Connection recv error in jolt connection
Hi,
We have Java GUI client connecting to the Tuxedo server thru Jolt.
When we try to do some operation that connects to server after the GUI is idle for a about an hour we get Jolt error "Connection recv error" , sometimes we also get the error "Connection send error".
Wanted to know what causes this error, we are connecting the GUI in RETAINED mode option.
I could not get much in edocs on this, please let me know anyone encountered such problem and what really causes to throw this error.
I have pasted the error below:
bea.jolt.TransactionException: Connection recv error\nbea.jolt.SessionException: Connection recv error\nbea.jolt.JoltException: [6] NwHdlr.recv(): Network Error\njava.net.SocketException: Connection reset
at bea.jolt.JoltTransaction.begin(JoltTransaction.java:337)
at bea.jolt.JoltRemoteService.call(JoltRemoteService.java:278)
at bea.jolt.JoltRemoteService.call(JoltRemoteService.java:257)
Thanks
gowardhan
Hi Gowardhan,
My comments are in line.
Wayne
Gowardhan Reddy wrote:
Hi Wayne,
Thanks for your reply.
The disconnect seems to be happening due to network problem.
Can you please help us understand the difference between a connection recv and connection send error? When we get a recv error does that mean a message was sucessfully sent to the server and the error was in receiving the response? [Wayne] I assume you use "call" method of JoltRemoteService class. This
method encapsulates send and recv action in a try{} block. So whether
send or recv throw exceptions depends on when the connection
disconnected. I guess most exceptions were regarding send. When a recv
error happens, I think the message was sent successfully except some
rare situation, that is message transmission seems OK for client, but at
that time the network disconnected.
We tried with ANY option and the problem doesnt seem to happen when we connect with -j ANY option. We have a range of 50 ports reserved for Jolt connection and network maybe dropping the idle connections.
What is difference in using -T option with ANY or just the RETAINED option, as it looks using ANY option without -T specified is same as RETAINED option. Will the server be able to push/connect to GUI in case of ANY option after the timeout value is reached?[Wayne] I think -T option will override the RETAINED option. That is to
say even you give a retained mode for connection, -T may also disconnect
the clients in a specified idle time. But if the client is closed due to
inactive timeout, JSH should have some message in ULOG like "... timed
out due to inactivity".
There is no error logged in ULOG.
Thanks
Gowardhan
Similar Messages
-
WPA2 Security and Recv Errors.
Copy of a post I posted a couple of hours ago in the Airport Extreme 802.11n forum. As the issue could be MBP related I thought I'd post here too. Any (relevant) suggestions most welcome. Thanks.
In the ongoing quest to try and find out as much as I can about what was causing my AEBS to crash I noticed while looking at the Network Utility Info tab (Utilities/Network Utility/Network Interface (en1) that there were a large number of recv errors and they were increasing as I watched. It was rather like watching a ticker.
I did a bit of research and noticed that some people related the issue to WPA so I did a test.
I stopped the AEBS. Network Utility Reported
Sent Packets 5617335
Send Errors 4
Recv Packets 32254109
Recv Errors 46323
Collisions 0
I'd been watching the recv errors creep up.
I turned off security on the AEBS
An hour later I had
Sent Packets 5821527
Send Errors 4
Recv Packets 32860781
Recv Errors 46323
Collisions 0
So in an hour of hard use, no errors - they just stopped.
I then stopped the AEBS and turned WPA2 back on.
I got this about a minute or perhaps two after re-starting the router.
Sent Packets 5823694
Send Errors 4
Recv Packets 32864168
Recv Errors 46377
Collisions 0
That was about 20 mins ago. Errors are now at 46728 sorry 46729, sorrry 46754, Sorry 46784
You get the idea.
I wonder if anyone has any ideas? My concern is that it could be that the high error rate could be related to the AEBS crashes.
Thanks for reading.
Cheers.
POST -http://discussions.apple.com/thread.jspa?threadID=1134458&tstart=0Thanks Ned.
I just tried on a new Core 2 2.4 which I happened to have lying around
Same thing. Errors when WPA 2 enabled, none when WPA 2 turned off. This is running n at 5ghz. Mind you, the errors on the new machine were in the hundreds and the errors on mine are in the thousands.
At 10.18 I had 73820 errors
At 10.44 I had 78662 errors
At 10.55 I had 79263 errors - I turned off WPA2
At 11.05 I have 79263 errors - ie none since I turned off WPA2
With the Santa rosa machine, I moved a 7gb file from my Airport Disk and got 300 errors with WPA2
Moved the same file again without WPA2 and got none.
I haven't tried 11g yet - only have so much time, but to be honest - and I understand you mean for diagnostic purposes - if they stop at 11g it doesn't help much as I need 11n or I would have stuck with the 54g Belkin I bought 3 years ago for $10. I'll try it a little later though out of deference.
If you get a chance, if you could take a look at your recv errors (assuming you use WPA2) I'd be very grateful.
Cheers. -
Error files in db1\sysman\recv\errors
Windows 2003 SP1 ORACLE 10.2.0.3
There are a lot of error files being generated in \sysman\recv\errors for every database on the server. How can I stop this? It is bieng generated every minute. Can someone help?
RegardsThe error is under db1\taldorcl1.*******_DDEMO\sysman\recv\errors. When the DBCONSOLE service is stopped, the errors are not generated. There is no user code running on the database. After the DBCONSOLE service is restarted, the errors start appearing.
Please help! -
ORACLE INFRA_HOME/(server_dbname)/sysman/recv/errors
Hi
I have recently installed oracle application server on windows server 2003.
and I also configured our system on this application and working fine with no problem.
The problem is that there are many errors generated under ORACLE INFRA_HOME/(server_dbname)/sysman/recv/errors filling up my hard disk.
