AAA Accounting through a NAT device

Good Day to you all,
I am trying to configure aaa accounting through a natted device to a ACS 4.0 server. the information is logged ok but is logged as the device that is performing the natting. is there a way to configure aaa accounting to show the acctual device being updated in the ACS logs

Assuming its RADIUS...
Is it possible to get the originating device to include the NAS-IP-Address or NAS-Identifier attributes in the accounting records?
This will be the actual device values rather than the peer address of the NAT device.

Similar Messages

  • Site to SIte VPN through a NAT device

    I, i am having some trouble running a site to site vpn between two 3725 routers running c3725-advsecurityk9-mz124-15T1 which i hope i can get some help with, i am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but i have had to move one of the firewalls inside onto a private IP. The setup is now as below
    VPN router A(192.168.248.253)---Company internal network----Fortigate FW-----internet----(217.155.113.179)VPN router B
    Now the fortigate FW is doing some address translations
    - traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
    - traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
    - The firewall rules allow any traffic between the 2 devices, no port lockdown enabled.
    - The 37.205.62.5 address is used by nothing else.
    I basically have a GRE tunnel between the two routers and i am trying to encrypt it.
    Router A is showing the below
    SERVER-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
    Peer = 217.155.113.179
    Extended IP access list 101
    access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
    Current peer: 217.155.113.179
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    STRONG,
    Interfaces using crypto map S2S_VPN:
    FastEthernet0/1
    SERVER-RTR#show crypto sessio
    Crypto session current status
    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 217.155.113.179 port 500
    IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
    Active SAs: 0, origin: crypto map
    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 217.155.113.179 port 4500
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
    Router B is showing the below
    BSU-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
    Peer = 37.205.62.5
    Extended IP access list 101
    access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
    Current peer: 37.205.62.5
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    STRONG,
    Interfaces using crypto map S2S_VPN:
    FastEthernet0/1
    BSU-RTR#show crypto sess
    Crypto session current status
    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 37.205.62.5 port 500
    IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
    Active SAs: 0, origin: crypto map
    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 37.205.62.5 port 4500
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
    I can see the counters incrementing over the ACL on both routers so i know GRE traffic is interesting.
    Here are some debugs too
    Router A
    debug crypto isakmp
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
    *Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
    *Mar 2 23:07:20.794: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
    *Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
    *Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
    *Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
    *Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
    *Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
    *Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    *Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
    *Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
    *Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
    *Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Mar 2 23:07:20.798: ISAKMP: encryption DES-CBC
    *Mar 2 23:07:20.798: ISAKMP: hash SHA
    *Mar 2 23:07:20.798: ISAKMP: default group 1
    *Mar 2 23:07:20.798: ISAKMP: auth pre-share
    *Mar 2 23:07:20.798: ISAKMP: life type in seconds
    *Mar 2 23:07:20.798: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    *Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
    *Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    *Mar 2 23:07:20.802: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    *Mar 2 23:07:20.822: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    *Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
    *Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
    *Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP (0:1027): NAT found, the node inside NAT
    *Mar 2 23:07:20.854: ISAKMP:received payload type 20
    *Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM3
    *Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM4
    *Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
    *Mar 2 23:07:20.902: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4 New State = IKE_R_MM5
    *Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
    *Mar 2 23:07:20.902: ISAKMP (0:1027): ID payload
    next-payload : 8
    type : 1
    address : 217.155.113.179
    protocol : 17
    port : 0
    length : 12
    *Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
    *Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
    authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
    *Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
    *Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
    *Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
    *Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
    *Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
    authenticated
    *Mar 2 23:07:20.906: ISAKMP:(1027): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
    *Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
    *Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.
    *Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
    *Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
    *Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
    *Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_R_MM5
    *Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
    *Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    *Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar 2 23:07:20.910: ISAKMP (0:1027): ID payload
    next-payload : 8
    type : 1
    address : 192.168.248.253
    protocol : 17
    port : 0
    length : 12
    *Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
    *Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
    *Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
    *Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    *Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    *Mar 2 23:07:20.930: ISAKMP (0:1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
    *Mar 2 23:07:20.934: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
    *Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
    *Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
    *Mar 2 23:07:20.934: ISAKMP: attributes in transform:
    *Mar 2 23:07:20.934: ISAKMP: encaps is 3 (Tunnel-UDP)
    *Mar 2 23:07:20.934: ISAKMP: SA life type in seconds
    *Mar 2 23:07:20.934: ISAKMP: SA life duration (basic) of 3600
    *Mar 2 23:07:20.934: ISAKMP: SA life type in kilobytes
    *Mar 2 23:07:20.934: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    *Mar 2 23:07:20.934: ISAKMP: key length is 128
    *Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
    *Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
