Cisco ASA5505 sla monitoring

Similar Messages

• Cisco ASA SLA monitoring

  I'm trying to configure an SLA on some of our ASAs and I want to monitor the hostname of a destination rather than the IP address.  The CLI gives me an option to enter IP or hostname, but when I try and use a name rather than an IP address I get:
  (config-sla-monitor)# type echo protocol ipIcmpEcho ?
  sla-monitor mode commands/options:
    Hostname or A.B.C.D  IP address or hostname
  (config-sla-monitor)# type echo protocol ipIcmpEcho google.com
                                                                 ^
  ERROR: % Invalid Hostname
  (config)# ping google.com
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 173.194.37.128, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms
  Any ideas or suggestions?  I've tried local hostnames just to make sure it wasn't a resolution issue.  Substituting with the IP address works fine.  We just have a particluar vendor we depend on that has a propensity to change IP addresses to a cloud app we depend on and not tell us.
  If this posts answers your question or is helpful, please consider rating it and/or marking as answered.       

  Hi,
  Always used the IP address so I have no previous expirience of configuring with hostname.
  The Command Reference is very vague with regards to the definition of the hostname.
  Initially I thought that he problem might be that the DNS lookups are not enabled on the ASA so it is not able to determine the IP address itself.
  This didnt seem to make a difference.
  Then I configured the following
  name 1.1.1.1 test
  After which it accepted the command with the hostname configured as "test".
  So I am guessing the hostname refers to the "name" configurations of the  ASA and if that is the case then I would consider it a pretty useless option.
  I tried to configure an "object network GOOGLE" that uses "fqdn www.google.com" but it doesnt accept this "object" as the value for the hostname. So I am not really sure if I am missing something with regards to what else could be entered there other than something referenced in the "name" configuration.
  On a quick search I could not find anything online in which someone is actually using a hostname instead of the IP address.
  Also slightly adding to the confusion is the fact that the Configuration Guide makes no mention of hostname when giving instructions on configuring the target which to monitor for route tracking.
  Starting to seem to me that there is no option to use a DNS name as the target for monitoring.
  - Jouni

• IP SLA Monitor on Cisco 2911

  Dear all,
  I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is  c2900-universalk9-mz.SPA.151-2.T1.bin. Please help tell me how I can configure IP SLA on my router.
  Any assistance will be highly appreciated.

  The Data Technology Package License part number SL-29-DATA-K9 was changed to the AppX Technology Package License that includes DATA and WAAS features with part number SL-29-APP-K9.
  SL-29-APP-K9 (AppX License for Cisco 2900 Series) - USD 1,000.00
  Please check the Change in Product Part Number Announcement for the Cisco 2900 Series Integrated Services Routers Data Technology Package Licenses link below for your reference(s): 
  http://www.cisco.com/c/en/us/products/collateral/routers/2900-series-integrated-services-routers-isr/eos-eol-notice-c51-730946.html

• ASA5510 sla monitor does not fail back

  I've been down this path before and never got a resolution to this issue.
  ASA5510 Security Plus
  Primary ISP conn is Comcast cable
  Secondary ISP conn is fract T1
  I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
  When I pull the conn from primary ISP the default route to the secondary comes up
  When I reconnect the primary the default route to the secondary does not go away.
  I must either reload the ASA or remove/readd the two default outside routes.
  Anyone have this same experience and could lend a hand?
  Are there any commands I might have in my config that break SLA?
  If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.
  I'm working remotely with my customer so I can't play with this except on off-hours.
  ASA running 8.2(2) so as to use AnyConnect Essentials.
  Thx,
  Phil