The Files like A0000000064.err_2007_06_29_17_45_53.
The content of the files are similar, and begin with:-
=============================
Time: 2011-12-17 16:53:49
From: http://testapp:1830/emd/main
-->
<UPLOAD OMS_PROTOCOL_VERSION="10.1.0.2.0" UPLOAD_TYPE="metadata" EMD_URL="http://testapp:1830/emd/main" MERGE_TIMESTAMP="2011-12-17 16:53:49">
<ROWSET OMS_PROTOCOL_VERSION="10.1.0.2.0" TABLE="MGMT_TARGET_PROP_DEFS">
<ROW>
<TARGET_TYPE>oracle_database</TARGET_TYPE>
<TYPE_META_VER>3.1</TYPE_META_VER>
<PROPERTY_NAME>OracleHome</PROPERTY_NAME>
<PROPERTY_TYPE>INSTANCE</PROPERTY_TYPE>
<PROPERTY_DISPLAY_NAME>Oracle home path</PROPERTY_DISPLAY_NAME>
<PROPERTY_DISPLAY_NLSID>OracleHome_iprop</PROPERTY_DISPLAY_NLSID>
<REQUIRED_FLAG>0</REQUIRED_FLAG>
<CREDENTIAL_FLAG>0</CREDENTIAL_FLAG>
<DEFAULT_VALUE/>
===================================
What can I do to stop these generated files?
Thank you.Hi,
Anyone have any solution on this error?
I have Oracle DB 10g 10.2.0.3 installed on Windows 2003 32-bit.
c:/oracle/product/10.2.0/db_1/demo_crcl/sysman/recv/errors keeps increasing until 211 GB.
Any kind helps are highly appreciated.
Thanks. -
ERROR CREATED UNDER \SYSMAN\RECV\ERRORS FILLING UP THE HARD DISK
I am using Content DB 10.2.0.0.1 with Infrastucture 10.1.2.0.2 on Windows 2003, and have the situation as described in Bug No. 6164515 on Metalink:
"ERROR CREATED UNDER \SYSMAN\RECV\ERRORS FILLING UP THE HARD DISK
Files like A0000000064.err_2007_06_29_17_45_53 are created in %ORACLE_HOME%\clin-app-01_oasinfra\sysman\recv\errors\ one every minute on the oracle infrastructure instance, filling up the hard disk and bringing the application to a hault."
I have such log generation too, for a few month nearly 10 Gb of logs have been generated. The content of the files are similar, and begin with:
<!--
Time: 2008-12-09 18:54:48
From: http://contentdb:1830/emd/main
-->
<UPLOAD OMS_PROTOCOL_VERSION="10.1.0.2.0" UPLOAD_TYPE="severity" EMD_URL="http://contentdb:1830/emd/main" MERGE_TIMESTAMP="2008-12-09 18:54:48">
<ROWSET OMS_PROTOCOL_VERSION="10.1.0.2.0" TABLE="MGMT_METRIC_ERRORS">
What can i do to stop this generation?
Is it possible to disable logging, or i need to apply some patch?
Thank you.Hi,
Anyone have any solution on this error?
I have Oracle DB 10g 10.2.0.3 installed on Windows 2003 32-bit.
c:/oracle/product/10.2.0/db_1/demo_crcl/sysman/recv/errors keeps increasing until 211 GB.
Any kind helps are highly appreciated.
Thanks. -
How to disable the XML file produced under SYSMAN/RECV/ERRORS folder of EM?
Under $ORACLE_HOME/sysman directory where 10G Grid Control management server installed there is a SYSMAN/RECV/ERRORS subdirectory that contains files that were uploaded by the agents but could not be processed by the management server;
[root@tcellhost errors]# pwd
/u01/app/oracle/oracle/product/10.2.0/db_1/tcellhost.tcelldomain_tcell/sysman/recv/errors
[root@tcellhost errors]# ls
B0000000001.err_2007_02_22_15_14_59 B0000000001.err_2007_03_15_22_01_53 B0000000003.err_2007_02_23_21_16_21
B0000000001.err_2007_02_23_11_01_00 B0000000002.err_2007_02_22_15_14_59 B0000000003.err_2007_02_23_21_19_21
B0000000001.err_2007_02_23_21_15_23 B0000000002.err_2007_02_23_21_15_23 B0000000003.err_2007_02_23_21_19_44
B0000000001.err_2007_02_23_21_16_21 B0000000002.err_2007_02_23_21_16_21 B0000000003.err_2007_02_23_21_25_18
B0000000001.err_2007_02_23_21_19_21 B0000000002.err_2007_02_23_21_19_21 B0000000003.err_2007_02_23_21_28_59
B0000000001.err_2007_02_23_21_19_44 B0000000002.err_2007_02_23_21_19_44 B0000000003.err_2007_02_23_21_29_17
B0000000001.err_2007_02_23_21_20_22 B0000000002.err_2007_02_23_21_25_18 B0000000003.err_2007_02_24_22_55_59
B0000000001.err_2007_02_23_21_25_18 B0000000002.err_2007_02_23_21_28_59 B0000000003.err_2007_03_05_08_07_30
B0000000001.err_2007_02_23_21_28_59 B0000000002.err_2007_02_23_21_29_16 B0000000003.err_2007_03_05_08_22_44
B0000000001.err_2007_02_23_21_29_15 B0000000002.err_2007_02_24_22_55_59 B0000000003.err_2007_03_05_08_22_57
B0000000001.err_2007_02_24_00_06_39 B0000000002.err_2007_03_05_08_07_30 B0000000004.err_2007_02_24_22_56_26
B0000000001.err_2007_02_24_22_55_59 B0000000002.err_2007_03_05_08_22_44 B0000000005.err_2007_02_24_22_56_26
B0000000001.err_2007_03_05_08_07_30 B0000000002.err_2007_03_05_08_22_57 B0000000006.err_2007_02_24_22_56_27
B0000000001.err_2007_03_05_08_22_44 B0000000003.err_2007_02_22_15_14_59
B0000000001.err_2007_03_05_08_22_57 B0000000003.err_2007_02_23_21_15_23
[root@tcellhost errors]# more B0000000001.err_2007_03_15_22_01_53
<!--
Time: 2007-03-15 22:01:51
From: http://tcellhost.tcelldomain:3938/emd/main
-->
<UPLOAD OMS_PROTOCOL_VERSION="10.1.0.2.0" UPLOAD_TYPE="severity" EMD_URL="http://tcellhost.tcelldomain:3938/emd/main" MERGE_TIMEST
AMP="2007-03-15 22:01:51">
<ROWSET OMS_PROTOCOL_VERSION="10.1.0.2.0" TABLE="MGMT_SEVERITY">
