"Discoverying Proxy" across a IPSEC Tunnel over wireless
Bear with me here, there are a lot of moving parts in this puzzle, and I'm unsure where to look.
Users are using IE7 (some IE8s), group policy has "Automatically Detect Settings", we have published a WPAD DNS entry, and we are hosting the PAC file on the S370 box. We're very early in our deployment, so we're still functioning in "Monitor mode" until management has some information and directs us on what traffic they will allow.
The majority of users are located at our main site, the same site our proxy is at; these users are having zero problems. For all intents and purposes, they don't even know the proxy is there.
About 30% of our users are located at remote sites. They are connected via an IPSEC L2L VPN tunnel (ASA5505 at the remote site, connecting to an ASA5550 at the main site).
The users on a wired connection work fine.
Wireless users, connecting via LWAPP access points (Wireless LAN Controller version 4.2.176.0) at the remote sites, experience a delay connecting to the proxy, usually a few minutes. I actually believe that they are bypassing the proxy, since it takes two minutes. Unfortunately, most of my users at the remote sites are wireless.
Things I'm immediately going to try are upgrading to the latest version of the WLAN controller software and then opening a TAC case on the wireless LAN controller, but before I do this, has anyone run across something similar before? (Proxy discovery having issues across an IPSEC tunnel)
Mike
Hi Javier,
Please explain to me how I should explain this technically elaborate issue to either ISP's tech support? :-P
Well, I tried my best and ended up on the phone for 5 hours with 6 different techs between Verizon and TWC BC. I should get paid for explaining the basics of networking to them.
Anyhow, my last desperate attempt was to ask the tech to reboot my ONT so I'd get a new IP. Maybe some traffic balancer or filter didn't like my source and destination IP combination. Maybe it was cursed.
Ring. Ring. I finally got an awesome tech (John) from Verizon who actually knew what he was talking about. I connected my Verizon supplied router again and asked if he could log into it or run pings from it remotely (to show him that I'm not crazy). Though other techs told me that was not possible, he did in just a few seconds without much pain. He saw the pings failing as well. Then he said pings from the Verizon ONT gateway were successful, so I assumed it must have been an issue somewhere in Verizon's neck of the (network) woods where the problem persisted.
Long story short: The new IP address worked like a charm and no more packet drops.
Similar Messages
Not Seeing NAT Translations Across GRE IPSec Tunnel
Hello,
I have a P2P GRE over IPsec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing, however, are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
Thanks for any help you guys may be able to provide!
Anthony, CCNA (Network/Voice)
Can you send over the configurations?
You seem to have a phase 1 issue, it's not negotiating correctly.
Thanks
RV042 ipsec tunneling over tcp
I'm trying to connect to a Cisco ASA 5520 that requires ipsec over tcp. Is it possible to do this with an rv042? Thanks.
Hi,
The RV042 supports IPsec only on UDP 500 and 4500. There is no option to encapsulate it in a TCP packet.
Unexpected case: IPv4 tunnel over IPv6?
Hi,
I wonder if there is one use case one can think of that is not possible with Cisco IOS:
Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even an IPsec tunnel over an IPv6 network transporting IPv4 only does not work.
I tried several things in my lab but couldn't get it running.
I tried to search the net for my use case but I only find the other way round.
Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?
Ultimately, the same tunnel should be capable of transporting both. A dedicated tunnel for IPv4 and an IPv6 tunnel on the same routers would also be OK.
Svr A                                            Svr B
+----+   +----+   (              )   +----+   +----+
|    |---| R1 |---(  IPv6 only   )---| R2 |---|    |
+----+   +----+   (   network    )   +----+   +----+
10.0.23.1/24                             10.0.42.1/24
Same/similar question, but instead of a site-to-site VPN, the case would be using the Cisco VPN Client. The host on the left side is connected to an IPv6-only network. They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).
Is this possible?
Cisco VPN Client                                 Cisco ASA
+----+   +----+   (              )   +----+   +----+
|    |---| R1 |---(     IPv6     )---| R2 |---|    |----IPv4 network
+----+   +----+   (   network    )   +----+   +----+
IPv6-only HOST                           has IPv6 interface on public side
Help on establishing IPsec tunnel between 1941 and ASA
We are creating an IPsec tunnel over the Internet to another site, but it is not working. Could someone help me with what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
DD9950CB A40FC91B 4BCDE0DC 1B217A
quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
keyring default
self-identity address
match identity host XXX.XXX.XXX.XXX
initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me with what could be wrong, and what tests should I do?
Rds,
Luiz
Try a simple configuration without ISAKMP profiles.
have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel, and it works very well. I want to know: when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing, with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than IP unicast and multicast (such as NHRP, as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point-to-point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank
AP registration over IPSEC Tunnel (ASA)
Guys,
I have my WAP sitting behind an ASA and have an IPsec tunnel between the ASA and a router. Below is the topology:
WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
Recently we replaced the router with an ASA 5505 for security reasons, and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. The WAP is even able to ping the WLC IP address.
Do we need any special configuration on my ASA considering the above topology? I can confirm that the CAPWAP and LWAPP ports are opened on the ASA.
Please let me know if someone has faced this issue before.
Hi,
I hope you have already allowed the below mentioned ports as per your requirement.
You must enable these ports:
Enable these UDP ports for LWAPP traffic:
Data - 12222
Control - 12223
Enable these UDP ports for mobility traffic:
16666 - 16666
16667 - 16667
Enable UDP ports 5246 and 5247 for CAPWAP traffic.
TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
These ports are optional (depending on your requirements):
UDP 69 for TFTP
TCP 80 and/or 443 for HTTP or HTTPS for GUI access
TCP 23 and/or 22 for Telnet or SSH for CLI access
Also, if it goes over the IPsec VPN, the MTU size for the path between the AP and the WLC should be 1500; if it has a smaller MTU, then communication fails.
Can you get me your WLC and ASA OS versions?
Regards
Karthik
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel, and it works very well. I want to know: when do I have to use a GRE tunnel over IPsec?
Hi josedilone19,
GRE is used when you need to pass Broadcast or multicast traffic. That's the main function of GRE.
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
However, there are some other important aspects to consider:
In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
GRE tunnels encase multiple protocols over a single-protocol backbone.
GRE tunnels provide workarounds for networks with limited hops.
GRE tunnels connect discontinuous sub-networks.
GRE tunnels allow VPNs across wide area networks (WANs).
Hope this helps
Can an ASA send its syslogs over its own IPsec tunnel?
I'd like to send syslogs, etc., sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
I'd have to have a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
Appreciate any pointers.
* Yes, the ASA can source traffic which can be sent over an IPsec tunnel.
* For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being sourced from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
* You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
* When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
* You specify the interface off which the syslog server resides in the 'logging host' command.
In other words:
* Say your syslog server has IP address 1.1.1.1, which resides on the Internet.
* Say the outside interface on your ASA has an IP address of 200.200.200.200.
* Say your syslog server is located at a remote operations center which resides on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
* You will specify the outside interface in your 'logging host' command.
THINGS YOU DON'T NEED:
Because the syslog traffic is not transiting from one interface to another interface:
* you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
* you do not need to configure NAT. An xlate is not required.
Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
Regards,
Troy
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Hi!
I have already searched for this but didn't get the exact answer I'm looking for, so I'm asking it again (in case there is the same question).
I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels are being torn down since the request for a proxy doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
The remote peer said they did not change the proxy ID on their side, so possibly the old platform would just not set up the SA without tearing down the tunnel, while the ASA on the new platform tears it down if there is any mismatch.
Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration that is related to this issue? i.e., just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
Thanks!!
//Cody
Hi,
I have a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP's response.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Are you trying to send traffic destined for the Internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the Internet?
If so, this end also needs to be configured with "any" as well --> the crypto ACL needs to be a mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0
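The replies above say the crypto ACL on this end must be the mirror image of the peer's, and Troy's answer earlier says that even ASA-sourced traffic (the syslog flow) must itself be matched by the interesting-traffic ACL; the %ASA-3-713061 messages in both threads name exactly which local/remote proxy pair failed that test. The script below is an added example, not from any of the posts and not Cisco code: it pulls the proxy pair out of constructed 713061 lines (copied from the messages quoted above), checks a candidate crypto ACL to see whether a proposed change would now match each pair, and prints the ACE each side needs. It assumes ASA "permit ip" syntax with subnet masks and ignores the protocol/port fields of the proxy; the ACL name outside_1_cryptomap is the one from the reply above, and 10.10.9.200 is a constructed address.

```python
import ipaddress
import re

# Constructed sample input, modelled on the %ASA-3-713061 rejections quoted in the threads
# above (a 713902 line is included to show that unrelated messages are skipped).
SAMPLE_LOGS = [
    "Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside",
    "Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, "
    "QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!",
    "3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 "
    "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
]

# Constructed candidate crypto ACL (ASA syntax: subnet masks, not wildcards) to validate
# against the rejections before it is pushed. 10.10.9.200 is a made-up host.
CANDIDATE_CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip host 10.10.9.81 host 10.10.9.200",
    "access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0",
]

# 713061 prints each proxy as address/mask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def parse_rejections(lines):
    """Return (local proxy, remote proxy) networks from %ASA-3-713061 lines; others are ignored."""
    pairs = []
    for line in lines:
        m = PROXY_RE.search(line)
        if m is None:
            continue
        local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
        remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
        pairs.append((local, remote))
    return pairs


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(lines):
    """Return (src_net, dst_net) for each 'permit ip' ACE; port-qualified ACEs are out of scope."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m is None:
            continue
        src, rest = _take_addr(m.group(2).split())
        dst, _ = _take_addr(rest)
        aces.append((src, dst))
    return aces


def matching_ace(aces, local, remote):
    """First ACE whose source covers the local proxy and whose destination covers the remote proxy."""
    for src, dst in aces:
        if local.subnet_of(src) and remote.subnet_of(dst):
            return src, dst
    return None


def _fmt(net):
    """Render a network the way an ASA ACE spells it."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def report(log_lines, acl_lines):
    """For each rejected proxy pair: does the candidate ACL match it, and what must each side carry?"""
    aces = parse_crypto_acl(acl_lines)
    rows = []
    for local, remote in parse_rejections(log_lines):
        rows.append({
            "local": str(local),
            "remote": str(remote),
            "covered": matching_ace(aces, local, remote) is not None,
            # This side: local proxy as source, remote proxy as destination.
            "needed_here": f"permit ip {_fmt(local)} {_fmt(remote)}",
            # Peer side: the exact mirror image, otherwise phase 2 keeps failing with 713061.
            "peer_mirror": f"permit ip {_fmt(remote)} {_fmt(local)}",
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOGS, CANDIDATE_CRYPTO_ACL):
        state = "covered" if row["covered"] else "NOT covered"
        print(f"{row['local']} -> {row['remote']}: {state}; here: {row['needed_here']}; peer: {row['peer_mirror']}")
```

Run it before pushing the change: a pair still reported as NOT covered will keep producing 713061 and the QM FSM error that follows it, and the peer's mirror ACE is printed because a one-sided fix only moves the rejection to the other end. Widening the source to "any", as suggested above, pulls every flow from that source into the tunnel, which is why the same reply then asks about NAT for Internet-bound traffic.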
NAT traffic over a IPSec tunnel (ISR)
Hi.
I'm supposed to set up an IPsec tunnel between an 1811 and some sort of CheckPoint firewall. The IPsec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP address, and only one source IP address.
So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP address from the range 192.168.10.0/24, and the remote application at the "CheckPoint site" has the IP address 172.16.1.10. The result of this should be:
IPSec tunnel is created using the 10.10.1.1 IP-address.
The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as the source address OVER the IPsec tunnel.
Is this possible? I guess it would mean that I have to NAT the traffic going through the IPsec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
Anyone who could shed some light? Any insight appreciated.
Cheers!
/Johan Christensson
Thanks jjohnston1127!
Well, I guess it would work, and I wasn't that far off, but I got stuck in the "ip nat inside" rule when I had to specify either a pool or an interface. It didn't occur to me that a pool could consist of just one IP address.
However, this raised a new problem. The "match address" access list that I use in the crypto map for the IPsec configuration currently looks something like this:
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
If I change it to something like this, the tunnel negotiation gets triggered.
access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
However, I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the CheckPoint site.
Is this because the NATing doesn't get processed before the IPsec configuration?
Can this behavior be changed?
Best regards,
Johan Christensson
VLAN's over Internet/IPSec Tunnel
Hi All !
I have a problem.
I have trunked 5 VLANs from various sites over satellite and have them all ending on a hub router,
but my difficulty now is in getting them sent to the HQ over the internet.
I have thought of only 2 ways of possibly being able to do this:
1. Get a leased Line :-)
2. and the only feasible alternative! is to get the VLANs sent via IPsec over the Internet, but this is my problem....
How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
What equipment would I need ? (more switches/routers)
Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
Can someone please help.
You have posted this same question on the WAN Routing and Switching forum, where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
HTH
Rick
IPsec tunnel across Avaya 4620 phone terminating to Cisco VPN concentrator
I have been asked to test out an Avaya 4620 phone with the VPN remote client installed on it for our home users.
Here is my problem. The phone connects fine to my concentrator and I have a successful IPsec tunnel built; however, the phone cannot route back to the corporate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the IP address of the remote end, I see the IP address that was assigned to it from my local DSL router. My concentrator is supposed to forward DHCP requests on to my internal DHCP server, but this is not occurring. Has anyone seen this before or know where I should start here? Any input will be greatly appreciated; thank you all for your time.
Hello Andrew, I know this thread is a bit old, but I am in the process of trying to set up some 9630s to VPN into my Corp. HQ, which is behind a 5510. The problem I am having is with IKE Phase 2; I keep getting an IKE Phase 2 no response on the phone, and this is what I'm getting in the ASA log.
4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type: Client Application Version:
5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
and this is what I get when I debug crypto isakmp:
RESERVED != 0, PACKET MAY BE CORRUPT
Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE flags 0x00418041, refcnt 1, tuncnt 0
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating: flags 0x01418001, refcnt 0, tuncnt 0
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
ISAKMP Header
Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
Responder COOKIE: 29 30 54 18 84 da aa d2
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: AE00B902
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
47 e1 0d d6
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
ISAKMP Header
Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
Responder COOKIE: 29 30 54 18 84 da aa d2
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 02B900AE
Length: 84
RESERVED != 0, PACKET MAY BE CORRUPT
Feb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
If you could provide any help it would be greatly appreciated, as I have been battling this for a few days now.
thanks,
Paul
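Paul's debug output above is a cleartext dump of the informational exchange the ASA sends to delete the Phase 1 SA: HDR + HASH (8) + DELETE (12), total length 80, with "RESERVED != 0, PACKET MAY BE CORRUPT" printed around it. (In the BEFORE ENCRYPTION copy the MessageID AE00B902 and Length 469762048, which is 0x1C000000, are the on-wire values 02B900AE and 28 with their bytes reversed, so that copy seems to be printed in host byte order before the length is filled in; the IKE_DECODE line shows msgid=2b900ae.) The parser below is an added example, not Cisco code and not from the thread: it reads the RFC 2408 ISAKMP header, walks the generic payload chain, and flags a non-zero RESERVED byte or a length that does not chain to the end of the packet, i.e. the condition behind the ASA's warning. So that it runs offline it rebuilds the 80-byte packet from the cookies, digest and SPI shown in the dump; the payload and exchange name tables cover only the values that dump uses.

```python
import struct
from dataclasses import dataclass

# Layouts and constants from RFC 2408 (ISAKMP), restricted to what the decode above uses.
HDR = struct.Struct("!8s8sBBBBII")   # i-cookie, r-cookie, next payload, version, exchange, flags, message id, length
GENERIC = struct.Struct("!BBH")      # generic payload header: next payload, RESERVED, payload length
PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 12: "DELETE"}
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01
DOI_IPSEC, PROTO_ISAKMP = 1, 1


@dataclass
class Payload:
    ptype: int
    reserved: int
    length: int
    body: bytes


def parse_isakmp(pkt):
    """Parse the ISAKMP header and walk the payload chain of a cleartext packet.

    Returns (header, payloads, warnings). A non-zero RESERVED byte, a payload length that
    does not chain cleanly, or a header length that disagrees with the packet ends up in warnings.
    """
    warnings = []
    icookie, rcookie, nxt, version, exch, flags, msgid, length = HDR.unpack_from(pkt, 0)
    header = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "next_payload": PAYLOAD_NAMES.get(nxt, nxt), "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_NAMES.get(exch, exch), "flags": flags, "msgid": msgid, "length": length,
    }
    if length != len(pkt):
        warnings.append(f"header length {length} != packet length {len(pkt)}")
    payloads = []
    if flags & FLAG_ENCRYPTION:
        warnings.append("encryption flag set: payload chain is ciphertext, not walked")
        return header, payloads, warnings
    off, ptype = HDR.size, nxt
    while ptype != 0:
        if off + GENERIC.size > len(pkt):
            warnings.append(f"truncated generic header at offset {off}")
            break
        nxt, reserved, plen = GENERIC.unpack_from(pkt, off)
        name = PAYLOAD_NAMES.get(ptype, ptype)
        if reserved != 0:
            warnings.append(f"RESERVED != 0 in {name} payload at offset {off}, PACKET MAY BE CORRUPT")
        if plen < GENERIC.size or off + plen > len(pkt):
            warnings.append(f"bad {name} payload length {plen} at offset {off}")
            break
        payloads.append(Payload(ptype, reserved, plen, pkt[off + GENERIC.size: off + plen]))
        off, ptype = off + plen, nxt
    if off != len(pkt):
        warnings.append(f"{len(pkt) - off} trailing bytes after last payload")
    return header, payloads, warnings


def decode_delete(body):
    """Decode a DELETE payload body: DOI, protocol id, SPI size, SPI count, then the SPIs."""
    doi, proto, spi_size, count = struct.unpack_from("!IBBH", body, 0)
    spis = [body[8 + i * spi_size: 8 + (i + 1) * spi_size] for i in range(count)]
    return {"doi": doi, "protocol": proto, "spi_size": spi_size, "spi_count": count, "spis": spis}


def build_sample_packet(corrupt_reserved=False):
    """Constructed HDR + HASH + DELETE message using the cookies, digest and lengths from the
    dump above (80 bytes). corrupt_reserved=True sets a RESERVED byte to reproduce the warning."""
    icookie = bytes.fromhex("68fbe07a905cd710")
    rcookie = bytes.fromhex("2930541884daaad2")
    digest = bytes.fromhex("084bdc3d7c2b1b99c96d6d3614b9d12747e10dd6")        # 20-byte hash data from the dump
    hash_payload = GENERIC.pack(12, 0, GENERIC.size + len(digest)) + digest    # next payload = DELETE, length 24
    delete_body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 16, 1) + icookie + rcookie  # one 16-byte ISAKMP SPI
    reserved = 0x40 if corrupt_reserved else 0
    delete_payload = GENERIC.pack(0, reserved, GENERIC.size + len(delete_body)) + delete_body  # next = NONE, length 28
    body = hash_payload + delete_payload
    # Next payload HASH (8), version 1.0 (0x10), exchange Informational (5), no flags, msgid as on the wire.
    header = HDR.pack(icookie, rcookie, 8, 0x10, 5, 0, 0x02B900AE, HDR.size + len(body))
    return header + body


if __name__ == "__main__":
    hdr, plds, warns = parse_isakmp(build_sample_packet(corrupt_reserved=True))
    print(hdr["exchange"], hdr["length"], [PAYLOAD_NAMES[p.ptype] for p in plds], warns)
```

The reserved-byte check is the one the ASA's message corresponds to; when it fires on a real capture, look at whether the payload lengths still chain to the end of the packet, since a shifted length is the usual way a reserved byte ends up non-zero. The parser refuses to walk a payload chain whose encryption flag is set, which is why only the pre-encryption copy of the message in the dump is decodable.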
Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect
I have a site-to-site IPsec tunnel set up and operational, but periodically the remote site goes down because of a somewhat reliable Internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolved the issue. It ran for well over a year and our assumption was that the issue was resolved. I was looking in the direction of the security-association lifetime, but if we power cycle the unit, I would expect that it would kill the SA; yet even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekey
Hi there,
I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX 515E.
I don't know, the device is too old to stay alive.
Thanks