Communicate Directly Between VPN Tunnel Sites

Similar Messages

• ASA 5505 site-to-site VPN tunnel and client VPN sessions

  Hello all
  I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
  I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
  The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
  Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
  Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
  I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
  Thanks in advance for any assistance provided!

  First question:
  Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
  Second question:
  Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
  Last question:
  This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
  Here is what needs to be configured:
  1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
  2) On site A configures: same-security-traffic permit intra-interface
  3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
  On Site Z:
  access-list permit ip
  On Site A:
  access-list permit ip
  4) NAT exemption on site Z needs to include vpn client pool subnet as well.
  Hope that helps.
  Message was edited by: Jennifer Halim

• Cannot establish site-site vpn tunnel through ASA 9.1(2)

  Hi,
  We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
  The site-site VPN tunnel fails to establish.
  The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
  Regards

  >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
  UDP/500
  UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
  IP/50
  for testing ICMP/Echo
  If you allowed full IP-access between these two endpoints, it is more than enough.
  When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
  Can the two gateways ping each other? 

• VPN tunnel between 2 RRAS servers, both performing NAT with 2 network connections

  I have a need to configure an IPSEC policy between 2 networks.  Both servers are located at separate offices, are virtual, are 2008 R2 standard,  and only perform the function of NAT between a public IP and the LAN.  They each have 1 network
  adapter with a public address and 1 adapter with an internal LAN address.  I would like to setup an IPSEC policy between these 2 RRAS so that both LAN's can communicate.
  My question's; would this be the best method to get this accomplished?  If not, what are best practices?  Does anyone have documentation for this type of setup?
  I can create a policy between 2 servers, each behind each RRAS vm, but I'd like to keep domain controllers, AD, etc. out of this and not exposed - just have RRAS handle it.

  What you need to do is look for a guide to site to site VPN which you can follow. There are plenty out there of varying degrees of clarity and accuracy.
    The situation briefly is that each site operates normally using its router as a NAT device to provide Internet access for the LAN. In addition, each router is configured to provide a router to router VPN link. Each router has a static route to forward
  traffic for the subnet of the other site through the VPN tunnel.
  The net result is that a client wanting Internet access uses NAT to give it an Internet connection. If instead the client wants to access the other site, the request is sent through the VPN tunnel. There is no confusion because Internet addresses must be
  public and the site addresses are private. This is all transparent to the client because it is all handled by the routers. The client simply sends the packet to the default gateway. 
    The private traffic between sites is encrypted and encapsulated while it is crossing the Internet. The Internet routers see only the public address on the wrapper. The other site sees only the private IP of the packet after it has been unencapsulated
  and decrypted. The two sites behave as if they were linked by an IP router, but the operation is slow because of the delay in getting the packets from site to site.  
  Sorry about the link. http://www.youtube.com/watch?v=m-sakEbVDQ4
  Bill

• Configure a VPN client and Site to Site VPN tunnel

  Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
  SiteA config with working VPN tunnel to SiteB:
  SITE A
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.x.x.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.x.x.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.x.x.0.0 201.201.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  SiteA-pix(config)#
  Lines I add for Cisco VPN clients is attached
  I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
  Anyone any ideas what this can be?
  Thanks

  Heres my config:
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.11.11.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.255.255.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool pix_inside 200.x.x.100-200.220.200.150
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.0 0.0.0.x.x.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
  crypto dynamic-map DYNOMAP 10 match address 80
  crypto dynamic-map DYNOMAP 10 set transform-set AAADES
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
  crypto map outside_map client authentication RADIUS
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash sha
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  vpngroup Remote address-pool pix_inside
  vpngroup Remote dns-server 200.200.200.20
  vpngroup Remote wins-server 200.200.200.20
  vpngroup Remote default-domain mycorp.co.uk
  vpngroup Remote idle-time 1800
  vpngroup Remote password password
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  I will attach debug output later today.
  Thanks