    *Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
    *Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1688526152, message ID = 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
    *Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
    *Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_READY
    *Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
    *Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
    *Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE )
    *Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
    *Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
    *Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    *Mar 2 23:07:24.530: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
    *Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 3268378219, message ID = 1318257670, sa = 6464D3F0
    *Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
    *Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
    *Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
    *Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720
    Router B
    debug crypto isakmp
    1d23h: ISAKMP:(0): SA request profile is (NULL)
    1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
    1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
    1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
    1d23h: ISAKMP: local port 500, remote port 500
    1d23h: ISAKMP: set new node 0 to QM_IDLE
    1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
    1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
    1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    1d23h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
    1d23h: ISAKMP:(0): beginning Main Mode exchange
    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
    1d23h: ISAKMP:(0): processing SA payload. message ID = 0
    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(0): local preshared key found
    1d23h: ISAKMP : Scanning profiles for xauth ...
    1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    1d23h: ISAKMP: encryption DES-CBC
    1d23h: ISAKMP: hash SHA
    1d23h: ISAKMP: default group 1
    1d23h: ISAKMP: auth pre-share
    1d23h: ISAKMP: life type in seconds
    1d23h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
    1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
    1d23h: ISAKMP:(0):Acceptable atts:life: 0
    1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
    1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
    1d23h: ISAKMP:(0)::Started lifetime timer: 86400.
    1d23h: ISAKMP:(0): processing vendor id payload
    1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
    1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
    1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
    1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
    1d23h: ISAKMP:(0): processing KE payload. message ID = 0
    1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
    1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is Unity
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): vendor ID is DPD
    1d23h: ISAKMP:(1034): processing vendor id payload
    1d23h: ISAKMP:(1034): speaking to another IOS box!
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP:received payload type 20
    1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM4
    1d23h: ISAKMP:(1034):Send initial contact
    1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    1d23h: ISAKMP (0:1034): ID payload
    next-payload : 8
    type : 1
    address : 217.155.113.179
    protocol : 17
    port : 0
    length : 12
    1d23h: ISAKMP:(1034):Total payload length: 12
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM5
    1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
    1d23h: ISAKMP (0:1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 33481563 to QM_IDLE
    1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
    1d23h: ISAKMP:received payload type 18
    1d23h: ISAKMP:(1033):Processing delete with reason payload
    1d23h: ISAKMP:(1033):delete doi = 1
    1d23h: ISAKMP:(1033):delete protocol id = 1
    1d23h: ISAKMP:(1033):delete spi_size = 16
    1d23h: ISAKMP:(1033):delete num spis = 1
    1d23h: ISAKMP:(1033):delete_reason = 11
    1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
    1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.
    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
    1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1033):purging node 1618266182
    1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
    1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
    1d23h: ISAKMP (0:1034): ID payload
    next-payload : 8
    type : 1
    address : 192.168.248.253
    protocol : 17
    port : 0
    length : 12
    1d23h: ISAKMP:(0):: peer matches *none* of the profiles
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
    1d23h: ISAKMP:(1034):SA authentication status:
    authenticated
    1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
    1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing one 643BCA10 to reuse, free 652C3B54
    1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
    1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
    1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM5 New State = IKE_I_MM6
    1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
    1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
    1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
    1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
    1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_I_MM6
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
    1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
    1d23h: ISAKMP:(1034):QM Initiator gets spi
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node -874376893 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
    1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 56853244, message ID = -874376893, sa = 652CBDC4
    1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
    1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
    1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
    1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
    1d23h: ISAKMP: set new node 439453045 to QM_IDLE
    1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
    1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
    1d23h: ISAKMP:(1034):Checking IPSec proposal 1
    1d23h: ISAKMP: transform 1, ESP_AES
    1d23h: ISAKMP: attributes in transform:
    1d23h: ISAKMP: encaps is 3 (Tunnel-UDP)
    1d23h: ISAKMP: SA life type in seconds
    1d23h: ISAKMP: SA life duration (basic) of 3600
    1d23h: ISAKMP: SA life type in kilobytes
    1d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    1d23h: ISAKMP: key length is 128
    1d23h: ISAKMP:(1034):atts are acceptable.
    1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
    1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
    1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
    1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 1687353736, message ID = 1494356901
    1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
    1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
    1d23h: ISAKMP:(1034):purging node 1494356901
    1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
    1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_READY
    1d23h: ISAKMP:(1032):purging node 1513722556
    1d23h: ISAKMP:(1032):purging node -643121396
    1d23h: ISAKMP:(1032):purging node 1350014243
    1d23h: ISAKMP:(1032):purging node 83247347

