• RELEVANCY SCORE 3.99

    DB:3.99:Vpn3000 Upgrade Question xx





    I am going to upgrade the IOS on the VPN3005 Concentrator. It has 32MB of Flash. I need to know how to check the amount of memory currently being used by the current image. We are running:

    vpn3005-4.1.2.Rel-k9.bin

    I wanted to know also, what would be a good replacement image for this.

    DB:3.99:Vpn3000 Upgrade Question xx


    You can view it from the Monitoring | System Status option. This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, memory, and network interfaces.

    One of the screen elements:

    RAM Size - The total amount of SDRAM memory installed in the VPN Concentrator. Memory Status is a link to a table that displays information about memory use on the VPN Concentrator; it includes information about block size, with data about used and free blocks, bytes, and percentages.

    Refer to the URL below for more info:

    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/sysstat.html

  • RELEVANCY SCORE 3.93

    DB:3.93:Vpn3000 Webvpn Question For Config Lotus Notes Client And Inotes 1s





    Does anyone know how to configure VPN3000 concentrator WebVPN to use Lotus Notes Client and iNotes? Thanks.

    DB:3.93:Vpn3000 Webvpn Question For Config Lotus Notes Client And Inotes 1s


    You need to enable the port forwarding feature:

    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/usermgt.htm#wp2015733

  • RELEVANCY SCORE 3.65

    DB:3.65:Problems Vpn Concentrator 3k Iphone V 4 kp




    I am trying to connect an iPhone with OS v4 to a VPN 3000 concentrator; the tunnel is apparently established, but it does not pass information. The question is whether the iPhone v4 client is supported by the VPN3000.

    DB:3.65:Problems Vpn Concentrator 3k Iphone V 4 kp


    Jorsalas,

    Thanks for the information, the document specifically describes the compatibilities between CISCO VPN with the IPHONE.

    Best Regards

  • RELEVANCY SCORE 3.49

    DB:3.49:Can A Vpn3002 Tunnel Multiple Networks? 83



    (Apologies if this question has appeared twice)

    Can a remote-site VPN3002 tunnel more than one network back to a central VPN3000 concentrator? i.e. remote site networks in addition to that defined by the VPN3002 private interface IP address/subnet mask...

    DB:3.49:Can A Vpn3002 Tunnel Multiple Networks? 83


    Not in NEM mode.

    You can get around it by NAT'ing all other networks on the router behind the 3002 so that they appear to be from the one directly-connected network.

  • RELEVANCY SCORE 3.49

    DB:3.49:Pix 501 Tunnel To Vpn3000 m1



    I am trying to configure a PIX 501 as a VPN client to connect to a VPN3000 concentrator, using a Microsoft CA server. I have achieved this without any problems using the VPN3002 hardware client, but I can't get the PIX to authenticate and get the certificate from the CA. Has anyone encountered and resolved the same problem? Any help is appreciated.

    regards

    DB:3.49:Pix 501 Tunnel To Vpn3000 m1


    Can you get it to work without using certs, i.e. with a pre-shared key? Knowing that could help eliminate other possible causes.

  • RELEVANCY SCORE 3.25

    DB:3.25:License Upgrade Question 7x


  • RELEVANCY SCORE 3.08

    DB:3.08:Vpn Client For Mac On Vpn3000 d9



    I am in need of a VPN client for the MAC. We have a VPN3000 Concentrator. I have tried Tunnel Builder from NTS but it does not work with our VPN. Any information would be appreciated. E-mail at cmekyle@hotmail.com. Thanks.

    C Hendricks

    CCNA

  • RELEVANCY SCORE 3.04

    DB:3.04:Write A Static Arp On Vpn3000 pf



    Does anyone know how to write a static ARP on the VPN3000? I couldn't find any menu in the VPN3000's WebUI to set a static ARP.

    I would appreciate any reply.

    DB:3.04:Write A Static Arp On Vpn3000 pf


    Hi,

    There is no way to set static ARP in the VPN 3000 interface in the current version. It always uses dynamic ARP to learn the ARP entry.

    Best Regards,

  • RELEVANCY SCORE 3.01

    DB:3.01:Vpn3000 And Passwords fa



    We are using the VPN3000 to access resources that are part of active directory. Use NT authentication for users. Is there a way to logon and change passwords through the VPN client?

    DB:3.01:Vpn3000 And Passwords fa


    Thanks for the info. Could you tell me what you mean by b/w vpn3k and NT/W2k server? Are you saying this can be accomplished with ACS/Secure server?

  • RELEVANCY SCORE 3.01

    DB:3.01:Running Config Of The Vpn3000 cj



    Dear All,

    In the IOS router, there are two configs which are the "startup config" and the "running config".

    For the VPN3000, we can download the "startup config" from the CONFIG file on the flash.

    Does anyone know how to see the running config of the VPN3000?

    Best Regards

    DB:3.01:Running Config Of The Vpn3000 cj


    If the running config is different than the startup config (the "save needed" icon is present in the upper right hand corner), the currently running config is not viewable or extractable in any way.

  • RELEVANCY SCORE 2.90

    DB:2.90:Why Cisco Vpn3000 Or Vpn5000 Is Unavailable In China? a3



    Does anyone know?

  • RELEVANCY SCORE 2.89

    DB:2.89:Planning A Vpn 3000 Upgrade...Advice? xx



    Hello all,

    I am planning on upgrading 2 different VPN3000's to the most current stable code. One of them is running 4.7 and the other is running 4.1.7H. I am thinking of running 4.7.2L. Does anyone have any recommendations or caveats I might run into? Also, would one of these upgrades cause the device to go into ROMMON mode like a router with IOS?

    Thanks all,

    Chris Serafin

    Security Engineer

    chris@chrisserafin.com

    DB:2.89:Planning A Vpn 3000 Upgrade...Advice? xx


    I think 4.7.2L will be stable. The VPN concentrator has ROMMON mode and will automatically boot into it if it does not find any valid software image.

  • RELEVANCY SCORE 2.89

    DB:2.89:Vpn3000 Webvpn Config Windows Terminal Service aa



    Does anyone know how to configure VPN3000 concentrator WebVPN to use Windows Terminal Service? Thanks.

    DB:2.89:Vpn3000 Webvpn Config Windows Terminal Service aa


    Did it just today

    (keep in mind the windows client will need Sun's Java Runtime Engine JRE 1.4.1 or newer, the Microsoft java virtual machine won't work)

    In the Concentrator's admin page under "port forwarding" enter the mapping 127.0.0.1:2000 to Terminal Server's IP address:3389 (you can choose any available port on the client machine in lieu of port 2000).

    When the client accesses the WebVPN home page and clicks the "applications" (or whatever it's called) link, they'll be presented with a Java applet that displays the mapping information that you entered.

    Note that this is merely informational; there's nothing for them to click on in this applet window.

    The client then needs to bring up the RDP client program and enter 127.0.0.1:2000 as the Terminal Server's IP and alternate port number.

    The Java applet port forwards this to the server's actual IP and port 3389. Behind the scenes, the host file on the client is being manipulated.

    OK, I've done my good deed for the day, now could somebody please explain to me how to do port forwarding for the full Outlook client.

  • RELEVANCY SCORE 2.87

    DB:2.87:Vpn3000 Synchronize Backup With Master In Vrrp a7



    Does somebody know a management product for VPN3000 that can automatically synchronize configuration of the backup device with the master in VRRP environment ?

    DB:2.87:Vpn3000 Synchronize Backup With Master In Vrrp a7


    Cisco’s Policy Manager software is supposed to be supporting the Concentrator line soon. I know of nothing available 3rd party.

  • RELEVANCY SCORE 2.86

    DB:2.86:Vpn3000 And Crlnumber x9



    When the VPN3000 (or an MC3810 router) tries to get a CRL, it fails when CRLNumber is greater than 65535 (0xFFFF). The RFC permits 20 bytes for this field but Cisco only supports 2 bytes; when a CRLNumber is greater than 2 bytes, Cisco displays an error like "Failed to set ber encoded rules" or "CAPI - RSA PKCS1 payload to be decrypted is not in PKCS1 format".

    Does Cisco have a fix for this problem?
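
    A way to check a CA's CRLs against the limit described in the post above, as an added example that is not part of the original post and is not Cisco code. It walks DER bytes to the cRLNumber extension (OID 2.5.29.20) and compares the value with 65535; the helper names and the sample bytes are constructed for illustration.

```python
# Added example: locate the cRLNumber extension in DER bytes and compare it with
# the 2-byte limit (65535) and the 20-byte bound mentioned in the post.
CRL_NUMBER_OID = bytes.fromhex("551d14")  # content octets of OID 2.5.29.20
DEVICE_MAX = 0xFFFF                       # limit reported in the post
RFC_MAX_OCTETS = 20                       # bound the post cites from the RFC


def read_tlv(buf, pos, end):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not handled in this example")
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n octets hold the length
        n = first & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length


def crl_number_octets(buf, start, end):
    """If [start, end) is the body of a cRLNumber Extension, return the INTEGER octets."""
    if start >= end:
        return None
    tag, cs, ce = read_tlv(buf, start, end)
    if tag != 0x06 or buf[cs:ce] != CRL_NUMBER_OID:
        return None
    tag, cs, ce = read_tlv(buf, ce, end)
    if tag == 0x01:                       # optional 'critical' BOOLEAN
        tag, cs, ce = read_tlv(buf, ce, end)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    tag, cs, ce = read_tlv(buf, cs, ce)
    if tag != 0x02:
        raise ValueError("cRLNumber is not an INTEGER")
    return buf[cs:ce]


def find_crl_number(buf, start=0, end=None):
    """Depth-first walk over constructed DER values; return INTEGER octets or None."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos, end)
        if tag == 0x30:                   # SEQUENCE: could be an Extension
            octets = crl_number_octets(buf, cs, ce)
            if octets is not None:
                return octets
        if tag & 0x20:                    # constructed: descend
            octets = find_crl_number(buf, cs, ce)
            if octets is not None:
                return octets
        pos = ce
    return None


def check_crl_number(der_bytes):
    octets = find_crl_number(der_bytes)
    if octets is None:
        return None
    value = int.from_bytes(octets, "big", signed=True)
    return {
        "crl_number": value,
        # DER INTEGERs are signed, so 32768..65535 already take 3 content octets;
        # compare the value, not the octet count, against the 2-byte limit.
        "der_octets": len(octets),
        "within_rfc_limit": value >= 0 and len(octets) <= RFC_MAX_OCTETS,
        "fits_device_limit": 0 <= value <= DEVICE_MAX,
    }


def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample input."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def sample_extensions(crl_number):
    """Constructed input: only the crlExtensions [0] field, not a full signed CRL."""
    integer = der(0x02, crl_number.to_bytes(crl_number.bit_length() // 8 + 1, "big"))
    ext = der(0x30, der(0x06, CRL_NUMBER_OID) + der(0x04, integer))
    return der(0xA0, der(0x30, ext))


if __name__ == "__main__":
    for n in (65535, 65536):
        print(n, check_crl_number(sample_extensions(n)))
```

    The same walker accepts a complete DER-encoded CRL read from disk, since the extension sits inside nested constructed values.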


  • RELEVANCY SCORE 2.86

    DB:2.86:Vpn3000 To Pda ,Authentication Using Movian Client And Rsa Tokens. 9z



    I have tried without any success to get a PDA running pocket PC to authenticate with a VPN3000 using an RSA token. I believe this has worked in the past, but now with VPN3000 sw ver 4, movian ver 3 and RSA ACE ver 5, the authentication fails between the VPN3000 and the ACE server. Movian clients with no RSA authentication work. VPN3000 clients with RSA tokens work, but Movian clients with RSA tokens fail, and the VPN3000 does not pass the authentication to the ACE server. Anyone tried this?

    DB:2.86:Vpn3000 To Pda ,Authentication Using Movian Client And Rsa Tokens. 9z


    Check the parameters of your IPSec SA for the group you are trying to attach to, as well as the IKE Proposal that is tied to that.

  • RELEVANCY SCORE 2.86

    DB:2.86:Migrating Vpn3000 Configuration To Asa jz



    Hi,

    Does anybody know where I can find a tool to migrate from VPN3000 to ASA?

    I appreciate any information.

    Best regards,

    DT.

    DB:2.86:Migrating Vpn3000 Configuration To Asa jz


    DT,

    I hope the below response helps.

    http://forum.cisco.com/eforum/servlet/NetProf?page=netprofforum=Virtual%20Private%20Networkstopic=SecuritytopicID=.ee6b2b8CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

    And here is the URL:

    http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html

    Regards,

    Arul

  • RELEVANCY SCORE 2.83

    DB:2.83:Ssl Vpn Client(Svc) Is Unable To Establish A Connection 31



    Now that my previous question is answered, I have a new one:

    When SVC is loaded and, according to the log on the VPN3000, everything is OK, I get the message: The SSL VPN client is unable to establish a connection. I tried with Win XP SP1 and SP2 machines and in both cases got the same message.

    Any ideas ?

    Best regards,

    Marko

    DB:2.83:Ssl Vpn Client(Svc) Is Unable To Establish A Connection 31


    Did you ever get this solved? I keep getting "SSL VPN Client(SVC) is unable to establish a connection". I am using Thawte as my CA and I noticed that my certificate cache on my concentrator never has anything cached. I am running SSL Client 1.0.0 but I did not see any updates on this in the release notes for 1.0.1 or 1.0.2.

    If I uncheck "Check for publisher's certificate revocation" in IE-Options then the problem goes away. This is not acceptable because we have people in Corp. setting that cannot uncheck that setting. Your help would be greatly appreciated.

  • RELEVANCY SCORE 2.83

    DB:2.83:Rules And Filters From Vpn3000 To Asa5500 zz



    Hi,

    I am in the process of transitioning from VPN3000 to ASA5500 for remote access. I am having trouble configuring the same rules and filters that I have in the VPN3000 on the ASA5500.

    Does anyone have a link to a good document that would explain it better? Any other kind of help would be good too.

    Thanks,

    Jayesh


  • RELEVANCY SCORE 2.83

    DB:2.83:Vpn3000 Concentrator (Altiga) Password Recovery pp



    Hey All,

    I have a VPN3000 (altiga) with a software version 2.2 and can't figure out a password recovery procedure for this unit. I have looked in the Archives as well as scoured the Cisco site and numerous newsgroups. Any help would be appreciated before I have to break down and open a TAC on this guy.

    Thanks,

    Rob H.

    DB:2.83:Vpn3000 Concentrator (Altiga) Password Recovery pp


    For pre-2.5 concentrators, try this:

    It requires that you corrupt the NVRAM checksum, thereby causing the NVRAM to be re-initialized. It also requires being physically connected to the console or via modem.

    At the console type " p". This brings you to the pROBE+ prompt.

    Type "nv 1". This command generates the NVRAM information, which looks something like this:

    NVRAM Section Information

    NAME    SIZE      ADDRESS   XSUMMED
    CHKSUM  00000418  c0000000  Y
    PSOS    00000100  c0000418  Y
    BOOT    00000200  c0000518  Y
    SYSTEM  00000100  c0000718  Y
    DIAG    00001000  c0000818  Y
    CFG     00000200  c0001818  Y
    EVENT   00040030  c0001a18  N
    PROBE   00000800  c0041a48  Y

    Determine the address of the CHKSUM section (in this case c0000000).

    Type "pm address data" where address is the address of the CHKSUM section and data is any non-zero value. In this example, you would type "pm c0000000 5".

    Type "prb". This causes the VPN Concentrator to reboot.

    Rebooting the VPN Concentrator resets the administrator password to the factory default.

  • RELEVANCY SCORE 2.83

    DB:2.83:Another Upgrade Question md


  • RELEVANCY SCORE 2.83

    DB:2.83:After Software-Upgrade I Get Many Pacets With Esp Probs. mm



    Hello Folks,

    I have upgraded one of our VPN3000s with version 4.7.2.I. Now, on a normal workday in Germany, I get many of these messages:

    60697 08/21/2006 16:31:17.860 SEV=6 IPSEC/43 RPT=41719 134.81.x.x

    IPSEC could not transmit ESP packet: no UDP port, SA=0674f578

    the clientversion is WinNT

    4.6.00.0049

    What can I do to stop these messages?

    Your help is greatly appreciated.

    regards

    Klaus

    DB:2.83:After Software-Upgrade I Get Many Pacets With Esp Probs. mm


    Hi Didyap,

    No, I see these messages in the event log file; there are no debug commands enabled on the 3000.

    I have changed the software back to the previous version and the messages disappeared.

    But thank you for your help.

    regards

    Klaus

  • RELEVANCY SCORE 2.83

    DB:2.83:Vpn3000 Config Sync In Cluster fc



    Hi,

    What's the best practice to sync the configs in a VPN3000 cluster?

    thanks

    Ronny

    DB:2.83:Vpn3000 Config Sync In Cluster fc


    Hi,

    This doesn't answer my question.

    I want a solution to synchronise the configs of my Concentrators without configuring each menu separately.

    ciao

    Ronny

  • RELEVANCY SCORE 2.83

    DB:2.83:Vpn3000`S Radius Accounting mk



    Dear all,

    Does anyone know if the following scenario is possible on VPN3000?

    1. External authentication to ACE/Server (native protocol, port 5500)

    2. External accounting to a RADIUS server.

    The ACE/Server and RADIUS are on two separate servers. Does the VPN3000 still send an accounting record if the authentication is done on an ACE/Server?

    I would appreciate any help.

    Best Regards,

    DB:2.83:Vpn3000`S Radius Accounting mk


    The VPN 3000 would authenticate natively to both ACE server (udp/5500) and radius server. You would only get radius accounting records if the authentication is done thru radius. If you want accounting records with the ACE server, you could set up the authentication on the VPN 3000 to be radius and configure the radius server as an ACE comms client. The user or password database of the Radius server could then be pointed to the ACE server (as an external database). It would not then matter if your Radius and ACE server are on the same servers or not.

  • RELEVANCY SCORE 2.83

    DB:2.83:Vpn3000 Concentrator Logging Client Versions 7a



    Just rolled out a client upgrade. Is there a way for the vpn 3000 concentrator to log the versions of the clients that are logging in so I can make sure everyone is upgraded?

    DB:2.83:Vpn3000 Concentrator Logging Client Versions 7a


    Hello,

    IKEDBG with a severity of 1-9 should tell you the client type and the version they are logging in as.

    Client Type: WinNT

    Client Application Version: 5.0.04.0300

    Also, you can look at "Administration| Administer Sessions" which will give you the client version also.

    Let me know if this is what you are looking for.

    Thanks

    Gilbert
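
    One way to turn an exported event log into a client-version inventory after a rollout, as an added example that is not part of the original reply and is not Cisco code. The header layout and the "Client Type" / "Client Application Version" fields follow the lines quoted on this page; the sample log, its event numbers and its addresses are constructed, and the function names are illustrative.

```python
# Added example: inventory VPN client versions from an exported concentrator event log.
import re

# Header layout as seen in the log lines quoted on this page:
#   <seq> <MM/DD/YYYY> <time> SEV=<n> <CLASS>/<num> RPT=<n> <peer>
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z0-9]+)/(?P<num>\d+) RPT=(?P<rpt>\d+)"
    r"(?: (?P<peer>\S+))?$"
)
CLIENT_TYPE = re.compile(r"Client Type:\s*(\S+)")
CLIENT_VERSION = re.compile(r"Client Application Version:\s*(\S+)")

# Constructed sample: event numbers and addresses are placeholders, not real data.
SAMPLE_LOG = """\
101 03/01/2006 09:00:01.100 SEV=9 IKEDBG/0 RPT=1 192.0.2.10
Client Type: WinNT
Client Application Version: 5.0.04.0300

102 03/01/2006 09:02:13.250 SEV=9 IKEDBG/0 RPT=2 192.0.2.11
Client Type: WinNT
Client Application Version: 4.6.00.0049

103 03/01/2006 09:05:40.000 SEV=4 PPTP/33 RPT=3 192.0.2.12
PPTP tunnel for peer 192.0.2.12 denied - already established
"""


def parse_events(text):
    """Group each header line with the message lines that follow it."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = dict(match.groupdict(), body=[])
            events.append(current)
        elif current is not None:
            current["body"].append(line)
    return events


def version_key(version):
    """'5.0.04.0300' -> (5, 0, 4, 300), so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def client_inventory(text):
    """Map peer address -> (client type, version) from the latest matching event.

    Peers behind one NAT address share a key; join on the session's username
    as well if your export carries it.
    """
    inventory = {}
    for event in parse_events(text):
        body = " ".join(event["body"])
        ctype, version = CLIENT_TYPE.search(body), CLIENT_VERSION.search(body)
        if version and event["peer"]:
            inventory[event["peer"]] = (
                ctype.group(1) if ctype else "unknown",
                version.group(1),
            )
    return inventory


def outdated_peers(inventory, minimum):
    """Peers whose reported client version is below the required minimum."""
    floor = version_key(minimum)
    return sorted(p for p, (_, v) in inventory.items() if version_key(v) < floor)


if __name__ == "__main__":
    inv = client_inventory(SAMPLE_LOG)
    for peer, (ctype, version) in sorted(inv.items()):
        print(peer, ctype, version)
    print("needs upgrade:", outdated_peers(inv, "5.0.04.0300"))
```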

  • RELEVANCY SCORE 2.83

    DB:2.83:Update Concentrator Image p7



    We are running a cisco 3030 vpn concentrator with 512mb.

    The current image is vpn3000-4.7.Rel-k9.bin; however, I am trying to upgrade it to the latest image, vpn3000-4.7.2.M-k9.bin.

    Every time I attempt to upload it, it fails at around 97%. Any ideas why?

    I am trying to update it so I can use the SSL VPN client, which I gather only works with 4.7.2.

    DB:2.83:Update Concentrator Image p7


    Andrew

    My first reaction was that it sounded like there might not be enough room for the new image. But as I look at the concentrator I do not find any thing that describes the amount of memory for storing the image or any way to manage that space. I had thought of checking the File Management screen to see if there were some files taking up space that were not needed. But I am not sure if that would really help or not.

    I am also wondering if there might be some problem in the image that you downloaded. Perhaps you could load the image from the Cisco site again and see if that makes any difference?

    HTH

    Rick

  • RELEVANCY SCORE 2.81

    DB:2.81:Vpn3000 Using Cisco Acs 2.4 dm



    Does anyone know if the 3000's work with an ACS 2.4 server?

    DB:2.81:Vpn3000 Using Cisco Acs 2.4 dm


    Thanks, I should be trying it around the same time.

  • RELEVANCY SCORE 2.81

    DB:2.81:Split Tunneling Not Working Pix? kx



    No clue why split-tunneling isn't working on this PIX. It appears to be tunneling all traffic. Maybe someone will see something I missed...

    Running PIX 6.3(3)

    crypto ipsec transform-set myset esp-3des esp-md5-hmac

    crypto dynamic-map dynmap 10 set transform-set myset

    crypto map mymap 10 ipsec-isakmp dynamic dynmap

    crypto map mymap interface outside

    isakmp enable outside

    isakmp identity address

    isakmp nat-traversal 20

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption des

    isakmp policy 10 hash md5

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    vpngroup vpn3000-all address-pool vpnpool

    vpngroup vpn3000-all dns-server 10.30.30.100

    vpngroup vpn3000-all wins-server 10.30.30.100

    vpngroup vpn3000-all default-domain crm

    vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS

    vpngroup vpn3000-all idle-time 1800

    vpngroup vpn3000-all password ********

    access-list TUNNELED_NETWORKS permit 10.30.30.0 255.255.255.0

    DB:2.81:Split Tunneling Not Working Pix? kx


    Hi Tyler,

    In case the issue still exists, post the full config from the PIX where the remote users are terminating.

    Also, my understanding here is that you have the PIX configured to accept the remote access VPN connections, and when users connect successfully they can access the Internet using their local internet service but are unable to reach your internal servers.

    Thanks

    MS

  • RELEVANCY SCORE 2.81

    DB:2.81:Problem With Net-Snmp Vpn3000 ac



    Hello,

    I want to monitor our VPN3000 concentrators via MRTG, but I didn't succeed. So first I tried to execute "snmpget" with an explicit OID and I received the error:

    Error in packet

    Reason: commitFailed

    I use net-snmp ver 5.08 on FreeBSD. By the way, "snmpget" returns correct answers for all our other Cisco devices!

    Are there any specific particularities with the VPN3000?

    Thanks!

    DB:2.81:Problem With Net-Snmp Vpn3000 ac


    It could be the SNMP version. Try specifying -v 1 or -v 2c and see if that helps.

  • RELEVANCY SCORE 2.81

    DB:2.81:Ask The Expert-Implementing Webvpns On Vpn3000 Concentrator kf



    Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss implementation of Web VPNs on Cisco VPN3000 Concentrator with Cisco expert Afaq Khan. Afaq Khan is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems Inc. He specializes on VPN involving VPN3000, IOS, PIX FW and third party products. Afaq has represented Cisco in many virtual Security/VPN seminars. He is a CCIE (#9070) in Routing Switching, Security and is Cisco SAFE certified. Remember to use the rating system to let Afaq know if you have received an adequate response.

    Afaq might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 26. Visit this forum often to view responses to your questions and the questions of other community members.

    DB:2.81:Ask The Expert-Implementing Webvpns On Vpn3000 Concentrator kf


    HI,

    here are they:

    http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html

    http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1fb6.html

    let us know, if you're looking for anything specific.

    Thanks

    Afaq, CSE

  • RELEVANCY SCORE 2.81

    DB:2.81:Vpn3000 Group Password On Acs ? xx



    Hi

    Is it possible to create an external group on the VPN3000, but with the password for the group stored and managed on the ACS, like for users?

    DB:2.81:Vpn3000 Group Password On Acs ? xx


    Thanks,

    But what I mean is that the group password at the VPN3000 and the password for the user at the ACS have to be the same, but is it possible to manage the password only on the ACS?

    What I think is that in this case ACS has to send the password, which is also used as the tunnel preshared secret, over the network, which RADIUS is not used to doing.

    Or is there a solution to manage the VPN group password without touching the VPN?

  • RELEVANCY SCORE 2.81

    DB:2.81:Lan2lan Vpn On Soho97 Vpn3000 Or Pix500 x3



    Hi all,

    We have a situation:

    1. We have DSL lines in branch offices.

    2. We have SOHO97 DSL Routers.

    3. In Central Office we have PIX 525 (with VPN Acceleration card) and VPN3000 for remote access.

    4. We need to establish LAN-to-LAN VPN tunnel to remote locations.

    I have found several examples on Cisco website, but I have not found "right" answer.

    1. I have an example of how to build a VPN tunnel. But in the example they use route-map to separate VPN and non-VPN traffic (i.e. Corp Traffic and Internet Traffic). This command is completely missing in SOHO97.

    2. I can build GRE tunnel on SOHO97, but in examples they have GRE tunnel to VPN5000 only (and nothing for VPN3000 and PIX).

    So, final question: How to marry them?

    Thanks.

    DB:2.81:Lan2lan Vpn On Soho97 Vpn3000 Or Pix500 x3


    To separate traffic that you want to send across unencrypted from traffic you want to encrypt, you can use split tunneling, which is nothing but defining the traffic you want tunneled across using access lists. To configure split tunneling for your client-concentrator tunnel, create a network list to include all the networks you want the client to access over the VPN tunnel. This can be done (on the concentrator) by going to Configuration | Policy Management | Traffic Management | Network Lists and clicking on Add. After defining the list, go to Configuration | User Management | Groups and select the group the VPN clients are connecting to. Under the split tunneling configuration option, select the network list you just created. When the client connects to the concentrator it will encrypt traffic only for the network specified. For all other traffic, the client will use the ISP connection.

    With reference to your second question, I don't think that you can have a GRE tunnel to your concentrator just as you can't have a GRE tunnel to your PIX (... do cross check this though!!). The way I do the same is to configure the GRE tunnel between the remote router and an internal router over the VPN, behind the concentrator. Configuration is simple and similar to the configuration that you will put in place with no VPN setup. All that you need to make sure of is that the GRE tunnel traffic is classified as interesting.

  • RELEVANCY SCORE 2.81

    DB:2.81:Does Cisco Secure Client Able To Connect To Vpn3000? k7



    As my title said, I have a Netscreen VPN client, which is basically the same as the Cisco Secure client, and I would like to create a tunnel to a VPN3000. Is that possible? Has anyone tried that before?

    Any suggestion would be appreciated.

    Simon

    DB:2.81:Does Cisco Secure Client Able To Connect To Vpn3000? k7


    No, this won't work, you need the Cisco VPN Client (different to the CiscoSecure VPN Client) to connect to a VPN3000.

  • RELEVANCY SCORE 2.77

    DB:2.77:Verisign Cert On Vpn3000 sm



    Has anyone successfully installed VeriSign Certificate on Cisco VPN 3000?

    Please help

    Thanks a lot!

    DB:2.77:Verisign Cert On Vpn3000 sm


    That is just for installing the Root VeriSign CA. To install and apply verified SSL cert to the interfaces, you need to downgrade to version 4.0.5.B. Install the ssl cert, then upgrade back to whatever version you want to use. It took me a week to figure out with so many times on the phone with Cisco and VeriSign tech support.

    Hope this information will help those people who are running into this problem. Thanks Pengke11 for your post.

  • RELEVANCY SCORE 2.76

    DB:2.76:Pptp Denied - Already Established ? cj



    This may be stupid question. I have multiple users behind soho cable connection and linksys router. When they try to establish multiple PPTP connections I get this error message on the 3015 Concentrator. software vpn3000-4.1.4.Rel-k9.bin. Windows XP clients.

    Is it because they are coming from the same IP address?

    10644 02/23/2005 14:12:43.810 SEV=4 PPTP/33 RPT=158 x.x.x.x

    PPTP tunnel for peer x.x.x.x denied - already established

    DB:2.76:Pptp Denied - Already Established ? cj


    You probably need to update the Linksys router's firmware. Older versions didn't support multiple-ipsec and multiple-pptp pass-through. I think the problem was that the Linksys router maintained one map of source/destination for ipsec or pptp session, that is good for one vpn session at a time. In this case, if a second user tries to connect, the Linksys will re-use the existing source/destination/ports and the connection fails.

    Check the release notes for Linksys BEFSR41 router here:

    http://www.linksys.com/download/vertxt/befsr-v1462_ver.txt

    It seems this has been fixed as of version 1.45.6

    HTH

    Mustafa

  • RELEVANCY SCORE 2.76

    DB:2.76:Anyconnect And Vpn3000 fd



    Hello,

    Is AnyConnect envisaged on the VPN3000, or should I replace my VPN3030 with another product?

    Thanks

    DB:2.76:Anyconnect And Vpn3000 fd


    OK, if Cisco decides to stop the development on VPN3000, I will change my concentrator for one from a company other than Cisco. I didn't buy an ASA.

    Thanks

  • RELEVANCY SCORE 2.76

    DB:2.76:Using Tacacs+ For Accounting On Vpn 3000 Concentrator x3



    Quick question for someone.

    Is there anyway I can configure my VPN3000 to use a TACACS+ accounting device? In the documentation all I see is that it supports only RADIUS.

    Thanks,

    Kevin

    DB:2.76:Using Tacacs+ For Accounting On Vpn 3000 Concentrator x3


    Hey...thanks for replying.

    That post deals with using TACACS+ for authentication whereas I'm looking to use it for accounting purposes only.

    Basically I'm looking to have authentication occur using the NT Domain but have a central location for who logged in when, for how long, etc. I already have a service using TACACS+ so I hoped I'd be able to use that...

    Thanks though...

  • RELEVANCY SCORE 2.76

    DB:2.76:Vpn Tunnel Can Be Only Initiated From Router To Vpn3000 Concentrator ? d9



    1760+wic-adsl and vpn 3000 concentrator

    The config is taken from: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

    IOS: c1700-k9o3sy7-mz.123-1a

    VPN3000 software version: 3.6

    Another strange thing: I cannot telnet to the ADSL interface IP from the Internet.

  • RELEVANCY SCORE 2.76

    DB:2.76:Vpn3000 : Privat Public Interface In The Same Subnet 3p



    Hi,

    Is it possible to have the Private and Public interfaces in the same subnet?

    thanks

    Regards

    Damien

  • RELEVANCY SCORE 2.75

    DB:2.75:Webvpn - User Ias Passoword Expired x8



    Hi,

    I have WebVPN access through a VPN3000. My problem is that when a VPN user's password expires in our domain, he doesn't receive a notification if he gets his access through the VPN, and he doesn't know that his password is expired the next day, so the next day he can't log on to the domain again.

    Is it possible to configure any parameter in the VPN3000 for this?

    Thanks you for your help,

    Oscar


  • RELEVANCY SCORE 2.74

    DB:2.74:Authentication From Vpn3000 To Non-Hybrid Win2000 xf



    Am I right in assuming that the VPN3000 can only authenticate against NT servers or HYBRID Win2000 servers - NOT pure Active Directory (i.e. Kerberos)?

    If so, will MS IAS (Microsoft's free Radius server) allow me to authenticate indirectly against Active Directory?

    Thanks.

    DB:2.74:Authentication From Vpn3000 To Non-Hybrid Win2000 xf


    I’ve seen other users on the board asking about this and since its RADIUS it should work. If you test it, come back and let me know how it worked and what you learned.

  • RELEVANCY SCORE 2.74

    DB:2.74:Allowing Vpn3000 To X-Authenticate Nt Users Across A Pix da



    Hi Experts.

    I have the following scenario:

    NT Server

    |

    |

    (in)

    [PIX](dmz)---(in)[VPN3000](out)

    (out)

    _|______________________|__

    Internet

    (Both the Pix and the VPN3000 have the outside interface connected to the Internet).

    Well, I need to allow the VPN3000 to x-authenticate users using the NT database.

    Could someone please tell me what are the protocols/port to open on the Pix?

    Thanks

    michele

    DB:2.74:Allowing Vpn3000 To X-Authenticate Nt Users Across A Pix da


    Michele,

    Good question. Unfortunately, I have no idea. I would assume that it would be the usual MS suspects (TCP/UDP 135-139) but that is just a guess. My suggestion would be to turn syslogging to debug level and try an authentication from the 3K. Then look at the logs and see what the PIX denied. Sorry I can't be of more help.

    Scott

  • RELEVANCY SCORE 2.74

    DB:2.74:Vpn3000 kp



    Hello,

    Is the VPN3000 supported in RME 3.3 or 3.4? If not, what does the section VPN Configuration Reports / Configuration Management / VPNSecurity Management Solutions in CW2000 mean?

    Thanks

    DB:2.74:Vpn3000 kp


    For RME 3.3, refer to 'Table 2: Concentrators Supported in Essentials 3.3':

    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_3/e3_3.htm to see the list of VPN Concentrators supported.

    For RME 3.4, refer to 'Table 3: Concentrators Supported in Essentials 3.4':

    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_4/dev_sup/e3_4.htm for the same.

    As for your question on what does 'VPN Configuration Reports / Configuration Management / VPNSecurity Management Solutions in CW2000 means', refer to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_4/u_guide/ug_vpn.htm for details.

  • RELEVANCY SCORE 2.70

    DB:2.70:Which One Should Be The Default Gateway, Vpn 3000 Or Pix? 3d



    In the following doc: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_6/getting/gs1und.htm,

    the VPN Concentrator is configured in parallel with a firewall, and I don't find a router in the private segment. So which one should be the default gateway for the hosts in the private segment? The PIX couldn't do this, because it couldn't redirect (reroute) packets that are sent to a VPN client to the VPN3000 even if you add a static route in it.

    So I think we should select the VPN3000. Can the VPN3000 redirect (reroute) the packets that are sent to the Internet to the PIX? If it can, would there be two default routes in the VPN3000? Because the remote VPN clients have various public addresses, we should have a default route to the outside router (public segment); on the other side, local hosts want to go everywhere through the PIX, so the VPN3000 should have a default route to the PIX in order to reroute those packets. Two default routes is impossible; I am really puzzled.

    Of course, if there is a router in the private segment, this is not a problem; the router will reroute packets correctly.

    The key point is that the PIX couldn't redirect (reroute) packets like a router.

    Can someone help me?

    Another question:

    If there isn't a PIX, just internet----router---vpn3000---private lan, can the hosts in the private LAN visit the Internet and VPN clients (LANs) at the same time? A router can do this; can the VPN3000 work like a router in such a condition?

    DB:2.70:Which One Should Be The Default Gateway, Vpn 3000 Or Pix? 3d


    Thanks, but I think your answer is about how to set 'tunnel default gateways' in the VPN3000.

    My question is how to select the default gateway for the hosts and servers in the private segment (central office). If it is still the PIX, I don't think the hosts in the central office could visit remote hosts through the VPN3000, because the PIX couldn't reroute (redirect) the traffic even if there is a static route in the PIX. The key is that the PIX doesn't act like a router.

  • RELEVANCY SCORE 2.69

    DB:2.69:Vpn3000 Lan-To-Lan Ipsec:Wont Recognize Interesting Traffic dx



    VPN3000 at both ends. lan-to-lan ipsec tunnel configured. I'm generating traffic from my local network destined for the remote network, but no attempt to establish the tunnel is observed.

    HELP!

    DB:2.69:Vpn3000 Lan-To-Lan Ipsec:Wont Recognize Interesting Traffic dx


    Frank, when trying to bring up the tunnel please observe the real-time log and post the log information to determine in what phase the tunnel is failing.

    Rgds

    Jorge

  • RELEVANCY SCORE 2.68

    DB:2.68:Keepalive Implementation Of Vpn3000 7a



    Dear All,

    From the VPN3000 specification, it sends a keepalive message to a remote client every 5 minutes. Is it possible to change this default keepalive?

    Really appreciate any help

    Best Regards,

    Engel

    DB:2.68:Keepalive Implementation Of Vpn3000 7a


    Engel, the 5 minute keepalive interval cannot be changed.

    Just curious. What time interval would be acceptable and why?

    Nelson

  • RELEVANCY SCORE 2.66

    DB:2.66:Vpn3000 Aggressive Mode kz



    Hi,

    Following the security flaw existing in aggressive mode IPsec, is there a way to deactivate aggressive mode on the VPN3000 Concentrator? All my SAs are in main mode but it seems it still answers an aggressive handshake (verified with a tool like ike-scan).

    If it's not possible to deactivate it, can I mask the ID returned in the handshake, as it is the private IP?

    Thanks

    DB:2.66:Vpn3000 Aggressive Mode kz


    I too would like to know the best fix for this.

    According to:

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html

    "When responding to IPSec session initialization, Cisco IOS software may use Aggressive Mode even if it has not been explicitly configured to do so."

  • RELEVANCY SCORE 2.66

    DB:2.66:Vpn3000-2-Ios;Enabling Pfs On Vpn3000. Solution Found 9k



    Quick question. I'm playing with bringing an IOS box and a VPN 3000 up with on Lan-2-lan, and it appears to cause the IPSec tunnel to never be able to come completely up if I set pfs group2 on the IOS box.

    Found my answer. It's under the SAs.

    Config - Policy Mgmt - Traffic Mgmt - SAs


  • RELEVANCY SCORE 2.66

    DB:2.66:Pix Answers Dhcp Arp From Client Connected To Vpn3000 a8



    I have a PIX 515 running 6.3(3) with 3 zones and a VPN 3000 in one of the zones. Everything seems to be functioning properly except that the PIX answers DHCP ARP from a client connected to the VPN3000; this response prevents the client from retaining the address.

    DB:2.66:Pix Answers Dhcp Arp From Client Connected To Vpn3000 a8


    The PIX will proxy ARP for addresses that it has statics/globals defined in its config.

    You can stop this with the command:

    sysopt noproxyarp

    on the PIX, but monitor access to other devices after issuing this (it shouldn't cause any problems). Worst case add static routes on your devices connected to the PIX for networks on the other side of it, so that the PIX doesn't need to proxy ARP.

  • RELEVANCY SCORE 2.66

    DB:2.66:Tunnel Established But No Traffic With Vpn3000 78



    I'm able to establish a LAN-to-LAN tunnel between my VPN3000 concentrator and a partner (using a Checkpoint or Netscreen gateway) but I can't see hosts on the remote LAN.

    During a ping, I see my 'bytes Tx' counter increment but the Rx stays at 0.

    Thanks for your help.

    Morgan.

    DB:2.66:Tunnel Established But No Traffic With Vpn3000 78


    Thanks for your answer,

    I'm seeing counters on the concentrator side and don't have control of the remote end.

    My partners tell me they send traffic to my local LAN through the tunnel, but I can't see any packets coming...

  • RELEVANCY SCORE 2.66

    DB:2.66:Ciscoworks, Vpn Concentrator Fails Config Archive jj



    I am trying to add 3005 VPN concentrators to Ciscoworks.

    The devices are failing config archives with the following error:

    TELNET Protocol not supported for VPN3000
    TFTP Protocol not supported for VPN3000
    SSH Protocol not supported for VPN3000

    Do VPN3005s not allow for config archiving?

    DB:2.66:Ciscoworks, Vpn Concentrator Fails Config Archive jj


    Once again,

    You helped me solve a problem.

    It looks good now, config archive is 32 successful and 0 failed.

    Don't forget either J,

    This was a mess when I started, you have helped me get it working pretty well.

    The test will be the scheduled jobs tonight and I will see if everything works.

    I need to do some test restores from config archives to see how that works.

    But thanks again.

  • RELEVANCY SCORE 2.66

    DB:2.66:Vpn Client Vpn3000 And Linux Smp px



    Hello,

    I have a question about the VPN Client for Linux. Is there any client that works with a VPN3000 and multiprocessor?

    I found only this message:

    The VPN Client does not support SMP (multiprocessor) or 64-bit processor kernels.

    DB:2.66:Vpn Client Vpn3000 And Linux Smp px


    Hi

    Thanks for your help.

    We have tested with client version 4.8 and compiled it with a multiprocessor kernel, and now it works.

    Regards

    Klaus

  • RELEVANCY SCORE 2.65

    DB:2.65:Both Ios-Router And Vpn3000-Clients To Central Ios-Router At The Same Time 77



    Is it possible to run VPN both from an IOS-router with dynamic public address and VPN3000-clients at the same time to a central IOS-router with static public address. Does this mean that there must be double dynamic crypto maps in the central router? Anyone having a config for that?

    /Peter

    DB:2.65:Both Ios-Router And Vpn3000-Clients To Central Ios-Router At The Same Time 77


    here is a link to what you are looking for

    http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080094685.shtml

    also here's another real good link

    http://www.cisco.com/en/US/tech/tk648/tk367/tech_configuration_examples_list.html

  • RELEVANCY SCORE 2.65

    DB:2.65:Migrating Vpn3000 To Asa xj



    Hi,

    Does somebody know where I can find a tool to migrate from VPN3000 to ASA?

    I appreciate all information.

    Best regards,

    DT.

    DB:2.65:Migrating Vpn3000 To Asa xj


    Hi Arul,

    I had just reviewed this information. Inside the URL http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html, it shows another one where there is AVPN3000_to_ASA_Migration_tool, but this last link isn't available.

    Do you know if this tool is in another place?

    Regards,

    DT.

  • RELEVANCY SCORE 2.65

    DB:2.65:Vpn3000 With Certificate Backup 73



    Hi there,

    Can somebody tell me if it's possible to back up a VPN3000 config and its certificate/generated keys in case of hardware failure? If not, do I have to generate new keys, get a new certificate and tell this to all my clients, routers, firewalls? (which sounds horrible!).

    Regards,

    Thomas

    DB:2.65:Vpn3000 With Certificate Backup 73


    Hello Thomas,

    It is possible to manually back up the certificates with private keys from the VPN3k web interface.

    1. Log into the web administration.

    2. Navigate to Administration-Certificate Management.

    3. Select Export for the certificate you wish to back up.

    4. The VPN3k will request a password to encrypt the private RSA key.

    5. When you enter the password and click export, the certificate and key will be saved as CERTEXP.TXT on the VPN3K flash and it will try to pop up a window showing the data. Copy this data and store it somewhere; remember the key.

    That exported certificate can be imported to the VPN3k via the Certificate Management-Installation section using the Import SSL certificate with private key link.

    The export/import format that the VPN3k uses is not a standard PKCS12; it is a PKCS8 encrypted private key in Base64 with the X509 certificate in Base64 encoding.

    I don't think the XML Export option gives you the certificates, so to have a full backup you would need both items.

    I hope this helps,

    Craig

  • RELEVANCY SCORE 2.65

    DB:2.65:Vpn3000 On Pix506e z8



    Can someone tell me what the following config does? I would like to configure a VPN server on a PIX506E so that users can connect to the local network using Cisco VPN software. I saw these lines in the firewall's config but I'm not sure that's all that's required:

    vpngroup vpn3000 address-pool ipsecvpn
    vpngroup vpn3000 dns-server 10.0.0.10
    vpngroup vpn3000 wins-server 10.0.0.250
    vpngroup vpn3000 default-domain somedomainname.com
    vpngroup vpn3000 split-tunnel nonat
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********

    Thanks in advance!

    DB:2.65:Vpn3000 On Pix506e z8


    Great guide. Thank you very much! I'm up and running in no time!

  • RELEVANCY SCORE 2.65

    DB:2.65:Vpn3000 Spoke To Spoke Rri 3k



    We implemented PIX 501s with network extension to a vpn3000. Phones behind the pixs can call each other no problem. We then switched to cisco 806 with ezvpn so that we could use LLQ to prioritize the phone traffic. Network extension now only works to phones in the central site; phone to phone through the vpn3000 does not work. Anyone run into this?

    DB:2.65:Vpn3000 Spoke To Spoke Rri 3k


    I have the exact same problem, but am using 3002's with vpn3000. Phones behind the 3002's cannot talk to each other. TAC suggested downgrading to 3.6. I tried 3.6.7.H and the problem still existed.

  • RELEVANCY SCORE 2.65

    DB:2.65:Private Key Backup For Vpn3000 cs



    Hi there,

    Is it possible to install keys and identity certificates on the VPN 3000 without using the VPN 3000 itself for the enrollment/generation? This would allow for backup of the private keys. In case of VPN3000 failure that would save (down) time and money requesting a new certificate.

    thx

    DB:2.65:Private Key Backup For Vpn3000 cs


    Of course you need solid procedures to safeguard the private key (password protected in a safe place). I think it's common practice to generate all certificate requests on a dedicated server. In my company that's how we handle our SSL certificates. Unfortunately (as far as I know) the VPN3000 doesn't let you import ID certs without initiating the request from the VPN3000 itself.

  • RELEVANCY SCORE 2.65

    DB:2.65:Vpn3000 Remote Access Tunnel Problem xj



    Hi,

    If the IP network segment of a remote access VPN client conflicts with the VPN3000's private interface IP network segment, can I still let the remote access VPN client access the servers on the VPN3000's private network?

    Best Regards,

    Jackson Ku

    DB:2.65:Vpn3000 Remote Access Tunnel Problem xj


    If you mean that say, the VPN client is on a network of 10.1.1.0/24, and you're also trying to connect to a network over the VPN of 10.1.1.0/24, then no, this won't work.

    Theoretically it should if you're not doing split tunnelling, but the underlying Windows OS will grab the packet and send it straight out the LAN interface unencrypted, cause it thinks that you're trying to get to a local machine.

  • RELEVANCY SCORE 2.64

    DB:2.64:Router-Router (Dynamic-Static) And Vpn3000-Client c9



    I have a VPN between two IOS routers where one of them gets its address dynamically from the ISP. Now I also want to use VPN3000 clients to connect to the router with the static address. Is this possible? Can I have double dynamic maps? Are there any config examples?

    Thanks

    DB:2.64:Router-Router (Dynamic-Static) And Vpn3000-Client c9


    This is exactly what I am trying to do and it's not working. I can get one or the other but not both. If I figure it out, I will post it.

    I would appreciate if you could do the same.

    thanks

    -pat

  • RELEVANCY SCORE 2.64

    DB:2.64:Where To Find The Vpn3000 Vsas For Radius? xa



    Who can tell me where I can find the Vendor Specific Attributes I need to use Radius authentication for the vpn 3005 concentrator?

    DB:2.64:Where To Find The Vpn3000 Vsas For Radius? xa


    you likely have them by now but they can be found here:

    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1d83.html#1546963

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 Log File Analysis ax



    I am trying to generate a report of how many people are using my VPN3000 concentrator, how long they are staying on, and how much data is moving through it. I have the log files saved out to an FTP server, but am having trouble organising the data in a meaningful way.

    Does anyone have a tool for interpreting the VPN3000 log data?

    Thanks.

    DB:2.64:Vpn3000 Log File Analysis ax


    This might help you: http://www.sollerconsulting.com/AcctSW.html

    If you can put some time into it you could use snmp tool mrtg:

    http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub/

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 Concentrator Psk Recovery 37



    Is there a way to view the group keys on a VPN3000 in clear text, either on the device or through 3rd party tools?

    TIA,

    Luke

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 And Ciscoworks xs



    Hi, we have a VPN3000 on our network. In the near future we are planning to monitor our university traffic through Ciscoworks2000.

    I am keen to get usage statistics from the VPN3000 concentrator that the students use for remote access. Is this possible using CiscoWorks?

    If possible, then how can we do it?

    DB:2.64:Vpn3000 And Ciscoworks xs


    Thanks for your reply. I have checked with Cisco2000 Works and we are able to find the statistics.

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 In Natd Dmz m3



    Here's the situation:

    I would like to put my VPN3000 behind my 'DMZ' int. on my PIX. Big problem - traffic coming out of the 'DMZ' is NAT'd.

    Is there any way that I could put this concentrator behind this interface without removing the NAT command from my PIX?

    thanks--

    jason

    DB:2.64:Vpn3000 In Natd Dmz m3


    Hi Jason,

    You can still NAT at the PIX, and just define a Static one to one NAT for the Concentrator address and this should work fine without a problem.

    Regards,

    Aamir


  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000`S Vrrp c3



    Dear All,

    Does VPN3000 support VRRP Active-Active ?

    I am aware that the default is VRRP Active-Standby.

    Regards,

    DB:2.64:Vpn3000`S Vrrp c3


    This is proprietary. Only Cisco VPN clients are load balanced, although all members of the load balancing clusters accept other connections on their own (not load balanced).

    Regards,

  • RELEVANCY SCORE 2.64

    DB:2.64:How Can I View The Local Users Password On The Vpn3000 Concentrator ? ja



    Hi all,

    How can I view the local user's password on the VPN3000 concentrator? I want to migrate the VPN3000 to the ASA5500. I can view the user account but can't get the user password in the VPN3000 local user database. What can I do?

    Thanks a lot.

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn Client Problem Transfering Long Files With Vpn3000 jp



    I have problems transferring big files (more than 4Mb) using vpn client 4.8.02 or 5.0 with vpn3020 4.7.2.N

    DB:2.64:Vpn Client Problem Transfering Long Files With Vpn3000 jp


    This happens to be the issue with MTU. Try reducing the MTU by running setMTU.exe file on the VPN client. Make sure Don't Fragment bit is not set on the intermediate routers. For adjusting MTU on VPN 3000 refer URL http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00800d81b3.html

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn Between Remote Router And Headend Vpn3000 s7



    Is it possible to set up a VPN between a remote router and a headend VPN3000 whereby all traffic (traffic destined for the central office as well as traffic destined for the Internet) from the remote end comes in to the VPN3000.

    That is, the remote router will not be split tunneling. I believe this scenario is possible in a router to router setup, but would like to know if it is possible in a router to VPN3000 setup.

    Chris

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn 3000 Software Question ??? zf



    Hello all,

    I have a question about the software for the VPN 3000. On the Cisco site I found last week the new 4.2.7.I from 03-AUG-2006 and now I found a newer one with vpn3000-4.1.7.O-k9.bin from 15-AUG-2006.

    This is a little bit confusing for me.

    Can anyone explain to me what to use for a VPN Conc 3030 with 128mb mem?

    Thanks in advance

    Klaus

    DB:2.64:Vpn 3000 Software Question ??? zf


    Not 100% sure, but my impression is that the 4.7.x series have more to do with WebVPN and SVC (ActiveX VPN client) features. Can someone confirm this?

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 And Dynamic Dns 3s



    I'm asked to build a l2l tunnel with a sonicwall TZ170 which has a dynamic public address, providing that this device cannot behave like an easy vpn client, is there a way to tell the vpn3000 to accept a fqdn as a vpn peer or to configure a 0.0.0.0 as the peer address of a l2l vpn?

    Bye,

    Max.

    DB:2.64:Vpn3000 And Dynamic Dns 3s


    Dynamic DNS (DDNS) allows automatic registration of VPN Client host names into a DNS server upon successful negotiation of the VPN connection. When a VPN Client initiates a connection, the local host name is sent to the concentrator, which in turn forwards this onto the centrally located Dynamic Host Configuration Protocol (DHCP) server for the address allocation. If the DHCP server supports DDNS, then the allocated address and host name are entered automatically. DHCP address allocation is a requirement for DDNS to function, but does not work with local address pools.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008015f324.shtml

  • RELEVANCY SCORE 2.64

    DB:2.64:Ios Upgrade For Vpn Concentrator 3030 px



    Hi Netpros,

    I need to upgrade a VPN concentrator with 128 MB of memory to the latest version, which I believe is vpn3000-4.1.7.Q-k9.bin. However, in the software download files section I can also see another release with 4.7.2, i.e. vpn3000-4.7.2.K-k9.bin, and so my question is which one should I install? The number 4.7.2 seems newer than 4.1.7, however 4.1.7 was released after. You see my confusion? Can anybody please give me some guidance on this?

    I really appreciate it !!

    DB:2.64:Ios Upgrade For Vpn Concentrator 3030 px


    Also .. would 128 Mb be OK for upgrading .. currently the memory status is green under 25%

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 Software 4.1.7 H .Vs 4.7.2 B 3a



    What is the difference?

    DB:2.64:Vpn3000 Software 4.1.7 H .Vs 4.7.2 B 3a


    i guess v4.7 has more features, like:

    ssl vpn client for webvpn

    cisco secure desktop for webvpn

    clientless citrix support for webvpn

    windows nt lan manager (ntlm) and http authentication support for clientless webvpn

    pocket pc 2003 with hp ipaq support for webvpn

    nac ipsec policy enforcement

    nokia symbian ipsec vpn client support

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_bulletin0900aecd8021455d.html

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 And Anyconnect Ssl Vpn Package 8s



    Hi,

    With my VPN3030 (vpn3000-4.7.2.L-k9.bin), I installed anyconnect-win-2.0.0343-k9.pkg and it's OK!

    But I don't know if the VPN3030 can manage multiple packages (anyconnect-macosx-powerpc-2.0.0343-k9.pkg and anyconnect-macosx-i386-2.0.0343-k9.pkg and anyconnect-linux-2.0.0343-k9.pkg).

    I can't find any documentation.

    Thanks


  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000 : L2tp/Ipsec Without Using Base Group 8c



    Hello,

    is it possible using a VPN3000 to enable l2tp over IPSec for a particular group while only IPsec is selected on the Base Group ?

    Thanks

    DB:2.64:Vpn3000 : L2tp/Ipsec Without Using Base Group 8c


    you can only use the configuration with the base group because you cannot configure the VPN Concentrator for a LAN-to-LAN tunnel in this scenario because the address is assigned dynamically to the remote device and is not always the same

  • RELEVANCY SCORE 2.64

    DB:2.64:Vpn3000, Radius Admin Authentication, And Failed Acs Server f9



    How do I log into a VPN3000 concentrator via the serial port when the ACS server is off-line?

    DB:2.64:Vpn3000, Radius Admin Authentication, And Failed Acs Server f9


    Sorry for not providing enough detail.

    I have connected via the serial cable but I am being prompted for ID and password. TACACS/RADIUS is unavailable to authenticate. How do I gain access? I have found the password recovery document for the Cisco 3000 concentrator. I had mixed results with it. I did not get prompted to reset passwords but admin/admin let me in.

    Can local authentication be used to authenticate admin users? Can it be set to only be available if tacacs/radius is not available?

  • RELEVANCY SCORE 2.64

    DB:2.64:Checking For Client-Side Fw From Vpn3000 7c



    Can I customize the firewall that the VPN3000 checks connecting clients for? Like, can I specify a certain executable that must be running to allow the tunnel to be established, or do something along those lines?

    DB:2.64:Checking For Client-Side Fw From Vpn3000 7c


    No, it is not possible through the VPN3000.

    Try this link:

    http://www.cisco.com/warp/public/110/pix3000.html

  • RELEVANCY SCORE 2.63

    DB:2.63:Vpn Concentrator Causing Firewall Alerts ca



    We do not use IKE keepalives between our vpn3000 concentrator and the remote client. The idle timeout for users is 60mins. Intermittently, when a client connection is lost rather than closing down correctly the vpn 3000 seems to try to send data to it. This causes firewall alerts as the connection is no longer valid on the firewall. My question is, as we're not using IKE keepalives what can this traffic be and how can we stop it?

    DB:2.63:Vpn Concentrator Causing Firewall Alerts ca


    I've left the IKE/IPSEC lifetimes at the Cisco default - something like a day? - so I don't think it's SA re-negotiation. Traffic from an internal source could be likely - I'll have to check the internal firewall logs next time it happens.

    Thanks for your help.

  • RELEVANCY SCORE 2.63

    DB:2.63:Lan-To-Lan Issue Between Vpn3000 And Ios With Nat-T mp



    I configured a LAN-to-LAN between my concentrator and an IOS router.

    Everything is OK when my partner establishes the connection, but I'm unable to do it.

    When I uncheck "IPSec over NAT-T" on my VPN3000 then I can establish the tunnel.

    Any idea?

    DB:2.63:Lan-To-Lan Issue Between Vpn3000 And Ios With Nat-T mp


    Thanks Mustapha,

    we tried to use the command:

    "no crypto ipsec nat-transparency udp-encapsulation"

    but nothing happened (I think it was the 'by default config')

    So we used the following command to come back:

    "crypto ipsec nat-transparency udp-encapsulation"

    and then I saw requests on UDP 4500 and we were both unable to establish the tunnel.

    It seems that the gateways cannot negotiate NAT-T!

    Any Ideas?

    Thanks,

    Morgan

  • RELEVANCY SCORE 2.62

    DB:2.62:Vpn3000 Idle Timeout For Ipsec Lan-To-Lan Tunnel kj



    Is it possible to limit the time for an IPsec tunnel at the VPN3000 Concentrator for a LAN-to-LAN connection? At the moment the tunnel is always up. Can I bring the tunnel down if there is no traffic?

  • RELEVANCY SCORE 2.62

    DB:2.62:Single Sign-On Solution With Vpn3000 Client sf



    Dear List members,

    Anyone know solution for a Windows VPN client logon (NT, 2000, XP, Win98) to be able to login to the VPN3000 Concentrator and at the same time authenticate to the Domain Controller ?

    Appreciate for any reply

    Best Regards,

    Engel

    DB:2.62:Single Sign-On Solution With Vpn3000 Client sf


    I'll try.

    Local group defined on 3005 is type=external, which have the ACS server as their authentication server. This acts as my group "pre-shared" secret... I am using RADIUS between the 3005 and the ACS Server. The ACS server then points to the AD server, and the user logs in DOMAIN\username. The ACS server definition is Password Auth=external Win2K, group assigned is External auth. This is done after you connect to the AD and select which object you map to for allow. We use 2 things: must be a member of VPNGroup, and check box of allow dialin remote...

    Does that help ?

  • RELEVANCY SCORE 2.62

    DB:2.62:Netscreen-Vpn3000 Certificate-Base Vpn Interoperability 98



    Dear All,

    Has anyone succeeded in configuring a certificate-based VPN between NetScreen and VPN3000? We got the IKE (Phase1) established but no Phase2 session. Seems like there is an issue with the cert (we are using Entrust to generate certificates). Would very much appreciate any help

    Best Regards,

    DB:2.62:Netscreen-Vpn3000 Certificate-Base Vpn Interoperability 98


    Hi, I'm also having similar problems. Can you please send me the details of how you did the config.

    Thanks,

    Naveen

  • RELEVANCY SCORE 2.62

    DB:2.62:Disable Vpn3000 Concentrator Xauth kk



    Hi,

    Is it possible to disable the xauth in the vpn3000s and only use the group name and password for authenticating remote vpn clients?

    TIA,

    Cheers

    LR

    DB:2.62:Disable Vpn3000 Concentrator Xauth kk


    Yes, it is. Just set Authentication = None on the IPSec tab of the Modify Group screen.

  • RELEVANCY SCORE 2.62

    DB:2.62:Cant Login Vpn3000 Concentrator Via Web dc



    Dear Expert,

    I have a problem with a VPN3000 concentrator and need your help to resolve it. I can't log in via web by username and password; the message is "username or passowrd invalid", although I have reset the password and can log in by console. Please tell me what to do.

    Thanks in advance


  • RELEVANCY SCORE 2.61

    DB:2.61:Monitoring Vpn3000 From Cwlms - 2.1 xk



    Trying to configure a VPN3000 device for monitoring from CWLMS-2.1. The VPN3000 has an SNMP server configuration page, where one can configure the community string. The problem is, it does not say whether it's the read or read/write community string, and any attempts to add this device to my CWLMS have been unsuccessful because of the wrong community string. Has anybody managed to successfully do this?

    Thanks.

    DB:2.61:Monitoring Vpn3000 From Cwlms - 2.1 xk


    Thanks for your response. I must be doing something wrong as I can't even send an SNMP getnext request from the management station to the device. The ping and traceroute work OK. SNMP is enabled on the VPN 3000 box and port 161 is opened. The community string on the VPN 3000 box is identical to the one I am using for sending an SNMP getnext request. Is there a setting on the VPN 3000 I am missing?

    Thanks again.

  • RELEVANCY SCORE 2.56

    DB:2.56:Vpn3000 To Router Ios Using Ip Negotiated At Intf Router kz



    When trying to connect a router which gets its IP address from the provider I dial in to, I want to connect to a VPN3000.

    However when configuring LAN-to-LAN the VPN3000 expects me to have a fixed IP address at the router.

    It uses this IP address as group name as it seems. With my IP address changing every time I dial in this is not a working solution as the VPN3000 doesn't find the group.

    Now the other option could be to configure Remote-access client at the VPN3000 allowing the Router to connect. The router in that case should act as a VPN client but WITH using a Group parameter.

    Does anyone know how to overcome the fact that the IOS router is NOT capable of using the Group value?

    DB:2.56:Vpn3000 To Router Ios Using Ip Negotiated At Intf Router kz


    Thanks for this link!

    I think that it is pretty new because it was not there at the time I tried to find a solution. However at that time a TAC engineer was already telling me this one.

    I upgraded to 3.1.1 in where you can configure a base-group with a preshared key. This one will be used now for the routers trying to dial-in retrieving the address from a provider.

    This is also to overcome the 'not knowing what a group is' of the IOS.

    Tested it and it works!

    One drawback there... All the routers will have to use the same preshared key now...

    Finally I received some information that the IOS in its roadmap (not official!) has a full Unity client compatibility. In that case you can distinguish the different routers through different configured groups and a preshared key per group.

    That would be (to me) the nicest solution for this.

    Again, thank you all.

  • RELEVANCY SCORE 2.55

    DB:2.55:Sctp Flow Problem - Asa5500 Vpn3000 sz



    The following is the setup and the problem we have:

    * SCTP -- ASA5500 -- vpn tunnel -- VPN3000 -- SCTP

    * When LAN-to-LAN VPN tunnel is up, any other traffic behind ASA5500 and VPN3000 can go through the tunnel but not SCTP from ASA5500 side.

    Does anyone experience problem with SCTP and any gotcha? Thanks a lot in advance.

    DB:2.55:Sctp Flow Problem - Asa5500 Vpn3000 sz


    What particular program are you using for SCTP and what version of ASA are you running?

  • RELEVANCY SCORE 2.55

    DB:2.55:Dns Payload Translation In Vpn3000 mc



    Hi !

    We have a VPN configuration currently using a VPN3000 device. According to this https://supportforums.cisco.com/docs/DOC-5229 and some others I have seen, DNS payload can also be translated in NAT configuration.

    How can I do it with the VPN3000 box? On my configuration the DNS payload isn't translated, but maybe it is an option I need to set or unset!

    Thanks !

    DB:2.55:Dns Payload Translation In Vpn3000 mc


    Hello,

    VPN3000 is not able to do DNS doctoring. You would need an ASA or an IOS router to do that.

    On top of that, the VPN3000 is almost obsolete and it will reach end of life at the end of August 2012.

    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

    You should migrate services from the vpn3000 to IOS based products

    Cheers,

    Olivier Pelerin

    CCIE #20306

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000`S Mtbf 97



    Dear All,

    Some questions regarding VPN3000.

    1.Does anyone know the following MTBF of VPN3000 series?

    a. VPN3005

    b. VPN3015

    c. VPN3030

    d. VPN3060

    e. VPN3080

    2. What is the maximum number of lines that can be configured in the VPN3000`s CONFIG file? How big is the size in bytes?

    3. Does anyone know the throughput (performance) of the VPN3000 Software client?

    Would be very grateful for any help

    Best Regards,

    DB:2.55:Vpn3000`S Mtbf 97

    Regarding CONFIG size, I calculate from our VPN3060, it has around 3300 lines with 60Kb. If the file grows to 10Mb it would have 530,000 lines.

    Does anyone know about the other questions?

    Regards,

  • RELEVANCY SCORE 2.55

    DB:2.55:Destination Nat On Vpn3000? 93



    Hi,

    Does VPN 3000 Concentrator support destination NAT??

    Thanks in advance for your help.

    Regards,

    Shijo George.

    DB:2.55:Destination Nat On Vpn3000? 93


    please excuse me for misunderstanding your original post.

    i don't think that's supported, or i should say i don't know how.

  • RELEVANCY SCORE 2.55

    DB:2.55:Cisco Vpn Client Vista j9



    Can anyone tell me if Cisco have resolved the issue with the VPN client integrated FW and Windows Vista. I have downloaded the beta version 5.0.0.90, but this doesn't work if I set my VPN policy requiring that the client use the IFW.

    I have clients connecting into a VPN3000 concentrator. Do I need to upgrade to an ASA device?

    DB:2.55:Cisco Vpn Client Vista j9


    The word I have gotten is that Cisco does not plan to include the firewall in the client for Vista at all, ever. Not even to verify that the built-in firewall is active.

    As you point out, this is a serious drop down in the level of VPN security.

    If you feel this is important, please let your Cisco account team know so that they can communicate it back to product management...

  • RELEVANCY SCORE 2.55

    DB:2.55:Branch-To-Branch Access Via Vpn3000? 3m



    Central site VPN3000, 192.168.2.0/24

    remote site IOS Routers, 192.168.5x.0/24

    Need to get from branch-to-branch via the central site vpn3000

    Branch Office Crypto Map uses 192.168.0.0/16 as the "remote LAN" can get to/from HQ ok.

    Packets destined for another branch appear to go into the tunnel ok, but no debug on vpn3000 to say what happens when they get there....

    Any suggestions gratefully received.

    DB:2.55:Branch-To-Branch Access Via Vpn3000? 3m


    Each LAN-TO-LAN tunnel on the VPN3000 should then also have 192.168.0.0/16 as its "Local Network". Also on the VPN3000 put a static route for 192.168.5x.0/24 pointing out the outside interface.

    Other than that it should work, the VPN3000 is definitely able to re-route packets from one spoke out to another spoke.

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000 To Checkpointfw1 Tunneling m1



    I have been trying to set up an IPSec tunnel between VPN3000 and Checkpoint FW1, but it doesn't seem to work. I have done the setup based on Cisco documents. Also the box to which I am trying to set up the IPSec tunnel is behind another PIX FW which is between the Checkpoint FW1 and the end machine. Any help is welcomed....

    DB:2.55:Vpn3000 To Checkpointfw1 Tunneling m1


    You could turn on the following event logs on the concentrator:

    auth

    authdbg

    ike

    ikedbg

    ipsec

    ipsecdbg

    Log events 1-9 and watch the filterable event log as you establish the connection with the Checkpoint to see what is not matching in phase 1 and/or 2. Also try to see if you could modify the IKE proposal on the 3000 to use DH group 1 rather than 2, as sometimes Checkpoint doesn't want group 2.

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000 Radius Accounting Update 78



    Hi there!

    We are using VPN 3030 Concentrator

    (vpn3000-4.7.2.L-k9.bin)

    and can't find where to enable and turn radius accounting update option? (like aaa accounting update periodic command in "common" IOS)

    Could someone help me?

    Thanks a lot!

  • RELEVANCY SCORE 2.55

    DB:2.55:Load Balancing In Vpn3000 1j



    Hello,

    Can I have load balancing in VPN3000 of my LAN-to-LAN connections? In all documents I see that load balancing is for Client VPN connections.

    Regards.

    DB:2.55:Load Balancing In Vpn3000 1j


    Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later) or the Cisco VPN 3002 Hardware Client (Release 3.5). All other clients, including LAN-to-LAN connections, can connect to a VPN Concentrator on which load balancing is enabled, but they cannot participate in load balancing.

  • RELEVANCY SCORE 2.55

    DB:2.55:Notification About Password Expiry On Vpn Client 1m



    Hello everyone.

    Our VPN users are connected to VPN with VPN Client. We're using VPN3000 to terminate VPN and ACS 5.1 to authenticate users from its internal identity store. VPN3000 gets info from ACS via RADIUS.

    Now I want users to be notified about password expiration at their VPN client and be able to change their password.

    I've configured:

    - "RADIUS with expiry" at VPN3000

    - "Disable user account after X days if password was not changed" and "Display reminder after Y days" at ACS

    Now the user is blocked when his password is expired after X days and he can't connect. But the reminder is not displayed after Y days and users have no chance to change their own password.

    If I check "Change password on next login" user can change his password in VPN Client.

    Should this feature (password expiry notification) work with ACS5.1 internal identity store and RADIUS?

    I found in ACS5.1 release notes the following:

    - Internal identity store enhancements include support for Password expiry

    but:

    - Expiry of any user (admin or internal) after certain number of days is not supported.

    I'm confused with these two phrases.

    And one more question. What RADIUS attributes say about password expiration and password notification to check them with radlogin?

    Thanks in advance for any help.

      Pavel


  • RELEVANCY SCORE 2.55

    DB:2.55:Does The Sep Module For Vpn3000 Support Mppe? zf



    I'm testing PPTP with MPPE against VPN3060. But it seems that the SEP modules of VPN3060 are not working.Does the SEP module for VPN3000 support MPPE?

    DB:2.55:Does The Sep Module For Vpn3000 Support Mppe? zf


    No, Cisco does not currently support MPPE on the SEPs.

  • RELEVANCY SCORE 2.55

    DB:2.55:Active Configuration In Vpn3000 m8



    Does the configuration go active/running the moment changes are made through the GUI

    or

    They become active only when 'save needed' is pressed.

    Regds,

    Vijay.

    DB:2.55:Active Configuration In Vpn3000 m8


    Thanks for the input, even I am of the same opinion.

  • RELEVANCY SCORE 2.55

    DB:2.55:Question On Nat Traversal mj



    Kindly advise on the following questions regarding VPN3000 remote client`s NAT Traversal. For NAT Traversal, we have an option to use UDP port 10000.

    Is phase 1 (IKE) port 500 translated to port 10000 also?

    Best Regards,

    Engel

    DB:2.55:Question On Nat Traversal mj


    Thanks for your reply.

    I think I should be clear, the question is for a VPN client to the Concentrator, where the client is behind a firewall which is doing NAT. I am aware that the IPSec (ESP packets) will be translated to UDP port 10000. But I was not sure if the first stage for preparation of IPSec which is IKE (UDP 500) is also translated to UDP port 10000. I tested this using a PIX Firewall as a NAT device, and I found two translations occur from the "xlate" table.

    One is port 500 and the other is port 10000. My conclusion is IKE still uses port 500 and the ESP packet is encapsulated in UDP port 10000.

    Best Regards,

    Engel

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000-3.5.2.Rel-K9.Bin 7a



    I am having random "system lock ups" with no severity log entries. Any suggestions on what I should look at or address in my config?

    DB:2.55:Vpn3000-3.5.2.Rel-K9.Bin 7a


    See if you don't have too much event logged on.

    Also do you see a lot of http request to your box?

    I've seen this before if there was a workstation infected with Nimda sending http request to the box.

    When it is in a lockup state, could you still ping the interfaces? It may be best to log a case with TAC when it is in a lockup state so basic troubleshooting could be carried out.

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000 Accounting Tunnel Traffic 1m



    I have a question about accounting data traffic through site-to-site tunnel.

    I need traffic data (how many bytes are sent and received through vpn tunnel to different customer sites).

    Tunnels are authenticated with preshared keys. But I don't know how I can get traffic data after the tunnel is disconnected.

    I tried syslog with Event list "ALL/ (Sev1-13)", but I can't find traffic data, only connect time.

    Who can help me?

    Many thanks, Frank Pusch

    DB:2.55:Vpn3000 Accounting Tunnel Traffic 1m


    Hi Mike,

    Many thanks, but it doesn't work on my VPN concentrator.

    Only a user login (client to LAN) logs the following line during logout:

    Mar 13 15:52:02 kpbcisco010 852868 03/13/2006 15:52:02.410 SEV=4 AUTH/28 RPT=2 212.224.53.21 User [Domain\user1] Group [] disconnected: Session Type: PPTP Duration: 0:00:39 Bytes xmt: 14608 Bytes rcv: 20123 Reason: User Requested

    But LAN-to-LAN connections log only:

    Mar 13 15:54:09 kpbcisco010 852942 03/13/2006 15:54:09.650 SEV=4 AUTH/23 RPT=4222 3.3.3.3 User [3.3.3.3] Group [3.3.3.3] disconnected: duration: 1:21:48

    Mar 13 15:54:09 kpbcisco010 852943 03/13/2006 15:54:09.650 SEV=4 AUTH/85 RPT=4123 LAN-to-LAN tunnel to headend device 3.3.3.3 disconnected: duration: 1:21:48

    Mar 13 15:54:10 kpbcisco010 852949 03/13/2006 15:54:10.220 SEV=4 AUTH/22 RPT=8459 User [3.3.3.3] Group [3.3.3.3] connected, Session Type: IPSec/LAN-to-LAN

    Mar 13 15:54:10 kpbcisco010 852951 03/13/2006 15:54:10.220 SEV=4 AUTH/84 RPT=6897 LAN-to-LAN tunnel to headend device 3.3.3.3 connected

    There is no AUTH/28 event or other event with Bytes-data regarding LAN-to-LAN connections.

    Do you have an additional hint for me?

    Kind regards,

    Frank Pusch
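
    As an added example (not part of the original thread), this Python sketch parses the syslog lines quoted in the post above and lists which disconnect events carry byte counters. The regular expressions and field names are assumptions inferred from those five lines only, not a documented VPN 3000 log grammar.

```python
import re

# Log lines copied verbatim from the post above (VPN 3000 syslog output).
SAMPLE = r"""
Mar 13 15:52:02 kpbcisco010 852868 03/13/2006 15:52:02.410 SEV=4 AUTH/28 RPT=2 212.224.53.21 User [Domain\user1] Group [] disconnected: Session Type: PPTP Duration: 0:00:39 Bytes xmt: 14608 Bytes rcv: 20123 Reason: User Requested
Mar 13 15:54:09 kpbcisco010 852942 03/13/2006 15:54:09.650 SEV=4 AUTH/23 RPT=4222 3.3.3.3 User [3.3.3.3] Group [3.3.3.3] disconnected: duration: 1:21:48
Mar 13 15:54:09 kpbcisco010 852943 03/13/2006 15:54:09.650 SEV=4 AUTH/85 RPT=4123 LAN-to-LAN tunnel to headend device 3.3.3.3 disconnected: duration: 1:21:48
Mar 13 15:54:10 kpbcisco010 852949 03/13/2006 15:54:10.220 SEV=4 AUTH/22 RPT=8459 User [3.3.3.3] Group [3.3.3.3] connected, Session Type: IPSec/LAN-to-LAN
Mar 13 15:54:10 kpbcisco010 852951 03/13/2006 15:54:10.220 SEV=4 AUTH/84 RPT=6897 LAN-to-LAN tunnel to headend device 3.3.3.3 connected
""".strip().splitlines()

# Assumed layout: syslog prefix, sequence number, device timestamp, SEV, class/number, RPT, text.
HEADER = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<seq>\d+) "
    r"(?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<event>[A-Z]+/\d+) RPT=(?P<rpt>\d+) (?P<msg>.*)$")
DURATION = re.compile(r"duration: (\d+):(\d\d):(\d\d)", re.IGNORECASE)
BYTES = re.compile(r"Bytes xmt: (\d+) Bytes rcv: (\d+)")
USER = re.compile(r"User \[([^\]]*)\]")

def parse_line(line):
    """Return a dict for one event line, or None if the header does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    msg = ev["msg"]
    ev["seq"], ev["sev"] = int(ev["seq"]), int(ev["sev"])
    ev["disconnect"] = "disconnected" in msg
    user = USER.search(msg)
    ev["user"] = user.group(1) if user else None
    dur = DURATION.search(msg)
    ev["duration"] = (int(dur[1]) * 3600 + int(dur[2]) * 60 + int(dur[3])) if dur else None
    counters = BYTES.search(msg)
    ev["bytes_xmt"] = int(counters[1]) if counters else None
    ev["bytes_rcv"] = int(counters[2]) if counters else None
    return ev

def disconnects_without_bytes(events):
    """Event IDs of disconnect records that give no traffic volume."""
    return [e["event"] for e in events if e["disconnect"] and e["bytes_xmt"] is None]

if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE) if e]
    for e in events:
        print(e["event"], e["user"], e["duration"], e["bytes_xmt"], e["bytes_rcv"])
    print("no byte counters:", disconnects_without_bytes(events))
```

    On these lines only the AUTH/28 record yields byte counts; the LAN-to-LAN disconnects (AUTH/23 and AUTH/85) give a duration and nothing else, which matches what the post reports.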

  • RELEVANCY SCORE 2.55

    DB:2.55:Vpn3000 And A Sonicwall Firewall p1



    Has anyone successfully connected a vpn3000 and a sonicwall firewall lan-to-lan. I'm on the VPN3000 side and am receiving error messages indicating that I'm receiving unencrypted packets from the sonicwall.

    DB:2.55:Vpn3000 And A Sonicwall Firewall p1


    Yes, I've got L2L between a Sonicwall PRO200 and VPN3030 running without any problems. I've used a document of SonicWall to configure the VPN3030 and the Sonicwall. Important is to have your Sonicwall and VPN3030 updated to the latest firmware.

    You can find the documentation on the Sonicwall support site.

    At the moment the VPN3030 is running 3.6.7 and the Sonicwall 6.4.2.0.

    Getting a L2L tunnel running between the VPN3030 and a Sonicwall SOHO/3 behind a NAT'ted Internet solution never succeeded because of NAT traversal issues.

    Best regards,

    Jurrien Wijlhuizen