ASA - ICMP works on a L2L tunnel but TCP fails.

Similar Messages

• ANT Deployment issue. works fine in one environment but fails in other

  Hi,
  Ant script is working fine in Dev environment but is failing in the other environment. Somehow the BPEL server is not able to pick the latest deployed process , due to this the dependent BPEL processes are failing. If we restart the server , it moves forward and then fails at the point where it couldn’t find reference to the processes deployed after restart. Restarting the server at every failed interval will deploy all the BPEL processes which is not the solution.
  example : we have BPEL Processes say A, B, C, D and E. A,B are independent processes C is dependent on A, D is independent and E is dependent on D. So I have Ant script to deploy in A,B,C,D,E order. Now I run the Ant Script: It deploys A,B processes and Fails at C saying it couldn't find the process A.wsdl(But A is deployed). So if i restart now it recognizes A and B are deployed so C is also deployed succesfully it also deploys D as it is Independent but fails at E. If i restart the server E is also deployed.
  The Environment is clustered.
  Any suggestion to make my Ant script to run at a go will be highly appreciated
  Thanks
  Krishna

  Hi KrishnaBhaskarla,
  I have something related to ant script, Can you please provide me the steps for deploying applications using ant script.
  Regards
  Kumar

• Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

  Thanks to a previous thread, I do have a 5505 up and running, and passing data....
  https://supportforums.cisco.com/message/3900751
  Now I am trying to get a IPSEC VPN tunnel working.
  I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
  The networks concerned:
  name 10.0.0.0  Eventual  (HQ Site behind Firewall)
  name 1.1.1.0  CFS  (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
  name 2.2.2.0  T1  (Remote site - Outside interface of 5505: 2.2.2.2)
  name 10.209.0.0  Local  (Remote Network - internal interface of 5505: 10.209.0.3)
  On a ping to the HQ network from behind the ASA, I get....
  portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
  I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
  Below is the config.
  Can anyone see if there is something sticking out?
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 2.2.2.0 T1
  name 1.1.1.0 CFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object CFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location CFS 255.255.255.240 inside
  asdm history enable
  Thank You.

  I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
  Here's the output requested:
  Result of the command: "show crypto isakmp sa"
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1 IKE Peer: 1.1.1.1
  Type : L2L Role : initiator
  Rekey : no State : AM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
  access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
  local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
  current_peer: 1.1.1.1
  #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 8FC06BD1
  current inbound spi : 42EC16F4
  inbound esp sas:
  spi: 0x42EC16F4 (1122768628)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62207/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  outbound esp sas:
  spi: 0x8FC06BD1 (2411752401)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62201/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  Here's the current config:
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 67.139.113.216 T1
  name 1.1.1.0 IntegraCFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object IntegraCFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list No_NAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
  route outside Eventual 255.255.255.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set security-association lifetime kilobytes 65535
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location IntegraCFS 255.255.255.240 inside
  asdm history enable

• Tunnel Problem from New ASA to Working ASA

  I have a working asa at the home office with 56 tunnels out to satellite stations.  We recently acquired another office and trying to get a tunnel working back to the home office.  The tunnel will not come up nor do I see any traffic on it using the debug isakmp or debug ipsec commands.
  Here's the working config.  Assuming that the ASA in the home office is mirrored configuration for the tunnel, does anyone see anything wrong with this config?
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  shutdown
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.25.44.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 108.232.238.84 255.255.255.248
  boot system disk0:/asa824-k8.bin
  boot system disk0:/asa722-k8.bin
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 68.94.156.1
  name-server 68.94.157.1
  domain-name default.domain.invalid
  access-list outside_access_in extended permit tcp any host 108.214.237.84 eq 11
  access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm errors
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-642.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface 11 172.25.44.2 www netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 108.214.237.86 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  nac-policy DfltGrpPolicy-nac-framework-create nac-framework
  reval-period 36000
  sq-period 300
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 84.212.62.34
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set peer 84.212.60.2
  crypto map outside_map 2 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 30
  ssh version 2
  console timeout 0
  management-access inside
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-idle-timeout none
  webvpn
    svc keepalive none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    customization value DfltCustomization
  username admin password vbv/ec7dyKqeaH4R encrypted privilege 15
  tunnel-group 84.212.62.34 type ipsec-l2l
  tunnel-group 84.212.62.34 ipsec-attributes
  pre-shared-key *****
  tunnel-group 84.212.60.2 type ipsec-l2l
  tunnel-group 84.212.60.2 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:cdf40c985104c7afc07a6dcdd36f27e0
  : end
  asdm image disk0:/asdm-642.bin
  no asdm history enable

