Cisco ASA Backup Restore Certificates
I have a Cisco ASA 5505 as a BOVPN endpoint using certificates. The config is complete and I now need to back it up and restore to a cold standby Cisco ASA 5505 that will sit on the shelf until something goes wrong.
Problem is I cannot restore my certifcates to the standby.
Can someone point me to a process please.
I have tried the backup and restore wizard in ASDM and to be honest it didn't work.
Please help.
Thanks,
Martin,
Wouldn't it be simpler to put the two in failover for a few minutes (sync is done automatically on bulk sync).
Otherwise I can suggest to export the certificate in PKCS12 (cert + RSA) from active unit and import it into the "standby".
Active:
ciscoasa(config)# crypto ca export TEST pkcs12 cisco123
Standby:
ciscoasa(config)# crypto ca import TESTBLA pkcs12 cisco123
Marcin
Similar Messages
-
NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication
Hi everyone,
Hoping someone can help please.
We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
Has anyone implemented this before and if so, are there any guides available please?
Many Thanks,
Dean.Hi Dean,
Thanks for posting here.
Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
Checklist: Configure NPS for Dial-Up and VPN Access
http://technet.microsoft.com/en-us/library/cc754114.aspx
Thanks.
Tiger Li
Tiger Li
TechNet Community Support -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))
Hello
I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
Setup:
We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR: A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
Configuration in regards to certificate:
crypto key generate rsa label vpn.company.dk modulus 2048
crypto ca trustpoint vpn.trustpoint
keypair vpn.company.dk
fqdn none
subject-name CN=*.company.dk,C=DK
!id-usage ssl-ipsec
enrollment terminal
crl configure
crypto ca authenticate vpn.trustpoint
! <import intermediate certificate>
crypto ca enroll vpn.trustpoint
! <send CSR to CA>
crypto ca import vpn.trustpoint certificate
! <import SSL cert received back from CA>
ssl trust-point vpn.trustpoint outside
Problem:
When I try to import the certificate I receive the following error:
crypto ca import vpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
quit
ERROR: Failed to parse or verify imported certificate
Question:
- Does any one of you have any pointers in regards to what is going wrong?
- Especially in regards to fqdn and CN, I also have a question. My config
fqdn none
subject-name CN=*.company.dk,C=DK
would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
So do you have insight or pointers which might help me?
Thank you in advanceI also have a wildcard cert for my SSL VPN ASAs.
When i import the cert I use ASDM instead of CLI...
I import the wildcard as a *.pfx file and type in the password. works fine...
Perhaps the format is incorrect?
Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
Not sure if this helps but give ASDM a try? -
Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support ?
Hello
i want to verify if Cisco ASA 5585-X SSP-20 supports Wildcard SSL's.
CheersSupports them how?
As certificates issued to the ASA and properly bound to it's interfaces to support SSL VPN or ASDM access - yes.
You can configure a wildcard (or any other) certificate improperly and cause things not to work. However it's not a limitation of the device's operating system not supporting it. -
Installing 3rd party certificate in Cisco ASA
Hi,
We have configured an CSR in Cisco ASA for 3rd party CA to generate the certificate, however, the CSR configuration was lost because of some reason.
How can we install this certificate without the CSR in Cisco ASA. Or we have to generate another certificate from CA, it will be chargebale for the new certificate.
Anyone can help to advise ?
Thanks
VeonYou don't need the CSR once you have received the certificate from the third party certificate vendor. Just upload the CA Root certificate and the identity certificate from the certificate vendor to the ASA.
Here is configuration guide for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
Hope that helps. -
Cisco ASA 5505 Password Problem
I recently ran into a telnet, console, and enable password issue that was unexpected and I am hoping someone can explain what happened.
I had two working Cisco ASA 5505's that were two end-points of a Site-to-Site VPN. I had used the ASDM file management tools to copy disk0 startup-config.cfg to a file named old-startup-config.cfg on disk0, on both ASA systems, and I wanted those two files to function as good working startup-config backups that I could return to, right there on the firewall, if I had to. I also used the ASDM file management tools to make configuration "zip" backups to my local computer. I am aware that the actual startup-config file is some type of hidden file.
I had made some changes to both Cisco ASA 5505s, but no password changes, and everything was working great and was reloading great. Then, I suddenly found that I needed to revert back to the old working configurations that I had backed up previously. I used the ASDM file management tools to copy old-startup-config.cfg back to startup-config.cfg on disk0 on both machines. I think I may have also issued the CLI command copy old-startup-config.cfg startup-config. I asked both systems to reload without writing the running-config's to memory.
