The VPN passthrough option is on. Cisco's old VPN client (IKEv1) works fine with this router.
Working with Linksys to see if their latest F/W 220.127.116.1120, released July 6, 2017, was made available to the routers and if there were any changes to VPN passthrough for IKEv2.
We updated to AnyConnect ver. 4.5.01.044 last week and AC with IKEv2 worked, downgraded back to AnyConnect ver. 4.5.00058 and it also worked. I did not make any changes on the ASA and I am currently running 9.6.3-1 on the ASA.
I am implementing AnyConnect ver. 4.5 on an ASA running 9.4 code, using IKEv2; I turned off SSL. It works well except at a co-worker's home. She uses a new Linksys router (waiting on the model number). The connection fails because the ASA does not see the 2nd IKE_AUTH packet, which is a fragment of the 1st IKE_AUTH packet. See attached - laptop_Connected_To_Linksys & in_front_of_asa for Wireshark captures.
The laptop can tether to 2 different cell phones & carriers and guest wireless at the office, and AnyConnect works perfectly.
This laptop is running Win 7 64-bit, and the old Cisco VPN Client (IKEv1) works perfectly behind this same Linksys router.
I have changed the ASA so AnyConnect uses SSL, and this laptop works when connected to the Linksys router.
We have connected the laptop to the Linksys router both wireless and wired with the same results: works with AnyConnect SSL and the old VPN client IKEv1, just not with the IKEv2 protocol.
I thought about increasing the MTU size on the client since the IKE_AUTH message length is 622 and the fragmented packet length is 194.
I could switch to SSL but I think IKEv2 is more robust.
I just started to get these same errors when I changed the LDAP Authentication Server from a FQDN to a domain name, i.e. 'mydomain.com' instead of 'host1.mydomain.com'. I am in the process of retiring a couple of domain servers and instead of just specifying one or two servers, I thought that by specifying the domain name, I could talk to any domain controller. But the log shows:

24028 User's attributes are retrieved
24022 User authentication succeeded
24027 Groups search ended with an error

I can see if user authentication failed then getting "24027 Groups search ended with an error", but user authentication did not fail.

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - MY-Servers
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24028 User's attributes are retrieved
24022 User authentication succeeded
24027 Groups search ended with an error
22059 The advanced option that is configured for process failure is used.
22062 The 'Drop' advanced option is configured in case of a failed authentication request.
I have noticed on my 20-site DMVPN network that traffic shaping is not working correctly. I am using a broadband provider and have several sites on a 50 Mbps down / 10 Mbps up link, including the hub site. The problem that I see is when one of my hosts is transmitting a huge amount of data (over 10 Meg stream, typically a backup running on a remote file server), I am losing EIGRP neighbor relationships. The remote router will receive the DUAL msg "Peer goodbye received", which tells me that the hub did not see 3 Hello packets in a row. The statistics from a Show Service Policy on the outside physical interface show everything is normal: packets with EF, CS6, etc. are not being dropped and packets in the default class are being dropped. I am traffic shaping 'average' down to 10 meg and applying the service policy on the outside interface.

I have set up a test lab, (2) 2811 routers back to back, running c2800nm-advipservicesk9-mz.124-24.T.bin (same IOS ver on all my routers). If I turn off the DMVPN, shut down the tunnel int, turn on EIGRP for my "WAN" subnet, and set the traffic shape policy to 2 Mbps, everything works when I flood the router with packets generated by SolarWinds WAN Killer, which is sending UDP packets of 1000 bytes @ an average of 15 Mbps. Then I turn on the DMVPN, remove the WAN subnet from EIGRP, enable the tunnel interfaces, and I lose EIGRP neighbor relationships quite frequently.

The only option to stop this behavior is to configure "rate-limit output dscp 0 1800000 17912 17912 conform-action transmit exceed-action drop". I chose 90% of my traffic shaped bandwidth and this is working pretty well. Other than this issue, the DMVPN is working great. I have attached a config from my bench test and some show commands.

On my "live" DMVPN network, I have 2 DMVPN hub sites. I am not losing EIGRP neighbor relationships with my 2nd hub site; the file server backups are running to my 1st hub site.
The Campus Manager User Tracking Report has the dot1xEnabled field that is always false. It was my understanding that the switch will send SNMP trap notifications to Cisco Works regarding the status of 802.1x authentication per port. We have configured per port:

snmp trap mac-notification added
snmp trap mac-notification removed

and globally:

snmp-server host x.x.x.x abababa udp-port 1431 MAC-Notification

With no success, so we opened a TAC case, 614376387, and we were told by TAC and the Development Engineers that this "feature" does not work in LMS 3.2 and Campus Manager 5.2.1 and that this feature will be available in the next new release. I thought I had read on this forum that some folks have this 'feature' working, where this field shows the current status of 802.1x per access port. Has anyone been able to get this 'feature' to work? And if so, what versions are you running and what were the 'tricks' to get it working? Much appreciated.
Thank you for correcting this:

>> SNMP only access from Routers/Switches
>> 1) can modify Router/Switch Configs from Cisco Works
>> 2) Archive of Router/Switch Configs to Cisco Works.

If I had SNMP & TFTP from the routers & switches to Cisco Works, the Archive Config process will detect a config change via SNMP, and if a config has changed then SNMP will TFTP the startup config to the shadow directory? CSCOpx\files\rme\dcma\shadow\Switches_and_Hubs\PRIMARY

Thanks

This has been updated.

Telnet. The server that Cisco Works is running on now can only access the routers and switches via SNMP v2 only. Network devices are syslogging to Cisco Works, but not SNMP trapping to Cisco Works. No TFTP from/to Cisco Works.

I am trying to come up with a list of items that are useless now in Cisco Works:

No SSH/Telnet access to Routers/Switches
1) no Configuration Versioning - Running config to Startup config or to various versions.
2) no Copying of the VLAN.dat file for backup, uses TFTP
3) no Copying of the IOS from flash for backup, uses TFTP

No SNMP Traps to Cisco Works
1) disables notifications to Cisco Works when a configuration change has been made, causing the new config to be archived promptly instead of waiting on the collection job to run.
2) Renders the User Tracking Tool basically useless, could track dot1X switch ports status and other info.

SNMP only access from Routers/Switches
1) cannot modify Router/Switch Configs from Cisco Works
2) cannot Archive Router/Switch Configs to Cisco Works.
3) Only IPM, Cisco View, and a tiny piece of Campus Manager functionalities will function.
Due to New Corporate Security Policies, only 2 servers can access the routers and switches via SSH2 and Telnet. The server that Cisco Works is running on now can only access the routers and switches via SNMP v2 only. Network devices are syslogging to Cisco Works, but not SNMP trapping to Cisco Works. No TFTP from/to Cisco Works.

I am trying to come up with a list of items that are useless now in Cisco Works:

No SSH/Telnet access to Routers/Switches
1) no Configuration Versioning - Running config to Startup config or to various versions.
2) no Copying of the VLAN.dat file for backup, uses TFTP
3) no Copying of the IOS from flash for backup, uses TFTP

No SNMP Traps to Cisco Works
1) disables notifications to Cisco Works when a configuration change has been made, causing the new config to be archived promptly instead of waiting on the collection job to run.
2) Renders the User Tracking Tool basically useless, could track dot1X switch ports status and other info.

SNMP only access from Routers/Switches
1) can modify Router/Switch Configs from Cisco Works
2) Archive of Router/Switch Configs to Cisco Works.

This is what I came up with so far; if anyone can add to the list, I would appreciate it.

Charlie
I am working on enabling dot1x on switch ports and disabling inactive switch ports on over 350 switches. Senior Manager wants a weekly report that shows them statistics by port on where we are with this project. I am pretty sure that Cisco Works will not work for this, but I would like to double check. I am thinking that we can have the program scan through all the *.cfg files in a directory:

IF Device = switch
    Increment counter "Total Switches"
    IF Interface (except Vlan) = switchport mode access
        Increment counter "Total Access Ports"
        IF (dot1x port-control and shutdown) increment counter "Dot1x Disabled Port"
        Else IF (dot1x port-control and NOT shutdown) increment counter "Dot1x Enabled Port"
        Else IF (switchport port-security and shutdown) increment counter "Port Security Disabled Port"
        Else IF (switchport port-security and NOT shutdown) increment counter "Port Security Enabled Port"
        Else Exception: Display value of Hostname and Interface (none of the above 4 conditions existed, error)
    Else (except Vlan)
        Increment counter "Total Trunk Ports"
        If (switchport mode trunk and shutdown) increment counter "Disabled Trunk Port"
        Else If (switchport mode trunk and NOT shutdown) increment counter "Enabled Trunk Port"
        Else Exception: Display value of Hostname and Interface (none of the above 2 conditions existed, error)
    EndIF
EndIF

Any suggestions?
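One way to implement the counting logic described in the post above, as an added example (not code from the post or from Cisco Works): a small Python script that parses IOS config files, walks each interface block and applies the same decision tree. The configs embedded below are constructed samples standing in for the *.cfg directory, and the rule that a device counts as a switch when any interface carries a switchport command is an assumption of this example.

```python
"""Added example: tally dot1x, port-security and trunk port states across IOS
config files, following the decision tree in the post above.
The configs below are constructed samples, not real devices."""
from collections import Counter
from pathlib import Path

# Constructed stand-ins for the *.cfg files that would be read from a directory.
SAMPLE_CONFIGS = {
    "sw1.cfg": """\
hostname SW1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control auto
 shutdown
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
!
""",
    "r1.cfg": """\
hostname R1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
""",
}


def load_configs(directory):
    """Read every *.cfg file in a directory into {filename: text}."""
    return {p.name: p.read_text() for p in Path(directory).glob("*.cfg")}


def parse_interfaces(config_text):
    """Return (hostname, {interface name: set of its indented config lines})."""
    hostname, interfaces, current = "UNKNOWN", {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the block
    return hostname, interfaces


def report(configs):
    """Apply the post's decision tree. Returns (counters, exceptions) where
    exceptions is a list of (hostname, interface) matching none of the conditions."""
    counts, exceptions = Counter(), []
    for text in configs.values():
        hostname, interfaces = parse_interfaces(text)
        # Assumption: a device is a switch if any interface carries a switchport command.
        if not any(l.startswith("switchport") for lines in interfaces.values() for l in lines):
            continue
        counts["Total Switches"] += 1
        for ifname, lines in interfaces.items():
            if ifname.lower().startswith("vlan"):
                continue                      # SVIs are excluded, as in the post
            state = "Disabled" if "shutdown" in lines else "Enabled"
            if "switchport mode access" in lines:
                counts["Total Access Ports"] += 1
                if any(l.startswith("dot1x port-control") for l in lines):
                    counts[f"Dot1x {state} Port"] += 1
                elif "switchport port-security" in lines:
                    counts[f"Port Security {state} Port"] += 1
                else:
                    exceptions.append((hostname, ifname))  # access port with neither 802.1x nor port-security
            else:
                counts["Total Trunk Ports"] += 1
                if "switchport mode trunk" in lines:
                    counts[f"{state} Trunk Port"] += 1
                else:
                    exceptions.append((hostname, ifname))  # non-access port that is not an explicit trunk
    return counts, exceptions


if __name__ == "__main__":
    counts, exceptions = report(SAMPLE_CONFIGS)   # or report(load_configs("/path/to/cfgs"))
    for name, value in sorted(counts.items()):
        print(f"{name}: {value}")
    for hostname, ifname in exceptions:
        print(f"EXCEPTION {hostname} {ifname}")
```

The exception list is the actionable part of the weekly report: on the sample data it flags SW1 GigabitEthernet0/4, an enabled access port with neither 802.1x nor port-security, which is exactly the kind of port the project is meant to close. Note that, like the post's tree, anything that is not `switchport mode access` falls into the trunk branch, so a routed port on a layer-3 switch will land in the exception list rather than being counted as a trunk.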