Cisco Movi 4.2 Presence issues.

Hi Experts,
I did a search and saw that similar question was asked various times. However, it did not applied in my scenario. I am having a Cisco Telepresence VCS Expressway starter pack running on X6.1 firmware.
I was login to my Movi account and saw "User 1" is online under my favourite list. When I tried connecting to "User 1", I got the error "Call failed - The user could not be found. The user is offline or does not exist" (User 1 was never online).
I logout my Movi accounrt and login again. This time round, "User 1" is offline.
The other time was "User 2" saw "User 3" was in Busy status but "User 3" was never online. User 2's PC was rebooted and re-login into Movi and saw User 3 offline.
Anything that I should do to overcome this?
Thanks

Hi,
Is there any reason why use "Treat as Authenticated" instead of "Check
Credentials"?, We notice that when set to "Treat As Authenticated", user
can login with any password? Our default zone is set to "Check
credentials". Please advise, thanks.
Best regards
Yeoh Wee Nam, CTS-D
aljaiswa
05-04-12 11:37 AM
Please respond to
"[email protected]"
To
Tandberg SUPPORT/NETe2Asia@NETe2Asia
cc
Subject
- Re: Cisco Movi 4.2 Presence issues.
Home
Re: Cisco Movi 4.2 Presence issues.
created by Alok Jaiswal in TelePresence - View the full discussion
Hi Wee,
I addition to what Magnus has pointed out i would like you to check the
bug "CSCtt34812".
The condition you were saying could be related to bug mentioned where the
MOVI after deregistering doesn't publish its OFFLINE status and shows
online. I can't say much but it would be more clear with logs.
workaround: Change the Default Zone's authentication policy from "Do Not
Check Credentials" to "Treat As Authenticated"
for more details refer to Cisco BUG tool kit and check the release notes
for Cisco Jabber 4.3
http://www.cisco.com/en/US/docs/telepresence/endpoint/movi/release_note/Jabber_Video_Release_Notes_4-3.pdf
The bug would be fixed in combination of x7.x and jabber 4.3
Thanks
Alok
Reply to this message by going to Home
Start a new discussion in TelePresence at Home

Similar Messages

Cisco Phone Control and Presence 8.6.1.1185 with IBM Lotus Notes 8.5.2 (Integrated Sametime Client 8.0.2) - No presence status visible

Hi community,
I am trying to integrate Cisco Unified Presence 8.6.1.10000-34 with IBM Lotus Notes 8.5.2 with the integrated Sametime Client version 8.0.2 via the Cisco Plugins 8.6.1.1185.
Phone control is working fine, whereas the presence status is not shown (= no handset symbol next to the Sametime user). When I look in the preferences of the plugin, I can see that the plugin has connected successfully to the CUCM (8.6.2.20000-2),whereas the connection to the CUPS has not been established.
The user id as well as the password are all the same on all systems. Here is a description of what I have configured via the ciscocfg.exe tool:
Feature Control:
- Enable Phone Status -> checked
- Enable Dial Using Cisco IP Communicator -> unchecked (not required)
- Enable Control Desk Phone -> checked
- Default Mode -> Control Desk Phone
Control Desk Phone Settings:
- Voicemail Pilot Number -> left blank (no voicemail)
- Cisco Unified Communications Manager
     - Servers -> IP address of CUCM
     - Read Only -> unchecked
     - Use as Default CUCM -> checked
     - Synchronize Credentials -> checked
          - Use Sametime Credentials -> checked
Use Secure Connection: -> not required
LDAP Phone Attributes: -> not required
Phone Status Settings:
- Cisco Unified Presence Servers -> IP address of CUPS
- Read Only -> unchecked
- Synchronize Credentials -> checked
     - Use Sametime Credentials -> checked
- Sametime User ID Mapping
     - Use Business Card Attribute -> MailAddress
     - Remove Domain -> checked
- Display Off-Hook Status Only -> unchecked
At the moment I don't see an error in the configuration, but maybe I am wrong. Could anyone please tell me what the error could be?
Thanks a lot in advance!
Kind regards,
Igor

