that your VCA filter settings have been properly configured and applied to the public interface? The following link provides more details on how to configure VCA filters:

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml#C2

    Kind regards
    ATRI

  • Impossible to get WebVPN working on chassis VPN 3030

    This v4.1.7P chassis works perfectly for our Cisco VPN client installation, no problem. We have decided to extend its usefulness by turning on and configuring WebVPN.

    I did it on an IOS router, a Cisco 1841, and it works very well, so I'm following the same basic procedure to activate it on our VPN 3030.

    But when trying to connect to the VPN 3030's public interface from an internet ISP, I don't even get a login window, an error, nothing at all. Eventually the browser times out and stops.

    I did all the usual steps to enable WebVPN, yet nothing seems to work. I can admin the box fine internally via https, so I know that the self-signed certificates work.

    Any ideas where to attack this?

    Thanks, Jeff

    Hi Jeff,

    Try to upgrade to 4.7.x

    This generation of OS is fully operational with WebVPN.

    Check http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008055641a.shtml

    You can ignore the SSL Client part and troubleshoot why it doesn't work for your environment.

    For a complete list of commands/options check:

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_book09186a00801f1c6d.html

    Please rate if this helped.

    Kind regards

    Daniel

  • IOS VPN 3030

    Hello group,

    I have a small request. I have a VPN 3030 concentrator, which has IOS 4.1.5 installed. I do not have the 4.1.5 image right now with me and is available for download in cisco. I need this image for another customer. Can I download the 4.1.5 IOS image from the concentrator? I have seen the TFTP option, but it doesn't seem to work.

    Kind regards

    REDA

    You will need to open a TAC case and they can provide it for you. Unfortunately you cannot TFTP the image off the concentrator.

  • Can I block users from connecting to the VPN 3030 by client type or version?

    I would like to block some users who connect to our VPN 3030 using a Win98 client or a very old version of the VPN client.

    Is there a way to set up my VPN 3030 so I can block these clients? I don't want to push a new client for them or that you don't have a RADIUS server or something like that to put them on an independent isolated network.

    I want to configure this on the VPN 3030 itself; is it possible?

    Thank you.

    Jayesh,

    Go to:

    Configuration | User management | Groups

    Go to the specific group and click on modify.

    On the IPSec tab, you will see a section for:

    Client Type & Version Limiting

    For example:

    p *:4.7*

    This will allow version 4.7 clients.

    See you soon

    Gilbert

    Write it down, if it can help
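
A way to dry-run a Client Type & Version Limiting rule list before saving it on a group, as an added example (not code from the thread or from Cisco). It assumes the rule semantics as I recall them from the VPN 3000 documentation: `p`/`d` rules of the form `<type>:<version>`, `*` as a wildcard, case-sensitive matching, first matching rule wins, and a client that matches no rule is denied once any rule is defined. The client type and version strings in the sample list are constructed.

```python
import re

def _glob(pattern):
    # '*' is the only wildcard; every other character matches literally.
    return re.compile("".join(".*" if c == "*" else re.escape(c) for c in pattern))

def parse_rules(text):
    """Parse rules such as 'p *:4.7*', one per line or separated by ';'."""
    rules = []
    for raw in re.split(r"[;\n]", text):
        raw = raw.strip()
        if not raw:
            continue
        m = re.match(r"^(permit|p|deny|d)\s+(.*?)\s*:\s*(.*)$", raw)
        if not m:
            raise ValueError(f"malformed rule: {raw!r}")
        action = "permit" if m.group(1).startswith("p") else "deny"
        rules.append((action, _glob(m.group(2)), _glob(m.group(3)), raw))
    return rules

def evaluate(rules, client_type, version):
    """Return (decision, matching_rule_text_or_None) for one client."""
    if not rules:                       # assumption: no rules means no limiting
        return "permit", None
    for action, type_re, ver_re, raw in rules:
        if type_re.fullmatch(client_type) and ver_re.fullmatch(version):
            return action, raw          # assumption: first match wins
    return "deny", None                 # assumption: implicit deny at the end

def dry_run(rule_text, clients):
    """Evaluate every (type, version) pair and return the decisions in order."""
    rules = parse_rules(rule_text)
    return [(t, v) + evaluate(rules, t, v) for t, v in clients]

# Constructed sample of client type/version pairs, standing in for the values
# shown for real sessions on the concentrator.
SAMPLE_CLIENTS = [
    ("WinNT", "4.7.00.0533"),
    ("WinNT", "3.6.3"),
    ("Win9x", "4.7.00.0533"),
]

if __name__ == "__main__":
    for rule_text in ("p *:4.7*", "d Win9x:*; p *:4.7*"):
        print(f"rules: {rule_text}")
        for t, v, decision, rule in dry_run(rule_text, SAMPLE_CLIENTS):
            print(f"  {t:6} {v:12} -> {decision:6} ({rule or 'no rule matched'})")
```

Running the list against the client strings of currently connected users shows who would be locked out by the implicit deny before the rule goes live.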

  • ASA Vpn load balancing and failover

    Hi all.

    We have two ASA 5520s configured as primary and standby units in a failover configuration, and everything works fine.

    Is it possible, with this (failover) configuration, to configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both of them on two ASA firewalls: it is either the VPN load balancing feature or the failover functionality.

    If you need to use both features, you must use more than three ASA firewalls: the first two ASAs will work as the failover pair and the third ASA will work as the VPN cluster for them. The following example uses four firewalls:

    ASA1 (active FO) - ASA2 (FO Standby)
    (VPN virtual master)
            |
            |
    (Backup VPN device)
    ASA3 (active FO) - ASA4 (FO Standby)

    Kind regards

    Wajih

  • VPN load balancing

    Hello

    For VPN concentrator load balancing, a similar configuration must be on both devices. Does the master of the VPN concentrator cluster push the config to the other members of the cluster, or must it be done manually?

    Thanks in advance

    Hi Abu Alqader,

    The decision to use load balancing or VRRP depends a lot on your VPN environment.

    Personally, I think that load balancing is good/ideal if you have a lot of VPN clients, for example > 500 users. With 2 VPN3K doing load balancing, you can share VPN connectivity between the boxes and will not overload 1 VPN unit at any time. Also, if one of these boxes is down, affected VPN clients can still connect to the other device. But you must configure the VPN backup server in all the VPN Client software to achieve this.

    VRRP, however, has its own advantages. If the primary VPN device fails, all VPN clients can still connect to 1 VPN device, as VRRP practically allows the backup device to inherit/use the primary/active VPN public IP (as the gateway). With regard to the max number of users, VRRP is probably appropriate for low-end models like the 3005 (IPsec-200/50 clientless) & 3015 (IPSec 100/75 clientless).

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html

    However, the final decision depends on which option you feel better suits your environment. There is no right or wrong.

    Pls rate if you find this post helpful.

    Rgds,

    AK

  • RV042 load balancing problem

    We have two network connections coming into the office. One is a private WAN, and the other is a WAN on the internet. We have an RV042 router configured for load balancing. On WAN1 we have our private WAN, which includes Exchange and 6 VPNs. On WAN2, we have a public IP address and home workers. Both connections are 5 Mg T1s and both have the ability to access the internet, but only WAN2 has a public IP (76.x.x.x), whereas WAN1 has a private IP address (10.x.x.x).

    Where the problem now lies is that our new web-based payroll system does not support load balancing. We have to stop one side when we do payroll (turn load balancing off).

    Now, is it possible to have our payroll computers use only one side? Change the hosts file maybe? Or force a certain MAC address to use only WAN1, or is there a better router to achieve this?

    Any help would be appreciated

    Peter Labelle

    I don't have an RV042 and have referred to the Administrator's guide:

    http://www.Cisco.com/en/us/docs/routers/CSBR/RV042/Admin/Guide/RV042_V10_UG_C-Web.PDF

    I hope these comments are useful. Perhaps you can comment and let me know if it works for you. Check the load balancing and protocol binding section. These changes are disruptive... Please assume an outage during the change. Not a long interruption, but the sessions at the same distance could be lowered.

    For outbound, you can use protocol binding. This could cause some problems with the VPN client... can you try this after hours?

    For inbound, how do clients and remote computers know about the accounting software? Are you advertising this IP address via one link or another?

    If you are, then you can have a preference through one of the links.  If you advertise this IP address then you will not be able to provide a preference to a supplier of services on the other.

    Do please see the Administrator's guide and let me know your thoughts.  Sincere greetings and HTH,

    Andrew Lissitz

  • Unauthorized access admin on VPN 3030.

    Hello

    ACS 4.1

    2 x 3030 concentrators ver 4.7

    I have problems with administrative access to our backup c3030 VPN via TACACS+.

    Scenario: We have a live and a backup c3030. They will be configured for VRRP failover in case of failure of the live c3030. The live c3030 is enabled for TACACS+ and all access is fine.

    According to the Cisco doc here:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a0080093fe0.shtml

    ...the privilege level is set to 15 on the admin user on the c3030 as well as on the TACACS+ group; as I have said, everything works fine on the live c3030.

    I have now added the backup c3030 to the same TACACS+ network device group and configured it with exactly the same ACS setup as the live c3030. We can log in to the backup c3030 via TACACS+, but we cannot access the admin section and get the error "you don't have sufficient permission to access the specified page.".

    This has puzzled me for quite a while; there's nothing I can find on the web, and short of wiping the backup c3030 and starting again, I'm not sure there is anything we can do?

    I hope that someone out there encountered this problem?

    See you soon.

    What I wanted to make sure was that, when we try to connect to the VPNC (backup), the Passed log that we get in the ACS reports shows the NAS IP address as the private interface IP. If it does, then that's fine.

    This may sound weird, but if you have multiple local users on the VPNC with the 'same' privilege level, change them to different privilege levels and keep admin at 15. And then try again. I think you should have access to the console, do you?

    Kind regards

    Prem

    Please rate if this can help!

  • vpn server 2012 problem

    I downloaded the Server 2012 Standard trial onto my server, set up as a file server. We use it for network drives in and out of the office. I had the trial set up and working correctly with network drives via VPN for remote access and from the office on the local network. I bought a copy of Windows Server 2012 with a 5 CAL license and reinstalled, and everything works. I have the updated VPN in place and it connects, but when I type in the location of the shared folder using the name of the server it will not find it, although it will on the local network and when using the external server IP address while connected to the VPN. Any idea what my problem is? This network does not use DNS or a domain.

    Much better if you can transfer this issue to this... http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    This forum is for servers... This forum is intended for consumer type products...

  • vpn Windows 2003 problem

    I have connected two Windows Server 2003 SP2 machines, Server1 and Server2, via a VPN through the internet.
    Each server also has a LAN.
    The problem is that when the VPN is connected between the two servers, the LAN is disconnected. Client systems cannot connect to the server via the LAN.
    The local Windows XP or Windows 7 systems cannot access their main server. How can I solve this problem?

    Post in the Windows Server Forums:
    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/

  • -vpn - XP mode problem

    Hello

    I have a problem with establishing a VPN connection to my company. I changed the network adapter in XP Mode from NAT to my internal W7 adapter (Marvell Yukon...). The XP Mode adapter cannot get a valid IP, only an APIPA address.

    My W7 Marvell Yukon network card gets IP from the DHCP server of my Internet access by cable modem provider.

    Any ideas?

    Sincerely,

    Stefan

    Hello

    You need a router for such a link, since, network-wise, you have two independent computers.

    To work both computers (Win 7 and XP-Mode) must be live on the network, if you connect directly to a Modem you have no network.

    Jack - Microsoft MVP, Windows networking. WWW.EZLAN.NET

  • VPN to Pix problem

    It seems that I have problems similar to many others in the connection of remote clients to a PIX 515E.

    Currently, I have tried both the Cisco VPN client 3.6 and 4.03 without success. Users are authenticated fine and in the client you can see that they are assigned an address etc., but they are unable to access the internal network. The "sh crypto ipsec sa" shows no encrypted traffic has hit the PIX, as its...

    In the client's status etc., it shows that packets are encrypted, so I'm at a bit of a loss.

    I also have a problem with PPTP connections - this seems to differ between the OSes on the client, but Win2K machines can connect and get authenticated etc., and again fail to connect to the inside networks. Could these be linked?

    My current config is: (addresses changed, etc.)

    sh run
    : Saved
    :
    PIX Version 6.2(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password xxxx
    passwd xxxx
    hostname fw
    domain-name
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol skinny 2000
    no fixup protocol sip 5060
    names
    name 10.0.0.0 Inside_All
    name 10.30.1.0 Ireland1_LAN
    name 159.135.101.34 Ireland1_VPN
    name 213.95.227.137 IrelandSt1_VPN
    name 10.30.2.0 Cardiff_LAN
    name 82.69.56.30 Cardiff_VPN
    access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
    access-list 101 permit ip Ireland1_LAN 255.255.255.0 Inside_All 255.0.0.0
    access-list 101 permit ip Cardiff_LAN 255.255.255.0 Inside_All 255.0.0.0
    access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
    access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
    access-list outside_interface permit icmp any any echo
    access-list outside_interface permit icmp any any echo-reply
    access-list outside_interface permit icmp any any traceroute
    access-list outside_interface permit tcp any host 212.36.237.99 eq smtp
    access-list outside_interface permit ip any host 212.36.237.100
    access-list outside_interface permit tcp host 212.241.168.236 host 212.36.237.101 eq telnet
    access-list outside_interface permit tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet
    access-list outside_interface permit tcp any any eq telnet
    access-list outside_interface permit ip host 82.69.108.125 any
    access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0
    access-list 103 permit ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0
    access-list 104 permit ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0
    pager lines 24
    logging on
    logging console debugging
    logging monitor debugging
    interface ethernet0 10baset
    interface ethernet1 10baset
    interface ethernet2 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 212.36.237.98 255.255.255.240
    ip address inside 10.1.1.250 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.1.1.88-10.1.1.95
    ip local pool mspool 10.7.1.1-10.7.1.50
    ip local pool mspools 192.168.253.1-192.168.253.50
    pdm location Inside_All 255.255.255.0 inside
    pdm location 82.69.108.125 255.255.255.255 outside
    pdm location 10.55.1.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 212.36.237.100 10.1.1.50 netmask 255.255.255.255 0 0
    static (inside,outside) 212.36.237.101 10.1.1.254 netmask 255.255.255.255 0 0
    static (inside,outside) 212.36.237.99 10.1.1.208 netmask 255.255.255.255 0 0
    access-group outside_interface in interface outside
    route outside 0.0.0.0 0.0.0.0 212.36.237.97 1
    route inside Inside_All 255.255.255.0 10.1.1.254 1
    route inside 10.2.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.3.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.4.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.5.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.6.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.7.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.8.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.9.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.10.1.0 255.255.255.0 10.1.1.254 1
    route inside 10.11.1.0 255.255.255.0 10.1.1.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:00:00 absolute uauth 0:30:00 inactivity
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server AuthInOut protocol tacacs+
    aaa-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10
    aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
    aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
    aaa accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
    aaa accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut
    http server enable
    http 82.69.108.125 255.255.255.255 outside
    http 10.1.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community xxx
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt route dnat
    crypto ipsec transform-set VPNAccess esp-des esp-md5-hmac
    crypto ipsec transform-set VPNAccess2 esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set VPNAccess2
    crypto map home 9 ipsec-isakmp dynamic dynmap
    crypto map home 10 ipsec-isakmp
    crypto map home 10 match address 102
    crypto map home 10 set peer IrelandSt1_VPN
    crypto map home 10 set transform-set VPNAccess
    crypto map home 15 ipsec-isakmp
    crypto map home 15 match address 103
    crypto map home 15 set peer Cardiff_VPN
    crypto map home 15 set transform-set VPNAccess
    crypto map home 30 ipsec-isakmp
    crypto map home 30 match address 104
    crypto map home 30 set peer 212.242.143.147
    crypto map home 30 set transform-set VPNAccess
    crypto map home interface outside
    isakmp enable outside
    isakmp key * address IrelandSt1_VPN netmask 255.255.255.255
    isakmp key * address Cardiff_VPN netmask 255.255.255.255
    isakmp key * address 212.242.143.147 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption 3des
    isakmp policy 5 hash md5
    isakmp policy 5 group 2
    isakmp policy 5 lifetime 86400
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 28800
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 85000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 85000
    vpngroup client address-pool mspools
    vpngroup client dns-server 194.153.0.18
    vpngroup client wins-server 10.155.1.16
    vpngroup client idle-time 1800
    vpngroup client password *
    telnet 82.69.108.125 255.255.255.255 outside
    telnet 10.55.1.0 255.255.255.0 inside
    telnet 10.1.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh 82.69.108.125 255.255.255.255 outside
    ssh timeout 15
    vpdn group 6 accept dialin pptp
    vpdn group 6 ppp authentication pap
    vpdn group 6 ppp authentication chap
    vpdn group 6 ppp authentication mschap
    vpdn group 6 ppp encryption mppe auto
    vpdn group 6 client configuration address local mspools
    vpdn group 6 pptp echo 60
    vpdn group 6 client authentication local
    vpdn username xxxx password *
    vpdn username xxx password *
    vpdn username xxx password *
    vpdn username xxx password *
    vpdn username xxxx password *
    vpdn enable outside
    username xxx pass xxx
    terminal width 80
    Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa
    : end

    If you do not see decrypts on the PIX side, then my thoughts are that ESP (for IPsec) and GRE (for PPTP) do not get to your PIX (perhaps blocked by the ISP or other devices).

    If you do a "capture" of the packets on the outside interface, do you see any ESP or GRE traffic? Where is the client? If this isn't the case, does the dialup permit ESP or GRE?

  • Certificate for VPN 3030

    Hello

    I am trying to install a digital certificate from Verisign on a VPN concentrator (version 4.1.6). This certificate is to be used for WebVPN - HTTPS (SSL).

    When I try to install the SSL certificate I get the following error message:

    Installation of SSL certificate error: incomplete chain.

    (The certificate is valid until 2006. The only note that I found on CCO is that the duration of the certificate is then more 2048).

    Has anyone an idea what is the problem?

    Thanks Horst

    Generally, you will get this message if you have not loaded the CA (root) cert on the 3000 before trying to load the identity cert. You cannot have an identity certificate for SSL from an external CA server without having the root cert from this CA server installed as well.

    Go to Administration - Certificate Mgmt - click here to install a CA certificate, install that first, then install the SSL certificate.

  • IPSec vpn ios - pix problem

    I have a big problem and I don't know what to do. I set up a VPN with the following data:

    DES encryption, md5 hash, DH 1, pre-shared, but when I tried to establish the VPN the IOS router showed me this error:

    Jul 1 20:50:15.311: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

    {esp-3des esp-md5-hmac}

    Help, please

    show configurations.
