DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface
Hello folks!
I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (i.e. two tunnel interfaces per router) between the routers, and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interfaces, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only a "global VRF", routed IP network.
The command "show crypto ipsec sa", or indirectly a missing OSPF neighbor relationship between the routers, verifies the erroneous situation. Occasionally, after an "interface tunnel [0 or 1]; shut; no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SAs, they most likely will appear under just one of the two tunnel interfaces. So, what should I change to instruct the router to set up SAs correctly, two SAs (one per direction) per tunnel interface?
I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".
I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command, i.e.:
interface tunnel 0
tunnel protection ipsec profile MyProfile shared
end
I should note that one of the first things I tried was to create a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above.
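An added check in Python (example code written for this page, not from the thread): a small parser over "show crypto ipsec sa" output that counts inbound and outbound ESP SAs per interface and reports any tunnel lacking a direction, so the "SAs on only one tunnel interface" symptom described above can be caught in a script instead of by eye. The sample output is constructed, with made-up addresses, SPIs and VRF names.

```python
"""Audit IOS 'show crypto ipsec sa' output: does every tunnel carry an inbound and an outbound ESP SA?"""
import re
from collections import OrderedDict

# Constructed sample in the layout of 'show crypto ipsec sa' (addresses, SPIs and VRF names are made up).
# Tunnel0 is healthy; Tunnel1 shows the symptom from the thread: no SAs and a non-zero send-error counter.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.0.2.1
   protected vrf: CUST_A
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes 256 esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5E6F7081(1584361601)
        transform: esp-aes 256 esp-sha-hmac ,
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.0.2.1
   protected vrf: CUST_B
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 15, #recv errors 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""

IFACE_RE = re.compile(r"^interface:\s+(\S+)")
VRF_RE = re.compile(r"^\s*protected vrf:\s+(\S+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:")
SPI_RE = re.compile(r"^\s*spi:\s+(0x[0-9A-Fa-f]+)")
SEND_ERR_RE = re.compile(r"#send errors\s+(\d+)")


def parse_ipsec_sa(output):
    """Return {interface: {"vrf", "inbound", "outbound", "send_errors"}}; the SA lists hold ESP SPIs."""
    result = OrderedDict()
    iface, section = None, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result[iface] = {"vrf": None, "inbound": [], "outbound": [], "send_errors": 0}
            section = None
            continue
        if iface is None:
            continue
        m = VRF_RE.match(line)
        if m:
            result[iface]["vrf"] = m.group(1)
            continue
        m = SEND_ERR_RE.search(line)
        if m:
            result[iface]["send_errors"] = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))          # (direction, protocol)
            continue
        m = SPI_RE.match(line)
        if m and section and section[1] == "esp":
            result[iface][section[0]].append(m.group(1))
    return result


def audit_tunnels(parsed):
    """(interface, vrf, problem) for every interface missing an ESP SA in either direction.
    A rekey in progress legitimately shows two SAs in one direction, so the test is 'at least one'."""
    problems = []
    for iface, info in parsed.items():
        missing = [d for d in ("inbound", "outbound") if not info[d]]
        if missing:
            note = "no %s ESP SA" % "/".join(missing)
            if info["send_errors"]:
                note += "; %d send errors (packets dropped while no SA exists)" % info["send_errors"]
            problems.append((iface, info["vrf"], note))
    return problems


if __name__ == "__main__":
    for iface, vrf, note in audit_tunnels(parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)):
        print("%s (vrf %s): %s" % (iface, vrf, note))
```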
Similar Messages
-
Protect PDF file to open only in one machine.
Hi. Friends.
In my project I have to protect my PDF file such that once the user downloads the PDF file to his machine it should work only on his/her machine. Trying to open the file on another machine should be restricted. All these things I have to do using .NET technology.
Any help or suggestion would be highly appreciated. Thanks.
Thanks Bernd for your suggestion. I will try to do it using DRM.
-
Disappearing tunnel keepalives with tunnel interface in vrf
Dear all
I have an annoying problem with a GRE tunnel using keepalives and the tunnel interface on the PE residing in a VRF.
The background for my setup is an ethernet WAN link to our customer where the interface doesn't go down when the link fails.
Therefore I want to use a GRE tunnel with keepalives in order to use static routes.
The tunnel setup is as follows:
1. PE, 6509, Sup720, IOS 12.2(18)SXF7
interface FastEthernet8/13
ip address xx.yy.zz.241 255.255.255.252
speed 10
duplex full
no mop enabled
interface Tunnel813
ip vrf forwarding CUSTOMER
ip address 10.0.0.101 255.255.255.252
keepalive 5 3
tunnel source xx.yy.zz.241
tunnel destination xx.yy.zz.242
end
2. CE, 1803, IOS 12.4(15)T8
interface FastEthernet0
bandwidth 5000
ip address xx.yy.zz.242 255.255.255.252
speed 10
full-duplex
interface Tunnel0
ip address 10.0.0.102 255.255.255.252
keepalive 5 3
tunnel source xx.yy.zz.242
tunnel destination xx.yy.zz.241
The problem is that the PE sends and receives keepalives and brings up the tunnel. The CE, on the other hand, sends but doesn't receive keepalives.
As far as I have learned from former discussions, the problem comes from the tunnel and physical interface belonging to different routing instances. If I put the tunnel interface on the PE into the global routing instance, all the keepalives reach their destinations as expected.
I read about a solution involving "tunnel vrf" on the tunnel configuration. This command is not present in my IOS version, but AFAIK it is only necessary for having the underlying physical interface in a VRF as well.
Furthermore I read about "mls mpls tunnel-recir", but I am not sure whether this might solve the issue here. And equally important: can I safely turn on this feature on a running system with quite a lot of VRF customers without any trouble?
Any hint and/or advice is greatly appreciated here.
Thanks a lot in advance,
Grischa
Wow, this is old, but...
While they may or may not be officially supported, GRE tunnels do work with VRFs if you both put the tunnel interface in the VRF AND the physical interface the tunnel runs over, AND use the tunnel vrf command. Then everything is in the same routing table and it works. For example:
PE:
vrf definition vrf1
rd 1:1
address-family ipv4
route-target export 1:1
route-target import 1:1
exit-address-family
interface Ethernet0/0
vrf forwarding vrf1
ip address 192.168.1.1 255.255.255.0
interface Tunnel1
vrf forwarding vrf1
ip address 1.1.1.1 255.255.255.252
keepalive 1 3
tunnel source Ethernet0/0
tunnel destination 192.168.1.2
tunnel vrf vrf1
router bgp 12345
bgp log-neighbor-changes
address-family vpnv4
! Provider stuff - i.e., route reflector for MPLS network
exit-address-family
address-family ipv4 vrf vrf1
neighbor 1.1.1.2 remote-as 64512
neighbor 1.1.1.2 activate
neighbor 1.1.1.2 default-originate
exit-address-family
CE:
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
interface Tunnel1
ip address 1.1.1.2 255.255.255.252
keepalive 1 3
tunnel source Ethernet0/0
tunnel destination 192.168.1.1
router bgp 64512
bgp log-neighbor-changes
! network statements perhaps
! redistribute static perhaps
neighbor 1.1.1.1 remote-as 12345
neighbor 1.1.1.1 update-source Tunnel1
neighbor 1.1.1.1 soft-reconfiguration inbound
Of course you don't need to run BGP, but you can. -
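As an added example (not from the reply or from Cisco), a Python lint over IOS tunnel stanzas that resolves "tunnel source" to an interface and checks the three VRF placements the reply above ties together: the tunnel's own VRF, "tunnel vrf" (the transport VRF, global when absent) and the VRF of the source interface. The config it runs on is constructed, reusing the reply's pattern plus the split from the question, with made-up addresses.

```python
"""Lint IOS tunnel stanzas for the three VRF settings that have to agree: the tunnel's own VRF,
'tunnel vrf' (transport VRF) and the VRF of the interface the tunnel is sourced from."""
import re
from collections import OrderedDict

# Constructed config (addresses and names are made up). Tunnel1 follows the reply's pattern,
# Tunnel813 has the split from the question (tunnel in a VRF, transport in global, no 'tunnel vrf'),
# Tunnel2 has 'tunnel vrf' pointing at a VRF its source interface is not in.
SAMPLE_CONFIG = """\
vrf definition vrf1
 rd 1:1
interface Ethernet0/0
 vrf forwarding vrf1
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.252
interface Tunnel1
 vrf forwarding vrf1
 ip address 10.1.1.1 255.255.255.252
 keepalive 1 3
 tunnel source Ethernet0/0
 tunnel destination 192.168.1.2
 tunnel vrf vrf1
interface Tunnel813
 ip vrf forwarding CUSTOMER
 ip address 10.0.0.101 255.255.255.252
 keepalive 5 3
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
interface Tunnel2
 vrf forwarding vrf1
 ip address 10.1.2.1 255.255.255.252
 tunnel source Ethernet0/1
 tunnel destination 198.51.100.9
 tunnel vrf vrf1
"""

FIELDS = ("vrf", "ip", "tunnel_source", "tunnel_vrf", "keepalive")


def parse_interfaces(config):
    """Return {name: {field: value}} for every 'interface' stanza; other stanzas are skipped."""
    ifaces = OrderedDict()
    cur = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # unindented line = new top-level stanza
            m = re.match(r"interface\s+(\S+)$", line)
            cur = ifaces.setdefault(m.group(1), dict.fromkeys(FIELDS)) if m else None
            continue
        if cur is None:
            continue
        w = line.split()
        if w[:2] == ["vrf", "forwarding"] or w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[-1]                            # old and new syntax both set the tunnel's VRF
        elif w[:2] == ["ip", "address"] and len(w) > 2:
            cur["ip"] = w[2]
        elif w[:2] == ["tunnel", "source"] and len(w) > 2:
            cur["tunnel_source"] = w[2]
        elif w[:2] == ["tunnel", "vrf"] and len(w) > 2:
            cur["tunnel_vrf"] = w[2]
        elif w[0] == "keepalive":
            cur["keepalive"] = " ".join(w[1:])
    return ifaces


def resolve_source(ifaces, source):
    """Map 'tunnel source X' (interface name or IP address) to (interface name, its VRF or None)."""
    if source in ifaces:
        return source, ifaces[source]["vrf"]
    for name, info in ifaces.items():
        if info["ip"] == source:
            return name, info["vrf"]
    return None, None


def lint_tunnels(ifaces):
    """Return (tunnel, severity, message) findings for VRF placement problems."""
    findings = []
    for name, info in ifaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        ivrf = info["vrf"] or "global"
        fvrf = info["tunnel_vrf"] or "global"             # no 'tunnel vrf' means transport in global
        src_if, src_vrf = resolve_source(ifaces, info["tunnel_source"])
        if src_if is None:
            findings.append((name, "info", "tunnel source %r not found in this config" % info["tunnel_source"]))
            continue
        src_vrf = src_vrf or "global"
        if src_vrf != fvrf:
            findings.append((name, "error", "transport VRF %s but source %s sits in %s; encapsulated packets "
                             "are routed in a table that does not own the source address" % (fvrf, src_if, src_vrf)))
        if ivrf != fvrf:
            findings.append((name, "warn", "tunnel in VRF %s over a %s transport; confirm the platform "
                             "supports this split before relying on keepalives" % (ivrf, fvrf)))
    return findings


if __name__ == "__main__":
    for tunnel, severity, message in lint_tunnels(parse_interfaces(SAMPLE_CONFIG)):
        print("%-9s %-5s %s" % (tunnel, severity, message))
```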
I am trying to set up a VRF IPSec to ASA VPN tunnel. The VRF IPSec router is at the head office and the ASA is at the customer end. I can successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the IPSec stats when I initiate the ping from the head office (a ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
GTO-ClientEdge-RT1#sh cry ipse sa
interface: GigabitEthernet0/0
Crypto map tag: gto_share_map, local addr 192.33.232.209
protected vrf: vrf-veridian
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 173.46.8.98 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Crypto ISAKMP debugging is on
GTO-ClientEdge-RT1#
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:29.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:29.702: ISAKMP: keylength of 256
Nov 19 22:46:29.702: ISAKMP: hash SHA
Nov 19 22:46:29.702: ISAKMP: default group 5
Nov 19 22:46:29.702: ISAKMP: auth pre-share
Nov 19 22:46:29.702: ISAKMP: life type in seconds
Nov 19 22:46:29.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:received payload type 17
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
authenticated
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1512038398, sa = 0x1235BF68
Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
GTO-ClientEdge-RT1#
GTO-ClientEdge-RT1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
173.46.8.98 192.33.232.209 MM_NO_STATE 9023 ACTIVE (deleted) veridian-ike-prof
IPv6 Crypto ISAKMP SA
GTO-ClientEdge-RT1#
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:59.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:59.702: ISAKMP: keylength of 256
Nov 19 22:46:59.702: ISAKMP: hash SHA
Nov 19 22:46:59.702: ISAKMP: default group 5
Nov 19 22:46:59.702: ISAKMP: auth pre-share
Nov 19 22:46:59.702: ISAKMP: life type in seconds
Nov 19 22:46:59.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:59.802: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP:received payload type 17
Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
authenticated
Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 4129876318, sa = 0x1235C984
Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
GTO-ClientEdge-RT1#
ASA doesn't like what you're sending.
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Check what's happening around QM1 on ASA.
For reference working debugs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml -
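Still on the debug above, an added Python triage script (example code, not part of the thread): it splits "debug crypto isakmp" output into negotiation attempts, records the state path and any NOTIFY, and states whether phase 1 completed and what ended the attempt, so the pattern IKE_P1_COMPLETE, then INVALID_ID_INFO, then IKE_DEST_SA is flagged without reading every line. The excerpt it parses is constructed, with a made-up peer address and profile name.

```python
"""Triage IOS 'debug crypto isakmp' output: how far did each IKEv1 negotiation get, and what ended it?"""
import re

# Constructed excerpt shaped like the thread's debug (peer address and profile name are made up;
# the message strings are the ones IOS prints, including its own spelling of "Recevied").
SAMPLE_DEBUG = """\
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is example-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 198.51.100.2
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 198.51.100.2)
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is example-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

ATTEMPT_RE = re.compile(r"SA request profile is (\S+)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)".*\(peer (\S+)\)')
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
QM_RE = re.compile(r"beginning Quick Mode exchange")


def new_attempt(profile):
    return {"profile": profile, "peer": None, "states": [], "authenticated": False,
            "quick_mode": False, "notifies": [], "delete_reason": None}


def parse_isakmp_debug(text):
    """Split the debug into negotiation attempts (one per 'SA request profile' line) and collect
    the state path, authentication, Quick Mode start, NOTIFY payloads and the deletion reason.
    The IOS conn-id changes from (0) to a real id mid-exchange, so grouping is by attempt, not conn-id."""
    attempts = []
    cur = None
    for line in text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            cur = new_attempt(m.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.search(line)
        if m:
            cur["states"].append(m.group(2))
            continue
        m = NOTIFY_RE.search(line)
        if m:
            cur["notifies"].append(m.group(1))
            continue
        m = DELETE_RE.search(line)
        if m:
            cur["delete_reason"], cur["peer"] = m.group(1), m.group(2)
            continue
        m = AUTH_RE.search(line)
        if m:
            cur["authenticated"], cur["peer"] = True, m.group(1)
            continue
        if QM_RE.search(line):
            cur["quick_mode"] = True
    return attempts


def verdict(attempt):
    """One-line diagnosis per attempt, mirroring how the debug is read by hand."""
    states = attempt["states"]
    if "IKE_P1_COMPLETE" not in states:
        last = states[-1] if states else "no state change seen"
        return "phase 1 incomplete (last state %s)" % last
    if attempt["notifies"] and "IKE_DEST_SA" in states:
        # Phase 1 succeeded (the pre-shared key matched), so the peer is objecting to the Quick Mode proposal itself.
        return "phase 1 complete, phase 2 rejected by peer %s with NOTIFY %s" % (
            attempt["peer"], ", ".join(attempt["notifies"]))
    if attempt["quick_mode"]:
        return "phase 1 complete, Quick Mode in progress"
    return "phase 1 complete"


if __name__ == "__main__":
    for n, attempt in enumerate(parse_isakmp_debug(SAMPLE_DEBUG), 1):
        print("attempt %d (%s): %s" % (n, attempt["profile"], verdict(attempt)))
```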
Multiple DMVPNs within separate VRFs using crypto keyring
Hi All,
I have deployed ASR's within a service provider environment acting as the DMVPN hubs for multiple customers networks contained within their own VRFs.
In each case, from the tunnel perspective, the iVRF and fVRF are the same for a specific customer, and crypto keyrings are used to associate pre-shared keys.
When the box was first deployed, a test network was built without using keyrings but still using the VRFs, as shown in the snippet. However, I cannot get the configuration to work using keyrings, hence cannot add additional customers. It would appear that IKE phase 2 is not completing.
An initial bug scrub has come up clear, so I'm guessing I must be missing something.
Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S
-- snippet of test configuration --
crypto keyring CUST1 vrf CUST1
pre-shared-key address 10.10.10.0 255.255.255.0 key **CRYPTOKEY_CUST1**
crypto isakmp profile CUST1_PROFILE
vrf CUST1
keyring CUST1
match identity address 0.0.0.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
mode transport
interface Tunnel1
bandwidth 1000
ip vrf forwarding CUST1
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp authentication CUST1
ip nhrp map multicast dynamic
ip nhrp network-id 10101010
ip nhrp holdtime 450
ip nhrp registration no-unique
no ip split-horizon
delay 1000
tunnel source GigabitEthernet0/0/0.1010
tunnel mode gre multipoint
tunnel key 1010
tunnel vrf CUST1
tunnel protection ipsec profile CUST1_PROFILE shared
Any help would be great.
Best regards
Mick
Config-wise, you do not need "vrf CUST1" inside the profile; GRE will do the handoff for you.
Hard to say where the problem is without more debugs ;-)
M. -
Hello,
I have a scenario that has IPSec inside of IPSec. Below is how:
From our Data Center, we have IPSec to the ISP. For our remote sites serviced by this ISP, the ISP assigns a private IP address to the WAN port on the Cisco router. Let this private IP address be 10.254.254.29/24. All traffic that originates from the remote site comes in to our data center. We do one-to-one private-to-public NAT for this 10.254.254.29 address. Let the public IP address be 172.16.16.16 (I know it is not public, but for the sake of discussion).
Our customers establish an IPSec tunnel from their HQ to this NAT'd IP address (172.16.16.16).
What we are experiencing is about 75% degradation in data rate. The comparison is as below:
When we download a 5 MB file from the Internet to a PC at the remote site (10.254.254.29), it takes about a minute. But a 5 MB file download from HQ takes between 4 and 5 minutes.
Any thoughts???
Thanks in advance,
Paresh.
Double encryption, I'm sure, is adding tons of overhead. Check for fragmentation along the path.
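A worked sizing of the double encryption the reply points at, as added example code (not from the thread): it assumes IPv4 ESP tunnel mode with AES-CBC and HMAC-SHA1-96 (the thread does not state the ciphers) and shows a 1500-byte packet growing to 1560 and then 1624 bytes through two IPsec layers, plus the largest inner packet and TCP MSS that still fit a 1500-byte path MTU without fragmentation.

```python
"""Size an ESP tunnel-mode wrapper and see where a nested IPsec-in-IPsec design starts to fragment."""

# Assumptions (labelled, not taken from the thread): IPv4 outer header, ESP with AES-CBC (16-byte IV,
# 16-byte block) and HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP encapsulation unless asked for.
IPV4_HDR = 20
ESP_HDR = 8          # SPI + sequence number
NAT_T_UDP = 8        # extra UDP header when NAT traversal carries ESP inside UDP/4500


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Bytes on the wire after wrapping an inner_len-byte IP packet in one ESP tunnel-mode layer."""
    trailer = inner_len + 2                       # pad-length and next-header bytes
    padded = -(-trailer // block) * block         # pad up to the cipher block size
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv


def wire_sizes(inner_len, layers, **kw):
    """Packet size after each successive encryption layer, innermost first."""
    sizes = []
    size = inner_len
    for _ in range(layers):
        size = esp_tunnel_size(size, **kw)
        sizes.append(size)
    return sizes


def max_inner_for_mtu(mtu, layers, **kw):
    """Largest inner IP packet that survives `layers` ESP wrappers without exceeding mtu."""
    for inner in range(mtu, 0, -1):
        if wire_sizes(inner, layers, **kw)[-1] <= mtu:
            return inner
    return 0


def tcp_mss_for(mtu, layers, **kw):
    """TCP MSS to clamp so that full-size segments never need fragmentation through the layers."""
    return max_inner_for_mtu(mtu, layers, **kw) - 40   # IPv4 + TCP headers without options


if __name__ == "__main__":
    for layers in (1, 2):
        print("%d layer(s): a 1500-byte packet becomes %s bytes; max inner packet %d; clamp MSS to %d" % (
            layers, wire_sizes(1500, layers), max_inner_for_mtu(1500, layers), tcp_mss_for(1500, layers)))
```

With the default path MTU of 1500 every full-size packet fragments after the first layer already; the second layer only adds to the overhead and halves the useful MSS margin again.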
-
Can I create a password protected page for member's only?
PASSWORD PROTECTING A PAGE WITH A NICE BOX DESIGNED INTO YOUR PAGE
FINALLY, I'VE FOUND AN ANSWER TO PASSWORDING A PAGE OR SECTION WITH ADOBE MUSE WITH GREAT SIMPLICITY AND ALLOWING YOU TO 'DESIGN' THE PASSWORD BOX INTO YOUR PAGE!!!
Even better is that you don't HAVE to have username AND password (although you could if you wanted to), so just a simple PASSWORD box and enter button DESIGNED BY YOU WITHIN YOUR PAGE, rather than nasty popups etc. Importantly, the password itself is NOT within the source code of your page either!!
The solution is at Jotform.com. I believe you can do this with a FREE ACCOUNT, although it's SUCH a great service for Musers that I paid for a proper account.
Before you do this, create a page on your site saying "Wrong Password. Please go away" or something to that effect. You'll need it for when they enter the wrong password.
So, in Jotform, you just create a new form and:
1. Drag on a password box (it's in the power tools section)
2. Select it and go to Conditions
3. Go to Change Thank You URL after submission
4. Enter: If [name of your password box] field EQUALS TO [enter your password]
5. In the "Then redirect to" box, enter the URL of your protected page and click save
6. In the resulting box click "ADD A NEW CONDITION" and do the SAME as steps 3 to 5, but this time say "NOT EQUALS TO" with your same password, and in the "Then redirect to" box enter the URL of your WRONG PASSWORD page and click save
7. Embed the button on your page and you're done!!!
If you want to mess about with the EXACT alignment of a right aligned button and text box, you can go to Preferences and in the box which allows you to add your own custom CSS, enter the following code and mess about with the values until it's perfect for you:
.form-buttons-wrapper { padding-top:3px !important; }#id_2 {margin-left: -50px !important;}
Here's an example, built in Muse: www.hileytv.com/about.html
I hope this helps my fellow Musers!
Marcus -
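A caveat on the recipe above, as an added example that is not part of Marcus's post: the form condition only decides where the browser is redirected, so the members page itself is still served to anyone who types or guesses its URL. The Python below (not Jotform's or Muse's code) shows the server-side shape a real gate takes: the site password is kept only as a salted scrypt hash, the submitted password is compared in constant time, and the protected page is returned only against a session cookie issued after a successful check. The route names, the password and the page body are invented for the example; the handlers return (status, headers, body) tuples so they can be wired into any framework.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for the example: the members page and the site password.
MEMBERS_HTML = b"<h1>Members only</h1>"
SITE_PASSWORD = "correct horse battery staple"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # work factor; raise n for production


def hash_password(password, salt=b""):
    """Salted scrypt hash; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


STORED_HASH = hash_password(SITE_PASSWORD)  # only the hash lives on the server
SESSIONS = set()                             # in-memory session store for the example


def post_login(form):
    """Handle the password form; returns (status, headers, body).

    The two redirect targets mirror the recipe above, but the members page is
    only reachable with the cookie issued here, not by knowing its URL."""
    if verify_password(form.get("password", ""), STORED_HASH):
        token = secrets.token_urlsafe(32)
        SESSIONS.add(token)
        cookie = f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
        return 303, {"Location": "/members", "Set-Cookie": cookie}, b""
    return 303, {"Location": "/wrong-password"}, b""


def get_members(cookies):
    """Serve the protected page only to a browser holding a valid session."""
    if cookies.get("session") in SESSIONS:
        return 200, {"Content-Type": "text/html"}, MEMBERS_HTML
    return 403, {"Content-Type": "text/plain"}, b"Forbidden"


def session_from_header(set_cookie):
    """Extract the session token from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    status, headers, _ = post_login({"password": SITE_PASSWORD})
    token = session_from_header(headers["Set-Cookie"])
    print(status, headers["Location"], get_members({"session": token})[0])
    print(get_members({})[0], post_login({"password": "guess"})[1]["Location"])
```

The "wrong password" page from the recipe keeps its role; what changes is that a direct request for the members page without the cookie gets a 403 instead of the content.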
6500 IPSEC-2G or IPSEC-3G VSS Support
Hello,
We would like to install a VSS chassis with a pair of Sup720-10G supervisors. Can we use IPSEC-2G or IPSEC-3G cards on the SSC-400 with VSS? In the following link VSS is mentioned as not supported, but the document is for the 12.2 SX IOS release:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
IPsec VPN SPA supported with virtual switching system (VSS): N, N, N, N, N, N
Maybe there is more recent documentation for these cards being supported?
Thanks in Advance,
Best Regards,
You can use IDSM2 to analyze the traffic; you can try with promiscuous mode.
-
Multiple DMVPN instance on the same router one public interface
I know it is possible to run multiple DMVPN instances on a router with one public interface.
Question:
If I take one of my sites and put it on a different tunnel from all other remote sites, will it be able to communicate with the other sites directly? I am running EIGP through the GRE tunnel.
example of the hub site:
interface Tunnel100
bandwidth 100000
ip address 192.168.105.254 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 1 1
ip hold-time eigrp 1 3
no ip next-hop-self eigrp 1
ip nhrp authentication L3GR@RD
ip nhrp map multicast dynamic
ip nhrp map group WAR-881-VPN1 service-policy output SHAPE->20M
ip nhrp map group PLA-2811-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group LIV-2811-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group BRM-2811-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group ELP-2811-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group RAN-2811-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group LAB-2911-VPN1 service-policy output SHAPE->T1(MLPPPx2)
ip nhrp map group ORE-2811-VPN1 service-policy output SHAPE->5M
ip nhrp map group VAU-2811-VPN1 service-policy output SHAPE->10M
ip nhrp map group CAVAURTVP001 service-policy output SHAPE->10M
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp max-send 1000 every 10
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
ip summary-address eigrp 1 10.87.0.0 255.255.0.0
load-interval 30
delay 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf PUBLIC
tunnel protection ipsec profile IPSEC-DMVPN
interface Tunnel300
bandwidth 100000
ip address 192.168.106.254 255.255.255.0
no ip redirects
ip mtu 1400
ip hello-interval eigrp 1 15
ip hold-time eigrp 1 45
no ip next-hop-self eigrp 1
ip nhrp authentication L3GR@RB
ip nhrp map multicast dynamic
ip nhrp map group CAVAURTVP001 service-policy output SHAPE->10M
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp max-send 1000 every 10
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
ip summary-address eigrp 1 10.87.0.0 255.255.0.0
load-interval 30
delay 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf PUBLIC
tunnel protection ipsec profile IPSEC-DMVPN
Thanks the help in advance,
Nigel
Hello Mr Manhurt,
I can help you. But first what is EIGP? -
DMVPN in Cisco 3945 output drop in tunnel interface
I configured DMVPN on a Cisco 3945 and checked the tunnel interface. I found that I have output drops. How can I remove those output drops? I already set the ip mtu to 1400.
CORE-ROUTER#sh int tunnel 20
Tunnel20 is up, line protocol is up
Hardware is Tunnel
Description: <Voice Tunneling to HO>
Internet address is 172.15.X.X/X
MTU 17878 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.15.X.X (GigabitEthernet0/1)
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x3EA, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "tunnel_protection_profile_2")
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7487
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
48007 packets input, 4315254 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
42804 packets output, 4638561 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
interface Tunnel20
description <Bayantel Voice tunneling>
bandwidth 30720
ip address 172.15.X.X 255.255.255.128
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 20
no ip split-horizon eigrp 20
ip nhrp authentication 0r1x@IT
ip nhrp map multicast dynamic
ip nhrp network-id 1002
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/1
tunnel mode gre multipoint
tunnel key 1002
tunnel protection ipsec profile tunnel_protection_profile_2 shared
Hi,
Thanks for the input. If the radio is sending out the packet but the client did not receive it, no output drop should be seen since the packet was sent out, right?
From my understanding, output drops are related to a congested interface: the outgoing interface cannot take the rate of packets coming in and thus drops them. What I don't understand is that the input and output rates have not reached the limit yet. Also the input queue is seeing packet drops even though the input queue is empty.
Any idea? -
Traffic only allowed one-way for VPN connected computers
Hello,
I currently have an ASA 5505. I have set it up as a remote access SSL VPN. My computers can connect to the VPN just fine. They just can't access the internal LAN (192.168.250.0). They can't ping the inside interface of the ASA, or any of the machines. It seems like all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and other machines inside the LAN. It seems the traffic only flows one way. I have messed with ACLs to no avail. Any suggestions please?
DHCP Pool: 192.168.250.20-50 --> For LAN
VPN Pool: 192.168.250.100 and 192.168.250.101
Outside interface grabs DHCP from modem
Inside interface: 192.168.1.1
Current Running Config:
: Saved
ASA Version 8.2(5)
hostname HardmanASA
enable password ###### encrypted
passwd ####### encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 10
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan10
nameif inside
security-level 100
ip address 192.168.250.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello,
I seem to be having the same kind of issue, although I cannot ping from either end.
I've set up an L2TP/IPsec VPN which I am able to connect to and get an IP from my IP pool (RADIUS authentication is working).
I tried running:
access-list NAT_0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT_0
but I get an error message saying that the syntax of the nat command is deprecated. I'm running ASA version 8.4.
I've fiddled around a bit to find the correct syntax but have been unsuccessful so far.
Any help would be much appreciated
This is a part of my config:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network AD1
host 192.168.1.31
description AD/RADIUS
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network vpn_hosts
subnet 192.168.2.0 255.255.255.0
access-list AD_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list split-acl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_0_outbound extended permit ip object NETWORK_OBJ_192.168.1.0_24 object vpn_hosts
ip local pool POOL2 192.168.2.2-192.168.2.10 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static vpn_hosts vpn_hosts
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ########## 1
no vpn-addr-assign aaa
no vpn-addr-assign dhcp -
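Two of the configs posted in this digest can be checked mechanically before they reach a router: Nigel's hub config above sources Tunnel100 and Tunnel300 from the same GigabitEthernet0/0 with the same tunnel key and the same tunnel protection profile without the shared keyword, and the ASA config in this thread draws its VPN pool (192.168.250.100-101) out of the inside subnet (192.168.250.0/24). The Python below is an added example, not Cisco tooling: a small lint that walks a saved config, groups tunnel interfaces by source, flags a reused tunnel key and a tunnel protection line lacking shared when a source is shared, and flags ip local pool ranges that fall inside a directly connected interface subnet. The two sample configs are constructed to mirror the posts, trimmed to the relevant lines; the parser assumes IOS/ASA-style indentation of interface sub-commands.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mirroring the hub post: two mGRE tunnels on one source.
DMVPN_HUB_CONFIG = """\
interface Tunnel100
 ip address 192.168.105.254 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-DMVPN
interface Tunnel300
 ip address 192.168.106.254 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-DMVPN
"""

# Constructed sample mirroring the ASA post: VPN pool taken from the inside subnet.
ASA_CONFIG = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
"""


def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif raw[0] in " \t" and current is not None:
            blocks[current].append(line)
        else:
            current = None  # any other top-level command ends the block
    return blocks


def first(cmds, prefix):
    """First sub-command that starts with prefix, or None."""
    return next((c for c in cmds if c.startswith(prefix)), None)


def check_dmvpn_tunnels(config):
    """Tunnels sharing one source need distinct keys, and a reused IPsec
    profile needs the shared keyword on tunnel protection."""
    findings, by_source = [], defaultdict(list)
    for name, cmds in parse_interfaces(config).items():
        src = first(cmds, "tunnel source ")
        if name.startswith("Tunnel") and src:
            by_source[src.split()[-1]].append((name, cmds))
    for src, tunnels in by_source.items():
        if len(tunnels) < 2:
            continue  # a lone tunnel on a source needs neither check
        keys = defaultdict(list)
        for name, cmds in tunnels:
            key = first(cmds, "tunnel key ")
            keys[key.split()[-1] if key else "(none)"].append(name)
            prot = first(cmds, "tunnel protection ipsec profile ")
            if prot and "shared" not in prot.split():
                findings.append(f"{name}: source {src} is shared but "
                                f"'{prot}' lacks the shared keyword")
        for key, names in keys.items():
            if len(names) > 1:
                findings.append(f"{src}: tunnel key {key} reused by "
                                + ", ".join(names))
    return findings


def check_vpn_pool_overlap(config):
    """Flag 'ip local pool' ranges that sit inside a connected interface
    subnet; such a pool needs proxy-ARP and NAT exemption handled explicitly."""
    findings, subnets = [], {}
    for name, cmds in parse_interfaces(config).items():
        addr = first(cmds, "ip address ")
        parts = addr.split() if addr else []
        if len(parts) >= 4 and parts[2] != "dhcp":
            nameif = first(cmds, "nameif ")
            label = f"{name} ({nameif.split()[-1]})" if nameif else name
            subnets[label] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
    pool_re = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
    for line in config.splitlines():
        m = pool_re.match(line.strip())
        if not m:
            continue
        lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        for label, net in subnets.items():
            if lo in net or hi in net:
                findings.append(f"pool {m.group(1)} {lo}-{hi} overlaps {label} {net}")
    return findings


if __name__ == "__main__":
    for finding in check_dmvpn_tunnels(DMVPN_HUB_CONFIG) + check_vpn_pool_overlap(ASA_CONFIG):
        print(finding)
```

Run against a `show running-config` saved to a file, the tunnel check reports three findings for the hub sample (both unshared protection lines and the reused key 100) and none once Tunnel300 gets its own key and both tunnels carry shared; the pool check reports the 192.168.250.100-101 range against Vlan10 (inside) and nothing once the pool is moved to an unused subnet.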
How to open a pdf file only in one computer
I would like to sell PDF publications by allowing the user to open them only on one computer. I learnt that this has been done in the past when I bought some publications, but I don't know the way to do it. Could you help me?
thank you
Marco
Thank you for your support
Best Regards
Marco
From: Mylenium <[email protected]>
To: MARCO1 <[email protected]>,
Date: 09/10/2013 11:09
Subject: How to open a pdf file only in one computer
Re: How to open a pdf file only in one computer
created by Mylenium in Downloading, Installing, Setting Up
You will have to sign up for some service that supports rights management, use protected PDFs via LiveCycle/Acrobat Connect or learn how to create your own ePub stuff using Digital Publishing Suite. In any case, it will probably cost you money upfront before you make any revenue.
Mylenium
My iPhone has two identical options under "iTunes wi-fi sync" that are the same computer. I only have one user on my computer, and I tried moving my iTunes file in Finder to organize it and now my library's not synced with my phone. Help?
I have the same problem. Right now my iPhone 5S shows 3 instances of the computer to which it is connected under Settings » General » iTunes WiFi Sync. I'm having problems connecting and syncing, and this is probably the cause: the phone chooses one of these connections, and it isn't the one that's actually in use. What's probably happening is that the phone and computer establish a connection using a dynamic IP address, the address becomes "disassociated" due to error, another address is associated, the phone retains each address/link, and each link is displayed as if it represents a separate computer (the fact that the name of the computer is identical is ignored, as the only thing that is considered important is the IP address). But that's all conjecture. More important, I'm not sure how to fix the problem. A network reset doesn't do it.
-
Revision: 20754
Author: [email protected]
Date: 2011-03-10 03:36:05 -0800 (Thu, 10 Mar 2011)
Log Message:
My latest EndpointPushNotifier change changed the style of the code quite a bit (sorry for that, it was my IDE settings getting in the loop here) I only changed one char line 389.
Modified Paths:
blazeds/trunk/modules/core/src/flex/messaging/client/EndpointPushNotifier.java
I seem to have fixed it by putting <div class="clearfloat"></div> after the navigation bar?
-
ASM disk busy 99% only on one cluster node
Hello,
We have a three node Oracle RAC cluster. Our DBAs called us and said they are getting OEM critical alerts for an ASM disk on one node only. I checked and the SAN attached drive does not show the same high utilization on either of the other two nodes. I checked the hardware and it seems fine. If the issue were with the SAN attached disk, we would be seeing the same errors on all three nodes since they share the same disks. The system crashed last week (alert dump in the +asm directories), and the disk has been busy ever since. I asked if the DBA reviewed the ADDM reports and he said he had and that there were no suspicious looking entries that would lead us to the root cause based on those reports. CPU utilization is fine. I am not sure where to look at this point and any help pointing me in the right direction would be appreciated. They do use RMAN; could there be a backup running using those disks only on one node? Has anyone ever seen this before?
Thank you,
Benita Ulisano
Unix/SAN Team
Chicago Public Schools
[email protected]
Hi Harish,
Thank you for responding. To answer your question, yes, the disks are all of the same spec and are shared among the three cluster nodes. The ASM disk sdw1 is the one with the issue.
Problem Node: coefsdb02
three nodes in RAC cluster
coefsdb01, coefsdb02, coefsdb03
iostat results for all three nodes - same disk (sdw1):
Node      Device rrqm/s wrqm/s r/s  w/s  rsec/s wsec/s avgrq-sz avgqu-sz await svctm  %util
coefsdb01 sdw1   0.00   1.71   0.12 0.58 1.27   18.78  28.63    0.01     13.38 1.75   0.12
coefsdb02 sdw1   0.11   0.02   4.00 0.62 305.84 21.72  70.93    2.96     12.58 211.95 97.88
coefsdb03 sdw1   0.21   0.01   4.70 0.33 224.05 13.52  47.22    0.05     10.11 6.15   3.09
The dba(s) run RMAN backups, but only on coefsdb01.
Benita