'decrypted packet failed SA identity check' means that we have decrypted a traffic that does not match the proxy ID negotiated. Juniper is violating RFC4301. There is nothing we can do against RFC violation. As mentioned in Section 4.4.1, 'The Security Policy Database (SPD)', the SPD (or associated caches) MUST be consulted during the.
Similar Messages:
Cisco WAN :: 7200 - Egress Netflow V9 And Output Packet Marking Order
Aug 17, 2011when using egress netflow (v9) and output marking.
The topologie : Server <-----> R1 1>-----<1 R2 2>----<2 R3
R2 is a 7200 with c7200p-adventerprisek9-mz.124-15.T11.bin What I'm doing :- R2 forwards ping packets from Server to R3. When they arrive on R2, icmp packets are marked with CS3
- I change the DSCP to CS4 on R2 before forwarding packet to R3. I'm using for that an output service-policy on the R2-2 interface like this : interface ATM2/0.36 point-to-point
ip address 192.168.1.1 255.255.255.252
ip flow ingress
ip flow egress
[Code]....
The topologie : Server <-----> R1 1>-----<1 R2 2>----<2 R3
R2 is a 7200 with c7200p-adventerprisek9-mz.124-15.T11.bin What I'm doing :- R2 forwards ping packets from Server to R3. When they arrive on R2, icmp packets are marked with CS3
- I change the DSCP to CS4 on R2 before forwarding packet to R3. I'm using for that an output service-policy on the R2-2 interface like this : interface ATM2/0.36 point-to-point
ip address 192.168.1.1 255.255.255.252
ip flow ingress
ip flow egress
[Code]....
Cisco WAN :: 7200 / 2921 With VTI IPsec
May 20, 2013We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
We see the tunnel come up, but when I sent a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than and IOS bug which is what I first thought. c7200-advipservicesk9-mz.122-33.SRE7.bin.
sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP Address
1 Tu10 IPsec 3DES+SHA 0 31 10.5.5.1
2 Tu10 IPsec 3DES+SHA 19 0 10.5.5.1
1001 Tu10 IKE SHA+3DES 0 0 10.5.5.1
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....
We see the tunnel come up, but when I sent a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than and IOS bug which is what I first thought. c7200-advipservicesk9-mz.122-33.SRE7.bin.
sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP Address
1 Tu10 IPsec 3DES+SHA 0 31 10.5.5.1
2 Tu10 IPsec 3DES+SHA 19 0 10.5.5.1
1001 Tu10 IKE SHA+3DES 0 0 10.5.5.1
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....
Cisco VPN :: 7200 - L2TP Over IPSec With Draytek
Apr 20, 2011I have a Cisco 7200 and need to establish L2TP over IPSEC session with a Draytek Fly200. Draytek must use L2TP over IPSEC to provide LAN-to-LAN connectivity. IPSEC phase 1 and 2 is ok, L2TP tunnel is also established, but on cloned virtual-access IPCP negotiation is not completed:
*Sep 16 09:50:36.911: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
L2X_ADJ: Vi3:midchain adj reqd for ip 0.0.0.0, cid 0
*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 16 09:50:38.911: Vi3 IPCP: Address 192.168.176.2 (0x0306C0A8B002)
*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]
I think my VPDN configuration from Cisco side is not correct, but I cannot find configuration examples for this kind of solution.
*Sep 16 09:50:36.911: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
L2X_ADJ: Vi3:midchain adj reqd for ip 0.0.0.0, cid 0
*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 16 09:50:38.911: Vi3 IPCP: Address 192.168.176.2 (0x0306C0A8B002)
*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]
I think my VPDN configuration from Cisco side is not correct, but I cannot find configuration examples for this kind of solution.
Cisco Switching/Routing :: 7200 - QoS Input Policy Doesn't Classify ICMP Packet Based On DSCP
Dec 20, 2011I have made some test and i noticed that qos input policy does not classify the icmp packet based on their dscp.The 'match dscp ef' or 'match precedence 5' is not working only the 'match protocol icmp' shows hits.
We need to classify the different icmp packets based on dscp ( TOS ) for measurement purpose.CISCO 7200, 12.4.25d and 12.4.20T have a same behavior.
We need to classify the different icmp packets based on dscp ( TOS ) for measurement purpose.CISCO 7200, 12.4.25d and 12.4.20T have a same behavior.
Cisco Security :: Configuring IPSec VPN On 7200 Router
I am facing a problem when configuring the ipsec vpn on my 7200 router. [code]
Cisco AAA/Identity/Nac :: 7200 Default Network Access And CHAP
Feb 12, 2012I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I wan the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default netowrk access' which specifies these devices only however when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason but it does say that it failed on one of the rules in the 'default device admin' rule set.I even went to the bother of specifying a single IP address of one of the ISDN backup devices but the result is always the same.
