Manuals / Cisco Systems / Household Appliance / Home Safety Product

Cisco Systems VPN 3002 manual 12-17

Models: VPN 3002

1 282

Download 282 pages 2.25 Kb

Page 143

12-17

Chapter 12 Administration

Certificate Management

If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting.

Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3002 is correct and synchronized with network time. See Configuration System Servers NTP and Configuration System General Time and Date.

You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

Installing CA Certificates Automatically Using SCEP

If you plan to use SCEP to enroll for identity or SSL certificates, you must obtain the associated CA certificate using SCEP. The Manager does not let you enroll for a certificate from a CA unless that CA was installed using SCEP. A certificate that is obtained via SCEP and therefore capable of issuing other SCEP certificates is called SCEP-enabled.

Tip In order to obtain CA certificates using SCEP, you need to know the URL of your CA. Find out your CA’s URL before beginning the following steps.

Step 1 Using the VPN 3002 Hardware Client Manager, display the Administration Certificate Management screen. (See Figure 12-19.)

Figure 12-19 Administration Certificate Management Screen

		VPN 3002 Hardware Client Reference
		VPN 3002 Hardware Client Reference
	OL-1893-01			12-17
	OL-1893-01			12-17

Image 143

Cisco Systems VPN 3002 manual 12-17

Contents

170 West Tasman Drive San Jose, CA Release NovemberCorporate Headquarters Cisco Systems, IncCopyright 2001, Cisco Systems, Inc VPN 3002 Hardware Client ReferenceC O N T E N T S ConfigurationSystem Configuration Configuration | SystemConfiguration System Management Protocols Configuration | System | Servers | DNSConfiguration | System | Tunneling Protocols Configuration | System | IP RoutingAdministration | Access Rights Configuration | Policy ManagementAdministration Administration | PingMonitoring | System Status MonitoringMonitoring | Routing Table Monitoring | Live Event LogMonitoring | Statistics | MIB-II| IP Files for Troubleshooting A-1LED Indicators Monitoring | Statistics | MIB-II78-13782-01 viiiContents Chapter PrefacePrerequisites OrganizationChapter ChapterTitle DescriptionVPN Client Documentation Related DocumentationVPN 3002 Hardware Client Documentation VPN 3000 Series Concentrator Documentationboldface font Documentation conventionsOther References ConventionDocumentation CD-ROM Obtaining DocumentationData Formats World Wide WebCisco.com Obtaining technical assistanceOrdering documentation Documentation feedbackContacting TAC by telephone Contacting TAC by using the Cisco TAC websiteTechnical Assistance Center OL-1893-01 Preface Obtaining technical assistanceVPN 3002 Hardware Client Reference C H A P T E R Using the VPN 3002 Hardware Client ManagerVPN 3002 Hardware Client Browser Requirements Navigation Toolbar Connecting to the VPN 3002 Using HTTPRecommended PC Monitor/Display Settings JavaScript and CookiesOL-1893-01 Installing the SSL Certificate in Your BrowserInstalling the SSL Certificate in Your Browser VPN 3002 Hardware Client ReferenceFigure 1-2Install SSL Certificate Screen 4.Click Install Certificate 5.Click Next to continue 7.Click Finish Viewing Certificates with Internet Explorer Installing the SSL Certificate with Netscape 1-10 ReinstallationFirst-timeInstallation 2.Click Next> to proceed 1-111-12 1-13 8.Click Continue1-14 Viewing Certificates with NetscapeClick OK when finished 1-151-16 Connecting to the VPN 3002 Using HTTPSConfiguring HTTP, HTTPS, and SSL Parameters 1-17 Logging into the VPN 3002 Hardware Client ManagerVPN 3002 Hardware Client Reference 1-18Figure 1-27Manager Main Welcome Screen Logging into the VPN 3002 Hardware Client ManagerVPN 3002 Hardware