    Hi Lei , here are the 2 configs for the VPN routers. Hope it sheds some light.
    Just to add i have removed the crypto map from the fa0/1 interfaces on both routers just so i can continue my work with the GRE tunnel.
    Router A
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SERVER-RTR
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$RihE$Po9HPkuvEHaspaD5ZC72m0
    no aaa new-model
    memory-size iomem 20
    ip cef
    no ip domain lookup
    ip multicast-routing
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key XXXX address 217.155.113.179
    crypto ipsec transform-set STRONG esp-aes
    crypto map S2S_VPN 10 ipsec-isakmp
    set peer 217.155.113.179
    set transform-set STRONG
    match address 101
    controller E1 1/0
    interface Tunnel0
    bandwidth 100000
    ip address 10.208.200.1 255.255.255.0
    ip mtu 1400
    ip pim dense-mode
    ip route-cache flow
    tunnel source FastEthernet0/1
    tunnel destination 217.155.113.179
    interface FastEthernet0/0
    ip address 10.208.1.10 255.255.224.0
    ip pim state-refresh origination-interval 30
    ip pim dense-mode
    ip route-cache flow
    ip igmp version 1
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.248.253 255.255.254.0
    ip nbar protocol-discovery
    ip route-cache flow
    load-interval 60
    duplex auto
    speed auto
    router eigrp 1
    auto-summary
    router ospf 1
    log-adjacency-changes
    network 10.208.0.0 0.0.31.255 area 0
    network 10.208.200.0 0.0.0.255 area 0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.208.1.1
    ip route 217.155.113.179 255.255.255.255 192.168.248.1
    ip flow-export version 5
    ip flow-export destination 192.168.249.198 9996
    no ip http server
    no ip http secure-server
    access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
    ROuter B
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname BSU-RTR
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$VABE$6r6dayC90o52Gb8iZZgNP/
    no aaa new-model
    memory-size iomem 25
    ip cef
    no ip domain lookup
    ip multicast-routing
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key XXXX address 37.205.62.5
    crypto ipsec transform-set STRONG esp-aes
    crypto map S2S_VPN 10 ipsec-isakmp
    set peer 37.205.62.5
    set transform-set STRONG
    match address 101
    controller E1 1/0
    interface Tunnel0
    bandwidth 20000
    ip address 10.208.200.2 255.255.255.0
    ip mtu 1400
    ip pim dense-mode
    tunnel source FastEthernet0/1
    tunnel destination 37.205.62.5
    interface FastEthernet0/0
    ip address 10.208.102.1 255.255.255.0
    ip helper-address 10.208.2.31
    ip pim dense-mode
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 217.155.113.179 255.255.255.248
    ip nbar protocol-discovery
    load-interval 60
    duplex auto
    speed auto
    router ospf 1
    log-adjacency-changes
    network 10.208.102.0 0.0.0.255 area 0
    network 10.208.200.0 0.0.0.255 area 0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.208.200.1
    ip route 37.205.62.5 255.255.255.255 217.155.113.182
    no ip http server
    no ip http secure-server
    ip pim bidir-enable
    ip mroute 10.208.0.0 255.255.224.0 Tunnel0
    access-list 101 permit gre host 217.155.113.179 host 37.205.62.5

  • How to access the gui through a NAT device

    Hi
    I have to access the management GUI over a NAT IP. So the browser is not accessing the configured managment IP. How can this be realized?
    Unfortunately the programmers wrote the HTML code with absolute addressed links instead of using relative links.
    Example HTML code excerpt from the web gui:
    <script src="
    https://wsa.test.local:8443/scfw/1y-7.1.2-020/yui/animation/animation-min.js"></script>
    Good code shoul read like:
    <script src="/scfw/1y-7.1.2-020/yui/animation/animation-min.js"></script>
    The second code doesn't take care on which hostname/IP nor port the web gui is seen from the client. The browser just adds hostname to the beginning of the URL as it was used to access the starting page. So a NAT or even PAT on the way to access the box has no influence on the usability.
    Any ideas how to circumvent that problem?