When the systems reloaded, the console, telnet, and enable passwords were no longer recognized on the CLI and Web interface. The interfaces loaded normally, but the passwords didn't work and the cisco default passwords didn't work either. I had to go to each unit's physical location and perform a power cycle and console password recovery.
I am not sure why that happened. Is the startup-config.cfg file on disk0 an altered version of the actual startup-config configuration with missing or encrypted password credentials? I would have never guessed in a million years that my procedure would have knocked out the enable password.
Instead of copy startup-config.cfg old-startup-config.cfg, should I have issued the command copy startup-config old-startup-config.cfg to make a local backup of a working configuration?
I have one more semi-related question. If one uses ASDM file management to create a zip backup of a startup-config or running-config and then proceeds to restore a running-config, when does the restored running-config take effect?If password recovery is disabled then you are locked out hard. You have to sacrifice the config to "re-admin" the appliance. Sorry for the bad news but that's the way it is by design. If there was a "back door" it would hardly be a security appliance would it?
-
Move SSL Cert from one device to another on Cisco ASA
Hello Everyone,
Is it possible to move SSL certificate + Key from one cisco asa to another ? I hope its possible and if someone can guide me towards correct documentation that would be perfect.
thank you
ManishWe have an ASA5550 running 8.2(5) that we're using as a VPN terminator; it died yesterday when we had a power glitch in the data center, and we're temporarily installing a spare 5510 (we don't have a spare 5550) until it's replaced. But the RSA keys on the spare don't match the ones on the old firewall, so when we try to install the old cert it fails:
ERROR: Keypair cannot be found for trustpoint UMVPN3-INCOMMON-MAY2020.
The old ASA is dead, so we can't do a straight export/import - all we have to work with is what's in yesterday's config backup...
I gather there's no way to extract the original keys from this; is there any way to recover in this case? Or must we export the certs from the ASAs with a "crypto ca export" and save copies of these in a secure location? -
Cisco NCS install signed certificate
Hello!
I have difficulties to install wildcard certificate(*.domain.com) into Cisco NCS Prime.
admin#ncs key importkey key.pem cert.perm repository ftpRepo
INFO: no staging url defined, using local space. rval:2
INFO: no staging url defined, using local space. rval:2
The WCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
Everything looks good! But after server restart I see old, self-signed certificate.
Please help me with this issue.restore.log:
Mon Mar 4 15:37:29 NOVT 2013: dowload of 2015_02_16.crt from repository ftpRepo: success.
Mon Mar 4 15:37:29 NOVT 2013: dowload of 2015_02_16.key from repository ftpRepo: success.
ADE.log:
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.key
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[52] [admin]: created backup history lock file
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained backup lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:backup: br_stage.c[72] [admin]: staging config set to default settings
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[371] [admin]: obtained repos-mgr lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: config:repository: rm_repos_cfg.c[173] [admin]: loaded repository ftpRepo
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released repos-mgr lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer.c[54] [admin]: ftp copy in of 2015_02_16.crt requested
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[92] [admin]: ftp get source - 2015_02_16.crt
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[93] [admin]: ftp get destination - /opt/CSCOncs/migrate/restore/2015_02_16.crt
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[112] [admin]: initializing curl
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: transfer: cars_xfer_util.c[125] [admin]: full url is ftp://10.54.111.20/2015_02_16.crt
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:backup: br_backup.c[41] [admin]: flushing the staging area
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: locks:file: lock.c[385] [admin]: released backup lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[252] [admin]: running date
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[76] [admin]: obtained backup history lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[160] [admin]: loaded history file /var/log/restore.log
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[118] [admin]: stored backup history file
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[90] [admin]: released backup history lock
Mar 4 15:37:29 sib-ncs01 debugd[3452]: [6990]: backup-restore:history: br_history.c[310] [admin]: added record to history
keyadmin-0-1.log:
03/01/13 16:00:14.962 INFO [system] [main] Setting management interface address to 10.54.11.108
03/01/13 16:00:14.968 INFO [system] [main] Setting peer server interface address to 10.54.11.108
03/01/13 16:00:14.968 INFO [system] [main] Setting client interface address to 10.54.11.108
03/01/13 16:00:14.968 INFO [system] [main] Setting local host name to sib-ncs01
03/01/13 16:00:17.647 INFO [admin] [main] The WCS server is running
03/01/13 16:00:17.647 INFO [admin] [main] Changes will take affect on the next server restart
03/01/13 16:00:17.647 INFO [admin] [main] Importing RSA key and matching certificate
Other logs dont show issues. -
CISCO ASA Clientless VPN Host Scan
Hi All
We open up Internet Explorer 8 on local PC, then we are connecting using clientless vpn to a CISCO ASA 5520 8.0(4), we are getting an issue with the local internet explorer browser closing after 20 mins. The content accessed from the VPN is still available but all local Internet Explorer processes are terminated.
