ASA5505 RA VPN problem

Hi!
I have my ASA configured for 2 site-to-site VPNs and one Remote Access VPN (L2TP).
It used to work fine before, but now it stopped working at all.
Phase 1 shows a configuration mismatch on the DH group, I think - the log says something like "configured unknown, expected group 2".
But this issue arose now when I tried to make the RAVPN work again.
The main issue when it was working was that despite the proper tunnel network list configuration I only had access to the tunnel and did not have access to the local internet when connected.
I am learning and configuring my ASA from documentation found on the internet, so I am no professional.
Any support would be much appreciated.
My config below:
: Saved
! Running configuration as posted. The outside addresses are masked (B.B.B.B)
! and the enable/passwd hashes are replaced with XXX.
ASA Version 9.1(3)
hostname ciscoasa
domain-name BETONOWA.local
enable password XXX encrypted
passwd XXX encrypted
names
! Address pool handed to remote-access VPN clients. The range sits inside
! 192.168.1.0/24, the same subnet that Vlan1 (inside) uses below, so VPN
! clients and LAN hosts share one address range.
! NOTE(review): a separate, non-overlapping pool subnet is usually easier to
! route and to filter on - confirm the overlap is intended.
ip local pool VPN_RA_POOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
! Ethernet0/0 is the only port moved to VLAN 2 (outside); the other switch
! ports carry no explicit VLAN assignment in this listing.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
! Trusted LAN side (security-level 100).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 dhcprelay server 192.168.1.10
! Untrusted Internet side (security-level 0).
interface Vlan2
 nameif outside
 security-level 0
 ip address B.B.B.B 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
! DNS lookups by the ASA itself are enabled on both interfaces; the resolver
! list mixes the internal server 192.168.1.10 with two public resolvers.
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.10
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name BETONOWA.local
! Permit traffic between equal-security interfaces and traffic that enters and
! leaves the same interface (hairpinning, e.g. VPN client -> ASA -> outside).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Network and service objects. Several objects name the same host (IIS,
! IIS_https and IIS_smtp are all 192.168.1.30; SQL and SQL_MateuszServer are
! both 192.168.1.11); the object-NAT section later in this configuration
! attaches one translation rule to some of these duplicates.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BETONOWA-DC
 host 192.168.1.10
object network BETONOWA-SQL
 host 192.168.1.15
object network EXCH-MBX
 host 192.168.1.20
object network IIS_https
 host 192.168.1.30
object network RenBetPBX
 host 192.168.1.2
object network SQL
 host 192.168.1.11
object network XEROX
 host 192.168.1.3
object network RBSTORE
 host 192.168.1.6
object network IIS_smtp
 host 192.168.1.30
object network SQL_MateuszServer
 host 192.168.1.11
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
! 192.168.1.192/27 covers .192-.223, which contains the VPN_RA_POOL range
! (.200-.220); the NAT-exemption rules use it as the "VPN clients" network.
object network NETWORK_OBJ_192.168.1.192_27
 subnet 192.168.1.192 255.255.255.224
object network igolomska-network
 subnet 192.168.0.0 255.255.255.0
object network IIS
 host 192.168.1.30
object network DC
 host 192.168.1.10
! Matches TCP with source port 23456 and destination port 3389.
! NOTE(review): no other line in the posted configuration references this
! object - it looks unused.
object service RDP
 service tcp source eq 23456 destination eq 3389
object network VirtualPC-rdp
 host 192.168.1.40
object network mlhome-network
 subnet 192.168.2.0 255.255.255.0
object network CUE-network
 subnet 10.1.10.0 255.255.255.0
object network VOIP-network
 subnet 10.1.1.0 255.255.255.0
object network CUE
 host 10.1.10.2
object network PBXDATA-network
 subnet 192.168.10.0 255.255.255.0
object network VirtualPC
 host 192.168.1.40
! Camera hosts (description "Kamera PTZ" = PTZ camera). Each camera has a
! plain object used in the outside ACL and a *_http / *http twin that carries
! the port-forward in the object-NAT section.
object network KAM_PTZ
 host 192.168.1.81
 description Kamera PTZ
object network KAM_PTZ_http
 host 192.168.1.81
object network KAM_HALA_PRZOD
 host 192.168.1.72
object network KAM_HALA_PRZOD_http
 host 192.168.1.72
object network KAM_HALA_CNC
 host 192.168.1.74
object network KAM_HALA_CNC_http
 host 192.168.1.74
object network vCMA_https
 host 192.168.1.17
object network AUTOSAT
 host 192.168.1.15
 description AUTOSAT_TCP
object network kamwaga1
 host 192.168.1.83
object network kamwaga2
 host 192.168.1.84
object network kamarcen1
 host 192.168.1.76
object network kamarcen1http
 host 192.168.1.76
object network kamarcen2
 host 192.168.1.79
object network kamarcen2http
 host 192.168.1.79
object network kamwaga2http
 host 192.168.1.84
object network kamwagahttp
 host 192.168.1.83
! Port set that outside_access_in opens from any source to RBSTORE:
! www, https, 8080, 8081, 6881 and ftp.
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq 8080
 port-object eq 8081
 port-object eq 6881
 port-object eq ftp
! Port set that outside_access_in opens toward the whole inside /24.
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
! ICMP, DNS (tcp/udp) and NTP; outside_access_in permits these from any source
! toward the whole inside /24.
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp-udp destination eq domain
 service-object udp destination eq ntp
! Inbound policy for the outside interface (bound by the access-group line
! later in this configuration). Every entry uses source "any".
! NOTE(review): on 8.3+ software these entries match the real (inside)
! addresses, so an entry only exposes a host that is also reachable from
! outside through a translation - confirm which entries are actually effective
! and remove the rest.
access-list outside_access_in extended permit tcp any object RBSTORE object-group DM_INLINE_TCP_1
! www/https to the entire inside /24, with logging switched off for this
! entry, so matches leave no syslog record.
! NOTE(review): consider naming only the published servers as destination and
! keeping logging enabled on Internet-facing permits.
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2 log disable
access-list outside_access_in extended permit tcp any host 192.168.1.30 eq smtp
! RDP (3389) from any source to VirtualPC.
! NOTE(review): Internet-facing RDP is commonly limited to known source
! addresses or reached over the VPN instead.
access-list outside_access_in extended permit tcp any object VirtualPC eq 3389
access-list outside_access_in extended permit tcp any object SQL eq 13000
! ICMP, DNS and NTP from any source toward the whole inside network.
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object NETWORK_OBJ_192.168.1.0_24
access-list outside_access_in extended permit tcp any object KAM_PTZ eq www
access-list outside_access_in extended permit tcp any object KAM_HALA_PRZOD eq www
access-list outside_access_in extended permit tcp any object KAM_HALA_CNC eq www
access-list outside_access_in extended permit tcp any object BETONOWA-SQL eq 8112
! The next four entries permit every IP protocol and port from any source to
! four camera hosts, whereas the three camera entries above are limited to
! tcp/www.
! NOTE(review): narrowing these to the single forwarded port would match the
! rest of the list - confirm nothing depends on the wider permit.
access-list outside_access_in extended permit ip any object kamwaga2
access-list outside_access_in extended permit ip any object kamwaga1
access-list outside_access_in extended permit ip any object kamarcen1
access-list outside_access_in extended permit ip any object kamarcen2
! Split-tunnel list for the remote-access group policy: only 192.168.1.0/24 is
! sent through the tunnel.
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
! NOTE(review): the crypto maps below reference outside_cryptomap_1 and
! outside_cryptomap_2; nothing in the posted configuration references this
! unsuffixed list.
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
! Local-printing list; not referenced by any group policy in the posted
! configuration.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
! Interesting-traffic selectors for the two site-to-site tunnels.
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 object mlhome-network
! NOTE(review): NONAT is defined here but not referenced by any nat statement
! in the posted configuration.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
! Logging is enabled at level "informational" for console, monitor, buffer,
! history and ASDM. As posted there is no "logging host" line, so nothing here
! forwards events to an external syslog collector; the only stored copy is the
! 8000-byte local buffer.
logging enable
logging buffer-size 8000
logging console informational
logging monitor informational
logging buffered informational
logging history informational
logging asdm informational
mtu inside 1500
mtu outside 1500
! Unicast reverse-path check on the outside interface (anti-spoofing).
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
! Identity NAT (NAT exemption): traffic between the inside /24 and the VPN
! client range (192.168.1.192/27) or the two remote-site networks is left
! untranslated.
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static igolomska-network igolomska-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mlhome-network mlhome-network no-proxy-arp route-lookup
! LAN traffic that hairpins through the inside interface toward the CUE and
! VOIP networks is source-translated to the inside interface address.
nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static CUE-network CUE-network
nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static VOIP-network VOIP-network
nat (inside,outside) source static CUE-network CUE-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static VOIP-network VOIP-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
! Default outbound PAT to the outside interface address.
object network obj_any
 nat (inside,outside) dynamic interface
! Object NAT below publishes inside services. Rules with "service tcp" forward
! a single port; exposure of each one also depends on outside_access_in.
object network IIS_https
 nat (inside,outside) static interface service tcp https https
! One-to-one static translation of RBSTORE to B.B.B.C with no port
! restriction, so the ACL is the only thing limiting which ports are reachable.
object network RBSTORE
 nat (any,any) static B.B.B.C
object network IIS_smtp
 nat (any,outside) static interface service tcp smtp smtp
object network SQL_MateuszServer
 nat (any,outside) static interface service tcp 13000 13000
! RDP published on its default port on the outside interface address.
object network VirtualPC-rdp
 nat (inside,outside) static interface service tcp 3389 3389
! Camera port-forwards: real port www (tcp/80) is mapped to 8011-8017 on the
! outside interface address.
! NOTE(review): presumably these are the cameras' web interfaces over
! unencrypted HTTP - confirm whether they need to be reachable from the
! Internet at all, or only through the VPN.
object network KAM_PTZ_http
 nat (any,outside) static interface service tcp www 8011
object network KAM_HALA_PRZOD_http
 nat (any,outside) static interface service tcp www 8012
object network KAM_HALA_CNC_http
 nat (any,outside) static interface service tcp www 8013
object network vCMA_https
 nat (any,any) static B.B.B.B service tcp https https
object network AUTOSAT
 nat (any,outside) static interface service tcp 8112 8112
object network kamarcen1http
 nat (any,outside) static interface service tcp www 8016
object network kamarcen2http
 nat (any,outside) static interface service tcp www 8017
object network kamwaga2http
 nat (any,outside) static interface service tcp www 8015
object network kamwagahttp
 nat (any,outside) static interface service tcp www 8014
! Binds the inbound ACL to the outside interface.
access-group outside_access_in in interface outside
! Default route plus three internal networks reached through an inside router
! (next hops masked as Z.Z.Z.Z / A.A.A.A in the post).
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
route inside 10.1.1.0 255.255.255.0 A.A.A.A 1
route inside 10.1.10.0 255.255.255.0 A.A.A.A 1
route inside 192.168.10.0 255.255.255.0 A.A.A.A 1
! Connection and translation idle timers.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
! RADIUS server group used to authenticate remote-access users; it points at
! the host object BETONOWA-DC on the inside interface. Keys are masked.
aaa-server BETONOWA-DC protocol radius
aaa-server BETONOWA-DC (inside) host BETONOWA-DC
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
! ASDM/HTTPS management is accepted from the whole inside /24.
! NOTE(review): the remote-access pool (192.168.1.200-220) falls inside this
! range and "management-access inside" is set later in this configuration, so
! VPN clients may be able to reach the management interface - confirm and
! narrow the permitted range to admin hosts if so.
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! IKEv1 transform sets: every combination of AES-128/192/256, 3DES and DES
! with SHA and MD5 HMAC, in tunnel mode.
! NOTE(review): single DES and MD5 are legacy algorithms; any set that a crypto
! map offers can be negotiated by a peer, so keep only what the peers require.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! The *-TRANS sets repeat the same algorithms in transport mode, which the
! L2TP/IPsec remote-access connection uses.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
! IKEv2 IPsec proposals; each one accepts both sha-1 and md5 for integrity.
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
! Dynamic map that serves peers without a static entry (the remote-access
! clients). Its offer list ends each mode with a single-DES set.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
! Site-to-site entry 1 (peer masked as 212.91.B.B).
crypto map outside_map 1 match address outside_cryptomap_1
! PFS with DH group 1 (768-bit).
! NOTE(review): group 1 is the weakest DH group this platform offers; raise it
! on both ends if the peer supports a larger group.
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 212.91.B.B
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! NOTE(review): entry 1 lists the IKEv2 proposals weakest first (DES ... AES256)
! while entry 2 lists them strongest first; if list order is the preference
! order, entry 1 prefers DES - confirm and reorder.
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
! Site-to-site entry 2 (peer masked as 84.10.A.A); no PFS line is present.
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 84.10.A.A
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 set ikev2 pre-shared-key *****
! Lowest-priority entry hands unmatched peers to the dynamic map; the whole
! map is then applied to the outside interface.
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
! IKEv2 phase-1 policies 1-40: aes-256 down to des, each with SHA integrity/PRF
! and DH groups 5 and 2.
! NOTE(review): policies 30 and 40 keep 3DES and DES negotiable; drop them if
! no peer needs them.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
! Both IKE versions listen on the outside interface.
crypto ikev2 enable outside
crypto ikev1 enable outside
! IKEv1 phase-1 policies 10-150: three authentication methods (crack, rsa-sig,
! pre-share) for each of five ciphers (aes-256, aes-192, aes, 3des, des).
! Every policy uses hash sha and DH group 2 only, so a peer that proposes any
! other DH group cannot match in phase 1.
! NOTE(review): the tunnel-groups in the posted configuration all use IKEv1
! pre-shared keys; the crack and rsa-sig policies are presumably generated
! defaults - confirm before removing them. The des policies (130-150) keep
! single DES negotiable for phase 1.
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
! Telnet management is accepted from the whole inside /24. Telnet carries
! credentials in clear text, and the remote-access VPN pool lies inside this
! range.
! NOTE(review): as posted there is no "ssh <network> <mask> <interface>" line,
! so SSH does not appear to be permitted from anywhere and Telnet/ASDM are the
! only remote management paths - consider permitting SSH from admin hosts and
! removing the telnet line.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
! SSH key exchange is pinned to Diffie-Hellman group 1 with SHA-1.
ssh key-exchange group dh-group1-sha1
! A value of 0 means console sessions never time out.
console timeout 0
! Lets the inside interface be managed through a VPN tunnel.
management-access inside
! Basic and scanning threat detection; hosts flagged as scanners are shunned
! for 3600 seconds.
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! Dynamic filter (botnet traffic filter) with database updates, enabled on the
! outside interface.
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
ntp server 192.168.1.10 source inside prefer
webvpn
 anyconnect-essentials
! Policy for the L2TP/IPsec remote-access group: only l2tp-ipsec is allowed,
! and split tunnelling sends just the networks in DefaultRAGroup_splitTunnelAcl
! (192.168.1.0/24) through the tunnel. All other client traffic goes straight
! to the client's own Internet connection and is not inspected by this ASA.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.10 8.8.8.8
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value BETONOWA.local
! Site-to-site policies. The first one disables both the idle and the session
! timeout.
group-policy GroupPolicy_212.91.Y.Y internal
group-policy GroupPolicy_212.91.Y.Y attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_84.10.X.X internal
group-policy GroupPolicy_84.10.X.X attributes
 vpn-tunnel-protocol ikev1 ikev2
! NOTE(review): unlike the enable/passwd lines at the top of this
! configuration, this local account's password hash was posted without
! masking. A published hash can be guessed at offline, so treat the password
! as exposed: change it, and mask hashes before sharing a configuration.
username root password FYt1qT0x6RrulpSE encrypted
! Remote-access tunnel group: addresses from VPN_RA_POOL, users authenticated
! against the RADIUS group BETONOWA-DC with MS-CHAPv2, IPsec authenticated with
! one IKEv1 pre-shared key that every client shares.
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_RA_POOL
 authentication-server-group BETONOWA-DC
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
! Site-to-site tunnel groups.
! NOTE(review): the masking is inconsistent - the crypto map peers are written
! 212.91.B.B and 84.10.A.A, the groups here 212.91.Y.Y and 84.10.X.X, and the
! last ipsec-attributes line uses 84.10.A.A. The post therefore cannot show
! whether each tunnel-group name really equals its peer address; verify that
! on the device.
tunnel-group 212.91.Y.Y type ipsec-l2l
tunnel-group 212.91.Y.Y general-attributes
 default-group-policy GroupPolicy_212.91.Y.Y
tunnel-group 212.91.Y.Y ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 84.10.X.X type ipsec-l2l
tunnel-group 84.10.X.X general-attributes
 default-group-policy GroupPolicy_84.10.X.X
tunnel-group 84.10.A.A ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
! Application inspection applied globally to the default inspection traffic.
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
! DNS inspection also feeds the dynamic filter (dynamic-filter-snoop).
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map dynamic-filter-snoop
  inspect icmp
! NOTE(review): global_policy above has no "inspect esmtp" line, so this ESMTP
! map is not referenced anywhere in the posted configuration.
policy-map type inspect esmtp tls-allow
 parameters
  no mask-banner
  allow-tls
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:e67cf29f1b63c6d550ce9333fe3f30d5
: end
! The two lines after ": end" repeat ASDM settings that already appear earlier
! in the listing.
asdm image disk0:/asdm-715-100.bin
no asdm history enable