Hi all,
here are some additions to my above post:
Servers and clients used:
1x CUCM 8.6.2.20000-2
1x CUPS 8.6.1.10000-34
1x IBM Lotus Domino Messaging Express Server 8.5.2
1x Sametime Entry Server 8.5.2 (on top of the Domino server)
2x IBM Lotus Notes 8.5.2 with integrated Sametime 8.0.2
2x Cisco Phone Control and Presence with Lotus Sametime (PCAP) 8.6.1.1185
2x Cisco Unified Personal Communicator 8.5.5.19839
Setup:
- CUCM, CUPS and CUPC are working fine, i.e. Desk Phone control via CUPC, as well as availability and presence status are working without issues
- IBM Lotus Domino server is the LDAP Directory, the Sametime Entry Server is installed on top of the Domino server and uses the Domino Directory
- User ID and password on CUCM/CUPS match the ShortName field and password in Domino
- The PCAP plug-in has been manually deployed to both Notes clients with the following configuration:
     - Enable Phone Status -> active
     - Desk Phone Control -> active
     - no credential synchronization for CUCM and CUPS, i.e. every user must fill the user details himself
     - Sametime User ID Mapping is implemented via the LDAP Attribute uid (which is equal to the user id in CUCM)
     - LDAP configuration filled in with details of the Domino server
Phone Control is working fine, also the connection to the LDAP server (Domino) is fine. However, when I type in the credentials for the CUPS server login, I can see (in Troubleshooting pane) that the user (pparker) is connected to the CUPS server for a short period of time and then gets disconnected. After that no connection is possible to the CUPS server, i.e. status is always disconnected.
I have collected the Tomcat (EPASSoap00010.log and security00010.log) logs via RTMT and compared them to the logs from the PCAP plugin. The relevant time period is from 15:14 to 15:17. In the Tomcat logs I can see that the authentication is successful (see attached files), however in the log of PCAP plugin I can see the following messages:
2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
I don't understand why the connection is rejected although the Sametime Internal ID and CUPS User ID match. Does anyone know what the issue could be?
All posts are very much appreciated!
Thanks a lot in advance!
Kind regards,
Igor

Different movement types for goods issue via outbound delivery

Hi gurus,
How can I use different movement types for goods issue via outbound delivery?
Thanks&Best Regards,
Burcu

To use different schedule lines, we need different item types and different document types. Is that right?
Is there a user exit in outbound delivery to post goods issue?
Thanks...

Different movement types for Goods Issue for different Order Types

Hello Experts,
Can we maintain different movement types for Goods Issue for different Order Types at the time of automatic creation of reservations?
Thanks and regards,
Satyajit

Satyajit,
Folow the link given,
Re: How to add new movement types when creating reservation?
Hope this helps you.
SmanS

Movement Type for Good Issue and Good Consumption in Table S032

Hi Gurus,
Would like to ask what are the movement type used in Good Consumption and good issue in Table S032.
Thank you in advance
Best Regards,
Julius Calugay

Hi
If a goods movement is an goods issue and if its going to reduce the inventory stock/value (goods issue posting causes an update of the consumption statistics of the material) , then its going to be an goods consumption also - ex. issue to a cost center/order
If a goods movement does not affect the inventory value but change in stock, then its only a goods issue - ex. transfer posting
If a goods movement is not an goods issue, but it reduces the inventory stock/value, then its only a goods consumption - ex. receipt of materials in a subcontract PO, here the raw materials is assumed as consumed for the finished product receipt.
Thanks !
E.Avudaiappan

Movement Type for Goods Issue to Project

Hi All
Could you please tell me which movement type use for issue to Investment Project and issue for Customer Project ?
Regards,
Thang

Dear Cao,
Refer this link which will give some important information about Movement Types.
http://help.sap.com/saphelp_40b/helpdata/ru/fc/6cec6eb435d1118b3f0060b03ca329/content.htm
Regards,
Sandeep

