ASA drop upload session
Hi, I have an ASA with the policy map below. Whenever anybody wants to upload a large file, it drops after some time. Since I have multiple services, I exclude the IP of the upload server from the access-list and then everything works normally. I want to add to and fine-tune the policy map below:
tcp-map tcp-NORM_Map
 check-retransmission
 checksum-verification
 exceed-mss drop
 queue-limit 5 timeout 3
 syn-data drop
 window-variation drop-connection
policy-map CONNS_policy
 class CONNS_Class
  set connection conn-max 1500 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 15
  set connection timeout embryonic 0:00:45 half-closed 0:05:00 tcp 0:10:00 reset dcd 0:00:20 3
  set connection advanced-options tcp-NORM_Map
Hi,
Have you gathered any firewalls logs or traffic capture data from the dropped connections?
Are you sure that the TCP Map setting of "window-variation drop-connection" is not doing this to your connections? If this setting simply refers to a situation where the window size is changed and because of that dropped I would imagine large transfers will get dropped as I imagine the window size changed during the transfer.
Does the command "show service-policy" provide any information?
- Jouni
Similar Messages
-
I can't get Mozilla Drag and Drop Uploader to work. Suggestions for troubleshooting?
I have a recurring need to post 100's of photos from "My Pictures" to a web site. I currently click on "Browse", up pops the photo file, and I then must manually select the proper photos and double click them to move them to the web site.
A colleague who has the same recurring need has told me to download Firefox as my browser, then download and install the "Drag and Drop Uploader". By doing this, I should be able to simply highlight the proper photos from 'My Pictures" and drag them to the correct box on the web site.
I have seen him do this on his computer, so I know it is possible. I'm guessing the problem I am having lies in having downloaded incompatible versions.
Help?
Support for that extension is here:
http://www.teslacore.it/wiki/index.php?title=DragDropUpload
-
Hi,
Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
%FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
If any one could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
Ta
Jim
This may help:
Caveat "CSCsj30582"
http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
For example:
class-map type inspect match-any cm-esp
 match access-group 100
policy-map type inspect in2out
 class type inspect cm-esp
  pass
access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
Workaround: Configure the access list so that the source is "any", for example:
access-list 100 permit esp any host 10.1.1.2
access-list 100 permit esp any host 10.0.0.2
First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
Further Problem Description: If an explicit deny rule is added to the above example, for example:
access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
access-list 100 deny esp any any
Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
Router# show access-lists 100
Extended IP access list 100
    10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
    20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
    30 deny ip any any (1 match)
-
VPN SA rekey drops oracle sessions
Hello
We have had this issue for sometime now. We have solved it for numerous sites with dedicated L2 connections but for some outstanding sites with s2s VPN tunnels (asa to asa) we still run into it.
Basically, when the VPN rekeys the SA (same time every day), all Oracle sessions are dropped. The tunnel stays up and the user stays connected, but the Oracle sessions ALWAYS drop. I can't for the life of me find a way to stop this from happening, and it only happens with Oracle. It happens to both remote VPN clients and VPN tunnels.
Does anyone have any idea what I can do to pinpoint or log the problem from the ASAs?
Hello,
I have something similar with ica/metaframe connection.
Any help will be appreciated.
Regards
Sent from Cisco Technical Support iPad App -
Flex drag-n-drop upload from desktop
Is there a way to upload a file from the desktop by drag and
dropping the file a flex application running purely on the browser;
not using AIR. The examples that have seen from my research so far,
drag files/images which are already within the browser to another
location within the same browser.
I would be most grateful for a quick answer to my
question
Drag and drop from desktop to Flex App is neat, but I wonder
if this is possible:
<mx:TextInput ... />
<mx:Button label="Browse" click="openFileBrowser()" ... />
Someone says you can't drag and drop from desktop to browser:
http://board.flashkit.com/board/showthread.php?t=770903
Apollo? -
Dropping unknown session - Firewall
Dear Team, I am having trouble finding the problem. I am getting the alarms below:
May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to DROP action found in policy-map with ip ident 0
May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to DROP action found in policy-map with ip ident 0
What I could understand is that the session is being dropped due to something related to ident 0.
Could someone help me?
Below I put some config lines which could help me to clarify it,
thanks,
pbjs1468#show policy-map type inspect zone-pair E_FW_ZON_PAIR_SLF_TO_WAN sessions
policy exists on zp E_FW_ZON_PAIR_SLF_TO_WAN
 Zone-pair: E_FW_ZON_PAIR_SLF_TO_WAN
  Service-policy inspect : E_FW_POLICY_MAP_SLF_TO_WAN
    Class-map: E_FW_CL_MAP_PROTOCOL_SLF_TO_WAN_98 (match-any)
      Match: access-group name E_FW_SLF_TO_WAN_ACL_98
        33901576 packets, 6137009389 bytes
        30 second rate 0 bps
      Pass
        33901576 packets, 6137009389 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        696394 packets, 19500766 bytes
pbjs1468#show class-map class-default
 Class Map match-any class-default (id 0)
   Match any
policy-map type inspect E_FW_POLICY_MAP_LAN_TO_WAN
 class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_00
  inspect E_FW_GLOBAL_PARAMETERS
 class type inspect E_FW_CLASSE_MAP_LAN_TO_WAN_01
  inspect E_FW_GLOBAL_PARAMETERS
 class type inspect E_FW_CL_MAP_PROTOCOL_LAN_TO_WAN_0E
  drop log
 class class-default
  drop log
The traffic is getting dropped because it's matching the "class-default" class-map, which acts as a catch-all for all the packets that didn't match previous class-maps.
Its default action is to DROP everything.
That UDP traffic uses port 0, this is not normal traffic and shouldn't be seen under normal circumstances.
So, it's a good thing the firewall is dropping it.
-
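Added example (not part of the original threads, and not Cisco code): a small Python parser for the two %FW-6-DROP_PKT message shapes quoted on this page, which groups drops by zone-pair, class and reason and flags the details discussed above (class-default match, port 0, link-local destination). The function names are hypothetical, and reading the tcpflags value as the TCP header's data-offset/flags word is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the %FW-6-DROP_PKT messages quoted on this page.
# The stray-segment message is joined onto one line; its addresses are masked
# as X.X.X.X in the original post and are kept that way here.
SAMPLE_LOG = """\
May 22 17:21:02.447: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to DROP action found in policy-map with ip ident 0
May 22 17:21:32.519: %FW-6-DROP_PKT: Dropping Unknown-l4 session 162.116.205.245:0 169.254.254.254:0 on zone-pair E_FW_ZON_PAIR_SLF_TO_WAN class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session (?P<src>\S+) (?P<dst>\S+)"
    r"(?: on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+))?"
    r" due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
    r"(?: tcpflags (?P<tcpflags>0x[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+))?\s*$"
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def decode_tcpflags(word):
    """Assumption: the value is TCP header bytes 12-13 (data offset + flags)."""
    header_len = ((word >> 12) & 0xF) * 4
    return header_len, [name for bit, name in TCP_FLAG_BITS if word & bit]


def split_endpoint(token):
    """Split 'a.b.c.d:port'; masked or port-less tokens yield None fields."""
    host, sep, port = token.rpartition(":")
    if not sep:
        host, port = token, ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    return ip, int(port) if port.isdigit() else None


def parse_drop(line):
    """Return a dict of fields for one DROP_PKT line, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ident"] = int(ev["ident"])
    ev["src_ip"], ev["src_port"] = split_endpoint(ev["src"])
    ev["dst_ip"], ev["dst_port"] = split_endpoint(ev["dst"])
    if ev["tcpflags"]:
        ev["header_len"], ev["flags"] = decode_tcpflags(int(ev["tcpflags"], 16))
    return ev


def triage(ev):
    """Short notes on what to look at first for a parsed drop event."""
    notes = []
    if ev["cls"] == "class-default":
        notes.append("no earlier class matched; dropped by class-default")
    if ev["src_port"] == 0 or ev["dst_port"] == 0:
        notes.append("endpoint port is 0")
    if ev["dst_ip"] is not None and ev["dst_ip"].is_link_local:
        notes.append("link-local destination")
    if ev["reason"] == "Stray Segment":
        notes.append("stray TCP segment, flags=" + "+".join(ev.get("flags", [])))
    return notes


def summarize(log_text):
    """Count drops per (zone-pair, class, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_drop(line)
        if ev:
            counts[(ev["zone_pair"], ev["cls"], ev["reason"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
    for line in SAMPLE_LOG.splitlines():
        print(triage(parse_drop(line)))
```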
Yosemite's Mail Drop upload progress bar?
With Yosemite's Mail Drop is there a way to see how the uploading of the file/s is progressing? When sending large attachments I have no idea in what state the upload is, if it is uploading or not and how much time it will take.
Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.
Feedback -
PL/SQL to create a temp table that will be dropped after session ends
Is it possible in PL/SQL to create a temp table that will be dropped after the session ends? Please provide example if possible. I can create a global temp table in PL/SQL but I am not sure how (if possible) to have it 'drop' once the session ends.
DB: 10g
OS: Wiindoze 2003 Server
:-)
As others have mentioned (but probably not clearly explained), Oracle treats temporary tables differently to SQL Server.
In SQL Server you create a temporary table and it gets dropped (automatically I assume, I don't do SQL Server) after the session finishes. This will obviously allow each session to "request" a temporary table to use, then use it, and not have to worry about cleaning up the database after the session has finished.
Oracle takes a different approach...
On the assumption that each session is likely to be creating a temporary table for the same purposes, with the same structure, Oracle lets you create a Global Temporary Table a.k.a. GTT (which you've already come across). You only have to create this table once and you leave it on the database. This then means that any code written to use that table doesn't have to be dynamic code and can be verified and checked at compile time, just like code written for any other table. The difference of a GTT from a regular table is that any data you put into that table can only be seen by that session and will not interfere with any data of other sessions and, when you either commit, or end the session (depending on the "on commit delete rows" or "on commit preserve rows" option used when creating the GTT), that data from your own session will automatically be removed and hence the table is cleaned up that way, whilst the actual table itself remains.
Some people from SQL Server backgrounds try and create and drop tables dynamically in their PL/SQL code, but this leads to problems...
SQL> ed
Wrote file afiedt.buf
1 begin
2 execute immediate 'create table my_temp (x number)';
3 insert into my_temp values (1);
4 execute immediate 'drop table my_temp';
5* end;
SQL> /
insert into my_temp values (1);
ERROR at line 3:
ORA-06550: line 3, column 15:
PL/SQL: ORA-00942: table or view does not exist
ORA-06550: line 3, column 3:
PL/SQL: SQL Statement ignored
i.e. the code will not compile for direct DML statements trying to use that table.
They then try and get around this issue by making their DML statements dynamic too...
SQL> ed
Wrote file afiedt.buf
1 create or replace procedure my_proc is
2 begin
3 execute immediate 'create table my_temp (x number)';
4 execute immediate 'insert into my_temp values (''A'')';
5 execute immediate 'drop table my_temp';
6* end;
SQL> /
Procedure created.
... which looks great and it compiles ok... but... when they try and run it...
SQL> exec my_proc;
BEGIN my_proc; END;
ERROR at line 1:
ORA-01722: invalid number
ORA-06512: at "SCOTT.MY_PROC", line 4
ORA-06512: at line 1
... oops the code has a bug in it. Our DML statement was invalid.
This is really something that would have been caught at compile time, if the statement had been a direct DML statement rather than dynamic. And thus we see the problem with people trying to write all their code as dynamic SQL... it's more likely to contain bugs that won't be detected at compile time and only come to light at run time... sometimes only under certain conditions and sometimes once it's got into a production environment. Bad Idea!!!! ;)
Far better to never create tables (or most other database objects) at run time. Just create them once as part of the database design/implementation and use them as required, allowing you to catch the most common coding errors up front before they get anywhere near a test environment or worse still, a production environment. -
Trouble with dropped ARD sessions requiring a logout to fix
I am having a major problem with ARD on my work Mac. It is a Rev A Intel iMac 17" running the latest ARD client.
I was given the ARD admin to take home for telecommuting which I have installed on my PowerMac G5. I connect to my work Mac through a Cisco VPN (this VPN software is very buggy)
Far too frequently while I am connected to the Intel iMac (curtained) I suddenly lose connection to the Mac. Whatever was on my screen at the time freezes in my ARD window. Closing the session reveals that the iMac still has a Locked Screen. I can unlock the screen but can never connect to it unless I log out. I've tried using the shell command kickstart to restart the ARD client and a variety of other things trying to bring it back but that actually causes much more damage and usually results in the need for a hard reboot (power cycle).
The problem only seems to (or most frequently) occur when Mail is open. If I leave it closed I don't see this problem (maybe very rarely if ever). Of course without access to email what good is ARD in my situation? Other than that there doesn't seem to be any pattern.
Anyone have any ideas? Need help badly!
Josh
Far too frequently while I am connected to the Intel iMac (curtained) I suddenly lose connection to the Mac. Whatever was on my screen at the time freezes in my ARD window. Closing the session reveals that the iMac still has a Locked Screen. I can unlock the screen but can never connect to it unless I log out.
To clarify, I must log out of the remote machine to enable a new ARD connection.
I can use Manage -> Logout Current User in the admin. So most of the remote options are still functional, just not a full Control.
-
Ipod Disconnects In the Middle of Uploading Session!!!
when i upload anything (songs, photos, movies) the ipod will upload them halfway, or three fourths of the way and then disconnect. the icon from itunes disappears, as well as the do not disconnect sign on the ipod. what do i do, to complete the upload? Help, please =(
you assume correctly, but what does that matter? is it really relevant?
I asked because it does matter. Microsoft has had an issue with their USB drivers since day one. There is even a list of devices that may suddenly be ignored by the OS (they admit to an I/O issue). You might try and unload your USB drivers and let Windows reinstall them on a reboot. Check on the MS Technet site for intermittent USB issues. I wouldn't rule out a USB issue yet.
On the other hand, if others are experiencing a similar issue, it may be your Ipod. I hope you can resolve it. -
Hi people,
OS: Oracle Enterprise Linux 4.5
Storage Server: Openfiler 2.3
I have been trying to set up an Oracle Cluster using Openfiler 2.3 and Oracle Enterprise Linux 4.5. When I try to boot up both of my nodes in a cluster, the nodes will find the targets and immediately drop the session, thus shutting down both of my NICs (eth0 and eth1). I have googled till my eyes popped out; below is the error I'm facing:
iscsi-sfnet:host3: Connect failed with rc -113: No route to host
iscsi-sfnet:host3: establish_session failed. Could not connect to target
iscsi-sfnet:host3: Waiting 1 seconds before next login attempt
Has anyone ever come across this error?
Please note that I have tried the solutions mentioned in the below links:
http://www.cuddletech.com/blog/pivot/entry.php?id=601
http://www.nabble.com/Login-Timeout-errors-td5389892.html
Any help will be highly appreciated.
Regards,
Durbanite - South Africa
Hi Tommy,
Apologies for the late reply, I will try your suggestion. I will need to turn off the Linux server completely as you can't open another session; as soon as this error occurs, it shuts down your NICs and from there you can't telnet/ssh or open any session. Even if you try to log in locally, the error messages will keep on flashing on your screen.
Thanks for your help. I'll get back to you.
Regards,
Durbanite -
Hi guys!
I have a major problem. I use an Oracle 8.1.6 server and I connect my client to the server through OleDb (v8.1.6).
After some time when my connection is idle the server drops the session. It's strange, because it doesn't drop me out if I'm logged in through SQL-Plus. I'm suspicious that's because of OleDb. My question is: is there any parameter in OleDb for setting this idle time session drop thing? Any methods, functions, etc...
Hint: I see all the resources UNLIMITED in my dba_profiles.
Thanks for helping me
Viktor Havasi
Hi
We had exactly the same problem and got it solved doing the following:
Check your registry for the key SPTimeout in
HKEY_CLASSES_ROOT\CLSID\{3F63C36E-51A3-11D2-BB7D-00C04FA30080}
We found this was missing. Just inserted SPTimeout = 60 (default value is 60 sec) and oops the session is not dropping!!
Ganesh. -
Rdisp/gui_auto_logout does not consider uploading
hi experts,
I set the rdisp/gui_auto_logout to 10 mins for testing. My problem is that it got me disconnected while in the middle of uploading. It seems it counts uploading as idle. Is there any way to drop idle sessions but not those in the middle of uploading data?
Thank you in advance!
Hi Karshbax,
Please go through the link. Here it says this parameter works upon idle time.
http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
It says:
rdisp/gui_auto_logout:
Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
Default value: 0 (no restriction); permissible values: any numerical value
Hope it clarifies. Let us know if it is helpful.
Regards,
Sujit. -
Question about site to site VPN failover on an ASA
Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3
I have just encountered a similar situation. It seems to work near enough, but I still consider it a hack.
Also, if the second peer (887 router in this case) attempts to bring up the IPSec tunnel, the ASA drops the primary tunnel and re-establishes it, causing brief packet loss during the tunnel bounce. A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!
I'm just using HSRP on the access site between 2 x 887's tracking the WAN interface. On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".
The ASA feature set just hasn't improved in this space since the VPN3000 days, it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.
Cheers
Kent. -
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
 default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
 default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
We are not able to reach from 172.22.20.x ips 172.27.99.x.
It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
We are using a similar configuration on many sites and it works correctly, except at sites with a DSL line.
We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.