ASA5505 - SG300 VPN site2site problem

Hello,
I have a problem with a site2site VPN between an SG300 and an ASA5505. On the SG300 we have two internal connected networks; the second one is an alias. The VPN goes up and works correctly for hours or even for days. Then, I don't know why, for some reason the VPN is up but works only for one of the two networks. When the users try to connect I get this error on the ASA: ASA-7-710006: ESP request discarded from SG300PubblicInterface to outside:ASAPubblicInterface. To solve this problem I have to restart the VPN or ping from the ASA's LAN to the SG's LAN that isn't working. We have other VPNs on both firewalls that work correctly. The ASA's software version is 8.0(3). I saw that I'm not the only one having this problem, but nobody has found the right answer...

Hi Vinay,
As per your config below:
crypto map vpnmap 10 match address vpnfr
crypto map vpnmap 10 set peer 193.242.9.126
crypto map vpnmap 10 set transform-set myvpn
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap 30 match address vpnsing
crypto map vpnmap 30 set peer 203.126.186.226
crypto map vpnmap 30 set transform-set myvpn2
crypto map vpnmap 40 match address vpnbl
crypto map vpnmap 40 set peer 61.8.153.122
crypto map vpnmap 40 set transform-set myvpn2
crypto map vpnmap 50 match address vpnde
crypto map vpnmap 50 set peer 61.8.129.170
crypto map vpnmap 50 set transform-set myvpn2
crypto map vpnmap interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 193.242.9.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
vpnmap is your original crypto map; if this is the crypto map that is applied to the outside interface, that is correct.
Now, if you have added a new crypto map, say "outside_map", it's not going to work, as we can only apply one crypto map per interface. I don't see any redundant ISP in the config, so I suppose the crypto map
"outside_map" might be the newly added crypto map. If that is true, please try the config changes below and let me know if it helps.
=============================================================
crypto map vpnmap 60 match address outside_1_cryptomap <<<<
crypto map vpnmap 60 set pfs  <<<<<<<<<<<<<<<<<<<<<<<<<
crypto map vpnmap 60 set peer 193.242.9.126
crypto map vpnmap 60 set transform-set ESP-3DES-SHA
===============================================================
Make sure the crypto ACL "outside_1_cryptomap" is mirrored on the remote end and that you also have PFS enabled on the remote end.
Thanks
Rohan
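As an added example (not code from the thread, and not Cisco's), here is a small Python linter that applies the rule in Rohan's reply: the ASA binds one crypto map per interface, so entries created under a second map name never match traffic. It parses the crypto map lines, reports which map is bound to each interface, flags maps that are bound nowhere and peers referenced from more than one map, and proposes the merged entries under the bound map with the next free sequence number. The sample config is constructed from the lines quoted in the reply.

```python
"""Lint the crypto map section of a Cisco ASA configuration.

Rules: the ASA applies exactly one crypto map per interface, so entries in
a map that is bound to no interface never match traffic, and the same peer
referenced from two different maps usually marks a half-finished change.
"""
import re
from collections import defaultdict

# Constructed sample: the crypto map lines quoted in the reply above.
SAMPLE_CONFIG = """\
crypto map vpnmap 10 match address vpnfr
crypto map vpnmap 10 set peer 193.242.9.126
crypto map vpnmap 10 set transform-set myvpn
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap 30 match address vpnsing
crypto map vpnmap 30 set peer 203.126.186.226
crypto map vpnmap 30 set transform-set myvpn2
crypto map vpnmap 40 match address vpnbl
crypto map vpnmap 40 set peer 61.8.153.122
crypto map vpnmap 40 set transform-set myvpn2
crypto map vpnmap 50 match address vpnde
crypto map vpnmap 50 set peer 61.8.129.170
crypto map vpnmap 50 set transform-set myvpn2
crypto map vpnmap interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 193.242.9.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
DYNAMIC = "ipsec-isakmp dynamic"


def parse_crypto_maps(config):
    """Return (maps, bindings): maps[name][seq] is the list of clauses of
    one entry; bindings[interface] is the map name applied to it."""
    maps = defaultdict(lambda: defaultdict(list))
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            maps[m.group(1)][int(m.group(2))].append(m.group(3))
    return maps, bindings


def unbound_maps(maps, bindings):
    """Crypto map names that exist but are applied to no interface."""
    bound = set(bindings.values())
    return sorted(name for name in maps if name not in bound)


def is_dynamic(clauses):
    """True for a 'crypto map NAME SEQ ipsec-isakmp dynamic DYNMAP' entry."""
    return any(c.startswith(DYNAMIC) for c in clauses)


def duplicate_peers(maps):
    """peer -> [(map, seq), ...] for peers referenced by more than one entry."""
    seen = defaultdict(list)
    for name, entries in maps.items():
        for seq, clauses in entries.items():
            for c in clauses:
                if c.startswith("set peer "):
                    seen[c.split()[2]].append((name, seq))
    return {peer: refs for peer, refs in seen.items() if len(refs) > 1}


def merge_into(maps, src, dst, step=10):
    """CLI lines that re-home every entry of map `src` under map `dst`,
    numbered after the highest static entry of `dst` and skipping
    sequence numbers already in use (for example the dynamic entry)."""
    static = [s for s, c in maps[dst].items() if not is_dynamic(c)]
    next_seq = (max(static) // step + 1) * step if static else step
    lines = []
    for seq in sorted(maps[src]):
        while next_seq in maps[dst]:
            next_seq += step
        lines.extend(f"crypto map {dst} {next_seq} {c}" for c in maps[src][seq])
        next_seq += step
    return lines


def lint(config):
    """Run the checks and propose merging each unbound map into the bound one."""
    maps, bindings = parse_crypto_maps(config)
    unbound = unbound_maps(maps, bindings)
    fix = [line for bound in bindings.values() for name in unbound
           for line in merge_into(maps, name, bound)]
    return {"bindings": bindings, "unbound": unbound,
            "duplicate_peers": duplicate_peers(maps), "fix": fix}
```

On the sample, lint(SAMPLE_CONFIG)["fix"] is exactly the four "crypto map vpnmap 60 ..." lines the reply proposes, and the duplicate-peer check shows 193.242.9.126 referenced from both vpnmap 10 and outside_map 1, which is what gives away the half-finished change.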

Similar Messages

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G Router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
    The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
    When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
    The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
    Can you help me with how I can debug or troubleshoot this problem?
    I am unable to update software on ASA5505 side.

    Hello,
    Here is what my config looks like:
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    tunnel-group HW-CLIENT-GROUPR type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable

  • Out of ideas diagnosing VPN connection problems

    I'm having trouble narrowing down what's causing the VPN connection problems to my new Mini Server. Sometimes I can connect just fine with my MacBookPro and use all the resources like file sharing, etc. So, this leads me to believe it has been setup correctly. But then, for no reason at all (maybe it's later in the same day, or a completely different day) it will just stop working and I cannot connect at all.
    *MacBook and iMac at home cannot connect, but iPhone can*
    This is what's really throwing me off. This afternoon, I cannot connect to the server from home with my MacBook or my iMac. BUT, my iPhone can, using the same WiFi network my computers are on, not the cellular network. How could that be? The VPN settings on all 3 devices match exactly.
    *Colleagues with other ISPs can connect, while I cannot*
    I've called Comcast business (which provides the static IP for our office server) and they tell me all my settings are correct for allowing VPN traffic through. Likewise, Comcast Residential tells me there is nothing that would block VPN traffic from my home. They tell me to talk with Apple. argh!
    *Web and Server Admin services are still accessible when VPN is not working*
    We have exposed the Server's Web and Admin services without needing a VPN connection to access them. Since these services are accessible to me even when the VPN is not working, this leads me to believe the server is operating normally and capable of receiving incoming traffic.
    I'm out of ideas and I'm starting to lose my mind!!! Any ideas on why my 2 computers sometimes can connect, yet sometimes cannot...all the while, my iPhone can connect just fine over the same network???

    I don't have an explanation for the erratic nature of your connections. It's only that, as I've said before, in my experience such problems have always traced back to misconfigured network or DNS settings. mDNS is multicast DNS, and it's a protocol Apple uses so its devices can find each other easily. That may be the reason why your iPhone can connect when other things can't.
    To take a step back, here is how I think things should be set up:
    - Your dedicated IP address should be assigned to your router automatically through PPPoE
    - The name servers as set in your router should be your ISP's name servers
    - Make sure the server has only one connection to the router that is managing the dedicated IP, either wired or wireless, but not both
    - A static network address should be assigned to your server's MAC address in the router's DHCP settings
    - The server's network address should be put in the DMZ on the router or set as the default server in the NAT settings, depending on the router
    - The network settings in System Preferences on the server should be set to DHCP with manual address and the server's network address entered correctly
    - The router address should be listed correctly in the network settings in System Preferences on the server
    - The name servers in the network settings in System Preferences on the server should be 127.0.0.1 and the router's IP address, nothing else.
    - The zone files on the server should have a primary and reverse zone for each domain name and its network address. Do not use the dedicated IP address in the zone files on the server.
    If everything is set as I described, it should work. If it doesn't, it's time to call a witch doctor or an exorcist.

  • ASA5505 RA VPN problem

    Hi!
    I have my ASA configured for 2 site-to-site VPNs and one Remote Access VPN (L2TP).
    It used to work fine before, but now it stopped working at all.
    Phase 1 shows a config mismatch with the DH group, I think; the log says "configured unknown, expected group 2" or something like this.
    But this issue arose now, when I tried to make the RA VPN work again.
    The main issue when it was working was that, despite the proper tunnel network list configuration, I only had access to the tunnel and did not have access to the local internet when connected.
    I am learning and configuring my ASA from documentation found on the internet, so I am no professional.
    Any support would be very appreciated.
    My config below:
    : Saved
    ASA Version 9.1(3)
    hostname ciscoasa
    domain-name BETONOWA.local
    enable password XXX encrypted
    passwd XXX encrypted
    names
    ip local pool VPN_RA_POOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     dhcprelay server 192.168.1.10
    interface Vlan2
     nameif outside
     security-level 0
     ip address B.B.B.B 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.1.10
     name-server 8.8.8.8
     name-server 8.8.4.4
     domain-name BETONOWA.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network BETONOWA-DC
     host 192.168.1.10
    object network BETONOWA-SQL
     host 192.168.1.15
    object network EXCH-MBX
     host 192.168.1.20
    object network IIS_https
     host 192.168.1.30
    object network RenBetPBX
     host 192.168.1.2
    object network SQL
     host 192.168.1.11
    object network XEROX
     host 192.168.1.3
    object network RBSTORE
     host 192.168.1.6
    object network IIS_smtp
     host 192.168.1.30
    object network SQL_MateuszServer
     host 192.168.1.11
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.192_27
     subnet 192.168.1.192 255.255.255.224
    object network igolomska-network
     subnet 192.168.0.0 255.255.255.0
    object network IIS
     host 192.168.1.30
    object network DC
     host 192.168.1.10
    object service RDP
     service tcp source eq 23456 destination eq 3389
    object network VirtualPC-rdp
     host 192.168.1.40
    object network mlhome-network
     subnet 192.168.2.0 255.255.255.0
    object network CUE-network
     subnet 10.1.10.0 255.255.255.0
    object network VOIP-network
     subnet 10.1.1.0 255.255.255.0
    object network CUE
     host 10.1.10.2
    object network PBXDATA-network
     subnet 192.168.10.0 255.255.255.0
    object network VirtualPC
     host 192.168.1.40
    object network KAM_PTZ
     host 192.168.1.81
     description Kamera PTZ
    object network KAM_PTZ_http
     host 192.168.1.81
    object network KAM_HALA_PRZOD
     host 192.168.1.72
    object network KAM_HALA_PRZOD_http
     host 192.168.1.72
    object network KAM_HALA_CNC
     host 192.168.1.74
    object network KAM_HALA_CNC_http
     host 192.168.1.74
    object network vCMA_https
     host 192.168.1.17
    object network AUTOSAT
     host 192.168.1.15
     description AUTOSAT_TCP
    object network kamwaga1
     host 192.168.1.83
    object network kamwaga2
     host 192.168.1.84
    object network kamarcen1
     host 192.168.1.76
    object network kamarcen1http
     host 192.168.1.76
    object network kamarcen2
     host 192.168.1.79
    object network kamarcen2http
     host 192.168.1.79
    object network kamwaga2http
     host 192.168.1.84
    object network kamwagahttp
     host 192.168.1.83
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
     port-object eq 8080
     port-object eq 8081
     port-object eq 6881
     port-object eq ftp
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     service-object tcp-udp destination eq domain
     service-object udp destination eq ntp
    access-list outside_access_in extended permit tcp any object RBSTORE object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2 log disable
    access-list outside_access_in extended permit tcp any host 192.168.1.30 eq smtp
    access-list outside_access_in extended permit tcp any object VirtualPC eq 3389
    access-list outside_access_in extended permit tcp any object SQL eq 13000
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object NETWORK_OBJ_192.168.1.0_24
    access-list outside_access_in extended permit tcp any object KAM_PTZ eq www
    access-list outside_access_in extended permit tcp any object KAM_HALA_PRZOD eq www
    access-list outside_access_in extended permit tcp any object KAM_HALA_CNC eq www
    access-list outside_access_in extended permit tcp any object BETONOWA-SQL eq 8112
    access-list outside_access_in extended permit ip any object kamwaga2
    access-list outside_access_in extended permit ip any object kamwaga1
    access-list outside_access_in extended permit ip any object kamarcen1
    access-list outside_access_in extended permit ip any object kamarcen2
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object igolomska-network
    access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 object mlhome-network
    access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
    access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 8000
    logging console informational
    logging monitor informational
    logging buffered informational
    logging history informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static igolomska-network igolomska-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mlhome-network mlhome-network no-proxy-arp route-lookup
    nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static CUE-network CUE-network
    nat (inside,inside) source dynamic NETWORK_OBJ_192.168.1.0_24 interface destination static VOIP-network VOIP-network
    nat (inside,outside) source static CUE-network CUE-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
    nat (inside,outside) source static VOIP-network VOIP-network destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27 no-proxy-arp route-lookup
    object network obj_any
     nat (inside,outside) dynamic interface
    object network IIS_https
     nat (inside,outside) static interface service tcp https https
    object network RBSTORE
     nat (any,any) static B.B.B.C
    object network IIS_smtp
     nat (any,outside) static interface service tcp smtp smtp
    object network SQL_MateuszServer
     nat (any,outside) static interface service tcp 13000 13000
    object network VirtualPC-rdp
     nat (inside,outside) static interface service tcp 3389 3389
    object network KAM_PTZ_http
     nat (any,outside) static interface service tcp www 8011
    object network KAM_HALA_PRZOD_http
     nat (any,outside) static interface service tcp www 8012
    object network KAM_HALA_CNC_http
     nat (any,outside) static interface service tcp www 8013
    object network vCMA_https
     nat (any,any) static B.B.B.B service tcp https https
    object network AUTOSAT
     nat (any,outside) static interface service tcp 8112 8112
    object network kamarcen1http
     nat (any,outside) static interface service tcp www 8016
    object network kamarcen2http
     nat (any,outside) static interface service tcp www 8017
    object network kamwaga2http
     nat (any,outside) static interface service tcp www 8015
    object network kamwagahttp
     nat (any,outside) static interface service tcp www 8014
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
    route inside 10.1.1.0 255.255.255.0 A.A.A.A 1
    route inside 10.1.10.0 255.255.255.0 A.A.A.A 1
    route inside 192.168.10.0 255.255.255.0 A.A.A.A 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server BETONOWA-DC protocol radius
    aaa-server BETONOWA-DC (inside) host BETONOWA-DC
     key *****
     radius-common-pw *****
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 212.91.B.B
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 1 set ikev2 pre-shared-key *****
    crypto map outside_map 1 set security-association lifetime seconds 86400
    crypto map outside_map 1 set security-association lifetime kilobytes unlimited
    crypto map outside_map 2 match address outside_cryptomap_2
    crypto map outside_map 2 set peer 84.10.A.A
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 2 set ikev2 pre-shared-key *****
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable interface outside
    ntp server 192.168.1.10 source inside prefer
    webvpn
     anyconnect-essentials
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.1.10 8.8.8.8
     vpn-tunnel-protocol l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
     default-domain value BETONOWA.local
    group-policy GroupPolicy_212.91.Y.Y internal
    group-policy GroupPolicy_212.91.Y.Y attributes
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy_84.10.X.X internal
    group-policy GroupPolicy_84.10.X.X attributes
     vpn-tunnel-protocol ikev1 ikev2
    username root password FYt1qT0x6RrulpSE encrypted
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPN_RA_POOL
     authentication-server-group BETONOWA-DC
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    tunnel-group 212.91.Y.Y type ipsec-l2l
    tunnel-group 212.91.Y.Y general-attributes
     default-group-policy GroupPolicy_212.91.Y.Y
    tunnel-group 212.91.Y.Y ipsec-attributes
     ikev1 pre-shared-key *****
     isakmp keepalive threshold 10 retry 3
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 84.10.X.X type ipsec-l2l
    tunnel-group 84.10.X.X general-attributes
     default-group-policy GroupPolicy_84.10.X.X
    tunnel-group 84.10.A.A ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect icmp
    policy-map type inspect esmtp tls-allow
     parameters
      no mask-banner
      allow-tls
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:e67cf29f1b63c6d550ce9333fe3f30d5
    : end

    The solution was the following for one IP!
    object network x.x.x.x                  (inside IP)
     host x.x.x.x                           (inside IP)
     nat (inside,outside) static y.y.y.y    (remote IP)

  • ASA5505 L2L VPN does not function after move and reconfiguration

    I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendors' security appliances. The one in question that moved to a new IP address checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output with some show commands.
    ASA Version 8.4(4)
    hostname RitterBars
    names
    name 67.231.37.42 RitterLAB-ASA
    name 67.231.37.45 RitterLAB-LB-WAN1
    name 64.233.131.94 RitterLAB-LB-WAN3
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    description Port 7 on 9108
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan2
    nameif CoreNetwork
    security-level 0
    ip address 172.20.10.22 255.255.255.128
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CST recurring
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.9.0
    subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.85.0
    subnet 192.168.85.0 255.255.255.0
    object network obj-10.200.1.0
    subnet 10.200.1.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.1.2
    host 192.168.1.2
    object service obj-tcp-source-eq-22
    service tcp source eq ssh
    object service obj-tcp-source-eq-5922
    service tcp source eq 5922
    object network obj-192.168.1.10
    host 192.168.1.10
    object service obj-tcp-source-eq-5125
    service tcp source eq 5125
    object service obj-tcp-source-eq-80
    service tcp source eq www
    object network obj-192.168.1.119
    host 192.168.1.119
    object service obj-udp-source-eq-69
    service udp source eq tftp
    object network obj-192.168.1.51
    host 192.168.1.51
    object service obj-tcp-source-eq-443
    service tcp source eq https
    object service obj-tcp-source-eq-5980
    service tcp source eq 5980
    object network obj-192.168.1.114
    host 192.168.1.114
    object network obj-96.43.39.27
    host 96.43.39.27
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object-group network Inside
    network-object 192.168.1.0 255.255.255.0
    access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
    access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
    access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
    access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
    access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp any host 192.168.1.10 eq www
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
    access-list out2in extended permit udp any host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp any host 192.168.1.51 eq https
    access-list out2in extended permit icmp any any
    pager lines 24
    logging console alerts
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu CoreNetwork 1500
    ip local pool vpn-pool 192.168.9.10-192.168.9.250
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
    nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
    nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
    nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
    nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
    nat (inside,outside) source dynamic Inside interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group out2in in interface outside
    route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
    route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map samap 1 match address VPN2LAB
    crypto map samap 1 set peer RitterLAB-ASA
    crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map samap 2 match address Barracudalab
    crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
    crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map samap interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 11
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    dhcpd dns 64.233.128.10 64.233.128.11
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.150 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.187.233.4 source outside
    ntp server 64.99.80.30 source outside
    webvpn       
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    tunnel-group 67.231.37.42 type ipsec-l2l
    tunnel-group 67.231.37.42 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 67.231.37.45 type ipsec-l2l
    tunnel-group 67.231.37.45 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 64.233.131.94 type ipsec-l2l
    tunnel-group 64.233.131.94 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect ip-options
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
    : end
    RitterBars# sh isa sa
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: 67.231.37.45
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 67.231.37.42
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    RitterBars# sh ipsec sa
    interface: outside
        Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
          access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
          current_peer: 67.231.37.42
          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 6F98A015
          current inbound spi : 6DD466F0
        inbound esp sas:
          spi: 0x6DD466F0 (1842636528)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4374000/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x6F98A015 (1872273429)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4373999/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
          access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
          current_peer: 67.231.37.45
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 51AF17EA
          current inbound spi : 859BC586
        inbound esp sas:
          spi: 0x859BC586 (2241578374)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x51AF17EA (1370429418)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    RitterBars# sh nat int inside
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
        translate_hits = 18, untranslate_hits = 0
    3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static obj-192.168.1.2 interface   service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
        translate_hits = 0, untranslate_hits = 0
    6 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
        translate_hits = 0, untranslate_hits = 9094
    7 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-80 obj-tcp-source-eq-80
        translate_hits = 0, untranslate_hits = 126
    8 (inside) to (outside) source static obj-192.168.1.119 interface   service obj-udp-source-eq-69 obj-udp-source-eq-69
        translate_hits = 0, untranslate_hits = 0
    9 (inside) to (outside) source static obj-192.168.1.51 interface   service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
        translate_hits = 0, untranslate_hits = 195
    10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27 
        translate_hits = 0, untranslate_hits = 0
    11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface   destination static obj-216.163.29.244 obj-216.163.29.244
        translate_hits = 107, untranslate_hits = 0
    12 (inside) to (outside) source dynamic Inside interface 
        translate_hits = 35387, untranslate_hits = 2940
    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface 
        translate_hits = 291, untranslate_hits = 78
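    The `sh ipsec sa` output above shows the classic one-way symptom on seq 1 (encaps 4, decaps 0: the local side encrypts toward the peer but nothing comes back) and a completely idle entry on seq 2. As an added example, not code from the poster or from Cisco, here is a small Python parser that pulls those counters out of captured `show crypto ipsec sa` text and classifies each crypto-map entry; the sample text is constructed from the posted output, with a hypothetical third entry (peer 198.51.100.7, remote 192.168.50.0/24) added only to show a healthy SA for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the posted "sh ipsec sa": seq 1 and seq 2 keep
# the posted counters (4/0 and 0/0); seq 3 (peer 198.51.100.7, remote
# 192.168.50.0/24) is hypothetical and added only to show a healthy entry.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
      access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
      current_peer: 67.231.37.42
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
    Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
      access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 67.231.37.45
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
    Crypto map tag: samap, seq num: 3, local addr: 96.43.41.168
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      #send errors: 0, #recv errors: 0
"""

ENTRY_RE = re.compile(
    r"Crypto map tag: (?P<tag>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)"
)

@dataclass
class IpsecSaStats:
    """Counters for one crypto-map entry (one inbound/outbound IPsec SA pair)."""
    tag: str
    seq: int
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

def _field(chunk: str, pattern: str, default: str) -> str:
    m = re.search(pattern, chunk)
    return m.group(1) if m else default

def parse_show_ipsec_sa(text: str) -> List[IpsecSaStats]:
    """Split 'show crypto ipsec sa' output into per-entry counters."""
    entries: List[IpsecSaStats] = []
    # Each entry starts at a line beginning with "Crypto map tag:".
    for chunk in re.split(r"(?m)^[ \t]*(?=Crypto map tag:)", text):
        head = ENTRY_RE.search(chunk)
        if not head:
            continue  # preamble such as "interface: outside"
        entries.append(IpsecSaStats(
            tag=head.group("tag"),
            seq=int(head.group("seq")),
            peer=_field(chunk, r"current_peer: (\S+)", "?"),
            local_ident=_field(chunk, r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", "?"),
            remote_ident=_field(chunk, r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", "?"),
            encaps=int(_field(chunk, r"#pkts encaps: (\d+)", "0")),
            decaps=int(_field(chunk, r"#pkts decaps: (\d+)", "0")),
            send_errors=int(_field(chunk, r"#send errors: (\d+)", "0")),
            recv_errors=int(_field(chunk, r"#recv errors: (\d+)", "0")),
        ))
    return entries

def diagnose(sa: IpsecSaStats) -> Tuple[str, str]:
    """Classify an SA from its counters and return (status, what to check next)."""
    if sa.send_errors or sa.recv_errors:
        return "errors", "send/recv errors: compare SA/SPI state on both peers and check path MTU"
    if sa.encaps > 0 and sa.decaps == 0:
        return ("one-way-outbound",
                f"we encrypt toward {sa.peer} but nothing returns: check the peer's "
                f"crypto ACL mirror, NAT exemption and route back to {sa.local_ident}")
    if sa.encaps == 0 and sa.decaps > 0:
        return ("one-way-inbound",
                f"{sa.peer} sends but we never encrypt: check our NAT exemption and "
                f"crypto ACL for {sa.remote_ident}")
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle", "no interesting traffic matched: check crypto ACL and NAT exemption"
    return "healthy", "traffic flows in both directions"

if __name__ == "__main__":
    for sa in parse_show_ipsec_sa(SAMPLE_SHOW_IPSEC_SA):
        status, hint = diagnose(sa)
        print(f"{sa.tag} seq {sa.seq} peer {sa.peer} "
              f"encaps={sa.encaps} decaps={sa.decaps}: {status} ({hint})")
```

    Feed it the output of `show crypto ipsec sa` from both peers: an entry that is one-way-outbound on one side and idle on the other points at the far side's crypto ACL or NAT exemption rather than at IKE.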

    I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so I decided to put that up front.
    Anyways, I had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
    http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
    It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA. And then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
    So then I spent about two hours turning ports on and off and such; finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
    Here's what the access lists should look like in IOS:
    permit tcp any host (your external IP address) established
    permit udp any host (your external IP address) eq 21310
    It's probably going to be a little bit different since you have an ASA, but I think you get the idea.

  • Remote access vpn ESP problem

    I have remote access VPN configured on a Cisco 2901 router. Everything works well except the iPad 2 3G. When I am connecting with the iPad from the 3G network it connects, but it is unable to access corporate resources. I talked to my telephone provider and they told me that they have some NAT problems with ESP and advised me to force VPN clients to use UDP ports 500 and 4500. How do I have to configure my router to accomplish this?
    Thanks in advance

    Hello,
    ISAKMP uses port UDP 500 for the management connection establishment (Phase 1).
    NAT-T (used when there are NAT devices in between two VPN endpoints) uses port UDP 4500.
    So on your router NAT-T is configured by default; all you have to do, if you have an ACL on the outside interface, is allow this traffic (ISAKMP and NAT-T). On some of the newer IOS versions you do not have to apply the ACL, as by default the VPN traffic (encrypted traffic) bypasses the ACL.
    So your requirement is done by default, great thing right!! You can let your telephone provider know you are ready for the test.
    Julio
    Do rate all helpful posts!!

  • VPN connection problem

    I am currently unable to connect to my VPN server with either of 2 Lion machines, a 2010 white MacBook and a black MacBook. I run iVPN (L2TP) on an old PPC Mac Mini; my iPhone and iPad still connect instantly. When the Lion machines try to connect, they try for about a minute and fail, returning "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." I currently have my router set up to port forward and use a dynamic DNS. I tried connecting straight to the VPN directly by changing to the internal LAN IP, still no luck. Any suggestions?

    I've been out of my SonicWall VPN since I upgraded to Lion last week.  Found a trick and succeeded.  I had to reconfigure the settings on the Sonicwall and make sure that the phase 1 and phase 2 authentications were using AES encryption rather than 3DES.
    That did the trick and I was back in.
    Of course now my 10.6.8 clients are out - I'll post more on that front if I figure it out.

  • Vpn authentication problem

    I have 2 AD accounts in 2 domains, Singapore and China. Both domains are under 1 forest. The problem is when I use Cisco VPN to connect to the Singapore firewall but use the China AD account & password, authentication fails. But when I use Cisco VPN to connect to the China firewall but use the Singapore AD account & password, authentication works. Why? Please help, and thanks.

    Muhammad,
    I think you have an issue with your AD search order. Try adding the domain OU prefix with a "\" and then the username, i.e.:
    domain\username
    HTH.

  • VPN tunnel Problem

    Hi all ,
    I need to create VPN tunnels between two ASA devices. These devices are connected through DSL. And as you know, in this case we use a private outside IP address, because there is a NAT device at the outside. The problem is that no VPN tunnel is created even though all the parameters and the pre-shared key are typical.

    I have already configured the following configuration.
    no crypto map newmap interface outside
    no crypto map newmap 171 set peer 195.11.199.144
    no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
    crypto map newmap 171 set peer 195.11.204.5
    isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
    clear crypto ipsec sa
    clear crypto isakmp sa
    crypto map newmap interface outside
    Settings were applied successfully; however, the VPN tunnel is still not being initiated.

  • VPN Communication Problem

    I have created a working VPN between a remote PC with Cisco VPN Client and Easy VPN server on a Cisco 1802 (DSL). The router has a dynamic external IP and is accessible over DynDNS. The problem is not the VPN connection, but the communication between the remote PC and the LAN behind the router.
    Ping functions to all devices on the LAN
    telnet 25 functions
    DNS functions
    Access to shares takes ages, sometimes works, but usually runs into a timeout
    HTTP takes ages and then breaks
    Remote Desktop to a 2k server breaks
    Remote Desktop to a 2k3 server opens the server window, but breaks before the login mask
    Application Security Log of the SDM:
    JAN 16 14:09:35.902 PC Time DROP PKT Dropping tcp pkt 192.168.121.15:80 => 192.168.122.5:4293
    JAN 16 14:11:35.662 PC Time DROP PKT Dropping tcp pkt 192.168.122.5:4302 => 192.168.121.15:3389
    Any ideas what's wrong with the config?

    Hi there,
    I see some issues here:
    1. Increase the value in the command:
    ip tcp synwait-time 10
    2. Remove following command from the interface Dialer0 config:
    ip route-cache flow
    3. On the VPN client PC, open the SetMTU utility (in the VPN client folder) and set the MTU on the interface to 1300.
    Start the above steps and test after each.
    Please rate if this helped.
    Regards,
    Daniel

  • VPN CLIENT PROBLEM

    Hi
    I have a problem with ping in VPN Client.
    In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A), but it cannot.
    The router is able to ping Z.Z.Z.0/24.
    The tunnel and VPN client are working.
    1. PC-1 can connect to ASA-1 and ping networks 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
    2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
    3. If PC-3's gateway is 10.10.10.1, it can ping Z.Z.Z.2.
    4. If PC-3's gateway is 10.10.10.20, it cannot ping Z.Z.Z.2.
    5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
    6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
    This is my config on ASA-1 and ASA-2:
    hostname ASA-1
    interface G0/0
    nameif Outside
    security-level 0
    ip address x.x.x.1 255.255.255.224
    NO SHUT
    interface G0/3
    nameif Inside
    security-level 100
    ip address 20.20.0.1 255.255.0.0
    NO SHUT
    route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
    object-group network DM_INLINE_NETWORK_1
    network-object 10.10.10.0 255.255.255.0
    network-object 20.20.0.0 255.255.0.0
    network-object z.z.z.0 255.255.255.0
    ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
    access-list 100 extended permit icmp any any
    access-group 100 in interface Outside
    global (Outside) 1 interface
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp enable Outside
    tunnel-group y.y.y.1 type ipsec-l2l
    tunnel-group y.y.y.1 ipsec-attributes
    pre-shared-key 1234
    group-policy ATA internal
    group-policy ATA attributes
    vpn-tunnel-protocol IPSec
    username TEST password TEST privilege 0
    username TEST attributes
    vpn-group-policy ATA
    tunnel-group ATA type remote-access
    tunnel-group ATA general-attributes
    address-pool ATA
    default-group-policy ATA
    tunnel-group ATA ipsec-attributes
    pre-shared-key 1234
    access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
    access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer y.y.y.200
    crypto map Outside_map 1 match address Outside_1_Cryptomap
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set security-association lifetime kilobytes 10000
    crypto map Outside_map interface Outside
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
    access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
    nat (Inside) 0 access-list Inside_nat0_Outside
    nat (Inside) 1 0.0.0.0 0.0.0.0
    policy-map global_policy
    class inspection_default
      inspect icmp
    same-security-traffic permit intra-interface
    management-access Inside
    hostname ASA-2
    interface E0/0
    nameif Outside
    security-level 0
    ip address y.y.y.1 255.255.255.192
    NO SHUT
    interface E0/3
    nameif Inside
    security-level 100
    ip address 10.10.10.20 255.255.255.0
    NO SHUT
    route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
    route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
    access-list 100 extended permit icmp any any
    access-group 100 in interface Outside
    global (Outside) 1 interface
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp enable Outside
    tunnel-group x.x.x.1 type ipsec-l2l
    tunnel-group x.x.x.1 ipsec-attributes
    pre-shared-key 1234
    access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
    access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer x.x.x.1
    crypto map Outside_map 1 match address Outside_1_Cryptomap
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set security-association lifetime kilobytes 10000
    crypto map Outside_map interface Outside
    access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
    access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
    nat (Inside) 0 access-list Inside_nat0_Outside
    nat (Inside) 1 0.0.0.0 0.0.0.0
    policy-map global_policy
    class inspection_default
      inspect icmp
    same-security-traffic permit intra-interface
    management-access Inside
    Regards

    Hi,
    My suggestion for your puzzle is to either load your ASDM real-time log and observe the logs while one host tries to ping the other and take notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2. Either way, I would start with the easiest one, which is the real-time log on ASDM.
    Could you provide the following:
    1 - Post output of c:\ipconfig /all from PC-4 z.z.z.2/24
    2 - Post output of show ip route from the router where the PC-4 subnet is routed from
    Regards

  • VPN / NAT Problem

    Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
    1. SiteW is the main site. If W-Client wants to talk to S-Client (on SiteS), the traffic is simply NATed to 106.200.194.240 and sent there (this works fine).
    2. SiteB is a new site. I've set that up with a site-to-site VPN; that works fine.
    New Requirement
    If a user at SiteB wants to talk to a client at SiteS, then the traffic should go over the existing VPN to W-FW1, then get decrypted and routed there. This is the bit I CANNOT, despite HOURS of tweaking and testing, get to work.
    What I've done
    On W-FW2
    Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it, like so:
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
    nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
    On W-FW1
    Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
    nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
    At this point packet tracer said the traffic was being blocked by the ACL, so I added:
    access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
    access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
    access-group inbound in interface outside
    Now Packet Tracer was happy, but B-Client still cannot ping S-Client!
    W-FW1 can ping S-Client.
    Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2), but no traffic ever travels BACK to B-Client.
    Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
    Help!
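    The two symptoms in this post (a crypto ACL entry on one firewall without its mirror on the other, and an interesting-traffic entry without a matching identity NAT) are the two things worth checking mechanically before touching captures. The script below is an added example, not code from the post or from Cisco: it parses the `object network`, `access-list ... permit ip object ... object ...` and `nat ... source static` lines in the shape the poster used, then reports crypto ACL entries that are not mirrored on the peer and entries that have no identity NAT. The sample configs are constructed; the B-CLIENTS and W-CLIENTS subnets are assumptions, since the post only names those objects.

```python
"""Mirror-check ASA crypto ACLs and NAT exemptions across two peers (added example)."""
import ipaddress
import re

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")

# Constructed configs modelled on the post. B-CLIENTS (192.0.2.0/24) and
# W-CLIENTS (203.0.113.0/24) are assumed subnets; S-CLIENTS is from the post.
FW2_CONFIG = """\
object network B-CLIENTS
 subnet 192.0.2.0 255.255.255.0
object network S-CLIENTS
 subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
"""

FW1_CONFIG_OK = """\
object network B-CLIENTS
 subnet 192.0.2.0 255.255.255.0
object network S-CLIENTS
 subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
"""

# Constructed broken variant: an extra W-CLIENTS entry the peer does not mirror,
# and no identity NAT at all for the interesting traffic.
FW1_CONFIG_BROKEN = """\
object network B-CLIENTS
 subnet 192.0.2.0 255.255.255.0
object network S-CLIENTS
 subnet 65.253.1.0 255.255.255.0
object network W-CLIENTS
 subnet 203.0.113.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
access-list VPN-INTERESTING-TRAFIC extended permit ip object W-CLIENTS object B-CLIENTS
"""


def parse_objects(config):
    """Map each 'object network' name to its subnet."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def crypto_acl_entries(config, acl_name):
    """Return the set of (src_net, dst_net) pairs in the named crypto ACL."""
    objects = parse_objects(config)
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            entries.add((objects[m.group(2)], objects[m.group(3)]))
    return entries


def nat_exempt_entries(config):
    """Return (src_net, dst_net) pairs covered by an identity (NO NAT) twice-NAT rule."""
    objects = parse_objects(config)
    exempt = set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        # Identity NAT means the mapped object equals the real object on both sides.
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt.add((objects[m.group(1)], objects[m.group(3)]))
    return exempt


def mirror_mismatches(local, remote):
    """Entries on each side whose reversed (dst, src) pair is absent on the other."""
    remote_mirrored = {(dst, src) for src, dst in remote}
    local_mirrored = {(dst, src) for src, dst in local}
    unmatched_local = sorted(f"{s} -> {d}" for s, d in local - remote_mirrored)
    unmatched_remote = sorted(f"{s} -> {d}" for s, d in remote - local_mirrored)
    return unmatched_local, unmatched_remote


def nat_exempt_gaps(config, acl_name):
    """Crypto ACL entries that would be translated because no identity NAT covers them."""
    gaps = crypto_acl_entries(config, acl_name) - nat_exempt_entries(config)
    return sorted(f"{s} -> {d}" for s, d in gaps)


if __name__ == "__main__":
    acl = "VPN-INTERESTING-TRAFIC"
    fw2 = crypto_acl_entries(FW2_CONFIG, acl)
    print("mirror (ok):", mirror_mismatches(fw2, crypto_acl_entries(FW1_CONFIG_OK, acl)))
    print("mirror (broken):", mirror_mismatches(fw2, crypto_acl_entries(FW1_CONFIG_BROKEN, acl)))
    print("no-NAT gaps (broken):", nat_exempt_gaps(FW1_CONFIG_BROKEN, acl))
```

    The check is deliberately strict about identity NAT: a `source static A A destination static B B` rule with the objects swapped or with a different mapped object is not counted as an exemption, which is exactly the kind of asymmetry that lets the tunnel come up while the return traffic is silently translated away.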

    First check if the packet from the S-Client is making it back to W-FW1.
    Configure captures on the interface that is connected to the 106.200.194 subnet.
    #cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
    #show cap capin
    The capture is bidirectional, hence there is no need to enable it in the opposite direction.
    If the packet is seen coming back from the S-Client and is still not getting encrypted, then do an asp-drop capture to see if the ASA is dropping it:
    #capture asp type asp-drop all
    Send the traffic.
    #show cap asp | in <Sclient IP>
    If the packet is seen in this capture, then the ASA is dropping it.
    Then do a packet tracer to see why it is dropping it:
    #packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
    Check why the packet is dropping.
    If the capin capture does not see the reply packet, then check the reply path and routing.

  • VPN (PPTP) problem

    Hi,
    I have a weird VPN problem on my MacBook. I'm trying to connect to a Windows 2000 Server through VPN dial-up (PPTP); it connects and it seems like I'm getting an IP, but I cannot access anything on the network.
    VPN dial-up works fine from my iMac, so I know it's not a server issue.
    Anyone have any suggestions?
    Thanks

    I had this issue too.
    I don't know much about this sort of thing, but my network admin makes me go to Terminal every time and enter this:
    sudo route add 10.10.0.0/16 10.10.7.1

  • VPN 3000 problem

    I have 2 CVPN 3000s at my institution. They both have software version 4.7.2.L-k9. They also have WebVPN running.
    Lately something strange has been happening. One VPN loses connection (ping keepalives stop working) and no one can connect. When this happens I change the DNS A record of the VPN service to the 2nd CVPN and, after a while, that 2nd CVPN stops responding too. Can this be an attack? What can I search for in the logfile? The logfile cannot hold more than 15 or 20 minutes.
    Thanks in advance.

    I have captured some traffic directed to the SSL port. There are a lot of TCP retransmission packets (dup ACKs).
    After disabling the SSL service I have had the CVPN running for a day now; it seems the problems have stopped. Of course, now I don't have the WebVPN service.
    Any suggestions? Has anyone experienced such a problem?
    Tx

  • VPN setup problem

    I have installed Snow Leopard Server on a new Xserve and updated it to 10.6.2.
    Other services are working. Regarding VPN, I have configured the VPN service using L2TP.
    I have no additional network routing defined.
    Every time I try to set up a connection (from my MacBook Pro, running Snow Leopard 10.6.2) I get the following log messages:
    2009-11-15 14:44:41 CET Incoming call... Address given to client = 192.168.1.160
    Sun Nov 15 14:44:41 2009 : Directory Services Authentication plugin initialized
    Sun Nov 15 14:44:41 2009 : Directory Services Authorization plugin initialized
    Sun Nov 15 14:44:41 2009 : L2TP incoming call in progress from '192.168.1.15'...
    Sun Nov 15 14:44:41 2009 : L2TP received SCCRQ
    Sun Nov 15 14:44:41 2009 : L2TP sent SCCRP
    Sun Nov 15 14:44:41 2009 : L2TP received SCCCN
    Sun Nov 15 14:44:41 2009 : L2TP received ICRQ
    Sun Nov 15 14:44:41 2009 : L2TP sent ICRP
    Sun Nov 15 14:44:41 2009 : L2TP received ICCN
    Sun Nov 15 14:44:41 2009 : L2TP connection established.
    Sun Nov 15 14:44:41 2009 : using link 0
    Sun Nov 15 14:44:41 2009 : Using interface ppp0
    Sun Nov 15 14:44:41 2009 : Connect: ppp0 <--> socket[34:18]
    Sun Nov 15 14:44:41 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : lcp_reqci: returning CONFACK.
    Sun Nov 15 14:44:41 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : sent [LCP EchoReq id=0x0 magic=0x7dd4d1cd]
    Sun Nov 15 14:44:41 2009 : sent [EAP Request id=0x1 Identity ]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP EchoReq id=0x0 magic=0x1e217556]
    Sun Nov 15 14:44:41 2009 : sent [LCP EchoRep id=0x0 magic=0x7dd4d1cd]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP EchoRep id=0x0 magic=0x1e217556]
    Sun Nov 15 14:44:41 2009 : rcvd [EAP Response id=0x1 Identity <"]
    Sun Nov 15 14:44:47 2009 : LCP terminated by peer (Failed to authenticate ourselves to peer)
    Sun Nov 15 14:44:47 2009 : sent [LCP TermAck id=0x2]
    Sun Nov 15 14:44:47 2009 : L2TP received CDN
    Sun Nov 15 14:44:47 2009 : Connection terminated.
    Sun Nov 15 14:44:47 2009 : L2TP disconnecting...
    Sun Nov 15 14:44:47 2009 : L2TP sent CDN
    Sun Nov 15 14:44:47 2009 : L2TP sent StopCCN
    Sun Nov 15 14:44:47 2009 : L2TP disconnected
    2009-11-15 14:44:47 CET --> Client with address = 192.168.1.160 has hungup
    What does that mean:
    "Failed to authenticate ourselves to peer" ???
    Are there some configurations which can solve this problem ???
    Best regards
    Andreas

    These are the related client-side log entries:
    Sun Nov 15 14:44:40 2009 : L2TP connecting to server '192.168.1.10' (192.168.1.10)...
    Sun Nov 15 14:44:40 2009 : IPSec connection started
    Sun Nov 15 14:44:40 2009 : IPSec phase 1 client started
    Sun Nov 15 14:44:40 2009 : IPSec phase 1 server replied
    Sun Nov 15 14:44:41 2009 : IPSec phase 2 started
    Sun Nov 15 14:44:41 2009 : IPSec phase 2 established
    Sun Nov 15 14:44:41 2009 : IPSec connection established
    Sun Nov 15 14:44:41 2009 : L2TP sent SCCRQ
    Sun Nov 15 14:44:41 2009 : L2TP received SCCRP
    Sun Nov 15 14:44:41 2009 : L2TP sent SCCCN
    Sun Nov 15 14:44:41 2009 : L2TP sent IRCQ
    Sun Nov 15 14:44:41 2009 : L2TP received ICRP
    Sun Nov 15 14:44:41 2009 : L2TP sent ICCN
    Sun Nov 15 14:44:41 2009 : L2TP connection established.
    Sun Nov 15 14:44:41 2009 : using link 0
    Sun Nov 15 14:44:41 2009 : Using interface ppp0
    Sun Nov 15 14:44:41 2009 : Connect: ppp0 <--> socket[34:18]
    Sun Nov 15 14:44:41 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : lcp_reqci: returning CONFACK.
    Sun Nov 15 14:44:41 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
    Sun Nov 15 14:44:41 2009 : sent [LCP EchoReq id=0x0 magic=0x1e217556]
    Sun Nov 15 14:44:41 2009 : rcvd [LCP EchoReq id=0x0 magic=0x7dd4d1cd]
    Sun Nov 15 14:44:41 2009 : sent [LCP EchoRep id=0x0 magic=0x1e217556]
    Sun Nov 15 14:44:41 2009 : rcvd [EAP Request id=0x1 Identity ]
    Sun Nov 15 14:44:41 2009 : sent [EAP Response id=0x1 Identity <"]
    Sun Nov 15 14:44:47 2009 : Connection terminated.
    Sun Nov 15 14:44:47 2009 : rcvd [EAP Request id=0x2 EAP KRB <00003f000001000101>]
    Sun Nov 15 14:44:47 2009 : L2TP disconnecting...
    Sun Nov 15 14:44:47 2009 : L2TP sent CDN
    Sun Nov 15 14:44:47 2009 : L2TP sent StopCCN
    Sun Nov 15 14:44:47 2009 : L2TP disconnected
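    Reading the two logs above is a matter of working out which layer got how far: IPsec (client side only), the L2TP control connection and session, PPP LCP, and then PPP authentication. The script below is an added example, not from the poster or from Apple's vpnd; it parses pppd-style `<date> : <message>` lines and reports the first layer that started but did not complete. The server-log excerpt is taken from the post; the second, successful CHAP log is constructed to show the healthy case, and the `IPCP ConfAck` heuristic (pppd only negotiates IPCP after authentication succeeds) is the example's own assumption.

```python
"""Triage a pppd/L2TP negotiation log by layer (added example, not from the post)."""
import re

LOG_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} : (.*)$")
AUTH_RE = re.compile(r"<auth (\w+)")
TERM_RE = re.compile(r"LCP terminated by peer \((.*)\)")
STAGES = ("ipsec", "l2tp", "lcp", "auth", "ipcp")
STARTED = {"negotiating", "in progress", "failed"}

# Server-side excerpt from the post above (EAP offered, peer gives up).
SERVER_LOG = """\
Sun Nov 15 14:44:41 2009 : L2TP received SCCRQ
Sun Nov 15 14:44:41 2009 : L2TP sent SCCRP
Sun Nov 15 14:44:41 2009 : L2TP received SCCCN
Sun Nov 15 14:44:41 2009 : L2TP connection established.
Sun Nov 15 14:44:41 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
Sun Nov 15 14:44:41 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1e217556> <pcomp> <accomp>]
Sun Nov 15 14:44:41 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth eap> <magic 0x7dd4d1cd> <pcomp> <accomp>]
Sun Nov 15 14:44:41 2009 : sent [EAP Request id=0x1 Identity ]
Sun Nov 15 14:44:41 2009 : rcvd [EAP Response id=0x1 Identity <"]
Sun Nov 15 14:44:47 2009 : LCP terminated by peer (Failed to authenticate ourselves to peer)
Sun Nov 15 14:44:47 2009 : Connection terminated.
"""

# Constructed healthy log (hypothetical host names and values) where CHAP succeeds.
HEALTHY_LOG = """\
Mon Nov 16 09:00:00 2009 : L2TP received SCCRQ
Mon Nov 16 09:00:00 2009 : L2TP connection established.
Mon Nov 16 09:00:00 2009 : sent [LCP ConfReq id=0x1 <auth chap MS-v2> <magic 0x1>]
Mon Nov 16 09:00:00 2009 : rcvd [LCP ConfReq id=0x1 <magic 0x2>]
Mon Nov 16 09:00:00 2009 : sent [LCP ConfAck id=0x1 <magic 0x2>]
Mon Nov 16 09:00:00 2009 : rcvd [LCP ConfAck id=0x1 <auth chap MS-v2> <magic 0x1>]
Mon Nov 16 09:00:00 2009 : sent [CHAP Challenge id=0x1 <...>, name = "vpnserver"]
Mon Nov 16 09:00:00 2009 : rcvd [CHAP Response id=0x1 <...>, name = "alice"]
Mon Nov 16 09:00:00 2009 : sent [CHAP Success id=0x1 "S=..."]
Mon Nov 16 09:00:01 2009 : sent [IPCP ConfReq id=0x1 <addr 192.168.1.10>]
Mon Nov 16 09:00:01 2009 : rcvd [IPCP ConfAck id=0x1 <addr 192.168.1.10>]
"""


def diagnose(log_text):
    """Walk the log once and record how far each layer got."""
    result = {s: "not seen" for s in STAGES}
    result.update(auth_method=None, failure=None)
    sent_ack = rcvd_ack = False
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("IPSec phase"):
            result["ipsec"] = "negotiating"
        elif msg == "IPSec connection established":
            result["ipsec"] = "established"
        elif msg.startswith(("L2TP received", "L2TP sent")):
            if result["l2tp"] == "not seen":
                result["l2tp"] = "negotiating"
        elif msg.startswith("L2TP connection established"):
            result["l2tp"] = "established"
        elif "[LCP ConfReq" in msg:
            # Whichever side carries <auth ...> is the one demanding authentication.
            a = AUTH_RE.search(msg)
            if a:
                result["auth_method"] = a.group(1)
            result["lcp"] = "negotiating"
        elif msg.startswith("sent [LCP ConfAck"):
            sent_ack = True
        elif msg.startswith("rcvd [LCP ConfAck"):
            rcvd_ack = True
        elif any(tag in msg for tag in ("[EAP ", "[CHAP ", "[PAP ")):
            if result["auth"] == "not seen":
                result["auth"] = "in progress"
        elif "[IPCP ConfAck" in msg:
            # Assumption: pppd reaches IPCP only after authentication succeeded.
            result["ipcp"] = "up"
            result["auth"] = "succeeded"
        t = TERM_RE.search(msg)
        if t:
            result["failure"] = t.group(1)
            if "authenticate" in t.group(1):
                result["auth"] = "failed"
        if sent_ack and rcvd_ack and result["lcp"] != "up":
            result["lcp"] = "up"  # LCP is up only once ConfAck has gone both ways
    return result


def first_failed_stage(result):
    """Earliest layer that started but did not complete, or None."""
    for stage in STAGES:
        if result[stage] in STARTED:
            return stage
    return None


if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("healthy", HEALTHY_LOG)):
        r = diagnose(log)
        print(name, first_failed_stage(r), r["auth_method"], r["failure"])
```

    For the post's log the result is that L2TP and LCP both completed and the failure sits in the authentication layer, with EAP as the method the server demanded; that matches the client log, which receives an EAP KRB request it has no answer for and hangs up.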