<ROW>
<TARGET_GUID>F580A92FBEDDFE7A5754D45B3CB71375</TARGET_GUID>
<METRIC_GUID>D6438569B496BC9205481E8A70F92F1E</METRIC_GUID>
<KEY_VALUE>SYS_tcellhost</KEY_VALUE>
<COLLECTION_TIMESTAMP>2007-03-15 22:01:48</COLLECTION_TIMESTAMP>
<SEVERITY_CODE>20</SEVERITY_CODE>
<MESSAGE>User SYS logged on from tcellhost.</MESSAGE>
<MESSAGE_NLSID>UserAudit_username_alertmessage</MESSAGE_NLSID>
<MESSAGE_PARAMS><![CDATA[SYS&tcellhost]]></MESSAGE_PARAMS>
</ROW>
</ROWSET>
</UPLOAD>
How can I disable this feature since after some time it fills up the file system?
Thank you, best regards.
TongucMyself I did stop (forever) the dbconsole then
rm -r $ORACLE_HOME/myhost.mydomain.com_MYSID
not sure if this is an acceptable workaround ;-) -
2008 Aluminum MacBook 2.4 Recv Errors Cisco Switch
Something odd I recently encountered with my wife's 2008 Aluminum MacBook. Since it was purchased several years ago, it has almost exclusively been used on wireless. This model uses the NVIDIA MCP79-1 chipset with 9400m graphics.
While waiting for some large files to transfer, I opened up Network Utility and noticed that it is showing Recv Errors between 5% and 10%. There was no issue transferring multi-GB files and there was no packet loss when an IP address on my internal LAN was ping'ed for several hours. It is almost as if Network Utility sees something bad with the packet, but the packet doesn't drop.
The MacBook is running 10.8.2 and is plugged in to a Cisco Small Business SG200-26 managed switch at Gig speed.
Things I have tried:
• New cables, shorter and longer cables. Cat5e/Cat6
• Multiple ports on the switch
• Hard coded both the switch and the Mac to 100Mbps Full Duplex
• Disabled all QoS and special routing (basically everything can talk to everything all on one VLAN now)
• Stole cable from my iMac and plugged in the MacBook...still has receive errors. iMac had 1.5 million packets transferred with none lost.
• Safe Boot
• Zapped PRAM and reset SMC
• Enabled firewall with only key ports open (DHCP, DNS, ICMP, etc)
• Tried both enabling and disabling flow control on the switch
One thing worked, but doesn't make sense.
• Daisy chained an old Fore Systems ES2810 10/100 managed switch to the Cisco Small Business SG200-26 and plugged the MacBook into the Fore switch. The MacBook no longer shows receive errors.
None of my other Macs experience this issue (Mid 2007 iMac, 2009 Mac mini, PowerBook G3/500)
iMac is on 10.8.2, Mac mini on 10.6.8 (Rosetta support) and PowerBook G3 on 10.4.11.
I guess I'm beginning to wonder if there is some kind of broadcast traffic that the other NICs in the Macs are able to properly process. Anyone else have a strange issue with this model and certain switches?Same thing just happened to me again. My aluminum Macbook was hibernated all morning. I took it to Starbucks for lunch, and when it came out of hibernation, the trackpad was working just fine. However, about 20-25 minutes later, while typing in a online form textbox (in Firefox), the trackpad's tap-to-click stopped working and I could not move the mouse pointer for a few seconds. I even tried to physically click on the trackpad, but that didn't work either. A few seconds later, everything started working again. It seems as though there's some kind of process running that interferes with the trackpad's operation. Or, perhaps, this has something to do with the heat factor - the trackpad stops operating when it reaches a certain temperature, and as the temperature passes that mark, it starts working again.
Please post to this thread if you have similar problems. There are reports about the same issue on Macrumors.com. At this point, Apple needs to know about this problem and should start working on addressing it. Hopefully, this is a software problem and can be corrected with a software update.
Thanks! -
Request giving Socket communication error at call=recv: error.
Hi All,
My requirement goes like this for OBIEE 11G :
I have two requests(analysis) and I want to show either of them at a given time based on a Dashboard prompt. I have set a Presentation variable {PV} for this Prompt whcih always hays two values A and B.
My first request is like this :
Dim 1 Measure 1 ( this should be shown when I select Dashboard Prompt A.
My second request is:
Dim 2 Measure 2 ( this should be shown when I select Dashboard Prompt B.
I have to use the Guided Navigation ( Sectional Condition in 11g)
When Dashboard Prompt A is selected Section 1 i.e. Request 1 should be shown when Dashboard Prompt B is selected then it should show request 2.
To achieve this in request 1 I have added a extra filter '@{PV}' is equal to/is in 'A' and in request 2 I have added a extra filter '@{PV}' is equal to/is in 'B' so as when we select B in Prompt the first request should 'No Results' so as I can achieve my Guided Navigation.