• How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520

  Hello,
  I just deployed one Cisco SA540 and three SA520s.
  The SA540 is at the Main Site.
  The three SA520s are the the spoke sites.
  Main Site:
  Downstream Speed: 32 Mbps
  Upstream Speed: 9.4 Mbps
  Spoke Site#1:
  Downstream Speed: 3.6 Mbps
  Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
  The SA tunnels are "Established"
  I see packets being tranmsitted and received.
  Pinging across the tunnel has an average speed of 32 ms (which is good).
  DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
  But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
  It takes about 15 minutes to print across the vpn tunnel.
  The remedy this, we have implemented Terminal Services across the Internet.
  Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
  Logging on to the network takes about 10 minutes over the vpn tunnel.
  Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
  I have used ASAs before in other implementation without any issues at all.
  I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
  I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
  I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
  Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
  I just know that my experience with the Cisco TAC has been great for the last 10 years.
  My short experience with the Cisco Small Business Support Center has not been as great at all.
  Bottom Line:
  I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
  Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
  Please help.
  I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.

  Hi Anthony,
  I agree!.  My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
  But I want to know WHY this is happening too.
  I will definitely run a sniffer trace to see what is happening.
  Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
  1.  Upgrade the SA540 at the Main Site to 2.1.45.
  2a. For cable connections, use the standard MTU of 1500 bytes.
  2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
  ping -f -l packetsize
  Perform the items below to see if this increases performance:
  I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
  3a. Lower the IKE encryption algorithm from "AES-128" to DES.
  3b. Lower the IKE authentication algorithm to MD5
  3c. Also do the above for the VPN Policy
  Any input is welcome!

• Multiple Site-Site VPN Tunnel on a Single PiX Firewall

  I cureently have a site to site VPN tunnel (VPN1) between HK (Pix ver 6.1(2) & Leeds (ASA version 7.2(2). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a Pix 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shutdown VPN1 when VPN2 is up.
  On the HK PIX I am using the same isakmp policy, transform-set and have created another crypto map for the the new VPN (VPN2).
  On passing intersting traffic to establish the new tunnel for the Leeds end, I am gettting the following debugging errors.
  Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
  Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
  Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
  Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
  sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
  Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
  sh crypto isakmp sa
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1 IKE Peer: 192.168.0.1
  Type : L2L Role : initiator
  Rekey : no State : MM_ACTIVE
  Site HK - PIX1(192.168.0.1)
  crypto ipsec transform-set chevvie esp-des esp-md5-hmac
  (crypto map for existing VPN (VPN1)
  crypto map transam 1 ipsec-isakmp
  crypto map transam 1 match address 101
  crypto map transam 1 set peer 192.168.0.2
  crypto map transam 1 set transform-set chevvie
  (New Crpto Map for new VPN (VPN2)
  crypto map transam 2 ipsec-isakmp
  crypto map transam 2 match address 101
  crypto map transam 2 set peer 192.168.0.3
  crypto map transam 2 set transform-set chevvie
  crypto map transam interface outside
  isakmp enable outside
  isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
  isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption des
  isakmp policy 1 hash md5
  isakmp policy 1 group 1
  isakmp policy 1 lifetime 1000
  isakmp am-disable
  floodguard enable
  sysopt connection permit-ipsec
  no sysopt route dnat
  Site - Leeds PIX2 (192.168.0.3)
  crypto ipsec transform-set ford esp-des esp-md5-hmac
  crypto map VPNHK 2 match address outside_crypto_acl
  crypto map VPNHK 2 set peer 192.168.0.1
  crypto map VPNHK 2 set transform-set ford
  crypto map VPNHK interface outside
  isakmp identity address
  isakmp enable outside
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption des
  isakmp policy 1 hash md5
  isakmp policy 1 group 1
  isakmp policy 1 lifetime 1000
  isakmp am-disable
  tunnel-group 192.168.0.1 type ipsec-l2l
  tunnel-group 192.168.0.1 ipsec-attributes
  pre-shared-key ev0lut10n
  sysopt connection permit-ipsec
  Your assistance will be grately appreciated.

