Crypto Map Dynamic IP Reconnection Issues
Hello,
We are connecting using at each remote site a Cisco 837 router with an ISDN modem as a passthrough to a PIX Firewall.
Each time the ISDN connection drops the Cisco box either requires a reboot or the crypto map to be restarted before anyone can connect through to the PIX. Has anyone got any ideas please?
Many Thanks
Mark
It'll be because the PIX doesn't recognise that the tunnel has gone down, and therefore still tries the old tunnel and nothing works, until you reboot the PIX or clear down the tunnels. All this does is make the PIX build new tunnels and everything works.
You need to enable ISAKMP keepalives on both ends so that they'll determine that the other end has gone down and reset their own tunnels, allowing new ones to be built.
Use:
crypto isakmp keepalive 30
on the router, and:
isakmp keepalive 30
on the PIX and they'll send keepalives every 30 seconds then and quickly know if the other end has died.
-
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.
Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
And what I mean with the above is that when an L2L VPN connection is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
Hope this helps
- Jouni -
Crypto Map on Loopback interface or Physical Interface
Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on the WS-6506-E, it shows the error below. But I could apply the same on a VLAN interface. Can anyone explain to me what the issue is?
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
Any hardware limitation?
This was proven to break CEF in the past and is a bad design choice by default.
Newer releases do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Crypto map entry is incomplete
Hi
This is my config below. The error I am receiving is "crypto map entry is incomplete". Can someone please take a look and let me know? Thank you
ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
WARNING: The crypto map entry is incomplete!
ASA(config)# show run
: Saved
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net-local
subnet 10.10.10.20 255.255.255.0
object network net-remote
subnet 10.10.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,any) source static net-local net-local destination static net-remote net-remote
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.10.22-10.10.10.231 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.141.29.69 type ipsec-l2l
tunnel-group 81.141.29.69 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
: end
ASA(config)#
Hi,
You lack a "transform-set" configuration from the "crypto map" line.
For example
Create the IKEv1 Transform set
crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
and
Use it in the VPN configuration
crypto map outside_map 1 set ikev1 transform-set AES
The values of course depend on your own preference
Hope this helps
- Jouni -
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Hi!
I have already searched for this but didn't get the exact answer I'm looking for, so I'll try asking it again (if there is the same question).
I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels are being torn down since they request a proxy that doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
The remote peer said they did not change the proxy ID on their side, so possibly the old platform just does not set up the SA, without tearing down the tunnel, while the ASA on the new platform will tear it down if there is any mismatch.
Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration that is related to this issue? I.e. just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
Thanks!!
//Cody
Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to be a mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
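A triage aid for the %ASA-3-713061 rejection quoted in this thread, added here as an example and not taken from any poster: it extracts the rejected proxy IDs from the syslog line and reports how each crypto ACL entry relates to them (exact, subset, or none), leaving the accept decision to the device. The function names and the ACL pairs are assumptions constructed for illustration; only the log line comes from the page.

```python
import ipaddress
import re

# Field layout taken from the 713061 message quoted on this page:
# remote proxy ADDR/MASK/PROTO/PORT local proxy ADDR/MASK/PROTO/PORT
REJECT_RE = re.compile(
    r"%ASA-3-713061: Group = (?P<group>\S+), IP = (?P<peer>[\d.]+), "
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ "
    r"on interface (?P<ifname>\S+)"
)


def parse_rejection(line):
    """Return the rejected selectors as networks, or None if not a 713061 line."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    return {
        "peer": m["peer"],
        "interface": m["ifname"],
        "local": ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False),
        "remote": ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False),
    }


def relation(proposed, configured):
    """How a proposed selector relates to one side of a crypto ACL entry."""
    if proposed == configured:
        return "exact"
    if proposed.subnet_of(configured):
        return "subset"
    return "none"


def triage(line, crypto_acl):
    """crypto_acl: (local, remote) CIDR pairs as written on the local ASA."""
    rej = parse_rejection(line)
    if rej is None:
        return None
    entries = []
    for local_cfg, remote_cfg in crypto_acl:
        entries.append((
            local_cfg,
            remote_cfg,
            relation(rej["local"], ipaddress.ip_network(local_cfg)),
            relation(rej["remote"], ipaddress.ip_network(remote_cfg)),
        ))
    # "covered" means some entry relates to BOTH selectors of the proposal.
    covered = any(l != "none" and r != "none" for _, _, l, r in entries)
    return {"peer": rej["peer"], "local": str(rej["local"]),
            "remote": str(rej["remote"]), "covered": covered,
            "entries": entries}


# Log line copied from the post above.
PAGE_LOG_LINE = (
    "Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, "
    "IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy "
    "10.10.9.81/255.255.255.255/0/0 on interface outside"
)
# Constructed crypto ACL (local, remote); the poster's real ACL is not on the page.
CONSTRUCTED_ACL = [
    ("10.10.9.80/32", "192.168.1.226/32"),
    ("10.10.9.82/32", "192.168.1.226/32"),
]

if __name__ == "__main__":
    result = triage(PAGE_LOG_LINE, CONSTRUCTED_ACL)
    print(result["local"], "->", result["remote"], "covered:", result["covered"])
    for entry in result["entries"]:
        print("  ", entry)
```

Run over a day of syslog, the uncovered selector pairs give a concrete list to send to the remote peer for removal.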
Troubles using VRF-aware IPsec w/ crypto maps
I'm trying to get a lab setup to work with a C2951 (15.2(4)M4) peering with an ASA 5510 (9.1(2)). The config is based on crypto maps, since I want the C2951 to be the initiating side, and as far as I understand, VTIs wouldn't be working together with the ASA due to the default 'any' crypto statements that are being applied on SVTIs.
So I've set up this IKEv1-, crypto map-based lab, and the tunnel strictly won't come up; it seems that crypto doesn't find any interesting traffic at all (no debug crypto isakmp output pops up).
What I'm doing for testing is issuing a VRF Ping from a loopback interface of the C2951. I was following the following cheat sheet to configure the IOS box:
https://supportforums.cisco.com/docs/DOC-13524
Please see the attached config files and the setup drawing.
This is the way I'm testing it:
C2951#sh deb
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
C2951#
C2951#ping vrf test 10.0.0.1 source lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.0.1
Success rate is 0 percent (0/5)
C2951#
Any hints for me, please?
There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?
C2951#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: OUR-MAP, local addr 30.0.0.2
protected vrf: test
local ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 20.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xEB02ACDA(3942821082)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0x1A943A9F(445921951)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP
sa timing: remaining key lifetime (k/sec): (4225929/3571)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEB02ACDA(3942821082)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP
sa timing: remaining key lifetime (k/sec): (4225928/3571)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
C2951#sh ip route 10.0.0.0
% Network not in table
C2951#sh ip route vrf test 10.0.0.0
Routing Table: test
Routing entry for 10.0.0.0/24, 1 known subnets
S 10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0 -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248
Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
We've noticed a very strange issue on our Cisco 3800 router.
The router is hosting multiple Site to Site VPN connections. All of the VPNs are working fine.
While doing some routine diagnostics we've noticed that one of the VPN's crypto maps is not displayed correctly as you can see in the image below.
I checked the associated ACL and the last entry is displayed correctly.
I also tried to recreate the ACL to see if that will fix this.
Only this crypto map is displayed like this. All of the others are displaying just fine.
I noticed that if I remove the last statement from the ACL then the crypto map will be displayed correctly.
What could be the reason for this phenomenon?
Can this cause any connectivity issues in the future?
Access-lists, FW (ZBF, CBAC) and all other features work on SVTI the same way they would work on a physical or other logical interfaces (with very few exceptions).
-
Crypto map removing itself after reload
Hello,
I just set up my site to site VPN with a PIX box and a Cisco 3745.
The PIX box is fine, but whenever I reload the 3745 the crypto map is not applied to the interface after the reload.
Hello,
I did issue a write memory.
sh ver
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 14:41 by prod_rel_team
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
System restarted at 01:34:09 UTC Fri Jul 5 2013
System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected]
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID JMX0837L5AU
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
31360K bytes of ATA System CompactFlash (Read/Write)
125952K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102 -
I have a PIX 515 and am trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110, then the crypto map mymap 20 ipsec-isakmp, no problem. Then on the crypto map mymap 20 match address 101 I get the error message "Crypto map incomplete". Why am I getting this error and how do I get around it? Thanks.
Yes I have an Incomplete.
crypto ipsec transform-set tr-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tr-set
crypto dynamic-map dynmap 15 set transform-set tr-set
crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 70.106.123.11
crypto map mymap 10 set transform-set tr-set
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address 105
crypto map mymap 15 set peer 67.100.146.217
crypto map mymap 15 set transform-set tr-set
crypto map mymap 20 ipsec-isakmp
! Incomplete
crypto map mymap 6335 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside -
Crypto map has incomplete entries message
I'm working on building a configuration on a 5540 running 9.1.2 for L2L VPN. When I reload the device, I get this message:
.WARNING: crypto map has incomplete entries
*** Output from config line 10665, "crypto map L2LVPN interf..."
It seems it's giving me the error on the line where the crypto map is assigned to the outside interface. Unfortunately this message really is not very helpful. I do not have this in production yet. Is there any way I can find out where my problem may be?
Thanks.
Jason
Hi,
This usually indicates that one L2L VPN connection Crypto Map configuration is missing some essential parameter to make it complete.
So issue the command
show run crypto map
Then make sure that the following lines exist
crypto map match address
crypto map set peer
crypto map set ikev1 transform-set
If any of the 3 things mentioned above are missing then the crypto map configuration is deemed incomplete and doesn't have the information needed for that L2L VPN to function.
At least this is what it seems to me.
Hope it helps
- Jouni -
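The check described in the answer above, written as an added example (not the poster's or Cisco's code): it groups `crypto map NAME SEQ ...` lines by entry and reports which of the three parameters each static entry lacks. The function names are assumptions; treating `set ikev2 ipsec-proposal` as satisfying the transform-set requirement is an assumption beyond the answer; the two excerpts are copied from the "incomplete" threads on this page.

```python
import re
from collections import defaultdict

# The three parameters a static (L2L) entry needs, per the answer above.
REQUIRED = ("match address", "set peer", "set transform-set")

# Matches per-entry lines only; "crypto map NAME interface IFNAME" has no
# sequence number and is skipped.
ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (.+?)\s*$")


def classify(rest):
    """Map the tail of a 'crypto map NAME SEQ ...' line to a parameter name."""
    if rest.startswith("match address "):
        return "match address"
    if rest.startswith("set peer "):
        return "set peer"
    # ASA 8.4 and later write 'set ikev1 transform-set'; PIX omits 'ikev1'.
    if re.match(r"set (ikev1 )?transform-set \S", rest):
        return "set transform-set"
    if rest.startswith("set ikev2 ipsec-proposal "):  # assumption, see lead-in
        return "set transform-set"
    if rest.startswith("ipsec-isakmp dynamic "):
        return "dynamic"
    return None  # pfs, lifetime, bare 'ipsec-isakmp', ...


def incomplete_entries(config_text):
    """Return {(map_name, seq): [missing parameters]} for static entries."""
    seen = defaultdict(set)
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            seen[(m.group(1), int(m.group(2)))].add(classify(m.group(3)))
    report = {}
    for key in sorted(seen):
        if "dynamic" in seen[key]:
            continue  # parameters live in the referenced dynamic-map
        missing = [p for p in REQUIRED if p not in seen[key]]
        if missing:
            report[key] = missing
    return report


# Excerpt from the ASA 8.4(4)1 running config posted on this page.
ASA_EXCERPT = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
"""

# Excerpt from the PIX 515 config posted on this page.
PIX_EXCERPT = """\
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 70.106.123.11
crypto map mymap 10 set transform-set tr-set
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address 105
crypto map mymap 15 set peer 67.100.146.217
crypto map mymap 15 set transform-set tr-set
crypto map mymap 20 ipsec-isakmp
! Incomplete
crypto map mymap 6335 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

if __name__ == "__main__":
    for label, text in (("ASA", ASA_EXCERPT), ("PIX", PIX_EXCERPT)):
        for (name, seq), missing in incomplete_entries(text).items():
            print(f"{label}: crypto map {name} {seq} is missing {', '.join(missing)}")
```

Feeding it the output of `show run crypto map` before a reload points at the entry behind the warning, which the boot-time message does not name.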
Cellular reconnectivity issues with 3rd Gen iPad 3G/4G/LTE
I've read a few other threads regarding a reconnection issue with the new (3rd Gen) iPad. I'm creating a discussion so people can put their thoughts here regarding the issues they are having with reconnection of cellular data connections.
I have AT&T 64B iPad Gen 3 with 4G/LTE. Black. Works just fine on wifi and my LTE screams at home and work. Faster than my cable at home. I have noticed something behavior regarding data connection when it's lost (like in a tunnel). I ride DC Metro to work and go through a few tunnels. Of course, my data connection drops in the tunnels. When I come back out the indicator on the iPad indicates 5 bars signal and LTE again. Problem is the data connection isn't there, no matter what app I try. I even get a popup window say my cellular data plan has not been activated (huh?). This isn't true since I am on, and have been using a plan. It does this whether it's 4G or LTE reconnection. Not sure about 3G because I haven't seen 3G icon popup on this iPad yet.
I'm thinking this may be an authentication issue? Else, why would it popup that warning? Anyway, all I do is go into settings, turn cellular data off and back on again, and everything is fine.
I'm guessing that there could be a software fix for this in the future as there are quite a bunch of people having this problem with reconnection to cellular.
Please post your issues here in this discussion if you have this problem. Maybe we can figure something out.
I have the same iPad (3rd gen, 4G ATT, 64GB, Black). When it arrived last Friday, everything seemed to work fine, except the cellular data connection. It would constantly drop, and I had to toggle cellular data off and back on to get it back. Also, I was getting really slow speeds (on cellular data only - wifi works fine). I tried some simple fixes (restarting, resetting the network settings, restoring), but I kept having the problem. I finally made an appointment at the Genius Bar, and they immediately gave me a new iPad, saying "it could be a bad antenna." Here is the bad news. Even with the replacement, the connection seems to drop less often, but it still drops. The part that concerns me most is that the data speeds on my iPad are considerably slower than on my iPhone 4S when I test them in the exact same spot (I use the Speed Test app). So on my iPhone, I get speeds around 3 Mbps, and on the iPad, I get speeds of less than 1Mbps. I can't see any logical reason that the 3rd gen iPad would not get at least as good or better data speeds as an iPhone 4S. The fact that I have now had two 3rd gen iPads with cellular data problems concerns me. However, it is very hard to tell if this is a software, hardware, or network issue. The fact that my iPhone is running the same update of iOS (5.1), and has no problems would seem to eliminate the software and network as causes, but I can't really be sure. I am going to watch the posts in the support communities for another day or two and then head back to the Genius Bar. Overall I love the new iPad, but this has been a real downer.
-
I want to create an HTML table of img maps dynamically from DB retrieves...
Hi,
How do I build dynamic HTML code in a function and then populate a HTML region to render it.. (did I say that right?)
I want to create an HTML table of img maps dynamically from DB retrieves...
Thank you, Bill
Vikas and Andy,
Using Andy's code I'll go further...
I want to create a function that returns HTML code that has been built dynamically.
create or replace function "GET_CH_TABLE"
return VARCHAR2
is
HTML_STRING VARCHAR2(2000); -- Create a string variable
BEGIN
HTML_STRING:= '<table align="center">' ||chr(10)||
' <tr>' ||chr(10)||
' <td> TEST ' ||chr(10)||
' /td>' ||chr(10)||
' /tr>' ||chr(10)||
' tr>' ||chr(10)||
' td>' ||chr(10)||
' a href=https:// ............etc. etc.. building the <TABLE> and <TD> cells having whatever I want... example.. changing the name of an image dependant on something else..
return HTML_STRING; -- output the string to the region
--also tried htp.p(HTML_STRING);
END;
=====================================
Building the dynamic HTML is not my problem. It is how to get it into a region and to be read as HTML from a function call...
I'd like the source of the region to be the returned HTML from a function call to GET_CH_TABLE();
but it gives error:
ORA-06550: line 1, column 7: PLS-00221: 'GET_CH_TABLE' is not a procedure or is undefined
ORA-06550: line 1, column 7: PL/SQL: Statement ignored
Debug:
1: begin
2: GET_CH_TABLE();
3: end;
I -
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
Sent from Cisco Technical Support iPhone App -
Site to Site VPN working without Crypto Map (ASA 8.2(1))
Hi All,
Found a strange situation on our ASA5540 firewall :
We have a couple of Site to Site VPNs and also enabled client VPN on the ASA; all are working fine. But found a Site to Site VPN is up and running without crypto map configuration. Is it possible ?
I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
Is it the bug ?
Thanks in advance,
It might be an easy vpn setup.
Could you post a running config output remove any sensitive info. This could help us answer your question more exactly.