Cisco 5520: removed crypto map still in effect

So I typoed a command: "crypto map Map1 7"... instead of "crypto map Map1 70".
I cleared the Map1 7 entries, and added the correct entries in Map1 70.
I cleared all of the vpn sessions:
no crypto map Map1 int outside
cl ips sa
cl isa sa
Now, however, whenever I try to ping the remote network from the inside interface, it seems to read the Map1 7 policy instead of Map1-70.
Is there any way to clear the Map1 7 entries from memory? I'm trying to avoid rebooting the firewall.
Thanks,
Jeff
But when I try

With ASA you need the "clear configure" command to remove a crypto map sequence number:
clear configure crypto map map-name seq-num
(in configuration mode)

Similar Messages

  • I am not able to remove crypto map SONZOGNI^@

    Please show me the command to remove crypto map SONZOGNI^@.
    The command "no crypto map SONZOGNI^@" doesn't work; the response is that the crypto map does not exist.
    The Router model is 3640.
    Thanks
    12.0
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    boot system flash:c3640-is40-mz.120-24.bin
    logging buffered 32000 debugging
    no logging console
    ip subnet-zero
    no ip source-route
    no ip finger
    no ip domain-lookup
    isdn switch-type primary-net5
    crypto map SONZOGNI^@ 1
    set peer cisco-sonzogni
    match address sonzogni-encrypt
    clock timezone CET 1
    clock summer-time CET-SUM recurring last Sun Mar 3:00 last Sun Oct 3:00
    call-history-mib max-size 200

    Try "no crypto map SONZOGNI^@ 1"; you have to mention the 1 also.

  • PING is unavailable after CRYPTO MAP on interface

    Hi guys,
    I have a problem with ping to the public IP of my router (Cisco 2801). I checked all my ACLs, but ping only works when I remove the crypto map from the interface.
    interface FastEthernet0/0
     description ---LAN---$FW_INSIDE$
     ip address 192.168.28.31 255.255.255.0
     ip access-group 103 in
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
     no mop enabled
    interface FastEthernet0/1
     description ---WAN---$FW_OUTSIDE$$ES_LAN$
     ip address 109.68.238.175 255.255.255.224
     ip access-group 104 in
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed 10 
     crypto map MAIN
     and crypto map MAIN 
    crypto map MAIN 1 ipsec-isakmp 
     description a1
     set peer 180.94.84.177
     set peer 180.94.84.181
     set transform-set a1 
     match address a1
    crypto map MAIN 2 ipsec-isakmp 
     description a2 
     set peer 67.159.45.250
     set transform-set a2 
     match address a2
    and ACLs for this MAIN crypto 
    ip access-list extended a1
     remark CCP_ACL Category=4
     permit ip host 192.168.28.31 host 10.150.82.43
     permit ip host 192.168.28.30 host 10.150.82.43
     permit ip host 192.168.28.31 host 10.150.82.73
     permit ip host 192.168.28.30 host 10.150.82.73
     permit icmp any any
    ip access-list extended a2
     remark CCP_ACL Category=20
     permit ip host 192.168.28.31 host 67.159.51.2
     permit ip host 192.168.28.30 host 67.159.51.2
     permit ip host 192.168.28.31 host 67.159.51.14
     permit ip host 192.168.28.30 host 67.159.51.14
     permit ip host 192.168.28.31 host 67.159.51.10
     permit ip host 192.168.28.30 host 67.159.51.10
     permit icmp any any
    ACL for inbound in WAN interface
    access-list 104 remark CCP_ACL Category=17
    access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
    access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
    access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
    access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
    access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
    access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
    access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
    access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
    access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
    access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
    access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
    access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
    access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
    access-list 104 permit icmp any any
    access-list 104 permit esp any host 67.159.45.250
    access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
    access-list 104 permit udp any host 67.159.45.250 eq isakmp
    access-list 104 permit ahp any host 67.159.45.250
    Please show me where the problem is in my configs. I have tried changing my config several times but the problem still exists.

    Nik
    As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
    I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
    HTH
    Rick

  • Crypto map removing itself after reload

    Hello,
    I just set up my site-to-site VPN with a PIX box and a Cisco 3745.
    The PIX box is fine, but whenever I reload the 3745 the crypto map is not applied to the interface after the reload.

    Hello,
    I did issue a write memory.
    sh ver
    Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Tue 21-Apr-09 14:41 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
    FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
    System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
    System restarted at 01:34:09 UTC Fri Jul 5 2013
    System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
    Processor board ID JMX0837L5AU
    R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
    2 FastEthernet interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    151K bytes of NVRAM.
    31360K bytes of ATA System CompactFlash (Read/Write)
    125952K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102

  • "Crypto map" to inside/internal interface. Possible?

    Hi, I have two routers on a point-to-point VPN where the "crypto map" statement is assigned to the external interface as normal. This works fine, but I need each router to present a different IP address from that of the external interface.
    For example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    lifetime 3600
    crypto isakmp key privatekey address 4.4.4.4 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
    set peer 4.4.4.4
    set transform-set 3des
    match address vpn
    interface FastEthernet0/0
    ip address 4.4.4.4 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    speed 10
    full-duplex
    no cdp enable
    crypto map VPN
    interface FastEthernet0/1
    ip address 8.8.8.8 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the crypto statements as below, but it still presents the 4.4.4.4, probably due to the interface the crypto map is applied to:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    lifetime 3600
    crypto isakmp key privatekey address 8.8.8.8 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
    set peer 8.8.8.8
    set transform-set 3des
    match address vpn
    How can I make sure that 8.8.8.8 is what's presented at the other end?
    Thanks
    Andy

    Hi Andy,
    I would suggest the following command:
    crypto map local-address
    http://tools.cisco.com/squish/9c85B
    To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
    crypto map map-name local-address interface-id
    no crypto map map-name local-address
    Example:
    interface loopback0
         ip address 4.2.2.2 255.255.255.252
    crypto map mymap local-address loopback0
    interface S0
          crypto map mymap
    Of course you need to make sure the remote end can reach this additional IP address.
    Let me know if you have any questions.
    Please rate any post that you find useful.

  • Multiple Crypto Maps on Single Outside Interface

    Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
    crypto map azure-crypto-map 10 match address azure-vpn-acl
    crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
    crypto map azure-crypto-map interface outside
    However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
    crypto map azure-crypto-map interface outside
    which blows away my original line:
    crypto map outside_map interface outside
    It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

    Hi,
    You can use the same "crypto map"
    Just add
    crypto map outside_map 10 match address azure-vpn-acl
    crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
    Your dynamic VPN Clients will continue to work just fine, as their "crypto map" statements have the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).
    What I mean by the above is that when an L2L VPN connection is formed from the remote end, it will naturally match the L2L VPN configuration you have in the "crypto map" entries using the number "10". Then when a VPN Client connects, it will naturally not match the number "10" specific configuration and will move to the next entry and match it (65535).
    If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
    Hope this helps
    - Jouni
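
An added example (not from any of the posts, and not Cisco code) that audits ASA crypto map lines before they are pasted in: it lists a map's sequence numbers in evaluation order, flags static entries left without a peer or match address (such as a mistyped sequence number) with the `clear configure crypto map` command that removes them, and reports when a second `crypto map ... interface` line would replace the map already applied. The sample config is constructed; the ACL names, one transform-set name and the peer addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed change script in ASA configuration syntax.
# Map names and sequence numbers echo the threads on this page; the ACL names,
# the ESP-AES-256-SHA transform set and the peer addresses (RFC 5737) are made up.
SAMPLE_CONFIG = """\
crypto map Map1 7 set peer 192.0.2.10
crypto map Map1 70 match address vpn-acl-70
crypto map Map1 70 set peer 192.0.2.10
crypto map Map1 70 set transform-set ESP-AES-256-SHA
crypto map Map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Map1 interface outside
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer 198.51.100.20
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(text):
    """Return ({map: {seq: entry}}, {interface: [maps in config order]})."""
    entries = defaultdict(dict)
    bindings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            bindings[bind.group(2)].append(bind.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = entries[m.group(1)].setdefault(
            int(m.group(2)), {"acl": None, "peers": [], "dynamic": None})
        words = m.group(3).split()
        if words[:2] == ["match", "address"] and len(words) > 2:
            entry["acl"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peers"].extend(words[2:])
        elif words[:2] == ["ipsec-isakmp", "dynamic"] and len(words) > 2:
            entry["dynamic"] = words[2]
    return dict(entries), dict(bindings)


def evaluation_order(entries, map_name):
    """Sequence numbers in the order they are tried (lowest number first)."""
    return sorted(entries.get(map_name, {}))


def incomplete_entries(entries):
    """Static entries lacking a peer or a match address, with a cleanup command."""
    findings = []
    for name, seqs in entries.items():
        for seq in sorted(seqs):
            e = seqs[seq]
            if e["dynamic"]:
                continue  # entry points at a dynamic-map, no static peer expected
            missing = [label for label, present in
                       (("peer", e["peers"]), ("match address", e["acl"]))
                       if not present]
            if missing:
                findings.append({
                    "map": name, "seq": seq, "missing": missing,
                    "cleanup": f"clear configure crypto map {name} {seq}"})
    return findings


def replaced_bindings(bindings):
    """Per interface: the map left applied and the maps a later line replaced."""
    return {ifname: {"active": maps[-1], "replaced": maps[:-1]}
            for ifname, maps in bindings.items() if len(maps) > 1}


if __name__ == "__main__":
    entries, bindings = parse_crypto_maps(SAMPLE_CONFIG)
    print("Map1 order:", evaluation_order(entries, "Map1"))
    for f in incomplete_entries(entries):
        print(f"{f['map']} {f['seq']} lacks {', '.join(f['missing'])}"
              f" -> {f['cleanup']}")
    for ifname, b in replaced_bindings(bindings).items():
        print(f"{ifname}: {b['active']} applied, replaced {b['replaced']}")
```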

  • [ERR]crypto map WARNING: This crypto map is incomplete

    I have a PIX 501 ver 6.3(5). When I set up VPN I get this error message:
    WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
    It seems fine in the sh conf command,
    but the tunnel is not started.
    When I review the log I find:
    sa_request,ISAKMP Phase 1 exchange started

    I could successfully establish VPN with another FW, a Cisco 501 6.3,
    but I still can't fix my dilemma when I connect to a Huawei Eudemon 500.
    sh isakmp
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer remote peer
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    sh crypto map
    Crypto Map: "outside_map" interfaces: { outside }
    Crypto Map "outside_map" 100 ipsec-isakmp
    Peer = remote peer
    access-list outside_cryptomap_100; 2 elements
    access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
    access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
    Current peer: remote peer
    Security association lifetime: 1843200 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ ESP-3DES-SHA, }
    Crypto Map: "set" interfaces: { }

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

    Hi!
    I have already searched for this but didn't get the exact answer I'm looking for, so I'm asking again (in case the same question already exists).
    I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels are being torn down because the remote side requests a proxy that doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
    The remote peer said they did not change the proxy ID on their side, so possibly the old platform just did not set up the SA, without tearing down the tunnel, while the ASA on the new platform tears it down if there is any mismatch.
    Anyway, I have asked the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration related to this issue? I.e., just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
    Thanks!!
    //Cody


  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

    Hi,
    I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
    Any ideas?
    Thanks Steve
    https://supportforums.cisco.com/thread/255085
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
    5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
    4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
    3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
    6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
    6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

    Are you trying to send traffic destined for the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
    If so, this end also needs to be configured with "any" as well; the crypto ACL needs to be a mirror image:
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0
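
An added example (not part of either thread) that extracts the rejected proxy pair from 713061 messages and compares it with one crypto ACL, producing the entry that would mirror the peer's proposal. The log lines are the two quoted on this page; the ACL content is constructed, and only `permit ip` entries with `any`, `host` or network/mask operands are handled.

```python
import ipaddress
import re

# The two 713061 messages quoted in the threads on this page.
SAMPLE_LOG = """\
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
"""

# Constructed crypto ACL; only the ACL name appears on the page.
SAMPLE_ACL = """\
access-list outside_1_cryptomap extended permit ip 10.10.9.0 255.255.255.0 host 192.168.1.226
"""

REJECT_RE = re.compile(
    r"Group = (?P<peer>[^,]+),.*?no matching crypto map entry for "
    r"remote proxy (?P<raddr>[^/\s]+)/(?P<rmask>[^/\s]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[^/\s]+)/(?P<lmask>[^/\s]+)/\d+/\d+ "
    r"on interface (?P<ifname>\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def net(addr, mask):
    """Build a network from a dotted address and a dotted netmask."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_rejections(log_text):
    """One dict per 713061 line: peer, interface, local and remote proxy."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            found.append({"peer": m["peer"].strip(), "interface": m["ifname"],
                          "local": net(m["laddr"], m["lmask"]),
                          "remote": net(m["raddr"], m["rmask"])})
    return found


def parse_acl(config_text, acl_name):
    """Return [(local_net, remote_net)] for the named ACL's 'permit ip' lines."""
    def take(tokens):
        first = tokens.pop(0)
        if first in ("any", "any4"):
            return net("0.0.0.0", "0.0.0.0")
        if first == "host":
            return net(tokens.pop(0), "255.255.255.255")
        return net(first, tokens.pop(0))

    pairs = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            tokens = m.group(2).split()
            pairs.append((take(tokens), take(tokens)))  # source, then destination
    return pairs


def spec(network):
    """Render a network the way it is written in an ACL entry."""
    if network.prefixlen == 0:
        return "any"
    if network.prefixlen == 32:
        return f"host {network.network_address}"
    return f"{network.network_address} {network.netmask}"


def check(log_text, config_text, acl_name):
    """Classify each rejection against the ACL and build its mirror entry."""
    pairs = parse_acl(config_text, acl_name)
    results = []
    for r in parse_rejections(log_text):
        if (r["local"], r["remote"]) in pairs:
            status = "exact"      # ACL already mirrors the proposal
        elif any(r["local"].overlaps(loc) and r["remote"].overlaps(rem)
                 for loc, rem in pairs):
            status = "overlap"    # same traffic, different proxy boundaries
        else:
            status = "none"       # ACL does not describe this traffic at all
        mirror = (f"access-list {acl_name} extended permit ip "
                  f"{spec(r['local'])} {spec(r['remote'])}")
        results.append({**r, "status": status, "mirror_ace": mirror})
    return results


if __name__ == "__main__":
    for res in check(SAMPLE_LOG, SAMPLE_ACL, "outside_1_cryptomap"):
        print(res["peer"], res["status"], "->", res["mirror_ace"])
```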

  • One crypto map, different tunnel source addresses (secondary)

    Hi,
    I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

    Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:
    crypto map to-peer_a 10 ipsec-isakmp
    set peer 10.1.3.1
    set local-address loopback1 <-- new command
    match address 100
    crypto map to-peer_a 20 ipsec-isakmp
    set peer 10.1.3.2
    set local-address loopback2 <-- new command
    match address 101
    Current code allows to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.

  • Troubles using VRF-aware IPsec w/ crypto maps

    I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
    So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
    What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
    https://supportforums.cisco.com/docs/DOC-13524
    Please see the attached config files and the setup drawing.
    This is the way I'm testing it:
    C2951#sh deb
    Cryptographic Subsystem:
      Crypto ISAKMP debugging is on
    C2951#
    C2951#ping vrf test 10.0.0.1 source lo 1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 40.0.0.1
    Success rate is 0 percent (0/5)
    C2951#
    Any hints for me, please?

    There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
    C2951#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: OUR-MAP, local addr 30.0.0.2
       protected vrf: test
       local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       current_peer 20.0.0.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
        #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xEB02ACDA(3942821082)
         PFS (Y/N): Y, DH group: group5
         inbound esp sas:
          spi: 0x1A943A9F(445921951)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
            sa timing: remaining key lifetime (k/sec): (4225929/3571)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xEB02ACDA(3942821082)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
            sa timing: remaining key lifetime (k/sec): (4225928/3571)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)
         outbound ah sas:
         outbound pcp sas:
    C2951#sh ip route 10.0.0.0
    % Network not in table
    C2951#sh ip route vrf test 10.0.0.0
    Routing Table: test
    Routing entry for 10.0.0.0/24, 1 known subnets
    S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

  • Crypto map gone wrong

    We've noticed a very strange issue on our Cisco 3800 router.
    The router is hosting multiple Site to Site VPN connections. All of the VPNs are working fine.
    While doing some routine diagnostics we've noticed that one of the VPN's crypto maps is not displayed correctly, as you can see in the image below.
    I checked the associated ACL and the last entry is displayed correctly.
    I also tried to recreate the acl to see if that will fix this.
    Only this crypto map is displayed like this. All of the others are displaying just fine.
    I noticed that if I remove the last statement from the ACL then the crypto map will be displayed correctly.
    What could be the reason for this phenomenon?
    Can this cause any connectivity issues in the future?

    Access-lists, FW (ZBF, CBAC) and all other features work on SVTI same way they would work on a physical or other logical interfaces (with very few exceptions). 

  • Crypto Map Dynamic IP Reconnection Issues

    Hello,
    We are connecting using at each remote site a Cisco 837 router with a ISDN modem as a passthrough to a PIX Firewall.
    Each time the ISDN connection drops the Cisco box either requires a reboot or the crypto map to be restarted before anyone can connect through to the PIX. Has anyone got any ideas please?
    Many Thanks
    Mark

    It'll be because the PIX doesn't recognise that the tunnel has gone down, and therefore still tries the old tunnel and nothing works, until you reboot the PIX or clear down the tunnels. All this does is make the PIX build new tunnels and everything works.
    You need to enable ISAKMP keepalives on both ends so that they'll determine that the other end has gone down and reset their own tunnels, allowing new ones to be built.
    Use:
    crypto isakmp keepalive 30
    on the router, and:
    isakmp keepalive 30
    on the PIX and they'll send keepalives every 30 seconds then and quickly know if the other end has died.

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
    Thanks for your comments in advance I am new to cisco technology,
    Joe        

    Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • N97 how to remove ovi maps to get memory free

    My phone always says not enough memory.
    Because the OVI maps cost a lot of money when I am outside my country, even when I use them offline,
    I decided to remove OVI maps completely to get memory free.
    So first I removed NOKIA MAPS and OVI Maps Wi-Fi/Network from application manager, installed maps.
    But unfortunately OVI Maps is still on my phone.
    So I tried to remove it from the menu with Options, Organize. But the delete will not show up.
    Can anyone help so I get some memory free?
    With Kind Regards,
    dikTrom

    diktrom wrote:
    My phone always says not enough memory.
    Because the OVI maps cost a lot of money when I am outside my country, even when I use them offline,
    I decided to remove OVI maps completely to get memory free.
    What's the real issue? Do you really want to regain memory, or is it ONLY because OVI Maps cost a lot of money (???). Because with proper settings OVI Maps will be totally FREE anywhere in the world. Refer to this:
    Maps should be pre-installed and set to Offline mode. Use only the Integrated GPS positioning method, and there should not be any cost incurred.