The solution was the following for one IP!
object network x.x.x.x                      (inside IP)
   host x.x.x.x                                  (inside IP)
   nat (inside,outside) static y.y.y.y     (remote IP)

Similar Messages

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
    The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
    When I send traffic from the 881G client side, I see encrypted packets in show crypto session detail. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
    The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to build this VPN between the ASA5505 and the 881G.
    Can you help me, how can I debug or troubleshoot this problem ?
    I am unable to update software on ASA5505 side.

    Hello,
    Here is what my config looks like:
    ! Phase-2 transform sets defined on the Easy VPN server; the list includes
    ! single-DES and MD5 variants, although the dynamic map below only uses
    ! ESP-3DES-SHA, ESP-AES-128-SHA and ESP-AES-256-SHA.
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    ! Ten dynamic-map entries, each with PFS enabled (no group is named on the
    ! line) and one transform set. Eight of them are identical
    ! (pfs + ESP-3DES-SHA).
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    ! Phase-1 policies, all pre-shared-key. Policy 2 uses DH group 1 and
    ! policy 3 uses single DES.
    ! NOTE(review): both are legacy choices that stay negotiable while the
    ! policies exist; remove them if no client depends on them.
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    ! NOTE(review): the "type" line names HW-CLIENT-GROUPR while every other
    ! line uses HW-CLIENT-GROUP - possibly a typo made when the post was
    ! written; confirm against the device.
    tunnel-group HW-CLIENT-GROUPR type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    ! Group policy for the hardware client: split tunnelling limited to
    ! cisco_splitTunnelAcl, network extension mode (nem) enabled, and
    ! password-storage enabled, which lets the client keep the login password
    ! stored locally.
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable

  • Android 4.4.2 KitKat - Bugs - VPN problem/lockscreen options not working/Walkman Shake not working

    With the new KitKat update (20.1.A.0.47) trying to open VPN from Settings, the Settings app crashes and restarts. Due to that, in Security, the None and Swipe lockscreen options are disabled, leaving PIN, Password, and Pattern the only options. Why is that / is it ever gonna be fixed? 
    Oh and it didn't happen on 4.3... Now, when a music is playing in Walkman, when pressing the Walkman button and shaking the phone as I did on JB will pause the song, as if I didn't shake the phone. On Jelly Bean, this feature worked. This should get fixed too.

    Hi guys, Sony seems to have solved the problem in an update in... India. I only found this and have not tested it yet: http://www.xperiablog.net/2015/05/22/small-update-rolling-for-xperia-e1-20-1-a-2-19-and-e1-dual-20-1-b-2-29/ It solves the lockscreen and VPN problem. Test it and say whether it works or not. I hope they will release a European version soon.

  • VPN problem behind ASA5505 -regular translation creation failed for protocol 50

    Dear All,
    I have to connect from behind my ASA5505 with a VPN client to another site.
    The first time, I got this failure:
    "Deny protocol 50 src inside:192.168.50.X dst  outside:x.x.x.x by access-group "acl_in" [0x0, 0x0]"
    Then I opened, for our inside network (src 192.168.50.0), UDP 500 and 4500, TCP 500, 4500 and 10000, and ESP (dest x.x.x.x, the remote firewall IP).
    access-list acl_in extended permit esp host 192.168.50.0  host x.x.x.x eq isakmp
    access-list acl_in extended permit udp host 192.168.50.0  host x.x.x.x eq 500
    access-list acl_in extended permit eudp host 192.168.50.0  host x.x.x.x eq 4500
    etc.
    After that I could connect to the remote firewall with the VPN client, but I couldn't reach any PCs on their side, and ping gives no answer.
    The "Deny protocol 50" error was solved, but I got another problem:
    "regular translation creation failed for protocol 50 src  inside:192.168.50.X dst outside:x.x.x.x"
    I found somewhere that these lines can help:
    crypto isakmp nat-traversal
    inspect ipsec-pass-thru
    But this wasn't useful.
    I tried many things, but I'm stuck.
    Could somebody tell me what I can do to solve this problem?
    Thanks for all answers!

    The solution was the following for one IP!
    object network x.x.x.x                      (inside IP)
       host x.x.x.x                                  (inside IP)
       nat (inside,outside) static y.y.y.y     (remote IP)

  • ASA5505 - SG300 VPN site2site problem

    Hello,
    I have a problem with a site2site VPN between a SG300 and an ASA5505. On the SG300 we have two internal connected networks, the second one is an alias. The VPN goes up and works correctly for hours or even for days. Then I don't know why, for some reason, the VPN is up but works only for one of the two networks. When the users try to connect I get this error on the ASA:  ASA-7-710006: ESP request discarded from SG300PubblicInterface to outside:ASAPubblicInterface. To solve this problem I have to restart the VPN or make a ping from the ASA's LAN to the SG's LAN that isn't working. We have other VPNs on both firewalls that work correctly. ASA's Software Version is 8.0(3). I saw that I'm not the only one having this problem but nobody found the right answer...

    Hi Vinay,
    As per your below config
    crypto map vpnmap 10 match address vpnfr
    crypto map vpnmap 10 set peer 193.242.9.126
    crypto map vpnmap 10 set transform-set myvpn
    crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
    crypto map vpnmap 30 match address vpnsing
    crypto map vpnmap 30 set peer 203.126.186.226
    crypto map vpnmap 30 set transform-set myvpn2
    crypto map vpnmap 40 match address vpnbl
    crypto map vpnmap 40 set peer 61.8.153.122
    crypto map vpnmap 40 set transform-set myvpn2
    crypto map vpnmap 50 match address vpnde
    crypto map vpnmap 50 set peer 61.8.129.170
    crypto map vpnmap 50 set transform-set myvpn2
    crypto map vpnmap interface outside
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 193.242.9.126
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    vpnmap is your original crypto map; it is applied to the outside interface, which is correct.
    Now, if you have added a new crypto map, say "outside_map", it is not going to work, because only one crypto map can be applied per interface. I don't see any redundant ISP in the config, so I suppose the crypto map
    "outside_map" might be the newly added one. If that is true, please try the config changes below and let me know if it helps.
    =============================================================
    crypto map vpnmap 60 match address outside_1_cryptomap <<<<
    crypto map vpnmap 60 set pfs  <<<<<<<<<<<<<<<<<<<<<<<<<
    crypto map vpnmap 60 set peer 193.242.9.126
    crypto map vpnmap 60 set transform-set ESP-3DES-SHA
    ===============================================================
    Make sure the crypto ACL "outside_1_cryptomap" is mirrored on the remote end and that PFS is also enabled on the remote end.
    Thanks
    Rohan