  Pls. read and try the workaround.
  CSCtc16148    SLA monitor fails to fail back when ip verify reverse is applied
  Symptom:
  Route Tracking may fail to fail back to the primary link/route when restored.
  Conditions:
  SLA monitor must configured along with ip verify reverse path on the tracked interface.
  Workaround:
  1. Remove ip verify reverse path off of the tracked interface
  or
  2. add a static route to the SLA target out the primary tracked interface.
  [Wrap text]  [Edit this enclosure]
  Release-note: Added 09/23/2009 20:28:24 by kusankar
  [Unwrap text]  [Edit this enclosure]
  Release-note: Added 09/23/2009 20:28:24 by kusankar
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
  fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1.1_interim-by-cl104097&ext=&type=FILE
  fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
  fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850&ext=&type=FILE
  fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
  fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-bennu-by-cl101314&ext=&type=FILE
  fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
  fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-idfw-by-cl101317&ext=&type=FILE
  fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
  fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-logging-ng-by-cl101311&ext=&type=FILE
  fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
  fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-main-by-cl101300&ext=&type=FILE
  fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
  fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-64bit-by-cl101362&ext=&type=FILE
  fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
  fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-bv64-by-cl101426&ext=&type=FILE
  fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
  fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-main-by-cl101297&ext=&type=FILE
  fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
  fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-8.2.2_fcs_throttle-by-cl101307&ext=&type=FILE
  fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
  fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-bennu-by-cl101294&ext=&type=FILE
  fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
  [Uwrap text]  [Edit this enclosure]
  fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
  fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-main-by-cl101282&ext=&type=FILE
  fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
  [Wrap Text]  [Edit this enclosure]
  fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
  [Uwrap text]  [Edit this enclosure]
  sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
  sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=sla-mon-sh-tech&ext=log&type=FILE
  sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
  [Wrap Text]  [Edit this enclosure]
  sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
  [Uwrap text]  [Edit this enclosure]
  static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
  static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=static-analysis-titan-main&ext=&type=FILE
  static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
  http://
  [UnWrap text]  [Edit this enclosure]
  static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
  [Wrap Text]  [Edit this enclosure]
  static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
  -KS

• ASA /Router -SNMP Trap when IP SLA monitored (ICMP timeout)

  Hi,
  I am looking for some solution for my below requirment
  Requirment is :
  How do I configure ASA or Router to send SNMP Trap when IP SLA monitored  features enabled (ICMP request or 900 millisecond delay from destination IP)
  Thanks in advance..

  Hi,
  Maybe this thread might help you?
  https://supportforums.cisco.com/thread/2039293
  I have not personally configured these type of SLA configurations on an ASA other than for testing purposes. We handle Dual ISP setups outside the ASA firewalls.
  - Jouni

• Ip sla monitoring on asa ver 7.0 (6)

  how to configure ip sla monitoring on asa ver 7.0 (6) ?

  Hello,
  In fact was introduced on 7.2.(1)
  Components Used
  The information in this document is based on these software and hardware versions:
  Cisco PIX Security Appliance 515E with software version 7.2(1) or later
  Cisco Adaptive Security Device Manager 5.2(1) or later
  Related Products
  You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1).
  Please rate helpful posts,
  Julio

• Cisco IP SLA - RTTMON MIB - Problem setting values

  Hi,
  I am trying to use Cisco IP SLA to monitor QOS for voice data. I want to create a SLA operation from my NMS. I am using the RTTMON-MIB for this purpose. I was testing it out by creating an ICMP Echo operation, and I set the below values
  rttMonCtrlAdminRttType.1 -Integer 9
  rttMonEchoAdminProtocol.1 -Integer 27
  rttMonEchoAdminTargetAddress.1 -OctetString "172.22.202.12"
  rttMonEchoAdminTargetPort.1 -Integer 8000
  rttMonEchoAdminInterval.1 -Integer 20
  rttMonEchoAdminNumPackets.1 -Integer 100
  rttMonCtrlAdminStatus.1 -Integer 4
  rttMonScheduleAdminRttStartTime.1 -TimeTicks 1
  rttMonScheduleAdminRttLife.1 -Integer 2147483647
  I have set these values for an INDEX 1, using snmpset_requests. Can anyone tell me as to how do I go about with the indexing. I just chose 1 for the above eg and set the values. But I see the  rttMonCtrlAdminIndex oid has not been updated with the new entry. Neither am I able to set the value of index as 1 for this oid using snmpset.
  Can anyone please tell me how the indexing is done? Should I set the value of the index?
  The other question is the format for the target ipadress? This OID accepts IP address as an Octet String. So '172.22.202.24' is ok? or should I convert it into some other format.
  Regards
  Roycey

  The admin index is a random number which you must generate.  It can be between 1 and 2147483647.   Use your management station's pseudo-random number generator to pick an initial value.  Then test it by polling rttMonCtrlAdminStatus for that index.  If a row exists, pick a new index.
  Yes, the IP address is of type OCTET STRING.  You are setting it correctly.