Cisco VPN :: ASA5540 L2L IPSec And Packet Filtering
Mar 24, 2013I need to set up several L2L ipsec tunnels using ASA 5540 (8.2) as a central node and ASA 5505s (8.4) for branch offices. So far I've configured ipsec for the sake of testing between a 5540 and one of 5505, but it blocks ICMP between hosts behind ASAs. Although there's an echo response from 5540's inside interface (172.30.0.1) to echo requests from a host behind ASA 5505 and I see ipsec counters growing. I still can't figure it out despite hurting my eyes with cisco manuals for the relevant ASA software versions.
One thing I couldn't understand in the 8.4 documentation - it says I need ACLs to allow ipsec traffic on outside if I don't NAT/PAT it. Isn't it achieved with 'sysopt connection permit-vpn' or do I have to do it manually? I've actually tried adding access-groups for the 'in' traffic on outside and those ACLs get hits on both ASAs.
The packet-tracer shows some weird DROP at phase 6 on 5505, but I see no rule denying this traffic and the description doesn't mention implicit rules. [code]
One thing I couldn't understand in the 8.4 documentation - it says I need ACLs to allow ipsec traffic on outside if I don't NAT/PAT it. Isn't it achieved with 'sysopt connection permit-vpn' or do I have to do it manually? I've actually tried adding access-groups for the 'in' traffic on outside and those ACLs get hits on both ASAs.
The packet-tracer shows some weird DROP at phase 6 on 5505, but I see no rule denying this traffic and the description doesn't mention implicit rules. [code]
Cisco WAN :: 1841 / Packet Drop In Ipsec Tunnel?
Oct 23, 2012I have a 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem, the router and the model are connected with a FastEthernet interface). On another location I have a linux server.There is an ipsec tunnel (3des-sha esp) between the router and the linux server (actually done with a crypto mac).The router has a hierarchical QOS policy on the egress interface.When sending traffic from the network inside the router to the linux host without the ipsec tunnel, everything is working fine and throughput is correct.When sending traffic from the inside network to the linux host internal ip through the ipsec tunnel, some packets are lost and the traffic throughput decrease.When sending traffic through the tunnel in the reverse direction (from the linux host to the internal network), everything is fine.I looked at the QOS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there.I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping icmp packets size, but even small packets are sometimes lost.I tried to check the router CPU, but it seems relatively fine (<= 10%)I captured the traffic on both side, and I see the packets emitted, and then I can see that some of the esp packets of the corresponding side are not received, so it looks like the cisco router is the culprit. This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4,How can I troubleshoot where and why those packets are lost?
Cisco VPN :: Cannot Ping Packet Size Larger Than 9200 Over IPSec On ASR
Feb 22, 2011I have an existing site-2-site VPN between a Cisco 2621 router (IOS 12.3) and Cisco 1841 (IOS 12.3) and I can ping packet size of 17000 over the IPSec tunnel without any issue:c2621#ping 192.168.230.254 source f0/1 repeat 20 size 17000,Type escape sequence to abort.Sending 20, 17000-byte ICMP Echos to 192.168.230.254, timeout is 2 seconds:Packet sent with a source address of 192.168.208.254!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (20/20), round-trip min/avg/max = 144/146/148 msc2621#I replaced the Cisco 2621 with a more powerful ASR 1002 running IOS version asr1000rp1-adventerprisek9.03.01.00.S.150-1.S.bin. However, I can not ping packet size larger than 9200 over the IPSec tunnel:Feb 24 02:42:52.362: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:015 TS:00000015834854465792 %IPSEC-3-PKT_TOO_BIG: IPSec Packet size 10072 larger than maximum supported size 9216 hence dropping it.Success rate is 0 percent (0/10)asr1002# Why is not working? Basically the more expensive ASR router can not perform the same task as the old Cisco 2621 router.
Cisco VPN :: 3925e / IPsec Packet Batching - Increase Latency
Jun 14, 2011I just installed a new ISR G2 3925e (spe200 integrated) in a VPN environment it works well but I lost latency (it adds around 8-10 ms in the VPN) because of ' IPsec packet batching' :Queues multiple packets at the interrupt service routine level after being processed by crypto engine Reduces interrupt context switching by allowing one crypto interrupt for multiple crypto packetsIt's not very good specaly if you tunnel ToIP and/or video streamsI'm trying to find a solution how to disable it without impact other things or is there something planned soon to improve itfyi I use IOS c3900e-universalk9-mz.SPA.151-4.M.bin
Cisco VPN :: 2921 - IPSec Tunnel Random Packet Drops
Mar 15, 2013I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.
Pings outside the tunnel along the same path are fine.
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
Any pointers on finding where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
[Code].....
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.
Pings outside the tunnel along the same path are fine.