    We found out that this seems to be a limitation of the browser. It doesn't work with iE 8/9 but it works with Firefox 6.0.1.
    Strange...

  • TACACS+ requests through NAT device

    Hi everyone.
    I want to Authenticate and Authorize VTY-Access to Cisco devices using TACACS+. The config is pritty "straight forwasrd", BUT:
    I want to forward the TACACS+ Request through a NAT device and on to the "Internet" where the TACAS+ server is located. (ACS 3.3)
    2 Questions in this situation appeares:
    - Does TACACS+ protocol support request through NAT devices?
    - Is it possible to connect different devices begind the NAT device, using only one Outside NAT IP address? (Using the same secret key for all aaa-clients and on the ACS)
    As you see, i want to connect "as many aaa-clients as possible" to a TACACS+ Server with "as easy = less configuration changes, as possible" .
    I know VPN's are options as well, but it is not prefered in my design.
    Best Regards
    Jarle Steffensen

    As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
    I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
    If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server can not differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
    HTH
    Rick

  • ACS 4.2.1: adding new AAA clients through odbc import

    Hello,
    we have added the user defined vendor RADIUS_HUAWEI to our Cisco ACS 4.2.1  Windows Server.
    Unfortunately there is a problem with importing network devices through odbc  connection using the accountactions table with the action code 220.
    The documentation tells us :
    220
    ADD_NAS
    VN, V1, V2, V3
    Adds a new AAA client (named in VN) with an IP address (V1), shared secret key  (V2), and vendor (V3). Valid vendors are:
    •VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
    •VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
    •VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
    •VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.
    •VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
    •VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.
    •VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
    •VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
    •VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
    •VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
    •VENDOR_ID_3COM_RADIUS—For Cisco 3COMUSR RADIUS.
    The new user defined vendor is:
    C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -listUDV
    CSUtil v4.2(1.15), Copyright 1997-2009, Cisco Systems Inc
    UDV 0 - RADIUS (RADIUS_HUAWEI)
    Our action code and variables look like:
    A=220
    VN="xxx"
    V1="10.10.10.10"
    V2="blabla"
    V3="VENDOR_ID_RADIUS_HUAWEI"
    Error Code is as following:
    06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown   [A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla"  V3="VENDOR_ID_RADIUS_HUAWEI"]
    Does anybody knows the correct name for the V3-variable to import the network  device in a correct way?
    Best regards
    Torsten Waibel

    Hello,we
    have a new acs appliance (1113) with version 4.2.1.15 and we want to
    authenticate user through ssh from routers with ios xr software.
    unfortunately this doesn't work.Here ist our configuration of the router:##################################################line template VTY
    access-class ingress abcd!tacacs-server host x.x.x.x port 49 single-connectiontacacc-server key 7 test!tacacs source-interface Loopback13!ssh server v2
    ssh timeout 60! AAA config
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting commands default start-stop group tacacs+
    aaa authorization exec default group tacacs+ none
    aaa authorization commands default group tacacs+ none
    aaa authentication login default group tacacs+ local##################################################does anybody has a solution for this problem?thnx and best regardsTorsten Waibel
    Hi Torsten Waibel,
    For ssh to support you should have a cryptography ios image in router and check the following command in line vty that transpot input ssh under line vty cofiguration.
    If helpful do rate the post
    Ganesh.H

  • Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821

    I am trying to optimise the detailed accounting records for VPN client connections on our system
    but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
    The VPN functionality works fine, this is just an accounting issue.
    All other accouting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
    The system details are:
    VPN server : Cisco 2821 with IOS 12.4(11)XW3
    Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
    Accouting RADIUS: Microsoft Windows Server 2008 R2 NPS
    I have used the same setup many times previously on various 2801, 2811, and 2911 platfroms with no issue (across v12 and v15 IOS).
    Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup, no config was require to send it.
    Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
    Example debug of tunnel start accounting message, showing that attribute 66 is not included in info sent to accouting server:
    Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
    Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Session-Id     [44]  10  "00000642"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Server-Auth-I[91]  14  "********"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Tunnel-Connecti[68]  4   "44"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-IP-Address   [8]   6   192.168.xxx.xxx          
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  User-Name           [1]   10  "*********"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Authentic      [45]  6  
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port            [5]   6   426                      
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID426"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Class               [25]  46 
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01  [i??????7????????]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22  [??????????????n"]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   2F A7 37 14 00 00 00 00 00 00 00 29              [/?7????????)]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-IP-Address      [4]   6   192.168.xxx.xxx          
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
    Jun 25 2013 14:55:13.691 AEST: RADIUS:  authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
    Important config
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication ppp default local group radius
    aaa authorization exec default local group radius
    aaa authorization network default local group radius
    aaa accounting delay-start
    aaa accounting session-duration ntp-adjusted
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
      protocol pptp
      virtual-template 1
    interface Virtual-Template1
    ip unnumbered Dialer1
    ip nat inside
    ip virtual-reassembly
    peer default ip address pool VPN
    no keepalive
    ppp encrypt mppe 128
    ppp authentication ms-chap-v2
    ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
    radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Larry,
    1) Please set up enable authentication to get the actual user name,
    aaa authentication enable console tacacs-auth LOCAL
    On ACS user setup you need to set up tacacs+ enable password.
    3) Since you have defined both server for authentication and accounting ie 219 and 218 it is sending accounting to 218, as it is also defined as accounting server and firewall it active.
    Use only
    aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
    aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
    Now auth should go to 218 and acc to 219.
    Regards,
    ~JG
    Do rate helpful posts

  • AAA Accounting Commands

    I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
    I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
    Thanks, Rick

    Give extraxi aaa-reports! a try (free trial version available)
    We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.
    Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
    Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
    We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
    Darran

  • AAA Accounting 'wait-start' option

    I am configuring aaa accounting on a Catalyst 3750 running 12.2(25)SEE, but not have the wait-start option; I only have start-stop and stop-only. So I go to univercd and the wait-start option is in the IOS documentation for 12.0 and prior, but does not show up in documentation for 12.1 and beyond. I cannot find any evidence, however, that the option was removed in any documentation that I have found. So I use start-stop and continue configuring on other devices. Then, I get to a Cisco 2621 router running 12.2(5d), and it does have the wait-start option. Any ideas why it would be available on one and not the other? Is it a router/switch thing? Also, any idea why it disappears from the IOS documentation at version 12.1 and up, even though it shows as an option on a router with 12.2? Thanks.

    As I understood it, each device group runs their own source train of IOS and it can all get a bit messy.
    for example multiple implementations of 802.1x across the various device types.
    A difference between routers and switches is not suprising to an old ex-cisco hack.

  • My problem is trying to restore my iphone 4s. The icloud password is from a defunct email account through an ISP that I no longer use. I have upgraded to an iphone5s . I want to give the iphone4s to a special needs child that can make good use of it.

    My problem is trying to restore my iphone 4s. The icloud password is from a defunct email account through an ISP that I no longer use. I have upgraded to an iphone5s . I want to give the iphone4s to a special needs child that can make good use of it.I am at the point of despair. I can prove where I got the 4s etc. which seems to be a requirement from postings on forums. IT IS BREAKING THIS KIDS HEART AND BREAKING MINE. PLEASE SOMEONE HELP !!

    Welcome to the Apple community.
    This feature has been introduced to make stolen phones useless to those that have stolen them.
    However it can also arise when the user has changed their Apple ID details with Apple and not made the same changes to their iCloud account/Find My Phone on their device before upgrading to iOS 7, or if you restore from a previous back up made before you changed your details.
    The only solution is to change your Apple ID back to its previous state with Apple at My Apple ID, verify the changes, enter the password as requested on your device and then turn off "find my phone".
    You should then change your Apple ID back to its current state, verify it once again, delete the iCloud account from your device and then log back in using your current Apple ID. Finally, turn "find my phone" back on once again.
    This article provides more information about Activation Lock.

  • I need to change my account information so my devices will sync together but i can log onto my old itunes account because i dont have that email and forgot that password, what can i do?

    i need to change my account information so my devices will sync together, however i do not have my email my ipod account is linked to and i dont remeber the password. In short i need to remove my ipod from my old itunes account but i cant log on to that old account. What can i do?

    You'll need to reset the password that account then before you can transfer these purchases to your iTunes library and your iPhone.
    https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/wa/iforgot
    If that doesn't work, you'll need to contact Apple support directly by phone and have them walk you through resetting the account information.
    B-rock

  • Aaa accounting commands levels

    Hello,
    I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are say 5 and 15, do I need to include level 0 in my aaa accounting commands?