But to my surprise when I select B in the Dashboard Prompt the first request throws an error.
Error Details
Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 12002] Socket communication error at call=recv: (Number=10038) An operation was attempted on something that is not a socket. (HY000)
Please help me out with this regards as I was able to achieve this functionality easily in 10G OBIEE.
Regards,
BhavikHi,
Mistakenly my machine got restarted and after that when I tried to start OPMN services,its showing all the processes alive but after that ,while restarting BI services from windows
its throwing an error of unexpectedly shutting down of services.
My NQS log says:
[nQSError: 12010] Communication error connecting to remote end point: address = 192.168.10.209; port = 80.
[nQSError: 46119] Failed to open HTTP connection to server 192.168.10.209 at port 80.
I have checked that IP is still same. What is the issue behind it?
This is very urgent.I have already posted this issues many times but didn't get any response So please help. -
I want to make sure: Send/Recve Errors and Lost Packets on Ping - HOW BAD?
Greetings!
Still relatively new to MBP and Mac OS - ramping up fast on account of having to troll Forums for info about MBP's not so reliable WiFi performance...
*ANOTHER QUESTION:* I get a lot of Send and Receive errors - as monitored by Network Utility.app when on my wireless network. Actually 10-20 after just 1/2 hour of WiFi activity. Going thru a Linksys WRT54GL router into a HughesNet satellite modem. AND, if I PING another device on my wireless network, I often get LOST PACKETS. All an indication that at least in my case - and I hear the same many Forums denizens complain about similar issues.
N*ow, as I download important stuff* through the wireless network - say, the current many updates/upgrades for Mac OS X and the MBP, do such occurrences render the downloads unreliable? I do not get any message of incomplete download or such as Install such wirelessly downloaded upgrades, but I am concerned about applying upgrades which would have been damaged by such xmission errors. OR, perhaps errors are flagged and "corrected" somehow??
Meanwhile, I have recently started to download -especially upgraged - via a direct LAN connection between my MBP and the satellite modem. However, seems to be a setback to me, especially since my most mundane among my Win machines have no trouble communicating over the wireless network.
I'll appreciate assistance!
- Roger TI don't know about wireless, as I only have dial up. And I have an iBook and not a MBP. But I frequently lose internet connection part way through a software update, probably due to the local antiquated phone lines. About all that happens is that the download has to be done over completely. It never picks up where it left off, so I assume the partial download is just gone as if it had never been downloaded. I would guess the same would be true of wireless downloads.
Good luck! -
I have tried using appletviewer to open the repository editor and got a "bea.jolt.serviceexception service not available GETKEYS" error. Then I tried to load the jrepository using
java bea.jolt.admin.jbld //localhost:15000 bulk_upload.txt
and got the same error. My CLASSPATH looks OK based on the documentation, and the default jrepository is in place. Both JSL and JREPSVR boot OK.
Any ideas most welcome
Sueyour jrepository might be corrupt .
can you see GETKEYS when you do
cat jrepository | grep GETKEY -
Error during connect to the instance Content Server MAXDB-XSERVER Receive
We rebooted this mornning a PROD Instance with SAPDB!
Second Instance is a Content Server. Now, we got an error during connect via
DBM Gui to Maxdb 7.6.06.04
2011-08-19 10:06:32 577 ERR 11926 XSERVER Receive packet, Ref:8 - socket recv error (110:Connection timed out
Environment variable : 1. Insctance PROD
2. Instance Prod Content Server
We couldnt connect to the database Instnce via DBMgui and also DB50 all collected data are visible, but its possible to start
DBACOCKPIT, analyse DB analyser : Message
Info Size of data cache 260306 pages, 99.98% in use, size of converter cache 1762 pages
Its seems so regarding to the Info of DB Analyser: Instance CSP (sap1) is up since 2011-06-10 12:20:10 that the Content server
didnt recognize that there was a boot this morning!!
In DBACOCKPIT it seems to be o.k. ! We could not boot the PROD Host asap again, because of the maintenance time window!
Where we could check more featur. of the content server. The processes seems to be o.k.!> Near the same problem occurs on our backup content server MAXDB!
> The backup runs during this situation a expanded longer time as normal. I get in DBM Gui today always the error code -4 socket recieve error, the Icon goes green, but there isnt any possibility to analyse the check area -> Diagnosis Files, to improof the status via gui! Via tc DBACOCKPIT i could connect to the instance and get some data! For example, If i try to stop the DB analsyser, its not possible.
I would stop the full gui and also end all dbm*.exe processes in the task manager and start it new.
Markus -
Unable to pass traffic for new vpn connection
Scenario:
I have three sites all connected ( full mesh) with IPsec/GRE tunnels and these work fine. I attempted to add a satellite office to one our sites. The sat device is a 3rd party device and is behind a rotuer/fw device. The IPSec tunnel (non-gre) appears to come up but no traffic passes.
When I ping 192.168.3.1 from the sat device (monitored using tcpdump), it cause the tunnel to come up but I don't see the Cisco side replying back.
The 192.168.180.0/24 network is at the Sat office and the 192.168.3.0/24 network is at the main office.
If I initiate a ping from the Cisco side, it doesn't prompt the tunnel to come up. ???? Any ideas?