  • Remote Access VPN Problem with ASA 5505

    After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
    Here is the running cfg of the ASA
    : Saved
    ASA Version 8.4(1)
    hostname NCHCO
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxx encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address **.**.***.*** 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Webserver
    object network FINX
    host 192.168.2.11
    object service rdp
    service tcp source range 1 65535 destination eq 3389
    description rdp
    ! Access lists. outside_nat0_outbound is referenced in this config only as the
    ! network-acl of dynamic-access-policy-record DfltAccessPolicy.
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    ! inside_nat0_outbound is not referenced by any statement visible here
    ! (presumably left over from pre-8.3 NAT exemption - confirm before removing).
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    ! NOTE(review): 0.0.0.0 255.255.255.0 is the network 0.0.0.0/24, not "any".
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    ! Interesting-traffic lists for the site-to-site tunnel: outside_1_cryptomap is
    ! matched by crypto map outside_map 1, outside_1_cryptomap_1 by crypto map vpn-map 1.
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    ! LAN_Access is not referenced by any statement visible here; its second entry
    ! again matches 0.0.0.0/24 rather than every address.
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    ! Split-tunnel list used by group-policy NCHCO: only 192.168.2.0/24 goes through the tunnel.
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    ! AnyConnect_Client_Local_Print is not referenced by any statement visible here.
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    ! Inbound RDP rules. outside_access_in is not bound to an interface in the visible
    ! config; outside_access_in_1 is the list applied inbound on the outside interface.
    ! NOTE(review): both entries permit TCP 3389 to FINX from any source address, so
    ! together with the static PAT on object FINX the RDP service is reachable from
    ! the whole Internet. Restrict the permitted sources or require the VPN for RDP.
    access-list outside_access_in extended permit tcp any object FINX eq 3389
    access-list outside_access_in_1 extended permit object rdp any object FINX
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    ! Identity (no-translation) NAT rules: inside traffic keeps its addresses when the
    ! destination is the remote site 192.168.1.0/24 or 192.168.2.64/27.
    ! The /27 contains the VPN pool VPN_Start-VPN_End (192.168.2.70-.80), which itself
    ! sits inside the inside subnet 192.168.2.0/24.
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    ! NOTE(review): obj-0.0.0.0 is defined as 0.0.0.0 255.255.255.0 (0.0.0.0/24), not "any".
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    ! Dynamic PAT: everything from inside is translated to the outside interface address.
    object network obj_any
    nat (inside,outside) dynamic interface
    ! Static PAT: TCP 3389 on the outside interface address is forwarded to FINX (192.168.2.11).
    ! NOTE(review): the ACL bound below permits this port from any source, which
    ! publishes RDP to the Internet; limit the permitted source addresses or reach
    ! the host over the VPN instead.
    object network FINX
    nat (inside,outside) static interface service tcp 3389 3389
    ! outside_access_in_1 is the only ACL bound to an interface in the visible config.
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    ! ASDM management server: enabled, and allowed from two networks on the inside
    ! interface and from three single hosts on the outside interface.
    ! NOTE(review): management access on the Internet-facing interface is protected
    ! only by these source-address entries and the local account passwords; reaching
    ! ASDM through the VPN and removing the "outside" entries reduces that exposure.
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http **.**.***.*** 255.255.255.255 outside
    http **.**.***.*** 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    http 96.11.251.186 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    ! IKEv1 IPsec transform sets: each names an ESP encryption and an ESP integrity algorithm.
    ! NOTE(review): the sets built on esp-des (single DES) and esp-md5-hmac are legacy
    ! algorithms. SYSTEM_DEFAULT_CRYPTO_MAP lists all ten ESP-* sets, so a dynamic peer
    ! may end up negotiating one of the weak ones; keeping only the AES/SHA sets in
    ! the crypto maps avoids that.
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    ! Transport-mode sets (presumably for L2TP/IPsec clients, going by the names);
    ! vpn-transform and ESP-3DES-SHA have no mode line.
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    ! Dynamic crypto map templates for peers whose address is not known in advance.
    ! NOTE(review): "pfs group1" is Diffie-Hellman group 1 (768-bit), weaker than the
    ! group 2 used by the IKEv1 policies in this config; use a larger group where
    ! both peers support it.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    ! Offers every ESP-* transform set, including the DES and MD5 ones.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    ! outside_map, bound to the outside interface: entry 1 is the site-to-site tunnel
    ! to 74.219.208.50 (3DES/SHA, PFS group1); entries 20 and 65535 accept dynamic peers.
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ! inside_map: the same default dynamic template, bound to the inside interface.
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    ! vpn-map is not bound to any interface in the visible config, so its entries
    ! (and dyn-map) appear to be unused - confirm before cleaning up.
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    ! IKEv1 phase 1 settings. The ASA identifies itself by IP address; IKEv1 is enabled
    ! on both the inside and the outside interface; IPsec-over-TCP listens on port 10000.
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    ! Three phase 1 policies; all use a pre-shared key, DH group 2 and an 86400 s lifetime.
    ! NOTE(review): policy 10 (3DES with MD5) has the lowest number, which the ASA treats
    ! as the highest priority; putting the AES-256/SHA policy first and dropping MD5
    ! would prefer the stronger proposal.
    ! NOTE(review): the VPN Client log on this page shows phase 1 in aggressive mode
    ! (ISAKMP OAK AG). Aggressive mode with a pre-shared key lets an observer test key
    ! guesses offline, so the group key must be long and random; certificate
    ! authentication avoids the problem.
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    ! CLI management access, allowed from 192.168.1.0/24 and NCHCO (192.168.2.0/24)
    ! on the inside interface, with a 5-minute idle timeout for Telnet and SSH.
    ! NOTE(review): Telnet carries the login and enable passwords in clear text. SSH is
    ! already permitted from the same two networks, so the telnet lines can be removed.
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    ! 0 disables the idle timeout: a console session left logged in stays open.
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    ! Group policy for the DefaultRAGroup tunnel group: IKEv1 and L2TP/IPsec only.
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    ! System default policy; other group policies inherit what they do not set themselves.
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    ! NOTE(review): password-storage lets the client save the user's password locally.
    ! The client log on this page shows MODECFG_UNITY_SAVEPWD = 1 being pushed, so the
    ! NCHCO policy presumably inherits it; disable it unless it is really needed.
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    ! Policy for the NCHCO remote-access group: IKEv1 only, split tunnelling restricted
    ! to the networks in NCHCO_splitTunnelAcl_1 (192.168.2.0/24).
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    ! Local user database. admin and 8njferg have privilege 15 (full administrative
    ! access); NCHvpn99 has no privilege level set here.
    ! NOTE(review): the values after "password" are hashes rather than the passwords,
    ! but once a config is posted publicly they should be treated as exposed: change
    ! these passwords and mask the hashes before sharing a config.
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    ! DefaultRAGroup: addresses come from VPN_Pool; authentication and authorization
    ! use the LOCAL user database; realm and group are stripped from the username.
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    ! Pre-shared keys are shown masked (*****) in this output.
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    ! NOTE(review): "nocheck" turns off validation of the peer's identity.
    peer-id-validate nocheck
    ! PPP authentication for DefaultRAGroup: CHAP and MS-CHAPv1 disabled, MS-CHAPv2 enabled.
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    ! NOTE(review): PAP transmits the password itself rather than a challenge response;
    ! remove it unless a client requires it.
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    ! Site-to-site (LAN-to-LAN) tunnel to peer 74.219.208.50, authenticated with a pre-shared key.
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ! NCHCO remote-access group: pool VPN_Pool, group policy NCHCO, group pre-shared key.
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
    : end
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    And here are the logs from the Cisco VPN Client when it browses, then fails to browse, the network behind the ASA:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      09:44:55.677  10/01/13  Sev=Info/6    CERT/0x63600026
    Attempting to find a Certificate using Serial Hash.
    2      09:44:55.677  10/01/13  Sev=Info/6    CERT/0x63600027
    Found a Certificate using Serial Hash.
    3      09:44:55.693  10/01/13  Sev=Info/6    GUI/0x63B00011
    Reloaded the Certificates in all Certificate Stores successfully.
    4      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100002
    Begin connection process
    5      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100004
    Establish secure connection
    6      09:45:02.802  10/01/13  Sev=Info/4    CM/0x63100024
    Attempt connection with server "**.**.***.***"
    7      09:45:02.802  10/01/13  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with **.**.***.***.
    8      09:45:02.818  10/01/13  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    9      09:45:02.865  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
    10     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    11     09:45:02.896  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
    12     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    13     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    14     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    15     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    16     09:45:02.896  10/01/13  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    17     09:45:02.927  10/01/13  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    18     09:45:02.927  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
    19     09:45:02.927  10/01/13  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xDD3B, Remote Port = 0x01F4
    20     09:45:02.927  10/01/13  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end is NOT behind a NAT device
    21     09:45:02.927  10/01/13  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    22     09:45:02.943  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    23     09:45:02.943  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    24     09:45:02.943  10/01/13  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    25     09:45:03.037  10/01/13  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    26     09:45:03.037  10/01/13  Sev=Info/4    CM/0x63100017
    xAuth application returned
    27     09:45:03.037  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    28     09:45:03.037  10/01/13  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    29     09:45:03.037  10/01/13  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    30     09:45:03.083  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    31     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    32     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    33     09:45:03.083  10/01/13  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    34     09:45:03.083  10/01/13  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    35     09:45:03.083  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    36     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    37     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    38     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    39     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    40     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    41     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    42     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    43     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    44     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 192.168.2.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0
    45     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
    46     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
    47     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    48     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
    49     09:45:03.146  10/01/13  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    50     09:45:03.146  10/01/13  Sev=Info/4    CM/0x63100019
    Mode Config data received
    51     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
    52     09:45:03.146  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
    53     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    54     09:45:03.177  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    55     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    56     09:45:03.177  10/01/13  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
    57     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    58     09:45:03.193  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    59     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    60     09:45:03.193  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
    61     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
    62     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
    63     09:45:03.193  10/01/13  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0x3EBEBFC5
    64     09:45:03.193  10/01/13  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
        96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
      96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
      96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
        192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
      192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
          224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
    255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
    65     09:45:03.521  10/01/13  Sev=Info/6    CVPND/0x63400001
    Launch VAInst64 to control IPSec Virtual Adapter
    66     09:45:03.896  10/01/13  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=192.168.2.70/255.255.255.0
        DNS=192.168.2.1,8.8.8.8
        WINS=0.0.0.0,0.0.0.0
        Domain=NCHCO.local
        Split DNS Names=
    67     09:45:03.912  10/01/13  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
        96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
      96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
      96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
        192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
      192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
          224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
          224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      261
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
    255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
    255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      261
    68     09:45:07.912  10/01/13  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    69     09:45:07.912  10/01/13  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       96.11.251.1     96.11.251.149      261
      **.**.***.***   255.255.255.255       96.11.251.1     96.11.251.149      100
        96.11.251.0     255.255.255.0     96.11.251.149     96.11.251.149      261
      96.11.251.149   255.255.255.255     96.11.251.149     96.11.251.149      261
      96.11.251.255   255.255.255.255     96.11.251.149     96.11.251.149      261
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0       192.168.1.3       192.168.1.3      261
        192.168.1.3   255.255.255.255       192.168.1.3       192.168.1.3      261
      192.168.1.255   255.255.255.255       192.168.1.3       192.168.1.3      261
        192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      261
        192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
       192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      261
      192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      261
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     96.11.251.149     96.11.251.149      261
          224.0.0.0         240.0.0.0       192.168.1.3       192.168.1.3      261
          224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      261
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     96.11.251.149     96.11.251.149      261
    255.255.255.255   255.255.255.255       192.168.1.3       192.168.1.3      261
    255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      261
    70     09:45:07.912  10/01/13  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    71     09:45:07.912  10/01/13  Sev=Info/4    CM/0x6310001A
    One secure connection established
    72     09:45:07.943  10/01/13  Sev=Info/4    CM/0x6310003B
    Address watch added for 96.11.251.149.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
    73     09:45:07.943  10/01/13  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.2.70.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
    74     09:45:07.943  10/01/13  Sev=Info/5    CM/0x63100001
    Did not find the Smartcard to watch for removal
    75     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    76     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    77     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x1c4cafaa into key list
    78     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    79     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xc5bfbe3e into key list
    80     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 192.168.2.70
    81     09:45:07.943  10/01/13  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 96.11.251.149. SG: **.**.***.***
    82     09:45:07.943  10/01/13  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    83     09:45:13.459  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
    84     09:45:13.459  10/01/13  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to **.**.***.***, our seq# = 107205276
    85     09:45:13.474  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    86     09:45:13.474  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
    87     09:45:13.474  10/01/13  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
    88     09:45:15.959  10/01/13  Sev=Info/4    IPSEC/0x63700019
    Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
    89     09:46:00.947  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
    90     09:46:00.947  10/01/13  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to **.**.***.***, our seq# = 107205277
    91     09:46:01.529  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    92     09:46:01.529  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
    93     09:46:01.529  10/01/13  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
    94     09:46:11.952  10/01/13  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
    95     09:46:11.952  10/01/13  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to **.**.***.***, our seq# = 107205278
    96     09:46:11.979  10/01/13  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    97     09:46:11.979  10/01/13  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
    98     09:46:11.979  10/01/13  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
    Any help would be appreciated, thanks!

    I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
    Here is the route print output from the computer behind the (test) client:
    ===========================================================================
    Interface List
    21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
    10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
    15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
      1...........................Software Loopback Interface 1
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
    16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      96.11.251.1    96.11.251.149    261
        69.61.228.178  255.255.255.255      96.11.251.1    96.11.251.149    100
          96.11.251.0    255.255.255.0         On-link     96.11.251.149    261
        96.11.251.149  255.255.255.255         On-link     96.11.251.149    261
        96.11.251.255  255.255.255.255         On-link     96.11.251.149    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link       192.168.1.3    261
          192.168.1.3  255.255.255.255         On-link       192.168.1.3    261
        192.168.1.255  255.255.255.255         On-link       192.168.1.3    261
          192.168.2.0    255.255.255.0      192.168.3.1     192.168.3.70    100
          192.168.3.0    255.255.255.0         On-link      192.168.3.70    261
         192.168.3.70  255.255.255.255         On-link      192.168.3.70    261
        192.168.3.255  255.255.255.255         On-link      192.168.3.70    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.3    261
            224.0.0.0        240.0.0.0         On-link     96.11.251.149    261
            224.0.0.0        240.0.0.0         On-link      192.168.3.70    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.3    261
      255.255.255.255  255.255.255.255         On-link     96.11.251.149    261
      255.255.255.255  255.255.255.255         On-link      192.168.3.70    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      96.11.251.1  Default
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination      Gateway
    14   1020 ::/0                     2002:c058:6301::c058:6301
    14   1020 ::/0                     2002:c058:6301::1
      1    306 ::1/128                  On-link
    14   1005 2002::/16                On-link
    14    261 2002:600b:fb95::600b:fb95/128
                                        On-link
    15    261 fe80::/64                On-link
    10    261 fe80::/64                On-link
    21    261 fe80::/64                On-link
    10    261 fe80::64ae:bae7:3dc0:c8c4/128
                                        On-link
    21    261 fe80::e9f7:e24:3147:bd/128
                                        On-link
    15    261 fe80::f116:2dfd:1771:125a/128
                                        On-link
      1    306 ff00::/8                 On-link
    15    261 ff00::/8                 On-link
    10    261 ff00::/8                 On-link
    21    261 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    And here is the updated running config in case you need it:
    : Saved
    ! Running configuration of the firewall named NCHCO (ASA software 8.4(1)), as pasted into the thread.
    ASA Version 8.4(1)
    hostname NCHCO
    ! The enable secret and the login secret (passwd) show the same hash string, so one
    ! password serves both. "encrypted" marks a stored hash, not a redaction: after being
    ! posted publicly, both secrets should be treated as exposed and changed.
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    ! Name aliases: NCHCO is the 192.168.2.0 office LAN; VPN_Start/VPN_End are the two
    ! ends of the VPN_Pool range defined later in this configuration.
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    ! Vlan1 is the trusted inside LAN (security-level 100, 192.168.2.1/24).
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    ! Vlan2 is the untrusted outside interface (security-level 0) holding the public address.
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.61.228.178 255.255.255.248
    ! Ethernet0/0 is the only port placed in VLAN 2 (outside), with speed and duplex fixed.
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    ! Ethernet0/1-0/7 carry no switchport line, so they stay in the default VLAN
    ! (presumably VLAN 1, the inside LAN - confirm on the device).
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    ! Network/service objects referenced by the NAT rules and access lists further down.
    ! NCHCO and obj-192.168.2.0 both describe the same inside subnet, 192.168.2.0/24.
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    ! 192.168.1.0/24 is the remote network named in the site-to-site crypto ACLs.
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    ! 192.168.2.64/27 spans .64-.95 and therefore contains VPN_Pool (.70-.80).
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    ! NOTE(review): mask 255.255.255.0 makes this match only 0.0.0.0-0.0.0.255; if "any
    ! address" was intended the mask would be 0.0.0.0, as in obj_any below - confirm.
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    ! Webserver is declared without any address; it is an empty placeholder here.
    object network Webserver
    ! FINX is the inside host whose RDP port is published to the outside later on.
    object network FINX
    host 192.168.2.11
    ! Service object: TCP from any source port to destination port 3389 (RDP).
    object service rdp
    service tcp source range 1 65535 destination eq 3389
    description rdp 
    ! 192.168.3.0/24 contains VPN_Split_Pool (192.168.3.70-.80).
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    ! outside_nat0_outbound is attached below as the network ACL of the default
    ! dynamic-access-policy record; it is not used by any nat statement in this paste.
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    ! inside_nat0_outbound is not referenced anywhere else in the visible configuration
    ! (the 8.4 NAT exemptions are written as "nat ... source static" rules instead).
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    ! Interesting-traffic ACLs for the site-to-site tunnel: outside_1_cryptomap is matched
    ! by crypto map outside_map 1, outside_1_cryptomap_1 by crypto map vpn-map 1.
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    ! LAN_Access is not referenced elsewhere in the visible configuration.
    ! NOTE(review): "0.0.0.0 255.255.255.0" matches only 0.0.0.0-0.0.0.255 - confirm intent.
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    ! Split-tunnel list used by group-policy NCHCO: only 192.168.2.0/24 goes into the tunnel.
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    ! Local-printing ACL for AnyConnect clients; nothing in the visible configuration refers to it.
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    ! Both lists below allow RDP (TCP 3389) to FINX from ANY source address. Only
    ! outside_access_in_1 is bound to an interface (see the access-group line), so
    ! outside_access_in is unused. Limiting the source to known addresses, or reaching
    ! RDP through the VPN only, would remove the Internet-facing exposure.
    access-list outside_access_in extended permit tcp any object FINX eq 3389
    access-list outside_access_in_1 extended permit object rdp any object FINX
    ! outside_specific_blocks is not bound by any access-group in the visible configuration,
    ! so this deny entry is not being enforced.
    access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
    pager lines 24
    ! Logging is on, but ASDM is the only log destination visible here; no syslog host is
    ! configured in this paste, so events are not kept off-box (confirm if one exists).
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ! VPN_Pool (192.168.2.70-.80) lies inside the inside LAN subnet 192.168.2.0/24;
    ! VPN_Split_Pool uses a separate subnet, 192.168.3.0/24.
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    ! Identity (exemption) NAT rules: inside LAN to the remote 192.168.1.0/24 site, and
    ! anything to 192.168.2.64/27 (the range holding VPN_Pool).
    ! NOTE(review): no exemption is visible for 192.168.3.0/24, the subnet of
    ! VPN_Split_Pool, although obj-192.168.3.0 is defined - confirm whether one is needed.
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    ! Everything else leaving inside is port-translated to the outside interface address.
    object network obj_any
    nat (inside,outside) dynamic interface
    ! Publishes TCP 3389 of FINX (192.168.2.11) on the outside interface address.
    object network FINX
    nat (inside,outside) static interface service tcp 3389 3389
    ! The only ACL bound to an interface: outside_access_in_1, inbound on outside.
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    ! Translation and connection idle timers.
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    ! The default dynamic-access-policy record attaches outside_nat0_outbound as its
    ! network ACL. NOTE(review): that list is named like a NAT-exemption ACL - confirm it
    ! is meant to filter remote-access sessions.
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    ! ASDM/HTTPS management. Besides inside networks, three single outside hosts are
    ! allowed; 69.61.228.178 is the ASA's own outside address. Management reachable from
    ! the Internet side is best limited to what is still needed, or moved behind the VPN.
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 69.61.228.178 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    http 96.11.251.186 255.255.255.255 outside
    ! SNMP traps are enabled, but no snmp-server host is visible in this paste.
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    ! IPsec (phase 2) transform sets. The list includes single-DES and MD5-HMAC
    ! combinations; DES and 3DES are legacy ciphers, and AES with SHA is the stronger
    ! choice among the sets defined here.
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    ! Transport-mode sets (l2tp-transform, TRANS_ESP_3DES_SHA, TRANS_ESP_3DES_MD5).
    ! l2tp-transform is used only by dyn-map; the two TRANS_* sets are not referenced by
    ! any crypto map in the visible configuration.
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    ! Catch-all dynamic map: offers every tunnel-mode set above, including the DES/MD5
    ! ones, to dynamic peers. PFS uses Diffie-Hellman group 1 (768-bit), the weakest group.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    ! outside_map is the crypto map bound to the outside interface: entry 1 is the
    ! site-to-site tunnel to 74.219.208.50, entries 20 and 65535 accept dynamic peers.
    ! NOTE(review): neither dynamic entry on outside_map lists a transport-mode set, which
    ! L2TP/IPsec clients normally negotiate - confirm against the remote-access problem.
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ! A second crypto map accepts dynamic IPsec peers on the inside interface as well.
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    ! vpn-map duplicates the site-to-site entry and carries dyn-map, but no
    ! "crypto map vpn-map interface ..." line is visible, so it is not applied anywhere.
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    ! IKEv1 (phase 1) is enabled on both the inside and the outside interface;
    ! IPsec-over-TCP listens on port 10000.
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    ! Phase 1 policies; a lower number means a higher priority, so the 3DES/MD5 policy
    ! is preferred over the AES-256/SHA one. All three use pre-shared keys and
    ! Diffie-Hellman group 2 (1024-bit).
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    ! Telnet is allowed from two networks on the inside interface; it carries logins and
    ! session data in cleartext, and SSH is already permitted from the same networks.
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ! SSH management: two inside-side networks plus one single host on the outside.
    ! NOTE(review): no "aaa authentication ... console" line is visible in this paste, so
    ! these logins do not appear to be tied to the LOCAL user database - confirm.
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh 96.11.251.186 255.255.255.255 outside
    ssh timeout 5
    ! 0 disables the idle timeout on the serial console.
    console timeout 0
    ! DHCP server settings for the inside LAN. No "dhcpd enable inside" line is visible,
    ! so the server may not actually be running (confirm).
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    ! Group policy for the DefaultRAGroup tunnel group: IKEv1 and L2TP/IPsec only.
    ! It sets no split-tunnel policy of its own, so that is inherited from DfltGrpPolicy,
    ! which does not set one in this paste either (presumably the tunnel-all default).
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    ! System default policy, inherited by other groups for anything they leave unset.
    ! It enables every tunnel protocol, including clientless SSL, and
    ! "password-storage enable" lets clients save the user's password locally.
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Split_Pool
    ! Policy for the NCHCO remote-access group: IKEv1 only, with split tunnelling limited
    ! to the networks in NCHCO_splitTunnelAcl_1 (192.168.2.0/24).
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    ! Local accounts; two of the three hold privilege 15 (full administrative access).
    ! The strings after "password" are stored hashes, not redactions: once posted publicly
    ! they should be treated as exposed and the passwords changed.
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    ! DefaultRAGroup: the tunnel group for remote-access peers that name no group.
    ! Users are authenticated and authorized against the LOCAL database.
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Split_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    ! The pre-shared key is shown masked (*****). "peer-id-validate nocheck" turns off
    ! validation of the peer's identity.
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    ! PPP authentication for L2TP users: CHAP and MS-CHAPv1 disabled, MS-CHAPv2 enabled.
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    ! DefaultWEBVPNGroup also accepts PAP, which passes the password unhashed inside
    ! the PPP session.
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    ! Site-to-site peer 74.219.208.50, authenticated with a pre-shared key.
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ! Named remote-access group NCHCO: addresses from VPN_Split_Pool, policy NCHCO.
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Split_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    ! Application inspection: one class matching the default inspection traffic, with the
    ! inspection engines listed under global_policy applied on all interfaces.
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    ! Call-home profile CiscoTAC-1 is present but switched off ("no active").
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
    : end
    ! ASDM bookkeeping lines that follow the end of the configuration proper.
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    Thanks again for your help,
    Matthew