• Cisco ASA5505 Logging

  This is likely a very basic question....
  I've got a new Cisco ASA5505 and I'm trying to see some logs at console level. Currently when I do a sh logging I simply get the below. I was expecting or I have seen on other PIX/ASA's system messages.
  Any ideas on what command I need to run in order to enable these messages?
  mipsasa01# sh logging
  Syslog logging: enabled
  Facility: 20
  Timestamp logging: disabled
  Standby logging: disabled
  Deny Conn when Queue Full: disabled
  Console logging: disabled
  Monitor logging: disabled
  Buffer logging: disabled
  Trap logging: disabled
  History logging: disabled
  Device ID: disabled
  Mail logging: disabled
  ASDM logging: level informational, 7108 messages logged

  The "show log" displays what is known as the buffer log. Your buffer logging is disabled. Use the config cmd "logging buffered " to enable it. You can adjust the size of the buffer with "logging buffer-size ". I think the buffer space is allocated in memory so don't go overboard.
  http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1729451

• IP SLA Monitor /Tracking 2921

  I am looking or IOS code for a Cisco 2921/K9 that will allow me to do IP SLA Tracking. The current code "c2900-universalk9-mz.SPA.151-4.M.bin" will only allow me to sset up IP SLA responder or IP SLA Server but  NOT IP SLA Monitor or IP SLA RTR.
  I have used the Cisco feature set research tool and chose what it recommended but to no avail.
  Am I missing something? Will the Server or Responder perform tracking?
  Thanks in advance to anyone who can  assist..
  ~g

  Dear All,
  I have the same problem with C2921. I want to config IP SLA for my C2921 but it seems do not support. The below for your reference.
  ####### Do not have option monitor
  ip sla ?
    key-chain  Use MD5 Authentication for IP SLAs Control Messages
    responder  Enable IP SLAs Responder
    server     IPPM server configuration
  Show version
  System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO2921/K9          FGL153913PM    
  Technology Package License Information for Module:'c2900'
  Technology    Technology-package           Technology-package
                Current       Type           Next reboot 
  ipbase        ipbasek9      Permanent      ipbasek9
  security      None          None           None
  uc            None          None           None
  data          None          None           None
  Please kindly advise what ios I can use for configuring IP SLA. there're any problem with my licence for that
  Best Regards,
  Binh

• Problem with traffic over Remote Access VPN (Cisco ASA5505)