When i look at the hostscan.log i get TOKEN_SUCESS followed by TOKEN_LOGGEDON for the first 20 mins. After 20 minutes i get TOKEN_INVALID followed by the browser kill command which is closing internet explorer. This is effecting all users. If i close the SSL VPN completly the same issue occurs after exactly 20 mins. The session below was started at 14:23:34 and we recieve TOKEN_LOGGEDON at 14:45:50 but TOKEN_INVALID at 14:46:50.
Hope someone can help?
Ian
Host Scan.Log:
[Tue Oct 09 14:45:50.296 2012][libcsd][info][asa_parse_dap_response] parsing DAP response.
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][asa_parse_dap_response] TOKEN_LOGGEDON
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][asa_parse_dap_response] no scan interval, defaulting to 60 sec.
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][cache_cleaner_check_browsers] cache cleaner enabled, verifying browser is still open.
[Tue Oct 09 14:45:50.343 2012][libcsd][debug][run_loop] sleeping for 60 seconds.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][run_loop] awake.
[Tue Oct 09 14:46:50.349 2012][libcsd][all][scan] performing scan.
[Tue Oct 09 14:46:50.349 2012][libcsd][info][process_system_scans] scanning system...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][update_file] updating file (C:\Users\REMOVED\AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][verify_file] verifying file: C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][verify_file] file has been verified: (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (kernel32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_os] os (Windows 7) version (Service Pack 1) arch (x64) proclevel (unknown)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_location] location (REMOVED)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_csdtype] csd protection (cache cleaner)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_csdtype] csd version (3.5.841)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_hostname] hostname (REMOVED)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (135)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (445)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (3389)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (5500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6051)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6129)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47002)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47006)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47007)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49152)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49153)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49154)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49175)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49179)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49184)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (9089)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (139)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (123)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (4500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (5355)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6004)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64000)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64246)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (1900)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (50907)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (53973)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (56922)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (57555)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (57906)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (59441)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60837)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60919)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (63966)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64019)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64955)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (65202)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (137)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (138)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (1900)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60918)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_macaddrs] found MAC addr (6431.5034.738f)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_applications] No removable applications installed.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] initializing certificate subsystem ...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] mozilla cert store enabled
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] capi cert store enabled
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] initializing mozilla certificate module...
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (kernel32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][reg_open_key] checking 32-bit registry hive: SOFTWARE\Mozilla\Mozilla Firefox.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] unable to load mozilla libs.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] initializing mozilla certificate module... failed
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_free_api] not initialized
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_free_api] not initialized
[Tue Oct 09 14:46:50.349 2012][libcsd][warn][cert_init] failed to initialize mozilla certificates
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (Crypt32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (Crypt32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (Crypt32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] initializing certificate subsystem ... done
[Tue Oct 09 14:46:50.349 2012][libcsd][warn][cert_get_user_certs_prop_list] mozilla certificates not initialized.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initializing certificate subsystem ...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initialization of capi certificated completed.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initializing certificate subsystem ... done
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_file_verify_trust] verifying file trust (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (Wintrust.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (Wintrust.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (Wintrust.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] file signature verified(C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll) loaded
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB958830)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2425227)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2479943)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2491683)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2503665)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2506014)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2506212)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2507618)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2509553)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2510531)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2511455)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2518869)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2532531)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2533552)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2534111)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2536275)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2536276)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2539635)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2544521)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2544893)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2552343)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2556532)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2560656)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2564958)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2567680)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2570947)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2572077)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2579686)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2584146)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2585542)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2588516)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2598845)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2618444)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2618451)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2619339)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2620704)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2620712)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2631813)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2633952)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2639417)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2641690)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2644615)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2656356)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB958488)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB976902)
[Tue Oct 09 14:46:50.895 2012][libcsd][info][process_host_scans] scanning environment...
[Tue Oct 09 14:46:50.895 2012][libcsd][info][process_inspector_scans] scanning for security software...
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][process_inspector_scans] no inspector list items.
[Tue Oct 09 14:46:50.895 2012][libcsd][info][scan_perform_scan] scanning complete.