  How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.
  Peter

• Unable to print from HQ to Branch through the VPN tunnel between ASAs

  We have site to site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet. the users in the Hq cannot print in the branch office printer. I have allowed the ip protocols for the printer subnet but still it is not working. When I do a packet trac the traffic for the printer is allwed through the tunnel.
  Can anyone suggest what can be preventing from printing?

  When other printers in the same subnet can be reached, I would first control the IP-settings of the printer. In my experience it's most likely a wrong subnet-mask or gateway.

• Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

  Thanks to a previous thread, I do have a 5505 up and running, and passing data....
  https://supportforums.cisco.com/message/3900751
  Now I am trying to get a IPSEC VPN tunnel working.
  I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
  The networks concerned:
  name 10.0.0.0  Eventual  (HQ Site behind Firewall)
  name 1.1.1.0  CFS  (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
  name 2.2.2.0  T1  (Remote site - Outside interface of 5505: 2.2.2.2)
  name 10.209.0.0  Local  (Remote Network - internal interface of 5505: 10.209.0.3)
  On a ping to the HQ network from behind the ASA, I get....
  portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
  I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
  Below is the config.
  Can anyone see if there is something sticking out?
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 2.2.2.0 T1
  name 1.1.1.0 CFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object CFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location CFS 255.255.255.240 inside
  asdm history enable
  Thank You.

  I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
  Here's the output requested:
  Result of the command: "show crypto isakmp sa"
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1 IKE Peer: 1.1.1.1
  Type : L2L Role : initiator
  Rekey : no State : AM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
  access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
  local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
  current_peer: 1.1.1.1
  #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 8FC06BD1
  current inbound spi : 42EC16F4
  inbound esp sas:
  spi: 0x42EC16F4 (1122768628)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62207/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  outbound esp sas:
  spi: 0x8FC06BD1 (2411752401)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62201/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  Here's the current config:
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 67.139.113.216 T1
  name 1.1.1.0 IntegraCFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object IntegraCFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list No_NAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
  route outside Eventual 255.255.255.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set security-association lifetime kilobytes 65535
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location IntegraCFS 255.255.255.240 inside
  asdm history enable

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• 2 VPN Tunnels between 2 devices on separate links

  Hello,
  I have a 2811 connected to two different ISPs, implying I have 2 separate interfaces for both links. I initially setup a VPN tunnel to a 3rd party remote site on one of the links/interfaces. I am now required to setup an additonal VPN tunnel to the same remote site on the other interface/link. When I finish the config and run tests, I get an error saying that the crypto map is not applied on the correct interface and that the peer is being routed through a non-crypto map interface.
  One thing I would like to know is if it is possible to configure the router to establish these two tunnels on the different links/interfaces to the same peer. Please note that the first VPN tunnel is still active, but the other one has just refused to come up. Please see the snippets of my router config below:
  crypto ipsec transform-set ABCD esp-3des esp-md5-hmac
  crypto isakmp policy 4
  encr 3des
  hash md5
  authentication pre-share
  group 5
  crypto isakmp policy 5
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 6
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key 123key address x.x.130.130
  crypto map SDM_CMAP_1 3 ipsec-isakmp
  description VPN Tunnel to ABCD on x.x.130.130
  set peer x.x.130.130
  set transform-set ABCD
  set pfs group5
  match address ABCD
  crypto map SDM_CMAP_2 1 ipsec-isakmp
  description description PROD VPN Tunnel to ABCD
  set peer x.x.130.130
  set transform-set ABCD
  set pfs group5
  match address ABCD_PROD
  interface FastEthernet0/1
  description ISP1 WAN INTERFACE$ETH-WAN$
  ip address a.a.42.66 255.255.255.252
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  auto discovery qos
  crypto map SDM_CMAP_1
  interface FastEthernet0/2/0
  description ISP2_WAN_INTERFACE
  ip address y.y.12.94 255.255.255.192
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  auto discovery qos
  crypto map SDM_CMAP_2
  ip access-list extended ABCD
  permit ip host 172.30.50.2 host x.x.130.138
  ip access-list extended ABCD_PROD
  permit ip host 172.19.205.31 host x.x.130.134
  ip route 0.0.0.0 0.0.0.0 a.a.42.65
  So its the tunnel running on ISP1 that is fine while the tunnel on ISP2 is not coming up.
  While pasting this though, I just realized there is no default route for ISP2, could this be the problem and would adding another default route not create some sort of loop?
  Regards,
  Femi