  Thanks for the reply Ajay.  It was actually the provider not placing the ASA's IP into the DMZ.  The office uses a small business Uverse connection, and they need to provide a set of static IP's in a DMZ.
  thanks,

• Two separate L2L tunnels between same two ASA

  I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
  I am considering using a L2L IPSEC tunnel between the two ASA's but the interesting traffic for the tunnel is different depending on which of the links is down and there fore I would need two different tunnels.  I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
  Is there a way of creating two separate L2L tunnels between the two ASA's?  Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
  Does anyone have another possible solution to the problem? 
  Gene

  You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
  Hope this helps.

• Oracle application having problem on PIX to ASA L2L tunnel.

  Hi ALL,
  My customer has performed a PIX migration to ASA5520 on last weekend. And the configuration on the new ASA5520 is almost the same as the original PIX515. There are several L2L vpn tunnel configuration on the ASA5520. After the migration, all VPN tunnel can establish without problem. But my customer found that their Oracle application running on one of the VPN tunnel has connectivity issue. This application did not have problem when in the original environment.
  This VPN tunnel is a L2L tunnel between remote and main office. In remote office, the VPN endpoint is a PIX515E w/ OS 7.0(5). In main office is an ASA5520 with 7.2(2). The original firewall in main office is a PIX 515 w/ 7.0(5). The IPSec match address list is an IP network to IP network access list without port definition.
  We found that the Oracle client on remote office can connect to the port opened on the Oracle server on main office. But after connected to the port on the server, the application will re-establish a new connection using random port between this client and server, and this new connection seems to not able to establish.
  Anyone can tell me that is it possible to impact the Oracle application on this IPSec tunnel? The ACL is an IP to IP acl. What can I do to troubleshoot this issue? Why the issue rise on the new ASA implementation?
  I'm looking forward to your reply! Please help!
  Jason

  Hi,
  Here is the end to end troubleshooting steps for L2L tunnel.
  Please check debug commands carefully you will get your key point where is troubble.
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
  Regards,
  Dharmesh Purohit

• RV082 to SA540 tunnel but no ping - HELP

  I'll try my best to explani and give details.
  SA540 v.2.1.71    at host
  RV082 v4.2.1.02  at remote site.
  Trying to setup tunnel between the 2.  WHEN this works, I'll have 20 remote sites tunneling into the SA540 host.
  SA540:
  SA540 says site to site vpn is up and IPsec SA Established.
  192.168.1.0
  Gateway Policies
  Client Policies
  Exchange Mode:
  Main
  Aggressive
  ID Type:
  Local WAN IP
  FQDN
  Local WAN ID:
  Local WAN IP
  local.com
  Remote WAN ID:
  N/A
  remote.com
  Encryption Algorithm:
  AES-128
  AES-128
  Authentication Algorithm:
  SHA-1
  SHA-1
  Authentication Method:
  Pre-shared Key
  Pre-shared Key
  Key-Group:
  DH-Group 2 (1024 bit)
  DH-Group 2 (1024 bit)
  Life Time:
  8 hours
  8 hours
  VPN Wizard default values for VPN:
  Encryption Algorithm:
  AES-128
  Authentication Algorithm:
  SHA-1
  Life Time:
  1 hour
  PFS Key Group:
  DH-Group 2(1024 bit)
  NETBIOS:
  Enabled (Gateway Policies)
  Disabled (Client Policies)
  WAN Security Checks
  Block Ping to WAN interface
  Enable Stealth Mode
  Block TCP flood
  RV082:
  RV082 says gateway to gateway is Connected.
  192.168.2.0
  same settings w/ Aggressive, Keep Alive and NAT Traversal checked.
  Firewall Setting Status
  SPI (Stateful Packet Inspection) :
  On
  DoS (Denial of Service) :
  On
  Block WAN Request :
  Off
  Remote Management :
  On
  FROM RV082 diagnostics on router, I cannot ping 192.168.1.1 router or 192.168.1.70 server inside host.
  FROM SA540 host diagnostics, I CAN ping 192.168.2.1 when I check Ping through VPN tunnel, but I canNOT ping an XP computer at 192.168.2.100 which has firewall turned off.
  What am I missing? 
  Goal is to establish full tunneling and computer/server access between sites.
  Any help is greatly appreciated.

