Introduction
Due to the nature of DPM, and how it handles its DCOM connections, it will not work across a Cisco ASA's VPN tunnel because of the ASA's DCERPC packet inspection.
This guide will serve as a quick solution to this issue. Cisco has documentation on this issue at the following link: https://supportforums.cisco.com/document/67706/dcerpc-inspection-asapixfwsm#Troubleshooting. Even after completing that guide our issues still persisted, so the above link may or may not solve your problem.

Steps (5 total)
Step 1. We need to first establish a basic connectivity check. Please ping both DPM sides of each tunnel. Example: DPM server 1 pings remote DPM server 2, then DPM server 2 pings DPM server 1. If this is successful, continue to step 2. If you cannot successfully send ICMP packets, you have a much deeper network issue. This could be as complex as a tunnel routing issue, or as simple as Windows Firewall running on one of the servers.
Step 2. You should already have a copy of PuTTY (I mean, how can you be in IT and not use PuTTY... but I digress ;) ). Please use this link to download a current version of PuTTY.
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Step 3. Next open PuTTY and ASDM; with ASDM launched, please make sure to have Monitoring turned on. In PuTTY select Telnet, change the port from 22 to port 135, and under Host Name enter the IP of your remote DPM server. Now click Open. PuTTY should quickly disappear, and you should notice a DCERPC error in the ASDM Monitor. You may also see errant packets stating a failure to open pinholes. If you are seeing this, you do have a DCOM issue. Proceed to the next step.
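The PuTTY test above only tells you "the window went away". The following is an added example, not part of the original guide, that scripts the same probe from the local DPM server: it pings the remote host (step 1) and then attempts a plain TCP connection to the RPC endpoint mapper port 135 (step 3), separating the three outcomes a practitioner cares about. Completed handshake means the SYN/SYN-ACK was allowed through; an RST means something answered but nothing is listening (Windows Firewall, RPC service, wrong host); no answer at all means the flow was dropped on the path, which is where DCERPC inspection drops show up in ASDM Monitoring. The host name `dpm2.example.test` is a placeholder, and the port, timeouts and messages are assumptions of this example.

```python
"""Added example: scripted version of the step-1 ping and step-3 TCP/135 probe.
Host name below is a placeholder; nothing is taken from a real environment."""
import socket
import subprocess
import sys

RPC_EPM_PORT = 135  # DCE/RPC endpoint mapper; DCOM negotiates its dynamic ports from here


def ping(host: str, count: int = 2) -> bool:
    """Step-1 check: ICMP reachability using the OS ping binary (exit code 0 = reply)."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    result = subprocess.run(
        ["ping", count_flag, str(count), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def probe_tcp(host: str, port: int = RPC_EPM_PORT, timeout: float = 3.0) -> str:
    """Step-3 check: return 'open', 'refused', 'timeout' or 'error'.

    'open'    - TCP handshake completed (the 'black screen' result in PuTTY).
    'refused' - an RST came back: a host answered but nothing listens on the port.
    'timeout' - no answer: the flow is being dropped somewhere on the path.
    'error'   - local failure (name resolution, no route) before any packet left.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def interpret(outcome: str) -> str:
    """Map a probe outcome onto the guide's next step."""
    return {
        "open": "TCP/135 handshake completed; the ASA is not blocking the connection "
                "setup. Later DCERPC traffic may still be inspected, so check DPM itself.",
        "refused": "Host answered with RST: check Windows Firewall and the RPC service "
                   "on the remote DPM server (step 1 territory).",
        "timeout": "No response: the flow is dropped on the path. Look for DCERPC "
                   "inspection drops in ASDM Monitoring (step 3) or tunnel routing (step 1).",
        "error": "Local socket error (name resolution or routing); fix local connectivity first.",
    }[outcome]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "dpm2.example.test"  # placeholder
    print("ICMP:", "ok" if ping(target) else "FAILED")
    outcome = probe_tcp(target)
    print(f"TCP/{RPC_EPM_PORT}: {outcome} -> {interpret(outcome)}")
```

Run it from each DPM server against the other, as the guide does with PuTTY from both sides; a 'timeout' from one direction only usually points at an asymmetric ACL or routing problem rather than inspection.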
Step 4. At this point you have two choices. Choice 1 is to attempt Cisco's solution: https://supportforums.cisco.com/document/67706/dcerpc-inspection-asapixfwsm#Troubleshooting. After making the changes, re-attempt the telnet session with PuTTY described in step 3. If successful, telnet will display a black screen and that is all. You may then close PuTTY and check your DPM session. If your DPM session is active you are done; if it is still not working, that leads us to choice 2, step 5: disabling DCERPC inspection.
Step 5. Hopefully you still have ASDM open; if not, please re-open it. Upon opening, click Configuration, then Firewall, then Service Policy Rules. Now click Edit on the global-class rule. Under Rule Actions uncheck DCERPC; this disables the ASA's inspection of this protocol. Now apply your changes and save them. Attempt your telnet session over port 135 again; it should now be successful. DPM 2010 is now ready to perform backups over your WAN VPN connection.
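For anyone working from the CLI instead of ASDM, the same change as an added example (not from the original guide or from Cisco's document). It assumes the ASA default policy names, `global_policy` applied globally with the `inspection_default` class, which is what ASDM shows as the global-class rule; confirm the names in your own running configuration before editing, and note that with inspection off the ASA no longer opens pinholes for the dynamic RPC ports, so the tunnel's crypto ACLs and any interface ACLs must already permit the Windows dynamic port range (TCP 49152-65535 on Server 2008 and later) between the two DPM servers.

```text
! 1. Confirm the policy and class names and that dcerpc is currently inspected
show running-config policy-map
show service-policy inspect dcerpc

! 2. Weak-for-DPM setting: the default global policy inspecting DCERPC
policy-map global_policy
 class inspection_default
  inspect dcerpc

! 3. The change the guide makes in ASDM: remove DCERPC inspection from the class
policy-map global_policy
 class inspection_default
  no inspect dcerpc

! 4. Verify the inspection is gone, then save
show service-policy inspect dcerpc
write memory
```

After the change, repeat the port-135 test from step 3 and watch ASDM Monitoring; the "failure to open pinholes" messages should no longer appear for the DPM hosts.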