  • 5505 strange VPN problem: I can only connect if the PC has a WAN IP address

    I have an ASA 5505. If an outside computer has a WAN IP address, it can see the computers on the network. If the computer is behind a router (any router), it connects fine but cannot see any computers on the network. All computers in the VPN are on a 10.1.1.0 network, and the connecting computers are on a 192.168.1.0 network. All subnet masks are 255.255.255.0. Thanks in advance.

    Add the following command to your ASA.
    crypto isakmp nat-traversal
    In ASDM, it would be located as a checkbox "Enable NAT-T" located under config -> vpn -> ipsec -> ipsec rules -> select the dynamic entry -> Tunnel Policy advanced tab -> enable nat-t
    This will allow users behind PAT devices to use NAT-T, which carries the IPsec traffic inside UDP so that it survives port translation, and should solve your problem.
    Please rate if it helps.

  • ASA5505 L2L VPN does not function after move and reconfiguration

    I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendors' security appliances. The one in question, which moved to a new IP address, checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the configuration, followed by the output of some show commands.
    ! Running configuration of the firewall named RitterBars (ASA software 8.4(4)), as posted.
    ! No enable/passwd lines appear in this paste; presumably they were removed before posting.
    ASA Version 8.4(4)
    hostname RitterBars
    ! Name aliases for the three site-to-site peers; the same addresses appear in the
    ! tunnel-group definitions near the end of the configuration.
    names
    name 67.231.37.42 RitterLAB-ASA
    name 67.231.37.45 RitterLAB-LB-WAN1
    name 64.233.131.94 RitterLAB-LB-WAN3
    ! Switch ports: Ethernet0/0 is in VLAN 2 (outside), Ethernet0/1 in VLAN 3
    ! (CoreNetwork); the remaining ports carry no switchport line.
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ! Vlan1 is the trusted inside LAN (security-level 100, 192.168.1.1/24).
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ! Vlan2 is the outside interface; its address and default route come from DHCP
    ! (setroute), which is why no static default route appears further down.
    interface Vlan2
    description Port 7 on 9108
    nameif outside
    security-level 0
    ip address dhcp setroute
    ! Vlan3 (CoreNetwork) has security-level 0, the same as outside, and is barred from
    ! forwarding to Vlan2 by "no forward interface Vlan2".
    interface Vlan3
    no forward interface Vlan2
    nameif CoreNetwork
    security-level 0
    ip address 172.20.10.22 255.255.255.128
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CST recurring
    ! Network objects: the inside LAN (192.168.1.0/24) and the remote networks that the
    ! NAT exemption rules further down refer to.
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.9.0
    subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.85.0
    subnet 192.168.85.0 255.255.255.0
    object network obj-10.200.1.0
    subnet 10.200.1.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    ! Host and service objects used by the static port-forwarding NAT rules. The service
    ! objects match on SOURCE port because those rules are written from the inside host's
    ! point of view (real service first, mapped service second).
    object network obj-192.168.1.2
    host 192.168.1.2
    object service obj-tcp-source-eq-22
    service tcp source eq ssh
    object service obj-tcp-source-eq-5922
    service tcp source eq 5922
    object network obj-192.168.1.10
    host 192.168.1.10
    object service obj-tcp-source-eq-5125
    service tcp source eq 5125
    object service obj-tcp-source-eq-80
    service tcp source eq www
    object network obj-192.168.1.119
    host 192.168.1.119
    object service obj-udp-source-eq-69
    service udp source eq tftp
    object network obj-192.168.1.51
    host 192.168.1.51
    object service obj-tcp-source-eq-443
    service tcp source eq https
    object service obj-tcp-source-eq-5980
    service tcp source eq 5980
    object network obj-192.168.1.114
    host 192.168.1.114
    object network obj-96.43.39.27
    host 96.43.39.27
    ! The poster masked this object's address. NOTE(review): the same object appears
    ! unmasked in the "sh nat" output later in this post; masking only helps when it is
    ! applied to every occurrence.
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object-group network Inside
    network-object 192.168.1.0 255.255.255.0
    ! split-tunnel, no_nat, inat and vnat are not referenced by any other line in the
    ! visible configuration; they look like leftovers from the earlier setup (confirm).
    access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    ! Interesting-traffic ACLs for the two site-to-site tunnels: VPN2LAB is matched by
    ! crypto map samap 1, Barracudalab by crypto map samap 2.
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
    access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
    ! out2in is the ACL bound inbound on the outside interface. Its entries use the real
    ! (inside) addresses and ports of the published hosts.
    access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
    access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
    ! The next entry allows ALL IP from 64.233.128.0/24 to the whole inside subnet, which
    ! makes the six narrower entries above redundant for that source network.
    access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
    ! Entries open to any source: 5125 and www on .10, FTP to the whole inside subnet,
    ! TFTP on .119, https on .51, and all ICMP. These only take effect for hosts that also
    ! have a matching static NAT rule; narrowing them to those hosts and to the ICMP types
    ! actually needed would tighten the list.
    access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp any host 192.168.1.10 eq www
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
    access-list out2in extended permit udp any host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp any host 192.168.1.51 eq https
    access-list out2in extended permit icmp any any
    pager lines 24
    ! Log destinations visible here are the console (alerts) and ASDM (informational);
    ! no syslog host is configured in this paste.
    logging console alerts
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu CoreNetwork 1500
    ! Address pool for remote-access clients, in 192.168.9.0/24.
    ip local pool vpn-pool 192.168.9.10-192.168.9.250
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    ! Manual NAT, evaluated top-down. The first four rules are identity (exemption) rules
    ! that keep inside-LAN traffic untranslated towards the VPN and remote-site networks.
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    ! Port forwards on the outside interface address: 5922 -> .2:22 (SSH), 5125 -> .10:5125,
    ! 80 -> .10:80, UDP 69 -> .119:69 (TFTP), 5980 -> .51:443.
    nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
    nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
    nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
    ! One-to-one static translation of 192.168.1.114 to the public address 96.43.39.27.
    nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
    ! Dynamic PAT: towards one masked host via CoreNetwork, and for everything else via
    ! the outside interface (the last rule sits in the after-auto section).
    nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
    nat (inside,outside) source dynamic Inside interface
    nat (inside,outside) after-auto source dynamic any interface
    ! out2in filters traffic arriving on outside. No access-group is visible for
    ! CoreNetwork, the other security-level 0 interface.
    access-group out2in in interface outside
    route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
    route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
    ! Translation and connection timers. "timeout conn 0:00:00" disables the idle timeout
    ! for connections, so idle entries are not aged out of the connection table.
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    ! SSH logins are checked against the LOCAL user database.
    aaa authentication ssh console LOCAL
    ! ASDM/HTTPS management is limited to the inside LAN.
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    ! SNMP traps are enabled, but no snmp-server host is visible in this paste.
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! IPsec (phase 2) transform sets. Only ESP-AES-256-SHA and ESP-3DES-SHA are used by
    ! the crypto map below; the DES and MD5 sets are defined but unreferenced here.
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    ! Crypto map samap on the outside interface. Entry 1: tunnel to RitterLAB-ASA for the
    ! VPN2LAB networks, AES-256/SHA. Entry 2: tunnel to RitterLAB-LB-WAN1 with
    ! RitterLAB-LB-WAN3 as second peer, for the Barracudalab network, 3DES/SHA.
    ! Neither entry sets PFS.
    crypto map samap 1 match address VPN2LAB
    crypto map samap 1 set peer RitterLAB-ASA
    crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map samap 2 match address Barracudalab
    crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
    crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map samap interface outside
    ! IKEv1 (phase 1) runs on outside only. Both policies use pre-shared keys and
    ! Diffie-Hellman group 2 (1024-bit); policy 10 (AES-256/SHA) has priority over
    ! policy 11 (3DES/SHA).
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 11
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ! Only a telnet timeout is set; no network is permitted to telnet in this paste.
    telnet timeout 5
    ! SSH management from the inside LAN only. The key exchange is pinned to
    ! Diffie-Hellman group 1 (768-bit); a stronger group is preferable where the software
    ! release offers one.
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    ! 0 disables the idle timeout on the serial console.
    console timeout 0
    ! Lets the inside interface address be used for management over a VPN tunnel.
    management-access inside
    ! DHCP server for the inside LAN.
    dhcpd dns 64.233.128.10 64.233.128.11
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.150 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! Two NTP servers reached through outside; no NTP authentication key is configured.
    ntp server 66.187.233.4 source outside
    ntp server 64.99.80.30 source outside
    webvpn       
    ! Two privilege-15 local accounts with names and password hashes masked by the poster.
    ! Both point at group policy WebVPNpolicy, which is not defined anywhere in this paste
    ! (it may have been trimmed - confirm).
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    ! Site-to-site tunnel groups for the three peers, each with a masked pre-shared key.
    tunnel-group 67.231.37.42 type ipsec-l2l
    tunnel-group 67.231.37.42 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 67.231.37.45 type ipsec-l2l
    tunnel-group 67.231.37.45 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 64.233.131.94 type ipsec-l2l
    tunnel-group 64.233.131.94 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    ! Application inspection: one class matching the default inspection traffic, with the
    ! inspection engines listed under global_policy applied on all interfaces.
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect ip-options
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    ! Anonymous call-home reporting is off, and profile CiscoTAC-1 is inactive ("no active").
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
    : end
    RitterBars# sh isa sa
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: 67.231.37.45
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 67.231.37.42
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    RitterBars# sh ipsec sa
    interface: outside
        Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
          access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
          current_peer: 67.231.37.42
          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 6F98A015
          current inbound spi : 6DD466F0
        inbound esp sas:
          spi: 0x6DD466F0 (1842636528)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4374000/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x6F98A015 (1872273429)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4373999/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
          access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
          current_peer: 67.231.37.45
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 51AF17EA
          current inbound spi : 859BC586
        inbound esp sas:
          spi: 0x859BC586 (2241578374)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x51AF17EA (1370429418)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    RitterBars# sh nat int inside
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
        translate_hits = 18, untranslate_hits = 0
    3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static obj-192.168.1.2 interface   service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
        translate_hits = 0, untranslate_hits = 0
    6 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
        translate_hits = 0, untranslate_hits = 9094
    7 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-80 obj-tcp-source-eq-80
        translate_hits = 0, untranslate_hits = 126
    8 (inside) to (outside) source static obj-192.168.1.119 interface   service obj-udp-source-eq-69 obj-udp-source-eq-69
        translate_hits = 0, untranslate_hits = 0
    9 (inside) to (outside) source static obj-192.168.1.51 interface   service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
        translate_hits = 0, untranslate_hits = 195
    10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27 
        translate_hits = 0, untranslate_hits = 0
    11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface   destination static obj-216.163.29.244 obj-216.163.29.244
        translate_hits = 107, untranslate_hits = 0
    12 (inside) to (outside) source dynamic Inside interface 
        translate_hits = 35387, untranslate_hits = 2940
    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface 
        translate_hits = 291, untranslate_hits = 78

    I just recently got the triple play package from verizon with fios too.  And of course the Actiontec is total crap.  The very first night it rebooted over and over again.  What good is an internet connection you can't use right... Anyways, I have a cisco 831 that i use for a VPN to work, and so, I decided to put that up front.
    Anyway, I had the same problem.  First I set up my router to bridge the connection from the Actiontec to my router.  So it goes Broadband Moca -> Actiontec LAN -(eth cable)-> Cisco WAN port.  This worked great, except now my VOD didn't work.  So then I found this article....
    http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
    It was genius, add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local Moca.    And then put DHCP relay on the bridge.  Everything worked again, hooray.  then I added an access list, and there went my vod again. 
    So then I spent about two hours turning ports on and off and such, finally I figured it out.  You'll need to allow inbound established tcp connections that internal hosts create.  This will get back your guide and allow the vod menu to work again.  then you have to allow inbound connections on udp port 21310.  I applied it and lo and behold vod is back.  Now my only problem is that the 831 only has a 10 Mb/s ethernet WAN, so I can't get HD VOD but ah well.  I'll upgrade one of these days to an 851 or 871.
    Here's what the access lists should look like in IOS:
    permit tcp any host (your external IP address) established
    permit udp any host (your external IP address) eq 21310
    It is probably going to be a little bit different since you have an ASA, but I think you get the idea.

