Upgrading is never fun :-P Once I get back from vacation, I'm hitting the lab with a few firmware versions to test out. I was trying to stay away from 7.2 due to stability problems I've had with it in the past, but I might not have a choice anymore.. Thanks for the tips. I'll follow up on this thread after I can get some testing done. -Joshua ... View more

Thanks for the response, Patrick. However, the problem isn't that I need the ASA to respond to the RST-ACK (or generate one!), I just need it to forward it on to the requestor (a user on the inside network), instead of silently dropping it. The ASA is dropping the RST-ACK (generated from a remote network), and so the initiator (inside user) ends up having to wait for the TCP connection to time out, instead of breaking the connection immediately. Bug CSCsg00748 appears to be related to this issue, but it's only a functionality request to allow the "tcp-options window-scale clear" filter to work on non-SYN packets.. -Joshua ... View more

Thanks for the Tip, Jason. Unfortunately, I have too much traffic going through this device to pin-point the problem for sure. One of the counters that is incrimenting pretty close to when I do a 'clear asp drop' is for 'Bad TCP SACK ALLOW option'. SACK appears to be enabled on all traffic from the particular host I'm having the majority of issues with, so I'm not sure if this is the cause, or just other traffic on the wire. Thanks, -Joshua ... View more

I'm running into this same problem of 'Outside NAT' breaking the 'Inside NAT'. 305011: Built dynamic UDP translation from inside:192.168.1.2/3738 to outside:10.61.147.123/1084 305005: No translation group found for udp src inside:192.168.1.2/3738 dst outside:10.61.147.109/53 305011: Built dynamic UDP translation from inside:192.168.1.2/3739 to outside:10.61.147.123/1085 305005: No translation group found for udp src inside:192.168.1.2/3739 dst outside:10.61.147.108/53 305011: Built dynamic UDP translation from inside:192.168.1.2/3740 to outside:10.61.147.123/1086 305005: No translation group found for udp src inside:192.168.1.2/3740 dst outside:10.61.147.108/53 I tried adding explicit hosts to my inside NAT table, but it still didn't help. All outbound traffic was blocked out. Anyone care to comment? The config I used is as follows: static (inside,outside) tcp interface 2222 192.168.1.100 22 access-list nat5 permit tcp any interface outside eq 2222 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (outside) 5 access-list nat5 outside global (inside) 5 interface global (outside) 1 interface -Joshua ... View more

Hi Stephen, No, I'm using local accounts on the server, but nothing to do with 802.1x. Google shows quite a lot of hits concerning FreeRadius and 802.1x authentication. Two of the most likely candidates listed below: http://www.tldp.org/HOWTO/html_single/8021X-HOWTO/ http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html -Joshua ... View more

Hi Stephen, Yes, I'm using the Linux version. It was a straight forward configuration. The only change was that I had to configure it to use the old radius and radaccounting ports (1645/1646 respectively) by editing the /etc/raddb/radiusd.conf file (search for "port ="). The port to use depends on which RFC Cisco is following for that device. The newer RFC's define the port as 1812, and I believe FreeRadius defaults to this port as well. If you're unsure, start up tcpdump and watch for the requests. After you have your ports setup properly, it's just a matter of editing your /etc/raddb/clients.conf file to set it up properly with the right secret. Also, set your nastype to cisco. Cheers, -Joshua ... View more

If you use radius as an xauth for your remote vpn users, you can configure your radius server to send an ACL name to the PIX, which can be applied as additional filtering. As an example, I have a few different VPN groups setup to define general access restrictions (users/admins/etc), as well as downloadable ACL's which get applied to each remote users VPN connection to further restrict areas based on the particular user (or group). On my radius server (FreeRADIUS), this is configured with the variable Filter-Id, which references the name of an ACL on the PIX to apply to the remote user. This document may be useful if you end up adding this extra level of filtering: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html Cheers, -Joshua ... View more

Thanks for the reply, but you missed the question. This isn't about switch redundancy. I'm looking for PATH redundancy (ie: Internet links) for VPN connections.. ... View more

I'm running into the same types of problems. I upgraded two 525's to 7.1(2) over the weekend from 6.3(5), and had to back down to 7.0(4) instead due to constant crashing and failovers. Prior to the upgrade, I was sitting around 50% CPU usage during the day, handling 12 Mb of ICA traffic over 3DES/AES VPNs. Post "upgrade", they're running between the 75 and 80% range. -Joshua ... View more

I'm having the same problem on a pair of 525's. I upgraded them over the weekend to 7.0(4) and the same PIX-3-210005 error messages are logged on my failover. Checking my debug, these only occur with NTP and SNMP packets. The NTP data is originating from my remote PIX's over a VPN to the 525's and reaching an Internal NTP server. The SNMP data is originating from internal hosts sent over the VPN to the remote PIX's. Failed to create rev flow (dropped) np/port/id/0/-1: xx.xx.xx.226/123 - np/port/id/1/-1: 172.16.11.1/123 %PIX-3-210005: LU allocate connection failed Failed to create flow (dropped) for np/port/id/1/-1: 172.16.11.59/36307 - np/port/id/0/-1: yy.yy.yy.205/161 %PIX-3-210005: LU allocate connection failed ... View more

I was assuming something related to the controller as well, but I can't find anything in the switch to say that it's been faulty. A show tech didn't give me any clues either. Is there anyway to force the switch to re-test a group of ports, other than during initial bootup? ... View more

It turns out it was 8 ports, 25 to 32. Each port had a server connected to it, forced to 100mb/full duplex. A mix of HP ProLiants and Dell PowerEdge servers. It can't be cables, because all ports died at exactly the same time. I haven't been able to reboot the switch yet to see if the ports come back up. The switch still shows the ports as fine, but no devices can transmit data on them. I've tried changing the speed and duplex and disabling/enabling various features on the ports, all to no avail. This looks related to bug ID CSCdy72718, but it's supposed to be fixed in the version I'm running on this switch. ... View more

Hi. SSH will work on your switch after you have configured your system's crypto key (crypto key generate rsa) and set the transport method on your vty lines (the default is both telnet and ssh). Also make sure that you have given yourself access to use the ssh service if you have an ACL applied to the VTY's. An example VTY config allowing ssh, telnet and local authentication from 10.0.0.2 is shown below: access-list 105 permit tcp host 10.0.0.2 any range 22 telnet log line vty 0 4 access-class 105 in exec-timeout 9 0 privilege level 0 login local ... View more