Movement type for goods issue in intercompany STO business scenario

Hi, everyone,
In intercompany STO scenario, firstly we should create a purchase order with a transfer order type just like as UB,
then we use T-code: VL10B to create the delivery note by referencing the purchase order created in first step, in succession, billing, goods reciept.
Actually I have a question about the movement type in goods issue process. The standard is 643 deliveried by SAP.
Can I customize the movement type in intercompany STO business scenario

hi,
The following are the scenarios of cross plant goods movements:
Alternate plant procurement of purchased items
Alternate plant production
Plant-to-plant goods transfer of grouped project stock
Stock transfer without reference to a stock transfer order (STO)
1 Step 301
1 Step reversal 302
Stock transfer with reference to an STO in the receiving plant without SD
2 Steps - 351 and 101
2 Steps reversal 102 and 352
Stock transfer with reference to an STO in the receiving plant with SD delivery
2 Steps 641 and 101
2 Steps reversal 102 and 642
1 Step 647
1 Step reversal 648
Movement Type & Description
301 / 302
Goods receipt into production order in another plant. This is a one-step, cross-plant stock transfer. This movement type does not use STOs but behaves like a goods receipt of stock, except that the stock comes from another plant into the current plant. Movement 302 is the reverse of 301.
351 / 352
Stock transfer that is in transit between two plants. This is a twostep, cross-plant stock transfer, because after movement 351, you do not immediately see the stock in the receiving plant. After movement 351, the stock is in transit between the two plants. Only after you have performed a goods receipt (movement 101/102)of this in-transit stock into the receiving plant can you see this stock in the receiving plant. Movement 352 is the reverse of 351.
641 / 642
Stock transfer that is in transit between two plants, with delivery documents (Sales and Distribution). This is a two-step, cross-plant transfer of stock, because after movement 641, you do not immediately see the stock in the receiving plant. After movement 641, the stock is in transit between the two plants. Only after you have performed a goods receipt (movement 101/102 ) of this in-transit stock into the receiving plant can you see this stock in the receiving plant. Movement 642 is the reverse of 641.
647 / 648
Stock transfer to another plant, with delivery documents (Sales and Distribution), with STO. This is a one-step, cross-plant stock transfer because after movement 647, you cannot immediately see the stock in the receiving plant. The stock is never in transit with this movement type, but the stock is transferred with reference to an STO with Sales and Distribution documents. Movement 648 is the reverse of 647.
regards,
Siddharth

Cisco Jabber for Windows Voicemail issue

At this I'm in processing of implementation Cisco Jabber UC solution for big Company.
I use CUCM 9.1.2, Cisco IM and Presence 9.1.2, CUC 9.1.2, Cisco Jabber for Windows 9.6.1.
I have issue in Cisco Jabber with VoiceMail Integration - when I leave voice message for any user,
than this message is arrived only him Cisco IP Phone, but not in him Cisco Jabber.
From Cisco Jabber Connectivity status in help menu I see that VoiceMail service is successfully connected
and I see VoiceMail button in Cisco Jabber.
How can I resolve this issue?

Have you configured the UC Service profile on CUCM with both Voicemail server and mailbox servers?

UCCX 7.0.1SR4 and Presence issue

Hi
I have configured the presence AXL user to that of my cups username and everything validates okay. My CUPC client works fine and can view all contacts so the LDAP profile is correct.
However, when I try to search for contacts within CDA I recieve the message
CDAUI2067 Search did not complete successfully, and only partial results are displayed. Contact technical support.
I have taken a wireshark trace of the LDAP transaction between UCCX and LDAP server and the response is fine with correct response i.e. valid search yet the application errors.
Anyone had similar issues
Paul

Problem When searching for subject matter experts from the Contact List page,
no names are found, and this error message appears: âCDAUI2067
search did not complete successfully, and only partial results are
displayed. Contact technical support.â
Solution This error occurs when the parameters on the Unified Presence Cluster
Settings page are not configured correctly. There are two possible
causes of this problem: the user credentials are incorrect or the
hostname/IP address is incorrect.
NOTE: The user specified on the Cisco Unified Presence Cluster
Settings page must be able to perform SOAP queries and must
be associated with the same profile in LDAP that agents are
associated with.
To diagnose and resolve the problem, complete the following steps.
1. Choose Cisco Unified Presence Settings > Cisco Unified Presence
Cluster Settings.
Desktop Administrator Problems
April 2009 85
2. Click Verify.
â If the hostname/IP address are incorrect, this error message
appears: âCDAUI2033 Error communicating with the Unified
Presence Server.â
â If the user credentials are incorrect, this error message
appears: âCDAUI2034 Invalid Cisco Unified Presence Cluster
user credentials. Configured user must be able to run SOAP
queries.â
3. Type the correct information in the appropriate fields, then click
Verify to test the information you just entered. A message should
appear, stating that the transaction was successful.
4. Click Save.