  • Cisco jabber for mac over fortigate vpn problem

    Hi all,
    We have installed Cisco Jabber for Mac successfully. The Jabber client is able to register locally.
    Calling and other features are working properly. Jabber IM is also working fine.
    But when we try over VPN it shows the error "services are missing". All the ports are open on the FortiGate firewall.

    If you have detailed diagnostics from the Jabber Mac client, this would provide some more context to why it's displaying those errors.  (Help > Detailed Logging enabled) (Help > Report a problem)
    Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in.  If Jabber cannot resolve the DNS name, it will not know where to connect to.
    If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer.

  • Site-To_Site VPN problem

    Hello everyone
    I'm installing a new site-to-site VPN connection between two sites, having problems bringing the tunnel online.
    We have two ASA 5505 firewalls - one at our Central site, and another for our customer at the Remote site.
    I wiped both firewalls with write erase, installed the latest IOS version 9.2 on both firewalls.
    I'm not sure if the new IOS is causing the problem, we have several site-to-site vpn’s all working with IOS 8.4 5
    I'm enclosing the configs for both ASA firewalls for you to review and see if I missed something or what's changed in the IOS that maybe causing our tunnel issue.
    Thank you 

    Central site
    packet-tracer input inside tcp 10.10.1.100 12345 10.4.1.1$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 10.4.1.100/80 to 10.4.1.100/80
    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
    Additional Information:
    Static translate 10.10.1.100/12345 to 10.10.1.100/12345
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
    Additional Information:
    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 817, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    Remote site
    packet-tracer input inside tcp 10.4.1.100 12345 10.10.1.1$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static net-remote net-remote
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 10.10.1.100/80 to 10.10.1.100/80
    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static net-remote net-remote
    Additional Information:
    Static translate 10.4.1.100/12345 to 10.4.1.100/12345
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static net-remote net-remote
    Additional Information:
    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 774, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    After running the command we see both firewalls have the same pre shared key

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
    IP scheme at SIte A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Cisco 2801 Router
    Current configuration : 11858 bytes
    ! Site A router (IOS 12.4): global services, AAA method lists and DHCP pools.
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    ! NOTE(review): service password-encryption only produces type 7 strings, which are a
    ! reversible encoding rather than a hash. Every "7 ..." value in this listing should be
    ! treated as disclosed.
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    ! Login list "userauthen" tries RADIUS first and falls back to the local user database;
    ! it is referenced by the IISVPNClient ISAKMP profile further down.
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ! NOTE(review): IP source routing is left enabled. Unless something depends on it,
    ! "no ip source-route" is the usual hardening choice on an Internet-facing router.
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ! Data LAN pool (172.19.3.128/25); option 66 hands clients a TFTP server address.
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ! Voice VLAN pool (172.19.10.0/24).
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ! CBAC inspection rule set SDM_LOW. It is applied with "ip inspect SDM_LOW in" on the
    ! FastEthernet0/0 interfaces and "ip inspect SDM_LOW out" on the three WAN interfaces below.
    ! NOTE(review): the list includes legacy protocols (cuseeme, netshow, realaudio, rcmd,
    ! streamworks, vdolive); trim it to what is actually in use if this template is reused.
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ! Name resolution, key chain, self-signed PKI trustpoint and the local admin account.
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       ! NOTE(review): type 7 key-string posted as-is; type 7 is reversible, so rotate this key.
       key-string 7 06040033484B1B484557
    ! NOTE(review): the trustpoint, subject-name and rsakeypair names below do not match each
    ! other; presumably the poster edited them by hand before posting. Confirm on the device.
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    ! Certificate body is truncated in the post.
    certificate self-signed 01
      3082024F
                quit
    ! NOTE(review): privilege-15 account stored with "password 7" (reversible). Prefer
    ! "username ... secret" so the credential is stored as a hash.
    username admin privilege 15 password 7 F55
    archive
    log config
      ! hidekeys keeps passwords out of the configuration change log.
      hidekeys
    ! IKE phase 1 policy: 3DES / MD5 / pre-shared key / DH group 2. The ASA at site B uses the
    ! same set in its "crypto isakmp policy 20", so the proposals match.
    ! NOTE(review): 3DES, MD5 and DH group 2 are legacy choices. If both platforms support it,
    ! plan a move to AES, a SHA-2 hash and a larger DH group, changing both peers together.
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    ! Pre-shared keys per peer; the key values and the site B address were replaced with
    ! placeholders by the poster.
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    ! Remote-access client group. Clients get addresses from VPN_Pool and the split-tunnel
    ! networks from ACL 198.
    crypto isakmp client configuration group IISVPN
    ! NOTE(review): this group key appears in clear text in a public post and should be rotated.
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    ! Phase 2 transform; matches the ASA's ESP-3DES-MD5 transform-set.
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    ! Site-to-site entry. Interesting traffic is ACL 101.
    ! NOTE(review): ACL 101 in this listing has no entry towards site B's LAN
    ! (172.19.5.64/26 per the ASA config), so no traffic for site B would trigger this tunnel.
    ! 209.118.0.1 is presumably the severed hosting-provider peer mentioned in the post - confirm.
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    ! Catch-all dynamic entry for remote-access clients.
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    ! Object tracking for the primary default route (ip sla 1 is defined further down).
    track 123 ip sla 1 reachability
    delay down 15 up 10
    ! QoS classification: voice protocols plus ACL "VOIP", and RDP via ACL 199.
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    ! Child policy: bandwidth guarantees per class.
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    ! Parent policy: shapes all traffic, then applies the child policy inside the shaped rate.
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    ! Inside LAN interface: ACL 100 filters traffic entering from the LAN, CBAC inspects it.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ! Voice VLAN subinterface. NOTE(review): no access-group is applied here, unlike the
    ! data LAN interface above.
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    ! WAN 1 (address replaced with a placeholder by the poster). ACL 102 filters inbound
    ! traffic and the crypto map is attached.
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    ! WAN 2. NOTE(review): this is the only WAN interface with unicast RPF enabled; the
    ! other two rely on ACL 102 alone for anti-spoofing.
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    ! WAN 3.
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ! Address pool for remote-access VPN clients (referenced by client group IISVPN).
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ! Primary default route is withdrawn when track 123 goes down; the second default
    ! route has administrative distance 254 and acts as the backup.
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    ! The HTTP and HTTPS management servers are both disabled.
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ! PAT per egress interface. Each route-map matches ACL 110, so ACL 110 decides which
    ! traffic is translated and which (the VPN-bound traffic it denies) is left untouched.
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ! NOTE(review): publishes FTP control (tcp/21) on 172.19.3.140 to the Internet. FTP is
    ! clear text; confirm this is still required.
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ! Reachability probe that drives track 123.
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    ! ACL 23: source networks allowed to reach the vty lines (applied with access-class 23 in).
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    ! ACL 100: applied inbound on the inside LAN interface.
    ! NOTE(review): entries are evaluated top-down, first match wins. "permit ip any any"
    ! makes the FTP entry after it unreachable, and because nothing denies SMTP the
    ! per-host SMTP permits above it do not restrict outbound mail. If the intent was to
    ! limit SMTP to those hosts, a "deny tcp any any eq smtp" is missing - confirm intent.
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    ! ACL 101: crypto ACL for "crypto map VPN 10".
    ! NOTE(review): there is no entry for site B's LAN (172.19.5.64/26), so traffic to site B
    ! is never selected for encryption. The "any any" FTP entries also cannot be mirrored
    ! sensibly on the peer; crypto ACLs should list specific local/remote subnets only.
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    ! ACL 102: applied inbound on all three WAN interfaces. The first entries admit
    ! IKE (udp/500), NAT-T (udp/4500), ESP and AH to the router's own addresses.
    ! NOTE(review): 152.179.53.18 here versus 152.000.000.18 on Serial0/1/0.1 suggests the
    ! address was redacted in only one of the two places.
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    ! NOTE(review): these two entries admit all IP from the listed external ranges. The
    ! post says the old hosting-provider links were severed; remove them if they belong to it.
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    ! Anti-spoofing: drop packets arriving from outside with the inside LAN as source.
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    ! NOTE(review): "permit icmp any any" makes the three specific ICMP entries before it
    ! redundant and admits every ICMP type from the Internet.
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    ! NOTE(review): everything after this deny is unreachable. In addition, the SITE B
    ! entries name site B's address as the destination, whereas inbound IKE/ESP from
    ! site B arrives with site B as the source and this router's address as the destination.
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    ! ACL 110: matched by the NAT route-maps. Denied flows bypass NAT (VPN traffic),
    ! permitted flows are translated.
    ! NOTE(review): no deny exists for 172.19.3.128/25 -> 172.19.5.64/26, so traffic to
    ! site B would be translated before the crypto map sees it.
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    ! ACL 198: split-tunnel networks pushed to IISVPN remote-access clients.
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    ! ACL 199: RDP (tcp/3389), used only by the RDP QoS class-map.
    access-list 199 permit tcp any any eq 3389
    ! Route-maps used by the NAT statements: ACL 110 plus the egress interface.
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    ! NOTE(review): SNMP v1/v2c community "123" is short, is posted publicly, and has no
    ! ACL attached. Change it and bind it to an ACL of known pollers, or move to SNMPv3.
    snmp-server community 123 RO
    ! RADIUS shared secret stored as type 7 (reversible); the value looks redacted.
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    ! NOTE(review): both vty ranges accept Telnet (clear text) as well as SSH and place the
    ! session at privilege level 15 straight after login. ACL 23 limits the sources, but
    ! it includes external ranges; restrict to "transport input ssh" where possible.
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ! NOTE(review): NTP servers are configured without authentication.
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ! Site B firewall (ASA 8.2(5)): identity, switch ports and the two VLAN interfaces.
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    ! NOTE(review): the enable and login passwords carry the same encrypted value, and it is
    ! posted unredacted. Change both and use distinct passwords.
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ! Inside LAN: 172.19.5.64/26.
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    ! Outside (address replaced with a placeholder by the poster).
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    ! Object-groups. Both carry the same placeholder name inserted by the poster (the real
    ! names were removed), so which group each ACL line refers to cannot be told from here.
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    ! ACL 100: NAT exemption list (used by "nat (inside) 0 access-list 100"). It already
    ! covers site A's LAN, 172.19.3.128/25.
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    ! ACL 10: inbound on the outside interface (access-group 10 in interface outside).
    ! NOTE(review): the bogon denies cover 172.16.0.0/16 only and omit the remainder of
    ! 172.16.0.0/12 as well as 10.0.0.0/8 and 192.168.0.0/16 - confirm whether that is intended.
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    ! NOTE(review): the final "permit icmp any any" makes the specific ICMP entries before
    ! it redundant and admits every ICMP type.
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    ! NOTE(review): RDP is admitted from the (reportedly decommissioned) provider ranges and
    ! HTTP/HTTPS from anywhere to any destination. Scope each to a specific host, or remove
    ! it if nothing is published.
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    ! ACL 110: crypto ACL for "crypto map VPNMAP 10".
    ! NOTE(review): it selects traffic to 172.19.3.0/25, but site A's LAN is 172.19.3.128/25
    ! (router Fa0/0 is 172.19.3.129 255.255.255.128), so traffic to site A is never
    ! encrypted. It must mirror the router's crypto ACL exactly.
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    ! Logging, MTU, anti-spoofing, IP audit and ICMP-to-the-box rules.
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    ! NOTE(review): "logging trap debugging" sets the syslog level, but no "logging host"
    ! appears in this listing, so nothing may actually be exported - confirm.
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ! Unicast RPF on both interfaces.
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ! Signatures 2000, 2001, 2004 and 2005 are disabled.
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    ! ICMP to the firewall's own outside address; rules are matched in order.
    ! NOTE(review): "icmp permit any outside" sits in the middle of the list, so the
    ! per-network permits after it and the closing "icmp deny any outside" never take effect.
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    ! Pre-8.3 NAT: PAT everything from inside to the outside interface address, except
    ! flows matched by ACL 100 (NAT exemption for VPN traffic).
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ! NOTE(review): ASDM/HTTPS management is allowed from two external ranges on the outside
    ! interface. No "http server enable" line appears in the listing, so whether the service
    ! is running cannot be told from here; remove these if the ranges belong to the old provider.
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    ! NOTE(review): most SNMP hosts are reached via the outside interface, which sends
    ! v1/v2c community strings across the Internet in clear text. Prune the list to
    ! current pollers and prefer polling over the VPN or SNMPv3.
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Phase 2: 3DES/MD5 transform, matching the router's "myset".
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! Site-to-site crypto map entry; interesting traffic is ACL 110.
    ! NOTE(review): the peer list was replaced with placeholders by the poster. On the
    ! device it must contain site A's public address, with a matching tunnel-group below.
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    ! Phase 1: pre-shared key / 3DES / MD5 / DH group 2, matching the router's policy 10.
    ! NOTE(review): legacy algorithms; upgrade both peers together when the platforms allow.
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    ! NOTE(review): Telnet is clear text. As far as I know the ASA only accepts Telnet on
    ! its lowest-security interface when it arrives inside an IPsec tunnel, so the outside
    ! entry presumably relies on the VPN - confirm, and prefer SSH.
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ! NOTE(review): SSH management is open to any source address on the outside interface;
    ! restrict it to known administrative networks.
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    ! NOTE(review): console sessions never time out.
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    ! One LAN-to-LAN tunnel-group per peer; names must equal the peer IP addresses used in
    ! the crypto map (shown here as placeholders).
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    ! Default application inspection policy, applied globally.
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    ! Smart Call Home: anonymous reporting is off and the CiscoTAC-1 profile is inactive.
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    ! NOTE(review): wildcard 0.0.0.65 is not the inverse of 255.255.255.192. The ASA side
    ! uses 172.19.5.64 255.255.255.192, whose inverse is 0.0.0.63 (as used in the
    ! ACL 110 line below). Crypto ACLs must mirror each other exactly or phase 2 fails.
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    on the router I have also added;
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my acl :
    ! ACL 110 is matched by the NAT route-maps: denied flows bypass NAT, permitted flows
    ! are translated. Entries are evaluated top-down and the first match wins.
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    ! NOTE(review): this new deny was appended after "permit ip 172.19.3.128 0.0.0.127 any",
    ! so it is never reached and traffic to site B is still translated before the crypto
    ! map sees it. It has to sit with the other deny lines, above the permits.
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping to the other site.

