ASA reset-I and reset-O

Hi there,
I have a couple of questions regarding Reset-I and Reset-O messages on the Cisco ASA. I read in a document that Reset-I will appear on the ASA if the inside host resets the connection, but what denotes an 'inside' host? Is the inside host determined based on the context of the connection? For example, if a host on the Internet initiated a connection to a host in the DMZ, and the Internet host sent the reset, would this be logged as a 'Reset-I' because, although the host was on the Internet, it was the side initiating the connection?
Also, the same document said that the reset was sent to the ASA as an indication to drop the connection, but the hosts wouldn't know about the ASA, so isn't the reset actually sent to the host with which they are communicating?
Last question: what would actually cause a connection to be reset, as it says resets are sent after the TCP connection has been established?

Hi,
It is actually on the basis of the security level. If the reset is sent from the higher security level, then it will be "RESET-I", and if from the lower level, "RESET-O".
I think if you go through this document and the command, you will understand the behavior of the ASA sending the RESETs.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1452931
Thanks and Regards,
Vibhor Amrodia
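
The rule in the reply above (Reset-I when the RST comes from the interface with the higher security level, Reset-O when it comes from the lower one) applied to the %ASA-6-302014 teardown messages that appear further down this page. This is an added example, not code from the thread or from Cisco; the security-level map and the sample log lines not taken from this page are constructed, and traffic to the ASA itself (`identity`) is left out of the rule because it has no security level.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Interface security levels as set with "security-level" under each interface.
# These values are constructed for the example; "identity" (traffic to the ASA
# itself) deliberately has no entry because it carries no security level.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# %ASA-6-302014 layout: "Teardown TCP connection <id> for <if>:<ip>/<port>[(user)]
# to <if>:<ip>/<port>[(user)] duration <h:mm:ss> bytes <n> <reason> [(user)]"
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?:\([^)]*\))? to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?:\([^)]*\))? "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)(?: \((?P<user>[^)]*)\))?\s*$"
)


@dataclass
class Teardown:
    conn_id: int
    src_if: str
    src: str
    dst_if: str
    dst: str
    duration: str
    bytes: int
    reason: str
    user: Optional[str]


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one 302014 syslog line; return None for any other message."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    return Teardown(
        conn_id=int(m["conn"]),
        src_if=m["src_if"], src=f"{m['src_ip']}/{m['src_port']}",
        dst_if=m["dst_if"], dst=f"{m['dst_ip']}/{m['dst_port']}",
        duration=m["duration"], bytes=int(m["bytes"]),
        reason=m["reason"].strip(), user=m["user"],
    )


def reset_sender(t: Teardown, levels=SECURITY_LEVELS) -> Optional[str]:
    """Apply the rule from the reply: Reset-I means the RST came from the
    interface with the higher security level, Reset-O from the lower one.
    Returns that interface name, or None when the teardown was not a reset or
    one side has no security level (the 'identity' case is not covered)."""
    if t.reason not in ("TCP Reset-I", "TCP Reset-O"):
        return None
    src_lvl = levels.get(t.src_if.lower())
    dst_lvl = levels.get(t.dst_if.lower())
    if src_lvl is None or dst_lvl is None or src_lvl == dst_lvl:
        return None
    higher, lower = (t.src_if, t.dst_if) if src_lvl > dst_lvl else (t.dst_if, t.src_if)
    return higher if t.reason == "TCP Reset-I" else lower


def summarize_resets(lines: Iterable[str], levels=SECURITY_LEVELS) -> Counter:
    """Count resets by (interface that sent the RST, reason) for troubleshooting."""
    counts: Counter = Counter()
    for line in lines:
        t = parse_teardown(line)
        if t is None:
            continue
        sender = reset_sender(t, levels)
        if sender is not None:
            counts[(sender, t.reason)] += 1
    return counts


SAMPLE_LOGS = [
    # Constructed: an inside client tears down its own session to a DMZ server.
    "Jan 19 2014 19:40:01: %ASA-6-302014: Teardown TCP connection 22401 for inside:10.1.1.20/52011 to dmz:192.168.5.10/443 duration 0:00:12 bytes 4096 TCP Reset-I",
    # Constructed: the DMZ server resets a session opened by an inside client.
    "Jan 19 2014 19:40:05: %ASA-6-302014: Teardown TCP connection 22402 for inside:10.1.1.21/52012 to dmz:192.168.5.10/443 duration 0:00:01 bytes 0 TCP Reset-O",
    # Constructed: a normal FIN close, not a reset.
    "Jan 19 2014 19:40:09: %ASA-6-302014: Teardown TCP connection 22403 for outside:203.0.113.7/40000 to dmz:192.168.5.10/443 duration 0:00:30 bytes 9001 TCP FINs",
    # Constructed: the question's scenario, an Internet host that initiated the
    # connection sends the RST; by security level this is Reset-O, not Reset-I.
    "Jan 19 2014 19:40:12: %ASA-6-302014: Teardown TCP connection 22404 for outside:203.0.113.8/40001 to dmz:192.168.5.10/443 duration 0:00:00 bytes 0 TCP Reset-O",
    # From this page: a VPN user's session to the ASA's own 'identity' interface.
    "Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        t = parse_teardown(line)
        print(t.conn_id, t.src_if, "->", t.dst_if, t.reason, "RST from:", reset_sender(t))
    print(summarize_resets(SAMPLE_LOGS))
```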

Similar Messages

  • Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increases more than 70 %. Is it possible? Please help me. Thanks Vijay

    Dear All,
    I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increases more than 70 %. Is it possible? Please help me.
    Thanks
    Vijay

    Hi Vijay,
    It can be done, but you need some network management software. I personally don't think you can ask your ASA to send mails. The ASA can trigger an alert to an SNMP-configured server which will in turn send mail to you.
    HTH,

  • Difference between ASA 8.3 and 8.4 IOS VERSION?

    What are major differences between ASA 8.3 and 8.4 IOS VERSION?
    Also data flow?

    The release notes outline the differences in each version of ASA software. You can find the ASA 8.4 Release Notes here.
    I don't understand what you're asking about data flow.

  • ASA 8.4 and NATControl

    For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
    For example:
    ASA inside int---10.1.1.1
    outside int---120.11.1.1
    When the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?

    Thanks Dan. I should have asked my above question differently; please let me know whether my explanation below is correct or not.
    If nat-control is enabled, for the inside hosts (sec level 100, IP 10.x.x.x) to talk to DMZ hosts (sec level 50, IP 192.x.x.x) we need a matching NAT statement like:
    nat (inside) 1 0.0.0.0 0.0.0.0
    global(dmz) 1 interface
    For ASA version 8.3 and above, since there is no nat-control, the inside hosts can talk to DMZ hosts without any NAT statement as long as the access-list, if there is any, permits that communication.

  • ASA DMZ zone and Unix proxy server

    Hi.
    I have a router where all NAT translation is done. I have an ASA and a core switch.
    My users and some servers are located in the 192.168.1930.0/24 subnet. This subnet is created on the core switch:
    int vlan 393
    ip address 192.168.193.1 255.255.255.0
    The core switch is connected to the ASA inside interface. The ASA inside interface IP is 172.30.30.1, and on the core switch side this port is access VLAN 8, which is:
    int vlan 8
    ip address 172.30.30.2
    On the core switch I have a default route to the ASA:
    ip route 0.0.0.0 0.0.0.0 172.30.30.1
    and on the ASA side:
    route inside 192.168.193.0 255.255.255.0 172.30.30.2
    All of them are OK.
    I think that is OK.
    On the ASA I have a DMZ zone with this IP address:
    interface Ethernet0/1
    description connect to CoreSW
    nameif inside
    security-level 100
    ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
    interface Ethernet0/2
    description DMZ zone connect mail server
    nameif DMZ
    security-level 50
    ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
    My proxy server's inside interface is connected to the ASA DMZ zone with IP address 172.16.10.254, and its outside interface is connected to the ASA outside side, which means it is in the same subnet as the ASA outside interface, which is 10.0.0.254, and then for 10.0.0.254 I do static NAT at the router. I have no problem with NAT translation.
    I want my 192.168.193.0 subnet to pass through the proxy when this subnet wants to connect to the Internet.
    I wrote:
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    and the access-list:
    access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
    access-group from_dmz_to_in in interface DMZ
    At this point, what is up?
    The users cannot access the Internet, and what do I do? I wrote the proxy server inside IP and default port 3128 in the users' Internet Explorer properties:
    Internet Explorer -- Tools - Properties - Connection - LAN settings, and put there 172.16.10.254 and port 3128.
    When I write this, my users connect to the Internet. When I remove this they cannot connect to the Internet,
    but I do not want to write anything on my users. How do I solve this?
    After that, one problem occurs.
    When my server does nslookup it does not work.
    I think that it is true because only port 3128 is open and my server needs UDP 53, so it cannot work.
    How do I solve this issue?
    As you see, my access-list is all open and I do:
    static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
    Is this the wrong proxy connection???
    Must I change the proxy server inside interface to another device or another ASA interface?
    Thanks.

    There are 2 ways the proxy server can work, i.e. either transparent or explicit proxy.
    From your explanation, explicit proxy works just fine when you configure the proxy settings on your browser.
    The reason why transparent proxy does not work is because:
    1) When the user's browser connects to the Internet, the ASA default gateway is via the outside interface; that is why the Internet traffic is not being routed transparently towards your proxy server, which is connected to the DMZ interface.
    The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the Internet traffic towards the proxy server on the DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. The ASA does not support Policy Based Routing, nor does it support WCCP when the user and the proxy server are on different interfaces.
    2) You also need to find out if the proxy server itself supports transparent proxy.
    Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy?

  • VPN ASA inside Interface and ip pool are one same Subnet

    Hi Everyone,
    I have configured RA VPN full tunnel.
    The inside interface of the ASA is:
    Vlan1                    inside                 10.0.0.1        255.255.255.0   CONFIG
    ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
    I need to know: is it good design to have both on the same subnet?
    When I access the switch connecting to the VPN ASA inside interface via https://10.0.0.2,
    which has IP 10.0.0.2, while using a Remote VPN connection to the ASA, it does not work and gives the error
    message as below:
    Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
    Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
    Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
    Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK  on interface outside
    Current NAT config is
    nat (inside,outside) source dynamic any interface
    Regards
    MAhesh

    Hi Mahesh,
    It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
    Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
    I would suggest changing the VPN Pool first and then configuring this:
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network VPN-POOL
    subnet
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
    In the future it would be best if you changed your current Dynamic PAT configuration to this:
    nat (inside,outside) after-auto source dynamic any interface
    We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
    - Jouni

  • ASA interface name and nameif are different

    Hi Everyone,
    On one of the ASAs I have this config, say:
    interface BCISCO
    nameif CISCO
    ip address 192.168.x.x 255.255.0.0 standby IP 192.168.x.x
    I need to understand why we have the interface and nameif different here.
    Also, when I try to access the ASA by ASDM from the internal network, the log shows
    "built inbound TCP connection" for the ASA interface.
    So I need to know: whenever we access the ASA from the internal network, will it say inbound connection?
    Or are there some criteria that tell when a connection is inbound to the ASA?
    Thanks
    Mahesh

    Hi Jouni,
    Yes, it is in context mode.
    72           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302013: Built inbound TCP connection 11283929 for Net:192.168.100.17/62287 (192.168.100.17/62287) to identity:192.168.100.12/443 (192.168.100.12/443)
    71           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62286 to 192.168.100.12/443 flags FIN ACK  on interface Net
    70           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-302014: Teardown TCP connection 11283774 for Net:192.168.100.17/62286 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    69           2013/04/17 10:10:59.640 MST     192.168.100.12  Apr 17 2013 17:10:58: %ASA-6-605005: Login permitted from 192.168.100.17/62286 to Net:192.168.100.12/https for user "cisco"
    68           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302013: Built inbound TCP connection 11283774 for Net:192.168.100.17/62286 (192.168.100.17/62286) to identity:192.168.100.12/443 (192.168.100.12/443)
    67           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62285 to 192.168.100.12/443 flags FIN ACK  on interface Net
    66           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-302014: Teardown TCP connection 11283684 for Net:192.168.100.17/62285 to identity:192.168.100.12/443 duration 0:00:03 bytes 381 TCP Reset-O
    65           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62285 to Net:192.168.100.12/https for user "cisco"
    64           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-606001: ASDM session number 0 from 192.168.100.17 started
    63           2013/04/17 10:10:56.343 MST     192.168.100.12  Apr 17 2013 17:10:55: %ASA-6-605005: Login permitted from 192.168.100.17/62284 to Net:192.168.100.12/https for user "cisco"
    62           2013/04/17 10:10:52.733 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283684 for Net:192.168.100.17/62285 (192.168.100.17/62285) to identity:192.168.100.12/443 (192.168.100.12/443)
    61           2013/04/17 10:10:52.718 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302013: Built inbound TCP connection 11283681 for Net:192.168.100.17/62284 (192.168.100.17/62284) to identity:192.168.100.12/443 (192.168.100.12/443)
    60           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62283 to 192.168.100.12/443 flags FIN ACK  on interface Net
    59           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-302014: Teardown TCP connection 11283636 for Net:192.168.100.17/62283 to identity:192.168.100.12/443 duration 0:00:02 bytes 806 TCP Reset-O
    58           2013/04/17 10:10:52.515 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62283 to Net:192.168.100.12/https for user "cisco"
    57           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-606003: ASDM logging session number 0 from 192.168.100.17 started
    56           2013/04/17 10:10:52.358 MST     192.168.100.12  Apr 17 2013 17:10:51: %ASA-6-605005: Login permitted from 192.168.100.17/62282 to Net:192.168.100.12/https for user "cisco"
    55           2013/04/17 10:10:50.374 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283636 for Net:192.168.100.17/62283 (192.168.100.17/62283) to identity:192.168.100.12/443 (192.168.100.12/443)
    54           2013/04/17 10:10:50.140 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302013: Built inbound TCP connection 11283629 for Net:192.168.100.17/62282 (192.168.100.17/62282) to identity:192.168.100.12/443 (192.168.100.12/443)
    53           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.100.17/62281 to 192.168.100.12/443 flags FIN ACK  on interface Net
    52           2013/04/17 10:10:50.108 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-302014: Teardown TCP connection 11283529 for Net:192.168.100.17/62281 to identity:192.168.100.12/443 duration 0:00:02 bytes 3107 TCP Reset-O
    51           2013/04/17 10:10:49.937 MST     192.168.100.12  Apr 17 2013 17:10:49: %ASA-6-605005: Login permitted from 192.168.100.17/62281 to Net:192.168.100.12/https for user "cisco"
    50           2013/04/17 10:10:47.640 MST     192.168.100.12  Apr 17 2013 17:10:46: %ASA-6-302013: Built inbound TCP connection 11283529 for Net:192.168.100.17/62281 (192.168.100.17/62281) to identity:192.168.100.12/443 (192.168.100.12/443)
    Where interface Net is the ASA interface with IP 192.168.100.12
    192.168.100.17 is my PC IP
    This is the log while I access the ASA by https.
    Can you please tell me why the logs have repeated lines, for example
    "ASDM logging session started" appears 2 times?
    Thanks
    Mahesh

  • IPsec Issues ASA 8.0 and Watchguard XTM 510

    Hi Everyone,
    I am trying to merge two networks, one using an ASA 5510 as its edge device, and the other using a Watchguard XTM 510. For some reason, when a connection is initiated from the Watchguard side, phase 1 completes with MM_ACTIVE, but when the ASA initiates, IKE shows the following status:
    IKE Peer: x.x.x.145    (Watchguard Side)
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG6
    Regardless, however, even at MM_ACTIVE, phase 1 resets and phase 2 never begins, and so a connection is never made. I have collected a debug from both sides and they are as follows:
    ASA IP:                x.x.x.60
    Watchguard IP:     x.x.x.145
    ASA:
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a83f)
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:02 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=e57925a0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a840)
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:04 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=6bfb344) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a841)
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:06 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=51a5ab4d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:08 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:08 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=1ef674ce) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:08 [IKEv1]: Ignoring msg to mark SA with dsID 2019328 dead because SA deleted
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Oakley proposal is acceptable
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received DPD VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received NAT-Traversal ver 02 VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing IKE SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ISAKMP SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Traversal VID ver 02 payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Fragmentation VID + extended capabilities payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ISA_KE payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Cisco Unity VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing xauth V6 VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send IOS VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Generating keys for Responder...
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing ID payload
    Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
    x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Freeing previously allocated memory for authorization-dn-attributes
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing ID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing dpd vid payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 107
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Keep-alive type for this connection: DPD
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Starting P1 rekey timer: 64800 seconds.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f28)
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:32 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=96f50614) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f29)
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:34 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f17efc6e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f2a)
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:36 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=a4d9cf11) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:38 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f1d3a895) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:38 [IKEv1]: Ignoring msg to mark SA with dsID 2023424 dead because SA deleted
    Watchguard:
    <158>Jan  7 13:57:11 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 384341539(Isakmp SA 0x81b26a0)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)MainMode: recv 1st msg pcy [newbury] peer x.x.x.60:500 (Ct=324)
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 started by peer with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloads : Payload(SA) Len(172)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalNtoH : Recv SPI(0x03 0000 0000 0x28) SPI(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_NAT-T_VID(first 4bytes: 0x9180cb90)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)P1__Mode: NAT-T negotiated [newbury] peer 0xd5534a3c:500
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalHtoN : net order spi(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending second message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received third  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(4) Len(196)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(10) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(12)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_XAUTH06_VID(first 4bytes: 0x89260009)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending fourth message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:17 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:21 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    Any insight you can provide in this regard would be greatly appreciated.

    The issue was resolved.  Watchguard uses both a "Remote Gateway IP" and a "Remote Gateway ID."  In most cases, these will have the same IPv4 value.  However, in this case, the ASA was using an old FQDN as its ID, so it was causing a mismatch with the ID configured for that gateway on the Watchguard side.  Once the ID was changed to the FQDN of the ASA, the tunnel came up and started passing traffic.
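    The log excerpt above is the kind of thing a practitioner wants to triage automatically: the interesting lines are the ones at warning severity and worse (syslog PRI 156 and 155), and the repeating "Mismatched ID settings ... authentication failure" pattern is the signal. The following parser is an added example, not code from the original post or from WatchGuard; it decodes the syslog PRI field into facility and severity, splits each iked line into its fields, and counts Phase 1 ID-mismatch failures per remote peer. The sample lines are constructed from the post's own format, with the same x.x.x.N placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the iked output quoted in the post above.
# Addresses are placeholders (x.x.x.N), exactly as the poster masked them.
SAMPLE_LOG = """\
<158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
<156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan  7 13:57:21 iked[1976]: unsupported WG notification event - 524293
"""

# RFC 3164 style line: <PRI>timestamp process[pid]: (local<->peer)message
# The "(local<->peer)" prefix is optional; iked omits it on some lines.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?:\((?P<local>[^<)]+)<->(?P<peer>[^)]+)\))?"
    r"(?P<msg>.*)$"
)

# Syslog severity codes 0..7 (PRI = facility * 8 + severity)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

ID_MISMATCH_RE = re.compile(
    r"Mismatched ID settings at peer (?P<peer>[^\s:]+):(?P<port>\d+) caused an authentication failure"
)


def parse_line(line):
    """Split one syslog line into its fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,       # 158 -> 19 (local3)
        "severity": pri % 8,        # 158 -> 6 info, 156 -> 4 warning, 155 -> 3 err
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m["ts"],
        "process": m["proc"],
        "pid": int(m["pid"]),
        "local": m["local"],        # None when the line has no (local<->peer) prefix
        "peer": m["peer"],
        "message": m["msg"],
    }


def id_mismatch_failures(text):
    """Count Phase 1 ID-mismatch authentication failures per remote peer.

    Only lines at warning severity or worse are counted, so the info-level
    chatter around each attempt does not inflate the number.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["severity"] > 4:
            continue
        m = ID_MISMATCH_RE.search(rec["message"])
        if m:
            counts[m["peer"]] += 1
    return dict(counts)


def peers_to_check(text, threshold=2):
    """Peers whose repeated ID-mismatch failures point at a misconfigured
    IKE identity (IP address vs FQDN), the root cause found in the post."""
    return sorted(p for p, n in id_mismatch_failures(text).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["severity_name"], rec["peer"], rec["message"][:60])
    print(id_mismatch_failures(SAMPLE_LOG))
    print(peers_to_check(SAMPLE_LOG))
```

    Pointing `id_mismatch_failures` at a longer capture gives one number per peer, which is enough to tell a one-off glitch from the steady retry loop seen above (one failure every four seconds while the gateway retries Phase 1).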

  • ASA 5505 - Backup and restore to another device of same model and version

    How can I backup the configuration of the ASA 5505 on 8.x and restore it to another ASA 5505 with same version? I have tried to save the running config to a file and then copy it to the new device and use the boot config: filename but it doesn't work. Or is there any other way to try? Thanks.

    Thanks Andrew, I had tried it but I was having issues with the fact that I kept both ver 7 and ver 8 of the OS images on the flash. So it booted from the first one found (ver 7), which created confusion for me as the config file was for ver 8.
    I noticed that it keeps the 192.168.1.1 IP even though in the config file it has another IP assigned. Are there other things that I need to check that do not change, apart from the IP address?
    Thanks.

  • ASA 5505 VPN and Sprint Mobile Broadband clients.

    I have a strange problem, it's something that just started recently when we had a user try to gain access with a Sprint Mobile Broadband card. We have quite a few remote users, probably not more than 6 ever connected to the VPN at once, and I have not heard of any issues until recently. We are starting to require more travel to remote locations, so the use of the hotel internet, as well as Sprint mobile broadband is becoming more important.
    There are a few issues here. Everything is IPsec.
    Mac OSX with VPN client version 4.9.01 will connect to the VPN when connected to a normal internet connection, but as soon as it gets on the Sprint Mobile Broadband device, it connects for exactly 5 seconds and disconnects.
    Windows XP Pro, has no problems with normal internet, on the wireless broadband modem, it will connect to the VPN, but have no access to internal resources or access to the internet.
    Windows Vista, has issues all the way around, but mainly when connected to the wireless it has the same issues as XP minus the internet browsing.
    Strange thing is, all these problems seem to be different, but they all started around the same time. I have been testing everything I can think of. Talked to Sprint, and the lady there was actually very helpful...just have to get to the right person. But nothing we tried did any good.
    Does anyone know of any settings on my ASA that I need to change in order to get these types of connections to work?
    The best part of all this is that my Linux machine can connect/surf/and browse the internal network through the VPN just like it normally would work.
    Something has to be wrong with my client config settings that is causing this to happen.

    Have you enabled NAT Traversal? (Both on the Client and ASA)
    That would be the first thing to check.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
    Regards
    Farrukh

  • ASA 5505 Username and Password

    Hi All,
    I am trying to configure an ASA 5505 with a username and password. I set all the passwords:
    password xxxxxxx
    enable password xxxxxxx
    username xxxxxx password xxxxxxx
    When I reload the device it prompts me for the username, then the password and it fails and just asks for the username again. I have even tried to delete the username/password combo but it still prompts me for it. When I do password recovery the confreg is 0x00000001. I am no ASA expert and this is getting a bit frustrating.
    When I first configured the device and reloaded it, everything worked fine.....once. Upon the second reload it just keeps prompting me.
    Thanks for any help.
    Bill

    Hello Carter,
    Hmm, it sounds like a config-register problem.
    So when you are in rommon you have to set the confreg to 0x41 so you can ignore the startup-config.
    Then when you enter to the ASA please do the following:
    enable password cisco
    username password cisco
    config-register 0x01
    wr
    and then finally reload,
    Regards,
    Julio

  • Changed our ASA IP address and we're no longer able to Authenticate with RSA.

    Hi,
    We changed our ASA IP last night and since then we can no longer authenticate with RSA.  I know we had to modify the IAS policy on our DC to the new IP but I'm not sure where I would change that in RSA.  Any one have an idea?
    ASA 5510 (8.3)
    RSA (6.1)
    Thanks.

    I don't have Programs > RSA ACE Server
    I have the following...
    RSA Authentication Manager Configuration Tools > RSA Authentication Manager
    RSA Authentication Manager Configuration Tools > Configuration Management
    RSA Authentication Manager Configuration Tools >  Replica Management
    RSA Authentication Manager Database Tools > Compress
    RSA Authentication Manager Database Tools > Dump
    RSA Authentication Manager Database Tools > Load
    RSA Authentication Manager Control Panel
    RSA Authentication Manager Host Mode
    RSA Authentication Manager Log Monitor
    RSA Authentication Manager Remote Mode
    RSA Security Center
    Where would I find the configuration from those items?

  • Two Asa Two Isp and Windows 2008 R2 Server

    Hello Everybody ,
    If you can support my issue , I do appreciate a lot.
    First of all thanks a lot for your interest ..
    Here is my  issue :
    I have two ISP connections (1 metro Eth connection and 1 Ghdsl connection)
    1) ASA 5505 (Version 8.0(5)) is for the 1st ISP connection
    Windows 2008 R2 server is up and running as Web Server on this ASA 5505 config.
    As:
    (static (inside,outside) mywebsrv.mycompany.com 192.168.5.5 netmask 255.255.255.255
    And Ipconfig of W2008Srv is 192.168.5.5 255.255.255.0 192.168.5.1 (Gateway ASA 5505)
    2) ASA 5510 (Version 8.0(5)) is for the 2nd ISP connection
    Windows 2003 R2 server is up and running as Ftp Server on this ASA 5510 config.
    As:
    (static (inside,outside) myftpsrv.mycompany.com 192.168.50.10 netmask 255.255.255.255
    And Ipconfig of W2003Srv is 192.168.50.10  255.255.255.0 192.168.50.1 (Gateway ASA 5510)
    Here is my question :
    I need to move my FTP server (due to old hardware + old server issues)
    into the Windows 2008 R2 Server (HP DL Server with 4 NICs).
    If I connect my ASA 5510 to the second NIC of the Windows 2008 R2 Server
    and give it an IP address of 192.168.50.10 255.255.255.0,
    what should the gateway IP address be?
    Before I go ahead and implement:
    a) What do I need to do on the Windows 2008 R2 Server,
    such as persistent route adds with different metrics?
    b) Any config adds or changes on ASA 5505 and ASA 5510 regarding static routes with
       different metrics and so on ...
    Many thanks in advance for your support .

    If you do that, the second interface will work as a failsafe for the first NIC.
    As far as I know, you won't be able to route traffic based on the type of traffic nor do load-balancing between the interfaces.
    I guess the best approach will be to get a newer server and use it as a replacement for the one running 2003 R2.

  • ASA 8.0 and Microsoft ISA (local user backup)

    What is the command so that when the username + password cannot be found in the microsoft isa server, the pix will look at the local database?
    This command works in the router, but I cannot seem to find the equivalent for the pix.
    aaa authentication login default local group tacacs+
    Basically does the pix asa 8.0 support Multiple authorization commands?
    Thank you very much for your help.

    On a router, "aaa authentication login default local group tacacs+ " will ALWAYS use the local user DB, never tacacs.
    "aaa authentication login default group tacacs+ local" will first try tacacs and only if the tacacs server is not responding, use the local DB. Note that if the tacacs DOES respond but rejects the authentication attempt (user does not exist or wrong password), that the router will NOT use the local DB.
    That said, on pix/asa you can do the same, e.g.:
    aaa-server TPLUS protocol tacacs+
    aaa-server TPLUS (management) host 10.0.0.1
    aaa authentication telnet console TPLUS LOCAL
    hth
    H
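    The subtle point in the answer above is that a method list only falls through on "no response", never on a rejection: a reachable TACACS+ server that says no ends the attempt, and the LOCAL database is consulted only when every server in the group is unreachable. The following model is an added example, not Cisco code or the ASA's actual implementation; it reproduces that evaluation order for a method list such as `TPLUS LOCAL` from the answer, using constructed stand-ins for a reachable server, a dead server and a local user database.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method answered and accepted the credentials
    FAIL = "fail"    # the method answered and rejected them
    ERROR = "error"  # the method did not answer (server down / unreachable)


def authenticate(method_list, username, password, servers, local_db):
    """Evaluate an IOS/ASA-style method list in order (model, not Cisco code).

    PASS and FAIL are both final: a rejection from a server that answered is
    never retried against the next method.  Only ERROR (no response from any
    host in the group) falls through.  Returns (Result, deciding_method), or
    (Result.ERROR, None) when every method errored.
    """
    for method in method_list:
        if method == "LOCAL":
            # the local user database always answers, so it is always final
            result = Result.PASS if local_db.get(username) == password else Result.FAIL
        else:
            # any other name is an aaa-server group, e.g. TPLUS from the answer
            result = servers[method](username, password)
        if result is not Result.ERROR:
            return result, method
    return Result.ERROR, None


# Constructed test doubles standing in for the TPLUS server group.
def reachable_tacacs(username, password):
    """Server is up: accepts alice, rejects everyone else."""
    users = {"alice": "tacacs-pw"}
    return Result.PASS if users.get(username) == password else Result.FAIL


def dead_tacacs(username, password):
    """Server group timed out on every configured host."""
    return Result.ERROR


# Constructed local database: bob exists only locally.
LOCAL_DB = {"bob": "local-pw"}


if __name__ == "__main__":
    up = {"TPLUS": reachable_tacacs}
    down = {"TPLUS": dead_tacacs}
    # TPLUS LOCAL, server up: tacacs decides, local never consulted
    print(authenticate(["TPLUS", "LOCAL"], "alice", "tacacs-pw", up, LOCAL_DB))
    # TPLUS LOCAL, server up but rejects bob: FAIL, no local fallback
    print(authenticate(["TPLUS", "LOCAL"], "bob", "local-pw", up, LOCAL_DB))
    # TPLUS LOCAL, server down: falls through to LOCAL
    print(authenticate(["TPLUS", "LOCAL"], "bob", "local-pw", down, LOCAL_DB))
    # LOCAL first: always decided locally, tacacs never reached
    print(authenticate(["LOCAL", "TPLUS"], "alice", "tacacs-pw", up, LOCAL_DB))
```

    The third case is the only one where LOCAL is used with `TPLUS LOCAL`, and the fourth shows why `local group tacacs+` on a router effectively means local-only, as the answer says.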

  • ASA: Smart Tunnel and proxy problem

    Hello
    I am having a problem: some of my external users that have a proxy set up on their end can't use the smart tunnel.
    They get a proxy warning when they click on a bookmark.
    If I skip using Smart tunnel the user can't start the citrix app and gets a corrupted ica file.
    Is it a common problem, and if so is there a solution?
    KR
    Daniel

    Hi Daniel,
    "Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA,
    the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services
    . If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy."
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html#wp1321610
    HTH!!
    Regards,
    Naresh
