James, I am not authoritative on this issue, but I would suggest that you generate new RSA keys and specify a large modulus for the key. HTH, Rick
Hello, the following commands are very helpful on the CSS: show system-resources, show version, show chassis. James Denton, Network Security, Rackspace
Haven't tested it yet, but I think the absence of 'type http' is causing my problem, as it's defaulting to 'type tcp'. The hash is never being considered. Will implement the change later this evening. Thanks all!
8.20.0.01: still happening in this version of code. We were looking at when it happened and explored the active/suspend timing, but it didn't matter, i.e., making changes and applying them when the service was active doesn't appear to matter.
You may need to enable DNS doctoring to get this working properly. If you're using static NAT translations you'll need to remove the NAT entry and re-enter it with 'dns' tacked on at the end.

FROM: static (inside,outside) 66.55.12.33 192.168.1.33 netmask 255.255.255.255

TO: static (inside,outside) 66.55.12.33 192.168.1.33 netmask 255.255.255.255 dns

After re-entering the entry you may need to clear the xlate as well. Good luck! James
I know this is old by now, but I just spent days figuring this out. Try taking out your vpn-filter ACL like so: no access-list vpn-filter permit/deny ip

ALSO, make sure your crypto ACL is set like this: access-list OUTSIDE_CRYPTO extended permit ip host

Your source is your REMOTE addresses, and destination is your LOCAL. I scoured the internet and NO ONE had an answer for this. Seems like more people would have run into this at some point. Anyway, let me know!
Hi, hope you understood the solution. Your internal DNS server is not the authoritative (public) DNS server that publishes your website domain on the internet. DNS requests for your website from the internet are resolved by the authoritative DNS server (where you purchased your domain) to your x.y.z.2 public IP. DNS requests from your LAN are resolved by your internal DNS server, so you need to have this A record pointing to your webserver IP 10.0.0.2. (If I am not wrong) the reason your LAN users can't access your webserver is because: the HTTP packet initiated within your LAN (10.0.x.x) ------ your CE router ---- internet ------ your CE router (coming back as the webserver within your LAN) ----- your router blocks the HTTP request packet, because it went out on the same interface and is coming back on the same one. Well, I had a similar issue when I was working for a company a few years back....
I have noticed a couple of browsers that are exhibiting similar behavior. First, we use client certificates with 'both' certificate and AAA (LDAP). Cisco, by default, puts RC4 at the top of the list, and with most browsers it will be the chosen cipher. I have noticed that up-to-date Macs will terminate the connection (SSL reset) and refuse to submit a certificate. Not sure if Apple decided strong key negotiation was incompatible with a weak cipher, but as soon as RC4 was demoted and AES 128 was negotiated the Mac worked fine. Now, on Chrome (seen in both 16 and 17) I am seeing this in the ASDM logs:

Device chooses cipher : AES128-SHA for the SSL session with client gap:208.179.252.194/60870
CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).
SSL lib error. Function: SSL3_GET_RECORD Reason: decryption failed or bad record mac
CRYPTO: The ASA hardware accelerator encountered an error (Invalid Record, code= 0x2) while executing the command SSL Process Application Data Record (0x308D).

The two errors are obviously not related, but could you look in the ASDM logs and see if there are messages.
My experience is that you can have many connections from the same source IP without the ASA disconnecting you. However, the base SSL VPN license on an ASA allows only 2 SSL VPN connections. If you were hitting that limit I would expect you to get a credential failure, not a disconnect. Is there a possibility that multiple SSL VPN connections are being initiated from the same machine (i.e., Terminal Services), or someone is logging into a box through RDP or TS that has an already established SSL VPN connection? Default behavior for AnyConnect is to disconnect the VPN if this is the case. James
Just to add to this... the number *does* matter if you'd like to prefer one policy over another. Since it processes the policies sequentially and the first match is chosen, you might consider putting the strong methods first (like aes-256, aes) and something like MD5 last. The reason you see gaps in the numbering is likely so that someone can insert a new policy in the middle without having to re-number everything. James
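The ordering described in the post above, shown as an added ASA configuration example (not taken from the thread; policy numbers, lifetimes and the use of pre-shared keys are assumed). The lowest-numbered policy is offered first, so the AES-256/SHA policy wins whenever the peer supports it, and the MD5 policy is only reached as a last resort; the gaps (10, 20, 30) leave room to insert a policy later without renumbering.

```text
! Strongest policy first: evaluated first, matched first
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Middle ground for peers that cannot do AES-256
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Weakest policy last (MD5): only used when nothing above matches
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp enable outside
```

Check the negotiated result with "show crypto isakmp sa"; if a peer lands on policy 30, its own proposal list is the place to fix.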
James, please enable logging, add "logging buffered 7", and watch the logs for these inside IPs that have trouble reaching the internet:

sh logg | i x.x.x.x

where x.x.x.x is the IP of the problem client on the inside. You are PATing to the interface, so you should be able to provide translation for the inside host. In any case, whatever the problem is, the logs will show you what is wrong. If you don't see it in the logs, maybe the buffer logs are wrapping too quickly, and you can increase the buffer size:

logging buffer-size 1048576
clear logg buff

and then try the "sh logg | i x.x.x.x" again. Let us know what you see. Remember, for any flow to work through the firewall you need RTP: Route, Translation, Permission. -KS
Thanks for all of the great help! I plan to install at the non-paying customer site tomorrow. Questions:

1) Should the ASA directly interface to the service provider? If so, how do I configure the outside interface for DNS? The service provider provided an IP, mask, gateway, and DNS servers.

2) Or, should I put the ASA behind the customer's router and forward UDP ports 500 and 4500?