Client Reference Interactive Hardware Client AuthenticationIndividual User Authentication 1-19Step 1 Click the Connect Now button Step 1 Click the Connection Login Status button1-20 The Connection/Login Status screen displaysStep 2 Click Connect 1-21Figure 1-31Connection Login Status Screen Figure 1-33Connection/Login Status Screen 1-22Figure 1-32Individual User Authentication Screen OL-1893-01 1-23VPN 3002 Hardware Client Reference Top frame Title barStatus bar Mouse pointer and tipsConfiguration ResetRestore Table of Contents1-26 Open or expandedMain frame Manager screen–Interfaces: Ethernet parameters 1-27Figure 1-35Manager Table of Contents Navigating the VPN 3002 Hardware Client Manager1-28 C H A P T E R ConfigurationConfiguration OL-1893-01 Chapter 2 Configuration ConfigurationVPN 3002 Hardware Client Reference C H A P T E R Configuration | InterfacesInterfaces DNS Domain Name InterfaceEthernet 1 Private, Ethernet 2 Public DNS ServersSubnet Mask Default GatewayStatus IP AddressIP Address Configuration | Interfaces | PrivateDisabled Static IP AddressingDuplex Apply/CancelSubnet Mask SpeedDisabled Configuration | Interfaces | PublicDHCP Client PPPoE ClientStatic IP Addressing PPPoE PasswordVerify PPPoE Password PPPoE User NameReminder Apply / CancelDuplex C H A P T E R System ConfigurationConfiguration | System OL-1893-01 Chapter 4 System ConfigurationConfiguration | System VPN 3002 Hardware Client ReferenceC H A P T E R Configuration | System | ServersConfiguration | System | Servers | DNS ServersSecondary DNS Server EnabledDomain Primary DNS ServerConfiguration | System | Servers | DNS Timeout PeriodTimeout Retries Apply / CancelOL-1893-01 Configuration | System | Servers | DNSChapter VPN 3002 Hardware Client ReferenceC H A P T E R TunnelingConfiguration System Tunneling Protocols Remote Server Backup ServersAbout Backup Servers IPSec over TCP Port IPSec over TCPAbout IPSec over TCP Use CertificateCertificate Transmission GroupPassword PasswordUser VerifyTunneling ChapterVPN 3002 Hardware Client Reference OL-1893-01C H A P T E R Configuration | System | IP RoutingIP Routing Chapter 7 IP Routing Static RoutesAdd / Modify / Delete ReminderSubnet Mask Network AddressMetric Interface Add or Apply / CancelDestination Destination Router AddressReminder Default GatewayApply / Cancel MetricEnabled Configuration | System | IP Routing | DHCPLease Timeout Address Pool Start/EndReminder DHCP OptionAdd/Modify/Delete Apply/CancelReminder Option ValueDHCP Option Nonconfigurable DHCP Options OL-1893-01 7-10Chapter 7 IP Routing VPN 3002 Hardware Client ReferenceC H A P T E R Configuration | System | Management ProtocolsManagement Protocols About HTTP/HTTPS Enable HTTPHTTPS Port Enable HTTPSEnable HTTPS on Public HTTP PortVPN 3002 Hardware Client Reference Enable TelnetChapter 8 Management Protocols Maximum Connections Enable Telnet/SSLTelnet Port Telnet/SSL PortApply / Cancel Enable SNMPSNMP Port Maximum Queued RequestsReminder Reminder Community StringsCommunities | Add or Modify Add/Modify/DeleteReminder Community StringAdd or Apply / Cancel Related information 8-108-11 Client AuthenticationEncryption Algorithms Apply/Cancel SSL VersionGenerated Certificate Key Size 8-12OL-1893-01 8-13Chapter 8 Management Protocols VPN 3002 Hardware Client ReferenceKey Regeneration Period Enable SSHEnable SSH on Public SSH PortReminder 8-15Apply / Cancel To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screenChapter 8 Management Protocols Enable XML8-16 Enable HTTPS on PublicSSH Wildcard-mask HTTPS IP AddressHTTPS Wildcard-mask SSH IP AddressOL-1893-01 8-18Chapter 8 Management Protocols VPN 3002 Hardware Client ReferenceClass Name EventsEvent Class Class Description Event SourceEVENTMIB Class Description Event SourceClass Name