  • VPN Problem: Can't route to other network clients

    Hi,
    I can't ping the other clients on the network when I'm connected to VPN from outside.
    But accessing the internet through the VPN works (all traffic is sent through the VPN).
    So in fact, I can only ping the VPN server I'm connected to.
    Maybe someone here has an idea what I'm doing wrong here.
    Here is my setup:
    internet
    I
    I
    Airport Extreme (internal IP 192.168.3.1, Router with NAT Port forwarding to 192.168.3.3)
    I
    I
    Switch----macMini (192.168.3.3, OS X Server 10.4.10 with VPN, DHCP, DNS, NAT enabled)
    l
    l
    Other Clients on the Network (Clients have DNS entry 192.168.3.3 192.168.3.1, Router is 192.168.3.1)
    The services DHCP, DNS working well for internal clients.
    Has someone an idea?
    Thanks a lot.
    Alex
    Message was edited by: Syndrome

    First, ping is ICMP traffic, different from other kinds of (eg, TCP) traffic like AFP.
    See http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/productstechnote09186a00800a6057.shtml
    traceroute also uses some ICMP traffic but might also be using UDP, see
    http://en.wikipedia.org/wiki/Traceroute
    http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
    However, in testing, I can indeed ping the server, when I connect to a remote Mac OS X Server via the Mac OS X supplied vpn. But there is no AP Extreme in the path. So the two big factors are: limitations and/or configuration of the AP, and firewall settings for each/any machine involved.
    The Airport Extreme is really quite limited, compared to any more full-featured routing device - in terms of just how granular you can be with controlling traffic flow.
    (As a total aside, I'd recommend investing in something like a Zyxel Zywall 2 Plus (or similar or better) and running the AP in bridge mode for wireless clients.)
    When you've connected via VPN, please run
    netstat -rn to see what your default gateway is, that's actually being used.
    Finally, what led you to try these tests ? What other problems are you having, what primary issue(s) are you trying to solve ?

  • VPN PROBLEM CISCO ASA 5505

        Hello,  I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
         I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
         Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
         The running-config it created is:
    ciscoasa# sh run
    : Saved
    ! Running configuration posted for review: inside network 172.16.0.0/16, outside
    ! link via PPPoE, and one IKEv1 remote-access tunnel group ("test") whose clients
    ! get addresses from 10.0.0.0/24 with split tunnelling. Per the post it was produced
    ! by the ASDM VPN wizard after a factory reset.
    ASA Version 8.4(2)
    hostname ciscoasa
    ! Password hashes on the next two lines were masked (XXXX) by the poster.
    enable password XXXX encrypted
    passwd XXXX encrypted
    names
    ! Ethernet0/0 is the only port assigned to VLAN 2 (outside).
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ! inside: security-level 100, 172.16.1.254/16.
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.1.254 255.255.0.0
    ! outside: security-level 0; address and default route come from the PPPoE session.
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ADSL_Telefonica
    ip address pppoe setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_172.16.0.0_16
    subnet 172.16.0.0 255.255.0.0
    ! Split-tunnel list (referenced by group-policy test): clients send only traffic
    ! for 172.16.0.0/16 into the tunnel.
    access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ! Address pool handed to remote-access clients (used by tunnel-group test).
    ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    ! Identity NAT (NAT exemption) between inside 172.16.0.0/16 and the VPN pool
    ! 10.0.0.0/24, so that traffic is not translated by the dynamic PAT rule below.
    nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
    ! Dynamic PAT of all other inside traffic to the outside interface address.
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ! Only SSH logins are tied to the LOCAL user database here; no matching aaa line
    ! for telnet or http is present in this configuration.
    aaa authentication ssh console LOCAL
    ! ASDM/HTTPS management is enabled and reachable from the whole inside /16.
    http server enable
    http 172.16.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    ! IPsec (phase 2) transform sets.
    ! NOTE(review): the list includes single-DES and MD5-HMAC sets, and the dynamic map
    ! below offers all ten, so a client that proposes only DES/MD5 would be accepted.
    ! Trimming the map to the AES/SHA sets is the safer configuration once the clients
    ! in use are confirmed to support them.
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    ! NOTE(review): PFS is set to DH group 1 (768-bit MODP), the weakest group; a
    ! larger group is preferable where the client supports it.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    ! The dynamic map is the only crypto map entry and is bound to the outside interface.
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    ! Single IKEv1 (phase 1) policy: pre-shared key, 3DES, SHA, DH group 2 (1024-bit),
    ! 86400 s lifetime.
    ! NOTE(review): these are legacy parameters; presumably chosen for compatibility
    ! with the Cisco VPN client 5.x named in the post - confirm before tightening.
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ! NOTE(review): telnet management is permitted from the inside /16 alongside SSH.
    ! Telnet carries credentials in cleartext; SSH alone is the safer choice.
    telnet 172.16.0.0 255.255.0.0 inside
    telnet timeout 55
    ssh 172.16.0.0 255.255.0.0 inside
    ssh timeout 55
    ! console timeout 0: a console session is never logged out for inactivity.
    console timeout 0
    ! PPPoE dial-out to the ISP using PAP; the password is shown masked.
    vpdn group ADSL_Telefonica request dialout pppoe
    vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
    vpdn group ADSL_Telefonica ppp authentication pap
    vpdn username adslppp@telefonicanetpa password *****
    ! DHCP server for inside clients, range 172.16.2.2-172.16.2.129.
    dhcpd auto_config outside
    dhcpd address 172.16.2.2-172.16.2.129 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    ! Group policy for the remote-access clients: DNS server 172.16.1.1, IKEv1 only,
    ! split tunnelling limited to test_splitTunnelAcl.
    group-policy test internal
    group-policy test attributes
    dns-server value 172.16.1.1
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value test_splitTunnelAcl
    ! Local users; "test" has privilege 0 and is bound to group policy test.
    username test password XXXXXX encrypted privilege 0
    username test attributes
    vpn-group-policy test
    username ignacio password XXXXXXX encrypted
    ! Remote-access tunnel group: addresses from pool test, group policy test, and a
    ! group pre-shared key (displayed masked as *****).
    tunnel-group test type remote-access
    tunnel-group test general-attributes
    address-pool test
    default-group-policy test
    tunnel-group test ipsec-attributes
    ikev1 pre-shared-key *****
    ! Global inspection policy; the list includes "inspect icmp".
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
    : end
    Thank you very much for your help

    Yes, it was a VPN client problem. I was testing with a WWAN card, and it seems it is not compatible with Windows 7.
    • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
    I should have read Release Notes before. Thank you very much for your help and effort.

  • VPN problems..  Cant connect due to tunneling issues.