WRVS4400S Cisco Router to Fortinet VPN Issue

I created the VPN between WRCS4400N and Fortinet 111c and tunnel is up. When i am pinging my cisco subnet (10.0.20.0) from fortinet, its pinging. But when i am pinging fortinet (10.0.1.8) or any ip of this subnet from cisco router its not pinging.
I have real IP on my Fortinet and dyndns on Cisco Router. The simple diagram is attached for my vpn network. I think its routing issue, i have to add route in cisco router but i don't know what route i have to add there in order work the vpn perfectly. kindly help...

Hi Muhammad,
since this question is about a product in the Cisco Small Business / Linksys range, I suggest you move it to the community, where you will have a better chance of getting expert advice.
best regards,
Herbert
Cisco Moderator

Cisco 4500X IOS upgrade through ISSU

Hi,
I am having 2 number of cisco 4500x switch and configured with VSS
so one switch is active and another switch is standby.
I am panning to upgrade IOS through ISSU
i read in document that it required auto boot enable in switch.
My switch current Configuration register = 0x2101
do i need to change config register or this will ok. If need to change then what will be auto boot and after IOS upgrade do i need to change it again.
Please help....

Hello Tarun,
Please find below the steps to perform the ISSU:
ISSU Prerequisites
Before one can perform an ISSU, there are a few prerequisites one must verify for a successful ISSU. The following list explains what is initially required.
• Must be using a redundant Cisco Catalyst 4500 switch with symmetric hardware (that is, supervisors, memory, rommon, NFL daughter card, and so on).
• Both new and old Cisco IOS Software images must be preloaded to the file system on both supervisors.
• SSO must be configured and working properly.
• Config register must be configured to autoboot (that is, the value should have a "2" in the lowest byte).
45010R-203# sh bootvar | i register
Configuration register is 0x2102
Standby Configuration register is 0x2102
Several commands are available to verify if SSO is enabled:
4510R-203# sh module | b Redundancy
Mod  Redundancy role     Operating mode      Redundancy status
----+-------------------+-------------------+-------------------
1   Standby Supervisor   SSO                  Standby hot
2   Active Supervisor    SSO                 Active
45010R-203# sh redundancy states
       my state = 13 -ACTIVE
     peer state = 8   -STANDBY HOT
           Mode = Duplex
           Unit = Secondary
        Unit ID = 2
Redundancy Mode (Operational) =  Stateful Switchover
Redundancy Mode (Configured)  =  Stateful Switchover
Redundancy State              =  Stateful Switchover
             <snip>
4507R-ISSU# sh run | b redundancy
redundancy
mode  sso
As a step prior to the beginning of the ISSU process, the new version of the Cisco IOS Software image needs to be loaded into both the active and standby supervisors' file systems. Both active and standby supervisor need to contain both the new and old images in the file system. In order to store both new and old images, the supervisors should be upgraded to contain sufficient amounts of flash memory prior to the ISSU process.
The new images can be downloaded into both supervisors using commands such as:
copy tftp: bootflash:
copy tftp: slavebootflash:
The example below illustrates this verification:
4510R-203#dir
Directory of bootflash:/
1  -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
2  -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1
4510R-203#dir slavebootflash:
Directory of slavebootflash:/
1  -rwx 13636500 Sep 6 2006 03:18:58 -08:00 cat4500-entservices-mz.122-31.SGA
2  -rwx 13747611 Sep 9 2006 03:19:58 -08:00 cat4500-entservices-mz.122-31.SGA1
Once this check is verified, one can now proceed with the ISSU process.
The ISSU process is started by typing the "issu loadversion" command on the active supervisor. This command directs the active supervisor to begin the ISSU process. The active supervisor, through intersupervisor communications, checks that the requested image has been downloaded into both the active and standby supervisors' file systems. If the required images are not present, the command is rejected, and an appropriate warning is generated.
If the "issu loadversion" command is successful, the switch transitions into the "Load Version" ISSU state. The standby supervisor will reset and boot with the new version of the Cisco IOS Software image loaded into the file system.
The following actions take place when the command is implemented:
1. The standby supervisor (B) is reset.
2. The standby supervisor (B) is booted with the new Cisco IOS Software image: Release 12.2(31)SGA1.
3. If both Cisco IOS Software images are declared as compatible, the standby supervisor moves into SSO mode and is fully stateful for all compatible clients and applications. Compatibility allows for in-service software upgrade or downgrade between two versions to succeed with minimal service effect.
4. If both Cisco IOS Software images are incompatible, the system moves into RPR mode, and the ISSU process is terminated with an appropriate message to the user. Images are declared incompatible when "required" clients or applications are not interoperable between two Cisco IOS Software releases.
5. Standby "B" reaches the standby HOT state.
6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
7. The "issu loadversion" command also supports a "forced" option that allows the operator to force the system into entering RPR mode when incompatibility is detected.
Note: When performing an ISSU, disable manual switchovers. Performing manual switchovers during the issu process is strongly discouraged. The current implementation does not prevent it, but it does display a warning to the user.
An example of the CLI for implementing the issu loadversion command is displayed below.
