ASA site-site VPN error using Microsoft Digital Certificates.
Hi,
I configured a site-to-site VPN between ASAs with authentication type RSA-SIG for Phase 1. I got manual certificates from the Microsoft CA server but am not able to form the tunnel. I badly need someone's help on this issue.
ASA1 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
peer-id-validate cert
trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa1.cisco.com
keypair my.ca.key
crl configure
ASA2 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
peer-id-validate cert
trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa2.cisco.com
keypair my.ca.key
crl configure
Debug Output:
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50 local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
%ASA-7-609001: Built local-host outside:59.160.128.50
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 59.160.128.50, processing SA payload
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715046: IP = 59.160.128.50, constructing ke payload
%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
%ASA-7-715048: IP = 59.160.128.50, Send IOS VID
%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 59.160.128.50, constructing VID payload
%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-715047: IP = 59.160.128.50, processing ke payload
%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
%ASA-7-715047: IP = 59.160.128.50, processing nonce payload
%ASA-7-715047: IP = 59.160.128.50, processing cert request payload
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
%ASA-7-715046: IP = 59.160.128.50, constructing ID payload
%ASA-7-715046: IP = 59.160.128.50, constructing cert payload
%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 128
%ASA-7-713906: Constructed Signature:
0000: 4FB66432 FCA9DA52 5420E6C1 DF8293AC O.d2...RT ......
0010: DE3533F1 7036E5C8 40B11A9D 5C68C884 .53.p6..@...\h..
0020: D4BCA531 BAE87710 09D1AD06 7994CD1B ...1..w.....y...
0030: DCEDB9CE E971F21B 0104C06A 1901FACE .....q.....j....
0040: D1E8AED1 7684DFDA 40E98BC2 E195F3C8 ....v...@.......
0050: 3625E936 E35F47A3 F44BC326 62E99135 6%.6._G..K.&b..5
0060: 88EB90FF 10938CC3 0FFAA576 A9DBD9AD ...........v....
0070: 65592C71 5A13C4C5 8EBA60F6
%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating: flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
Kindly suggest further steps.
Regards,
Mon
Hi mate,
Your ASA is sending the ASA certificate:
but after that we are receiving an ISAKMP notify message which tears down the connection?
Somehow the remote peer didn't like the ASA certificate.
Do you have access to that peer? Is it a Cisco ASA?
Is the time synchronized with that side?
Is the CA certificate installed on that peer?
HTH
Mohammad.
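To see at a glance where Phase 1 died in a debug like the one in the question, here is an added Python example (not code from either post) that reconstructs the initiator's Main Mode progress from the %ASA-7-713236, 713904 and 715065 lines; SAMPLE_LINES is excerpted from the debug output above, and the verdict text encodes the two checks the reply asks about (CA certificate on the peer, clock sync).

```python
"""Reconstruct IKEv1 Main Mode progress from ASA ISAKMP debug / syslog lines.
Added example, not from the original post: reads the %ASA-7-713236 IKE_DECODE
lines, the 713904 notify lines and the 715065 FSM error history and reports at
which Main Mode message Phase 1 stalled and why.
"""
import re
from collections import Counter

# Initiator-side Main Mode message numbers, identified by the payload that
# distinguishes each message: MM1/MM2 carry SA, MM3/MM4 carry KE (+NONCE),
# MM5/MM6 carry SIG (+ID, and CERT when rsa-sig authentication is used).
MM_STEPS = {
    ("SENDING", "SA"): 1, ("RECEIVED", "SA"): 2,
    ("SENDING", "KE"): 3, ("RECEIVED", "KE"): 4,
    ("SENDING", "SIG"): 5, ("RECEIVED", "SIG"): 6,
}

DECODE_RE = re.compile(r"%ASA-\d-713236: .*IKE_DECODE (?P<dir>SENDING|RECEIVED) Message "
                       r"\(msgid=[0-9a-f]+\) with payloads : (?P<payloads>.+?) total length")
NOTIFY_RE = re.compile(r"%ASA-\d-713904: .*Received an (?P<enc>un-encrypted|encrypted) "
                       r"(?P<type>[A-Z_]+) notify message")
FSM_RE = re.compile(r"%ASA-\d-715065: .*IKE MM Initiator FSM error history .*<event>: (?P<hist>.+)$")


def parse_payloads(text):
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['HDR', 'SA', 'VENDOR', 'NONE']."""
    return [p.strip().split(" (")[0] for p in text.split(" + ")]


def parse_fsm_history(hist):
    """'MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->...' -> [(state, event), ...].
    The ASA prints this history newest entry first."""
    pairs = []
    for seg in hist.split("-->"):
        state, _, event = seg.strip().partition(", ")
        pairs.append((state, event))
    return pairs


def analyze(lines):
    """Summarise the Main Mode steps seen, notifies received, FSM events and a verdict."""
    steps = {}            # MM message number -> payload list (first occurrence)
    notifies = Counter()  # (notify type, 'encrypted'|'un-encrypted') -> count
    fsm = []
    for line in lines:
        m = DECODE_RE.search(line)
        if m:
            payloads = parse_payloads(m["payloads"])
            # Most specific payload first: MM5/6 carry no KE or SA, MM3/4 carry no SA.
            for key in ("SIG", "KE", "SA"):
                if key in payloads:
                    steps.setdefault(MM_STEPS[(m["dir"], key)], payloads)
                    break
            continue
        m = NOTIFY_RE.search(line)
        if m:
            notifies[(m["type"], m["enc"])] += 1
            continue
        m = FSM_RE.search(line)
        if m:
            fsm = parse_fsm_history(m["hist"])
    last = max(steps) if steps else 0
    events = [ev for _, ev in fsm]
    if last == 6:
        verdict = "Main Mode completed (MM6 received); look at Phase 2 instead."
    elif last == 5:
        sent = "+".join(p for p in steps[5] if p not in ("HDR", "NONE"))
        verdict = f"Stalled in MM_WAIT_MSG6: MM5 ({sent}) was sent but MM6 never arrived."
        dropped = notifies[("INVALID_COOKIE", "un-encrypted")]
        if dropped:
            verdict += f" Peer sent {dropped} unencrypted INVALID_COOKIE notifies, which the ASA drops."
        if "EV_PROB_AUTH_FAIL" in events:
            verdict += (" FSM recorded EV_PROB_AUTH_FAIL: the responder most likely rejected our"
                        " ID/certificate; check it has the CA certificate and its clock is in sync.")
    elif last:
        verdict = f"Stalled after MM{last}; MM{last + 1} never seen."
    else:
        verdict = "No IKE Main Mode messages found in the input."
    return {"steps_seen": sorted(steps), "last_step": last, "completed": last == 6,
            "notifies": dict(notifies), "fsm_events": events, "verdict": verdict}


# Excerpted from the debug output in the question (trimmed to the lines the parser uses).
SAMPLE_LINES = [
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108",
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108",
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322",
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322",
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668",
    "%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68",
    "%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping",
    "%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping",
    "%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    print(result["steps_seen"], result["verdict"])
```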
Similar Messages
-
VPN error when using Microsoft digital certificates.
Hi,
I tried implementing a site-to-site VPN between a Cisco router and a Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping the other site's LAN. I enabled debug and got the following output. I successfully enrolled the digital certificates.
Cisco ASA config:
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto ca trustpoint winca
enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
trust-point winca
On router:
crypto ca trustpoint winca
enrollment mode ra
enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
crypto isakmp policy 19
encr 3des
group 2
authentication rsa-sig
crypto isakmp key cisco address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
Debug output on ASA
CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
CorpASA#
CorpASA#
CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
Debug output on router:
R2#ping 10.1.1.10 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
Nov 15 02:21:02.711: ISAKMP: encryption 3DES-CBC
Nov 15 02:21:02.711: ISAKMP: hash SHA
Nov 15 02:21:02.711: ISAKMP: default group 2
Nov 15 02:21:02.711: ISAKMP: auth RSA sig
Nov 15 02:21:02.711: ISAKMP: life type in seconds
Nov 15 02:21:02.711: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mismatch
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
next-payload : 6
type : 2
FQDN name : R2.cisco.com
protocol : 17
port : 500
length : 20
Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
Success rate is 0 percent (0/5)
R2#
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Please assist me in sorting out this issue; I need to implement this on my live network.
Thanks a lot in advance.
Regards,
Mohan.D
-
Using a digital certificate to send an encrypted email.
I want to send an e-mail from my iPad using a digital certificate that I have already configured in my e-mail account. I also want to send this e-mail encrypted. Do I need to have a public certificate code from the person I'm sending the e-mail to, like Outlook Express works?
Thanks for the answer in advance.
-
Error using "Microsoft ODBC for Oracle" driver
I am trying to connect to Oracle 10g Express Edition from Access 2003 on Windows XP. I created a DSN using "Microsoft ODBC for Oracle" driver. When I try to connect using ADO, I get this error:
[Microsoft][ODBC Driver Manager] Driver's SQLSetConnectAttr failed
I googled this error and got a lot of hits but no solution.
Any help would be greatly appreciated. I am new to Oracle and am coming from SQL Server 2000.
Thanks a lot!
This is the connection string I am using:
Conn1.ConnectionString = "driver={Oracle in XE};Dbq=GMIS_LIVE.WORLD;Uid=Administrator;Pwd=ubs;"
These are the contents of my tnsnames.ora (what entries do I add to make this work)?
XE =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = your-a9279112e3)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = XE)
EXTPROC_CONNECTION_DATA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
(CONNECT_DATA =
(SID = PLSExtProc)
(PRESENTATION = RO)
ORACLR_CONNECTION_DATA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
(CONNECT_DATA =
(SID = CLRExtProc)
(PRESENTATION = RO)
) -
Error using Microsoft CommonDialog OCX
Guys,
I have a problem using Microsoft CommonDialog (OCX) in a Form (Open File). Herewith I enclose my code below:
----- When Button Pressed ----
DECLARE
CDialog oleObj;
BEGIN
CDialog := :ITEM('BLOCK3.ACTIVEX_CONTROL99').Interface;
MSComDlg_ICommonDialog.ShowOpen(CDialog);
END;
----- End Of When Button Pressed ----
It succeeds when I compile, but when I run it there's an error message:
"FRM 41344 - OLE Object not defined for ACTIVEX_CONTROL99 in current record"
What should I do? :|
Insert the ActiveX control into the field in the Builder. If you have done this but you still get the error at runtime, then it's probably a licence issue with the control; see bug 59305.
Mind you, if you are just trying to get a file open dialog, look at the get_file_name() built-in in Forms.
-
ASA 8.0 VPN cluster with WEBVPN and Certificates
I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
I'm assuming the client gets presented the appropriate certificate based on the http GET.
Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
Thanks,
Mark
There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the interim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug was still there.
Here are the details:
Symptom:
========
ASA 8.0 load balancing cluster with WEBVPN.
When connecting using a web browser to the load balancing IP address or FQDN,
the certificate sent to the browser is NOT the certificate from the trustpoint
assigned for load balancing with the
"ssl trust-point vpnlb-ip" command.
Instead it uses the ssl trust-point certificate assigned to the interface.
This will generate a certificate warning on the browser, as the URL entered
in the browser does not match the CN (common name) in the certificate.
Other than the warning, there is no functional impact if the end user
continues by accepting the warning message.
Condition:
=========
webvpn with load balancing is used
Workaround:
===========
1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
Warning: configs are not backward compatible.
2) upgrade to 8.0.2 interim (8.0.2.11 or later) -
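The failure described in the thread above is a hostname/certificate mismatch: the browser connects to the load-balancer FQDN but is handed the interface trustpoint's certificate. The check a practitioner wants is "does the certificate this ASA actually serves for name X carry name X", applied to the VIP FQDN and to each member FQDN. The following is an added example, not code from the thread or from Cisco: a hostname matcher working on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with a cluster audit run over constructed sample certificates. The hostnames vpn.xxxx.org and vpn1.xxxx.org come from the post; the certificate contents, make_cert, audit_cluster and fetch_peer_cert are assumptions of this example.

```python
from __future__ import annotations
import socket
import ssl

# Assumption: a certificate is the dict that ssl.SSLSocket.getpeercert()
# returns, so the same checks run on the constructed samples below and on
# a certificate fetched live with fetch_peer_cert().


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard is only
    allowed as the entire leftmost label and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.org' must not match 'xxxx.org': require two labels after the '*'
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: SAN dNSName entries, with the
    subject CN used only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


def audit_cluster(presented: dict[str, dict]) -> list[str]:
    """presented maps the hostname a browser typed to the certificate the
    ASA actually served for it; one finding per hostname that mismatches."""
    return [f"{host}: certificate is for {', '.join(cert_names(cert))}"
            for host, cert in presented.items() if not cert_matches_host(cert, host)]


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live variant (not exercised by the samples): the chain is still
    validated against the system CA store, but hostname checking is off so
    a mismatched certificate is returned instead of raising. A private CA
    would additionally need ctx.load_verify_locations()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def make_cert(cn: str, *sans: str) -> dict:
    """Constructed sample in getpeercert() shape; not a real certificate."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", name) for name in sans)}


# The scenario from the thread: the load-balancer FQDN vpn.xxxx.org is served
# the interface trustpoint's vpn1 certificate (the reported bug), while the
# member FQDN vpn1.xxxx.org is served its own certificate.
BUGGY_CLUSTER = {
    "vpn.xxxx.org": make_cert("vpn1.xxxx.org", "vpn1.xxxx.org"),
    "vpn1.xxxx.org": make_cert("vpn1.xxxx.org", "vpn1.xxxx.org"),
}
FIXED_CLUSTER = {
    "vpn.xxxx.org": make_cert("vpn.xxxx.org", "vpn.xxxx.org"),
    "vpn1.xxxx.org": make_cert("vpn1.xxxx.org", "vpn1.xxxx.org"),
}
```

audit_cluster(BUGGY_CLUSTER) reports the VIP mismatch and nothing for the member; the same call against the live cluster is audit_cluster({h: fetch_peer_cert(h) for h in ("vpn.xxxx.org", "vpn1.xxxx.org", "vpn2.xxxx.org")}). Note that a certificate with a SAN is judged on the SAN only, which is how browsers have behaved for years, so a CN-only certificate for the VIP is not enough on its own.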
I need the GSA eoffer site to show as a trusted site.
Never encountered this problem until today when I updated Firefox from 3.5 to v. 4, and none of these higher-security sites will work any longer.
As for considering this to be a problem of the owner of the site, the main one I use suggests Firefox as the preferred browser for activating the certificates, and surely all of these higher-security sites cannot all have the same problem at the same time after I updated Firefox (Mac OS X, by the way). -
We want to authenticate a device (iPad) to our corporate WLAN, but after authenticating the device we would also like to authenticate the user in Active Directory if possible. Has anyone had any experience with this?
You need to make sure that the server sends the "GeoTrust DV SSL CA" intermediate certificate.
See:
* http://www.networking4all.com/en/support/tools/site+check/ (www.ucfs.net)
* https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557
* https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 -
Import Labels / Tags / Ratings from Microsoft Digital Image?
I'm a new user with LOTS of pictures I've been organizing using Microsoft Digital Image. They are all tagged with labels and ratings, that it would be a REAL pain to have to redo.
Is there a way to tell Photoshop Elements 4 to import the pictures with the tags?
Thanks!
--Dean
Jeffrey,
A quick Google search shows that Microsoft Digital Image and Windows XP used (incredibly) a proprietary set of metadata fields in photos:
http://www.shahine.com/omar/WarningToYouIfYouUsedMicrosoftDigitalImageSuiteAndUpgradeToVista.aspx
http://discussions.apple.com/message.jspa?messageID=6074850
There are a couple of suggested solutions to get the proprietary tags into industry-standard fields that other programs understand:
1. Use Windows Live Photo Gallery (the one you download, not Windows Photo Gallery, which is built in to Vista). WLPG understands the old proprietary format. Import your photos into WLPG and then add a new dummy tag to your photos; this will write out the tags using industry-standard fields. Not clear if this will preserve captions, ratings, and date/time.
2. Use exiftool, a free tool that is widely recognized as the most robust tool for modifying metadata. Unfortunately, the learning curve is steep.
I haven't tried these solutions, but they seem quite plausible. -
Looking for equivalent of Microsoft Digital Image Pro 10
Sorry if this is in the wrong topic, didn't know where to post....
I am a new Mac user and am loving my MacBook, but iPhoto isn't quite doing enough for me when it comes to working with and editing pictures. I've used Microsoft Digital Image Pro on my PC for the last few years, and REALLY like it, although of course they don't make it for Macs. Any ideas on a program that would be the equivalent for Macs? I don't want something as complicated as Photoshop, but a little more than iPhoto. Thanks!
Here's a tip for controlling iPhoto's red-eye tool. It also works with the Retouch tool:
* Type Caps lock + Control + 9
* Undo caps lock
* Click on Retouch or the Red-Eye Removal tool.
* The tab key will toggle between cursor types, a cross or a circle for Red-Eye removal tool and between darken and lighten in the Retouch tool.
* The "[" and "]" keys decrease or increase the size accordingly.
* To get a lighter pupil with the red-eye tool, Shift-Click inside the circular cursor.
NOTE: Using the "{" "}" keys will change the value next to the circle, and that represents the degree of change or intensity that the Retouch tool imparts on each pass.
Thanks to Old Toad for the above information.
I have found that in some situations where Elements absolutely refuses to correct the red-eye properly, I can get a better adjustment using iPhoto. But without the use of this secret mode, it is pretty much useless.
As far as iPhoto's capabilities, it is a really powerful image organizer with a few editing features for added convenience. What makes it better than other organizers is that it is not a file browser, it is a database application. Once you give the database some information, you can use that info to search and group your photos in almost infinite ways very quickly and easily. You can print your own cards, too. If you've had trouble with the 7 X 10 size you may benefit from Old Toad's tutorial. See his posts in this thread for an explanation and link: http://discussions.apple.com/thread.jspa?messageID=4605228
I agree with you that Elements can be complicated and overwhelming. It has so many features that it can be challenging trying to figure out which ones you need to correct your photo. When editing a group of photos I try to keep it simple: adjust the levels, lighten shadows (a must for many indoor shots), fix red-eye, crop. Plus, I do love the healing brush (band-aid tool) for removing the odd speck of anything that doesn't belong. My Elements experience was greatly improved after I bought and read a good book. You can get one that will tell you which features really work, which ones are more of a gimmick, and how to do the things you need to do most. If you can get through the learning curve, then the tools I listed really are quick and simple to use.
Good luck. -
Do you have to deal with a CA to get digital certificates?
Hi,
I'm investigating the use of digital certificates for communication
between our WLS internally. I would like to be able to generate my own
certificates and keys for our testing purposes. I'm under the impression
that the only way to do this is to deal with a Verisign or something like
that and to buy a license. Am I correct? Or is there another way to do
this?
Thanks,
L
Laurent Duperval <mailto:[email protected]>
I am the strongest! ... I am even stronger than I was a moment ago! ...
Well... to describe me, the word "strong" is no longer strong enough!
-Léonard le génie
thanks everyone, helped a lot, can't wait to buy one of these
-
Can't choose which digital certificate to sign outgoing email in Mail.app
I am posting this here as this post:
http://discussions.apple.com/message.jspa?messageID=5746197#5746197
was archived.
I just wanted to add that this is still an issue for us. We use three digital certificates inside our organization, one from Thawte, one from CAcert, and one from our in-house/private CA. All three work perfectly inside all applications that we use them in. There is one issue, which is that if the user clicks the icon on the far right side of their outgoing email to "sign" that email, there is no telling which certificate it will use. We want to use the one from Thawte for all outgoing email, but it ends up picking one of the other ones instead, and as far as I can tell there is no way to control or change this.
What I am requesting is that Mail.app ask me which certificate I want to use, either once, in preferences, or for each email, or something, as sending with the wrong one is really not workable.
I think 10.5.2 is a real step forward. Thanks for all the hardwork to make the improvements in it that we see.
Thanks so much.
Sjobeck
Somewhere online I found mention that you can assign the cert you don't want to use as untrusted and the one you do want to use as trusted. So in Keychain, double-click on your Thawte cert, click on the Trust arrow and change the "When using this certificate:" drop-down to "Always Trust". Do the opposite for your other certs.
This way you can still use your other certs for decrypting if anyone uses one to send to you. But you'll always use the trusted cert for signing/encrypting new messages.
I too wish there was a way to explicitly select the cert you want to use but till they allow that, this is the best way I've found to work around the issue. -
ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT
I've spent 2 days already trying to get 2 ASA 5505s to connect using an IPsec VPN tunnel. I cannot seem to figure out what I'm doing wrong. I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I'm trying to connect over a directly connected link on the outside interfaces, with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with, and currently without, NAT enabled. Here are the configs for both ASAs; the VPN config was done by ASDM, however I have also tried the command-line approach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
ASA 1 Config
ASA Version 8.3(2)
hostname VIC
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.97.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
boot system disk0:/asa832-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.97.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
ASA2 Config
ASA Version 8.3(2)
hostname QLD
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
object network SITEA
subnet 192.168.97.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 50.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 50.1.1.1 type ipsec-l2l
tunnel-group 50.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: end
Hello Mitchell,
Thank you for letting us know the resolution of this topic.
Please answer the question as answered so future users can learn from this topic.
Regards,
Julio -
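Reading the two configs posted above side by side is the whole diagnosis: the QLD config carries a transform set, a crypto map bound to outside, an ISAKMP policy, ISAKMP enabled on outside and a tunnel-group for 50.1.1.1, while the VIC config as posted has none of that, only the default SA lifetimes. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the crypto-relevant lines of an ASA 8.3-style config and reports, from each side's point of view, what an IKEv1 L2L tunnel to the other side is missing (ISAKMP enabled, a matching phase-1 policy, a crypto map entry for the peer bound to outside, a transform set the peer also defines, an existing match-address ACL, PFS set on both sides or neither, and the ipsec-l2l tunnel-group). The embedded excerpts are the crypto-relevant lines of the posted configs; the function names are mine.

```python
from __future__ import annotations

# Crypto-relevant excerpts of the two posted configs (VIC = 50.1.1.1,
# QLD = 50.1.1.2). The posted VIC config has no crypto lines at all.
VIC = """\
interface Vlan2
 nameif outside
 ip address 50.1.1.1 255.255.255.0
"""
QLD = """\
interface Vlan2
 nameif outside
 ip address 50.1.1.2 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 50.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 50.1.1.1 type ipsec-l2l
"""
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_asa(text: str) -> dict:
    """Extract what an IKEv1 L2L tunnel depends on. Bare attribute lines are
    credited to the latest 'crypto isakmp policy' (true for 8.3 configs like these)."""
    cfg = {"outside_ip": None, "isakmp_if": set(), "policies": [], "maps": {},
           "map_if": {}, "tunnel_groups": set(), "transform_sets": {}, "acls": {}}
    in_outside = False
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            in_outside = False
        elif w[:2] == ["nameif", "outside"]:
            in_outside = True
        elif in_outside and w[:2] == ["ip", "address"]:
            cfg["outside_ip"] = w[2]
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_if"].add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            cfg["policies"].append({})
        elif cfg["policies"] and len(w) == 2 and w[0] in POLICY_KEYS:
            cfg["policies"][-1][w[0]] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_if"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:  # 'match address X' or 'set <attr> X'
            entry = cfg["maps"].setdefault((w[2], int(w[3])), {})
            entry["acl" if w[4] == "match" else w[5]] = " ".join(w[6:])
        elif w[0] == "tunnel-group" and w[2] == "type":
            cfg["tunnel_groups"].add((w[1], w[3]))
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(" ".join(w[2:]))
    return cfg

def _phase1(policy: dict) -> tuple:
    return tuple(sorted((k, v) for k, v in policy.items() if k != "lifetime"))  # lifetime negotiates down

def audit_l2l(local: dict, remote: dict) -> list[str]:
    """Findings, from local's side, for the tunnel towards remote."""
    peer, f = remote["outside_ip"], []
    if "outside" not in local["isakmp_if"]:
        f.append("ISAKMP is not enabled on outside")
    if not local["policies"]:
        f.append("no ISAKMP policy configured")
    elif not {_phase1(p) for p in local["policies"]} & {_phase1(p) for p in remote["policies"]}:
        f.append("no ISAKMP policy matches a policy on the peer (lifetime excluded)")
    remote_pfs = [e.get("pfs") for e in remote["maps"].values() if e.get("peer") == local["outside_ip"]]
    entries = {k: e for k, e in local["maps"].items() if e.get("peer") == peer}
    if not entries:
        f.append(f"no crypto map entry with 'set peer {peer}'")
    for (name, seq), e in entries.items():
        tag = f"crypto map {name} {seq}"
        if local["map_if"].get(name) != "outside":
            f.append(f"{tag}: map {name} is not applied to outside")
        ts = e.get("transform-set")
        if ts not in local["transform_sets"]:
            f.append(f"{tag}: transform-set {ts} is not defined")
        elif local["transform_sets"][ts] not in remote["transform_sets"].values():
            f.append(f"{tag}: peer defines no transform-set {' '.join(local['transform_sets'][ts])}")
        if e.get("acl") not in local["acls"]:
            f.append(f"{tag}: match address ACL {e.get('acl')} does not exist")
        if remote_pfs and (e.get("pfs") is None) != (remote_pfs[0] is None):
            f.append(f"{tag}: PFS is set on only one side")
    if (peer, "ipsec-l2l") not in local["tunnel_groups"]:
        f.append(f"no 'tunnel-group {peer} type ipsec-l2l'")
    return f
```

audit_l2l(parse_asa(VIC), parse_asa(QLD)) lists four findings for VIC (ISAKMP not enabled, no policy, no crypto map entry for 50.1.1.2, no tunnel-group), and audit_l2l(parse_asa(QLD), parse_asa(VIC)) reports only that the peer has nothing to match, which is what "WILL NOT CONNECT" looks like from QLD's side. The ISAKMP comparison deliberately ignores lifetime, since the lower value is negotiated; everything else in the policy must match exactly. The PFS check is there because ASDM-generated maps carry "set pfs group1" and a hand-built peer map often does not.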
how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..
Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use a VPN Client connection instead of an L2L VPN connection with the new "outside" interface, then you will run into routing problems, as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if the VPN Client was used, since you DON'T KNOW where the VPN Clients are connecting to your ASA from)
Hope this helps
- Jouni -
Cannot establish site-site vpn tunnel through ASA 9.1(2)
Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards
>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (even if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing, ICMP echo
If you allowed full IP access between these two endpoints, that is more than enough.
When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
Can the two gateways ping each other?
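The reply above gives the transit requirements (UDP/500, UDP/4500, IP protocol 50) and the first thing to check on the in-path ASA: whether it actually builds the UDP/500 connection between the two gateways or denies it. The following is an added example, not from the thread or from Cisco: detection logic that runs over ASA syslog lines and reports, per required flow between two named peers, whether the ASA built it, denied it (and by which access-group), or never saw it. The sample lines are constructed in the format of message IDs 302015, 106023 and 106010; the two peer addresses are documentation-range placeholders and the function names are mine. ESP is only ever reported as denied or not seen here, because these three message IDs carry no "built" record for protocol 50.

```python
from __future__ import annotations
import re

# Constructed sample in the format of ASA syslog IDs 302015 (UDP connection
# built), 106023 (denied by an access-group) and 106010 (inbound protocol
# denied). 203.0.113.10 (dept firewall) and 198.51.100.20 (remote peer) are
# assumed documentation-range addresses, not addresses from the thread.
SAMPLE_LOG = """\
%ASA-6-302015: Built inbound UDP connection 1001 for outside:198.51.100.20/500 (198.51.100.20/500) to inside:203.0.113.10/500 (203.0.113.10/500)
%ASA-6-302015: Built outbound UDP connection 1002 for inside:203.0.113.10/500 (203.0.113.10/500) to outside:198.51.100.20/500 (198.51.100.20/500)
%ASA-4-106023: Deny udp src outside:198.51.100.20/4500 dst inside:203.0.113.10/4500 by access-group "outside_access_in" [0x0, 0x0]
%ASA-3-106010: Deny inbound protocol 50 src outside:198.51.100.20 dst inside:203.0.113.10
%ASA-6-302015: Built outbound UDP connection 1003 for inside:192.168.5.9/53 (192.168.5.9/53) to outside:8.8.8.8/53 (8.8.8.8/53)
"""

BUILT = re.compile(r"302015: Built (?:inbound|outbound) UDP connection \d+ for "
                   r"\S+:(\S+)/(\d+) \S+ to \S+:(\S+)/(\d+)")
DENY_ACL = re.compile(r'106023: Deny (\w+) src \S+:(\S+)/(\d+) dst \S+:(\S+)/(\d+) '
                      r'by access-group "([^"]+)"')
DENY_PROTO = re.compile(r"106010: Deny inbound protocol (\d+) src \S+:(\S+) dst \S+:(\S+)")
IKE_PORTS = ("500", "4500")


def ipsec_visibility(log: str, peer_a: str, peer_b: str) -> dict[str, str]:
    """For the three flows an IPsec tunnel needs between two peers, report
    whether the ASA built the connection, denied it, or never logged it.
    Direction is ignored (the pair of addresses is matched as a set). Once a
    flow has been seen built it stays 'built'; a later deny for the same
    flow is left for manual review rather than overriding it."""
    peers = {peer_a, peer_b}
    status = {"udp/500": "not seen", "udp/4500": "not seen", "esp": "not seen"}
    for line in log.splitlines():
        if m := BUILT.search(line):
            src, _sport, dst, dport = m.groups()
            if {src, dst} == peers and dport in IKE_PORTS:
                status[f"udp/{dport}"] = "built"
        elif m := DENY_ACL.search(line):
            proto, src, _sport, dst, dport, acl = m.groups()
            if {src, dst} == peers and proto.lower() == "udp" and dport in IKE_PORTS:
                if status[f"udp/{dport}"] != "built":
                    status[f"udp/{dport}"] = f"denied by {acl}"
        elif m := DENY_PROTO.search(line):
            proto, src, dst = m.groups()
            if {src, dst} == peers and proto == "50":
                status["esp"] = "denied"
    return status


def blocked_flows(status: dict[str, str]) -> list[str]:
    """The flows the in-path firewall still has to open."""
    return [flow for flow, state in status.items() if state.startswith("denied")]
```

On the sample, ipsec_visibility(SAMPLE_LOG, "203.0.113.10", "198.51.100.20") shows UDP/500 built, UDP/4500 denied by outside_access_in and ESP denied, so blocked_flows() returns ["udp/4500", "esp"]: IKE phase 1 would complete but no traffic could ever flow, which matches a tunnel that "fails to establish" from the department's point of view even though the peers can reach each other on UDP/500. A "not seen" on all three for the real peers, by contrast, means the ASA never saw the attempt and the problem is upstream of it.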