  Hi
  I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.
  I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists.
  : Saved:ASA Version 8.2(1) !hostname ciscoasadomain-name our-domain.comenable password xxxxxxxx encryptedpasswd xxxxxxxx encryptednamesname 172.17.1.0 remote-vpn!interface Vlan1 nameif inside security-level 100 ip address 10.1.1.2 255.0.0.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group adslrealm ip address pppoe setroute !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone SAST 2dns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNS name-server 10.1.1.138 name-server 10.1.1.54 domain-name our-domain.comsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group network utobject-group protocol TCPUDP protocol-object udp protocol-object tcpaccess-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0 access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 access-list outside_access_in extended permit tcp any interface outside eq https access-list outside_access_in extended permit tcp any interface outside eq 5061 access-list outside_access_in extended permit tcp any interface outside eq 51413 access-list outside_access_in extended permit udp any interface outside eq 51413 access-list outside_access_in extended permit tcp any interface outside eq 2121 access-list outside_access_in extended permit udp any interface outside eq 2121 access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0 access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0 access-list inside_access_out extended deny tcp any any eq 12975 access-list inside_access_out extended deny tcp any any eq 32976 access-list inside_access_out extended deny tcp any any eq 17771 access-list inside_access_out extended deny udp any any eq 17771 access-list inside_access_out extended permit ip any any pager lines 24logging enablelogging asdm informationalmtu inside 1500mtu outside 1500ip local pool VPNPool 172.17.1.1-172.17.1.254icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list no_natnat (inside) 1 10.0.0.0 255.0.0.0static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255 static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255 static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 access-group outside_access_in in interface outsidetimeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00dynamic-access-policy-record DfltAccessPolicyaaa-server AD protocol ldapaaa-server AD (inside) host 10.1.1.138 ldap-base-dn dc=our-domain,dc=com ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password * ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com server-type auto-detectaaa authentication ssh console AD LOCALaaa authentication telnet console LOCAL http server enable 4343http 0.0.0.0 0.0.0.0 outsidehttp 10.0.0.0 255.0.0.0 insidehttp remote-vpn 255.255.255.0 insidesnmp-server host inside 10.1.1.190 community oursnmpsnmp-server host inside 10.1.1.44 community oursnmpno snmp-server locationno snmp-server contactsnmp-server community *****snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto dynamic-map dyn1 1 set transform-set FirstSetcrypto dynamic-map dyn1 1 set reverse-routecrypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map mymap 1 ipsec-isakmp dynamic dyn1crypto map mymap interface outsidecrypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa crl configurecrypto ca trustpoint CA1 revocation-check crl none enrollment retry period 5 enrollment terminal fqdn ciscoasa.our-domain.com subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York keypair ciscoasa.key crl configurecrypto ca certificate chain ASDM_TrustPoint0 certificate xxxxxxx    ...  quitcrypto ca certificate chain CA1 certificate xxxxxxxxxxxxxx    ...  quit certificate ca xxxxxxxxxxxxx    ...  quitcrypto isakmp enable outsidecrypto isakmp policy 1 authentication rsa-sig encryption 3des hash md5 group 2 lifetime 86400crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400ssh 10.0.0.0 255.0.0.0 insidessh timeout 5console timeout 0vpdn group adslrealm request dialout pppoevpdn group adslrealm localname username6@adslrealmvpdn group adslrealm ppp authentication papvpdn username username6@adslrealm password ********* store-localvpdn username username@adsl-u password ********* store-localvpdn username username2@adslrealm password ********* dhcpd auto_config outside!threat-detection basic-threatthreat-detection scanning-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptntp server x.x.x.x source outsidessl trust-point ASDM_TrustPoint0 outsidewebvpn port 4343 enable outside svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 svc enablegroup-policy defaultgroup internalgroup-policy defaultgroup attributes dns-server value 10.1.1.138 10.1.1.54 split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value our-domain.comgroup-policy DfltGrpPolicy attributes dns-server value 10.1.1.138 10.1.1.54 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel address-pools value VPNPool webvpn  svc ask none default svcusername person1 password xxxxxxx encryptedusername admin password xxxxxxxx encrypted privilege 15username person2 password xxxxxxxxx encryptedusername person3 password xxxxxxxxxx encryptedtunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group DefaultRAGroup ipsec-attributes trust-point CA1tunnel-group OurCompany type remote-accesstunnel-group OurCompany general-attributes address-pool VPNPooltunnel-group OurCompany webvpn-attributes group-alias OurCompany enable group-url https://x.x.x.x/OurCompany enabletunnel-group OurIPSEC type remote-accesstunnel-group OurIPSEC general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group OurIPSEC ipsec-attributes pre-shared-key * trust-point CA1!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum 512policy-map type inspect sip sip-map parameters  max-forwards-validation action drop log  state-checking action drop log  rtp-conformance policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect netbios   inspect tftp   inspect icmp   inspect pptp   inspect sip sip-map !             service-policy global_policy globalprompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxx: end
  I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?
  Regards
  Lionel