  Hello Marcin,
  When you said I didnt need to put both ISPs into VRF, i assume you meant that I only needed to put on f the ISPs into VRF, specifically the other ISP I was trying to establish a new VPN connection over?
  I did read the cheat sheet thoroughly and also went through some other documents. However, I still cound not get out of the router as the router kept complaining about routing issues:
  1. The peer must be routed through the crypto map interface. The following peer(s) are  routed through non-crypto map interface - a.b.130.130
  2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - a.b.130.134
  Below is the config I applied but I didnt get traffic out of the router still to even attempt to establish a connection:
  ip vrf PROD_INTCON
  rd 100:1
  route-target export 100:1
  route-target import 100:1
  ip vrf ISP2
  rd 101:1
  route-target export 101:1
  route-target import 101:1
  crypto keyring NI2-keyring vrf ISP2
    pre-shared-key address a.b.130.130 key xxxxx
  crypto isakmp policy 4
  encr 3des
  hash md5
  authentication pre-share
  group 5
  crypto isakmp policy 5
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 6
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp profile NI2-profile
  vrf PROD_INTCON
  keyring NI2-keyring
  match identity address a.b.130.130 255.255.255.255 ISP2
  isakmp authorization list default
  crypto ipsec transform-set NI2set esp-3des esp-md5-hmac
  crypto map SDM_CMAP_2 1 ipsec-isakmp
  description PROD VPN Tunnel to NI2
  set peer a.b.130.130
  set transform-set NI2set
  set pfs group5
  set isakmp-profile NI2-profile
  match address NI2_ACL
  reverse-route
  interface FastEthernet0/2/0
  ip vrf forwarding ISP2
  ip address z.y.12.94 255.255.255.192
  crypto map SDM_CMAP_2
  interface FastEthernet0/2/1.603
  description PROD_INTCON_ZONE
  encapsulation dot1Q 603
  ip vrf forwarding PROD_INTCON
  ip address 172.19.205.1 255.255.255.0
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  ip route vrf ISP2 0.0.0.0 0.0.0.0 z.y.12.65
  ip route vrf PROD_INTCON a.b.130.134 255.255.255.255 FastEthernet0/2/0 z.y.12.65
  ip access-list extended NI2_ACL
  permit ip host 172.19.205.31 host a.b.130.134

• VPN remote site tunnel-all with web and email filtering at core

  I'm helping a client setup a 'tunnel-all' VPN from remotes to the core.  That's not difficult - there's enough commentary in the community and I can set it up in the lab.  The rub comes with the location of the web filter box in particular - it's currently in-line with the inside interface of the ASA.
  What does the topology for a typical tunnel-all VPN with web filtering at the core look like?  Can't put my hands on any quickly.
  We only have one ISP conn at this time.  I have a layer-3 switch at the core too.
  Thx

  Hi,
  Thats a good question.
  I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.
  The only thing I can come up with right now is to stop using VPN Filter list and change the "sysopt" setting so that ASA wont let VPN traffic past the outside interface without checing the outside interface ACL
  The Configuration command (8.2) is the following:
  sysopt connection permit-vpn
  For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command  in global configuration mode to allow the traffic to bypass interface  access lists. Group policy and per-user authorization access lists still  apply to the traffic. To disable this feature, use the no form of this command. sysopt connection permit-vpn no sysopt connection permit-vpn
  Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.
  After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.
  Hope this helps
  - Jouni

