"Discoverying Proxy" across a IPSEC Tunnel over wireless

Bear with me here, there are lot of moving parts in this puzzle, and I'm unsure where to look.
Users are using IE7 (some IE8's), group policy has "Automatically Detect Settings", and we have published a WPAD DNS entry, and are hosting the PAC file on the S370 box.  We're very early in our deployment, so we're still functioning in "Monitor mode", till management has some information, and will direct us on what traffic they will allow .
The majority of users are located at our main site, the same site our Proxy is at, these users are having zero problems.  For all intents and purposes, they don't even know the proxy is there.
about 30% of our users are located at remote sites.  They are connected via an IPSEC L2L VPN tunnel  (ASA5505 at remote site, connecting to an ASA5550 at main site)
The users using a wired connection work fine
Wireless users, connecting via LWAPP accesspoints (Wireless LAN controller version 4.2.176.0) at the remote sites, experience a delay connecting to the proxy, usually a few minutes.  I actually believe that they are bypassing the proxy, since it takes two minutes.  Unfortually, most of my users at the remote sites are wireless.
Thing's I'm immediately going to try are upgrading to the latest version of WLAN controller software, and then open a TAC case on the wireless LAN controller, but before I do this,  has anyone run across something similar to this before?  (Proxy discovery having issues across an IPSEC tunnel)
Mike

Hi Javier,
Please explain to me how I should explain this technically elaborate issue to either ISP tech support? :-P
Well, I tried my best and ended up on the phone for 5 hours with 6 different techs between Verizon and TWC BC. I should get paid for explaining them the basics of networking.
Anyhow, my last desperate attempt was to ask the tech to reboot my ONT so I'd get a new IP. Maybe some traffic balancer or filter didn't like my source and destination IP combination. Maybe it was cursed.
Ring. Ring. I finally got an awesome tech (John) from Verizon who actually knew what he was talking about. I connected my Verizon supplied router again and asked if he could log into it or run pings from it remotely (to show him that I'm not crazy). Though other techs told me that was not possible, he did in just a few seconds without much pain. He saw the pings failing as well. Then he said pings from the Verizon ONT gateway were successful, so I assumed it must have been an issue somewhere in Verizon's neck of the (network) woods where the problem persisted.
Long story short: The new IP address worked like a charm and no more packet drops.

Similar Messages

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • RV042 ipsec tunneling over tcp

    I'm trying to connect to a Cisco ASA 5520 that requires ipsec over tcp. Is it possible to do this with an rv042? Thanks.

    Hi,
    RV042 support IPSec only on UDP 500 and 4500. No option to encapsulate it in a TCP packet.

  • Unexpected case IPv4 tunnel over IPv6 ?

    hi,
    I wonder if there is one use case one can think of that is not possible with Cisco IOS:
    Establish a IPsec tunnel over an IPv6 network tranporting both IPv4 and Ipv6 traffic. Even IPsec tunnel over an IPv6 network transporting IPv4 only does not work.
    I tried several things in my lab but couldn't get it running.
    I tried to search the net for my use case but I only find the other way round.
    Question: is it possible to achieve connectivity of the following IPv4 addresses over an IIPsec tunnel over Ipv6 network?
    Ultimately, the same tunnel should be capable transporting both. A dedicated Tunnel for IPv4 and IPv6 tunnel on the same routers would also be OK.
         Svr A                (  )                Svr B
        +----+             , `,( .)              +----+
        |    |   +----+   ( .(  ...)    +----+   |    |
        |    |---| R1 |---`    .....)---| R2 |---|    |
        |    |   +----+    ( ......)    +----+   |    |
        +----+                                   +----+
    10.0.23.1/24          IPv6 only          10.0.42.1/24
                            network

    Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client.  The host on the left side is connected to an IPv6-only network.  They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).
    Is this possible?
    Cisco VPN Client         (  )                Cisco ASA    +----+             , `,( .)              +----+    |    |   +----+   ( .(  ...)    +----+   |    |    |    |---| R1 |---`    .....)---| R2 |---|    |----IPv4 network    |    |   +----+    ( ......)    +----+   |    |    +----+                                   +----+IPv6-only HOST        IPv6 Network         has IPv6 Interface on public side
    alexander.koeppe wrote:hi,I wonder if there is one use case one can think of that is not possible with Cisco IOS:Establish a IPsec tunnel over an IPv6 network tranporting both IPv4 and Ipv6 traffic. Even IPsec tunnel over an IPv6 network transporting IPv4 only does not work.I tried several things in my lab but couldn't get it running.I tried to search the net for my use case but I only find the other way round.Question: is it possible to achieve connectivity of the following IPv4 addresses over an IIPsec tunnel over Ipv6 network?Ultimately, the same tunnel should be capable transporting both. A dedicated Tunnel for IPv4 and IPv6 tunnel on the same routers would also be OK.                           ,_     Svr A                (  )                Svr B     +----+             , `,( .)              +----+    |    |   +----+   ( .(  ...)    +----+   |    |     |    |---| R1 |---`    .....)---| R2 |---|    |     |    |   +----+    ( ......)    +----+   |    |     +----+                                   +----+ 10.0.23.1/24          IPv6 only          10.0.42.1/24                        network

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • AP registration over IPSEC Tunnel(ASA)

    Guys, 
    I have my WAP sitting behind ASA and have ipsec tunnel between ASA and router.below is the topology:-
    WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
    Recently we have replaced router with ASA 5505 for security reasons and since then WAP is not able to registered to WLC. we have VPN tunnel up and working. Even WAP is able to ping to WLC ip address.
    Do we have any special configuration in my ASA considering my above topology. I can confirm that capwap and lwap ports are opened in asa.
    Please let me know if some one has faced this issue before.

    Hi,
    I hope you have already allowed the below mentioned ports as per your requirement.
    You must enable these ports:
    Enable these UDP ports for LWAPP traffic:
    Data - 12222
    Control - 12223
    Enable these UDP ports for mobility traffic:
    16666 - 16666
    16667 - 16667
    Enable UDP ports 5246 and 5247 for CAPWAP traffic.
    TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
    These ports are optional (depending on your requirements):
    UDP 69 for TFTP
    TCP 80 and/or 443 for HTTP or HTTPS for GUI access
    TCP 23 and/or 22 for Telnet or SSH for CLI access
    Also if it goes over the IPSec VPN, MTU size  for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
    Can you get me your WLC and ASA OS versions?
    Regards
    Karthik

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
    However there are some other important aspect to consider: 
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • Can ASA send it's syslogs over it's own IPsec tunnel?

    I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
    I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
    Appreciate any pointers

    * Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
    * For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
    * You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
    * You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
    * When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
    * you specific the interface off which the syslog server resides in the 'logging host' command.
    In other words:
    * say your syslog server has IP address 1.1.1.1 which resides on the Internet.
    * say your outside interface on your ASA has an ip address of 200.200.200.200
    * say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
    * you will specify the outside interface in your 'logging host' command.
    THINGS YOU DON'T NEED:
    Because the syslog traffic is not transitting from one interface to another interface:
    * you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
    * you do not need to configure NAT. An xlate is not required.
    Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
    Regards,
    Troy

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

    Hi!
    I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
    I'm in process of migrating some VPN tunnels with  from a Cisco router to an ASA, everything will keep the same but just the peering IP address. However, some of the tunnel was being torn down since it request for a proxy doesn't match the one configured on our side. And the remote peer said there is no such issue on the previous platform, but now they need to reset the tunnel from time to time.
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
    The remote peer said they did not change the proxy id on their side so it is possibly the old platform will just not setting up the SA without torn down the tunnel while the ASA on the new platform will torn down if there is any mismatch.
    Anyway I have requested the remote side to remove those unmatched entried to avoid the tunnel being torn down, but if there any configuration that is related to this issue? i.e. Just bring up the SA with matched addresses and ignore others, instead of torn down the tunnel.
    Thanks!!
    //Cody

    Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
    If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

    Hi,
    I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
    Any ideas?
    Thanks Steve
    https://supportforums.cisco.com/thread/255085
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
    5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
    4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
    3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
    6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
    6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

    Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
    If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
    So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Sheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
    How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If i change it to something like this, the tunnel negotiation get triggerd.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson

  • VLAN's over Internet/IPSec Tunnel

    Hi All !
    I have a problem.
    I have trunked 5 VLANS from various sites over sattelite and have them all ending on a hub router ,
    but my difficulty now is in getting them sent to the HQ over the internet.
    I have thought about only 2 ways of possibly being able to do this
    1. Get a leased Line :-)
    2. and the only feasable alternative ! is to get the VLANs sent per IPSec over the internet but this is my problem....
    How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
    What equipment would I need ? (more switches/routers)
    Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
    Can someone please help.