  I have added the permit any any on the outside and vpn interfaces of both ASAs. I also change the source and destination of the nat exempt rule to any any.

• L2L Tunnel keeps dropping

  I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code.  The main site has a T1 and the remote site is using a DSL connection.  About every other day I have to reset the connection at the remote site.  The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the  nat statement.  The connection usually comes back up and a few minutes.  I am trying to see what is causing this to drop.  Does anybody have any ideas?
  Thanks,
  TJ                  

  9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
  2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4.\n
  9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
  2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
  2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4
  I just enabled the crypto ipsec 255 and will post that when it drops again.
  Thanks,
  TJ

• Is it possible to allocate bandwidth to an application in an L2L tunnel?

  Hi,
  In an L2L tunnel, we wanted to allocate bandwidth for all users in Site A when accessing applications (Web-based and thick) in a server in Site B. The responses for both applications are not acceptable.
  The same VPN link between the two sites is also used by other applications i.e. DC replication, etc. and the Internet link used for VPN is also used for SMTP and Lotus Notes.
  In Site A, the tunnel is terminated outside of the PIX 7.2(2) and Site B is terminated outside of ASA 5510 7.2(2). The routers infront of these firewalls have PBR such that PAT?ed address from the firewall is routed to the ADSL instead of the serial interface.
  If we?ll upgrade the Internet line, I have to make sure that it will resolve the issue.
  Thanks in advance.
  Regards,
  Archie

  Hi,
  Thanks.
  - The first challenge is where to apply QoS i.e. do traffic policing/allocate bandwidth for IPSec use. My guess is on the router but I'm not 100% sure.
  -If on the router, what's the command?
  - Once the first challenge is done, can I do traffic policing on applications inside VPN which are terminated on PIX and ASA?
  Regards,
  Archie

• Creating L2L Tunnel to IOS Endpoint

  Hey All,
  Quick questions. I've been reviewing the guides on Cisco and have yet to find an example of what I'm looking for. The scenario is that there will be a client device that uses DHCP on the WAN side. This device can authenticate using IPSec to a VPN termination device. On our hub end we want to use a Cisco IOS router to terminate the connection. My question is that this will not be exactly a L2L tunnel, the endpoint has a configuration to build in a username to authenticate with. So it appears the tunnel with authenticate using a username a pre-shared key, rather than PSK and configured remote IP address (since this is DHCP). I've found an example of this on Cisco here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml. Unfortunately the example is from an IOS DHCP endpoint to a 3000-series concentrator. Anyone have a config example of what I'm looking for?
  -Mike
  http://cs-mars.blogspot.com

  Mike,
  When you say client device. Is it like a router or is it a PC.
  If it is a PC, take a look at this link
  Link:1
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
  If it is a device like a router or so, you need to configure the router just like one in the link given above
  Link2:
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
  But the server part is like Link 1.
  Hope this helps.
  Here is a good link for configuration of VPN on Cisco devices.
  http://www.cisco.com/en/US/partner/tech/tk583/tk372/tech_configuration_examples_list.html
  Rate this post, if it helps.
  Thanks
  Gilbert

• Long shot question about L2L tunnel

  I have a Cisco 5540 that terminates one end of a L2L tunnel, the remote end is a Sonicwall TZ100.  The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in .cap file using Wireshark 1.8.5.
  Anyone have any thoughts on how to go about getting the session keys from either device?

