
RPC through Site-to-Site VPN

Darren.Rohwling
Level 1

I have a site-to-site VPN set up between our ASA 5510 and a Pix 515.  Everything works fine with the domain controllers syncing from the remote site to the main site.  I am having an issue with our backup server not being able to connect to the server via RPC (from ASA side to Pix side).  It is giving me a "RPC server is unavailable".  How can I test to see which appliance is blocking this traffic and what do I need to add to that side to make this work?  Thanks in advance for any assistance you can provide.

6 Replies

Hi Darren,


The problem is the server on the ASA side not being able to RPC to a server on the PIX side through the VPN, correct?

Most likely there's an ACL applied to the inside (or the ASA's interface connected to the server), that is not allowing this traffic, please check on this.

One test could be a simple PING to check if you have IP connectivity between both servers through the tunnel in that direction (if allowed).

Federico.

Thank you for your offer of assistance.

I can ping both ways. I have permit any any on the inside interface of the ASA. The only acl on the pix outbound is for the nat control of the interesting traffic to the private side via the tunnel. The domain controllers can do everything they need across the tunnel. The only time I have any issue is when our NAS device tries to connect to the server. The NAS device and PDC are on the ASA side. The BDC is on the Pix side.

Thanks,

Darren

Darren,

If that's the case I think the next step in troubleshooting would be to check the logs and captures.

You can search the logs on the ASA/PIX and pipe for the IP addresses in question and check if there's any connection teardown or similar error.

An excellent way to gather a communication problem between two hosts is to use the capture command and open it with Wireshark to analyze the flow.

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/c1.html#wp2147322

Federico.
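
The log check suggested in the reply above, as an added example that is not part of the original post: a Python filter over ASA/PIX syslog lines for one pair of hosts, listing ACL denies (message 106023) and TCP teardown reasons (message 302014). The log lines and addresses are constructed, and the names `summarize` and `ep` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in ASA syslog format; the addresses are
# documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4101 for outside:192.0.2.20/135 (192.0.2.20/135) to inside:198.51.100.10/49210 (198.51.100.10/49210)
%ASA-6-302014: Teardown TCP connection 4101 for outside:192.0.2.20/135 to inside:198.51.100.10/49210 duration 0:00:01 bytes 412 TCP FINs
%ASA-4-106023: Deny tcp src inside:198.51.100.10/49211 dst outside:192.0.2.20/49155 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4102 for outside:192.0.2.20/49156 to inside:198.51.100.10/49212 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4103 for outside:192.0.2.99/445 to inside:198.51.100.77/50000 duration 0:00:05 bytes 900 TCP FINs
"""

def ep(name):
    """Regex fragment for an 'interface:ip/port' endpoint with named groups."""
    return r"[^:\s]+:(?P<%s>[\d.]+)/(?P<%sp>\d+)" % (name, name)

TEARDOWN = re.compile(
    r"%(?:ASA|PIX)-\d-302014: Teardown TCP connection \d+ for " + ep("a")
    + " to " + ep("b") + r" duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)")
DENY = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny (?P<proto>\w+) src " + ep("a")
    + " dst " + ep("b") + r' by access-group "(?P<acl>[^"]+)"')

def summarize(log, host_a, host_b):
    """Collect denies and teardown reasons for traffic between two hosts."""
    pair = {host_a, host_b}
    denies, reasons, no_data = [], Counter(), []
    for line in log.splitlines():
        m = DENY.search(line)
        if m and {m["a"], m["b"]} == pair:
            # (source, destination, destination port, ACL that dropped it)
            denies.append((m["a"], m["b"], int(m["bp"]), m["acl"]))
            continue
        m = TEARDOWN.search(line)
        if m and {m["a"], m["b"]} == pair:
            reason = m["reason"].strip()
            reasons[reason] += 1
            if int(m["bytes"]) == 0:
                # Connection closed without payload: first-listed port, reason
                no_data.append((int(m["ap"]), reason))
    return {"denies": denies, "teardown_reasons": reasons, "no_data": no_data}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "198.51.100.10", "192.0.2.20"))
```

A deny or a zero-byte `SYN Timeout` on a high port while the TCP 135 session closes with `TCP FINs` would point at the firewall path; clean teardowns on every port shift attention to the hosts.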

When I sniff this I get an ISystemActivator Malformed packet response from the NAS device responding to the BDC. Are you familiar with this type of error? It would appear that this is not a network issue, but rather an OS issue with their negotiation failing. Would you concur?

Darren,

I would agree with you.

No network issue... seems like an OS problem.

Hope you can solve the problem.

Federico.

Thanks for your help.
