ASA5505 RA VPN problem
Hi!
I have my ASA configured for 2 site-to-site VPNs and one Remote Access VPN (L2TP).
It used to work fine before, but now it stopped working at all.
Phase 1 shows a config mismatch with the DH group, I think - the log says configured unknown - expected group 2 or something like this.
But this issue arose now when I tried to make the RAVPN work again.
The main issue when it was working was that despite the proper tunnel network list configuration I only had access to the tunnel and did not have access to the local internet when connected.
I am learning and configuring my ASA from documentation found on the internet, so I am no professional.
Any support would be very appreciated.
My config below:
: Saved
ASA Version 9.1(3)
hostname ciscoasa
domain-name BETONOWA.local
enable password XXX encrypted
passwd XXX encrypted
names
ip local pool VPN_RA_POOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
dhcprelay server 192.168.1.10
interface Vlan2
nameif outside
security-level 0
ip address B.B.B.B 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.10
name-server 8.8.8.8
name-server 8.8.4.4
domain-name BETONOWA.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network BETONOWA-DC
host 192.168.1.10
object network BETONOWA-SQL
host 192.168.1.15
object network EXCH-MBX
host 192.168.1.20
object network IIS_https
host 192.168.1.30
object network RenBetPBX
host 192.168.1.2
object network SQL
host 192.168.1.11
object network XEROX
host 192.168.1.3
object network RBSTORE
host 192.168.1.6
object network IIS_smtp
host 192.168.1.30
object network SQL_MateuszServer
host 192.168.1.11
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.192_27
subnet 192.168.1.192 255.255.255.224
object network igolomska-network
subnet 192.168.0.0 255.255.255.0
object network IIS
host 192.168.1.30
object network DC
host 192.168.1.10
object service RDP
service tcp source eq 23456 destination eq 3389
object network VirtualPC-rdp
host 192.168.1.40
object network mlhome-network
subnet 192.168.2.0 255.255.255.0
object network CUE-network
subnet 10.1.10.0 255.255.255.0
object network VOIP-network
subnet 10.1.1.0 255.255.255.0
object network CUE
host 10.1.10.2
object network PBXDATA-network
subnet 192.168.10.0 255.255.255.0
object network VirtualPC
host 192.168.1.40
object network KAM_PTZ
host 192.168.1.81
description Kamera PTZ
object network KAM_PTZ_http
host 192.168.1.81
object network KAM_HALA_PRZOD
host 192.168.1.72
object network KAM_HALA_PRZOD_http
host 192.168.1.72
object network KAM_HALA_CNC
host 192.168.1.74
object network KAM_HALA_CNC_http
host 192.168.1.74
object network vCMA_https
host 192.168.1.17
object network AUTOSAT
host 192.168.1.15
description AUTOSAT_TCP
object network kamwaga1
host 192.168.1.83
object network kamwaga2
host 192.168.1.84
object network kamarcen1
host 192.168.1.76
object network kamarcen1http
host 192.168.1.76
object network kamarcen2
host 192.168.1.79
object network kamarcen2http
host 192.168.1.79
object network kamwaga2http
host 192.168.1.84
object network kamwagahttp
host 192.168.1.83
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq 8080
port-object eq 8081
port-object eq 6881
port-object eq ftp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp destination eq domain
service-object udp destination eq ntp
access-list outside_access_in extended permit tcp any object RBSTORE object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2 log disable
access-list outside_access_in extended permit tcp any host 192.168.1.30 eq smtp
access-list outside_access_in extended permit tcp any object VirtualPC eq 3389
access-list outside_access_in extended permit tcp any object SQL eq 13000
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object NETWORK_OBJ_192.168.1.0_24
access-list outside_access_in extended permit tcp any object KAM_PTZ eq www
access-list outside_access_in extended permit tcp any object KAM_HALA_PRZOD eq www
access-list outside_access_in extended permit tcp any object KAM_HALA_CNC eq www
access-list outside_access_in extended permit tcp any object BETONOWA-SQL eq 8112
access-list outside_access_in extended permit ip any object kamwaga2
access-list outside_access_in extended permit ip any object kamwaga1
access-list outside_access_in extended permit ip any object kamarcen1
access-list outside_access_in extended permit ip any object kamarcen2
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 object mlhome-network
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 8000
logging console informational
logging monitor informational
logging buffered informational
logging history informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static igolomska-network igolomska-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mlhome-network mlhome-network no-proxy-arp route-lookup
nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static CUE-network CUE-network
nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static VOIP-network VOIP-network
nat (inside,outside) source static CUE-network CUE-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static VOIP-network VOIP-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network IIS_https
nat (inside,outside) static interface service tcp https https
object network RBSTORE
nat (any,any) static B.B.B.C
object network IIS_smtp
nat (any,outside) static interface service tcp smtp smtp
object network SQL_MateuszServer
nat (any,outside) static interface service tcp 13000 13000
object network VirtualPC-rdp
nat (inside,outside) static interface service tcp 3389 3389
object network KAM_PTZ_http
nat (any,outside) static interface service tcp www 8011
object network KAM_HALA_PRZOD_http
nat (any,outside) static interface service tcp www 8012
object network KAM_HALA_CNC_http
nat (any,outside) static interface service tcp www 8013
object network vCMA_https
nat (any,any) static B.B.B.B service tcp https https
object network AUTOSAT
nat (any,outside) static interface service tcp 8112 8112
object network kamarcen1http
nat (any,outside) static interface service tcp www 8016
object network kamarcen2http
nat (any,outside) static interface service tcp www 8017
object network kamwaga2http
nat (any,outside) static interface service tcp www 8015
object network kamwagahttp
nat (any,outside) static interface service tcp www 8014
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
route inside 10.1.1.0 255.255.255.0 A.A.A.A 1
route inside 10.1.10.0 255.255.255.0 A.A.A.A 1
route inside 192.168.10.0 255.255.255.0 A.A.A.A 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server BETONOWA-DC protocol radius
aaa-server BETONOWA-DC (inside) host BETONOWA-DC
key *****
radius-common-pw *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 212.91.B.B
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 84.10.A.A
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
ntp server 192.168.1.10 source inside prefer
webvpn
anyconnect-essentials
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.10 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value BETONOWA.local
group-policy GroupPolicy_212.91.Y.Y internal
group-policy GroupPolicy_212.91.Y.Y attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_84.10.X.X internal
group-policy GroupPolicy_84.10.X.X attributes
vpn-tunnel-protocol ikev1 ikev2
username root password FYt1qT0x6RrulpSE encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_RA_POOL
authentication-server-group BETONOWA-DC
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group 212.91.Y.Y type ipsec-l2l
tunnel-group 212.91.Y.Y general-attributes
default-group-policy GroupPolicy_212.91.Y.Y
tunnel-group 212.91.Y.Y ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 3
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 84.10.X.X type ipsec-l2l
tunnel-group 84.10.X.X general-attributes
default-group-policy GroupPolicy_84.10.X.X
tunnel-group 84.10.A.A ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map dynamic-filter-snoop
inspect icmp
policy-map type inspect esmtp tls-allow
parameters
no mask-banner
allow-tls
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:e67cf29f1b63c6d550ce9333fe3f30d5
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable
The solution was the following for one IP!
object network x.x.x.x (inside IP)
host x.x.x.x (inside IP)
nat (inside,outside) static y.y.y.y (remote IP)
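For the Phase 1 DH-group mismatch mentioned in the question above, one way to see which `crypto ikev1 policy` stanza a peer's offer can match is to compare the offer attribute by attribute. This is an added example, not code from the original thread; the function names and both peer proposals are constructed, the config excerpt keeps three of the posted policies, and lifetime is not compared.

```python
import re

# Excerpt in the flattened form used in the post (sub-commands not indented);
# only three of the fifteen posted policies are kept.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
"""

FIELDS = ("authentication", "encryption", "hash", "group")
STANZA_KEYS = FIELDS + ("lifetime",)
HEADER = re.compile(r"^crypto ikev1 policy (\d+)$")


def parse_ikev1_policies(text):
    """Return {priority: {keyword: value}} for each 'crypto ikev1 policy' stanza."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in STANZA_KEYS:
            current[parts[0]] = parts[1]
        else:
            current = None  # any other line ends the stanza
    return policies


def match_proposal(policies, proposal):
    """Try policies in priority order, as the responder does.

    Returns (matching priority or None, {priority: [fields that differed]})
    where the dict covers every policy tried before a match was found.
    """
    mismatches = {}
    for prio in sorted(policies):
        diff = [f for f in FIELDS if policies[prio].get(f) != proposal.get(f)]
        if not diff:
            return prio, mismatches
        mismatches[prio] = diff
    return None, mismatches


def blocking_fields(mismatches):
    """Fields that differed in every policy tried: no stanza can match until these change."""
    if not mismatches:
        return []
    common = set(FIELDS)
    for diff in mismatches.values():
        common &= set(diff)
    return [f for f in FIELDS if f in common]


# Constructed peer offers (assumptions, not taken from the thread).
OFFER_GROUP2 = {"authentication": "pre-share", "encryption": "3des",
                "hash": "sha", "group": "2"}
OFFER_GROUP14 = {"authentication": "pre-share", "encryption": "aes-256",
                 "hash": "sha", "group": "14"}

if __name__ == "__main__":
    pols = parse_ikev1_policies(SAMPLE_CONFIG)
    for name, offer in (("group 2 offer", OFFER_GROUP2), ("group 14 offer", OFFER_GROUP14)):
        hit, misses = match_proposal(pols, offer)
        print(name, "-> policy", hit, "| blocking:", blocking_fields(misses) if hit is None else [])
```
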
Similar Messages
-
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have a problem with the VPN between an ASA5505 Easy VPN Server and an 881G Router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
The VPN works correctly when I replace the ASA5505 with an ASA5510 which has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
Can you help me, how can I debug or troubleshoot this problem?
I am unable to update software on the ASA5505 side.
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUP type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable
-
With the new KitKat update (20.1.A.0.47) trying to open VPN from Settings, the Settings app crashes and restarts. Due to that, in Security, the None and Swipe lockscreen options are disabled, leaving PIN, Password, and Pattern the only options. Why is that / is it ever gonna be fixed?
Oh and it didn't happen on 4.3... Now, when music is playing in Walkman, pressing the Walkman button and shaking the phone as I did on JB will pause the song, as if I didn't shake the phone. On Jelly Bean, this feature worked. This should get fixed too.
Hi guys, Sony seems to have solved the problem in an update in... India. I only found that and have not tested it yet: http://www.xperiablog.net/2015/05/22/small-update-rolling-for-xperia-e1-20-1-a-2-19-and-e1-dual-20-1-b-2-29/ It solves the lockscreen and VPN problem. Test and say if it works or not. I hope they will release a European version soon.
-
VPN problem behind ASA5505 -regular translation creation failed for protocol 50
Dear All,
I have to connect from behind my ASA5505 with a VPN client to another site.
The first time I got this failure.
"Deny protocol 50 src inside:192.168.50.X dst outside:x.x.x.x by access-group "acl_in" [0x0, 0x0]"
Then I opened for our inside (src 192.168.50.0) network the UDP 500,4500 TCP 500,4500,10000 and ESP (dest x.x.x.x remote firewall ip).
access-list acl_in extended permit esp host 192.168.50.0 host x.x.x.x
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 500
access-list acl_in extended permit udp host 192.168.50.0 host x.x.x.x eq 4500
etc.
After that I could connect to the remote firewall with the VPN client, but I couldn't reach any PCs on their side and ping gives back no answer.
Deny protocol 50 was solved but I got another problem:
"regular translation creation failed for protocol 50 src inside:192.168.50.X dst outside:x.x.x.x"
I found somewhere that these lines can help:
crypto isakmp nat-traversal
inspect ipsec-pass-thru
But this wasn't useful.
I tried many things but I'm stuck.
Could somebody help me with what I can do to solve this problem?
Thanks for all answers!
The solution was the following for one IP!
object network x.x.x.x (inside IP)
host x.x.x.x (inside IP)
nat (inside,outside) static y.y.y.y (remote IP)
-
ASA5505 - SG300 VPN site2site problem
Hello,
I have a problem with a site2site VPN between a SG300 and an ASA5505. On the SG300 we have two internal connected networks, the second one is an alias. The VPN goes up and works correctly for hours or even for days. Then I don't know why, for some reason, the VPN is up but works only for one of the two networks. When the users try to connect I get this error on the ASA: ASA-7-710006: ESP request discarded from SG300PubblicInterface to outside:ASAPubblicInterface. To solve this problem I have to restart the VPN or make a ping from the ASA's LAN to the SG's LAN that isn't working. We have other VPNs on both firewalls that work correctly. ASA's Software Version is 8.0(3). I saw that I'm not the only one having this problem but nobody found the right answer...
Hi Vinay,
As per your below config
crypto map vpnmap 10 match address vpnfr
crypto map vpnmap 10 set peer 193.242.9.126
crypto map vpnmap 10 set transform-set myvpn
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap 30 match address vpnsing
crypto map vpnmap 30 set peer 203.126.186.226
crypto map vpnmap 30 set transform-set myvpn2
crypto map vpnmap 40 match address vpnbl
crypto map vpnmap 40 set peer 61.8.153.122
crypto map vpnmap 40 set transform-set myvpn2
crypto map vpnmap 50 match address vpnde
crypto map vpnmap 50 set peer 61.8.129.170
crypto map vpnmap 50 set transform-set myvpn2
crypto map vpnmap interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 193.242.9.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
vpnmap is your original crypto map; if this is the crypto map, it's applied to the outside interface, which is correct.
Now if you have added a new crypto map, say "outside_map", it's not going to work, as we can only apply one crypto map per interface. I don't see any redundant ISP in the config, so I suppose the crypto map "outside_map" might be the newly added crypto map. If that is true, please try the config changes below and let me know if it helps.
=============================================================
crypto map vpnmap 60 match address outside_1_cryptomap <<<<
crypto map vpnmap 60 set pfs <<<<<<<<<<<<<<<<<<<<<<<<<
crypto map vpnmap 60 set peer 193.242.9.126
crypto map vpnmap 60 set transform-set ESP-3DES-SHA
===============================================================
Make sure the crypto ACL "outside_1_cryptomap" is mirrored on the remote end and that you also have PFS enabled on the remote end.
Thanks
Rohan
-
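The one-crypto-map-per-interface point in the reply above can be checked mechanically: find crypto map sets that have entries but are never bound to an interface, and renumber their entries into the bound set. This is an added example, not code from the thread; the function names and the step-of-10 numbering are assumptions, and the sample lines are copied from the config quoted in the reply.

```python
import re
from collections import defaultdict

# Crypto map lines as quoted in the reply above.
SAMPLE_CONFIG = """\
crypto map vpnmap 10 match address vpnfr
crypto map vpnmap 10 set peer 193.242.9.126
crypto map vpnmap 10 set transform-set myvpn
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap 30 match address vpnsing
crypto map vpnmap 30 set peer 203.126.186.226
crypto map vpnmap 30 set transform-set myvpn2
crypto map vpnmap 40 match address vpnbl
crypto map vpnmap 40 set peer 61.8.153.122
crypto map vpnmap 40 set transform-set myvpn2
crypto map vpnmap 50 match address vpnde
crypto map vpnmap 50 set peer 61.8.129.170
crypto map vpnmap 50 set transform-set myvpn2
crypto map vpnmap interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 193.242.9.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(text):
    """Return (entries, bindings).

    entries:  {map_name: {sequence: [rest of each command line]}}
    bindings: {interface: map_name}
    """
    entries = defaultdict(lambda: defaultdict(list))
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        bind = BIND.match(line)
        if bind:
            # One map set per interface: keep the last one seen.
            bindings[bind.group(2)] = bind.group(1)
            continue
        entry = ENTRY.match(line)
        if entry:
            entries[entry.group(1)][int(entry.group(2))].append(entry.group(3))
    return entries, bindings


def unbound_maps(entries, bindings):
    """Map sets that have entries but are not applied to any interface."""
    bound = set(bindings.values())
    return sorted(name for name in entries if name not in bound)


def merge_plan(entries, bindings, interface, step=10):
    """Rewrite every unbound entry as a new sequence of the map bound to `interface`."""
    target = bindings[interface]
    used = entries[target] if target in entries else {}
    next_seq = (max(used, default=0) // step + 1) * step
    plan = []
    for name in unbound_maps(entries, bindings):
        for seq in sorted(entries[name]):
            for rest in entries[name][seq]:
                plan.append(f"crypto map {target} {next_seq} {rest}")
            next_seq += step
    return plan


if __name__ == "__main__":
    ents, binds = parse_crypto_maps(SAMPLE_CONFIG)
    print("bound:", binds)
    print("never applied:", unbound_maps(ents, binds))
    print("\n".join(merge_plan(ents, binds, "outside")))
```
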
Remote Access VPN Problem with ASA 5505
After about ~1 year of having the Cisco VPN Client connecting to an ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
Here is the running cfg of the ASA
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
And here are the logs from the Cisco VPN Client when it browses, then fails to browse the network behind the ASA:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 09:44:55.693 10/01/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
4 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100002
Begin connection process
5 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100004
Establish secure connection
6 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
7 09:45:02.802 10/01/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
8 09:45:02.818 10/01/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
9 09:45:02.865 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
10 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
11 09:45:02.896 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
12 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 09:45:02.927 10/01/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
18 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
19 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 10/01/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
21 09:45:02.927 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 09:45:02.943 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 09:45:02.943 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 09:45:02.943 10/01/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 09:45:03.037 10/01/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
26 09:45:03.037 10/01/13 Sev=Info/4 CM/0x63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
28 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
29 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
31 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
32 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
33 09:45:03.083 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
35 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
36 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
37 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
38 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
39 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
41 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
42 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
43 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
45 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
46 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
47 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
49 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
50 09:45:03.146 10/01/13 Sev=Info/4 CM/0x63100019
Mode Config data received
51 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
52 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
53 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
54 09:45:03.177 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
55 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
56 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
57 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
58 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
59 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
60 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
61 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
62 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
63 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 10/01/13 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
66 09:45:03.896 10/01/13 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
67 09:45:03.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 10/01/13 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
69 09:45:07.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**.**.***.*** 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 10/01/13 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
71 09:45:07.912 10/01/13 Sev=Info/4 CM/0x6310001A
One secure connection established
72 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 96.11.251.149. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 10/01/13 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
75 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
76 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
77 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list
78 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
79 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list
80 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
81 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
83 09:45:13.459 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
84 09:45:13.459 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205276
85 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
86 09:45:13.474 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
87 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
88 09:45:15.959 10/01/13 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
90 09:46:00.947 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205277
91 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
92 09:46:01.529 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
93 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
94 09:46:11.952 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
95 09:46:11.952 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205278
96 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
97 09:46:11.979 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
98 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
Any help would be appreciated, thanks!
I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
Here is the route print off of the computer behind the (test) client:
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
69.61.228.178 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 On-link 96.11.251.149 261
96.11.251.149 255.255.255.255 On-link 96.11.251.149 261
96.11.251.255 255.255.255.255 On-link 96.11.251.149 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 261
192.168.1.3 255.255.255.255 On-link 192.168.1.3 261
192.168.1.255 255.255.255.255 On-link 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.3.1 192.168.3.70 100
192.168.3.0 255.255.255.0 On-link 192.168.3.70 261
192.168.3.70 255.255.255.255 On-link 192.168.3.70 261
192.168.3.255 255.255.255.255 On-link 192.168.3.70 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 261
224.0.0.0 240.0.0.0 On-link 96.11.251.149 261
224.0.0.0 240.0.0.0 On-link 192.168.3.70 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 261
255.255.255.255 255.255.255.255 On-link 96.11.251.149 261
255.255.255.255 255.255.255.255 On-link 192.168.3.70 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 96.11.251.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 1020 ::/0 2002:c058:6301::c058:6301
14 1020 ::/0 2002:c058:6301::1
1 306 ::1/128 On-link
14 1005 2002::/16 On-link
14 261 2002:600b:fb95::600b:fb95/128
On-link
15 261 fe80::/64 On-link
10 261 fe80::/64 On-link
21 261 fe80::/64 On-link
10 261 fe80::64ae:bae7:3dc0:c8c4/128
On-link
21 261 fe80::e9f7:e24:3147:bd/128
On-link
15 261 fe80::f116:2dfd:1771:125a/128
On-link
1 306 ff00::/8 On-link
15 261 ff00::/8 On-link
10 261 ff00::/8 On-link
21 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
And here is the updated running config in case you need it:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Split_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Split_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Thanks again for your help,
Matthew -
5505 Strange vpn problem I can only connect if the pc has a WAN IP address
I have an ASA5505. If an outside computer has a WAN IP address it will see the computers on the network. If the computer is behind a router (any router) it will connect fine but will not see any computers on the network. All computers in the VPN are on a 10.1.1.0 network and the connecting computers are on a 192.168.1.0 network. All subnet masks are 255.255.255.0. Thanks in advance.
Add the following command to your ASA.
crypto isakmp nat-traversal
In ASDM, it would be located as a checkbox "Enable NAT-T" located under config -> vpn -> ipsec -> ipsec rules -> select the dynamic entry -> Tunnel Policy advanced tab -> enable nat-t
This will allow users behind pat devices to use nat-t and should solve your problem.
Please rate if it helps. -
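The detection step that NAT-T relies on, as an added example that is not part of the original reply. It goes beyond the one-line command and shows how IKE peers notice a PAT device through the NAT-D hashes of RFC 3947, after which IKE and ESP move to UDP 4500. The addresses, cookies and function names are constructed for illustration.

```python
"""NAT detection as performed by IKEv1 NAT-Traversal (RFC 3947 NAT-D payloads)."""
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")   # initiator cookie
CKY_R = bytes.fromhex("1112131415161718")   # responder cookie
ASA_PUBLIC = ("198.51.100.10", 500)


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """HASH(CKY-I | CKY-R | IP | Port), using the hash negotiated in phase 1."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed   # 4 bytes for IPv4, 16 for IPv6
            + struct.pack("!H", port))          # port in network byte order
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, dst, sources, hash_name="sha1"):
    """Payloads a peer sends: first the destination it sends to,
    then every source address/port it may be sending from."""
    first = nat_d_hash(cky_i, cky_r, dst[0], dst[1], hash_name)
    rest = [nat_d_hash(cky_i, cky_r, ip, port, hash_name) for ip, port in sources]
    return [first] + rest


def detect_nat(cky_i, cky_r, payloads, seen_src, local_addr, hash_name="sha1"):
    """Receiver-side check.

    seen_src   -- source IP/port in the header of the packet as it arrived
    local_addr -- IP/port the receiver itself is listening on
    """
    local_hash = nat_d_hash(cky_i, cky_r, local_addr[0], local_addr[1], hash_name)
    seen_hash = nat_d_hash(cky_i, cky_r, seen_src[0], seen_src[1], hash_name)
    return {
        # The sender hashed the address it believes it is talking to.
        "local_behind_nat": payloads[0] != local_hash,
        # The sender hashed its own address; a PAT device rewrote the header.
        "peer_behind_nat": seen_hash not in payloads[1:],
    }


def scenario(client_src, seen_src, asa_public=ASA_PUBLIC, asa_local=ASA_PUBLIC):
    """Client sends NAT-D payloads; the ASA evaluates them."""
    payloads = build_nat_d(CKY_I, CKY_R, asa_public, [client_src])
    result = detect_nat(CKY_I, CKY_R, payloads, seen_src, asa_local)
    nat = result["local_behind_nat"] or result["peer_behind_nat"]
    # With a NAT on the path both peers float to UDP 4500 and wrap ESP in UDP,
    # which gives the PAT device port numbers to translate.
    result["ike_port"] = 4500 if nat else 500
    result["esp_carried_as"] = "UDP/4500 encapsulation" if nat else "IP protocol 50"
    return result


if __name__ == "__main__":
    # PC with its own WAN address: header source equals what the client hashed.
    print("direct:    ", scenario(("203.0.113.20", 500), ("203.0.113.20", 500)))
    # PC on 192.168.1.0/24 behind a home router that rewrites address and port.
    print("behind PAT:", scenario(("192.168.1.50", 500), ("203.0.113.7", 1024)))
```

Without NAT-T enabled on the ASA the second case still completes IKE over UDP 500, but the ESP packets that follow have no ports for the home router to track, which matches the "connects but sees nothing" symptom in the question.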
ASA5505 L2L VPN does not function after move and reconfiguration
I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendor security appliances. The one in question that moved to a new IP address checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output with some show commands.
ASA Version 8.4(4)
hostname RitterBars
names
name 67.231.37.42 RitterLAB-ASA
name 67.231.37.45 RitterLAB-LB-WAN1
name 64.233.131.94 RitterLAB-LB-WAN3
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
description Port 7 on 9108
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan2
nameif CoreNetwork
security-level 0
ip address 172.20.10.22 255.255.255.128
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.85.0
subnet 192.168.85.0 255.255.255.0
object network obj-10.200.1.0
subnet 10.200.1.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.1.2
host 192.168.1.2
object service obj-tcp-source-eq-22
service tcp source eq ssh
object service obj-tcp-source-eq-5922
service tcp source eq 5922
object network obj-192.168.1.10
host 192.168.1.10
object service obj-tcp-source-eq-5125
service tcp source eq 5125
object service obj-tcp-source-eq-80
service tcp source eq www
object network obj-192.168.1.119
host 192.168.1.119
object service obj-udp-source-eq-69
service udp source eq tftp
object network obj-192.168.1.51
host 192.168.1.51
object service obj-tcp-source-eq-443
service tcp source eq https
object service obj-tcp-source-eq-5980
service tcp source eq 5980
object network obj-192.168.1.114
host 192.168.1.114
object network obj-96.43.39.27
host 96.43.39.27
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object-group network Inside
network-object 192.168.1.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
access-list out2in extended permit tcp any host 192.168.1.10 eq www
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
access-list out2in extended permit udp any host 192.168.1.119 eq tftp
access-list out2in extended permit tcp any host 192.168.1.51 eq https
access-list out2in extended permit icmp any any
pager lines 24
logging console alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CoreNetwork 1500
ip local pool vpn-pool 192.168.9.10-192.168.9.250
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
nat (inside,outside) source dynamic Inside interface
nat (inside,outside) after-auto source dynamic any interface
access-group out2in in interface outside
route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map samap 1 match address VPN2LAB
crypto map samap 1 set peer RitterLAB-ASA
crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map samap 2 match address Barracudalab
crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map samap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 64.233.128.10 64.233.128.11
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.187.233.4 source outside
ntp server 64.99.80.30 source outside
webvpn
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
tunnel-group 67.231.37.42 type ipsec-l2l
tunnel-group 67.231.37.42 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 67.231.37.45 type ipsec-l2l
tunnel-group 67.231.37.45 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 64.233.131.94 type ipsec-l2l
tunnel-group 64.233.131.94 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect ip-options
inspect tftp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
: end
RitterBars# sh isa sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 67.231.37.45
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 67.231.37.42
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
RitterBars# sh ipsec sa
interface: outside
Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
current_peer: 67.231.37.42
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6F98A015
current inbound spi : 6DD466F0
inbound esp sas:
spi: 0x6DD466F0 (1842636528)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4374000/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6F98A015 (1872273429)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4373999/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 67.231.37.45
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 51AF17EA
current inbound spi : 859BC586
inbound esp sas:
spi: 0x859BC586 (2241578374)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x51AF17EA (1370429418)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
RitterBars# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
translate_hits = 18, untranslate_hits = 0
3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
translate_hits = 0, untranslate_hits = 9094
7 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
translate_hits = 0, untranslate_hits = 126
8 (inside) to (outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
translate_hits = 0, untranslate_hits = 0
9 (inside) to (outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
translate_hits = 0, untranslate_hits = 195
10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27
translate_hits = 0, untranslate_hits = 0
11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-216.163.29.244 obj-216.163.29.244
translate_hits = 107, untranslate_hits = 0
12 (inside) to (outside) source dynamic Inside interface
translate_hits = 35387, untranslate_hits = 2940
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 291, untranslate_hits = 78
I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so, I decided to put that up front.
Anyways, had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband Moca -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
It was genius, add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local Moca. And then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
So then I spent about two hours turning ports on and off and such, finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD but ah well. I'll upgrade one of these days to an 851 or 871.
Here's what the access lists should look like in IOS:
permit tcp any host (your external IP address) established
permit udp any host (your external IP address) eq 21310
Probably is going to be a little bit different since you have an ASA but I think you get the idea. -
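A way to read the `sh ipsec sa` counters posted in the "ASA5505 L2L VPN does not function after move and reconfiguration" thread above, as an added example that is not part of any post. The sample text is an excerpt of that output; the class, function names and the hint wording are this example's own, and the hints are common troubleshooting readings rather than a diagnosis from the thread.

```python
"""Triage of `show crypto ipsec sa` output by encaps/decaps counters."""
import ipaddress
import re
from dataclasses import dataclass

# Excerpt of the output posted in the thread (SA detail lines omitted).
SAMPLE = """\
interface: outside
Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
current_peer: 67.231.37.42
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 67.231.37.45
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

HINTS = {
    "bidirectional": "traffic is encrypted and decrypted; the tunnel carries data",
    "tx-only": "local side encrypts but nothing from the peer is decrypted: check "
               "the peer's crypto ACL, NAT exemption and return route, and that "
               "ESP or UDP 4500 from the peer reaches this address",
    "rx-only": "peer traffic arrives but replies never match the crypto map: "
               "check local NAT exemption and inside routing",
    "idle": "SA is negotiated but no traffic has matched this crypto ACL yet",
}


@dataclass
class SaEntry:
    crypto_map: str
    seq: int
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0

    @property
    def verdict(self):
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.encaps:
            return "tx-only"
        if self.decaps:
            return "rx-only"
        return "idle"


def _ident(value):
    """'(192.168.1.0/255.255.255.0/0/0)' -> '192.168.1.0/24'."""
    addr, mask = value.strip("()").split("/")[:2]
    return str(ipaddress.ip_network(f"{addr}/{mask}"))


def parse_ipsec_sa(text):
    """Return one SaEntry per 'Crypto map tag' section; indentation is ignored."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"Crypto map tag: (\S+), seq num: (\d+)", line)):
            cur = SaEntry(m.group(1), int(m.group(2)))
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first section
        elif (m := re.match(r"(local|remote) ident \(addr/mask/prot/port\): (\S+)", line)):
            setattr(cur, f"{m.group(1)}_ident", _ident(m.group(2)))
        elif (m := re.match(r"current_peer: (\S+)", line)):
            cur.peer = m.group(1)
        elif (m := re.match(r"#pkts (encaps|decaps): (\d+)", line)):
            setattr(cur, m.group(1), int(m.group(2)))
    return entries


def triage(text):
    """(peer, remote network, verdict) for every SA pair in the output."""
    return [(e.peer, e.remote_ident, e.verdict) for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for peer, remote, verdict in triage(SAMPLE):
        print(f"{peer:15} {remote:18} {verdict:13} {HINTS[verdict]}")
```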
Cisco jabber for mac over fortigate vpn problem
Hi all,
We have installed Cisco Jabber for Mac successfully. The Jabber client is able to register locally successfully.
Calling and other features are working properly. Jabber IM is also working fine.
But when we try over VPN it shows the error "services are missing". All the ports are open on the Fortigate firewall.
If you have detailed diagnostics from the Jabber Mac client, this would provide some more context to why it's displaying those errors. (Help > Detailed Logging enabled) (Help > Report a problem)
Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in. If Jabber cannot resolve the DNS name, it will not know where to connect to.
If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer. -
Site-To_Site VPN problem
Hello everyone
I'm installing a new site-to-site VPN connection between two sites, having problems bringing the tunnel online.
We have two ASA 5505 firewalls - one at our Central site, and another for our customer at the Remote site.
I wiped both firewalls with write erase, installed the latest IOS version 9.2 on both firewalls.
I'm not sure if the new IOS is causing the problem, we have several site-to-site vpn’s all working with IOS 8.4 5
I'm enclosing the configs for both ASA firewalls for you to review and see if I missed something or what's changed in the IOS that maybe causing our tunnel issue.
Thank you
Central site
packet-tracer input inside tcp 10.10.1.100 12345 10.4.1.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.4.1.100/80 to 10.4.1.100/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
Static translate 10.10.1.100/12345 to 10.10.1.100/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 817, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Remote site
packet-tracer input inside tcp 10.4.1.100 12345 10.10.1.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.1.100/80 to 10.10.1.100/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
Static translate 10.4.1.100/12345 to 10.4.1.100/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 774, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
After running the command we see both firewalls have the same pre shared key -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs, please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
On the router I have also added:
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my ACL:
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site. -
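An added example, not part of the original posts: a Python check run over the router ACL lines exactly as posted above. IOS evaluates ACL entries top-down and stops at the first match, so the script reports `ip` entries that an earlier entry in the same ACL fully covers, and wildcard masks that do not describe a subnet. All function names are this example's own.

```python
import ipaddress
import re
from collections import namedtuple

# ACL entries copied from the post above (router ACL 110 in the order posted,
# plus the single ACL 101 line the poster added).
POSTED_ACL = """\
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
"""

ALL = 0xFFFFFFFF
Spec = namedtuple("Spec", "addr wild")            # wild bits set = "don't care"
Entry = namedtuple("Entry", "lineno acl action src dst")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return Spec(0, ALL)
    if head == "host":
        return Spec(_ip(head := tokens.pop(0)), 0)
    wild = _ip(tokens.pop(0))
    return Spec(_ip(head) & ~wild & ALL, wild)     # wildcard bits are ignored


def parse_acl(text):
    """Return the 'ip' entries of numbered extended ACLs; other lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line.strip())
        if not m:
            continue
        tokens = m.group(3).split()
        src = _take_spec(tokens)
        dst = _take_spec(tokens)
        entries.append(Entry(lineno, m.group(1), m.group(2), src, dst))
    return entries


def covers(a, b):
    """True when every address matched by spec b is also matched by spec a."""
    care = ~a.wild & ALL
    return (b.wild & care) == 0 and ((a.addr ^ b.addr) & care) == 0


def find_shadowed(entries):
    """(later, earlier) pairs where 'earlier' matches everything 'later' could."""
    hits = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (earlier.acl == later.acl and covers(earlier.src, later.src)
                    and covers(earlier.dst, later.dst)):
                hits.append((later, earlier))
                break
    return hits


def find_noncontiguous(entries):
    """(entry, side) pairs whose wildcard is not a run of low-order one bits."""
    return [(e, side) for e in entries for side in ("src", "dst")
            if getattr(e, side).wild & (getattr(e, side).wild + 1)]


def matched_hosts(spec, limit=8):
    """List the addresses a spec matches (only for up to `limit` free bits)."""
    bits = [1 << i for i in range(32) if (spec.wild >> i) & 1]
    if len(bits) > limit:
        raise ValueError("too many addresses to list")
    hosts = [spec.addr]
    for bit in bits:
        hosts += [h | bit for h in hosts]
    return [str(ipaddress.IPv4Address(h)) for h in sorted(hosts)]


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    for later, earlier in find_shadowed(acl):
        print(f"ACL {later.acl}: line {later.lineno} ({later.action}) never matches; "
              f"line {earlier.lineno} ({earlier.action}) matches first")
    for entry, side in find_noncontiguous(acl):
        print(f"ACL {entry.acl}: line {entry.lineno} {side} wildcard is not a subnet; "
              f"it matches only {matched_hosts(getattr(entry, side))}")
```

Line numbers in the output count lines of the pasted sample, not lines of the router's running configuration.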
VPN Problem: Can't route to other network clients
Hi,
I can't ping the other clients on the network when I'm connected to VPN from outside.
But accessing the internet through the VPN works. (Sending all data through VPN).
So in fact, I can only ping the VPN server I'm connected to.
Maybe someone here has an idea what I'm doing wrong here.
Here is my setup:
internet
I
I
Airport Extreme (internal IP 192.168.3.1, Router with NAT Port forwarding to 192.168.3.3)
I
I
Switch----macMini (192.168.3.3, OS X Server 10.4.10 with VPN, DHCP, DNS, NAT enabled)
l
l
Other Clients on the Network (Clients have DNS entry 192.168.3.3 192.168.3.1, Router is 192.168.3.1)
The services DHCP, DNS working well for internal clients.
Has someone an idea?
Thanks a lot.
Alex
Message was edited by: Syndrome
First, ping is ICMP traffic, different from other kinds of (e.g., TCP) traffic like AFP.
See http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/productstechnote09186a00800a6057.shtml
traceroute also uses some ICMP traffic but might also be using UDP, see
http://en.wikipedia.org/wiki/Traceroute
http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
However, in testing, I can indeed ping the server, when I connect to a remote Mac OS X Server via the Mac OS X supplied vpn. But there is no AP Extreme in the path. So the two big factors are: limitations and/or configuration of the AP, and firewall settings for each/any machine involved.
The Airport Extreme is really quite limited, compared to any more full-featured routing device - in terms of just how granular you can be with controlling traffic flow.
(As a total aside, I'd recommend investing in something like a Zyxel Zywall 2 Plus (or similar or better) and running the AP in bridge mode for wireless clients.)
When you've connected via VPN, please run
netstat -rn to see what your default gateway is, that's actually being used.
Finally, what led you to try these tests? What other problems are you having, what primary issue(s) are you trying to solve? -
Hello, I have been trying to configure a VPN with a Cisco ASA 5505 and Cisco VPN client 5.X for 3 weeks and I have not been able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your help
Yes, it was a VPN client problem. I was doing tests with a WWAN card and it seems it is not compatible with Windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read Release Notes before. Thank you very much for your help and effort. -
VPN problems.. Can't connect due to tunneling issues.
I can't log into my company intranet using my VPN. Other people at my company have no problem using their Mac, but I can't seem to get in.
I get this error:
Network Connect cannot establish a secure session. Network Connect cannot start the tunneling service. See the Log Viewer for more information.
Here are the logs if anyone knows what they mean and can help it would be great.
2011-05-26 17:06:06.204 ncproxyd-admintool[13313] config.info Removing key "ncproxyd_saved_routes" from the persistent store (config.cpp:273)
2011-05-26 17:06:06.204 ncproxyd-admintool[13313] NCAdminHelper.info removing ncproxyd_saved_routes (NCAdminHelper.cpp:1020)
2011-05-26 17:06:06.204 ncproxyd-admintool[13313] NCAdminHelper.warn restore_dns_configuration: failed to rename /etc/hosts.bak to /etc/hosts: No such file or directory (NCAdminHelper.cpp:810)
2011-05-26 17:06:06.214 Network Connect[13291] DSIPC.para Recevied message bytes: (186) <0><0><0><ba><81>$<9b><dd>&\<11><18><b><4><e0><cd>$<f4><da>2<e3>H<a1><95><df><a 5><7f><17>><9><9f>b<cd>I4<ae><ea>v<fe><81><a6><dd>D<7f><aa>~|G<b6>mV$<a>'u<f0>=< a>Nil<d5>r~n<92><6>=A<e7>#<c5><da>A<9f>O<c3>p<82>E<d><e8><e6>b<fb><15>-<f5><9d>< e9><fa><5><e6>1<f5><9a><fb><a8><d9>m<e7>PmZ<a6><98>I<ee>MP<7f><d1><92><12><9f>30 <dd>|<eb> <b4>X<aa><ce>o<88>l[b<2><d8>6<b7>.K<ba><9c><97><96><7f>]<b3>J<83><eb>.<c><b5><< a><a>eH<a2><b9><12><99><9c><bb><eb>D<bd>|0&<ab>k<fc>`<13><af>6<9d><cf>(T<9d><8d> <e5><fe>7<8f>r<fb> (ipc.cpp:727)
2011-06-02 13:50:52.231 ../../webserver/:093 [ Thread-9] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:50:52.980 ../../webserver/:100 [ Thread-9] [RuntimeExec] Process ID = java.lang.UNIXProcess@4d8f9b75
2011-06-02 13:50:54.012 ../../webserver/:141 [ Thread-9] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:50:54.013 ../../webserver/:166 [ Thread-9] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@4d8f9b75] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
DSAppControlThre:000 (06/02 13:50:54.013)[ Thread-9] Checking to see if the application is already running
2011-06-02 13:50:54.013 ../../webserver/:093 [ Thread-9] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xaco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:50:54.041 ../../webserver/:100 [ Thread-9] [RuntimeExec] Process ID = java.lang.UNIXProcess@10d4f27
2011-06-02 13:50:54.214 ../../webserver/:141 [ Thread-9] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:50:54.216 ../../webserver/:166 [ Thread-9] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@10d4f27] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
DSAppControlThre:000 (06/02 13:50:54.216)[ Thread-9] The application is NOT already running
NCAppInstallImpl:000 (06/02 13:50:54.216)[ Thread-9] Attempting to launch the application (mode 1)
NCAppInstallImpl:000 (06/02 13:50:54.219)[ Thread-9] Running this command: /Applications/Network Connect.app/Contents/MacOS/Network Connect -NCLaunchType 1 -AppleLanguages ( en )
NCAppInstallImpl:000 (06/02 13:50:54.283)[ Thread-9] Pushing parameter [ProductVersion=14619] to the app
NCAppInstallImpl:000 (06/02 13:50:54.285)[ Thread-9] Pushing parameter [SystemVersion=6.4.0] to the app
NCAppInstallImpl:000 (06/02 13:50:54.285)[ Thread-9] Pushing parameter [action=install] to the app
NCAppInstallImpl:000 (06/02 13:50:54.285)[ Thread-9] Pushing parameter [autolaunch=1] to the app
NCAppInstallImpl:000 (06/02 13:50:54.285)[ Thread-9] Pushing parameter [cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6] to the app
NCAppInstallImpl:000 (06/02 13:50:54.285)[ Thread-9] Pushing parameter [dns-suffix=adt.com] to the app
NCAppInstallImpl:000 (06/02 13:50:54.286)[ Thread-9] Pushing parameter [enable_logging=1] to the app
NCAppInstallImpl:000 (06/02 13:50:54.286)[ Thread-9] Pushing parameter [enable_logupload=1] to the app
NCAppInstallImpl:000 (06/02 13:50:54.286)[ Thread-9] Pushing parameter [internal-proxy-config=no] to the app
NCAppInstallImpl:000 (06/02 13:50:54.286)[ Thread-9] Pushing parameter [ivehost=go.adt.com] to the app
NCAppInstallImpl:000 (06/02 13:50:54.286)[ Thread-9] Pushing parameter [launch_url=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [linux_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [linux_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [locale=en] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [mac_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [mac_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.287)[ Thread-9] Pushing parameter [ncp_read_timeout=120] to the app
NCAppInstallImpl:000 (06/02 13:50:54.288)[ Thread-9] Pushing parameter [redir_url=/dana/home/index.cgi] to the app
NCAppInstallImpl:000 (06/02 13:50:54.288)[ Thread-9] Pushing parameter [redir_win=Please_Wait7819] to the app
NCAppInstallImpl:000 (06/02 13:50:54.288)[ Thread-9] Pushing parameter [signin_url=/] to the app
NCAppInstallImpl:000 (06/02 13:50:54.288)[ Thread-9] Pushing parameter [switch-dns-search-order=enabled] to the app
NCAppInstallImpl:000 (06/02 13:50:54.288)[ Thread-9] Pushing parameter [uninstall_on_quit=0] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [upgradeMode=2] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [win_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [win_skip_start_script=0] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [win_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [=null] to the app
NCAppInstallImpl:000 (06/02 13:50:54.289)[ Thread-9] Pushing parameter [cookies=<hidden>] to the app
DSAppControlThre:000 (06/02 13:50:54.290)[ Thread-9] Checking to see if the application is already running
2011-06-02 13:50:54.290 ../../webserver/:093 [ Thread-9] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:50:54.324 ../../webserver/:100 [ Thread-9] [RuntimeExec] Process ID = java.lang.UNIXProcess@56b61c3
2011-06-02 13:50:54.330 ../../webserver/:045 [ Thread-15] [RuntimeExec] Result [22538]
2011-06-02 13:50:54.332 ../../webserver/:141 [ Thread-9] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:50:54.333 ../../webserver/:166 [ Thread-9] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@56b61c3] outputStream=[22538] statusStream=[empty -null status stream-]
NCAppController.:000 (06/02 13:50:54.333)[ Thread-9] Starting quit sequence...
NCAppController.:000 (06/02 13:50:54.333)[ Thread-9] Cleaning up
NCAppController.:000 (06/02 13:50:54.333)[ Thread-9] doQuit trying to load /dana/home/index.cgi
NCAppController.:000 (06/02 13:50:54.333)[ Thread-9] Loading https://go.adt.com/dana/home/index.cgi in current window
NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] Entering NCAppController.init() on Thu Jun 02 13:51:16 PDT 2011
NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] New NCAppController session release [6.4.0]
NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] Build number [14619]
NCAppController.:000 (06/02 13:51:16.766)[applet-NCAppController.class] This host needs a i386 binary
NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param ProductVersion=14619
NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param SystemVersion=6.4.0
NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param action=install
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param autolaunch=0
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param dns-suffix=adt.com
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param enable_logging=1
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param enable_logupload=1
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param internal-proxy-config=no
NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param ivehost=go.adt.com
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param launch_url=
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param linux_end_script=
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param linux_start_script=
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param locale=en
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param mac_end_script=
NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param mac_start_script=
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param ncp_read_timeout=120
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param redir_url=/dana/home/starter.cgi?startpageonly=1
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param redir_win=Please_Wait7819
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param signin_url=/
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param switch-dns-search-order=enabled
NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param uninstall_on_quit=0
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param upgradeMode=2
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_end_script=
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_skip_start_script=0
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_start_script=
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param =null
NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param cookies=<hidden>
DSAppControlThre:000 (06/02 13:51:16.841)[ Thread-21] Beginning install...
NCAppInstallImpl:000 (06/02 13:51:16.841)[ Thread-21] Checking installed version
NCAppInstallImpl:000 (06/02 13:51:16.911)[ Thread-21] Version on disk is 14619
NCAppInstallImpl:000 (06/02 13:51:16.911)[ Thread-21] This version is 14619
NCAppInstallImpl:000 (06/02 13:51:16.911)[ Thread-21] Checking if correct locale is installed
DSAppControlThre:000 (06/02 13:51:16.912)[ Thread-21] Checking to see if the application is already running
2011-06-02 13:51:10.387 Network Connect[22538] NCController.info -applicationDidFinishLaunching: Network Connect 6.4.0 (14619)/Version 10.6.6 (Build 10J567) starting (NCController.m:98)
2011-06-02 13:51:10.721 Network Connect[22538] NCController.info -applicationDidFinishLaunching: launched from applet/application launcher (launchType: 1), waiting for parameters (NCController.m:133)
2011-06-02 13:51:10.762 Network Connect[22538] DSIPCConnection.info -_clearIPCBuffer: Clearing the IPC buffer (DSIPCConnection.mm:526)
2011-06-02 13:51:11.386 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter internal-proxy-config = "no" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received internal-proxy-config = no (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ivehost = "go.adt.com" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.info -ipc:appletSetIVEParameter:: applet says to connect to go.adt.com. (NCController+NCIPC.m:13)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received ivehost = go.adt.com (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter launch_url = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received launch_url = (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received linux_end_script = (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received linux_start_script = (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter locale = "en" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received locale = en (NCController.m:1297)
2011-06-02 13:51:11.387 Network Connect[22538] NCController.info -loginWindowController:setClientParameter:value: saving locale preference (
en
) as AppleLanguages for use on next launch. (NCController.m:1324)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received mac_end_script = (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled for NCScriptLauncherPostDisconnectEventIdentifier (NCScriptLauncher.m:35)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received mac_start_script = (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled for NCScriptLauncherPostConnectEventIdentifier (NCScriptLauncher.m:35)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ncp_read_timeout = "120" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received ncp_read_timeout = 120 (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_url = "/dana/home/index.cgi" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received redir_url = /dana/home/index.cgi (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_win = "Please_Wait7819" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received redir_win = Please_Wait7819 (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter signin_url = "/" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received signin_url = / (NCController.m:1297)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter switch-dns-search-order = "enabled" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received switch-dns-search-order = enabled (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter uninstall_on_quit = "0" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received uninstall_on_quit = 0 (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter upgradeMode = "2" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received upgradeMode = 2 (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_end_script = (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_skip_start_script = "0" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_skip_start_script = 0 (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_start_script = (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter cookies = "DSLastAccess=1307047821; DSFirstAccess=1307047819; DSID=bff2f274c3d8f863f7e631151c7a9bd3; DSSignInURL=/" (NCController+NCIPC.m:10)
2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSLastAccess = 1307047821 (NCController.m:1297)
2011-06-02 13:51:11.389 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSLastAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:51:11.389 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSLastAccess cookie! (DSSessionContext.m:68)
2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSLastAccess cookie (DSSessionContext.m:148)
2011-06-02 13:51:11.814 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSFirstAccess = 1307047819 (NCController.m:1297)
2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSFirstAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSFirstAccess cookie! (DSSessionContext.m:68)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSFirstAccess cookie (DSSessionContext.m:148)
2011-06-02 13:51:11.887 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSID = bff2f274c3d8f863f7e631151c7a9bd3 (NCController.m:1297)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSID, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSID cookie! (DSSessionContext.m:68)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSID cookie (DSSessionContext.m:148)
2011-06-02 13:51:11.887 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSSignInURL = / (NCController.m:1297)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSSignInURL, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSSignInURL cookie! (DSSessionContext.m:68)
2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSSignInURL cookie (DSSessionContext.m:148)
2011-06-02 13:51:12.393 Network Connect[22538] DSLoginWindowController.info -windowDidLoad setting user-agent to Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/6533.20.25 (KHTML, like Gecko) Network Connect (like Safari)/14619 (DSLoginWindowController.m:105)
2011-06-02 13:51:14.343 Network Connect[22538] DSLoginWindowController.info -showWindowWithWebLogin No proxy to resolve.. (DSLoginWindowController.m:824)
2011-06-02 13:51:14.343 Network Connect[22538] NCController.info -enterResolvingProxiesStateWithOldState: reconfiguring and resolving proxies (NCController+NCStateChanges.m:112)
2011-06-02 13:51:14.344 Network Connect[22538] NCController.info -reconfigure Reconfiguring on en1 (NCController.m:824)
2011-06-02 13:51:14.789 Network Connect[22538] DSHTTPSProxyResolver.info -resolveProxiesInBackground No HTTPS proxy (DSHTTPSProxyResolver.m:378)
2011-06-02 13:51:15.227 Network Connect[22538] nc.mac.app.1200.error <DSError 0x2a04f0 domain=nc.mac.app code=1200 "Network Connect can't launch service" userInfo={
DSErrorClassName = NCController;
DSErrorLocalizedAlertText = "Network Connect cannot start the tunneling service. See the Log Viewer for more information.";
DSErrorLocalizedAlertTitle = "Network Connect cannot establish a secure session.";
DSErrorLocalizedFirstButtonTitle = Cancel;
DSErrorLocalizedSecondButtonTitle = DSOptions;
DSErrorMethodName = "enterWaitingOnServiceStateWithOldState:";
DSErrorStackBackTrace = (
"atos not installed: hex trace: 0x11007e97 0x110088d5 0x105f8 0x3fd6 0x12008469 0x12008d6c 0x3fd6 0x1201914d 0xf7e0 0x9867cedd 0x9867ce48 0x986b9698 0x11016b46 0x11006148 0x110063ba 0x11017f4e 0x96cb5588 0x9865e793 0x9865e19a 0x96caa384 0x96d82038 0x986424cb 0x9863ff8f 0x9863f464 0x9863f291 0x92884004 0x92883cf7 0x92883c40 0x96f5b78d 0x96f5afce 0x96f1d247 0x96f152d9 0xde2a 0x2656 0x2571 0x5"
path = "/usr/local/juniper/nc/6.4.0/ncproxyd";
reason = "working directory doesn't exist.";
} (NCController+NCStateChanges.m:160)>
2011-06-02 13:51:15.294 Network Connect[22538] diag.info ifconfig -a: lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet6 ::1 prefixlen 128
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet 127.0.0.1 netmask 0xff000000
2011-06-02 13:51:15.294 Network Connect[22538] diag.info gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
2011-06-02 13:51:15.294 Network Connect[22538] diag.info stf0: flags=0<> mtu 1280
2011-06-02 13:51:15.294 Network Connect[22538] diag.info en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
2011-06-02 13:51:15.294 Network Connect[22538] diag.info ether d4:9a:20:ec:fe:36
2011-06-02 13:51:15.294 Network Connect[22538] diag.info media: autoselect
2011-06-02 13:51:15.294 Network Connect[22538] diag.info status: inactive
2011-06-02 13:51:15.294 Network Connect[22538] diag.info en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
2011-06-02 13:51:15.294 Network Connect[22538] diag.info ether 34:15:9e:8d:11:36
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet6 fe80::3615:9eff:fe8d:1136%en1 prefixlen 64 scopeid 0x5
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255
2011-06-02 13:51:15.294 Network Connect[22538] diag.info inet6 ::3615:9eff:fe8d:1136 prefixlen 64 autoconf
2011-06-02 13:51:15.294 Network Connect[22538] diag.info media: autoselect
2011-06-02 13:51:15.294 Network Connect[22538] diag.info status: active
2011-06-02 13:51:15.294 Network Connect[22538] diag.info netstat -rnf inet: -a: Routing tables
2011-06-02 13:51:15.294 Network Connect[22538] diag.info Internet:
2011-06-02 13:51:15.294 Network Connect[22538] diag.info Destination Gateway Flags Refs Use Netif Expire
2011-06-02 13:51:15.294 Network Connect[22538] diag.info default 192.168.1.254 UGSc 28 0 en1
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 127 127.0.0.1 UCS 0 0 lo0
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 127.0.0.1 127.0.0.1 UH 0 958 lo0
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 169.254 link#5 UCS 0 0 en1
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1 link#5 UCS 6 0 en1
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.64 0:1b:63:f3:64:4f UHLWI 0 0 en1 239
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.65 127.0.0.1 UHS 0 703 lo0
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.70 24:ab:81:fd:8:46 UHLWI 0 0 en1 100
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.74 0:1b:63:c8:71:2 UHLWI 1 627 en1 548
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.254 0:1b:5b:6e:35:a1 UHLWI 39 226 en1 1199
2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.255 link#5 UHLWbI 2 85 en1
2011-06-02 13:51:15.294 Network Connect[22538] diag.info resolv.conf: #
2011-06-02 13:51:15.294 Network Connect[22538] diag.info # Mac OS X Notice
2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
2011-06-02 13:51:15.294 Network Connect[22538] diag.info # This file is not used by the host name and address resolution
2011-06-02 13:51:15.294 Network Connect[22538] diag.info # or the DNS query routing mechanisms used by most processes on
2011-06-02 13:51:15.294 Network Connect[22538] diag.info # this Mac OS X system.
2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
2011-06-02 13:51:15.294 Network Connect[22538] diag.info # This file is automatically generated.
2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
2011-06-02 13:51:15.294 Network Connect[22538] diag.info domain gateway.2wire.net
2011-06-02 13:51:15.294 Network Connect[22538] diag.info nameserver 192.168.1.254
2011-06-02 13:51:16.912 ../../webserver/:093 [ Thread-21] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:51:16.964 ../../webserver/:100 [ Thread-21] [RuntimeExec] Process ID = java.lang.UNIXProcess@cc7f9e
2011-06-02 13:51:16.970 ../../webserver/:045 [ Thread-23] [RuntimeExec] Result [22538]
2011-06-02 13:51:16.972 ../../webserver/:141 [ Thread-21] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:51:16.972 ../../webserver/:166 [ Thread-21] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@cc7f9e] outputStream=[22538] statusStream=[empty -null status stream-]
DSAppControlThre:000 (06/02 13:51:16.973)[ Thread-21] The application is already running with PID 22538
NCAppController.:000 (06/02 13:51:18.775)[ Thread-21] Starting quit sequence...
NCAppController.:000 (06/02 13:51:18.776)[ Thread-21] Cleaning up
NCAppController.:000 (06/02 13:51:18.777)[ Thread-21] doQuit trying to load /dana/home/starter.cgi?startpageonly=1
NCAppController.:000 (06/02 13:51:18.777)[ Thread-21] Loading https://go.adt.com/dana/home/starter.cgi?startpageonly=1 in current window
NCAppController.:000 (06/02 13:58:03.266)[applet-NCAppController.class] Entering NCAppController.init() on Thu Jun 02 13:58:03 PDT 2011
NCAppController.:000 (06/02 13:58:03.311)[applet-NCAppController.class] New NCAppController session release [6.4.0]
NCAppController.:000 (06/02 13:58:03.311)[applet-NCAppController.class] Build number [14619]
NCAppController.:000 (06/02 13:58:03.387)[applet-NCAppController.class] This host needs a i386 binary
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param ProductVersion=14619
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param SystemVersion=6.4.0
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param action=install
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param autolaunch=0
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6
NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param dns-suffix=adt.com
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param enable_logging=1
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param enable_logupload=1
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param internal-proxy-config=no
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param ivehost=go.adt.com
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param launch_url=
NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param linux_end_script=
NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param linux_start_script=
NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param locale=en
NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param mac_end_script=
NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param mac_start_script=
NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param ncp_read_timeout=120
NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param redir_url=/dana/home/starter.cgi?startpageonly=1
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param redir_win=Please_Wait7819
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param signin_url=/
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param switch-dns-search-order=enabled
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param uninstall_on_quit=0
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param upgradeMode=2
NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param win_end_script=
NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param win_skip_start_script=0
NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param win_start_script=
NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param =null
NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param cookies=<hidden>
DSAppControlThre:000 (06/02 13:58:03.505)[ Thread-29] Beginning install...
NCAppInstallImpl:000 (06/02 13:58:03.505)[ Thread-29] Checking installed version
NCAppInstallImpl:000 (06/02 13:58:03.534)[ Thread-29] Version on disk is 14619
NCAppInstallImpl:000 (06/02 13:58:03.534)[ Thread-29] This version is 14619
NCAppInstallImpl:000 (06/02 13:58:03.534)[ Thread-29] Checking if correct locale is installed
DSAppControlThre:000 (06/02 13:58:03.570)[ Thread-29] Checking to see if the application is already running
2011-06-02 13:51:38.496 Network Connect[22538] NCProxyMonitor.warn -quit quitting ncproxyd (0) (NCProxyMonitor.mm:132)
2011-06-02 13:51:38.496 Network Connect[22538] DSIPCConnection.warn -enqueueMessageWithName:types: IPC message nc_quit sent while _writeFileHandle == nil (DSIPCConnection.mm:455)
2011-06-02 13:51:38.531 Network Connect[22538] NCAdminFunctions.info calling ncproxyd to restore system configuration. (NCAdminFunctions.mm:111)
2011-06-02 13:51:38.779 Network Connect[22538] http_connection.para Starting a timed connect with SSL session 0x2bdd30, proxy 0:0, and timeout 30 (http_connection.cpp:175)
2011-06-02 13:51:38.779 Network Connect[22538] http_connection.para Entering state_start_connection (http_connection.cpp:285)
2011-06-02 13:51:38.806 ncproxyd-admintool[22557] DSIPC.para Recevied message bytes: (52) <0><0><0>4<a1><4><85><d8>/X<16>>1<1c><ff><c7>:<f4><db>2<e4>c<bc><82><c9><8f>`<1 a>M<14><fa>.<f><a>2<c0><8c><1f><99><87><fc><d7>Ud<ab>u<10><7><96>w<1f><fc> (ipc.cpp:727)
2011-06-02 13:51:38.846 Network Connect[22538] http_connection.para Entering state_continue_connection (http_connection.cpp:302)
2011-06-02 13:51:38.846 ncproxyd-admintool[22557] NCAdminHelper.info looking for ncproxyd in 63 processes (NCAdminHelper.cpp:1131)
2011-06-02 13:51:38.847 Network Connect[22538] http_connection.para Entering state_ssl_connect (http_connection.cpp:471)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 0.0.0.0/0.0.0.0 gw 192.168.1.254 metric 1 via 0x00000000 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 127.0.0.0/255.0.0.0 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 127.0.0.1/255.255.255.255 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 169.254.0.0/255.255.0.0 gw 0.0.0.0 metric 1 via 0x00000005 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 192.168.1.0/255.255.255.0 gw 0.0.0.0 metric 1 via 0x00000005 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 192.168.1.65/255.255.255.255 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] ncproxyd.info No added routes to delete (ncproxyd.cpp:242)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] config.info Removing key "ncproxyd_added_routes" from the persistent store (config.cpp:273)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] NCAdminHelper.info removing ncproxyd_added_routes (NCAdminHelper.cpp:1020)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] ncproxyd.info No routes to restore (ncproxyd.cpp:251)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] config.info Removing key "ncproxyd_saved_routes" from the persistent store (config.cpp:273)
2011-06-02 13:51:38.847 ncproxyd-admintool[22557] NCAdminHelper.info removing ncproxyd_saved_routes (NCAdminHelper.cpp:1020)
2011-06-02 13:51:38.848 ncproxyd-admintool[22557] NCAdminHelper.warn restore_dns_configuration: failed to rename /etc/hosts.bak to /etc/hosts: No such file or directory (NCAdminHelper.cpp:810)
2011-06-02 13:51:38.917 Network Connect[22538] DSIPC.para Recevied message bytes: (186) <0><0><0><ba><81>$<9b><dd>&\<11><18><b><4><e0><cd>$<f4><da>2<e3>H<a1><95><df><a 5><7f><17>><9><9f><12>|<c9>4<ae><ea>v<fe><81><a6><dd>D<7f><aa>~|G<b6>mV$<a>'u<f0 >=<a>Nil<d5>r~n<92><6>=A<e7>#<c5><da>A<9f>O<c3>p<82>E<d><e8><e6>b<fb><15>-<f5><9 d><e9><fa><5><e6>1<f5><9a><fb><a8><d9>m<e7>PmZ<a6><98>I<ee>MP<7f><d1><92><12><9f >30 <dd>|<eb> <b4>X<aa><ce>o<88>l[b<2><d8>6<b7>.K<ba><9c><97><96><7f>]<b3>J<83><eb>.<c><b5><< a><a>eH<a2><b9><12><99><9c><bb><eb>D<bd>|0&<ab>k<fc>`<13><af>6<9d><cf>(T<9d><8d> <e5><fe>7<8f>r<fb> (ipc.cpp:727)
2011-06-02 13:58:03.569 ../../webserver/:093 [ Thread-29] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:58:03.607 ../../webserver/:100 [ Thread-29] [RuntimeExec] Process ID = java.lang.UNIXProcess@2af6a882
2011-06-02 13:58:03.679 ../../webserver/:141 [ Thread-29] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:58:03.680 ../../webserver/:166 [ Thread-29] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@2af6a882] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
DSAppControlThre:000 (06/02 13:58:03.681)[ Thread-29] Checking to see if the application is already running
2011-06-02 13:58:03.680 ../../webserver/:093 [ Thread-29] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xaco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:58:03.720 ../../webserver/:100 [ Thread-29] [RuntimeExec] Process ID = java.lang.UNIXProcess@6a25b72a
2011-06-02 13:58:03.736 ../../webserver/:141 [ Thread-29] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:58:03.737 ../../webserver/:166 [ Thread-29] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@6a25b72a] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
DSAppControlThre:000 (06/02 13:58:03.738)[ Thread-29] The application is NOT already running
NCAppInstallImpl:000 (06/02 13:58:03.740)[ Thread-29] Attempting to launch the application (mode 1)
NCAppInstallImpl:000 (06/02 13:58:03.741)[ Thread-29] Running this command: /Applications/Network Connect.app/Contents/MacOS/Network Connect -NCLaunchType 1 -AppleLanguages ( en )
NCAppInstallImpl:000 (06/02 13:58:03.809)[ Thread-29] Pushing parameter [ProductVersion=14619] to the app
NCAppInstallImpl:000 (06/02 13:58:03.810)[ Thread-29] Pushing parameter [SystemVersion=6.4.0] to the app
NCAppInstallImpl:000 (06/02 13:58:03.866)[ Thread-29] Pushing parameter [action=install] to the app
NCAppInstallImpl:000 (06/02 13:58:03.866)[ Thread-29] Pushing parameter [autolaunch=0] to the app
NCAppInstallImpl:000 (06/02 13:58:03.867)[ Thread-29] Pushing parameter [cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6] to the app
NCAppInstallImpl:000 (06/02 13:58:03.867)[ Thread-29] Pushing parameter [dns-suffix=adt.com] to the app
NCAppInstallImpl:000 (06/02 13:58:03.867)[ Thread-29] Pushing parameter [enable_logging=1] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [enable_logupload=1] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [internal-proxy-config=no] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [ivehost=go.adt.com] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [launch_url=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [linux_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.868)[ Thread-29] Pushing parameter [linux_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [locale=en] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [mac_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [mac_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [ncp_read_timeout=120] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [redir_url=/dana/home/starter.cgi?startpageonly=1] to the app
NCAppInstallImpl:000 (06/02 13:58:03.869)[ Thread-29] Pushing parameter [redir_win=Please_Wait7819] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [signin_url=/] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [switch-dns-search-order=enabled] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [uninstall_on_quit=0] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [upgradeMode=2] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [win_end_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.870)[ Thread-29] Pushing parameter [win_skip_start_script=0] to the app
NCAppInstallImpl:000 (06/02 13:58:03.871)[ Thread-29] Pushing parameter [win_start_script=] to the app
NCAppInstallImpl:000 (06/02 13:58:03.871)[ Thread-29] Pushing parameter [=null] to the app
NCAppInstallImpl:000 (06/02 13:58:03.871)[ Thread-29] Pushing parameter [cookies=<hidden>] to the app
DSAppControlThre:000 (06/02 13:58:03.871)[ Thread-29] Checking to see if the application is already running
2011-06-02 13:58:03.871 ../../webserver/:093 [ Thread-29] [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
2011-06-02 13:58:03.916 ../../webserver/:100 [ Thread-29] [RuntimeExec] Process ID = java.lang.UNIXProcess@6dabbec4
2011-06-02 13:58:03.920 ../../webserver/:045 [ Thread-35] [RuntimeExec] Result [22587]
2011-06-02 13:58:03.921 ../../webserver/:141 [ Thread-29] [RuntimeExec] ExitValue of waitFor() = 0
2011-06-02 13:58:03.921 ../../webserver/:166 [ Thread-29] [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@6dabbec4] outputStream=[22587] statusStream=[empty -null status stream-]
NCAppController.:000 (06/02 13:58:03.922)[ Thread-29] Starting quit sequence...
NCAppController.:000 (06/02 13:58:03.922)[ Thread-29] Cleaning up
NCAppController.:000 (06/02 13:58:03.923)[ Thread-29] doQuit trying to load /dana/home/starter.cgi?startpageonly=1
NCAppController.:000 (06/02 13:58:03.923)[ Thread-29] Loading https://go.adt.com/dana/home/starter.cgi?startpageonly=1 in current window
2011-06-02 13:58:08.899 Network Connect[22587] NCController.info -applicationDidFinishLaunching: Network Connect 6.4.0 (14619)/Version 10.6.6 (Build 10J567) starting (NCController.m:98)
2011-06-02 13:58:09.111 Network Connect[22587] NCController.info -applicationDidFinishLaunching: launched from applet/application launcher (launchType: 1), waiting for parameters (NCController.m:133)
2011-06-02 13:58:09.113 Network Connect[22587] DSIPCConnection.info -_clearIPCBuffer: Clearing the IPC buffer (DSIPCConnection.mm:526)
2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSFirstAccess cookie (DSSessionContext.m:148)
2011-06-02 13:58:09.154 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSID = bff2f274c3d8f863f7e631151c7a9bd3 (NCController.m:1297)
2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSID, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSID cookie! (DSSessionContext.m:68)
2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSID cookie (DSSessionContext.m:148)
2011-06-02 13:58:09.155 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSSignInURL = / (NCController.m:1297)
2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSSignInURL, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSSignInURL cookie! (DSSessionContext.m:68)
2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSSignInURL cookie (DSSessionContext.m:148)
2011-06-02 13:58:09.174 Network Connect[22587] DSLoginWindowController.info -windowDidLoad setting user-agent to Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/6533.20.25 (KHTML, like Gecko) Network Connect (like Safari)/14619 (DSLoginWindowController.m:105)
2011-06-02 13:58:09.387 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter internal-proxy-config = "no" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.391 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received internal-proxy-config = no (NCController.m:1297)
2011-06-02 13:58:09.392 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ivehost = "go.adt.com" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.392 Network Connect[22587] NCController.info -ipc:appletSetIVEParameter:: applet says to connect to go.adt.com. (NCController+NCIPC.m:13)
2011-06-02 13:58:09.393 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received ivehost = go.adt.com (NCController.m:1297)
2011-06-02 13:58:09.393 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter launch_url = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.394 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received launch_url = (NCController.m:1297)
2011-06-02 13:58:09.394 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.395 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received linux_end_script = (NCController.m:1297)
2011-06-02 13:58:09.395 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received linux_start_script = (NCController.m:1297)
2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter locale = "en" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received locale = en (NCController.m:1297)
2011-06-02 13:58:09.397 Network Connect[22587] NCController.info -loginWindowController:setClientParameter:value: saving locale preference (
en
) as AppleLanguages for use on next launch. (NCController.m:1324)
2011-06-02 13:58:09.398 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.399 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received mac_end_script = (NCController.m:1297)
2011-06-02 13:58:09.399 Network Connect[22587] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled for NCScriptLauncherPostDisconnectEventIdentifier (NCScriptLauncher.m:35)
2011-06-02 13:58:09.400 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.400 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received mac_start_script = (NCController.m:1297)
2011-06-02 13:58:09.400 Network Connect[22587] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled for NCScriptLauncherPostConnectEventIdentifier (NCScriptLauncher.m:35)
2011-06-02 13:58:09.401 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ncp_read_timeout = "120" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.401 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received ncp_read_timeout = 120 (NCController.m:1297)
2011-06-02 13:58:09.402 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_url = "/dana/home/starter.cgi?startpageonly=1" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.402 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received redir_url = /dana/home/starter.cgi?startpageonly=1 (NCController.m:1297)
2011-06-02 13:58:09.403 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_win = "Please_Wait7819" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.403 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received redir_win = Please_Wait7819 (NCController.m:1297)
2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter signin_url = "/" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received signin_url = / (NCController.m:1297)
2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter switch-dns-search-order = "enabled" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.405 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received switch-dns-search-order = enabled (NCController.m:1297)
2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter uninstall_on_quit = "0" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received uninstall_on_quit = 0 (NCController.m:1297)
2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter upgradeMode = "2" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.407 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received upgradeMode = 2 (NCController.m:1297)
2011-06-02 13:58:09.407 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_end_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_end_script = (NCController.m:1297)
2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_skip_start_script = "0" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_skip_start_script = 0 (NCController.m:1297)
2011-06-02 13:58:09.409 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_start_script = "" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.409 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_start_script = (NCController.m:1297)
2011-06-02 13:58:09.410 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter cookies = "DSLastAccess=1307048282; DSFirstAccess=1307047819; DSID=bff2f274c3d8f863f7e631151c7a9bd3; DSSignInURL=/" (NCController+NCIPC.m:10)
2011-06-02 13:58:09.410 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSLastAccess = 1307048282 (NCController.m:1297)
2011-06-02 13:58:09.411 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSLastAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:58:09.411 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSLastAccess cookie! (DSSessionContext.m:68)
2011-06-02 13:58:09.748 Network Connect[22587] DSLoginWindowController.info -showWindowWithWebLogin No proxy to resolve.. (DSLoginWindowController.m:824)
2011-06-02 13:58:09.748 Network Connect[22587] NCController.info -enterResolvingProxiesStateWithOldState: reconfiguring and resolving proxies (NCController+NCStateChanges.m:112)
2011-06-02 13:58:09.748 Network Connect[22587] NCController.info -reconfigure Reconfiguring on en1 (NCController.m:824)
2011-06-02 13:58:09.788 Network Connect[22587] DSHTTPSProxyResolver.info -resolveProxiesInBackground No HTTPS proxy (DSHTTPSProxyResolver.m:378)
2011-06-02 13:58:09.841 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSLastAccess cookie (DSSessionContext.m:148)
2011-06-02 13:58:09.842 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSFirstAccess = 1307047819 (NCController.m:1297)
2011-06-02 13:58:09.843 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSFirstAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
2011-06-02 13:58:09.843 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSFirstAccess cookie! (DSSessionContext.m:68)
2011-06-02 13:58:09.847 Network Connect[22587] nc.mac.app.1200.error <DSError 0x28bf20 domain=nc.mac.app code=1200 "Network Connect can't launch service" userInfo={
DSErrorClassName = NCController;
DSErrorLocalizedAlertText = "Network Connect cannot start the tunneling service. See the Log Viewer for more information.";
DSErrorLocalizedAlertTitle = "Network Connect cannot establish a secure session.";
DSErrorLocalizedFirstButtonTitle = Cancel;
DSErrorLocalizedSecondButtonTitle = DSOptions;
DSErrorMethodName = "enterWaitingOnServiceStateWithOldState:";
DSErrorStackBackTrace = (
"atos not installed: hex trace: 0x11007e97 0x110088d5 0x105f8 0x3fd6 0x12008469 0x12008d6c 0x3fd6 0x1201914d 0xf7e0 0x9867cedd 0x9867ce48 0x986b9698 0x11016b46 0x11006148 0x110063ba 0x11017f4e 0x96cb5588 0x9865e793 0x9865e19a 0x96caa384 0x96d82038 0x986424cb 0x9863ff8f 0x9863f464 0x9863f291 0x92884004 0x92883cf7 0x92883c40 0x96f5b78d 0x96f5afce 0x96f1d247 0x96f152d9 0xde2a 0x2656 0x2571 0x5"
path = "/usr/local/juniper/nc/6.4.0/ncproxyd";
reason = "working directory doesn't exist.";
} (NCController+NCStateChanges.m:160)>
2011-06-02 13:58:09.895 Network Connect[22587] diag.info ifconfig -a: lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet6 ::1 prefixlen 128
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet 127.0.0.1 netmask 0xff000000
2011-06-02 13:58:09.895 Network Connect[22587] diag.info gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
2011-06-02 13:58:09.895 Network Connect[22587] diag.info stf0: flags=0<> mtu 1280
2011-06-02 13:58:09.895 Network Connect[22587] diag.info en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
2011-06-02 13:58:09.895 Network Connect[22587] diag.info ether d4:9a:20:ec:fe:36
2011-06-02 13:58:09.895 Network Connect[22587] diag.info media: autoselect
2011-06-02 13:58:09.895 Network Connect[22587] diag.info status: inactive
2011-06-02 13:58:09.895 Network Connect[22587] diag.info en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
2011-06-02 13:58:09.895 Network Connect[22587] diag.info ether 34:15:9e:8d:11:36
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet6 fe80::3615:9eff:fe8d:1136%en1 prefixlen 64 scopeid 0x5
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255
2011-06-02 13:58:09.895 Network Connect[22587] diag.info inet6 ::3615:9eff:fe8d:1136 prefixlen 64 autoconf
2011-06-02 13:58:09.895 Network Connect[22587] diag.info media: autoselect
2011-06-02 13:58:09.895 Network Connect[22587] diag.info status: active
2011-06-02 13:58:09.895 Network Connect[22587] diag.info netstat -rnf inet: -a: Routing tables
2011-06-02 13:58:09.895 Network Connect[22587] diag.info Internet:
2011-06-02 13:58:09.895 Network Connect[22587] diag.info Destination Gateway Flags Refs Use Netif Expire
2011-06-02 13:58:09.895 Network Connect[22587] diag.info default 192.168.1.254 UGSc 15 0 en1
rtdolfan13 I have the same problem with my new Mac, Mac OS X (10.6.7). My other Mac worked fine. I work for the same company as you also.. please let me know if you found a solution and I will do the same. Our "help desk" does not know anything about Macs, which makes no sense to me. We have 4 Mac users in our office and we cannot log on with the VPN.. kinda frustrating.
Hope we can resolve this soon!
-
Hi....
Windows 8.1 64 bit
My problem is that the Check Point VPN configuration is complete,
but I cannot access the VPN.
The message shows "Server is not responding or cannot be reached"
Hi,
Any VPN error code? The error message indicates that the VPN client cannot reach the server. This can happen if the VPN server is not properly connected to the network, the network is temporarily down, or if the server or network is overloaded with traffic.
The error also occurs if the VPN client has incorrect configuration settings, so please eliminate the network connection issue and configuration issue.
Meanwhile, make sure the firewall and anti-virus program are not blocking the connection; you can temporarily disable them as a test.
We can also refer to this link for troubleshooting:
http://windows.microsoft.com/en-hk/windows7/why-am-i-having-problems-with-my-vpn-connection
Yolanda Zhu
TechNet Community Support