On the active supervisor, one would issue the following command:
4510R-203#issu loadversion 1 bootflash:cat4500-entservices-mz.122-31.SGA1 2 slavebootflash: cat4500-entservices-mz.122-31.SGA1
Syntax - issu loadversion active-slot active-image-new standby-slot standby-image-new
The second step of the ISSU process is to perform the issu runversion CLI.
The user can issue the " issu runversion" command when:
1. The ISSU state is "Load Version"; this can be verified with the "show issu state detail" CLI.
2. The standby supervisor is running the new version of the software.
3. The standby supervisor has moved into the "Standby Hot " state.
The following actions take place when the " issu runversion" command is executed:
1. A switchover occurs; that is, the standby (B) becomes the new active, and the old active (A) is rebooted and comes up as a standby.
2. A timer called "Rollback Timer" is started with a previously configured value.
3. Move both supervisors to "Run Version" state.
4. If the command "issu acceptversion" is not issued before the "Rollback timer" fires, then the entire ISSU process is aborted via the automatic rollback.
5. If the active supervisor console connectivity is established and the "issu acceptversion" command is issued, then the rollback timer is stopped.
6. The user has an option to abort the ISSU process by issuing the "issu abortversion" command.
An example of the CLI for implementing the issu runversion command is displayed below:
On the active supervisor, one would issue the following command:
4510R-203#issu runversion 2 slavebootflash:cat4500-entservices-mz.122-31.SGA1
Syntax - issu runversion standby-slot [standby-image-new]
Prior to issuing the `issu acceptversion' command the system will be counting down the rollback timer. If `issu acceptversion' is not completed before rollback timer expires an automatic abort will occur. This command stops the "Rollback Timer." This command serves as a feedback mechanism. This is an optional command and can be skipped in the ISSU process with the "issu commitversion" CLI.
If this command is not issued within 45 minutes (default) from the time the standby supervisor moves into the "Standby Hot" state, it is assumed that the new active supervisor is not reachable and the entire ISSU process is rolled back to the previous version of the software. The acceptversion is not intended for long-term network operation. It is also important to note that none of the features available on the new version will work yet.
The following actions take place when the command is implemented:
1. The "Rollback Timer" is terminated. This means that the rollback timer is not looked at anymore. Therefore, the system can run in this state for an extended period.
2. The user has an option to abort the ISSU process by issuing the command "issu abortversion."
Aborting the ISSU process now causes the newly active supervisor (B) to fail over to the standby supervisor (A) running the old image and will also cause the rebooting supervisor (B) to load the original image. The issu acceptversion halts the rollback timer and helps ensure the ISSU process is not automatically aborted during the process.
An example of the CLI for implementing the issu acceptversion command is displayed below:
On the "New" active supervisor, one would issue the following command:
4510R-203#issu acceptversion 2
% Rollback timer stopped. Please issue the commitversion command.
Syntax - issu acceptversion active-slot-number
This is the last stage of the ISSU procedure. Once the user is satisfied with the new version of software, this must be committed by issuing the "issu commitversion" command. This command resets the standby supervisor and boots it with a new version of the software (same as the active supervisor). This concludes the ISSU process, and the new version of software is permanently committed on both supervisors. Since this is the conclusion of the ISSU process, the system can not be reverted back to the previous version of the software from this point onward as a part of this upgrade cycle. However, if for any reason users wish to go back to the previous version of the software, they can do so by starting a new upgrade/downgrade process.
The following actions take place if the command is implemented:
1. The standby supervisor (A) is reset and booted with the new version of Cisco IOS Software image.
2. The standby supervisor (A) moves into the "Standby Hot" state in SSO mode and is fully stateful for all clients/applications that are compatible.
3. Both supervisors are moved into "Final State," which is the same as "Initial State."
4. Users can initiate switchovers from this point onward.
An example of the CLI for implementing the issu commitversion command is displayed below:
4510R-203#issu commitversion 1
Syntax - issu commitversion standby-slot-number
ISSU Process: issu abortversion
One can abort the ISSU process at any stage manually (prior to issuing the issu commitversion command) by issuing the exec-level issu abortversion command. The ISSU process also aborts on its own if the software detects a failure.
If a user aborts the process after issuing the issu loadversion command, then the standby supervisor engine is reset and reloaded with the original software.
If the process is aborted after a user enters either the issu runversion or issu acceptversion command, then a second switchover is performed to the new standby supervisor engine that is still running the original software version.
The supervisor engine that had been running the new software is reset and reloaded with the original software version. The command is accepted only in "Load Version" or "Run Version" states. In "Load Version" state, the active supervisor is running an old image and the standby supervisor is running new image.
Syntax - issu abortversion active-slot [active-image-new]
Let me know if you have any questions.