Cisco-specificEvent ClassDescription Event Severity LevelLevel CategoryEvent Log Data Event LogFigure 9-1Configuration | System | Events Screen Configuration | System | EventsConfiguration System Events General String Syslog FormatCisco IOS Severity Severity to LogSeverity to Console Severity to SyslogTo send this “well-known” Configuration | System | Events | ClassesConfigure either General event Severity to TrapReminder Configured Event ClassesAdd/Modify/Delete 9-10 EnableClass Name Modify screenSeverity to Syslog Add or Apply/Cancel9-11 Severity to ConsoleChapter Trap Destinations9-12 Add/Modify/DeleteDestination SNMP VersionCommunity 9-13Add or Apply/Cancel Configuration System Events Syslog ServersPort 9-14Reminder Syslog Servers9-15 Add/Modify/DeletePort Syslog ServerFacility 9-16Reminder 9-17Add or Apply/Cancel To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers listOL-1893-01 9-18Chapter VPN 3002 Hardware Client ReferenceC H A P T E R Configuration | System | GeneralGeneral 10-1Location Configuration | System | General | IdentificationSystem Name ContactNew Time Configuration | System | General | Time and DateEnable DST Support Current TimeChapter 10 General 10-4Configuration | System | General | Time and Date Reminder11-1 Policy ManagementClient Mode/PAT Client Mode with Split TunnelingNetwork Extension Mode Network Extension Mode11-2 Chapter 11 Policy Management11-3 Network Extension Mode with Split Tunneling11-4 Tunnel InitiationData Initiation Step 2 Click Connect NowTunneling Policy Configuration | Policy ManagementTraffic Management ModeEnable Configuration Policy Management TrafficManagement | PAT 11-6Reminder PAT Enabled11-7 Apply/CancelOL-1893-01 11-8Chapter 11 Policy Management VPN 3002 Hardware Client ReferenceC H A P T E R AdministrationAdministration 12-1Figure 12-1Administration Screen Administration | Software Update12-2 12-3 Upload/CancelCurrent Software Revision Browse12-4 Software Update ProgressSoftware Update Success Software Update ErrorAdministration | System Reboot Administration | System Reboot12-5 Chapter 12 AdministrationFigure 12-6Administration | System Reboot Screen ConfigurationAction 12-6Apply/Cancel Administration | PingWhen to Reboot/Shutdown 12-7Success Ping Ping/CancelError Ping Address/Hostname to PingFigure 12-10Administration | Access Rights Screen Administration | Access RightsAdministration | Access Rights | Administrators 12-912-10 AdministratorPassword VerifySession Limit Administration | Access Rights | Access SettingsSession Idle Timeout Encrypt Config File12-12 Administration | File ManagementView Save Delete12-13 Swap Config FilesConfig File Upload via HTTP OK/CancelUpload/Cancel Local Config File/BrowseFile Upload Progress 12-1412-15 File Upload ErrorFile Upload Success 12-16 Enrolling and Installing Digital CertificatesCertificate Management 12-17 12-18 12-19 Installing CA Certificates ManuallyField Name Enrolling and Installing Identity CertificatesRecommended Content AbbrevVerify Challenge Password 12-2112-22 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The VPN 3002 sends the certificate request to the CA 12-2312-24 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure 12-25Certificate Obtained via Enrollment Screen 12-2612-27 Obtaining SSL Certificates 12-29 Enabling Digital Certificates on the VPN12-30 Deleting Digital Certificates12-31 Administration | Certificate ManagementCertificate Authority Fields ContentCertificate Authorities Table Identity Certificates Table12-33 SSL Certificate Table GenerateFields 12-34Content Subject/IssuerContent Enrollment Status TableRemove All 12-35Status 12-36Content Field12-37 Administration | Certificate Management | EnrollIdentity Certificate SSL CertificateEnroll via SCEP at Name of SCEP CA Install a New SA Using