Cisco ASA5512-SSD120-K9

Dear All,
I would like to ask everyone the following question:
Does this Cisco ASA model (ASA5512-SSD120-K9) have the ESA (Email Security Appliance) function and feature? If not, please kindly recommend which Cisco ASA model has this feature or function.
Thanks.
Dara

ESA functionality is not built into any ASA model.
ESA deployment options include dedicated physical or virtual appliances and cloud-based options.

Similar Messages

  • Can I Use an ASA5512-SSD120-K9 as Firewall Only and Purchase CX Licenses Later?

    Hello,
    I'm thinking of purchasing a new ASA 5512-x, part number ASA5512-SSD120-K9 and just using it as a plain firewall (as if it was part number ASA5512-K9) and purchase the CX license(s) at a later date when funds are available. Is there any reason I can't do this? I know the SmartNet service contract on the NGFW version will cost about $70 more per year, but other than that will I have any problems?
    Thanks very much.

    Sure, that's a supported path. When you're ready you can just order the AVC, WSE and/or IPS subscriptions you want to add. You'll probably want to update the CX boot and system images at that time as they are being updated pretty frequently with bug fixes and enhancements.
    The only downside is that you may miss out on some bundle discounts that are typically offered when buying the subscriptions as part of a new purchase.

  • Cisco asa5512-x fw edition

    I have a cisco asa5512-x fw ed with basic license. I need to add IPS to it.
    Do I need a module or only a license or both? And I have another cisco 5520-k9 with security plus and also need to add IPS to it.

    For your 5512 you need the SSD and the license for FirePOWER.
    For the 5520 you would need a hw-module (AIP-SSM) and a license for the already EOS/EOL announced legacy IPS. That's probably not worth investing in.

  • ASA5512-K9 CX AVC and Web Security Essentials

    I have purchased the ASA5512-K9 with the CX AVC and Web Security Essentials L-ASA5512-AW1Y as recommended by a Cisco pre-sales representative and my reseller for my environment.  I had previously believed from the documentation on the Cisco site that all X generation models had the CX software included on them in the state that they are sold.  Now in trying to configure the ASA5512, and with further reading of the setup documentation, I have discovered that I do not have the capability to access the CX functionality with this model 'as is', and this combination does not appear to be appropriate.  It appears that the CX software module is not actually included on the ASA5512-K9 model, but rather only on the ASA5512-SSD120-K9 model.  Could someone please verify for me that I have understood this correctly?
    If it is, then please advise if I should exchange the ASA5512-K9 for an ASA5512-SSD120-K9 to get the combination of this subscription license and ASA model working. Am I correct in that the ASA5512-K9 model does not have a solid state drive on it already and so I cannot download and install the CX software on it? As an alternative, is it possible to purchase a Cisco solid state drive separately, plug it into the ASA5512-K9, download the CX software, and then install it on this new drive in the ASA5512-K9?
    I would greatly appreciate guidance from anyone who has experience with the ASA5512 line and CX.  I was unable to find help from Cisco pre-sales and technical support for this question via phone or online chat, and my reseller has been unable to answer this question for me so far.

    Hi!
    According to many documents, i.e. page 3 of http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/white_paper_c11-727394.pdf
    An SSD is required to run AVC and WSE on ASA 5500-X Series Next-Generation Firewalls. SSD bundles have the ASA CX software image pre-loaded, and customers receive a free 60-day trial of the WSE and AVC subscriptions.
    An SSD bundle is ASA5512-SSD120-K8 (or ASA5512-SSD120-K9). So if you happened to buy ASA5512-K9, then you definitely need this SSD option: ASA5500X-SSD120=.
    Cheers.

  • Web Security Essentials

    Hi,
    We purchased a Cisco ASA5512- 250 VPN Bundle. We want to evaluate Web Security Essentials, so we have purchased the SSD120 disk and installed it into the hot plug slot. I am now struggling to find out what to do next. Is there a software package I need to install into the ASDM? There isn't a great deal of information on this topic on the forums. If someone could point me to the best way to get this running. The firewall is not in production as yet but we need to get this installed ASAP.
    Thanks In Advance

    Hi Paul,
    1. HTTPS decryption is currently not supported. It's on the roadmap and should be supported in one of the next SW releases.
    2. CDA is mapping ad-user to machine IP as you already wrote. So if users are sharing the same IP (in a terminal server environment, for example), this is not a supported configuration. I'll try to find out if there is something on the roadmap.

  • Does ASA 5512-x have antivirus?

    Dear All,
    Does ASA 5512-x have antivirus?
    What is the difference between ASA5512-SSD120-K9 and ASA5512-FPWR-K9?
    Best Regards,
    Rechard 

    Dear all experts,
    Do you have any advice on this?
    Best Regards,
    Rechard

  • Licensing Trouble

    I have started the process of replacing our CX module with the SRF module and have faced an issue in the early going.  I have the Module loaded on the ASA, and the Defense Center VM installed and license files installed.  However, when I attempt to add the SRF module to the Defense Center as a new device, I am unable to select any licenses.  When looking at the licensing available on the Defense Center, it shows two available for URL Filtering and Malware, but I am unable to select them.
    Any ideas?  Am I supposed to register the SRF module on the ASA?  I couldn't find a way to do that, and all documentation seemed to point to doing it at the Defense Center.
    Thanks,
    Mark

    You need to make sure that they ordered the CTRL license.
    You need it to license the device.

    Cisco ASA 5500-X FirePOWER Services Upgrade Licenses

    Part Number          Description
    ASA5512-CTRL-LIC=    Cisco ASA5512 FirePOWER Services Upgrade Control License
    ASA5515-CTRL-LIC=    Cisco ASA5515 FirePOWER Services Upgrade Control License
    ASA5525-CTRL-LIC=    Cisco ASA5525 FirePOWER Services Upgrade Control License
    ASA5545-CTRL-LIC=    Cisco ASA5545 FirePOWER Services Upgrade Control License
    ASA5555-CTRL-LIC=    Cisco ASA5555 FirePOWER Services Upgrade Licenses Control License

  • NAT ASA5512 8.6(1)2 in and out

    Hello Everyone,
    This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 that I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue as I can ping any device at our other sites and I can RDP into computers and servers at the other sites. I can also call internally between sites but when I try to call the other sites from my cell I can't get through. Also when I forward one of the extensions at the other sites to my cell and then call internally I do not get an outside line.
    In the config below you can see that I've applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and receive them with no issues. The deltaphonesystem cannot make or receive calls from outside our network. Only internal calls are working for the deltaphonesystem. I've done packet traces in every which way and corrected any issues that I have found with no fix to the problem. So I cleaned up my config and posted it here. Really hope someone can give me a few pointers in getting this problem solved.
    On another note I have a Cisco ASA5505 with smartnet support. So I throw it in place of the 5512 and call cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesn't work even though I have the same rules as the 5505. If anyone can answer that side question please do.
    ASA Version 8.6(1)2
    hostname AdminASA
    domain-name
    enable password encrypted
    passwd encrypted
    names
    interface GigabitEthernet0/0
    shutdown
    no nameif
    security-level 0
    no ip address
    interface GigabitEthernet0/1
    nameif Outside
    security-level 0
    ip address 76.320.333.43 255.255.255.224
    interface GigabitEthernet0/2
    nameif Inside
    security-level 100
    ip address 10.1.99.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif P2P
    security-level 100
    ip address 10.2.99.2 255.255.255.0
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
    domain-name corp.centermh.org
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network DeltaNetwork
    subnet 10.1.96.0 255.255.255.0
    object network GunnisonNetwork
    subnet 10.1.97.0 255.255.255.0
    object network MiamiNetwork
    subnet 10.1.98.0 255.255.255.0
    object network NuclaNetwork
    subnet 10.1.93.0 255.255.255.0
    object network TellurideNetwork
    subnet 10.1.94.0 255.255.255.0
    object network AdminPhoneSystem
    host 10.1.99.225
    description Inside IP Address of Admin Phone System
    object network DeltaPhoneSystem
    host 10.1.96.225
    description Internal IP Address of Delta Phone System
    object network AdminPhonePublic
    host 76.320.333.48
    description Public IP Address of Admin Phone System
    object network FastTrackPhone
    host 234.213.124.81
    description FastTrack SIP Trunk Authtication IP Address
    object network FastTrackMonitor
    host 290.230.195.8
    description FastTrack Monitoring server
    object network DeltaPhonePublic
    host 76.320.333.51
    description Public IP Address of Delta Phone System
    object-group icmp-type ICMP-All
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object unreachable
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All
    access-list Local_access_in extended permit ip any any
    access-list MPLS_access_in extended permit ip any any
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu P2P 1500
    mtu management 1500
    ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
    nat (P2P,Outside) after-auto source dynamic any interface
    nat (Inside,Outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group P2P_access_in in interface P2P
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
    route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1
    route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.1.99.0 255.255.255.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.1.99.0 255.255.255.0 Inside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 128.138.140.44 prefer
    webvpn
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    username privilege 15
    username privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 8
      subscribe-to-alert-group configuration periodic monthly 8
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    Hi,
    If I am not mistaken then at least one big problem is the source interface in the other NAT configuration command.
    You have this
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Yet you have this "object network" and "route"
    object network DeltaPhoneSystem
    host 10.1.96.225
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    So seems to me that your NAT configuration should be
    nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configurations would look like this
    object network DeltaPhoneSystem
    host 10.1.96.225
    nat (P2P,Outside) static 76.320.333.51
    object network AdminPhoneSystem
      host 10.1.99.225
      nat (Inside,Outside) static 76.320.333.48
    Also one very important note: if you are using multiple public subnets on your ASA "Outside" interface then the way this is implemented by your ISP has a lot of meaning.
    If the ISP has configured one public subnet between its gateway device and your ASA and routed the other subnet(s) towards the ASA's "Outside" interface IP address then there is no problem.
    If the ISP has configured both (or all) public subnets on their gateway interface (others as "secondary" subnets) then you will (to my understanding) run into a problem with ARP with nonconnected networks on the ASA. To correct this you would need to either change the setup to the first option with the ISP or update your ASA software to 9.0(2) or possibly 9.1(2) to get access to the command "arp permit-nonconnected".
    Here is the section from the patch notes that also explains the command's purpose:
    ARP cache additions for non-connected subnets
    The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
    You may want to use this feature if you use:
    •Secondary subnets.
    •Proxy ARP on adjacent routes for traffic forwarding.
    We introduced the following command: arp permit-nonconnected.
    Also available in 8.4(5).
    If you want to take a look at a NAT 8.3+ document I made here on the CSC then follow this link
    https://supportforums.cisco.com/docs/DOC-31116
    Hopefully the above helps with your problem
    Please do remember to mark the reply as the correct answer if it answered your question.
    Ask more if needed
    - Jouni
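
An added example (not part of the original thread or of any Cisco tooling) that checks the point made in the reply above: for every `nat (real,mapped) source static` line, the real interface should be the one the ASA routes the real host through. The sample configuration is constructed from the posted one, with the scrubbed public addresses replaced by documentation-range addresses; the function names are hypothetical, only the twice-NAT form is covered, and route metrics are ignored.

```python
import ipaddress
import re

# Constructed sample: trimmed from the posted configuration, with the
# scrubbed public addresses replaced by 203.0.113.0/24 (documentation range).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Outside
 ip address 203.0.113.43 255.255.255.224
interface GigabitEthernet0/2
 nameif Inside
 ip address 10.1.99.1 255.255.255.0
interface GigabitEthernet0/3
 nameif P2P
 ip address 10.2.99.2 255.255.255.0
object network AdminPhoneSystem
 host 10.1.99.225
object network DeltaPhoneSystem
 host 10.1.96.225
object network AdminPhonePublic
 host 203.0.113.48
object network DeltaPhonePublic
 host 203.0.113.51
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
route Outside 0.0.0.0 0.0.0.0 203.0.113.42 6
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
"""

# Twice-NAT static rule: nat (real_ifc,mapped_ifc) [after-auto] source static REAL MAPPED
NAT_RE = re.compile(
    r"^\s*nat \(([^,()\s]+),([^,()\s]+)\)(?: after-auto)? source static (\S+) (\S+)")


def _net(addr, mask=None):
    """Build an IPv4Network, or None for 'dhcp', scrubbed or invalid values."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:
        return None


def parse_config(text):
    """Return (table, objects): table is [(network, interface)] built from
    connected subnets and static routes; objects maps name -> network."""
    table, objects = [], {}
    nameif = obj = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        net = None
        if w[0] == "interface":
            nameif = obj = None
        elif w[0] == "nameif" and len(w) > 1:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:
            net = _net(w[2], w[3])              # connected subnet
            if net:
                table.append((net, nameif))
        elif w[:2] == ["object", "network"] and len(w) > 2:
            obj, nameif = w[2], None
        elif w[0] == "host" and obj and len(w) > 1:
            net = _net(w[1])
            if net:
                objects[obj] = net
        elif w[0] == "subnet" and obj and len(w) > 2:
            net = _net(w[1], w[2])
            if net:
                objects[obj] = net
        elif w[0] == "route" and len(w) >= 5:
            net = _net(w[2], w[3])              # static route
            if net:
                table.append((net, w[1]))
    return table, objects


def egress_interface(table, net):
    """Longest-prefix match: the interface the ASA would use to reach net."""
    matches = [(n.prefixlen, ifc) for n, ifc in table if net.subnet_of(n)]
    return max(matches)[1] if matches else None


def check_static_nat(text):
    """Return [(real_object, configured_ifc, routed_ifc)] for each static
    rule whose real interface differs from the routed interface."""
    table, objects = parse_config(text)
    findings = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m or m.group(3) not in objects:
            continue
        real_ifc, _mapped_ifc, real_obj, _mapped_obj = m.groups()
        routed = egress_interface(table, objects[real_obj])
        if routed and routed != real_ifc:
            findings.append((real_obj, real_ifc, routed))
    return findings


if __name__ == "__main__":
    for obj, configured, routed in check_static_nat(SAMPLE_CONFIG):
        print(f"{obj}: NAT rule uses ({configured},...) but the host is routed via {routed}")
```
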

  • Configure the syslog of ASA 5512-X for display on Cisco Prime Infrastructure 2.1

    Hi, I'm working on implementing the Cisco Prime Infrastructure 2.1 and want to display the syslog about ASA5512-X with Software Version 9.2.
    What would be the procedure for configuring?
    Thanks in advance.

    Hi,
    Use the "logging host x.x.x.x" command to enable logging.
    Check the link below:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html#68764
    FYI: Prime Infrastructure supports only SEV 0,1,2 syslogs as of now.
    Operate > alarm and events > syslogs
    Thanks-
    Afroz
    ****Ratings Encourages Contributors *****

  • HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.

    I can't seem to get by the errors. Phase 1 completes, then the errors start, 7.0.0.2 received non-routine notify message no proposal chosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local Proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, session being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. On the other end, the ASA5512, I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, received encrypted packet with no matching SA dropping.
    I have searched the internet and found many results; however, as changes are implemented I always end up back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This is a test soon to go into production. Thanks
    Ken
    ASA1# sho run
    : Saved
    ASA Version 9.1(2)
    hostname ASA1
    domain-name TEST1.CA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface GigabitEthernet0/0
     nameif Outside
     security-level 100
     ip address 7.0.0.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif AS1toR1
     security-level 50
     ip address 1.0.0.2 255.255.255.0
    interface GigabitEthernet0/2
     nameif AS1toR2
     security-level 50
     ip address 3.0.0.2 255.255.255.0
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 0
     ip address 192.168.1.1 255.255.255.0
    ftp mode passive
    dns domain-lookup Outside
    dns domain-lookup AS1toR1
    dns domain-lookup AS1toR2
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 201.201.201.201
     domain-name TEST1.CA
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-1.0.0.0
    object network 2.0.0.0
     subnet 2.0.0.0 255.255.255.0
    object network 6.0.0.0
     subnet 6.0.0.0 255.255.255.0
    object network 7.1.0.0
     subnet 7.1.0.0 255.255.255.0
    object network 8.0.0.0
     subnet 8.0.0.0 255.255.255.0
    object network 9.0.0.0
     subnet 9.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_3
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_4
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    object-group network DM_INLINE_NETWORK_1
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    object-group network DM_INLINE_NETWORK_2
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_5
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_6
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    access-list HEADEND extended permit ip any any
    access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
    access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
    access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
    access-list Outside_access_in extended permit ip any any
    access-list Outside_access_in extended permit icmp any4 any4
    access-list AS1toR2_access_in extended permit icmp any4 any4
    access-list AS1toR2_access_in extended permit ip any any
    access-list AS1toR1_access_in extended permit ip any any
    access-list AS1toR1_access_in extended permit icmp any4 any4
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu AS1toR1 1500
    mtu AS1toR2 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group Outside_access_in in interface Outside
    access-group AS1toR1_access_in in interface AS1toR1
    access-group AS1toR2_access_in in interface AS1toR2
    router ospf 1
     network 1.0.0.0 255.255.255.0 area 0
     network 3.0.0.0 255.255.255.0 area 0
     network 7.0.0.0 255.255.255.0 area 0
     log-adj-changes
    route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
    route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
    route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    eou allow none
    http server enable
    http 192.168.1.2 255.255.255.255 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
    crypto dynamic-map DYNMAP 10 set pfs
    crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
    crypto dynamic-map DYNMAP 10 set reverse-route
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
    crypto map HQ2REMOTE interface Outside
    crypto ca trustpool policy
    crypto ikev1 enable Outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 30
    vpn load-balancing
     interface lbpublic Outside
     interface lbprivate AS1toR1
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable Outside
     no anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     wins-server value 10.10.10.10
     dns-server value 201.201.201.201
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
     split-tunnel-network-list value HEADEND
     default-domain value TEST1.CA
     webvpn
      activex-relay disable
    tunnel-group DefaultL2LGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup general-attributes
     secondary-authentication-server-group LOCAL
     authorization-server-group LOCAL
     nat-assigned-to-public-ip Outside
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
     peer-id-validate nocheck
     ikev1 user-authentication none
    tunnel-group DefaultWEBVPNGroup general-attributes
     secondary-authentication-server-group LOCAL
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
     ikev1 pre-shared-key *****
     peer-id-validate nocheck
     ikev1 user-authentication none
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 24
      subscribe-to-alert-group configuration periodic monthly 24
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:022709234965ad8943628e790ed5ed1f
    : end
    ASA1#
    ASA2# sho run
    : Saved
    ASA Version 8.2(5)
    hostname ASA2
    domain-name TEST2.CA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 14
    interface Ethernet0/1
     switchport access vlan 24
    interface Ethernet0/2
     shutdown
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     shutdown
    interface Ethernet0/6
     shutdown
    interface Ethernet0/7
     switchport access vlan 4
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan4
     nameif management.
     security-level 0
     ip address 192.168.1.101 255.255.255.0
     management-only
    interface Vlan14
     nameif Outside
     security-level 100
     ip address dhcp setroute
    interface Vlan24
     nameif Inside
     security-level 50
     ip address 6.0.0.2 255.255.255.0
    ftp mode passive
    dns domain-lookup management.
    dns domain-lookup Outside
    dns domain-lookup Inside
    dns server-group DefaultDNS
     domain-name TEST2.CA
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
     network-object 1.0.0.0 255.255.255.0
     network-object 2.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object 8.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 6.0.0.0 255.255.255.0
     network-object 9.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
     network-object 1.0.0.0 255.255.255.0
     network-object 2.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object 8.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
     network-object 6.0.0.0 255.255.255.0
     network-object 9.0.0.0 255.255.255.0
    access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
    access-list REMOTEEND extended permit ip any any
    access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
    access-list Outside_access_in extended permit ip any any
    access-list Outside_access_in extended permit icmp any any
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management. 1500
    mtu Outside 1500
    mtu Inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    router ospf 1
     network 6.0.0.0 255.255.255.0 area 0
     network 7.1.0.0 255.255.255.0 area 0
     log-adj-changes
    route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
     network-acl REMOTEEND
    eou allow none
    http server enable
    http 0.0.0.0 0.0.0.0 management.
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map HQ2REMOTE 15 match address vpnend-to-hq
    crypto map HQ2REMOTE 15 set pfs
    crypto map HQ2REMOTE 15 set connection-type originate-only
    crypto map HQ2REMOTE 15 set peer 7.0.0.2
    crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
    crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
    crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
    crypto map HQ2REMOTE 15 set reverse-route
    crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map HQ2REMOTE interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 15
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    crypto isakmp ipsec-over-tcp port 10000
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface Outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption 3des-sha1
    webvpn
     enable Outside
    group-policy DfltGrpPolicy attributes
     wins-server value 10.10.10.10
     dns-server value 201.201.201.201
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     split-tunnel-network-list value REMOTEEND
     default-domain value TEST2.CA
     smartcard-removal-disconnect disable
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group DefaultRAGroup general-attributes
     authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group 7.0.0.2 type ipsec-l2l
    tunnel-group 7.0.0.2 ipsec-attributes
     pre-shared-key *****
     peer-id-validate nocheck
    tunnel-group-map default-group 7.0.0.2
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
    : end
    ASA2#
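
An added example, not code from the thread: it takes the rejection line that the responder logs in this thread's IKEv1 debug output and tests the offered proxy pair against the `vpnend-to-hq` crypto ACL from the ASA2 configuration above, in both orientations. The function names are hypothetical, and only `permit ip` entries with address/mask, `host`, `any` and `object-group` endpoints are handled.

```python
import ipaddress
import re

# Excerpt of the ASA2 configuration posted above: object groups and the crypto ACL only.
ASA2_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 1.0.0.0 255.255.255.0
 network-object 2.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 6.0.0.0 255.255.255.0
 network-object 9.0.0.0 255.255.255.0
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
"""

# Rejection line as it appears in the responder's IKEv1 debug output in this thread.
REJECT_LINE = (
    "Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 "
    "local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside"
)

# Each proxy is printed as address/netmask/protocol/port.
PROXY = r"([\d.]+)/([\d.]+)/\d+/\d+"
REJECT_RE = re.compile(r"remote proxy " + PROXY + r" local proxy " + PROXY)


def net(addr, mask="255.255.255.255"):
    """Build a network from an ASA address/netmask pair (host bits are masked off)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_reject(line):
    """Return (remote_proxy, local_proxy) from a rejection line, or None if absent."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return net(m.group(1), m.group(2)), net(m.group(3), m.group(4))


def parse_object_groups(config):
    """Map each network object-group name to the list of its member networks."""
    groups, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("object-group network "):
            current = groups.setdefault(stripped.split()[2], [])
        elif stripped.startswith("network-object ") and current is not None:
            _, first, second = stripped.split()[:3]
            current.append(net(second) if first == "host" else net(first, second))
        else:
            current = None  # any other line ends the current object-group
    return groups


def take_endpoint(tokens, groups):
    """Consume one source or destination spec from the front of an ACE token list."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "host":
        return [net(tokens.pop(0))]
    if head == "object-group":
        return list(groups[tokens.pop(0)])
    return [net(head, tokens.pop(0))]


def expand_acl(config, name, groups):
    """Expand the 'permit ip' entries of an extended ACL into (source, destination) pairs."""
    prefix = f"access-list {name} extended permit ip "
    pairs = []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith(prefix):
            tokens = stripped[len(prefix):].split()
            sources = take_endpoint(tokens, groups)
            destinations = take_endpoint(tokens, groups)
            pairs.extend((s, d) for s in sources for d in destinations)
    return pairs


def covering_entries(pairs, source, destination):
    """Return the ACL pairs whose source and destination both contain the given networks."""
    return [(s, d) for s, d in pairs if source.subnet_of(s) and destination.subnet_of(d)]


def check_rejection(config, acl_name, log_line):
    """Test the rejected proxy pair against one crypto ACL in both orientations."""
    remote, local = parse_reject(log_line)
    pairs = expand_acl(config, acl_name, parse_object_groups(config))
    return {
        "remote_proxy": str(remote), "local_proxy": str(local),
        # Initiator's ACL: its source is what the responder logs as the remote proxy.
        "covered_as_initiator_acl": covering_entries(pairs, remote, local),
        # Responder's ACL: its source is what the responder logs as the local proxy.
        "covered_as_responder_acl": covering_entries(pairs, local, remote),
    }


if __name__ == "__main__":
    print(check_rejection(ASA2_CONFIG, "vpnend-to-hq", REJECT_LINE))
```

The same functions accept a full `show run` paste and any other crypto ACL name, so the check can be repeated against the ACL referenced by the responder's dynamic map.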

    Jon,
    Getting same errors as when we first started. Access list mismatch skipping dynamic map DYNMAP.
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    ASA1# Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:18:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 9389754e
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=9389754e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=ee315fa4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fffa05e1840, mess id 0x9389754e)!
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fffa05e1840)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f9d973c5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:18:47 [IKEv1]Ignoring msg to mark SA with dsID 200704 dead because SA deleted
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:19:17 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3af2253f
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3af2253f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=d4ee1beb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3af2253f)!
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=c7a1c363) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:19:17 [IKEv1]Ignoring msg to mark SA with dsID 204800 dead because SA deleted
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:19:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3383044c
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3383044c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f717942f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3383044c)!
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=883e1938) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:19:47 [IKEv1]Ignoring msg to mark SA with dsID 208896 dead because SA deleted
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    ASA1# undebug all
    ASA1#
    ASA2#
    ASA2#
    ASA2# debug crypto isakmp 127
    ASA2# Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE Initiator: New Phase 1, Intf Outside, IKE Peer 7.0.0.2  local Proxy Address 7.1.0.2, remote Proxy Address 7.0.0.2,  Crypto map (HQ2REMOTE)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ISAKMP SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 02 payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 03 payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Oakley proposal is acceptable
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received NAT-Traversal RFC VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Fragmentation VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ke payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Cisco Unity VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing xauth V6 VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send IOS VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ke payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ISA_KE payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Cisco Unity client VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received xauth V6 VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1 DEBUG]
    ASA2# : IP = 7.0.0.2, processing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Generating keys for Initiator...
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing ID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing dpd vid payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing ID payload
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Received DPD VID
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Oakley begin quick mode
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator starting QM: msg id = ea585f90
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Keep-alive type for this connection: DPD
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Starting P1 rekey timer: 27360 seconds.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE got SPI from key engine: SPI = 0xe5aab4b5
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, oakley constucting quick mode
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing proxy ID
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Transmitting Proxy Id:
      Local host:  7.1.0.2  Protocol 0  Port 0
      Remote host: 7.0.0.2  Protocol 0  Port 0
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending Initial Contact
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending 1st QM pkt: msg id = ea585f90
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=ea585f90) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=602db3a7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing notify payload
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=29ddd81f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing delete
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Connection terminated for peer 7.0.0.2.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, sending delete/delete with reason message
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec delete payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=2a8b25a9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Deleting SA: Remote Proxy 7.0.0.2, Local Proxy 7.1.0.2
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Removing peer from correlator table failed, no match!
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE SA MM:7362cee8 terminating:  flags 0x0100c822, refcnt 0, tuncnt 0
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Session is being torn down. Reason: User Requested
    Mar 03 08:58:34 [IKEv1]: Ignoring msg to mark SA with dsID 217088 dead because SA deleted
    Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xe5aab4b5
    ASA2# undebug all
    ASA2#
    Thanks,
    Ken
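
An added example, not part of the original post: a short triage script for `debug crypto isakmp` output like the two captures above. It reports whether Phase 1 completed, which proxy IDs the responder rejected, and the teardown reason. The sample lines are copied from the captures; the function names and the `phase2-proxy-mismatch` label are hypothetical.

```python
import re

# Lines copied from the two debug captures above: ASA1 is the responder,
# ASA2 the initiator. Only the decision-relevant lines are kept.
ASA1_DEBUG = """\
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
"""

ASA2_DEBUG = """\
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Session is being torn down. Reason: User Requested
"""

# Timestamp, [IKEv1 <level>] tag (ASA2 prints a colon after it),
# optional "Group = ..." and "IP = ..." fields, then the message text.
LINE = re.compile(
    r"^\s*(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\[IKEv1(?: (?P<level>DEBUG|DECODE))?\]:?\s*"
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:IP = (?P<peer>[\d.]+), )?"
    r"(?P<msg>.*)$"
)
LANDED = re.compile(r"Connection landed on tunnel_group (\S+)")
SKIPPED_MAP = re.compile(r"Skipping dynamic map (\S+) sequence (\d+): (.*?)\.?$")
PROXY_REJECT = re.compile(
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (\S+) local proxy (\S+) on interface (\S+)"
)
NOTIFY = re.compile(r"Received non-routine Notify message: (.+) \((\d+)\)")
TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.+)")

INVALID_ID_INFORMATION = 18  # ISAKMP notify type (RFC 2408)


def parse_proxy(text):
    """Split 'addr/mask/protocol/port' as printed in the rejection line."""
    address, mask, protocol, port = text.split("/")
    return {"address": address, "mask": mask,
            "protocol": int(protocol), "port": int(port)}


def summarize(debug_text):
    """Collect the Phase 1 / Phase 2 decision points from one capture."""
    summary = {"peer": None, "tunnel_group": None, "phase1_completed": False,
               "skipped_maps": [], "rejection": None, "notify": None,
               "teardown_reason": None}
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, e.g. a bare address after DECODE
        msg = m.group("msg").strip()
        summary["peer"] = m.group("peer") or summary["peer"]
        if msg == "PHASE 1 COMPLETED":
            summary["phase1_completed"] = True
        elif (hit := LANDED.search(msg)):
            summary["tunnel_group"] = hit.group(1)
        elif (hit := SKIPPED_MAP.search(msg)):
            summary["skipped_maps"].append(
                (hit.group(1), int(hit.group(2)), hit.group(3)))
        elif (hit := PROXY_REJECT.search(msg)):
            summary["rejection"] = {"remote": parse_proxy(hit.group(1)),
                                    "local": parse_proxy(hit.group(2)),
                                    "interface": hit.group(3)}
        elif (hit := NOTIFY.search(msg)):
            summary["notify"] = (hit.group(1), int(hit.group(2)))
        elif (hit := TEARDOWN.search(msg)):
            summary["teardown_reason"] = hit.group(1).strip()
    return summary


def diagnose(summary):
    """Classify the capture; the labels are this example's own."""
    if not summary["phase1_completed"]:
        return "phase1-incomplete"
    notify = summary["notify"]
    if summary["rejection"] or (notify and notify[1] == INVALID_ID_INFORMATION):
        return "phase2-proxy-mismatch"
    return "no-phase2-failure-seen"


if __name__ == "__main__":
    for name, text in (("ASA1", ASA1_DEBUG), ("ASA2", ASA2_DEBUG)):
        result = summarize(text)
        print(name, diagnose(result), result)
```

Both ends agree once the two captures are read together: the responder logs the rejected proxy pair and the skipped dynamic map, while the initiator only sees notify 18.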

  • What's the price for any Cisco ASA security parts?

    Hello everybody,
    Please, I need to know the prices for the items:
    ASA5500X-SSD120=     
    FS-VMW-2-SW-K9       
    L-ASA5525-TAM=       
    I need to implement Cisco IPS with 2 Cisco ASA 5525X.
    Thank you.

    Your local Cisco partner can provide pricing for your area.
    The Cisco Support Community is not the place to request price quotes.
    Please go to www.cisco.com and refer to the top menu pick "How to Buy" to find an authorized partner / reseller serving your area.

  • ASA5512-x basic set up

    Hi guys, I just bought an ASA 5512-SSD120-K9. With this next-generation ASA firewall, I don't understand much, and I don't know what to do next. I have read a lot of documents related to ASA CX;
    they said it comes with AVC, WSE, and IPS. But in the quotation I purchased, I saw I bought ASA5512-AI1Y (AVC+IPS), so in this case what does it mean? And I don't know how I can use IPS.
    If anyone knows this, please guide me.

    mmm...just when I thought I was getting the hang of this stuff!
    Ok, in people's opinion, what specific single unit would you recommend for under £200 ($350) - or separate units for the same budget. (Is my budget reasonable?)
    As a complete newbie I'm trying to get to grips with all this stuff - advice is pretty thin on the ground around where I live and I really don't want to blow my cash on something that's not suitable, so any advice is GREATLY appreciated.
    thnx in advance
    steve

  • Incoming SMTP issue with an ASA5512-X

    I have reviewed numerous support discussions on this particular issue, but I am still unable to properly configure my ASA 5512-X to receive SMTP email. I can send email, and have access to all other services that I setup.  I did create a network object for my Mail server and I am fairly certain this issue has something to do with my static NAT setup.
    My current configuration is listed below...any assistance would be greatly appreciated.
    I am new to the Cisco ASA appliance, and I am learning CLI as I go.  I also have ASDM set up.
    CONFIGURATION:
    : Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
    ASA Version 9.3(1)
    names
    interface GigabitEthernet0/0
     nameif Verizon
     security-level 0
     ip address 100.39.18.94 255.255.255.0
    interface GigabitEthernet0/1
     description Local Norco Domain
     nameif Norco.local
     security-level 100
     ip address 10.0.0.10 255.255.255.0
     dhcprelay server 10.0.0.1
    interface GigabitEthernet0/2
     description SCE-DRAS SERVER
     nameif SCE-DRAS
     security-level 0
     ip address 192.168.10.1 255.255.255.0
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa931-smp-k8.bin
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    dns domain-lookup Verizon
    dns domain-lookup Norco.local
    dns server-group DefaultDNS
     name-server 10.0.0.1
     name-server 68.238.96.12
     name-server 68.238.64.12
     domain-name norco.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object service HTTP-19560
     service tcp destination eq 19560
    object service HTTP-65535
     service tcp destination eq 65535
    object service HTTP-8933
     service tcp destination eq 8933
    object service HTTP-8943
     service tcp destination eq 8943
    object service RTP
     service udp destination range 19560 65535
    object service SIP-TCP-8943
     service tcp destination range 8933 8943
     description IPPHONE - SIP
    object service SIP-UDP-8943
     service udp destination range 8933 8943
     description IPPHONE - SIP
    object service smtp
     service tcp destination eq smtp
    object network SMTP-SERVER
     host 10.0.0.1
    object-group network IPHONE-SERVERS
     description VERIZON IP-PHONE SERVERS
     network-object 128.177.14.0 255.255.255.0
     network-object 128.177.36.0 255.255.255.0
     network-object host 199.19.195.241
     network-object host 199.19.195.243
     network-object host 199.19.195.250
    object-group service GENERAL-ACCESS tcp
     description GENERAL SERVICES ACCESS
     port-object eq ftp
     port-object eq www
     port-object eq https
     port-object eq smtp
    object-group service IP-PHONE-SERVICE
     description PHONE SYSTEM ACCESS RULES
     service-object object HTTP-19560
     service-object object HTTP-65535
     service-object object HTTP-8933
     service-object object HTTP-8943
     service-object object RTP
     service-object object SIP-TCP-8943
     service-object object SIP-UDP-8943
     service-object tcp-udp destination eq 1025
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object udp destination eq domain
     service-object udp destination eq ntp
     service-object tcp-udp destination eq domain
     service-object tcp-udp destination eq www
     service-object tcp-udp destination eq sip
     service-object tcp destination eq domain
     service-object tcp destination eq smtp
     service-object tcp destination eq ssh
     service-object tcp destination eq telnet
     service-object udp destination eq dnsix
     service-object udp destination eq www
    object-group service General-TCP-UDP-Access
     service-object tcp-udp destination eq domain
     service-object tcp-udp destination eq www
     service-object tcp destination eq domain
     service-object tcp destination eq ftp
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object udp destination eq www
     service-object udp destination eq ntp
     service-object udp destination eq radius
    access-list Verizon_access_in extended permit object-group IP-PHONE-SERVICE object-group IPHONE-SERVERS any
    access-list Verizon_access_in extended permit tcp any object SMTP-SERVER eq smtp
    access-list Verizon_access_out extended permit object-group IP-PHONE-SERVICE any object-group IPHONE-SERVERS
    access-list Verizon_access_out extended permit object-group General-TCP-UDP-Access any any
    access-list Verizon_access_out extended permit tcp any any eq smtp
    access-list SCE-DRAS_access_out extended permit ip any any
    access-list SCE-DRAS_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Verizon 1500
    mtu Norco.local 1500
    mtu SCE-DRAS 1500
    mtu management 1500
    ip verify reverse-path interface Verizon
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Norco.local,Verizon) source dynamic any interface
    nat (SCE-DRAS,Verizon) source dynamic any interface
    object network SMTP-SERVER
     nat (Norco.local,Verizon) static interface service tcp smtp smtp
    access-group Verizon_access_in in interface Verizon
    access-group Verizon_access_out out interface Verizon
    access-group SCE-DRAS_access_in in interface SCE-DRAS
    access-group SCE-DRAS_access_out out interface SCE-DRAS
    route Verizon 0.0.0.0 0.0.0.0 100.39.18.1 1
    route Norco.local 10.10.0.0 255.255.255.0 10.0.0.7 2
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.255.255.0 Norco.local
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint _SmartCallHome_ServerCA
     no validation-usage
     crl configure
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     subject-name CN=10.0.0.10,CN=ciscoasa
     crl configure
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
     enrollment self
     subject-name CN=10.0.0.10,CN=ciscoasa
     crl configure
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd update dns both override
    dhcpd address 192.168.10.2-192.168.10.5 SCE-DRAS
    dhcpd dns 68.238.96.12 68.238.64.12 interface SCE-DRAS
    dhcpd enable SCE-DRAS
    dhcpd address 192.168.1.2-192.168.1.10 management
    dhcpd enable management
    dhcprelay information trust-all
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Norco.local
    ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Norco.local vpnlb-ip
    webvpn
     anyconnect-essentials
     no error-recovery disable
    dynamic-access-policy-record DfltAccessPolicy
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
     class class-default
      user-statistics accounting
    service-policy global_policy global
    smtp-server 10.0.0.1
    prompt hostname context
    service call-home

    Hi Murali,
    I ran the packet tracer routine...please let me know if I did this correctly...the results are below.  The results indicate the traffic is denied by the implicit rule, but I'm not sure why....
    ciscoasa(config)# packet-tracer input verizon tcp 209.85.213.176 smtp 100.39.18.94 smtp
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    in   100.39.18.94    255.255.255.255 identity
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         via 100.39.18.1, Verizon
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: Verizon
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
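
An added example, not part of the original post: a small parser for `packet-tracer` output like the trace above. It reports the phase that dropped the packet and two things worth checking when tracing a port-forward: whether an UN-NAT phase appears, and whether the egress interface is the ASA itself (`NP Identity Ifc`). The trace text is copied from the post; the function names are hypothetical.

```python
import re

# packet-tracer output copied from the post above.
TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   100.39.18.94    255.255.255.255 identity
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 100.39.18.1, Verizon
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Verizon
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Field labels that structure each phase block.
FIELD = re.compile(
    r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_trace(text):
    """Return (phases, summary) parsed from packet-tracer text output."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:
            # Final block: "key: value" pairs such as Action / Drop-reason.
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = FIELD.match(line)
        if not m:
            # Free text under "Config:" or "Additional Information:".
            if current is not None and section:
                current[section].append(line)
            continue
        key, value = m.groups()
        if key == "Phase":
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Result" and not value:
            in_summary = True  # bare "Result:" opens the closing summary
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif current is not None:
            current[key.lower()] = value
            section = None
    return phases, summary


def assess(phases, summary):
    """Pull out the facts that explain where and why the flow stopped."""
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_rule": drop["config"][0] if drop and drop["config"] else None,
        # A static NAT match on inbound traffic shows up as an UN-NAT phase.
        "un_nat_seen": any(p["type"] == "UN-NAT" for p in phases),
        # "NP Identity Ifc" means the packet was treated as to-the-box traffic.
        "to_the_box": summary.get("output-interface") == "NP Identity Ifc",
        "drop_reason": summary.get("Drop-reason"),
    }


if __name__ == "__main__":
    print(assess(*parse_trace(TRACE)))
```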

  • Asa5512-x IPS version

    Hi,
    If my customer buys an ASA5512-K9 and wants to add an IPS module to the ASA, is that possible, or does he need to replace the whole security appliance?
    Also, what are the alternatives to provide IPS to an ASA5512-K9 via the web with FirePOWER?
    Thanks

    It is possible but not recommended to install the legacy Cisco IPS module on an ASA-5512X. That product is approaching end of sales and not being actively marketed.
    The ASA with FirePOWER services is the best way forward. To implement that you would need to have the Solid State Drive (SSD) installed. If the ASA wasn't ordered with one, it can be added as a spare. You would then need to order the appropriate subscription service and attach that to the Smartnet coverage on the unit.
    There is an ordering guide (partner access required) that your reseller can refer to explaining the options in great detail.
    Once you have the necessary purchase completed, there is a Quick Start Guide for setting up the system.

  • Software and Licensing confusion for asa5512-ips edition firewall

    Hi all, we are looking at purchasing a Cisco ASA 5512-X IPS Edition but we are having a very difficult time trying to figure out what software and licensing we need for it.  Can someone please answer the following questions?
    1. I see the part number for the software is ASA5512-NI1Y (at least this is what we were told), but I see that some places sell it for over 800 dollars like http://nextwarehouse.com/item/?1518620 and then some sell it for 99 cents, like http://www.pcm.com/p/Cisco-Anti-Virus-&-Security-Software-Licensing/product~dpno~9969455~pdp.ificche - how can this possibly be right?  Does the 800 dollar one contain the licenses???
    I cannot get a straight answer from Cisco on this, every time I call to ask about it all I get is a sales pitch to buy it from them alone and a promise that someone will call me back "with more details".
    2. Is there only one software package for this? As in, if we buy ASA5512-NI1Y will every feature of the firewall be available?
    Thanks all, hopefully my questions make some sense as this has been really confusing and frustrating for us.
    Mike Anderson

    That part number is only for the IPS license of the soon-to-be-discontinued ASA 5512-X with CX module (last day of sales August 17 2015 - reference). It does not include the ASA appliance itself. That said, it is capable of running as a perimeter firewall with basic IPS functionality. No additional software is required (although a support contract on the base ASA appliance is required to add on a current IPS subscription license).
    You would be better served with an ASA 5512-X with FirePOWER module. The FirePOWER technology (from the 2013 acquisition of Sourcefire) is more advanced than the signature-based technology in the CX's IPS and will be the strategic platform that is further built upon moving forward. 
    Any qualified Cisco partner should be able to create a valid quote for you to purchase one. 