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
Any pointers on finding where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
[Code].....
Cisco VPN :: ASR901 Support IPsec - Cannot Encrypt ICMP Packet Back
Apr 25, 2013I'm trying to setup a GDOI based IPsec connection between a cisco AS901 (advanced Metro lic - asr901-universalk9-mz.152-2.SNI ) and a 7606-S.What I see is that the ASR901 is capable of decrypting the IPsec packet but I cannot encrypt the ICMP packet back, so the question is if the AS901 can support IPsec in software. What I could not find in the docs on CCO. [code]
Cisco AAA/Identity/Nac :: ACS 5.3 / 11014 RADIUS Packet Contains Invalid Attribute(s)?
Mar 19, 2012how I can determine what attribute is coming up as 'invalid' ?Tried full debug and looked at all the logs - nothing.
AAA/Identity/Nac :: ACS 5.3.0.40 With Blue Coat Packet Shaper Via Radius
Sep 3, 2012We have a strange issue may be an known issue. We have the ACS 5.3.0.40 with Bluecoat Packetshaper (Packeteer) as the Radius Client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with GUI in the PS end we get authentication failed. i.e its says invalid password but in the ACS end we get it as the Auth success log. We are not able to login to the PS as well. What is the issue anything to be done with the patch upgrade or any issue with the packetshaper? [code]
Cisco AAA/Identity/Nac :: ACS 5.3 - Application Failed To Start
Apr 28, 2012Although, ACS states its installed, after going through the startup. However when I do show application nothing comes up. When I do a application start acs, %Application failed to start.
Cisco AAA/Identity/Nac :: ACS 5.3 Secondary Registration Failed
Jun 5, 2013I've just had to rebuild my ACS appliance with new hardrives but I am unable to register the devices to each I get a system error. I thought it may have had something to do with the rebuilt device not being joined tothe domain but it has now been joined albeit using a different ad account, but still cannot register to primary.
Cisco AAA/Identity/Nac :: 802.1x Failed Authentication With WS-C3750G-24T
Mar 12, 2013I have already set up a lab comprising of 1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
Cisco AAA/Identity/Nac :: ISE V1.1 NAD 6500 Failed To Decrypt Key
Sep 11, 2012I´ve implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.[code].....
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.[code].....
Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed
Jun 27, 2012we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
Cisco AAA/Identity/Nac :: ACS 5.3.0.40 On-demand Full Backup Failed
Dec 27, 2012I have ACS 5.3.0.40 Primary Secondary Authenticators , of which the Scheduled backup has stopped.When checked the : Monitoring Configuration > System Operations > Data Management > Removal and Backup > Incremental Backup , it had changed to OFF mode. without any reason.Later i did the acs stop/start 'view-jobmanager' and initiated the On-demand Full Backup , but no luck, same error reported this time too.
Cisco AAA/Identity/Nac :: Wireless ISE - 12508 EAP-TLS Handshake Failed
Mar 21, 2013I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 ; source=local ; type=fatal ; message='X509 decrypt error - certificate signature failure', OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
[Code].....
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 ; source=local ; type=fatal ; message='X509 decrypt error - certificate signature failure', OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
[Code].....
Cisco AAA/Identity/Nac :: 3395 - Getting Error - Failed To Start DB
Oct 14, 2012While installing ISE 3395 i am getting error failed to start DB!
Database is not available withintimeout of 240 seconds.this could be reason of incorrect network configuration or lack of resources on the appliance or VM, run the folloing CLI to re-prime database 'application reset-config ise'
Database is not available withintimeout of 240 seconds.this could be reason of incorrect network configuration or lack of resources on the appliance or VM, run the folloing CLI to re-prime database 'application reset-config ise'
Cisco AAA/Identity/Nac :: 002SWC003 - ISE Dynamic Authorization Failed
Dec 5, 2012I am gettning warning messages in ISE saying
Cause:Dynamic Authorization Failed for Device: 0002SWC003 (switch)Details:Dynamic Authorization Failed
It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1. My end devices are none-802.1x. I can't figure out what is causing this error.
The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
Cause:Dynamic Authorization Failed for Device: 0002SWC003 (switch)Details:Dynamic Authorization Failed
It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1. My end devices are none-802.1x. I can't figure out what is causing this error.