SCEP before EnrollingType Enroll via PKCS10 Request Manual12-39 Enroll / CancelFields Chapter 12 Administration Go to Certificate ManagementGo to Certificate Enrollment 12-40Fields Go to Certificate Installation12-41 VPN 3002 Hardware Client Reference 12-42Enroll / Cancel Chapter 12 AdministrationFields CancelEnroll 12-43Install Certificate Obtained via Enrollment Administration | Certificate Management | InstallInstall CA Certificate Install SSL Certificate with Private KeyCertificate Obtained via Enrollment Screen 12-45Enrollment Status Table 12-46 SCEP Simple Certificate Enrollment ProtocolCut & Paste Text Upload File from Workstation12-47 Retrieve / CancelCA Descriptor Password Install / CancelCertificate Text 12-48Install / Cancel Filename / Browse12-49 PasswordAdministration | Certificate Management | View Administration | Certificate Management | View12-50 Chapter 12 AdministrationField Certificate Fields12-51 ContentField Back12-52 ContentCertificate Administration | Certificate Management |Configure CA Certificate SCEP ConfigurationApply / Cancel Administration | Certificate Management | RenewalPolling Limit 12-54Renewal Type Challenge PasswordVerify Challenge Password Renew / CancelGo to Certificate Management 12-56Go to Certificate Installation StatusFields Administration | Certificate Management | Delete12-57 Administration | Certificate Management | View Enrollment RequestYes / No 12-58Field Enrollment Request Fields12-59 ContentContent Cancel Enrollment Request12-60 Administration Certificate ManagementFields Delete Enrollment Request12-61 Administration | Certificate Management |To delete this enrollment request, click Yes 12-62Fields Yes / NoFigure 13-1Monitoring Screen Monitoring13-1 C H A P T E RAddress Monitoring | Routing TableClear Routes Valid Routes13-3 Monitoring | Filterable Event LogMetric Client IP Address Select Filter OptionsEvent Class SeveritiesThere is no undo Event Log FormatGet Log Clear LogEvent Class/Number Monitoring | Live Event LogEvent Time Event SeverityRestart TimerPause Display/Resume Display Clear Display13-8 ResetRestore Monitoring | System StatusSoftware Rev Bootcode RevRefresh VPN Client TypeSecurity Associations AuthenticationTunnel Established to Duration13-11 Front PanelBack Panel OtherBack 13-12Restore RefreshTx Multicast Rx UnicastTx Unicast Rx MulticastUsername Cisco IP Phone Bypass Enabled/DisabledLogin Time Monitoring | User Status13-15 Monitoring | StatisticsRestore Monitoring Statistics IPSec13-16 ResetReceived Bytes IKE Phase 1 StatisticsActive Tunnels Total TunnelsInvalid Phase-2Exchanges Sent Received Phase-2ExchangesSent Phase-2Exchanges Invalid Phase-2Exchanges ReceivedFailed Initiated Tunnels Phase-2SA Delete Requests SentAuthentication Failures Initiated TunnelsActive Tunnels IPSec Phase 2 StatisticsReceived Packets Dropped Anti-Replay 13-20Failed Outbound Authentications Inbound AuthenticationsFailed Inbound Authentications Outbound AuthenticationsSystem Capability Failures Monitoring Statistics HTTPProtocol Use Failures 13-22Peak Octets Sent/ReceivedPackets Sent/Received Packets Sent Sockets/SessionsMax Connections Login NameLogin Time HTTP SessionsReset Monitoring | Statistics | TelnetActive Sessions 13-25Telnet Sessions Inbound Octets CommandAttempted Sessions Successful Sessions13-27 Monitoring | Statistics | DNSRequests ResponsesOther Failures TimeoutsMonitoring | Statistics | SSL Server UnreachableEncrypted Outbound Octets Unencrypted Inbound OctetsEncrypted Inbound Octets Unencrypted Outbound Octets13-30 Monitoring | Statistics | DHCPActive Leases Maximum Active LeasesTime Left Pool StartPool End Leased IP AddressRestore Monitoring | Statistics | SSH13-32 ResetLogin Name SSH SessionsRemote IP Address:Port 13-33Reset Monitoring | Statistics | NATPackets