• VPN tunnels for multiple sites

  Hi, i am building new vpn tunnels for multple sites using 2 ASR 1004, and 100 remote devices cisco 2800 routers.
  I am thinking of using getvpn to do it, am i thinking correct ????? can i use DMVPN ???? what is else there ???
  thanks 

  Is there a need for branch to branch communication?  If so, I would go with the DMVPN option using a single tier, dual DMVPN cloud topology which will allow for spoke to spoke communication.
  Matt

• Site-2-Site IPSEC VPN tunnel will not come up.

  Hello Experts,
  Just wondering if I can get some help on setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config
  show run | s crypto
  crypto pki token default removal timeout 0
  crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
  crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
  mode transport
  crypto map ICQ-2-ILAND 1 ipsec-isakmp
  set peer A.A.A.A
  set transform-set ESP-AES128-SHA
  match address iland_london_s2s_vpn
  crypto map ICQ-2-ILAND
  The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
  The command Sh crypto isakmp sa displays the following
  show crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
  IPv6 Crypto ISAKMP SA
  show crypto session
  Crypto session current status
  Interface: GigabitEthernet0/0
  Session status: DOWN-NEGOTIATING
  Peer: A.A.A.A port 500
    IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
    IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
    IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
          Active SAs: 0, origin: crypto map
    IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
          Active SAs: 0, origin: crypto map
  The debug logs from the debug crypto isakmp command are listed below.
  ISAKMP:(0): local preshared key found
  Dec  6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
  Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
  Dec  6 08:51:52.019: ISAKMP:      keylength of 128
  Dec  6 08:51:52.019: ISAKMP:      hash SHA
  Dec  6 08:51:52.019: ISAKMP:      default group 2
  Dec  6 08:51:52.019: ISAKMP:      auth pre-share
  Dec  6 08:51:52.019: ISAKMP:      life type in seconds
  Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
  Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
  Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
  Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
  Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
  Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
  Dec  6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
  Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
  Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
  Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
  Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
  Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
  Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
  Dec  6 08:51:52.175: ISAKMP:received payload type 20
  Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
  Dec  6 08:51:52.175: ISAKMP:received payload type 20
  Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
  Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
  Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  Dec  6 08:51:52.179: ISAKMP (1227): ID payload
          next-payload : 8
          type         : 1
          address      : B.B.B.B
          protocol     : 17
          port         : 500
          length       : 12
  Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
  Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
  Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
  Dec  6 08:51:52.315: ISAKMP (1227): ID payload
          next-payload : 8
          type         : 1
          address      : A.A.A.A
          protocol     : 17
          port         : 0
          length       : 12
  Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
  Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
  Dec  6 08:51:52.315: ISAKMP:received payload type 17
  Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
  Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
          authenticated
  Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
  Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/,  and inserted successfully 2B79E8BC.
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
  Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
  Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
  Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
          spi 0, message ID = 2554750723, sa = 0x2B78D574
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
  Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
  Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
  Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
  Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
  Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
  would appreciate any help you can provide.
  Regards,
  Sidney Dsouza

  Hi Anuj,
  thanks for responding. Here are the logs from the debug crypto ipsec
  Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
      local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
      remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
      protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
  Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  thats all that appeared after pinging the remote subnet.

• 501 site-to-site vpn tunnel timeout

  What is the maximum session timeout that you can configure on a site-to-site vpn tunnel using 2 pix 501s. 24 hours??
  Thanks for any help, also, if you have documentation (I have looked but with no luck) could you post a link please....
  Thanks,

  There's no timeout setting as such. You can setup ISAKMP and IPSEC lifetimes though.
  For Phase 1, default is 24 Hrs and "0" means infinte.
  isakmp policy 1 lifetime 0
  For phase 2 , default is 28800 seconds.
  crypto map mymap 10 set security-association lifetime seconds 28800
  HEre's the doc :
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654
  *Please rate if helped.
  -Kanishka