    I can't log into my company intranet using my VPN. Other people at my company have no problem using their Macs, but I can't seem to get in.
    I get this error:
    Network Connect cannot establish a secure session.  Network Connect cannot start the tunneling service. See the Log Viewer for more information.
    Here are the logs; if anyone knows what they mean and can help, it would be great.
    2011-05-26 17:06:06.204 ncproxyd-admintool[13313] config.info Removing key "ncproxyd_saved_routes" from the persistent store (config.cpp:273)
    2011-05-26 17:06:06.204 ncproxyd-admintool[13313] NCAdminHelper.info removing ncproxyd_saved_routes (NCAdminHelper.cpp:1020)
    2011-05-26 17:06:06.204 ncproxyd-admintool[13313] NCAdminHelper.warn restore_dns_configuration: failed to rename /etc/hosts.bak to /etc/hosts: No such file or directory (NCAdminHelper.cpp:810)
    2011-05-26 17:06:06.214 Network Connect[13291] DSIPC.para Recevied message bytes:  (186) <0><0><0><ba><81>$<9b><dd>&\<11><18><b><4><e0><cd>$<f4><da>2<e3>H<a1><95><df><a 5><7f><17>><9><9f>b<cd>I4<ae><ea>v<fe><81><a6><dd>D<7f><aa>~|G<b6>mV$<a>'u<f0>=< a>Nil<d5>r~n<92><6>=A<e7>#<c5><da>A<9f>O<c3>p<82>E<d><e8><e6>b<fb><15>-<f5><9d>< e9><fa><5><e6>1<f5><9a><fb><a8><d9>m<e7>PmZ<a6><98>I<ee>MP<7f><d1><92><12><9f>30 <dd>|<eb> <b4>X<aa><ce>o<88>l[b<2><d8>6<b7>.K<ba><9c><97><96><7f>]<b3>J<83><eb>.<c><b5><< a><a>eH<a2><b9><12><99><9c><bb><eb>D<bd>|0&<ab>k<fc>`<13><af>6<9d><cf>(T<9d><8d> <e5><fe>7<8f>r<fb> (ipc.cpp:727)
    2011-06-02 13:50:52.231 ../../webserver/:093 [        Thread-9]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:50:52.980 ../../webserver/:100 [        Thread-9]     [RuntimeExec] Process ID = java.lang.UNIXProcess@4d8f9b75
    2011-06-02 13:50:54.012 ../../webserver/:141 [        Thread-9]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:50:54.013 ../../webserver/:166 [        Thread-9]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@4d8f9b75] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
    DSAppControlThre:000 (06/02 13:50:54.013)[        Thread-9] Checking to see if the application is already running
    2011-06-02 13:50:54.013 ../../webserver/:093 [        Thread-9]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xaco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:50:54.041 ../../webserver/:100 [        Thread-9]     [RuntimeExec] Process ID = java.lang.UNIXProcess@10d4f27
    2011-06-02 13:50:54.214 ../../webserver/:141 [        Thread-9]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:50:54.216 ../../webserver/:166 [        Thread-9]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@10d4f27] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
    DSAppControlThre:000 (06/02 13:50:54.216)[        Thread-9] The application is NOT already running
    NCAppInstallImpl:000 (06/02 13:50:54.216)[        Thread-9] Attempting to launch the application (mode 1)
    NCAppInstallImpl:000 (06/02 13:50:54.219)[        Thread-9] Running this command: /Applications/Network Connect.app/Contents/MacOS/Network Connect -NCLaunchType 1 -AppleLanguages ( en )
    NCAppInstallImpl:000 (06/02 13:50:54.283)[        Thread-9] Pushing parameter [ProductVersion=14619] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.285)[        Thread-9] Pushing parameter [SystemVersion=6.4.0] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.285)[        Thread-9] Pushing parameter [action=install] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.285)[        Thread-9] Pushing parameter [autolaunch=1] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.285)[        Thread-9] Pushing parameter [cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.285)[        Thread-9] Pushing parameter [dns-suffix=adt.com] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.286)[        Thread-9] Pushing parameter [enable_logging=1] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.286)[        Thread-9] Pushing parameter [enable_logupload=1] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.286)[        Thread-9] Pushing parameter [internal-proxy-config=no] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.286)[        Thread-9] Pushing parameter [ivehost=go.adt.com] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.286)[        Thread-9] Pushing parameter [launch_url=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [linux_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [linux_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [locale=en] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [mac_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [mac_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.287)[        Thread-9] Pushing parameter [ncp_read_timeout=120] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.288)[        Thread-9] Pushing parameter [redir_url=/dana/home/index.cgi] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.288)[        Thread-9] Pushing parameter [redir_win=Please_Wait7819] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.288)[        Thread-9] Pushing parameter [signin_url=/] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.288)[        Thread-9] Pushing parameter [switch-dns-search-order=enabled] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.288)[        Thread-9] Pushing parameter [uninstall_on_quit=0] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [upgradeMode=2] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [win_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [win_skip_start_script=0] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [win_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [=null] to the app
    NCAppInstallImpl:000 (06/02 13:50:54.289)[        Thread-9] Pushing parameter [cookies=<hidden>] to the app
    DSAppControlThre:000 (06/02 13:50:54.290)[        Thread-9] Checking to see if the application is already running
    2011-06-02 13:50:54.290 ../../webserver/:093 [        Thread-9]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:50:54.324 ../../webserver/:100 [        Thread-9]     [RuntimeExec] Process ID = java.lang.UNIXProcess@56b61c3
    2011-06-02 13:50:54.330 ../../webserver/:045 [       Thread-15]     [RuntimeExec] Result [22538]
    2011-06-02 13:50:54.332 ../../webserver/:141 [        Thread-9]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:50:54.333 ../../webserver/:166 [        Thread-9]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@56b61c3] outputStream=[22538] statusStream=[empty -null status stream-]
    NCAppController.:000 (06/02 13:50:54.333)[        Thread-9] Starting quit sequence...
    NCAppController.:000 (06/02 13:50:54.333)[        Thread-9] Cleaning up
    NCAppController.:000 (06/02 13:50:54.333)[        Thread-9] doQuit trying to load /dana/home/index.cgi
    NCAppController.:000 (06/02 13:50:54.333)[        Thread-9] Loading https://go.adt.com/dana/home/index.cgi in current window
    NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] Entering NCAppController.init() on Thu Jun 02 13:51:16 PDT 2011
    NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] New NCAppController session release [6.4.0]
    NCAppController.:000 (06/02 13:51:16.724)[applet-NCAppController.class] Build number [14619]
    NCAppController.:000 (06/02 13:51:16.766)[applet-NCAppController.class] This host needs a i386 binary
    NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param ProductVersion=14619
    NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param SystemVersion=6.4.0
    NCAppController.:000 (06/02 13:51:16.833)[applet-NCAppController.class] Param action=install
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param autolaunch=0
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param dns-suffix=adt.com
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param enable_logging=1
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param enable_logupload=1
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param internal-proxy-config=no
    NCAppController.:000 (06/02 13:51:16.834)[applet-NCAppController.class] Param ivehost=go.adt.com
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param launch_url=
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param linux_end_script=
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param linux_start_script=
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param locale=en
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param mac_end_script=
    NCAppController.:000 (06/02 13:51:16.835)[applet-NCAppController.class] Param mac_start_script=
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param ncp_read_timeout=120
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param redir_url=/dana/home/starter.cgi?startpageonly=1
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param redir_win=Please_Wait7819
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param signin_url=/
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param switch-dns-search-order=enabled
    NCAppController.:000 (06/02 13:51:16.836)[applet-NCAppController.class] Param uninstall_on_quit=0
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param upgradeMode=2
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_end_script=
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_skip_start_script=0
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param win_start_script=
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param =null
    NCAppController.:000 (06/02 13:51:16.837)[applet-NCAppController.class] Param cookies=<hidden>
    DSAppControlThre:000 (06/02 13:51:16.841)[       Thread-21] Beginning install...
    NCAppInstallImpl:000 (06/02 13:51:16.841)[       Thread-21] Checking installed version
    NCAppInstallImpl:000 (06/02 13:51:16.911)[       Thread-21] Version on disk is 14619
    NCAppInstallImpl:000 (06/02 13:51:16.911)[       Thread-21] This version is 14619
    NCAppInstallImpl:000 (06/02 13:51:16.911)[       Thread-21] Checking if correct locale is installed
    DSAppControlThre:000 (06/02 13:51:16.912)[       Thread-21] Checking to see if the application is already running
    2011-06-02 13:51:10.387 Network Connect[22538] NCController.info -applicationDidFinishLaunching: Network Connect 6.4.0 (14619)/Version 10.6.6 (Build 10J567) starting (NCController.m:98)
    2011-06-02 13:51:10.721 Network Connect[22538] NCController.info -applicationDidFinishLaunching: launched from applet/application launcher (launchType: 1), waiting for parameters (NCController.m:133)
    2011-06-02 13:51:10.762 Network Connect[22538] DSIPCConnection.info -_clearIPCBuffer: Clearing the IPC buffer (DSIPCConnection.mm:526)
    2011-06-02 13:51:11.386 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter internal-proxy-config = "no" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received internal-proxy-config = no (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ivehost = "go.adt.com" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.info -ipc:appletSetIVEParameter:: applet says to connect to go.adt.com. (NCController+NCIPC.m:13)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received ivehost = go.adt.com (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter launch_url = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received launch_url =  (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received linux_end_script =  (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received linux_start_script =  (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter locale = "en" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received locale = en (NCController.m:1297)
    2011-06-02 13:51:11.387 Network Connect[22538] NCController.info -loginWindowController:setClientParameter:value: saving locale preference (
        en
    ) as AppleLanguages for use on next launch. (NCController.m:1324)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received mac_end_script =  (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled  for NCScriptLauncherPostDisconnectEventIdentifier (NCScriptLauncher.m:35)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received mac_start_script =  (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled  for NCScriptLauncherPostConnectEventIdentifier (NCScriptLauncher.m:35)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ncp_read_timeout = "120" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received ncp_read_timeout = 120 (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_url = "/dana/home/index.cgi" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received redir_url = /dana/home/index.cgi (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_win = "Please_Wait7819" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received redir_win = Please_Wait7819 (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter signin_url = "/" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received signin_url = / (NCController.m:1297)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter switch-dns-search-order = "enabled" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.388 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received switch-dns-search-order = enabled (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter uninstall_on_quit = "0" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received uninstall_on_quit = 0 (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter upgradeMode = "2" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received upgradeMode = 2 (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_end_script =  (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_skip_start_script = "0" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_skip_start_script = 0 (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received win_start_script =  (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -ipc:appletSetIVEParameter:: received applet parameter cookies = "DSLastAccess=1307047821; DSFirstAccess=1307047819; DSID=bff2f274c3d8f863f7e631151c7a9bd3; DSSignInURL=/" (NCController+NCIPC.m:10)
    2011-06-02 13:51:11.389 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSLastAccess = 1307047821 (NCController.m:1297)
    2011-06-02 13:51:11.389 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSLastAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:51:11.389 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSLastAccess cookie! (DSSessionContext.m:68)
    2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSLastAccess cookie (DSSessionContext.m:148)
    2011-06-02 13:51:11.814 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSFirstAccess = 1307047819 (NCController.m:1297)
    2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSFirstAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:51:11.814 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSFirstAccess cookie! (DSSessionContext.m:68)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSFirstAccess cookie (DSSessionContext.m:148)
    2011-06-02 13:51:11.887 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSID = bff2f274c3d8f863f7e631151c7a9bd3 (NCController.m:1297)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSID, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSID cookie! (DSSessionContext.m:68)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSID cookie (DSSessionContext.m:148)
    2011-06-02 13:51:11.887 Network Connect[22538] NCController.para -loginWindowController:setClientParameter:value: received DSSignInURL = / (NCController.m:1297)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSSignInURL, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -cookie: Didn't find DSSignInURL cookie! (DSSessionContext.m:68)
    2011-06-02 13:51:11.887 Network Connect[22538] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSSignInURL cookie (DSSessionContext.m:148)
    2011-06-02 13:51:12.393 Network Connect[22538] DSLoginWindowController.info -windowDidLoad setting user-agent to Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/6533.20.25 (KHTML, like Gecko) Network Connect (like Safari)/14619 (DSLoginWindowController.m:105)
    2011-06-02 13:51:14.343 Network Connect[22538] DSLoginWindowController.info -showWindowWithWebLogin No proxy to resolve.. (DSLoginWindowController.m:824)
    2011-06-02 13:51:14.343 Network Connect[22538] NCController.info -enterResolvingProxiesStateWithOldState: reconfiguring and resolving proxies (NCController+NCStateChanges.m:112)
    2011-06-02 13:51:14.344 Network Connect[22538] NCController.info -reconfigure Reconfiguring on en1 (NCController.m:824)
    2011-06-02 13:51:14.789 Network Connect[22538] DSHTTPSProxyResolver.info -resolveProxiesInBackground No HTTPS proxy (DSHTTPSProxyResolver.m:378)
    2011-06-02 13:51:15.227 Network Connect[22538] nc.mac.app.1200.error <DSError 0x2a04f0 domain=nc.mac.app code=1200 "Network Connect can't launch service" userInfo={
        DSErrorClassName = NCController;
        DSErrorLocalizedAlertText = "Network Connect cannot start the tunneling service. See the Log Viewer for more information.";
        DSErrorLocalizedAlertTitle = "Network Connect cannot establish a secure session.";
        DSErrorLocalizedFirstButtonTitle = Cancel;
        DSErrorLocalizedSecondButtonTitle = DSOptions;
        DSErrorMethodName = "enterWaitingOnServiceStateWithOldState:";
        DSErrorStackBackTrace =     (
            "atos not installed: hex trace: 0x11007e97  0x110088d5  0x105f8  0x3fd6  0x12008469  0x12008d6c  0x3fd6  0x1201914d  0xf7e0  0x9867cedd  0x9867ce48  0x986b9698  0x11016b46  0x11006148  0x110063ba  0x11017f4e  0x96cb5588  0x9865e793  0x9865e19a  0x96caa384  0x96d82038  0x986424cb  0x9863ff8f  0x9863f464  0x9863f291  0x92884004  0x92883cf7  0x92883c40  0x96f5b78d  0x96f5afce  0x96f1d247  0x96f152d9  0xde2a  0x2656  0x2571  0x5"
        path = "/usr/local/juniper/nc/6.4.0/ncproxyd";
        reason = "working directory doesn't exist.";
    } (NCController+NCStateChanges.m:160)>
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info ifconfig -a: lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet6 ::1 prefixlen 128
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet 127.0.0.1 netmask 0xff000000
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info stf0: flags=0<> mtu 1280
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           ether d4:9a:20:ec:fe:36
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           media: autoselect
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           status: inactive
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           ether 34:15:9e:8d:11:36
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet6 fe80::3615:9eff:fe8d:1136%en1 prefixlen 64 scopeid 0x5
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           inet6 ::3615:9eff:fe8d:1136 prefixlen 64 autoconf
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           media: autoselect
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info           status: active
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info netstat -rnf inet: -a: Routing tables
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info Internet:
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info Destination        Gateway            Flags        Refs      Use   Netif Expire
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info default            192.168.1.254      UGSc           28        0     en1
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 127                127.0.0.1          UCS             0        0     lo0
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 127.0.0.1          127.0.0.1          UH              0      958     lo0
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 169.254            link#5             UCS             0        0     en1
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1          link#5             UCS             6        0     en1
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.64       0:1b:63:f3:64:4f   UHLWI           0        0     en1    239
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.65       127.0.0.1          UHS             0      703     lo0
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.70       24:ab:81:fd:8:46   UHLWI           0        0     en1    100
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.74       0:1b:63:c8:71:2    UHLWI           1      627     en1    548
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.254      0:1b:5b:6e:35:a1   UHLWI          39      226     en1   1199
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info 192.168.1.255      link#5             UHLWbI          2       85     en1
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info resolv.conf: #
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info # Mac OS X Notice
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info # This file is not used by the host name and address resolution
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info # or the DNS query routing mechanisms used by most processes on
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info # this Mac OS X system.
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info # This file is automatically generated.
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info #
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info domain gateway.2wire.net
    2011-06-02 13:51:15.294 Network Connect[22538] diag.info nameserver 192.168.1.254
    2011-06-02 13:51:16.912 ../../webserver/:093 [       Thread-21]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:51:16.964 ../../webserver/:100 [       Thread-21]     [RuntimeExec] Process ID = java.lang.UNIXProcess@cc7f9e
    2011-06-02 13:51:16.970 ../../webserver/:045 [       Thread-23]     [RuntimeExec] Result [22538]
    2011-06-02 13:51:16.972 ../../webserver/:141 [       Thread-21]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:51:16.972 ../../webserver/:166 [       Thread-21]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@cc7f9e] outputStream=[22538] statusStream=[empty -null status stream-]
    DSAppControlThre:000 (06/02 13:51:16.973)[       Thread-21] The application is already running with PID 22538
    NCAppController.:000 (06/02 13:51:18.775)[       Thread-21] Starting quit sequence...
    NCAppController.:000 (06/02 13:51:18.776)[       Thread-21] Cleaning up
    NCAppController.:000 (06/02 13:51:18.777)[       Thread-21] doQuit trying to load /dana/home/starter.cgi?startpageonly=1
    NCAppController.:000 (06/02 13:51:18.777)[       Thread-21] Loading https://go.adt.com/dana/home/starter.cgi?startpageonly=1 in current window
    NCAppController.:000 (06/02 13:58:03.266)[applet-NCAppController.class] Entering NCAppController.init() on Thu Jun 02 13:58:03 PDT 2011
    NCAppController.:000 (06/02 13:58:03.311)[applet-NCAppController.class] New NCAppController session release [6.4.0]
    NCAppController.:000 (06/02 13:58:03.311)[applet-NCAppController.class] Build number [14619]
    NCAppController.:000 (06/02 13:58:03.387)[applet-NCAppController.class] This host needs a i386 binary
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param ProductVersion=14619
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param SystemVersion=6.4.0
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param action=install
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param autolaunch=0
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6
    NCAppController.:000 (06/02 13:58:03.452)[applet-NCAppController.class] Param dns-suffix=adt.com
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param enable_logging=1
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param enable_logupload=1
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param internal-proxy-config=no
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param ivehost=go.adt.com
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param launch_url=
    NCAppController.:000 (06/02 13:58:03.453)[applet-NCAppController.class] Param linux_end_script=
    NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param linux_start_script=
    NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param locale=en
    NCAppController.:000 (06/02 13:58:03.496)[applet-NCAppController.class] Param mac_end_script=
    NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param mac_start_script=
    NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param ncp_read_timeout=120
    NCAppController.:000 (06/02 13:58:03.497)[applet-NCAppController.class] Param redir_url=/dana/home/starter.cgi?startpageonly=1
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param redir_win=Please_Wait7819
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param signin_url=/
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param switch-dns-search-order=enabled
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param uninstall_on_quit=0
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param upgradeMode=2
    NCAppController.:000 (06/02 13:58:03.498)[applet-NCAppController.class] Param win_end_script=
    NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param win_skip_start_script=0
    NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param win_start_script=
    NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param =null
    NCAppController.:000 (06/02 13:58:03.499)[applet-NCAppController.class] Param cookies=<hidden>
    DSAppControlThre:000 (06/02 13:58:03.505)[       Thread-29] Beginning install...
    NCAppInstallImpl:000 (06/02 13:58:03.505)[       Thread-29] Checking installed version
    NCAppInstallImpl:000 (06/02 13:58:03.534)[       Thread-29] Version on disk is 14619
    NCAppInstallImpl:000 (06/02 13:58:03.534)[       Thread-29] This version is 14619
    NCAppInstallImpl:000 (06/02 13:58:03.534)[       Thread-29] Checking if correct locale is installed
    DSAppControlThre:000 (06/02 13:58:03.570)[       Thread-29] Checking to see if the application is already running
    2011-06-02 13:51:38.496 Network Connect[22538] NCProxyMonitor.warn -quit quitting ncproxyd (0) (NCProxyMonitor.mm:132)
    2011-06-02 13:51:38.496 Network Connect[22538] DSIPCConnection.warn -enqueueMessageWithName:types: IPC message nc_quit sent while _writeFileHandle == nil (DSIPCConnection.mm:455)
    2011-06-02 13:51:38.531 Network Connect[22538] NCAdminFunctions.info calling ncproxyd to restore system configuration. (NCAdminFunctions.mm:111)
    2011-06-02 13:51:38.779 Network Connect[22538] http_connection.para Starting a timed connect with SSL session 0x2bdd30, proxy 0:0, and timeout 30 (http_connection.cpp:175)
    2011-06-02 13:51:38.779 Network Connect[22538] http_connection.para Entering state_start_connection (http_connection.cpp:285)
    2011-06-02 13:51:38.806 ncproxyd-admintool[22557] DSIPC.para Recevied message bytes:  (52) <0><0><0>4<a1><4><85><d8>/X<16>>1<1c><ff><c7>:<f4><db>2<e4>c<bc><82><c9><8f>`<1 a>M<14><fa>.<f><a>2<c0><8c><1f><99><87><fc><d7>Ud<ab>u<10><7><96>w<1f><fc> (ipc.cpp:727)
    2011-06-02 13:51:38.846 Network Connect[22538] http_connection.para Entering state_continue_connection (http_connection.cpp:302)
    2011-06-02 13:51:38.846 ncproxyd-admintool[22557] NCAdminHelper.info looking for ncproxyd in 63 processes (NCAdminHelper.cpp:1131)
    2011-06-02 13:51:38.847 Network Connect[22538] http_connection.para Entering state_ssl_connect (http_connection.cpp:471)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 0.0.0.0/0.0.0.0 gw 192.168.1.254 metric 1 via 0x00000000 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 127.0.0.0/255.0.0.0 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 127.0.0.1/255.255.255.255 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 169.254.0.0/255.255.0.0 gw 0.0.0.0 metric 1 via 0x00000005 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 192.168.1.0/255.255.255.0 gw 0.0.0.0 metric 1 via 0x00000005 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] rmon.info got system route 192.168.1.65/255.255.255.255 gw 127.0.0.1 metric 1 via 0x00000000 (routemon.cpp:572)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] ncproxyd.info No added routes to delete (ncproxyd.cpp:242)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] config.info Removing key "ncproxyd_added_routes" from the persistent store (config.cpp:273)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] NCAdminHelper.info removing ncproxyd_added_routes (NCAdminHelper.cpp:1020)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] ncproxyd.info No routes to restore (ncproxyd.cpp:251)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] config.info Removing key "ncproxyd_saved_routes" from the persistent store (config.cpp:273)
    2011-06-02 13:51:38.847 ncproxyd-admintool[22557] NCAdminHelper.info removing ncproxyd_saved_routes (NCAdminHelper.cpp:1020)
    2011-06-02 13:51:38.848 ncproxyd-admintool[22557] NCAdminHelper.warn restore_dns_configuration: failed to rename /etc/hosts.bak to /etc/hosts: No such file or directory (NCAdminHelper.cpp:810)
    2011-06-02 13:51:38.917 Network Connect[22538] DSIPC.para Recevied message bytes:  (186) <0><0><0><ba><81>$<9b><dd>&\<11><18><b><4><e0><cd>$<f4><da>2<e3>H<a1><95><df><a 5><7f><17>><9><9f><12>|<c9>4<ae><ea>v<fe><81><a6><dd>D<7f><aa>~|G<b6>mV$<a>'u<f0 >=<a>Nil<d5>r~n<92><6>=A<e7>#<c5><da>A<9f>O<c3>p<82>E<d><e8><e6>b<fb><15>-<f5><9 d><e9><fa><5><e6>1<f5><9a><fb><a8><d9>m<e7>PmZ<a6><98>I<ee>MP<7f><d1><92><12><9f >30 <dd>|<eb> <b4>X<aa><ce>o<88>l[b<2><d8>6<b7>.K<ba><9c><97><96><7f>]<b3>J<83><eb>.<c><b5><< a><a>eH<a2><b9><12><99><9c><bb><eb>D<bd>|0&<ab>k<fc>`<13><af>6<9d><cf>(T<9d><8d> <e5><fe>7<8f>r<fb> (ipc.cpp:727)
    2011-06-02 13:58:03.569 ../../webserver/:093 [       Thread-29]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:58:03.607 ../../webserver/:100 [       Thread-29]     [RuntimeExec] Process ID = java.lang.UNIXProcess@2af6a882
    2011-06-02 13:58:03.679 ../../webserver/:141 [       Thread-29]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:58:03.680 ../../webserver/:166 [       Thread-29]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@2af6a882] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
    DSAppControlThre:000 (06/02 13:58:03.681)[       Thread-29] Checking to see if the application is already running
    2011-06-02 13:58:03.680 ../../webserver/:093 [       Thread-29]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xaco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:58:03.720 ../../webserver/:100 [       Thread-29]     [RuntimeExec] Process ID = java.lang.UNIXProcess@6a25b72a
    2011-06-02 13:58:03.736 ../../webserver/:141 [       Thread-29]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:58:03.737 ../../webserver/:166 [       Thread-29]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@6a25b72a] outputStream=[empty -null output stream-] statusStream=[empty -null status stream-]
    DSAppControlThre:000 (06/02 13:58:03.738)[       Thread-29] The application is NOT already running
    NCAppInstallImpl:000 (06/02 13:58:03.740)[       Thread-29] Attempting to launch the application (mode 1)
    NCAppInstallImpl:000 (06/02 13:58:03.741)[       Thread-29] Running this command: /Applications/Network Connect.app/Contents/MacOS/Network Connect -NCLaunchType 1 -AppleLanguages ( en )
    NCAppInstallImpl:000 (06/02 13:58:03.809)[       Thread-29] Pushing parameter [ProductVersion=14619] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.810)[       Thread-29] Pushing parameter [SystemVersion=6.4.0] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.866)[       Thread-29] Pushing parameter [action=install] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.866)[       Thread-29] Pushing parameter [autolaunch=0] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.867)[       Thread-29] Pushing parameter [cert_md5=d0ba5f2839b732e6972d55ea9e6c40e6] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.867)[       Thread-29] Pushing parameter [dns-suffix=adt.com] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.867)[       Thread-29] Pushing parameter [enable_logging=1] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [enable_logupload=1] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [internal-proxy-config=no] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [ivehost=go.adt.com] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [launch_url=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [linux_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.868)[       Thread-29] Pushing parameter [linux_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [locale=en] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [mac_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [mac_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [ncp_read_timeout=120] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [redir_url=/dana/home/starter.cgi?startpageonly=1] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.869)[       Thread-29] Pushing parameter [redir_win=Please_Wait7819] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [signin_url=/] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [switch-dns-search-order=enabled] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [uninstall_on_quit=0] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [upgradeMode=2] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [win_end_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.870)[       Thread-29] Pushing parameter [win_skip_start_script=0] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.871)[       Thread-29] Pushing parameter [win_start_script=] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.871)[       Thread-29] Pushing parameter [=null] to the app
    NCAppInstallImpl:000 (06/02 13:58:03.871)[       Thread-29] Pushing parameter [cookies=<hidden>] to the app
    DSAppControlThre:000 (06/02 13:58:03.871)[       Thread-29] Checking to see if the application is already running
    2011-06-02 13:58:03.871 ../../webserver/:093 [       Thread-29]     [RuntimeExec] Executing ["/bin/sh" "-c" "ps xco 'state,pid,command' | awk '/^[^zZ].+[N]etwork Connect/ { print $2 }'" ]...
    2011-06-02 13:58:03.916 ../../webserver/:100 [       Thread-29]     [RuntimeExec] Process ID = java.lang.UNIXProcess@6dabbec4
    2011-06-02 13:58:03.920 ../../webserver/:045 [       Thread-35]     [RuntimeExec] Result [22587]
    2011-06-02 13:58:03.921 ../../webserver/:141 [       Thread-29]     [RuntimeExec] ExitValue of waitFor() = 0
    2011-06-02 13:58:03.921 ../../webserver/:166 [       Thread-29]     [RuntimeExec] ... done executing [/bin/sh] waitFor()=[java.lang.UNIXProcess@6dabbec4] outputStream=[22587] statusStream=[empty -null status stream-]
    NCAppController.:000 (06/02 13:58:03.922)[       Thread-29] Starting quit sequence...
    NCAppController.:000 (06/02 13:58:03.922)[       Thread-29] Cleaning up
    NCAppController.:000 (06/02 13:58:03.923)[       Thread-29] doQuit trying to load /dana/home/starter.cgi?startpageonly=1
    NCAppController.:000 (06/02 13:58:03.923)[       Thread-29] Loading https://go.adt.com/dana/home/starter.cgi?startpageonly=1 in current window
    2011-06-02 13:58:08.899 Network Connect[22587] NCController.info -applicationDidFinishLaunching: Network Connect 6.4.0 (14619)/Version 10.6.6 (Build 10J567) starting (NCController.m:98)
    2011-06-02 13:58:09.111 Network Connect[22587] NCController.info -applicationDidFinishLaunching: launched from applet/application launcher (launchType: 1), waiting for parameters (NCController.m:133)
    2011-06-02 13:58:09.113 Network Connect[22587] DSIPCConnection.info -_clearIPCBuffer: Clearing the IPC buffer (DSIPCConnection.mm:526)
    2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSFirstAccess cookie (DSSessionContext.m:148)
    2011-06-02 13:58:09.154 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSID = bff2f274c3d8f863f7e631151c7a9bd3 (NCController.m:1297)
    2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSID, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSID cookie! (DSSessionContext.m:68)
    2011-06-02 13:58:09.154 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSID cookie (DSSessionContext.m:148)
    2011-06-02 13:58:09.155 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSSignInURL = / (NCController.m:1297)
    2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSSignInURL, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSSignInURL cookie! (DSSessionContext.m:68)
    2011-06-02 13:58:09.155 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSSignInURL cookie (DSSessionContext.m:148)
    2011-06-02 13:58:09.174 Network Connect[22587] DSLoginWindowController.info -windowDidLoad setting user-agent to Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/6533.20.25 (KHTML, like Gecko) Network Connect (like Safari)/14619 (DSLoginWindowController.m:105)
    2011-06-02 13:58:09.387 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter internal-proxy-config = "no" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.391 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received internal-proxy-config = no (NCController.m:1297)
    2011-06-02 13:58:09.392 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ivehost = "go.adt.com" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.392 Network Connect[22587] NCController.info -ipc:appletSetIVEParameter:: applet says to connect to go.adt.com. (NCController+NCIPC.m:13)
    2011-06-02 13:58:09.393 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received ivehost = go.adt.com (NCController.m:1297)
    2011-06-02 13:58:09.393 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter launch_url = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.394 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received launch_url =  (NCController.m:1297)
    2011-06-02 13:58:09.394 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.395 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received linux_end_script =  (NCController.m:1297)
    2011-06-02 13:58:09.395 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter linux_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received linux_start_script =  (NCController.m:1297)
    2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter locale = "en" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.396 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received locale = en (NCController.m:1297)
    2011-06-02 13:58:09.397 Network Connect[22587] NCController.info -loginWindowController:setClientParameter:value: saving locale preference (
        en
    ) as AppleLanguages for use on next launch. (NCController.m:1324)
    2011-06-02 13:58:09.398 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.399 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received mac_end_script =  (NCController.m:1297)
    2011-06-02 13:58:09.399 Network Connect[22587] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled  for NCScriptLauncherPostDisconnectEventIdentifier (NCScriptLauncher.m:35)
    2011-06-02 13:58:09.400 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter mac_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.400 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received mac_start_script =  (NCController.m:1297)
    2011-06-02 13:58:09.400 Network Connect[22587] NCScriptLauncher.info -scheduleScriptAtPath:forEventIdentifier: scheduled  for NCScriptLauncherPostConnectEventIdentifier (NCScriptLauncher.m:35)
    2011-06-02 13:58:09.401 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter ncp_read_timeout = "120" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.401 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received ncp_read_timeout = 120 (NCController.m:1297)
    2011-06-02 13:58:09.402 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_url = "/dana/home/starter.cgi?startpageonly=1" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.402 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received redir_url = /dana/home/starter.cgi?startpageonly=1 (NCController.m:1297)
    2011-06-02 13:58:09.403 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter redir_win = "Please_Wait7819" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.403 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received redir_win = Please_Wait7819 (NCController.m:1297)
    2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter signin_url = "/" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received signin_url = / (NCController.m:1297)
    2011-06-02 13:58:09.404 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter switch-dns-search-order = "enabled" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.405 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received switch-dns-search-order = enabled (NCController.m:1297)
    2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter uninstall_on_quit = "0" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received uninstall_on_quit = 0 (NCController.m:1297)
    2011-06-02 13:58:09.406 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter upgradeMode = "2" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.407 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received upgradeMode = 2 (NCController.m:1297)
    2011-06-02 13:58:09.407 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_end_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_end_script =  (NCController.m:1297)
    2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_skip_start_script = "0" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.408 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_skip_start_script = 0 (NCController.m:1297)
    2011-06-02 13:58:09.409 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter win_start_script = "" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.409 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received win_start_script =  (NCController.m:1297)
    2011-06-02 13:58:09.410 Network Connect[22587] NCController.para -ipc:appletSetIVEParameter:: received applet parameter cookies = "DSLastAccess=1307048282; DSFirstAccess=1307047819; DSID=bff2f274c3d8f863f7e631151c7a9bd3; DSSignInURL=/" (NCController+NCIPC.m:10)
    2011-06-02 13:58:09.410 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSLastAccess = 1307048282 (NCController.m:1297)
    2011-06-02 13:58:09.411 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSLastAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:58:09.411 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSLastAccess cookie! (DSSessionContext.m:68)
    2011-06-02 13:58:09.748 Network Connect[22587] DSLoginWindowController.info -showWindowWithWebLogin No proxy to resolve.. (DSLoginWindowController.m:824)
    2011-06-02 13:58:09.748 Network Connect[22587] NCController.info -enterResolvingProxiesStateWithOldState: reconfiguring and resolving proxies (NCController+NCStateChanges.m:112)
    2011-06-02 13:58:09.748 Network Connect[22587] NCController.info -reconfigure Reconfiguring on en1 (NCController.m:824)
    2011-06-02 13:58:09.788 Network Connect[22587] DSHTTPSProxyResolver.info -resolveProxiesInBackground No HTTPS proxy (DSHTTPSProxyResolver.m:378)
    2011-06-02 13:58:09.841 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Creating a new DSLastAccess cookie (DSSessionContext.m:148)
    2011-06-02 13:58:09.842 Network Connect[22587] NCController.para -loginWindowController:setClientParameter:value: received DSFirstAccess = 1307047819 (NCController.m:1297)
    2011-06-02 13:58:09.843 Network Connect[22587] DSSessionContext.info -addCookieWithName:domain:value: Adding cookie with name DSFirstAccess, domain go.adt.com, and value <hidden> (DSSessionContext.m:81)
    2011-06-02 13:58:09.843 Network Connect[22587] DSSessionContext.info -cookie: Didn't find DSFirstAccess cookie! (DSSessionContext.m:68)
    2011-06-02 13:58:09.847 Network Connect[22587] nc.mac.app.1200.error <DSError 0x28bf20 domain=nc.mac.app code=1200 "Network Connect can't launch service" userInfo={
        DSErrorClassName = NCController;
        DSErrorLocalizedAlertText = "Network Connect cannot start the tunneling service. See the Log Viewer for more information.";
        DSErrorLocalizedAlertTitle = "Network Connect cannot establish a secure session.";
        DSErrorLocalizedFirstButtonTitle = Cancel;
        DSErrorLocalizedSecondButtonTitle = DSOptions;
        DSErrorMethodName = "enterWaitingOnServiceStateWithOldState:";
        DSErrorStackBackTrace =     (
            "atos not installed: hex trace: 0x11007e97  0x110088d5  0x105f8  0x3fd6  0x12008469  0x12008d6c  0x3fd6  0x1201914d  0xf7e0  0x9867cedd  0x9867ce48  0x986b9698  0x11016b46  0x11006148  0x110063ba  0x11017f4e  0x96cb5588  0x9865e793  0x9865e19a  0x96caa384  0x96d82038  0x986424cb  0x9863ff8f  0x9863f464  0x9863f291  0x92884004  0x92883cf7  0x92883c40  0x96f5b78d  0x96f5afce  0x96f1d247  0x96f152d9  0xde2a  0x2656  0x2571  0x5"
        path = "/usr/local/juniper/nc/6.4.0/ncproxyd";
        reason = "working directory doesn't exist.";
    } (NCController+NCStateChanges.m:160)>
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info ifconfig -a: lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet6 ::1 prefixlen 128
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet 127.0.0.1 netmask 0xff000000
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info stf0: flags=0<> mtu 1280
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           ether d4:9a:20:ec:fe:36
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           media: autoselect
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           status: inactive
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           ether 34:15:9e:8d:11:36
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet6 fe80::3615:9eff:fe8d:1136%en1 prefixlen 64 scopeid 0x5
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           inet6 ::3615:9eff:fe8d:1136 prefixlen 64 autoconf
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           media: autoselect
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info           status: active
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info netstat -rnf inet: -a: Routing tables
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info Internet:
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info Destination        Gateway            Flags        Refs      Use   Netif Expire
    2011-06-02 13:58:09.895 Network Connect[22587] diag.info default            192.168.1.254      UGSc           15        0     en1

    rtdolfan13 I have the same problem with my new mac Mac OS X (10.6.7). My other mac worked fine. I work for the same company as you also.. please let me know if you found a solution and I will do the same. Our "help desk" does not know anything about macs which makes no sense to me. We have 4 mac users in our office and we can not log on with the VPN.. kinda frustrating.
    hope we can resolve this soon!

  • Vpn problem of win 8.1

    Hi....
    windows 8.1 64 bit
    my problem is that the Check Point VPN configuration is complete,
    but I cannot access the VPN.
    The message shows " Server is not responding or  cannot to be reached "

    Hi,
    Any VPN error code? The error message indicates that the VPN client cannot reach the server. This can happen if the VPN server is not properly connected to the network, the network is temporarily down, or if the server or network is overloaded with traffic.
    The error also occurs if the VPN client has incorrect configuration settings, so please eliminate the network connection issue and configuration issue.  
    Meanwhile, make sure the firewall and anti-virus program are not blocking the connection; you can temporarily disable them as a test, then re-enable them once the test is done.
    We can also refer to this link for troubleshooting
    http://windows.microsoft.com/en-hk/windows7/why-am-i-having-problems-with-my-vpn-connection
    Yolanda Zhu
    TechNet Community Support