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.version="Windows 7"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.servicepack="Service Pack 1"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.architecture="x64"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.processor_level="unknown"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.policy.location=" REMOVED "
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.protection="cache cleaner"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.protection_version="3.5.841"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.hostname=" REMOVED "
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["135"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["445"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["3389"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["5500"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["6051"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["6129"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47002"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47006"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47007"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49152"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49153"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49154"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49175"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49179"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49184"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["9089"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["139"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["123"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["500"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["4500"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["5355"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["6004"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64000"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64246"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["1900"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["50907"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["53973"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["56922"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["57555"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["57906"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["59441"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60837"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60919"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["63966"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64019"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64955"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["65202"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["137"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["138"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["1900"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60918"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.MAC["6431.5034.738f"]="true"
CERTIFICATE INFO REMOVED
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB958830"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2425227"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2479943"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2491683"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2503665"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2506014"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2506212"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2507618"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2509553"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2510531"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2511455"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2518869"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2532531"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2533552"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2534111"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2536275"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2536276"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2539635"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2544521"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2544893"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2552343"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2556532"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2560656"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2564958"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2567680"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2570947"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2572077"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2579686"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2584146"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2585542"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2588516"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2598845"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2618444"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2618451"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2619339"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2620704"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2620712"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2631813"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2633952"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2639417"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2641690"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2644615"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2656356"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB958488"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB976902"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting peer
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting l2 peer: (REMOVED)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting peer done. peer = REMOVED, referrer = REMOVED
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][asa_post_dap] sending results to: (REMOVED /+CSCOE+/sdesktop/scan.xml?reusebrowser=1)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie: (sdesktop=70E341AC00B5735F069D5FFE)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header: (Cookie: sdesktop=70E341AC00B5735F069D5FFE)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects: (10)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][asa_post_dap] sending results to: (REMOVED /+CSCOE+/sdesktop/scan.xml?reusebrowser=1)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_post] posting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] processing http response headers
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] getting http headers from l2
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] getting http headers headers from l2 done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][parse_response_headers] parsing http headers
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] --- Http Response Headers ---
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] HTTP-Version: 1.1
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Status-Code: 200
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Cache-Control: no-cache
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Connection: Keep-Alive
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Date: Tue, 09 Oct 2012 13:46:50 GMT
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Pragma: no-cache
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Transfer-Encoding: chunked
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Content-Type: text/xml
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Server: Cisco AWARE 2.0
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] --------------------
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][parse_response_headers] parsing http headers done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] processing http response headers done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_post] posting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_post_dap] results sent to (REMOVED).
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] --- http data ---
todo
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] --- http data ---
todo
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_post_dap] headend response: (<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_INVALID</status></hostscan>
[Tue Oct 09 14:46:50.926 2012][libcsd][info][asa_parse_dap_response] parsing DAP response.
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_parse_dap_response] TOKEN_INVALID
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_parse_dap_response] no scan interval, defaulting to 60 sec.
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][browser_restore] restoring browser settings.
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (2400)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (6944)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (2396)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (1436)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (532)
[Tue Oct 09 14:46:50.957 2012][libcsd][debug][restore_ie_history] restoring IE history.Windows 8 clientless SSL VPN is officially supported as of 9.0(2) and 9.1(2) codes:
Clientless SSL VPN: Windows 8 Support: http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html
Maybe upgrading your code will fix it...
Patrick -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq wwwHey Craig,
Based on your commands I think you were using 6.3 version on PIX and now you must be moving to ASA ver 8.2.x.
On 8.4 for interface defining use below mentioned example :
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
If you're still not able to reach.Paste your entire config and version that you are using on ASA. -
Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues
We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
"Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
Any insight would be greatly appreciated.
I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
Thanks much,
JustinJavier,
I logged into the ASA last time the VPN went down. I issued the following commands:
debug crypto isakmp 190
debug crypto ipsec 190
capture outside-cap interface outside match udp any any
I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
show capture outside | include 500
and also got nothing. So I issued the following command:
ping 4.2.2.2
Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100 1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100
It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
Once again, any insight would be greatly appreciated.
Thanks,
Justin -
Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!
Hello,
We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
Any advice would be greatly appreciated. Thank you.
UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/Hi Srinath,
If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
If you've access to ASDM.
You can go the Configuration Tab>>Device Management>>Device Access and turn on the SSH & Telnet from the LAN interface because by default only HTTPS/ASDM is enabled on LAN interface.
You will still need to generate crypto keys and create a username in order to get ssh working
For this you can click at the TOP at TOOLS>> Command Line Interface.