    Hello,
    By default on IOS devices we have three commands distributed over three privilege levels i.e.,
    Level 0
    Level 1, and
    Level 15.
    If you explicitly donot change the privilege level of command(s), then only commands that you require to enter in an IOS device to monitor all commands executed over device is:
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    I have defined TACACS+ as the as the accounting server, as it jells best for adminstrative purposes i.e. Shell Command authorization
    Let me know if this clarifies your doubt :)

  • I already have a CC account through my educational institution but it did not include the Lightroom mobile. So now, apparantly, in order to get Lightroom mobile I have to purchase the PS/LR photographers package but when I went to do it I was told that I

    I already have a CC account through my educational institution but it did not include the Lightroom mobile. So now, apparantly, in order to get Lightroom mobile I have to purchase the PS/LR photographers package but when I went to do it I was told that I already have a CC account. What am I to do?

    I think all you have to do is go to the App Store and download Lightroom mobile onto your mobile device. You don't need another package in order to get it.

  • AAA accounting of Lan-to-Lan VPN connections on a 3005 Concentrator

    Hello all,
    I am trying to do AAA accounting for the Lan-to-Lan connections on a 3005 VPN concentrator. It does not seem to work. For incoming VPN client connections, it's working ok, I see the 3005 sending accounting data to our radius server. But nothig is sent for Lan-to-Lan connections.
    Any ideas ? Is this not supported on the 3005 ?
    Thanks,
    Stefan

    Ok, I have updated the image and now I can access all the SNMP info that was not there before. As before, no AAA data is sent for Lan-to-Lan connections and you only have access to current connection info via SNMP. So no historical data. But still, I can make a script that posts on a webpage the current connections, so people with no access to the concentrator can see it.
    I see something weird tho, the snmpwalk is very slow. If I try to walk the interfaces.ifTable for example, it's very slow, one line every second. Must be something from the concentrator because the same snmpwalk on another router is very fast. Walking through the active vpn list takes longer than walking through the whole snmp tree on another router.
    I only found something about SNMP reuqests queued ... but that didn't help. Any idea how I can speed up the snmp replies ?
    Thanks,
    Stefan

  • AAA Accounting with WLSM

    I have a customer with Cat6500 and WLSM running WDS. The APs and dot1x clients can authenticate with the ACS server. However, we cannot get any accounting information. We have tried configuring the WLSM with the following commands:
    aaa accounting network default start-stop group ClientDevices
    aaa accounting resource default start-stop group ClientDevices
    aaa accounting auth-proxy default start-stop group ClientDevices
    but none of these work. Devices are running the following code:
    Cat6500/Sup720 - 12.2(18)SXD5
    WLSM - 12.3(4)JA
    1200APs - 12.3(7)JA2
    Any assistance would be greatly appreciated.
    Tracey

    I set this up in the lab using an AP as the WDS and got the same problem; authentication logs but no accounting logs. Here are excerpts from the configs:
    AP:
    no aaa new-model
    dot11 ssid eduroam
    vlan 1800
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    mobility network-id 180
    wlccp ap username xxxx password xxxx
    wlccp ap wds ip address 172.30.2.174
    WLSM:
    aaa new-model
    aaa group server radius AccessPoints
    server 130.x.x.139 auth-port 1645 acct-port 1646
    aaa group server radius ClientDevices
    server 130.x.x.32 auth-port 1812 acct-port 1813
    aaa authentication login Leap-devices group AccessPoints
    aaa authentication login client-authentication group ClientDevices
    aaa session-id common
    radius-server host 130.x.x.32 auth-port 1812 acct-port 1813 key 7
    radius-server host 130.209.13.139 auth-port 1645 acct-port 1646 key 7
    wlccp authentication-server infrastructure Leap-devices
    wlccp authentication-server client any client-authentication
    wlccp wds interface Ethernet0/0.2
    wlccp wnm ip address 172.20.18.58
    The WLSM currently does not have any aaa accounting config. The following commands have been tried with no success:
    aaa accounting network default start-stop group ClientDevices
    aaa accounting resource default start-stop group ClientDevices
    aaa accounting auth-proxy default start-stop group ClientDevices
    Thanks for your help.
    Tracey

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT excemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains somewhat entire log snipper of ASA1

    Hi,
    on 212 is see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
    If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

Maybe you are looking for