Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the Fa4 interface. I see in my packet captures that it hits the Vlan1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-580381394
 revocation-check none
 rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
 certificate self-signed 01
        quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
 import all
 network 10.0.16.0 255.255.255.0
 default-router 10.0.16.1
 dns-server 8.8.8.8
 lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
crypto map mymap 10 ipsec-isakmp
 set peer z.z.z.z
 set transform-set TS
 match address 115
interface Loopback0
 no ip address
interface Tunnel1
 no ip address
interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
interface FastEthernet4
 description $FW_OUTSIDE_WAN$
 ip address 50.y.y.y 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mymap
interface Vlan1
 description $ETH_LAN$
 ip address 10.0.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 100
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end
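
As an added check (not from the original post or any reply), the following Python lints the posted configuration for the NAT/crypto-map interaction the thread keeps circling around: whether the flows the crypto ACL selects are exempted from every NAT rule, whether a NAT rule reuses the crypto ACL itself, and whether a route-map references an ACL that is never defined. It assumes the IOS ordering in which inside-to-outside NAT is applied before the crypto map is consulted; the sample input is a trimmed copy of the configuration above.

```python
"""Lint the NAT / crypto-map interaction of an IOS site-to-site VPN config.
IOS applies inside-to-outside NAT before the crypto map, so the flows the
crypto ACL selects must be denied (exempted) in every NAT rule's ACL."""
import re
from collections import defaultdict

# Constructed sample: the NAT, ACL, route-map and crypto-map lines of the
# router configuration in the question above, trimmed to what the lint reads.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer z.z.z.z
 match address 115
interface FastEthernet4
 ip nat outside
interface Vlan1
 ip nat inside
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 199 permit ip a.a.a.a 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny)\s+(.*)$")


def parse(config_text):
    """Collect ACL entries, route-map matches, NAT rules and crypto ACLs."""
    cfg = {"acls": defaultdict(list), "route_maps": defaultdict(list),
           "nat_rules": [], "crypto_acls": set(), "inside_ifaces": set()}
    context = None  # (kind, name) of the indented block being read
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            context = None
            m = ACL_RE.match(line)
            if m:  # normalise whitespace so ACL entries compare textually
                cfg["acls"][m.group(1)].append((m.group(2), " ".join(m.group(3).split())))
            elif line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
                context = ("crypto", line.split()[2])
            elif line.startswith("route-map "):
                context = ("route-map", line.split()[1])
            elif line.startswith("interface "):
                context = ("interface", line.split()[1])
            elif line.startswith("ip nat inside source "):
                p = line.split()  # ... source {list|route-map} NAME interface IF overload
                via = p[7] if len(p) > 7 and p[6] == "interface" else None
                cfg["nat_rules"].append({"kind": p[4], "ref": p[5], "via": via, "line": line})
            continue
        if context is None:
            continue
        kind, name, body = context[0], context[1], line.strip()
        if kind == "crypto" and body.startswith("match address "):
            cfg["crypto_acls"].add(body.split()[2])
        elif kind == "route-map" and body.startswith("match ip address "):
            cfg["route_maps"][name].extend(body.split()[3:])
        elif kind == "interface" and body == "ip nat inside":
            cfg["inside_ifaces"].add(name)
    return cfg


def nat_acls(cfg, rule):
    """ACLs a NAT rule selects traffic with, directly or through its route-map."""
    if rule["kind"] == "list":
        return [rule["ref"]]
    return list(cfg["route_maps"].get(rule["ref"], []))


def audit(config_text):
    """Return (code, detail) findings about VPN traffic leaking into NAT."""
    cfg = parse(config_text)
    findings = []
    crypto_flows = {body for acl in cfg["crypto_acls"]
                    for action, body in cfg["acls"].get(acl, []) if action == "permit"}
    exempted = False
    for rule in cfg["nat_rules"]:
        if rule["via"] in cfg["inside_ifaces"]:
            findings.append(("NAT_TO_INSIDE_INTERFACE", rule["line"]))
        for acl in nat_acls(cfg, rule):
            if acl in cfg["crypto_acls"]:
                findings.append(("CRYPTO_ACL_USED_FOR_NAT", acl))
            if acl not in cfg["acls"]:
                findings.append(("UNDEFINED_ACL", f"{acl} referenced by {rule['ref']}"))
                continue
            denied = {body for action, body in cfg["acls"][acl] if action == "deny"}
            if crypto_flows and crypto_flows <= denied:
                exempted = True  # this NAT rule's ACL denies (exempts) the VPN flows
    if crypto_flows and not exempted:
        findings.append(("NO_NAT_EXEMPTION", sorted(crypto_flows)))
    referenced = {a for r in cfg["nat_rules"] for a in nat_acls(cfg, r)}
    for acl, entries in cfg["acls"].items():
        denied = {body for action, body in entries if action == "deny"}
        if crypto_flows and crypto_flows <= denied and acl not in referenced:
            findings.append(("UNUSED_NAT_EXEMPTION", acl))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports that crypto ACL 115 is also a NAT source list translated to the inside Vlan1 address, that route-map nonat matches an undefined ACL 100, and that ACL 110 would exempt the VPN flows but is wired to nothing.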

Why do you have the following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transform set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map 101?

Similar Messages

  • L2L issue, the tunnel does not come up from one direction

    Hello,
    We have configured a L2L VPN between an ASA and an 1841 router. We are facing this issue.
    The tunnel never comes up from the 1841 site. When we try to generate traffic from the ASA site the tunnel comes up and we can see decrypted and encrypted packets.
    Router 1841 Config:
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key * address 213.249.XX.XX
    crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
    crypto map EKO_BG 100 ipsec-isakmp
    set peer 213.249.x.x
    set security-association lifetime seconds 28800
    set transform-set XXXXX
    set pfs group2
    match address 111
    interface FastEthernet0/0.2
    encapsulation dot1Q 3338
    ip address 212.200.30.130 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    crypto map XXXXX
    ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
    ip nat inside source list 101 pool nat_pool overload
    ip nat inside source static 10.70.2.10 93.87.18.161
    ip nat inside source static 10.70.25.10 93.87.18.162
    ip nat inside source static 10.70.36.5 93.87.18.163
    ip nat inside source static 10.70.39.10 93.87.18.164
    ip nat inside source static 10.70.5.10 93.87.18.165
    access-list 101 deny   ip 10.70.200.0 0.0.0.255 any
    access-list 101 permit ip 10.70.0.0 0.0.255.255 any
    access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
    Asa Config:
    access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list outside_cryptomap_320 remark xxxxxxx
    access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
    pager lines 24
    nat (inside) 9 access-list inside_pnat_outbound_V5
    crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
    crypto map mymap 150 match address
    crypto map mymap 150 set pfs
    crypto map mymap 150 set peer XXXXXX
    crypto map mymap 150 set transform-set XXX
    crypto map mymap 150 set security-association lifetime seconds 28800
    crypto map mymap 150 set security-association lifetime kilobytes 10000
    crypto map mymap 320 match address outside_cryptomap_320
    crypto map mymap 320 set pfs
    crypto map mymap 320 set peer XXXXX
    crypto map mymap 320 set transform-set XXXXX
    crypto map mymap 320 set security-association lifetime seconds 28800
    crypto map mymap 320 set security-association lifetime kilobytes 4608000
    crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap interface outside
    isakmp policy 150 authentication pre-share
    isakmp policy 150 encryption 3des
    isakmp policy 150 hash md5
    isakmp policy 150 group 2
    tunnel-group 212.200.x.x type ipsec-l2l
    tunnel-group 212.200.x.x ipsec-attributes
    pre-shared-key *
    Please advise.
    Thank you.

    hello Ashley,
    thank you for this info. Now from the router site the tunneling is getting up and I can see packets but althought the tunnel is up it can not make telnet to our server (172.40.10.100) on a specific port.
    We from ASA site can ping router Site and make telnet.
    Any ideas???
    Thank you all from your answers!

  • I bought a macbook pro on november 2011 which had Lion OS installed on it. Playback plug-in in Mainstage 2.1.3 does not play files from the beginning (it leaves out like 50 mSecs or so). Is there a way to revert to Snow Leopard OS?

    BrettGoudy wrote:
    ...Is there any way I can install a partition that runs snow leopard on my early 2011 MB pro with what I have (new SSD, New RAM, Current version Lion running, no external drive, lack of original snow leopard disks [I lost them] and the general 10.6.3 snow leopard boot disks)...
    As the last post suggests, call Apple and order a replacement original disc for about $17.  They will ask you the model and serial numbers.
    Your retail version of Snow Leopard OS 10.6.3 will not work on that Mac as it requires a minimum of OS X 10.6.7 to boot and operate.
    Another alternative is to again borrow another Mac to install your retail Snow Leopard into an external HD or partition, upgrade it to 10.6.8 and then clone it back to a partition on your MBP.

  • Does WCCP support traffic from different VLANs(mapped to VRFs)?

    Hello,
    I have the following scenario from the WAN to the Data Center and from the WAN to the Branch:
    1. Router 2800/7200 with three (3) MPLS VRFs (VRF Lite)
    2. Switch 3750 with three (3) WAN VLANs (one for each VRF) and three (3) LAN User Traffic VLANs (one for each ASA Context) and one WAE VLAN
    3. WAE with WCCP enabled for one VLAN in the switch
    4. ASA with three (3) Contexts
    5. Three (3) Internal LANs (one for each Context)
    In summary, there are three flows of traffic which are separated along the way from Branch to Data Center. WAEs are working for one VLAN(VRF1) and WCCP is enabled at the 3750 Switch to do the redirection (not in the router). The question is: does WCCP support traffic from different VLANs (similar to inline 802.1Q) and handle all three flows separate? If so, what should the configuration be at the switch and the WAE?
    Thanks.

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publicly published on availability timelines.
    It's now publicly available on the forum... but I've only found it on the 3750 and 3550 documentation.
    At the 3750 you will need to place the redirect statement on each of the VLANs: ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name       Default RD   Interfaces
    blurvrf    100:2        Vlan215
                            Vlan326
    tgvrf      100:1        Vlan132
                            Vlan325
                            TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • Site-2-Site IPSEC VPN tunnel will not come up.

    Hello Experts,
    Just wondering if I can get some help on setting up an IPsec VPN tunnel between a Cisco 2921 and an ASA 550x. Below is the config.
    show run | s crypto
    crypto pki token default removal timeout 0
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
    mode transport
    crypto map ICQ-2-ILAND 1 ipsec-isakmp
    set peer A.A.A.A
    set transform-set ESP-AES128-SHA
    match address iland_london_s2s_vpn
    crypto map ICQ-2-ILAND
    The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
    The command Sh crypto isakmp sa displays the following
    show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA
    show crypto session
    Crypto session current status
    Interface: GigabitEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: A.A.A.A port 500
      IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
      IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
      IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    The debug logs from the debug crypto isakmp command are listed below.
    ISAKMP:(0): local preshared key found
    Dec  6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
    Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
    Dec  6 08:51:52.019: ISAKMP:      keylength of 128
    Dec  6 08:51:52.019: ISAKMP:      hash SHA
    Dec  6 08:51:52.019: ISAKMP:      default group 2
    Dec  6 08:51:52.019: ISAKMP:      auth pre-share
    Dec  6 08:51:52.019: ISAKMP:      life type in seconds
    Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
    Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
    Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
    Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
    Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
    Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
    Dec  6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
    Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
    Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
    Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
    Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
    Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
    Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
    Dec  6 08:51:52.175: ISAKMP:received payload type 20
    Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
    Dec  6 08:51:52.175: ISAKMP:received payload type 20
    Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
    Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
    Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Dec  6 08:51:52.179: ISAKMP (1227): ID payload
            next-payload : 8
            type         : 1
            address      : B.B.B.B
            protocol     : 17
            port         : 500
            length       : 12
    Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
    Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
    Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
    Dec  6 08:51:52.315: ISAKMP (1227): ID payload
            next-payload : 8
            type         : 1
            address      : A.A.A.A
            protocol     : 17
            port         : 0
            length       : 12
    Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
    Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
    Dec  6 08:51:52.315: ISAKMP:received payload type 17
    Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
    Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
            authenticated
    Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
    Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/,  and inserted successfully 2B79E8BC.
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
    Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
    Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
    Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
    Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 0, message ID = 2554750723, sa = 0x2B78D574
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
    Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
    Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
    Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
    Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
    Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    I would appreciate any help you can provide.
    Regards,
    Sidney Dsouza

    Hi Anuj,
    Thanks for responding. Here are the logs from debug crypto ipsec:
    Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
        local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
        remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    That's all that appeared after pinging the remote subnet.

  • Cisco ASA & Router Site to Site VPN up but not passing traffic

    Dear all,
    Please help me with the VPN issue in the attached document: the site-to-site VPN is up but I am not able to pass traffic.
    Thanks in advance
    ahossain

    ASA#
    ASA Version 8.2(1)
    hostname Active
    domain-name test.com
    interface Ethernet0/0
    description LAN/STATE Failover Interface
    interface Ethernet0/1
    speed 100
    nameif outside
    security-level 0
    ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
    interface Ethernet0/2
    nameif DMZ
    security-level 50
    ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
    interface Ethernet0/3
    description INSIDE
    speed 100
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa821-k8.bin
    boot config disk0:/running-config
    ftp mode passive
    dns server-group DefaultDNS
    domain-name test.com
    access-list deny-flow-max 1
    access-list alert-interval 2
    access-list allow extended permit ip any any
    access-list VPN extended permit ip any any
    access-list OUTSIDE extended permit ip any any
    access-list al-outside extended permit ip any host 212.107.106.129
    access-list al-outside extended permit ip any any
    access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit ip any any
    access-list DMZ_access_out extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in_1 extended permit ip any any
    access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu DMZ 1500
    mtu inside 1500
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/0
    failover key *****
    failover link failover Ethernet0/0
    failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any DMZ
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
    route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    ASA Version 8.2(1)
    hostname Active
    domain-name test.com
    interface Ethernet0/0
    description LAN/STATE Failover Interface
    interface Ethernet0/1
    speed 100
    nameif outside
    security-level 0
    ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
    interface Ethernet0/2
    nameif DMZ
    security-level 50
    ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
    interface Ethernet0/3
    description INSIDE
    speed 100
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa821-k8.bin
    boot config disk0:/running-config
    ftp mode passive
    dns server-group DefaultDNS
    domain-name test.com
    access-list deny-flow-max 1
    access-list alert-interval 2
    access-list allow extended permit ip any any
    access-list VPN extended permit ip any any
    access-list OUTSIDE extended permit ip any any
    access-list al-outside extended permit ip any host 212.107.106.129
    access-list al-outside extended permit ip any any
    access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit ip any any
    access-list DMZ_access_out extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in_1 extended permit ip any any
    access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu DMZ 1500
    mtu inside 1500
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/0
    failover key *****
    failover link failover Ethernet0/0
    failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any DMZ
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
    route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    service resetoutside
    crypto ipsec transform-set mal esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map mal 10 set peer 212.107.106.129
    crypto map IPSec_map 10 match address encrypt_acl
    crypto map IPSec_map 10 set peer 212.107.106.129
    crypto map IPSec_map 10 set transform-set mal
    crypto map IPSec_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 outside
    ==================================================================
    Remote-Router#
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXXX address 212.71.53.38
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set mal esp-3des esp-md5-hmac
    crypto map mal 10 ipsec-isakmp
    set peer 212.71.53.38
    set transform-set mal
    match address 120
    interface Loopback0
    ip address 10.3.3.1 255.255.255.0
    ip virtual-reassembly in
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 172.20.34.54 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    load-interval 30
    duplex auto
    speed auto
    crypto map mal
    interface GigabitEthernet0/1
    ip address 212.107.106.129 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache
    duplex auto
    speed auto
    crypto map mal
    interface GigabitEthernet0/2
    description *!* LAN *!*
    ip address 10.2.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
    ip nat inside source route-map nonat pool OUTPOOL overload
    ip route 0.0.0.0 0.0.0.0 172.20.34.53
    ip route 10.1.1.0 255.255.255.0 212.107.106.130
    ip route 192.168.50.0 255.255.255.0 212.71.53.38
    ip access-list extended outside
    remark CCP_ACL Category=1
    permit ip any any log
    ip access-list extended outside1
    remark CCP_ACL Category=1
    permit ip any any log
    access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 130 permit ip 10.2.2.0 0.0.0.255 any
    route-map nonat permit 10
    match ip address 130
    control-plane

  • Remote Access VPN connecting but not passing traffic

    I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.
    3118-FWL001(config)# sho run
    : Saved
    ASA Version 7.2(3)
    hostname 3118-FWL001
    domain-name rr-rentals.com
    enable password hEgvNHfNHV8zypPu encrypted
    names
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 199.X.X.162 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd 2KFQnbNIdI.2KYOU encrypted
    banner exec
    banner exec
    banner exec
    banner exec Any attempted or unauthorized access, use, or modification is prohibited.
    banner exec Unauthorized users may face criminal and/or civil penalties.
    banner exec The use of this system may be monitored and recorded.
    banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
    banner exec provide the records to law enforcement.
    banner exec Be safe!  Do not share your access information with anyone!
    banner exec
    banner exec
    banner exec
    banner asdm
    banner asdm
    banner asdm
    banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
    banner asdm Unauthorized users may face criminal and/or civil penalties.
    banner asdm The use of this system may be monitored and recorded.
    banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
    banner asdm provide the records to law enforcement.
    banner asdm Be safe!  Do not share your access information with anyone!
    banner asdm
    banner asdm
    banner asdm
    ftp mode passive
    dns server-group DefaultDNS
     domain-name rr-rentals.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_acl extended permit ip any host 199.X.X.163
    access-list outside_acl extended permit icmp any any echo
    access-list outside_acl extended permit icmp any any echo-reply
    access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
    access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
    access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
    access-list outside_acl extended permit tcp any any eq ftp
    access-list outside_acl extended permit tcp any any eq ftp-data
    access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
    access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
    access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
    access-list outside_acl extended permit icmp any any unreachable
    access-list outside_acl extended permit icmp any any time-exceeded
    access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
    access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 1048576
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
    access-group outside_acl in interface outside
    route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 216.X.X.64 255.255.255.192 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1200
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 50.X.X.58
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 75.X.X.253
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 173.X.X.69
    crypto map outside_map 3 set transform-set ESP-AES-128-SHA
    crypto map outside_map 4 match address outside_4_cryptomap
    crypto map outside_map 4 set pfs
    crypto map outside_map 4 set peer 70.X.X.194
    crypto map outside_map 4 set transform-set ESP-AES-128-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.10.2 255.255.255.255 inside
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 216.X.X.64 255.255.255.192 outside
    ssh 50.X.X.58 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access inside
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    tftp-server outside 216.X.X.116 3118-FWL001.config
    group-policy rr-vpn internal
    group-policy rr-vpn attributes
     dns-server value 216.X.X.12 66.X.X.11
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value rr-vpn_splitTunnelAcl
    username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
    username rrlee attributes
     vpn-group-policy rr-vpn
    username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
    username cschirado attributes
     vpn-group-policy rr-vpn
    username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
    username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
    username troy password amZKsxVU.8N9kKPb encrypted privilege 0
    username troy attributes
     vpn-group-policy rr-vpn
    username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
    username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
    username druiz attributes
     vpn-group-policy rr-vpn
    username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
    username theresa attributes
     vpn-group-policy rr-vpn
    username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
    username kevin attributes
     vpn-group-policy rr-vpn
    username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
    username andrea attributes
     vpn-group-policy rr-vpn
    tunnel-group 50.X.X.58 type ipsec-l2l
    tunnel-group 50.X.X.58 ipsec-attributes
     pre-shared-key *
    tunnel-group 75.X.X.253 type ipsec-l2l
    tunnel-group 75.X.X.253 ipsec-attributes
     pre-shared-key *
    tunnel-group 72.X.X.71 type ipsec-l2l
    tunnel-group 72.X.X.71 ipsec-attributes
     pre-shared-key *
    tunnel-group 173.X.X.69 type ipsec-l2l
    tunnel-group 173.X.X.69 ipsec-attributes
     pre-shared-key *
    tunnel-group rr-vpn type ipsec-ra
    tunnel-group rr-vpn general-attributes
     address-pool vpnpool
     default-group-policy rr-vpn
    tunnel-group rr-vpn ipsec-attributes
     pre-shared-key *
    tunnel-group 70.X.X.194 type ipsec-l2l
    tunnel-group 70.X.X.194 ipsec-attributes
     pre-shared-key *
    prompt hostname context

    Here are the results of the commands you requested. I'm not able to ping either direction.
    Thanks,
    James
    3118-FWL001# sho cry isa sa
       Active SA: 5
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 5
    1   IKE Peer: 50.34.254.58
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 173.10.71.69
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    3   IKE Peer: 75.151.109.253
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    4   IKE Peer: 70.99.88.194
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    5   IKE Peer: 216.211.143.85
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    3118-FWL001# sho cry ips sa
    interface: outside
        Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
          current_peer: 216.211.143.85, username: kevin
          dynamic allocated peer ip: 192.168.20.2
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: CBF94621
        inbound esp sas:
          spi: 0x8D8279CA (2374138314)
             transform: esp-3des esp-sha-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 200, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 28715
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xCBF94621 (3422111265)
             transform: esp-3des esp-sha-hmac none
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 200, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 28715
             IV size: 8 bytes
             replay detection support: Y
        Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
          access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          current_peer: 50.34.254.58
          #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
          #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: FE16571B
        inbound esp sas:
          spi: 0x78BD7E4F (2025684559)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 86, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4263158/5788)
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xFE16571B (4262876955)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 86, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4064653/5788)
             IV size: 16 bytes
             replay detection support: Y
        Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162
          access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
          current_peer: 70.99.88.194
          #pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
          #pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 533F55E1
        inbound esp sas:
          spi: 0xE2F461AD (3807666605)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 194, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4273818/27167)
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x533F55E1 (1396659681)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 194, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4266133/27167)
             IV size: 16 bytes
             replay detection support: Y
        Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162
          access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 75.151.109.253
          #pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
          #pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 8D74AC18
        inbound esp sas:
          spi: 0x0CF7F70B (217577227)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 195, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4274490/23242)
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x8D74AC18 (2373233688)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 195, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4270718/23242)
             IV size: 16 bytes
             replay detection support: Y
        Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162
          access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
          current_peer: 173.10.71.69
          #pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
          #pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 2E8A6147
        inbound esp sas:
          spi: 0x467968AB (1182361771)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 154, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4270213/18597)
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x2E8A6147 (780820807)
             transform: esp-aes esp-sha-hmac none
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 154, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4162093/18597)
             IV size: 16 bytes
             replay detection support: Y
    3118-FWL001# sho run route
    route outside 0.0.0.0 0.0.0.0 199.21.66.161 1

  • L2L tunnel up, not passing traffic...all of a sudden

    I've had a tunnel in place on a 5505 to a remote network I don't control...so my troubleshooting there is limited. But the tunnel has been in place for over a year without issue. Suddenly it doesn't appear to be passing traffic. But it is in at least one direction.
    Remote network: 192.168.191.0/24
    Local ASA side: 10.220.78.0/24
    I had a constant ping started from 192.168.191.10 > 10.220.78.23
    Which is a Windows server pinging a Windows workstation.
    When I debug icmp on the ASA I get:
    ICMP echo request from outside:192.168.191.10 to inside:10.220.78.23 ID=1 seq=2866 len=32
    ICMP echo reply from inside:10.220.78.23 to outside:192.168.191.10 ID=1 seq=2866 len=32
    Which confirms to me that the remote network is in fact traversing the tunnel and hitting the 10.220.78.23 device, which is in fact responding, and the reply is being sent out the ASA.
    The tunnel negotiates and comes up any time I reset it; by all accounts it looks correct.
    The problem is not limited to ICMP as I'm unable to net use or map drives, nor can 192.168.191.10 print to the printer at 10.220.78.20.
    But once I saw the icmp trace output I pretty much figured it has to be on the remote end...so....
    My question, can I absolutely infer from this that the issue resides on the remote end?

    Some additional info. Aside from the ping they have running from the remote network, which is shown in the above icmp trace, if I run packet tracer from the local network to the remote, the tunnel's up and traffic is allowed. Not a big surprise since the tunnel does negotiate and stay up.
    I captured packets from the ASA and I can see the local 10.220.78.23 device sending the reply to 192.168.191.10.  Matching up with the icmp trace.
    I had them run a packet capture on their firewall and confirmed that the ICMP requests from 192.168.191.10 are being encapsulated and sent on the tunnel. Again confirmed in my mind since I see the requests on the ASA. But they don't ever see the response.
    There's no tcp adjust mss command on the ASA but there's this in the config:
    ASA# sh run all sys
    no sysopt connection timewait
    sysopt connection tcpmss 1380
    sysopt connection tcpmss minimum 0
    sysopt connection permit-vpn
    sysopt connection reclassify-vpn
    no sysopt connection preserve-vpn-flows
    no sysopt nodnsalias inbound
    no sysopt nodnsalias outbound
    no sysopt radius ignore-secret
    no sysopt noproxyarp inside
    no sysopt noproxyarp outside
    Any other ideas?
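    Both this thread and the remote-access thread above come down to the same question: the SA is up, so what do its counters say about traffic? The script below is an added example (not from either post, not a Cisco tool) that parses ASA "show crypto ipsec sa" output and labels each SA idle, inbound-only, outbound-only or bidirectional from the #pkts encaps/decaps counters. SAMPLE is constructed: its first two SAs reuse the values posted in the remote-access thread, and the third is a made-up one-way SA with the placeholder peer 203.0.113.1, since the L2L post gave no SA output.

```python
"""Classify IPsec SAs from ASA "show crypto ipsec sa" output by their counters.

Added example, not from either post and not a Cisco tool. SAMPLE is constructed:
the first two SAs use the values shown in the remote-access thread, the third is
a made-up one-way SA with placeholder peer 203.0.113.1 (the L2L post gave no SA
output).
"""
import re

SAMPLE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
      current_peer: 216.211.143.85, username: kevin
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 50.34.254.58
      #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
      #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map, seq num: 9, local addr: 199.21.66.162
      local ident (addr/mask/prot/port): (10.220.78.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.191.0/255.255.255.0/0/0)
      current_peer: 203.0.113.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2866, #pkts decrypt: 2866, #pkts verify: 2866
      #send errors: 0, #recv errors: 0
"""

TAG_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer: ([^,\s]+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA block with map, seq, peer, idents and counters."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue  # header lines such as "interface: outside"
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1) + "_ident"] = m.group(2)
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ERR_RE.match(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
            continue
        for name, value in COUNT_RE.findall(line):
            cur[name] = int(value)
    return sas


def classify(sa):
    """What the counters say about traffic on this SA."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"            # SA is up but nothing has matched it either way
    if sa["encaps"] == 0:
        return "inbound-only"    # peer's packets decrypt, ours are never encrypted
    if sa["decaps"] == 0:
        return "outbound-only"   # we encrypt, nothing from the peer decrypts
    return "bidirectional"


def report(text):
    """(map, seq, peer, local ident, remote ident, label) for every SA in text."""
    return [(sa["map"], sa["seq"], sa.get("peer"), sa.get("local_ident"),
             sa.get("remote_ident"), classify(sa)) for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%s#%d peer %s %s -> %s: %s" % row)
```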

  • The "Awesome Bar" is not working. It does not recall anything from the Bookmarks

    Just updated to the new Firefox. In the past, when I would start to type a site in the address bar, Firefox would complete it, as it was already in my bookmarks. But now it does not do anything. It just sits there waiting for me to complete the address. I could start to type Netf and it would automatically finish Netflix.com.
    Why is this happening? Also, for the first couple of days of the new version I had to go back into Tools, Options and reset things at least 3 or 4 times before they would finally stay the way I wanted them.
    I would tell it Never Remember History and after a while I would look and it would say Remember History. I wanted a blank Start page, and it kept changing it. It's okay now but the Awesome Bar is not working at all.

    Do your bookmarks show up in the auto-suggest drop-down list?
    ''If not:'' Under Options > Privacy, in the bottom section, does it still show that Firefox should suggest Bookmarks in the Location bar?
    If auto-suggest works but the autofill isn't happening, you could double-check that it has not been disabled here:
    (1) In a new tab, type or paste '''about:config''' in the address bar and press Enter. Click the button promising to be careful.
    (2) In the search box above the list, type or paste '''autof''' and pause while the list is filtered.
    (3) If the '''browser.urlbar.autoFill''' preference is bold and "user set" to false, double-click it to switch its value back to the default value of true. That should work in new tabs.
    It's it already true, hmm, I wonder whether this is a private browsing issue? (I didn't test with automatic private browsing.)

  • Link posted on Facebook does not import Photo from the site

    When I paste a link into a status line on Facebook, it imports the title and annotation of the page correctly. However, Facebook does not show any photo from the page (as it does with other websites).
    Is there a way to force Facebook to show a photo alongside the title etc.?
    I am trying to post, for instance, this: http://www.cykasy.cz/Atlas/Cycas_xipholepis.html
    and would like to show some of the pictures on Facebook too.

    It seems that the only solution is to write a piece of code into the header of the page that will tell Facebook where to pull the title, description and photo from. The code that needs to be inserted is below.
    THE PROBLEM - this solution doesn't work if you have built your site using iWeb. Everyone with iWeb who has responded to this solution (everywhere it is written about) has said this.
    Does anyone know another workaround?
    The solution for anyone without iWeb:
    <meta name="title" content="INSERT CONTENT HERE" />
    <meta name="description" content="INSERT CONTENT HERE" />
    <link rel="image_src" href="INSERT LOCATION OF PHOTO WEB ADDRESS HERE" />

  • The audio does not play back from the speakers of my laptop, it plays only through headphones ?

    Hi, I am not able to hear playback of audio from the speakers on my laptop. Only if I connect a headphone I am able to hear. Kindly help resolve.
    Regards,
    Vivek. V.

    Hi
    1) Try a Hard Reset as follows.
    Remove any devices connected to the notebook.  Shut down the notebook, unplug the AC Adapter and then remove the battery.  Hold  down the Power button for 30 seconds.  Re-insert the battery, plug in the AC Adapter and start the notebook - check if the speakers are now working.
    2) First, please check that the speaker icon on the unit is not muted.
    3) Go to Device Manager and uninstall the sound driver, then restart; the unit will install the driver automatically.
    4) Try doing a System Restore to a date when the unit was working fine.
    5) Try updating the Audio and BIOS drivers from the hp.com website.
    Let us know how it goes!
    "I work for HP."
    ****Click the (purple thumbs up icon in the lower right corner of a post) to say thanks****
    ****Please mark Accept As Solution if it solves your problem****
    Regards
    Manjunath

  • My daughter changed her access code and forgot, how does she access it?  iTunes does not recognize it from the computer (it is registered in my user name).  HELP? Oh the nearest Apple Store is about 40 miles away.

    My daughter forgot her access code to her iPod touch. iTunes can't access it when I plug it in. It is registered under my ID. How do we reset the passcode without the passcode?

    Place the iOS device in Recovery Mode and then connect to your computer and restore via iTunes. The iPod will be erased.
    iOS: Wrong passcode results in red disabled screen        
    If recovery mode does not work try DFU mode.
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings

  • HTTP POST method does not pass parameters to the server

    Hi,
    I am using SSO via the VSJ product, implemented using a filter.
    I have problems as below:
    1. Every request to the web server will be intercepted by this VSJ filter and if SSO does not succeed it will send 403.
    2. My system will detect the 403 in web.xml and redirect to the login page.
    3. The user keys in username and password and logs in.
    4. After successful login, set the HttpSession and redirect to the homepage.
    The problem is that subsequent form submits / AJAX calls using the "POST" method cannot pass any parameters to the server (parameters sent using POST will be null on the server). GET is okay.
    If I comment out the VSJ filter altogether, everything works as normal.
    My questions are:
    1. Is there any way to overcome this?
    2. Is there any method to clear off whatever this SSO VSJ has set (clear cookies / start a new browser instance / etc.) in order to forget the state?
    Any idea?
    Thanks

    Yes.
    Here to illustrate (the attribute name "loginSucces" is spelled as in the original):
    public class MyFilter extends VSJAuthFilter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) request).getSession();
            if (!Boolean.TRUE.equals(session.getAttribute("loginSucces"))) {
                // not logged in yet: call the VSJ Auth filter to perform SSO so the User Principal gets populated
                super.doFilter(request, response, chain);
            } else {
                chain.doFilter(request, response); // already logged in: normal filter chain
            }
        }
    }
    My filter only intercepts *.jsp and *.do.
    Basically, here is the pattern that I observe:
    1. If I hit the default URL (homepage.do) for the first time it will trigger super.doFilter(); it will then throw 403 and redirect to login.html. After success and going to the homepage, the subsequent POST parameters are missing.
    2. If I hit the external login page directly just to simulate (e.g. login.html) it won't trigger this filter. After success and going to the homepage, the subsequent POST parameters are okay.
    3. GET is always OK.
    I am using WebLogic Server 10.x, btw.
    Thanks

  • IPod touch music does not start songs from the beginning

    The songs on an iPod touch do not start from the beginning. How do you fix this?

    In your iTunes Library, check the songs to see if they are set to Remember playback position. If they are, turn that off and Sync the iPod with iTunes for these new changes to take effect.
    Highlight a song, right-click/Get Info/Options>Remember playback position:

  • The "New Tab" function does not work either from the tab bar, the File drop down menu or using CTRL+T

    The new tab is visible on the tab bar but clicking on it does not open a new tab. Neither can I open a new tab from the File drop-down menu, nor with the Ctrl+T method as indicated in the troubleshooting guide.

    Un-install the '''''Ask Toolbar''''' which many users have reported causing that problem.
    *http://support.mozilla.com/en-US/kb/Uninstalling+add-ons
    *http://support.mozilla.com/en-US/kb/Cannot%20uninstall%20an%20add-on
    '''You need to update the following.''' The Plugin version(s) shown below was/were submitted with your question and is/are out of date. You should update to avoid known security issues with the version(s) you have installed. Click on "More system info..." to the right of your question to see what was included with your question.
    *Adobe Shockwave for Director Netscape plug-in, version 11.5
    *Shockwave Flash 10.1 r102
    *Next Generation Java Plug-in 1.6.0_24 for Mozilla browsers
    #'''''Check your plugin versions''''' on either of the following links:
    #*http://www.mozilla.com/en-US/plugincheck/
    #*https://www-trunk.stage.mozilla.com/en-US/plugincheck/
    #*'''Note: plugin check page does not have information on all plugin versions'''
    #*There are plugin specific testing links available from this page:
    #**http://kb.mozillazine.org/Testing_plugins
    #'''Update Shockwave for Director'''
    #*NOTE: this is not the same as Shockwave Flash; this installs the Shockwave Player.
    #*Use Firefox to download and SAVE the installer to your hard drive from the link in the article below (Desktop is a good place so you can find it).
    #*When the download is complete, exit Firefox (File > Exit)
    #*Locate and double-click on the installer you just downloaded, and let the install complete.
    #*Restart Firefox and check your plugins again.
    #*'''<u>Download link and more information</u>''': http://support.mozilla.com/en-US/kb/Using+the+Shockwave+plugin+with+Firefox
    #'''Update the [[Managing the Flash plugin|Flash]] plugin''' to the latest version.
    #*Download and SAVE to your Desktop so you can find the installer later
    #*If you do not have the current version, click on the "Player Download Center" link on the "'''Download and information'''" or "'''Download Manual installers'''" below
    #*After download is complete, exit Firefox
    #*Click on the installer you just downloaded and install
    #**Windows 7 and Vista: may need to right-click the installer and choose "Run as Administrator"
    #*Start Firefox and check your version again or test the installation by going back to the download link below
    #*'''Download and information''': http://www.adobe.com/software/flash/about/
    #**Use Firefox to go to the above site to update the Firefox plugin (will also install plugin for most other browsers; except IE)
    #**Use IE to go to the above site to update the IE ActiveX
    #*'''Download Manual installers'''.
    #**http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller
    #**Note separate links for:
    #***Plugin for Firefox and most other browsers
    #***ActiveX for IE
    #'''Update the [[Java]] plugin''' to the latest version.
    #*Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java Platform: Download JRE)
    #**'''''Be sure to <u>un-check the Yahoo Toolbar</u> option during the install if you do not want it installed.'''''
    #*Also see "Manual Update" in this article to update from the Java Control Panel in Windows Control Panel: http://support.mozilla.com/en-US/kb/Using+the+Java+plugin+with+Firefox#Updates
    #* Removing old versions (if needed): http://www.java.com/en/download/faq/remove_olderversions.xml
    #* Remove multiple Java Console extensions (if needed): http://kb.mozillazine.org/Firefox_:_FAQs_:_Install_Java#Multiple_Java_Console_extensions
    #*Java Test: http://www.java.com/en/download/help/testvm.xml