Cisco config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key secret address x.x.x.x
crypto isakmp key secret address x.x.x.x
crypto isakmp key secret address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
crypto ipsec transform-set f5_set esp-3des esp-sha-hmac
crypto map vpnmap 31 ipsec-isakmp
set peer x.x.x.x
set transform-set vpn_set
match address 131
crypto map vpnmap 32 ipsec-isakmp
set peer x.x.x.x
set transform-set vpn_set
match address 132
crypto map vpnmap 33 ipsec-isakmp
set peer 7.7.7.7
set transform-set f5_set
match address 133
interface Tunnel31
bandwidth 1200000
ip address 172.16.31.34 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 5.5.5.5
tunnel destination x.x.x.x
interface Tunnel32
bandwidth 1200000
ip address 172.16.31.57 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 5.5.5.5
tunnel destination x.x.x.x
interface FastEthernet0/1
bandwidth 51200
ip address 50.50.50.1
ip access-group 101 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect ISP2-cbac out
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnmap
ip nat inside source route-map nonat interface FastEthernet0/1 overload
partial acl
access-list 101 permit udp host 7.7.7.7 any eq isakmp
access-list 101 permit udp host 7.7.7.7 eq isakmp any
access-list 101 permit esp host 7.7.7.7 any
route-map nonat permit 41
match ip address 175
access-list 133 permit ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 50.50.50.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 172.18.1.0 255.255.255.0 192.168.3.254
ip route 172.18.2.0 255.255.255.0 192.168.3.254
ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 192.168.3.254
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
50.50.50.1 7.7.7.7 QM_IDLE 1003 ACTIVE
sh crypto isa sa
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
current_peer 7.7.7.7 port 35381
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 50.50.50.1, remote crypto endpt.: 7.7.7.7
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xFF024E3E(4278341182)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x8E538667(2387838567)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:7, sibling_flags 80000046, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493323/82118)
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFF024E3E(4278341182)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:8, sibling_flags 80000046, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493323/82118)
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DEBUG
#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
#sh log | inc 7.7.7.7
000202: *Aug 12 02:20:16.006: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000207: *Aug 12 02:20:16.046: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000211: *Aug 12 02:20:16.046: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FD
000287: *Aug 12 02:20:25.962: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000292: *Aug 12 02:20:25.998: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000296: *Aug 12 02:20:25.998: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FE
000389: *Aug 12 02:20:35.542: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000394: *Aug 12 02:20:35.578: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000398: *Aug 12 02:20:35.582: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FF
000402: *Aug 12 02:20:36.582: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000409: *Aug 12 02:20:36.586: ISAKMP:(1003):DPD/R_U_THERE received from peer 7.7.7.7, sequence
0x5FF
000413: *Aug 12 02:20:36.586: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
#sh log | inc 7.7.7.7
000847: *Aug 12 02:21:24.163: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000852: *Aug 12 02:21:24.203: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
3rd party device:
# racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2
50.50.50.1.500 e1866e9ee2830764:575a7489971701ad 9 I 10 M 2013-08-11 20:04:57 1
[root@ltm1:Active:Disconnected] log # racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2
50.50.50.1.500 e1866e9ee2830764:575a7489971701ad 9 I 10 M 2013-08-11 20:04:57 1
# racoonctl -l show-sa ipsec
192.168.180.5 50.50.50.1
esp mode=tunnel spi=2387838567(0x8e538667) reqid=62829(0x0000f56d)
E: 3des-cbc 74583bf5 4fe29310 07603be7 d52516d6 7269c35f 51b24a52
A: hmac-sha1 c0d2254c ea2ec11a 6a22bf41 dad35582 00d91a30
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Aug 11 20:04:59 2013 current: Aug 11 21:18:57 2013
diff: 4438(s) hard: 5184000(s) soft: 4147200(s)
last: Aug 11 21:18:56 2013 hard: 0(s) soft: 0(s)
current: 421660(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3635 hard: 0 soft: 0
sadb_seq=1 pid=8526 refcnt=0
50.50.50.1 192.168.180.5
esp mode=tunnel spi=4278341182(0xff024e3e) reqid=62828(0x0000f56c)
E: 3des-cbc 3bc26d98 0a230000 54c64896 e1a68815 6c696a15 f6779541
A: hmac-sha1 96de21a0 b5f52539 0616acfa b5a09994 03306e92
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Aug 11 20:04:59 2013 current: Aug 11 21:18:57 2013
diff: 4438(s) hard: 5184000(s) soft: 4147200(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=8526 refcnt=0Scenario:
I have three sites all connected ( full mesh) with IPsec/GRE tunnels and these work fine. I attempted to add a satellite office to one our sites. The sat device is a 3rd party device and is behind a rotuer/fw device. The IPSec tunnel (non-gre) appears to come up but no traffic passes.
When I ping 192.168.3.1 from the sat device (monitored using tcpdump), it cause the tunnel to come up but I don't see the Cisco side replying back.
The 192.168.180.0/24 network is at the Sat office and the 192.168.3.0/24 network is at the main office.
If I initiate a ping from the Cisco side, it doesn't prompt the tunnel to come up. ???? Any ideas?