  Hi,
  Nice find and interesting read. Might have to take a look at this at some point
  Are you capturing traffic on the ASA "outside" interface?
  I guess there must be a specific reason that you didnt capture the traffic before/after the tunnel on the "inside" interface of the ASA? Maybe see that the same traffic/data was passed on to the L2L VPN after the ASA had encrypted/encapsulated the traffic?
  - Jouni

• ADOBE CLOUD ON MY DESKTOP WILL NOT WORK. IT LOADS UP BUT NOTHING FILLS THE WINDOW

  ADOBE CLOUD ON MY DESKTOP WILL NOT WORK. IT LOADS UP BUT NOTHING FILLS THE WINDOW

  BLANK Cloud Screen http://forums.adobe.com/message/5484303 may help
  -and step by step http://forums.adobe.com/thread/1440508?tstart=0
  -and http://helpx.adobe.com/creative-cloud/kb/blank-white-screen-ccp.html

• IPod nano works with USB 1.1 but not USB 2.0

  Anyone using an iPod nano that works with USB 1.1 but not with USB 2.0? I am using Windows XP and when installing the iPod software from CD it recognizes the iPod and am able to transfer songs using iTunes but when installing SP1 or SP2 to enable USB 2.0 transfers, Windows XP only recognizes the iPod nano as a USB Mass Storage Device. This is the same with iPod Updater.

  I have a similar problem with the following configuration:
  - Dell Dimension 4100 Desktop with 2 integrated USB 1.1 ports, Windows 2000 SP 4
  - PCI 6-Ports USB 2.0 Card ("Mentor" resp. www.bona.com.tw), Model USB20-PCI/6P
  What works well?
  - All my USB add-ons (1.1 and 2.0) on the internal 1.1 ports as well as on the USB2.0 PCI card
  - iPod Nano 4GB on internal 1.1 ports (external drive in windows 2000 as well as iPod in iTunes)
  - iPod Nano works as well as on the USB 2.0 card ONLY WHEN my old 4-port USB1.1 hub is connected between Nano and USB card
  What doesn't works?
  My iPod Nano directly connected to the USB 2.0 card. Symptoms when connecting:
  - Windows is very slow, process "scvhost.exe" or "system.exe" using 99% of CPU for some minutes
  - iPod is recognised as external drive, but when I click on it, it is empty and copying files to it results in "I/O error"
  - iTunes doesn't recognise the iPod (of course, if even windows itself cannot read from it...)
  I removed all USB drivers, reinstalled iTunes, iPod (by the way, I still don't understand what "iPod update" is good for, except for updating the iPod's firmware), deactivate the internal USB1.1 ports, no result.
  Help!!!!!!!!!!!!!!!!

• Facetime works fine on my iphone, but will not work on my MBA.

  Facetime works fine on my iphone, but will not work on my MBA.   Keeps telling me "unable to verify address" and says it is sending me a verification link to my email address but I never get anything.   Crazy. 
  After a while it tells then me that it cannot verify my email address because of a network connection  ("Could not verify the email address. Please check your network connection and try again. ")
  Does anyone have any ideas?

  Facetime works fine on my iphone, but will not work on my MBA.   Keeps telling me "unable to verify address" and says it is sending me a verification link to my email address but I never get anything.   Crazy. 
  After a while it tells then me that it cannot verify my email address because of a network connection  ("Could not verify the email address. Please check your network connection and try again. ")
  Does anyone have any ideas?

• Why exchange email will not work on my ipod touch, but ok on iphone

  Why will microsoft exchange email not work on my ipod touch, but with the exact same settings, it works fine on my iphone? What is the reason for this?

  Try a soft reset, press and hold both power and home buttons together until the Apple logo appears, about 15 seconds, then release both. If still no joy, go into Settings>General>Reset then tap Reset All Settings. If still no joy, back up your iPod to your computer then do a Restore to Backup, if that doesn't work Restore to new through iTunes. If a full restore to new does not work, you may have a hardware issue, contact Apple Genius Bar to have your iPod evaluated. Good luck, Cheers.