Interesting Presence issue and changing the domain

I've got an interesting problem that I recently posted about in a different discussion forum.
Basically I've got a presence setup. This is federated with an OCS. The OCS domain is something like company.com This is the same as the email domain, and the SIP uri's are sip:[email protected]
The issue is that when the presence server was set up, the proxy domain was set as something like cmp.local. cmp.local is the domain for the entire internal MS infrastructure. The problem appears to be that this conflicts with the internal domain. So when looking up in the directory instead of getting the OCS domain it gets replaced with the cmp.local. Functionally this results in the jabber client being unable to add federated OCS contacts from the directory as they just get added as internal jabber contacts.
I'm thinking of changing the domain on the presence server to something like jabber-cmp.local, i.e. a domain that doesnt exist. Once we migrate to jabber we'll change the domain again back to company.local so we can federate externally properly. Does anyone have any experience of doing something similar? Any pitfalls anyone can point out?

Federation can only be setup a few ways
- Intra domain (company.com   federated to im.company.com)
- inter domain (company.com federated to abc.com)
- Intra domain partitioned (Company.com federated to company.com)
You need to define this to make any of the with CUPS 8.6.4 (you should run latest and greatest).   Now, depending on which version OCS you have R1 or R2 is important as well.
Put the CUPS server in the domain you want it in. Some of the SIP paramenters can be pushed for Jabber 4 windows XML file IE:
msRTCSIP-PrimaryUserAddress
true
sip:>

Cisco Jabber for Windows Certificate Issues

Hi,
I have configured a Cisco Jabber with device security mode "Encrypted". Once I use this mode I am getting a error message in Cisco Jabber as:
"The certificate enrollment for secure computer calling has not been activated. Contact your system administrator."
The softphone feature is not working because of this.
Do you have any fix for this issue?
Thanks,
VJ

Hi Jonathan,
I have one more issue with Cisco Jabber using authentication string. The authentication string works fine with the Jabber and softphone functionality is working.
Now the problem is: if the single user has two Jabber clients, one installed on laptop and second on desktop, the authentication string window is presented to the jabber client which logs in first. For example is I login from my laptop the window pops up to enter the authentication string. But now when I open the Jabber on my desktop it doesn't give me option to enter the authentication string and the softphone doesn't work.
Thanks,
Vaijanath

Cisco ASA 5505 - IPsec Tunnel issue

Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
          remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
          remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
Jonathan

Hi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

Cisco Movi 4.2 Presence issues.

Similar Messages

Maybe you are looking for