Cisco config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key secret address x.x.x.x
crypto isakmp key secret address x.x.x.x
crypto isakmp key secret address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
crypto ipsec transform-set f5_set esp-3des esp-sha-hmac
crypto map vpnmap 31 ipsec-isakmp
set peer x.x.x.x
set transform-set vpn_set
match address 131
crypto map vpnmap 32 ipsec-isakmp
set peer x.x.x.x
set transform-set vpn_set
match address 132
crypto map vpnmap 33 ipsec-isakmp
set peer 7.7.7.7
set transform-set f5_set
match address 133
interface Tunnel31
bandwidth 1200000
ip address 172.16.31.34 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 5.5.5.5
tunnel destination x.x.x.x
interface Tunnel32
bandwidth 1200000
ip address 172.16.31.57 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 5.5.5.5
tunnel destination x.x.x.x
interface FastEthernet0/1
bandwidth 51200
ip address 50.50.50.1
ip access-group 101 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect ISP2-cbac out
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnmap
ip nat inside source route-map nonat interface FastEthernet0/1 overload
partial acl
access-list 101 permit udp host 7.7.7.7 any eq isakmp
access-list 101 permit udp host 7.7.7.7 eq isakmp any
access-list 101 permit esp host 7.7.7.7 any
route-map nonat permit 41
match ip address 175
access-list 133 permit ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 50.50.50.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 172.18.1.0 255.255.255.0 192.168.3.254
ip route 172.18.2.0 255.255.255.0 192.168.3.254
ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 192.168.3.254
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
50.50.50.1 7.7.7.7 QM_IDLE 1003 ACTIVE
sh crypto isa sa
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
current_peer 7.7.7.7 port 35381
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 50.50.50.1, remote crypto endpt.: 7.7.7.7
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xFF024E3E(4278341182)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x8E538667(2387838567)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:7, sibling_flags 80000046, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493323/82118)
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFF024E3E(4278341182)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:8, sibling_flags 80000046, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4493323/82118)
IV size: 8 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DEBUG
#show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
#sh log | inc 7.7.7.7
000202: *Aug 12 02:20:16.006: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000207: *Aug 12 02:20:16.046: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000211: *Aug 12 02:20:16.046: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FD
000287: *Aug 12 02:20:25.962: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000292: *Aug 12 02:20:25.998: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000296: *Aug 12 02:20:25.998: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FE
000389: *Aug 12 02:20:35.542: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000394: *Aug 12 02:20:35.578: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000398: *Aug 12 02:20:35.582: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
sequence 0x1C6F72FF
000402: *Aug 12 02:20:36.582: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
000409: *Aug 12 02:20:36.586: ISAKMP:(1003):DPD/R_U_THERE received from peer 7.7.7.7, sequence
0x5FF
000413: *Aug 12 02:20:36.586: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
#sh log | inc 7.7.7.7
000847: *Aug 12 02:21:24.163: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
(R) QM_IDLE
000852: *Aug 12 02:21:24.203: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
Global (R) QM_IDLE
3rd party device:
# racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2
50.50.50.1.500 e1866e9ee2830764:575a7489971701ad 9 I 10 M 2013-08-11 20:04:57 1
[root@ltm1:Active:Disconnected] log # racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2
50.50.50.1.500 e1866e9ee2830764:575a7489971701ad 9 I 10 M 2013-08-11 20:04:57 1
# racoonctl -l show-sa ipsec
192.168.180.5 50.50.50.1
esp mode=tunnel spi=2387838567(0x8e538667) reqid=62829(0x0000f56d)
E: 3des-cbc 74583bf5 4fe29310 07603be7 d52516d6 7269c35f 51b24a52
A: hmac-sha1 c0d2254c ea2ec11a 6a22bf41 dad35582 00d91a30
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Aug 11 20:04:59 2013 current: Aug 11 21:18:57 2013
diff: 4438(s) hard: 5184000(s) soft: 4147200(s)
last: Aug 11 21:18:56 2013 hard: 0(s) soft: 0(s)
current: 421660(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3635 hard: 0 soft: 0
sadb_seq=1 pid=8526 refcnt=0
50.50.50.1 192.168.180.5
esp mode=tunnel spi=4278341182(0xff024e3e) reqid=62828(0x0000f56c)
E: 3des-cbc 3bc26d98 0a230000 54c64896 e1a68815 6c696a15 f6779541
A: hmac-sha1 96de21a0 b5f52539 0616acfa b5a09994 03306e92
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Aug 11 20:04:59 2013 current: Aug 11 21:18:57 2013
diff: 4438(s) hard: 5184000(s) soft: 4147200(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=8526 refcnt=0 -
Can't Connect to Pix 501 VPN on Network
Hi All,
I have a software VPN client that connects just fine to the PIX 501 VPN, but I cannot ping or telnet to any services on the LAN. Below is my config and results of show cry ipsec sa. I would appreciate any suggestions to fix this.
It's been a while since I have done this. When I check the DHCP address received from the VPN, the default gateway is missing. IIRC, that is normal. What is strange is that when I ping, Windows does not show any sent packets.
Thanks,
--Drichards38
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bgVy005CZTsaMOwR encrypted
passwd bgVy005CZTsaMOwR encrypted
hostname cisco
domain-name xxxxxx.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1024-2048
fixup protocol ftp 49152-65534
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any interface outside eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq telnet
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 60990
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq echo
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any interface inside eq www
access-list acl_out permit tcp any interface inside eq ftp
access-list acl_out permit tcp any interface inside eq 3389
access-list acl_out permit tcp any interface inside eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 902
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.0.0.0
access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside aa.bb.cc.dd 255.255.255.240
ip address inside 192.168.93.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool low_vpn_pool 10.0.1.205-10.0.1.210
pdm location 172.16.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.93.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.67 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.68 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.69 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.70 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.71 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.72 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.73 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.74 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.75 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.76 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.77 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.78 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 aa.bb.cc.dd 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MY_VPN address-pool low_vpn_pool
vpngroup MY_VPN dns-server 4.2.2.1
vpngroup MY_VPN default-domain xxxxx.biz
vpngroup MY_VPN split-tunnel split_tunnel_acl
vpngroup MY_VPN idle-time 1800
vpngroup MY_VPN password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.93.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.93.230-192.168.93.240 inside
dhcpd dns ff.gg.hh.ii ff.gg.hh.ii
dhcpd lease 65536
dhcpd ping_timeout 750
dhcpd domain xxxxxx.biz
dhcpd auto_config outside
dhcpd enable inside
username xxxx password xxxxxxx encrypted privilege 15
cisco(config)# show cry ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. aa.bb.cc.dd
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
current_peer: jj.kk.ll.mm:1265
dynamic allocated peer ip: 10.0.1.205
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: aa.bb.cc.dd, remote crypto endpt.: 97.93.95.133
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 3a898e67
inbound esp sas:
spi: 0xeeb64931(4004923697)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607993/28610)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3a898e67(982093415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28574)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:I just set the logging to high on all areas of the Cisco VPN client. Below is the resulting log. Everything looks ok from here:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
29 09:57:02.887 09/03/12 Sev=Info/4 CM/0x63100002
Begin connection process
30 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100004
Establish secure connection
31 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "a.b.c.d"
32 09:57:02.907 09/03/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with a.b.c.d.