    You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
    HTH
    Rick

  • Ipsec tunnel across Avaya 4620 phone terminating to cisco vpn concentrator

    I have been asked to test out an avaya 4620 phone with the vpn remote client installed on it for our home users.
    Here is my problem. The phone connects fine to my concentrator and I have a successful ipsec tunnel built, however, the phone cannot route back to the corportate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the ip address of the remote end, I see the ip address that was assigned to it from my local dsl router. My concentrator is supposed to forward dhcp requests on to my internal dhcp server, but this is not occurring. Has anyone seen this before or know where I should start here? any input will be greatly appreciated, thank you all for your time.

    Hello Andrew, I know this thread is a bit old, but I am in the process of trying to setup some 9630's to VPN into my Corp. HQ.  which is behind a 5510.  the problem I am having is with IKE Phase 2, I keep getting an IKE Phase 2 no Response on the phone and this is what Im getting in the ASA log.
    4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
    5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
    5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
    6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
    6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type:   Client Application Version:
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
    5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
    6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
    and this is what I get when I debug cyrpto isakmp
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE  flags 0x00418041, refcnt 1, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating:  flags 0x01418001, refcnt 0, tuncnt 0
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
    Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
    Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    BEFORE ENCRYPTION
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: AE00B902
      Length: 469762048
      Payload Hash
        Next Payload: Delete
        Reserved: 00
        Payload Length: 24
        Data:
          08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
          47 e1 0d d6
      Payload Delete
        Next Payload: None
        Reserved: 00
        Payload Length: 28
        DOI: IPsec
        Protocol-ID: PROTO_ISAKMP
        Spi Size: 16
        # of SPIs: 1
        SPI (Hex dump):
          68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
    ISAKMP Header
      Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
      Responder COOKIE: 29 30 54 18 84 da aa d2
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 02B900AE
      Length: 84
    RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
    if you could provide any help it would be greatly appreciated as I have been battling this for a few days now.
    thanks,
    Paul

  • Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

    I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
    Any assistance would be appreciated.
    ASA Version 8.2(1)
    hostname KRPS-FW
    domain-name lottonline.org
    enable password uniQue
    passwd uniQue
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.20.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    description Inside Network on VLAN1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    description Inside Network on VLAN1
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lottonline.org
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.20.30.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 1 match address KWPS-BITP
    crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
    crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ssh timeout 5
    console timeout 0
    management-access inside
    tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.001 ipsec-attributes
    pre-shared-key somekey

    Hi there,
    I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
    I don't know, the device is too old to stay alive.
    thanks

Maybe you are looking for

  • External VGA monitor

    I've just brought the laptop and gone through the update saga, everything is working but one thing, the external VGA monitor is only ever accepted as being 1280x1024 despite it being 1600x1200 native. I have tried everything I can think of, uninstall

  • After upgrading to 10.2.0.4

    Hi All, os: hp-ux upgrading from 9.2.0.4 to 10.2.0.4 After running catupgrd.sql on my 9.2.0.4 database, i have seen some statements on my Alert log file. Please guide me what may be the reason for this lines. > Thread 1 advanced to log sequence 426 (

  • How to check multiple special characters in this query.

    When the master_title has no comma in it, I am getting an empty master_title. This is because INSTR(master_title,',',1,1) is returning 0. In addition, I want to be able to specify other characters besides the comma. Example: ":" "/" "-". Can we fit t

  • Can NOT update my website (Golive 4)

    Im a Mac user. My server is itsamac is golive 4 just too old? or is it something else

  • Force BB To Remain In Stby

    Is there any way to keep my BB device in standby after removing it from the holder ?  I press the mute button placing it into standby, but as soon as I pull it out of the holster it comes out of standby. Solved! Go to Solution.