  Hi
  The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.
  Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.
  Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.
  Regards
  Lionel
  Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  FalseOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSECOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payloadOct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT deviceOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnelOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabledOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split NetworkOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modifyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disableOct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributesOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributesOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote userOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg replyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2eOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progressOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completedOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETEDOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received172.17.1.1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addrOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-TraversalOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!IPSEC: New embryonic SA created @ 0xCB809F40,     SCB: 0xC9613DB0,     Direction: inbound    SPI      : 0x96A6C295    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick modeOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy IDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:  Remote host: 172.17.1.1  Protocol 0  Port 0  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2eOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAsOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594IPSEC: New embryonic SA created @ 0xCB8F7418,     SCB: 0xC9F6DD30,     Direction: outbound    SPI      : 0x09E97594    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsIPSEC: Completed host OBSA update, SPI 0x09E97594IPSEC: Creating outbound VPN context, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x00000000    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: New outbound encrypt rule, SPI 0x09E97594    Src addr: 10.0.0.0    Src mask: 255.0.0.0    Dst addr: 172.17.1.1    Dst mask: 255.255.255.255    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound encrypt rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: New outbound permit rule, SPI 0x09E97594    Src addr: 196.215.40.160    Src mask: 255.255.255.255    Dst addr: 197.79.9.227    Dst mask: 255.255.255.255    Src ports      Upper: 4500      Lower: 4500      Op   : equal    Dst ports      Upper: 41593      Lower: 41593      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound permit rule, SPI 0x09E97594    Rule ID: 0xC9242228Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594IPSEC: Completed host IBSA update, SPI 0x96A6C295IPSEC: Creating inbound VPN context, SPI 0x96A6C295    Flags: 0x00000026    SA   : 0xCB809F40    SPI  : 0x96A6C295    MTU  : 0 bytes    VCID : 0x00000000    Peer : 0x001E7FCC    SCB  : 0x985C5DA5    Channel: 0xC6691360IPSEC: Completed inbound VPN context, SPI 0x96A6C295    VPN handle: 0x0020190CIPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x0020190C    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: Completed outbound inner rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594    Rule ID: 0xC9242228IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295    Src addr: 172.17.1.1    Src mask: 255.255.255.255    Dst addr: 10.0.0.0    Dst mask: 255.0.0.0    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295    Rule ID: 0xCB7CFCC8IPSEC: New inbound decrypt rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound decrypt rule, SPI 0x96A6C295    Rule ID: 0xCB9BF828IPSEC: New inbound permit rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound permit rule, SPI 0x96A6C295    Rule ID: 0xCBA7C740Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1 Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)

• Problem with VPN timeout on Cisco ASA5505

  Hi i'm sorry if it's vague, but i'm coming here without any  config simply because i don't have access.
  At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
  We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
  The problem we have will be the disconnection.
  We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
  The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
  Me and the other user can get frequent Disconnection in a day, but  it's all random (1 days i can get disconnected 0 times and the next day 3 times)
  I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
  The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
  On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
  1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
  2) When i check my VPN connection it simply disconnected alone.
  Thanks for possible solutions.   (also the windows client had another PC Before and she said it never disconnected, but it started on new PC)  (Before she was on WinXP)
  Thanks

  Hi i'm sorry if it's vague, but i'm coming here without any  config simply because i don't have access.
  At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
  We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
  The problem we have will be the disconnection.
  We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
  The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
  Me and the other user can get frequent Disconnection in a day, but  it's all random (1 days i can get disconnected 0 times and the next day 3 times)
  I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
  The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
  On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
  1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
  2) When i check my VPN connection it simply disconnected alone.
  Thanks for possible solutions.   (also the windows client had another PC Before and she said it never disconnected, but it started on new PC)  (Before she was on WinXP)
  Thanks

• IP SLA Monitor

  Hi all!
  We are using IP SLA to monitor the WAN IP from a client:
  ip sla monitor 1
  type echo protocol ipIcmpEcho 192.168.251.206 source-interface GigabitEthernet0/1
  request-data-size 10
  timeout 2000
  threshold 4000
  frequency 5
  ip sla monitor schedule 1 life forever start-time now
  track 104 rtr 1 reachability
  delay down 8 up 30
  When the link is down, traffic is switched to another link. The problem is that when we are doing maintenance with the problem link, any  oscillation (up/down) causes the link to be switched back to the link with problem. The only solution we found for this case is to give a shutdown on the interface that is being repaired.
  Does anyone know what I can do to prevent traffic is switched to the link that is being repaired?
  Appreciate any help

  Hi Sachin!
  I think it would be interesting to increase the monitoring time, if the main link becomes down. You know  I can  how do this without using load balancing (HSRP, VRRP, GLBP ...)? Because we are monitoring the wan interface of the client, ie, on the other end of the cloud.
  Thanks.

