This topic is really interesting and does also apply to me. Are there further hints/solution that can be given? ... View more

Well i did some sniffing on the client. Im kind of uncomfortable posting the capture here (whireshark) since there was a lot of other traffic which may include unsecure transmission of passwords. Please tell me if the information i provided was adequate. If not, i'll try to snif a second time. Here is what i've got: Before i clicked on "Topology Services" i started the capture. There was NOT a single connection over tcp to the ciscoworks server ip. I saw some http traffic over our proxy to the ciscoworks system tough. I don't think that my client is misconfigured on the network side, since i tested this on some devices of my colleagues. As soon as i test the ports with telnet, this is also displayed in the packet capture. On some occasion, if i wait long enough, some more log-output is displayed. (please see the attached screenshot) ... View more

Hi Joe, thanks again for your response. I really hoped that i overviewed some system specs that doesn't fit with cisco works...unfortunely that wasn't the fact. What is really anoying is that we had already LMS 2.6 running. Topology Services was functionating properly (with the same client specs...well an older java version tough) I read the LMS 3.1 Quick Start Guide again and double checked my system specs: Client Operating System:          Windows Vista - SP1 Client RAM:                             3GB Virtual Memory:                       6144 MB Default Location:                      English (United States) C:\Windows\System32>java -version java version "1.6.0_05" Java(TM) SE Runtime Environment (build 1.6.0_05-b13) Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode) Some tests with different browsers: Firefox 3.5               ->               X Opera 10.51             ->               X IE 7 (7.0.6001.18000)->               X (At least this one is officialy supported) Checking the reachability of some ports: (from client to server) 43242/tcp     ->     reachable (ANIServer, Campus) 42342/tcp     ->     reachable (OSAGENT, CiscoWorks Common Service) I checked the server's chort hostname. It is perfectly resolveable on the client. (also backwards) Am I missing something important here? Thanks in advance ... View more

Thank you for your fast respone. I checked the ports. Both are reachable. I changed my location und language for non-Unicode programs to English (United States). Unfortunely the problem still persists. Same symptoms. ... View more

********* Can you PING everything on the inside network (the problem is just with the inside IP of the secondary ASA?) ******* Yes i can ping everything on the inside network, except the secondary ASA. I can even ping the passive ASA on another site, when my tunnel isn't terminating on its primary device.As soon as I initiate a vpn-connection to that primary device i cannot ping that passive one. ***** Is the inside IP of both ASAs on the same VLAN connected to the same switch? **** Yes the inside (management) IPs are uns the same VLAN. ***** You can enable the Packet Tracer utility or the capture commands to check if the traffic is making it to the secondary ASA. **** Packet Tracer seems to be confused with the vpn connection. Please see the attached screenshot. Everything else looks fine so far. A Realtime Log Viewer output is in the other post i created. Thanks for your help ... View more

Ok and here we have the strange part: Inside the log of the active device i can see 1) Built inbound ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username) 2) Teardown ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username) where a.a.a.a is the ip address which the client get from the vpn-pool where b.b.b.b is the target ip; in this case the ip of the passive ASA (for further reference 1) is %PIX|ASA-6-302020 and 2) is %PIX|ASA-6-302021 ; http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280803 ) BUT there is nothing inside the log of the passive device! (I enabled debugging for the logging level) Thanks for your help ... View more

Thank you for that fast response. **** Are you connecting with a the Cisco VPN client? ***** We are using the Cisco VPN Client on Windows Client. We do have some Linux clients which show the same issue. The monitoring of our devices is done via a LAN to LAN -tunnel and theres also the same issue. (As far as I know the other side, also uses an ASA) **** If this is so, you can only PING the inside interface of the ASA if you have the ''management-access inside'' command (assuming that the inside interface is the interface where the interesting traffic resides). **** OK! the command "management-access '' is in place. So that's the cause we can't ping the other ASA? Do we have to disable that command to ping/telnet/snmp the secondary ASA? Any good reasons why that wouldn't be a good idea. May there be a way around? ******* Are you trying to reach the outside or inside IP of the ASA via the VPN tunnel? ******** I'm trying to reach the inside IP of the ASA *** Do you have the configs sync between both ASAs? *** Our ASAs are in an active/standby setup. Failover configurations are in place. Please correct me if I'm wrong. If I understood that correctly all commands are replicated from the active to the standby unit. *** Have you tried switching the failover, to see if the behavior continues? *** I haven't tried that yet. Thanks for any further feedback. Sven Schlingloff ... View more

Ok NOW i'm really confused!! After 1 1/2 day's of headache i did a second restart. Well, i dont know how to describe my astonishment as i actually saw the Device in DCR... Like i said, i'm pretty confused right now. I just don't understand it. Maybe someone can give me a hint what was the cause. ... View more