Configure VPN Between ASA-Astaro
Hi All
I have an ASA 5510 and have configured 2 VPNs. The router 850-ASA one is OK, but I can't establish the other VPN (ASA-Astaro). The error is:
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
My configuration for VPN is:
ACL:
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
VPN:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 set security-association lifetime seconds 86400
crypto map Internet_map 20 set security-association lifetime kilobytes 4608000
crypto map Internet_map 20 set nat-t-disable
crypto map Internet_map 40 match address Internet_cryptomap_40
crypto map Internet_map 40 set peer 165.98.233.180
crypto map Internet_map 40 set transform-set ESP-3DES-MD5
crypto map Internet_map 40 set security-association lifetime seconds 86400
crypto map Internet_map 40 set security-association lifetime kilobytes 4608000
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
crypto map Internet_map 60 set security-association lifetime kilobytes 4608000
crypto map Internet_map interface Internet
isakmp identity address
isakmp enable Internet
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 186.1.10.74 ipsec-attributes
pre-shared-key *
tunnel-group 165.98.233.180 type ipsec-l2l
tunnel-group 165.98.233.180 ipsec-attributes
pre-shared-key *
tunnel-group 200.50.2.114 type ipsec-l2l
tunnel-group 200.50.2.114 ipsec-attributes
pre-shared-key *
Thanks in advance
Regards
Take a look at this:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K74152394
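An added example, not part of the original post or of the linked TAC case: a small Python checker that parses the crypto-map, ACL, transform-set, isakmp-policy and tunnel-group lines of an ASA config, cross-references them the way you would by hand when chasing a QM FSM error (every map entry needs a defined crypto ACL, a defined transform set, and a peer with an ipsec-l2l tunnel-group carrying a pre-shared key), and flags weak algorithms. The sample config is constructed from the lines posted above; the ACL for sequence 20 was not in the paste, so the checker reports it as missing, which is the kind of gap it is meant to catch. The function names and finding strings are mine, not ASA commands.

```python
"""Cross-check ASA IKEv1 crypto-map, ACL and tunnel-group config (added example)."""
from collections import defaultdict

# Constructed sample: the crypto-relevant lines from the post above.
# The ACL referenced by sequence 20 was not included in that paste.
SAMPLE_CONFIG = """
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 40 match address Internet_cryptomap_40
crypto map Internet_map 40 set peer 165.98.233.180
crypto map Internet_map 40 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
crypto map Internet_map interface Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 186.1.10.74 ipsec-attributes
pre-shared-key *
tunnel-group 165.98.233.180 type ipsec-l2l
tunnel-group 165.98.233.180 ipsec-attributes
pre-shared-key *
tunnel-group 200.50.2.114 type ipsec-l2l
tunnel-group 200.50.2.114 ipsec-attributes
pre-shared-key *
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP_HASH = {"md5"}
WEAK_ISAKMP_ENC = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}   # 768-/1024-bit MODP


def parse_asa_crypto(config):
    """Return (acls, transform_sets, crypto_maps, isakmp_policies, tunnel_groups)."""
    acls, transform_sets = set(), {}
    crypto_maps = defaultdict(dict)     # (map name, seq) -> settings
    isakmp = defaultdict(dict)          # priority -> {attribute: value}
    tunnel_groups = defaultdict(dict)   # peer -> {"type": ..., "psk": True}
    current_tg = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list" and len(parts) > 1:
            acls.add(parts[1])
        elif parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) > 4:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:2] == ["crypto", "map"] and len(parts) > 4 and parts[3].isdigit():
            entry = crypto_maps[(parts[2], int(parts[3]))]   # skips 'crypto map X interface Y'
            keyword = " ".join(parts[4:6])
            value = parts[6] if len(parts) > 6 else ""
            if keyword == "match address":
                entry["acl"] = value
            elif keyword == "set peer":
                entry["peer"] = value
            elif keyword == "set transform-set":
                entry["transform_set"] = value
        elif parts[:2] == ["isakmp", "policy"] and len(parts) > 4:
            isakmp[int(parts[2])][parts[3]] = " ".join(parts[4:])
        elif parts[0] == "tunnel-group" and len(parts) > 2:
            current_tg = parts[1]                      # later 'pre-shared-key' belongs to it
            if parts[2] == "type" and len(parts) > 3:
                tunnel_groups[current_tg]["type"] = parts[3]
        elif parts[0] == "pre-shared-key" and current_tg:
            tunnel_groups[current_tg]["psk"] = True
    return acls, transform_sets, dict(crypto_maps), dict(isakmp), dict(tunnel_groups)


def audit_asa_crypto(config):
    """Return findings as 'LEVEL: scope: message' strings (ERROR = tunnel cannot work)."""
    acls, tsets, cmaps, isakmp, tgs = parse_asa_crypto(config)
    findings = []
    for (name, seq), entry in sorted(cmaps.items()):
        scope = f"{name} {seq}"
        acl = entry.get("acl")
        if not acl:
            findings.append(f"ERROR: {scope}: no 'match address' ACL")
        elif acl not in acls:
            findings.append(f"ERROR: {scope}: ACL {acl} is not defined (or was not pasted)")
        peer = entry.get("peer")
        tg = tgs.get(peer)
        if not peer:
            findings.append(f"ERROR: {scope}: no peer set")
        elif tg is None:
            findings.append(f"ERROR: {scope}: no tunnel-group for peer {peer}")
        else:
            if tg.get("type") != "ipsec-l2l":
                findings.append(f"ERROR: {scope}: tunnel-group {peer} is not type ipsec-l2l")
            if not tg.get("psk"):
                findings.append(f"ERROR: {scope}: tunnel-group {peer} has no pre-shared-key")
        ts = entry.get("transform_set")
        if ts not in tsets:
            findings.append(f"ERROR: {scope}: transform-set {ts} is not defined")
        else:
            weak = sorted(set(tsets[ts]) & WEAK_ESP)
            if weak:
                findings.append(f"WARN: {scope}: transform-set {ts} uses weak algorithms {weak}")
    for prio, attrs in sorted(isakmp.items()):
        scope = f"isakmp policy {prio}"
        if attrs.get("hash") in WEAK_ISAKMP_HASH:
            findings.append(f"WARN: {scope}: hash {attrs['hash']} is weak")
        if attrs.get("encryption") in WEAK_ISAKMP_ENC:
            findings.append(f"WARN: {scope}: encryption {attrs['encryption']} is weak")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"WARN: {scope}: DH group {attrs['group']} is weak (1024-bit or less)")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_crypto(SAMPLE_CONFIG):
        print(finding)
```

The checker only sees the ASA side. A QM FSM error with a clean report for sequence 60 usually means the Astaro's proxy IDs or Phase 2 proposal differ from 192.168.0.0/24 to 192.168.1.0/24 with ESP-3DES-MD5, so compare those two items on the Astaro first. Treat the WARN lines as a reason to move both ends to AES and SHA-2 with a stronger DH group while the settings are being renegotiated anyway.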
Similar Messages
-
Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops
Having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
Here is the Cisco switch port facing the ASA 5510 configuration:
interface FastEthernet2/0/6
description Trunk to ASA 5510
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 131,500
switchport mode trunk
switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
speed 100
no nameif
no security-level
no ip address
interface Ethernet0/3.500
vlan 500
nameif outside
security-level 0
ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping X.X.X.1 from the ASA I get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?
I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene -
Unable to print from HQ to Branch through the VPN tunnel between ASAs
We have a site-to-site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet. The users in the HQ cannot print on the branch office printer. I have allowed the IP protocols for the printer subnet but still it is not working. When I do a packet trace, the traffic for the printer is allowed through the tunnel.
Can anyone suggest what can be preventing printing?
When other printers in the same subnet can be reached, I would first check the IP settings of the printer. In my experience it's most likely a wrong subnet mask or gateway.
-
Problem with a s2s IP SEC between ASA and Adtran
I'm having a problem getting this tunnel to come up. What info would you guys need to help me out? I'm just cutting my teeth on networking; I've always had guys to defer these problems to, but I don't right now....
This is what keeps popping up in the logs (severity | date/time | syslog ID | src/dst | message):
6 | Dec 08 2012 12:19:13 | 713172 | Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
and
6 | Dec 08 2012 12:19:13 | 302015 | OutsideIP/500 -> x.x.x.x/500 | Built outbound UDP connection 1088 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:OutsideIP/500 (OutsideIP/500)
and
4 | Dec 08 2012 12:19:33 | 713903 | Group = x.x.x.x, IP = x.x.x.x Information Exchange processing failed
There's a couple more logs; let me know if y'all need anything else to help.
A copy of the configuration of the ASA would help, and also advise which VPN tunnel is to the Adtran device.
also, if you can run the following debug:
debug cry isa
debug cry ipsec
and share the output when you try to ping between the 2 LANs. -
Can't get L2L VPN up between ASA and Fortinet (IKEv2)
Hi,
I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
Configuration from the ASA:
crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
crypto map VPN 100 set security-association lifetime seconds 28800
crypto map VPN interface outside
crypto ikev2 policy 10
encryption aes-256 3des
integrity sha256 sha
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key blablabla
ikev2 local-authentication pre-shared-key blablabla
Debugs say that there is no matching policy:
IKEv2-PROTO-3: (97): Get peer authentication method
IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
IKEv2-PROTO-3: (97): Verify authentication data
IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
IKEv2-PROTO-2: (97): Processing auth message
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1: 3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policy
Dear Robert,
The above error from the ASA indicates there may be a problem with your preshared key on both the local and remote sites, or an out-of-sync problem with the remote end/peer. Give more details about your Watchguard version and what application it is running. Send the complete log of
1. sh crypto ipsec sa
2. sh crypto isakmp sa
3. debug crypto isa 255
4. debug crypto ipsec 255 -
Issue bringing up VPN between ASA and Checkpoint - HELP
Hi all
We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesnt come up.
on the ASA I see the following
any ideas what this is ?
7
Jan 30 2014
11:52:03
715065
IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Phase 2 failures mean several things:
Encryption domain (interesting traffic) fails to match. Checkpoint tends to supernet networks together, by design.
Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:
- output of "uname -a" and "fw ver"
- is this Nokia, Windows or Secureplatform Checkpoint?
- run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong.
Disabling/turning OFF kilobyte timeouts is not the solution. -
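The ASA messages quoted in this thread, in the Adtran thread above and in the original post share a pattern: the FSM state or error string tells you which IKE phase died before you read anything else. As an added example that is not part of any reply here, the Python routine below classifies such lines by phase and groups them per peer so that a pile of syslog can be triaged in one pass. The rules are my reading of the message meanings as documented by Cisco, not an official mapping, and the sample lines are constructed from the posts with the x.x.x.x placeholders replaced by 10.0.0.1 and 203.0.113.5.

```python
"""Triage ASA IKEv1 log lines by negotiation phase (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines condensed from the posts above, placeholders replaced.
SAMPLE_LOG = [
    "Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!",
    "Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
    "Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!",
    "713172 Group = 10.0.0.1, IP = 10.0.0.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device",
    "302015 Built outbound UDP connection 1088 for outside:10.0.0.1/500 (10.0.0.1/500) to identity:203.0.113.5/500 (203.0.113.5/500)",
    "713903 Group = 10.0.0.1, IP = 10.0.0.1 Information Exchange processing failed",
    "715065 IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2",
    "302013 Built inbound TCP connection 77 for outside:198.51.100.9/4431 (198.51.100.9/4431) to inside:10.1.1.5/443 (10.1.1.5/443)",
]

# (regex, phase, hint); first match wins. Heuristics, not an official Cisco mapping.
RULES = [
    (r"QM FSM error", "phase2",
     "Quick Mode failed: compare crypto ACL / proxy IDs, transform set, PFS and SA lifetime with the peer"),
    (r"No SPI to identify Phase 2 SA|Removing peer from correlator table failed", "phase2",
     "cleanup after a failed Phase 2; no IPsec SA exists for this peer"),
    (r"MM Initiator FSM error history.*MM_WAIT_MSG2", "phase1",
     "Main Mode initiator never received MSG2: peer unreachable, UDP/500 filtered, or peer dropped the proposal/identity"),
    (r"Information Exchange processing failed", "ike",
     "IKE informational exchange failed (713903); phase not determinable from this line, read 'debug crypto isakmp'"),
    (r"Automatic NAT Detection Status", "info", "NAT-T detection result (informational)"),
    (r"Built (?:in|out)bound UDP connection .*?/500\b", "info",
     "ISAKMP UDP/500 connection built: IKE packets are reaching the interface"),
]
STAGE_ORDER = {"phase1": 0, "ike": 1, "phase2": 2, "info": 3}   # earliest failing stage wins
PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
UDP_PEER_RE = re.compile(r"for \w+:(\d{1,3}(?:\.\d{1,3}){3})/500")


def classify_ike_line(line):
    """Return {'peer', 'phase', 'hint'} for an IKE-related line, else None."""
    for pattern, phase, hint in RULES:
        if re.search(pattern, line):
            match = PEER_RE.search(line) or UDP_PEER_RE.search(line)
            return {"peer": match.group(1) if match else None, "phase": phase, "hint": hint}
    return None


def triage(lines):
    """Group classified lines per peer and record the earliest stage that failed."""
    per_peer = defaultdict(lambda: {"stuck_at": "info", "hints": []})
    for line in lines:
        hit = classify_ike_line(line)
        if not hit or not hit["peer"]:
            continue
        record = per_peer[hit["peer"]]
        if STAGE_ORDER[hit["phase"]] < STAGE_ORDER[record["stuck_at"]]:
            record["stuck_at"] = hit["phase"]
        if hit["hint"] not in record["hints"]:
            record["hints"].append(hit["hint"])
    return dict(per_peer)


if __name__ == "__main__":
    for peer, record in triage(SAMPLE_LOG).items():
        print(f"{peer}: stuck at {record['stuck_at']}")
        for hint in record["hints"]:
            print(f"  - {hint}")
```

Run over the three threads' lines this puts 200.50.2.114 (the Astaro) at Phase 2 and 159.50.93.1 (the Checkpoint) at Phase 1, which matches the advice in each thread: check the encryption domain and Phase 2 proposal for the former, and reachability plus the peer's response to MSG1 for the latter.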
IPSec ikev2 between ASA and Cisco Router
Hi,
I am trying to do IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
- Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
- Authentication with certificates
- integrity sha2
I try a lot of configurations without success.
Thanks for your help.
Mic
The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure these the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
There are two (three) better options:
Best option with very little needed configuration:
Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
Best option with a little stronger crypto but more configuration:
Move to AnyConnect with IPsec/IKEv2.
Move to a third-party client like shrew.net. I haven't used that client for a couple of years now, but it's quite flexible and also has a config for a better DH group.
For options 1) and 2) an extra license is needed, but that's not very expensive. -
Unable to establish site to site vpn between asa 5505 an 5510
Hi ALL expert
We are now planning to form a site-to-site IPsec VPN tunnel between an ASA 5505 (ASA version 8.4) and an ASA 5510 (ASA version 8.0) but it fails. Would you please teach me how to establish it? Any reference guide?
Hugo
Here are the links to the Cisco config guides:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
In addition to VPN you need to look into NAT exemption:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wpxref25608
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html#wp1232160
And lots of examples:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Is it possible to Configure VPC Between N5010 and 6513
Hello Gents,
Please let me know if we can configure vPC between a N5010 and a 6513 (core switch).
If yes, does it have any loops or abnormal traffic behaviour?
Please refer to the attached mail for the current network diagram.
1) I would like to establish vPC between the N5010 and the Cisco 6513 switch.
2) If yes, will the upstream devices above the 6513 core switch forward the traffic from all the 6513 ports connected to the N5000 ports, or will the 6513 send traffic from one uplink and block the other uplink ports as part of STP?
3) Is VSS on the 6513 required for point #1?
Please refer some links on this as well.
Appreciate your quick response.
Thanks and Regards,
KA.
Hi Karim,
You can use this one; you can consider your 6k the FEX as in this example:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html
On the port-channel to the 6k you will not configure:
"switchport mode fex-fabric"
"fex associate 100"
This configuration is intended to be used with FEX.
Regards
Dan -
Error while configuring SSO between Portal 7.0 and Operating System.
Dear all,
I am having an issue: I need to configure SSO between the Portal 7.0 and the operating system. I have followed both the Kerberos and the SPNego wizard methods, but I am not able to configure the UME settings as we are using datasourceConfiguration_abap.xml. I tried to edit the datasource configuration file, but after editing the server is not starting.
Please let me know the steps i have to do to edit the datasourceConfiguration_abap.xml
We are not able to map the service user to the UME configuration XML file.
Thanks
Ravi.S
Ravi,
If you have successfully configured the SSO, please pass on the document if any you have.
Regards,
Mohammad. -
What are the configuration need between R3 and XI when we use RFC sync adap
hi,
What are the configurations needed between R3 and XI when we use the RFC sync adapter?
Regards
siva.
If it's the sender adapter, ref:
RFC adapter
Sender- /people/michal.krawczyk2/blog/2005/03/29/configuring-the-sender-rfc-adapter--step-by-step
Receiver;
http://help.sap.com/saphelp_nw04/helpdata/en/c8/e80440a832e369e10000000a155106/content.htm
Also;
trouble shooting rfc/soap -
/people/shabarish.vijayakumar/blog/2008/01/08/troubleshooting--rfc-and-soap-scenarios-updated-on-20042009 -
Change MTU for just one Site-to-Site VPN between ASAs?
Hi -
I'm setting up a site-to-site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362.
Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfaces are all set at 1500.
If not, would you recommend I set up a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to traverse through prior to hitting the VPN.
Thank you.
I would not worry too much about UDP traffic. I would rather concentrate on TCP traffic because almost all of the issues will be TCP.
Therefore, I would set the MSS value to 1362 or may be like 1300: sysopt connection tcp-mss 1300
That will solve most of your issues. -
How do we archive configuration for Cisco ASA 5500 series appliances
Hi,
We need to archive the configuration for Cisco ASA 5500 series appliances.
We have CiscoWorks LMS 3.0.1.
Device package installed is 4.2
Any help would be appreciated.
Thanks in advance.
Samir
Hi,
Thanks for your answer.
Right now we are using TACACS to log in to the ASA. That means we need a single username and password to log in via CiscoWorks. Am I correct?
Waiting for your reply.
thanks,
Samir -
How to configure SingleSignOn between GRC and BOBJ 4.1
How to configure SingleSignOn between GRC and BOBJ 4.1?
We have configured the System entitlement in BOBJ CMC. But didn't do anything on the GRC system.
User can login from BOBJ to GRC with password but not with SSO.
We haven't configured SNC. I don't think for this simple flow we need to have SNC.
We haven't set up the Trust certificate exchange as well between BOBJ and GRC.
Please help us to know what the mandatory settings are that need to be done to create a relational connection for an ERP/GRC system from the BOBJ client tool IDT.
thanks,
Tilak -
Configure ssh between two hosts as a ROOT user
Hi Experts,
I have tried several times to configure ssh between two hosts but didn't succeed. Can someone please help me configure ssh as root?
I have freshly installed two Solaris 10 VMs.
Thanks~
Edited by: user12108503 on Jun 3, 2013 1:28 PM
Hi,
I have changed the config file and still getting exactly same error message.
/etc/ssh/ssh_config: line 32: Bad configuration option: PermitRootLogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options
Please help.
Thanks~