ASA drop upload session

Hi, I have an ASA with the policy map below. Whenever anybody wants to upload a large file, the session drops after some time. Since I have multiple services, I exclude the IP of the upload server from the access-list and then everything works normally. I want to add and fine-tune the policy map below.
tcp-map tcp-NORM_Map
  check-retransmission
  checksum-verification
  exceed-mss drop
  queue-limit 5 timeout 3
  syn-data drop
  window-variation drop-connection
policy-map CONNS_policy
  class CONNS_Class
    set connection conn-max 1500 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 15
    set connection timeout embryonic 0:00:45 half-closed 0:05:00 tcp 0:10:00 reset dcd 0:00:20 3
    set connection advanced-options tcp-NORM_Map

Hi,
Have you gathered any firewall logs or traffic capture data from the dropped connections?
Are you sure that the TCP Map setting of "window-variation drop-connection" is not doing this to your connections? If this setting simply refers to a situation where the window size is changed and the connection is dropped because of that, I would imagine large transfers will get dropped, as I imagine the window size changes during the transfer.
Does the command "show service-policy" provide any information?
- Jouni
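
One way to test the hypothesis in the reply above while keeping the upload server under the policy (an added example, not configuration from the thread): give the server its own class whose tcp-map differs from tcp-NORM_Map only in the `window-variation` action. `UPLOAD_ACL`, `UPLOAD_Class`, `tcp-UPLOAD_Map` and the address 192.0.2.10 are hypothetical placeholders, and the sketch assumes the server stays excluded from the access-list that CONNS_Class matches, as the original poster describes.

```cisco
! Added example. UPLOAD_ACL, UPLOAD_Class, tcp-UPLOAD_Map and 192.0.2.10 are
! hypothetical names and a placeholder address, not values from the thread.

! 1. Classify only TCP traffic destined to the upload server.
access-list UPLOAD_ACL extended permit tcp any host 192.0.2.10
class-map UPLOAD_Class
 match access-list UPLOAD_ACL

! 2. Copy of tcp-NORM_Map with one setting changed, so that a successful
!    upload can be attributed to that setting alone.
!    Original map: window-variation drop-connection
tcp-map tcp-UPLOAD_Map
 check-retransmission
 checksum-verification
 exceed-mss drop
 queue-limit 5 timeout 3
 syn-data drop
 window-variation allow-connection

! 3. Same connection limits and timeouts as CONNS_Class, different tcp-map.
policy-map CONNS_policy
 class UPLOAD_Class
  set connection conn-max 1500 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 15
  set connection timeout embryonic 0:00:45 half-closed 0:05:00 tcp 0:10:00 reset dcd 0:00:20 3
  set connection advanced-options tcp-UPLOAD_Map

! 4. Zero the counters, repeat the large upload, then read them back.
clear service-policy
clear asp drop
show service-policy
show asp drop
```

If the upload completes with this class in place, `window-variation drop-connection` was the setting ending the session. If it still drops, the reasons listed by `show asp drop` point at which other normalizer check to relax next, one setting at a time.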

Similar Messages

  • I can't get Mozilla Drag and Drop Uploader to work. Suggestions for troubleshooting?

    I have a recurring need to post 100's of photos from "My Pictures" to a web site. I currently click on "Browse", up pops the photo file, and I then must manually select the proper photos and double click them to move them to the web site.
    A colleague who has the same recurring need has told me to download Firefox as my browser, then download and install the "Drag and Drop Uploader". By doing this, I should be able to simply highlight the proper photos from 'My Pictures" and drag them to the correct box on the web site.
    I have seen him do this on his computer, so I know it is possible. I'm guessing the problem I am having lies in having downloaded incompatible versions.
    Help?

    Support for that extension is here:
    http://www.teslacore.it/wiki/index.php?title=DragDropUpload

  • Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

    Hi,
    Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
    %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
    Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
    If any one could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
    Ta
    Jim

    This may help:
    Caveat "CSCsj30582"
    http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
    Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
    Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
    For example:
    class-map type inspect match-any cm-esp
      match access-group 100
    policy-map type inspect in2out
      class type inspect cm-esp
        pass
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    Workaround: Configure the access list so that the source is "any", for example:
    access-list 100 permit esp any host 10.1.1.2
    access-list 100 permit esp any host 10.0.0.2
    First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
    Further Problem Description: If an explicit deny rule is added to the above example, for example:
    access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
    access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
    access-list 100 deny esp any any
    Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
    Router# show access-lists 100
    Extended IP access list 100
        10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
        20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
        30 deny ip any any (1 match)

  • VPN SA rekey drops oracle sessions

    Hello
    We have had this issue for some time now. We have solved it for numerous sites with dedicated L2 connections, but for some outstanding sites with s2s VPN tunnels (ASA to ASA) we still run into it.
    Basically, when the VPN rekeys the SA (same time every day) all Oracle sessions are dropped. The tunnel stays up and the user stays connected, but the Oracle sessions ALWAYS drop. I can't for the life of me find a way to stop this from happening, and it only happens with Oracle. It happens to both remote VPN clients and VPN tunnels.
    Does anyone have any idea what I can do to pinpoint or log the problem from the ASA's?

    Hello,
    I have something similar with ica/metaframe connection.
    Any help will be appreciated.
    Regards
    Sent from Cisco Technical Support iPad App

  • Flex drag-n-drop upload from desktop

    Is there a way to upload a file from the desktop by dragging and dropping the file onto a Flex application running purely in the browser, not using AIR? The examples that I have seen from my research so far drag files/images which are already within the browser to another location within the same browser.
    I would be most grateful for a quick answer to my question.

    Drag and drop from desktop to Flex App is neat, but I wonder
    if this is possible:
    <mx:TextInput ... />
    <mx:Button label="Browse" click="openFileBrowser()" ...
    />
    Someone says you can't drag and drop from desktop to browser:
    http://board.flashkit.com/board/showthread.php?t=770903
    Apollo?

  • Dropping unknown session - Firewall

    Dear Team, I am having trouble finding the problem. I am getting the alarms below:
    May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0
    May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to  DROP action found in policy-map with ip ident 0
    What I could understand is that the session is being dropped due to something related to ident 0.
    Could someone help me?
    Below I put some config lines which could help me to clarify it,
    thanks,
    pbjs1468#show policy-map type inspect zone-pair E_FW_ZON_PAIR_SLF_TO_WAN sessions
    policy exists on zp E_FW_ZON_PAIR_SLF_TO_WAN
    Zone-pair: E_FW_ZON_PAIR_SLF_TO_WAN
      Service-policy inspect : E_FW_POLICY_MAP_SLF_TO_WAN
        Class-map: E_FW_CL_MAP_PROTOCOL_SLF_TO_WAN_98 (match-any)
          Match: access-group name E_FW_SLF_TO_WAN_ACL_98
            33901576 packets, 6137009389 bytes
            30 second rate 0 bps
          Pass
            33901576 packets, 6137009389 bytes
        Class-map: class-default (match-any)
          Match: any
          Drop
            696394 packets, 19500766 bytes
    pbjs1468#show class-map class-default
    Class Map match-any class-default (id 0)
       Match any
    policy-map type inspect E_FW_POLICY_MAP_LAN_TO_WAN
    class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_00
      inspect E_FW_GLOBAL_PARAMETERS
    class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_01
      inspect E_FW_GLOBAL_PARAMETERS
    class type inspect E_FW_CL_MAP_PROTOCOL_LAN_TO_WAN_0E
      drop log
    class class-default
      drop log

    The traffic is getting dropped because it's matching the "class-default" class-map, which acts as a catch-all for all the packets that didn't match previous class-maps.
    Its default action is to DROP everything.
    That UDP traffic uses port 0; this is not normal traffic and shouldn't be seen under normal circumstances.
    So, it's a good thing the firewall is dropping it.

  • Yosemite's Mail Drop upload progress bar?

    With Yosemite's Mail Drop is there a way to see how the uploading of the file/s is progressing? When sending large attachments I have no idea in what state the upload is, if it is uploading or not and how much time it will take.

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.
    Feedback

  • PL/SQL to create a temp table that will be dropped after session ends

    Is it possible in PL/SQL to create a temp table that will be dropped after the session ends? Please provide example if possible. I can create a global temp table in PL/SQL but I am not sure how (if possible) to have it 'drop' once the session ends.
    DB: 10g
    OS: Wiindoze 2003 Server
    :-)

    As others have mentioned (but probably not clearly explained), Oracle treats temporary tables differently to SQL Server.
    In SQL Server you create a temporary table and it gets dropped (automatically I assume, I don't do SQL Server) after the session finishes. This will obviously allow each session to "request" a temporary table to use, then use it, and not have to worry about cleaning up the database after the session has finished.
    Oracle takes a different approach...
    On the assumption that each session is likely to be creating a temporary table for the same purposes, with the same structure, Oracle lets you create a Global Temporary Table a.k.a. GTT (which you've already come across). You only have to create this table once and you leave it on the database. This then means that any code written to use that table doesn't have to be dynamic code and can be verified and checked at compile time, just like code written for any other table. The difference of a GTT from a regular table is that any data you put into that table can only be seen by that session and will not interfere with any data of other sessions and, when you either commit, or end the session (depending on the "on commit delete rows" or "on commit preserve rows" option used when creating the GTT), that data from your own session will automatically be removed and hence the table is cleaned up that way, whilst the actual table itself remains.
    Some people from SQL Server backgrounds try and create and drop tables dynamically in their PL/SQL code, but this leads to problems...
    SQL> ed
    Wrote file afiedt.buf
      1  begin
      2    execute immediate 'create table my_temp (x number)';
      3    insert into my_temp values (1);
      4    execute immediate 'drop table my_temp';
      5* end;
    SQL> /
      insert into my_temp values (1);
    ERROR at line 3:
    ORA-06550: line 3, column 15:
    PL/SQL: ORA-00942: table or view does not exist
    ORA-06550: line 3, column 3:
    PL/SQL: SQL Statement ignored
    i.e. the code will not compile for direct DML statements trying to use that table.
    They then try and get around this issue by making their DML statements dynamic too...
    SQL> ed
    Wrote file afiedt.buf
      1  create or replace procedure my_proc is
      2  begin
      3    execute immediate 'create table my_temp (x number)';
      4    execute immediate 'insert into my_temp values (''A'')';
      5    execute immediate 'drop table my_temp';
      6* end;
    SQL> /
    Procedure created.
    ... which looks great and it compiles ok... but... when they try and run it...
    SQL> exec my_proc;
    BEGIN my_proc; END;
    ERROR at line 1:
    ORA-01722: invalid number
    ORA-06512: at "SCOTT.MY_PROC", line 4
    ORA-06512: at line 1
    ... oops the code has a bug in it. Our DML statement was invalid.
    This is really something that would have been caught at compile time, if the statement had been a direct DML statement rather than dynamic. And thus we see the problem with people trying to write all their code as dynamic SQL... it's more likely to contain bugs that won't be detected at compile time and only come to light at run time... sometimes only under certain conditions and sometimes once it's got into a production environment. Bad Idea!!!! ;)
    Far better to never create tables (or most other database objects) at run time. Just create them once as part of the database design/implementation and use them as required, allowing you to catch the most common coding errors up front before they get anywhere near a test environment or worse still, a production environment.

  • Trouble with dropped ARD sessions requiring a logout to fix

    I am having a major problem with ARD on my work Mac. It is a Rev A Intel iMac 17" running the latest ARD client.
    I was given the ARD admin to take home for telecommuting which I have installed on my PowerMac G5. I connect to my work Mac through a Cisco VPN (this VPN software is very buggy)
    Far too frequently while I am connected to the Intel iMac (curtained) I suddenly lose connection to the Mac. Whatever was on my screen at the time freezes in my ARD window. Closing the session reveals that the iMac still has a Locked Screen. I can unlock the screen but can never connect to it unless I log out. I've tried using the shell command kickstart to restart the ARD client and a variety of other things trying to bring it back but that actually causes much more damage and usually results in the need for a hard reboot (power cycle).
    The problem only seems to (or most frequently) occur when Mail is open. If I leave it closed I don't see this problem (maybe very rarely if ever). Of course without access to email what good is ARD in my situation? Other than that there doesn't seem to be any pattern.
    Anyone have any ideas? Need help badly!
    Josh

    Far too frequently while I am connected to the Intel
    iMac (curtained) I suddenly lose connection to the
    Mac. Whatever was on my screen at the time freezes
    in my ARD window. Closing the session reveals that
    the iMac still has a Locked Screen. I can unlock the
    screen but can never connect to it unless I log out.
    To clarify I must logout of the remote machine to enable a new ARD connection.
    I can use Manage -> Logout Current User in the admin. So most of the remote options are still functional, just not a full Control.

  • Ipod Disconnects In the Middle of Uploading Session!!!

    When I upload anything (songs, photos, movies) the iPod will upload them halfway, or three fourths of the way, and then disconnect. The icon from iTunes disappears, as well as the do not disconnect sign on the iPod. What do I do to complete the upload? Help, please =(

    you assume correctly, but what does that matter? is
    it really relevant?
    I asked because it does matter. Microsoft has had an issue with their USB drivers since day one. There is even a list of devices that may suddenly be ignored by the OS (they admit to an I/O issue). You might try and unload your USB drivers and let Windows reinstall them on a reboot. Check on the MS Technet site for intermittent USB issues. I wouldn't rule out a USB issue yet.
    On the other hand, if others are experiencing a similar issue, it may be your Ipod. I hope you can resolve it.

  • Iscsi session dropped

    Hi people,
    OS: Oracle Enterprise Linux 4.5
    Storage Server: Openfiler 2.3
    I have been trying to set up an Oracle Cluster using Openfiler 2.3 and Oracle Enterprise Linux 4.5. When I try to boot up both of my nodes in a cluster, the nodes will find the targets and immediately drop the session, thus shutting down both of my NICs (eth0 and eth1). I have googled till my eyes popped out; below is the error I'm facing:
    iscsi-sfnet:host3: Connect failed with rc -113: No route to host
    iscsi-sfnet:host3: establish_session failed. Could not connect to target
    iscsi-sfnet:host3: Waiting 1 seconds before next login attempt
    Has anyone ever come across this error?
    Please note that I have tried the solutions mentioned in the below links:
    http://www.cuddletech.com/blog/pivot/entry.php?id=601
    http://www.nabble.com/Login-Timeout-errors-td5389892.html
    Any help will be highly appreciated.
    Regards,
    Durbanite - South Africa

    Hi Tommy,
    Apologies for the late reply, I will try your suggestion. I will need to turn off the Linux server completely as you can't open another session; as soon as this error occurs, it shuts down your NICs and from there you can't telnet/ssh or open any session. Even if you try to log in locally, the error messages will keep on flashing on your screen.
    Thanks for your help. I'll get back to you.
    Regards,
    Durbanite

  • Session drop through OleDb

    Hi guys!
    I have a major problem. I use an Oracle 8.1.6 server and I connect my client to the server through OleDb (v8.1.6).
    After some time when my connection is idle the server drops the session. It's strange, because it doesn't drop me out if I'm logged in through SQL-Plus. I'm suspicious that's because of OleDb. My question is: is there any parameter in OleDb for setting this idle time session drop thing? Any methods, functions, etc...
    Hint: I see all the resources UNLIMITED in my dba_profiles.
    Thanks for helping me
    Viktor Havasi

    Hi
    We had exactly the same problem and got it solved doing the following:
    Check your registry for the key SPTimeout in
    HKEY_CLASSES_ROOT\CLSID\{3F63C36E-51A3-11D2-BB7D-00C04FA30080}
    We found this was missing. Just inserted SPTimeout = 60 (default value is 60 sec) and oops the session is not dropping!!
    Ganesh.

  • Rdisp/gui_auto_logout does not consider uploading

    hi experts,
    I set the rdisp/gui_auto_logout to 10 mins for testing. My problem is that it got me disconnected while in the middle of uploading. It seems it counts uploading as idle. Is there any way to drop idle sessions but not those in the middle of uploading data?
    Thank you in advance!

    Hi Karshbax,
    Please go through the link. Here it says this parameter works upon idle time.
    http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
    It says:
    rdisp/gui_auto_logout:      
    Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
    Default value: 0 (no restriction); permissible values: any numerical value
    Hope it clarifies. Let us know if it is helpful.
    Regards,
    Sujit.

  • Question about site to site VPN failover on an ASA

    Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
    crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3

    I have just encountered a similar situation. It seems to work near enough, but I still consider it a hack.
    Also, if the second peer (887 router in this case) attempts to bring up the IPSec tunnel, the ASA drops the primary tunnel and re-establishes it, causing brief packet loss during the tunnel bounce. A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!
    I'm just using HSRP on the access site between 2 x 887's tracking the WAN interface. On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".
    The ASA feature set just hasn't improved in this space since the VPN3000 days; it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.
    Cheers
    Kent.

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    we have following IPSec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach from 172.22.20.x ips 172.27.99.x.
    It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
    We are using a similar configuration on many sites and it works correctly except on sites with a DSL line.
    We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    ....  after ping from 172.27.99.x any ip in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.