33 09:57:02.917 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to a.b.c.d
34 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
35 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
36 09:57:03.228 09/03/12 Sev=Info/6 IPSEC/0x6370002C
Sent 47 packets, 0 were fragmented.
37 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
38 09:57:03.979 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from a.b.c.d
39 09:57:04.039 09/03/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
40 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
41 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
42 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
43 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
44 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
45 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
46 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to a.b.c.d
47 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0421, Remote Port = 0x1194
49 09:57:03.999 09/03/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
50 09:57:03.999 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
51 09:57:04.029 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
52 09:57:04.029 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) from a.b.c.d
53 09:57:04.029 09/03/12 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
54 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
55 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
56 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
57 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
58 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
59 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
60 09:57:04.039 09/03/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
61 09:57:09.327 09/03/12 Sev=Info/4 CM/0x63100017
xAuth application returned
62 09:57:09.327 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
63 09:57:09.367 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
64 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
65 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
66 09:57:09.367 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
67 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
68 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
69 09:57:09.387 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
70 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
71 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
72 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.205
73 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.1
74 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.biz
75 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
76 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.0.0
mask = 255.0.0.0
protocol = 0
src port = 0
dest port=0
77 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
78 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
79 09:57:09.427 09/03/12 Sev=Info/4 CM/0x63100019
Mode Config data received
80 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.0.1.205, GW IP = a.b.c.d, Remote IP = 0.0.0.0
81 09:57:09.437 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to a.b.c.d
82 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
83 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
84 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
85 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
86 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to a.b.c.d
87 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D70550E6 OUTBOUND SPI = 0xB335C6DA INBOUND SPI = 0xE99E1A59)
88 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xB335C6DA
89 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE99E1A59
90 09:57:09.527 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 172.16.0.11 0.0.0.0 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
91 09:57:10.448 09/03/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.0.1.205/255.0.0.0
DNS=4.2.2.1,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=xxxx.biz
Split DNS Names=
92 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 25
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
93 09:57:10.458 09/03/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
94 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 1
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
a.b.c.d 255.255.255.255 172.16.0.1 172.16.0.11 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.1 255.255.255.255 172.16.0.11 172.16.0.11 1
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
95 09:57:10.458 09/03/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
96 09:57:10.508 09/03/12 Sev=Info/4 CM/0x6310001A
One secure connection established
97 09:57:10.618 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 172.16.0.11. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
98 09:57:10.638 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 10.0.1.205. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
99 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
100 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
101 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xdac635b3 into key list
102 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
103 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x591a9ee9 into key list
104 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.0.1.205
105 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 172.16.0.11. SG: a.b.c.d
106 09:57:10.638 09/03/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
107 09:57:19.741 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
108 09:57:19.741 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445672
109 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
110 09:57:19.772 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
111 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445672, seq# expected = 3951445672
112 09:57:30.257 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
113 09:57:30.257 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445673
114 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
115 09:57:30.297 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
116 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445673, seq# expected = 3951445673
117 09:57:40.772 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
118 09:57:40.772 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445674
119 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
120 09:57:40.802 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
121 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445674, seq# expected = 3951445674
122 09:57:54.291 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
123 09:58:04.306 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
124 09:58:14.320 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
125 09:58:24.334 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
126 09:58:34.349 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
127 09:58:41.359 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
128 09:58:41.359 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445675
129 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
130 09:58:41.389 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
131 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445675, seq# expected = 3951445675
132 09:58:54.378 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 09:59:04.392 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
134 09:59:14.406 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
135 09:59:24.421 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
136 09:59:34.435 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
137 09:59:41.946 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
138 09:59:41.946 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445676
139 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
140 09:59:41.976 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
141 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445676, seq# expected = 3951445676
142 09:59:54.464 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA -
Remote Access VPN connecting but not passing traffic
I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.
3118-FWL001(config)# sho run
: Saved
ASA Version 7.2(3)
hostname 3118-FWL001
domain-name rr-rentals.com
enable password hEgvNHfNHV8zypPu encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 199.X.X.162 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec
banner exec
banner exec
banner exec Any attempted or unauthorized access, use, or modification is prohibited.
banner exec Unauthorized users may face criminal and/or civil penalties.
banner exec The use of this system may be monitored and recorded.
banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
banner exec provide the records to law enforcement.
banner exec Be safe! Do not share your access information with anyone!
banner exec
banner exec
banner exec
banner asdm
banner asdm
banner asdm
banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
banner asdm Unauthorized users may face criminal and/or civil penalties.
banner asdm The use of this system may be monitored and recorded.
banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
banner asdm provide the records to law enforcement.
banner asdm Be safe! Do not share your access information with anyone!