In/Out 13-34Translations Total NAT SessionsTranslations Active Translations PeakReset Monitoring | Statistics | PPPoETranslated Bytes/Packets 13-36User Name PPPoE Access ConcentratorPADI Timeouts PADR TimeoutsMalformed Packets Rx Generic Errors RxPADT Rx PADT Tx13-39 Monitoring | Statistics | MIB-IIRestore Monitoring | Statistics | MIB-II| Interfaces13-40 ResetMulticast Out Unicast InUnicast Out Multicast InReset Monitoring | Statistics | MIB-II| TCP/UDPTCP Segments Received 13-42TCP Segments Retransmitted TCP Timeout MinTCP Timeout Max TCP Segments TransmittedUDP Datagrams Received TCP Established ResetsUDP Errored Datagrams TCP Current EstablishedRestore Monitoring | Statistics | MIB-II| IP13-45 ResetPackets Received Unknown Protocols Packets Received Header ErrorsPackets Received Address Errors Packets Received TotalOutbound Packets with No Route Fragments Needing ReassemblyReassembly Successes Reassembly FailuresReset Monitoring Statistics MIB-II ICMPTotal Received/Transmitted 13-48Time Exceeded Received/Transmitted Errors Received/TransmittedParameter Problems Received/Transmitted Destination Unreachable Received/TransmittedAddress Mask Replies Received/Transmitted Timestamp Requests Received/TransmittedTimestamp Replies Received/Transmitted Address Mask Requests Received/TransmittedChapter 13 Monitoring Monitoring | Statistics | MIB-II| ARP Table13-51 Refresh13-52 Physical AddressMapping Type Action/DeleteRestore Monitoring | Statistics | MIB-II| Ethernet13-53 ResetSQE Test Errors Alignment ErrorsFCS Errors Carrier Sense ErrorsSpeed Mbps MAC Errors: TransmitMAC Errors: Receive Excessive Collisions13-56 Monitoring | Statistics | MIB-II| SNMPRequests Received Bad VersionProxy Drops Parsing ErrorsBad Community String Silent DropsVPN 3002 Hardware Client Reference 13-58Chapter 13 Monitoring Monitoring | Statistics | MIB-II| SNMP14-1 Using the Command-LineInterfaceAccessing the Command-lineInterface Console Access14-2 Starting the Command-lineInterfaceTelnet or Telnet/SSL access 14-3 Using the Command-lineInterfaceChoosing Menu Items Entering Values14-4 Using Shortcut NumbersNavigating Quickly 14-5 Using Back and HomeGetting Help Information 14-6 Saving the Configuration FileStopping the Command-lineInterface Understanding Access RightsMenu Reference 1Configuration1.1 Configuration > Quick Configuration 1.2 Configuration > Interface Configuration1.3.1Configuration > System Management > Servers 1.3Configuration > System Management2.1 Administration > Software Update 2Administration1.4Configuration > Policy Management 14-10 2.2Administration > System Reboot2.3Administration > Ping 2.4Administration Access Rights2.6Administration > Certificate Management 2.5 Administration > File Management3 Monitoring 3.3 Monitoring > System Status 3.1 Monitoring > Routing Table3.2Monitoring > Event Log 3.2.2 Monitoring > Event Log > View Event Log3.5Monitoring > General Statistics 3.4 Monitoring > User StatusCrash Dump File Troubleshooting and System ErrorsFiles for Troubleshooting Event LogsCrash Dump File LED IndicatorsConfiguration Files VPN 3002 Front LEDsVPN 3002 Rear LEDs System ErrorsProblem or Symptom Possible Solutionon Connect Now Settings on the VPN ConcentratorSeries Concentrator Reference Volume the VPN 3002 Hardware Client User ReferenceInvalid Login or Session Timeout VPN 3002 Hardware Client Manager ErrorsManager Logs Out ProblemSolution LoginPossible cause Error MessageIncorrect Display Back or Forward onPossible cause Not Allowed MessageProblem SolutionSolution Not Foundinterface supported ProblemProblem Command-lineInterface ErrorsError A-10IN-1 NumericsI N D E help command See CLIIN-2 errors A-10IN-3 IN-4 IN-5 IN-6 IN-7 IN-8 See also tunnelIN-9 IN-10 IN-11 OL-1893-01 IN-12Index VPN 3002 Hardware Client Reference