The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
Cisco AAA/Identity/Nac :: ACS Version 5.2.0.26 / Failed MAB Authentication Logs
Jan 8, 2013Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
Cisco AAA/Identity/Nac :: Radius Authentication Failed On 6509
Jan 29, 2012I have configured Radius authentication on Windows 2008 server (NPS) The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/
Cisco AAA/Identity/Nac :: ACS 5.2 License File Installation Failed
Sep 19, 2011have a ACS 5.2 version installed on Vmware . I purchased below liscense
Product Name : L-CSACS-5-LRG-LIC=
Product Description : L-CSACS-5-LRG-LIC= : ACS 5 Large Deployment License (Electronic Delivery)
When i am trying to upgrade the liscense i am getting an Error ' Liscense file installation failed : The liscense file must contain single base liscense '
Product Name : L-CSACS-5-LRG-LIC=
Product Description : L-CSACS-5-LRG-LIC= : ACS 5 Large Deployment License (Electronic Delivery)
When i am trying to upgrade the liscense i am getting an Error ' Liscense file installation failed : The liscense file must contain single base liscense '
Cisco AAA/Identity/Nac :: Cannot Upgrade ACS 5.2 Transfer Failed (code 1)
Nov 29, 2011I am facing an issue with several ACS appliances (some other work well) when upgrading to version 5.2.0.26.8.
When I launch the command acs patch install, I receive the following error message (we use FTP):
Failed to copy file '5-2-0-26-8.tar.gpg' from repository PatchRepository
(Error -302)
% Error: patch install 5-2-0-26-8.tar.gpg from repository PatchRepository - transfer failed (code 1)
This happens on three appliances but I could successfully upgrade 4 other appliances.
What is the reason behind this error code ? What could I do solve it ? I have already tried to create another repository on another server, without success.
When I launch the command acs patch install, I receive the following error message (we use FTP):
Failed to copy file '5-2-0-26-8.tar.gpg' from repository PatchRepository
(Error -302)
% Error: patch install 5-2-0-26-8.tar.gpg from repository PatchRepository - transfer failed (code 1)
This happens on three appliances but I could successfully upgrade 4 other appliances.
What is the reason behind this error code ? What could I do solve it ? I have already tried to create another repository on another server, without success.
AAA/Identity/Nac :: Command Authorization Failed In TACACS With ACS 4.2
Feb 2, 2012We have a group in TACACS ACS4.2. I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says 'command authorization failed'.
AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed
May 5, 2011I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is 'Login incorrect'. I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
tacacs-server key 7 'xxxxxxxxxxxxx'aaa group server tacacs+ tac_admin server xx.xx.xx.xx
aaa authentication login default group tac_admin local aaa authentication login console group tac_admin local aaa accounting default group tac_admin
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is 'Login incorrect'. I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
tacacs-server key 7 'xxxxxxxxxxxxx'aaa group server tacacs+ tac_admin server xx.xx.xx.xx
aaa authentication login default group tac_admin local aaa authentication login console group tac_admin local aaa accounting default group tac_admin
Cisco AAA/Identity/Nac :: ASA 5520 Failover Exec Authorization Failed
Mar 14, 2013I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
failover exec standby dir disk0:/
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
I don't even see the authentication attempt going into ACS.
failover exec standby dir disk0:/
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
I don't even see the authentication attempt going into ACS.
Cisco AAA/Identity/Nac :: WLC To ACS 4400 V5 To AD - 12309 PEAP Handshake Failed
Feb 25, 2010I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
Cisco AAA/Identity/Nac :: ACS 5.2 Failed Authenticate With Same Voice And Data Vlan
Apr 14, 2011I have a question its posible to authenticate an cisco phone and PC with the same vlan(voice and data)when i do this configuratión , the phone and pc dont work. The phone display registering and never finished.interface FastEthernet0/5 switchport mode access switchport voice vlan 1 authentication event fail action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication host-mode multi-domain authentication port-control auto authentication periodic authentication violation protect mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfastend.
When I was troubleshooting a VPN tunnel on a Cisco ASA, 100% of the packets coming over the tunnel were being counted as
#recv errors
. It turns out that these errors can go up if there are anti-replay failures, corrupted packets, or other decapsulation errors. Because 100% of my packets were being counted for this I assumed it wasn’t a corrupted packet or decapsulation error and began looking into anti-replay problems.Show the error count
Let’s take a look at some show commands and configs.
The ACL for this tunnel is only one line:
Enable Debugs
Let’s turn on the following debug and take a look:
debug crypto ipsec 1
Jan 19 2015 20:00:43: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x76F99C4C, sequence number= 0x2D) from 93.184.216.34 (user= 93.184.216.34) to 11.11.11.11. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.10.10.11, its source as 10.14.155.11, and its protocol as icmp. The SA specifies its local proxy as 10.10.10.11/255.255.255.255/ip/0 and its remote_proxy as 192.168.60.60/255.255.255.255/ip/0.
This is a fantastic clue! What the debug is telling us is that when traffic comes over the tunnel it’s expected to look like:
From:
192.168.60.60
To: 10.10.10.11
But instead it’s looking like this:
From:
10.14.155.11
To: 10.10.10.11
This likely means that the remote side either does not have the same ACL defined on it OR it is NATing incorrectly.