banner asdm
banner asdm
banner asdm
ftp mode passive
dns server-group DefaultDNS
domain-name rr-rentals.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_acl extended permit ip any host 199.X.X.163
access-list outside_acl extended permit icmp any any echo
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
access-list outside_acl extended permit tcp any any eq ftp
access-list outside_acl extended permit tcp any any eq ftp-data
access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 216.X.X.64 255.255.255.192 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 50.X.X.58
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 75.X.X.253
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 173.X.X.69
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 70.X.X.194
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.2 255.255.255.255 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 216.X.X.64 255.255.255.192 outside
ssh 50.X.X.58 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
tftp-server outside 216.X.X.116 3118-FWL001.config
group-policy rr-vpn internal
group-policy rr-vpn attributes
dns-server value 216.X.X.12 66.X.X.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value rr-vpn_splitTunnelAcl
username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
username rrlee attributes
vpn-group-policy rr-vpn
username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
username cschirado attributes
vpn-group-policy rr-vpn
username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
username troy password amZKsxVU.8N9kKPb encrypted privilege 0
username troy attributes
vpn-group-policy rr-vpn
username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
username druiz attributes
vpn-group-policy rr-vpn
username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
username theresa attributes
vpn-group-policy rr-vpn
username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
username kevin attributes
vpn-group-policy rr-vpn
username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
username andrea attributes
vpn-group-policy rr-vpn
tunnel-group 50.X.X.58 type ipsec-l2l
tunnel-group 50.X.X.58 ipsec-attributes
pre-shared-key *
tunnel-group 75.X.X.253 type ipsec-l2l
tunnel-group 75.X.X.253 ipsec-attributes
pre-shared-key *
tunnel-group 72.X.X.71 type ipsec-l2l
tunnel-group 72.X.X.71 ipsec-attributes
pre-shared-key *
tunnel-group 173.X.X.69 type ipsec-l2l
tunnel-group 173.X.X.69 ipsec-attributes
pre-shared-key *
tunnel-group rr-vpn type ipsec-ra
tunnel-group rr-vpn general-attributes
address-pool vpnpool
default-group-policy rr-vpn
tunnel-group rr-vpn ipsec-attributes
pre-shared-key *
tunnel-group 70.X.X.194 type ipsec-l2l
tunnel-group 70.X.X.194 ipsec-attributes
pre-shared-key *
prompt hostname contextHere are the results of the commands you requested. I'm not able to ping either direction.
Thanks,
James
3118-FWL001# sho cry isa sa
Active SA: 5
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5
1 IKE Peer: 50.34.254.58
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 173.10.71.69
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: 75.151.109.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
4 IKE Peer: 70.99.88.194
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
5 IKE Peer: 216.211.143.85
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3118-FWL001# sho cry ips sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
current_peer: 216.211.143.85, username: kevin
dynamic allocated peer ip: 192.168.20.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: CBF94621
inbound esp sas:
spi: 0x8D8279CA (2374138314)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 200, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28715
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xCBF94621 (3422111265)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 200, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28715
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 50.34.254.58
#pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
#pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: FE16571B
inbound esp sas:
spi: 0x78BD7E4F (2025684559)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 86, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4263158/5788)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xFE16571B (4262876955)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 86, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4064653/5788)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162
access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 70.99.88.194
#pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
#pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 533F55E1
inbound esp sas:
spi: 0xE2F461AD (3807666605)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 194, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4273818/27167)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x533F55E1 (1396659681)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 194, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4266133/27167)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162
access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 75.151.109.253
#pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
#pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 8D74AC18
inbound esp sas:
spi: 0x0CF7F70B (217577227)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 195, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274490/23242)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8D74AC18 (2373233688)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 195, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4270718/23242)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162
access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 173.10.71.69
#pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
#pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 2E8A6147
inbound esp sas:
spi: 0x467968AB (1182361771)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 154, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4270213/18597)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2E8A6147 (780820807)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 154, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4162093/18597)
IV size: 16 bytes
replay detection support: Y
3118-FWL001# sho run route
route outside 0.0.0.0 0.0.0.0 199.21.66.161 1 -
Error while opening Jolt Administration Manager
Hi..
Am using Tuxedo10 R3 on AIX server..
Am trying to use Jolt Admin Console using RE.html..
But am getting this error:
bea.jolt.SessionException: Cannot connect to any //<servername>:<portnumber>.
Reason:NwHdlr: Cannot get address by name.
Below mention is the java version which am using current:
java version "1.6.0"
Can anyone help me in this??
Thanks in advance..Hi Todd,
The Simpapp Servlet is running on WebLogic Server hosted on the Server. So my understanding is that since the Servlet is working fine JSL & JSH are working fine and listenning is happening through the port. We are accesing the application from a remote PC.
We have the following Java Version:
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260-20090215_29883 (JIT enabled, AOT enabled)
Since this is the latest Java version for AIX it should support Applet.
I issue the command appletviewer RE.html the Applet start up but when I pass my credentials it throws the error which I specified.
should some access be granted for the Applet to use the port?? And will the ServerName parameter be the default name of the server or can we change it anywhere in the UBBCONFIG??
Thanks..
Maybe you are looking for
-
Working Around the Mentioned Limitation
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1574568 This note states the following u2026.. And this is what we have to do in the upcoming requests..... We have to change the BAPI's related to Purchase order c
-
Is there any standard program for vendor's ageing
Hi friends, There is a standard program for customers ageing(s_alr_87012178).Now i have a requirement for vendors ageing......Is it possible ? helpful answer is rewarded. Thanks & Regards, Anand kumar.
-
Premiere CC rendering delay at 100% (Multiplexing)
When i've tried to export a huge H264 MP4 file, multiplexing happens when rendering hits 100% following with file renaming to "_00_" extension and rewriting from scratch. And if the file size is big, it takes a lot of extra time resulting in unnecess
-
Setting a page background colour
Hi everyone, Im new to InDesign, and am (or at least i thought i was), in the final stages of completing a brochure (A4 landscape format) for my photography business. The brochure Im creating is intended as both a downloadable pdf and also for viewin
-
http://www.jdcdemo.com/seark/test.html I alledgedly set up the style for the links to change background color on the top menu. For some reason which I have not been able to plumb, that ain't happenin' Can someone who knows more that I tell me where