• Cisco video camera monitoring software from remote location

  Hello
  What is the best way to use the  Cisco video camera monitoring software from remote location.
  I am talking about the AVMS / SWVMS software.
  I am thinking of either a vpn tunnel or Remote Desktop (Terminal Services).
  I would like to use the vpn tunnel, but am afraid that the encryption/decryption of all data will drastically slow down the data throughput.
  THanks,
  Cliff
  CCO: clifford.gormley

  Hi Clifford,
  Thank you for posting. I use the AVMS software remotely and it works good. At first I changed the http ports of each camera and forwarded those ports in the router. I set up the cameras in the remote AVMS software with the WAN IP address and port number. That worked quite well. I then decided to try to reach the cameras through a VPN tunnel. I found that it worked perfectly and I was able to view up to 6 cameras. Your results will vary depending on how much bandwidth you have at each end. The important thing is the upload speed at the camera end of the tunnel. I have anywhere from 3-4 Mbps at any given time for the upload speed at the camera side and 30-40 Mbps download speed at the AVMS server side. I have also used UltraVNC to view the AVMS server through the tunnel and that worked well. Note that if you view the AVMS software using RDP you will see a black screen where the video should be. This is a limitation of RDP, not the software.
  Please reply if you have any questions.

• SLA Monitoring

  I have 2 static routes from source to destination on ASA. I want to give preference to first path and the second path will be the backup path. In case if first path will goes down only then the second path will be used. For this I want to enable SLA monitoring. If i will set number of packets=100, Frequency=20 sec, Timeout= 2sec. I want that when all the 100 packets will be dropped only the backup path will be used. 
  How can i set this requirement?
  Regards,
  Mukesh Kumar
  Network Engineer
  Spooster IT Services

  Hello Mukesh ,
  I understand that you are trying to achieve redundancy using ipsla track feature and at the same time you want some delay ( you said untill 100 packets are dropped ) in installing secondary route in RIB .
  Kindly correct me if wrong .
  As a simpler solution , I think you can add delay in number of seconds under track statement , that will achieve same thing but in terms of seconds . So lets say if you have threshold to 20 seconds and delay of 60 seconds , in case of failure condition router will wait untill IPSLA is triggered 3 times with consecutive failures ( as per frequency ) .
  Anyways , in case you still need IPSLA track feature based on number of packets drop , please see below as per my understanding :
  As you say you will set number of packets = 100 , i assume you are using ICMP-jitter based IPSLA and that can report such drops in reaction configuration . you can use "traponly" keyword to have a log generated when configured number of drop threshold is reached ( kindly ensure to have ip sla logging trap configured ) . 
  Now you can use this log ( threshold exceeded ) as trigger for an EEM script and do whatever changes are needed in configuration ( eg, static route AD manipulation etc ) .
  hope to help .
  For any further help please let me know .
  Regards
  Sunil Bhadauria

• Linksys Switches/Routers that support CISCO IP SLA Responder feature

  Hi there, I'm looking for a Linksys Switch or Router that does support Cisco IP SLA Responder, this allows for measuring one way delay, etc.
  I'd appreciate if somebody can help me identifying a Linksys device supporting this.
  Thanks!
  From Cisco website:
  "...Cisco IOS IP SLA Responder is a Cisco IOS Software component whose functionality is to respond to Cisco IOS IP SLA request packets....Some of the newer Linksys devices also support this feature...."

  Cisco sold Linksys to Belkin quite a while ago. Linksys business products are typically for the SMB market.
  For the SLA feature you are asking about I have used the Cisco 1921.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support