And in the box below type this
crypto key generate rsa modulus 1024
add a username
username <> password <> priv 15
and enable aaa authentication for ssh like this
aaa authentication ssh console LOCAL
Let me know if this helps.
Puneet -
L2TP on Cisco ASA 5505, just doesn't work??!
This is pretty urgent, client expects me to have this up by lunch today
So, there is this Cisco ASA 5505 ver 8.4.
Most things work but now I want to setup a vpn connection...
I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then 5 hours later removing everything and configuring from cli.
And it just doesn't work, client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating problem with phase 1, I'm pretty sure of that)
Googling on those gives a few suggestions none works.
All I get in the log on Cisco is the "Error processing payload: Payload ID: 1"
Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...)
For the cli config, I followed this tutorial carefully (3 times actually...)
http://www.cisco.com/en/US/docs/secu...html#wp1117464
I'm using PSK for IPSec, entered same on Cisco and client - checked several times, this is not a password/PSK issue.
Ports opened on Cisco: 500, 1701, 4500
(For a try I opened all ports, no change.)
And here's the "show run":
Code:
ASA Version 8.4(2)
hostname ciscoasa
enable password <string> encrypted
passwd <string> encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address #.#.#.# 255.255.255.252
interface Vlan7
description VLAN till kontor
no forward interface Vlan2
nameif kontor
security-level 100
ip address 172.16.5.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.5.2
object network Webserver443
host 192.168.5.2
object network rdp
host 192.168.5.2
object network vpnserver
host 192.168.5.2
object service vpn-service-group
object network VPN
host 192.168.5.2
object-group service Webports tcp-udp
description Portar för webbserver
port-object eq 443
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object Webports
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPNports tcp-udp
port-object eq 1701
port-object eq 4500
port-object eq 500
object-group service RDP tcp-udp
port-object eq 3389
object-group service vpn-services tcp-udp
port-object eq 1701
port-object eq 500
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object Webserver object-group DM_INLINE_TCP_1
access-list outside_access_in_1 remark Ãppnar för vpn
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group VPNports
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu kontor 1500
ip local pool vpn1 10.10.10.10-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network Webserver
nat (inside,outside) static interface service tcp www www
object network Webserver443
nat (inside,outside) static interface service tcp https https
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 79.142.243.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
.... (sorry, not giving you the cert...)
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2 1
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.5.11-192.168.5.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
address-pools value vpn1
group-policy DfltGrpPolicy attributes
dns-server value 79.142.240.10
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn1
username test password <string> nt-encrypted
username someoneelse password <string> nt-encrypted privilege 15
username someoneelse attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
service-type admin
username someone password <string> nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group vpn1 type remote-access
tunnel-group vpn1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd92aa6707dc63e8ed7dad47cfecdd47
: end
In Pingvino Veritas!I lmost got it working now, new problem is that the connection is immediately ended.
Logs shows that client is authenticated and assigned an ip.
From the logs, all happens during one second:
IPAA: Client assigned ip-address from local pool
IPAA: Local pool request succeeded for tunnel-group
IPAA: Freeing local pool address
L2TP Tunnel created, tunnel_id is 24
L2TP Tunnel deleted, tunnel_id =24
IPSEC: An outbound remote access SA has been deleted
IPSEC: An inbound remote access SA has been deleted
Session is being torn down. Reason: L2TP initiated
Teardown UDP connection
Maybe you are looking for
-
User Exit for KP90 to add Company Code
Hi Experts, I need to add company code to the selection criteria of the KP90 transaction and thereby clear plan data by company code. Please let me know the User Exit for the same or the way i should search for one. Or shall i instead create a Z pro
-
ESS Configuration for Homepage Framework
I am an experienced web developer but new to SAP web Technologies and any info is much appreciated... I now have an understanding how the SAP IMG configuration affects the SAP Portal ESS interface but ultimately what tells the ESS Portal to use the
-
I updated my computer with the I Photo June 2012 program and now I can not open I photo or shut off the computer because I get a message that says "The library needs to be updated to work with this version of I Photo' I have no other updates to in
-
After downloading the newest update my mac won't play videos!
today I downloaded the new itunes and quicktime update. Now quicktime will not work anymore. videos will not play it and the menu wont pop up at all...
-
Não consigo em hipótese alguma logar com o usuário SYSTEM, no "htmldb login", fiz tudo o que pede Installer Guide, no SQL Command Line eu consigo logar com este usuário. Alguém sabe o que fazer????