Failover link in a C65K VSS with ASA-SM

Hi
Just experienced a coombined tcp flood/ udp flood attack, which caused both ASAs to go active :-(
Active:
01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
The standby ASA said ' failover off' but a reload of the standby fixed the dual active problem:
Standby:
ASA-SM1# sh failo
Failover Off
Failover unit Secondary
Failover LAN Interface: folink Vlan998 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
ASA-SM1# sh failo state
                    State          Last Failure Reason      Date/Time
This host -   Secondary
                     Disabled       None
Other host -   Primary
                    Not Detected   Comm Failure    01:55:59
'Service-policy in' on the uplink interface (was 512/10 before):
embryonic-conn-max 256 per-client-embryonic-max 5
Questions:
1. possible causes for the com failure (memory exhaust ?) Any good commands for checking ?
2. The failover link:
In an ASA appliance setup it is recomended to etasblish a dedicated physical failover link between til ASAs - What about ASA-SM in a VSS setup - does it make sense to establish a f.ex physical 1G link for failover, and if yes: won't there be a loop issue with this and the fo vlan on the VSL link ?
3. What is "interface policy 1" in the 'sh failo' command output ?
Thanks
Jesper

Hello Adrian,
Don't know if this is the cause of your issue, but I was thinking about scenario in which after your ISP interface is doing DOWN and UP your IP address is being changed.
IOS itself is not deleting isakmp SA because the interface on which you have crypto map attached is down, so the SA will be still up on IOS. On ASA itself since you have default configuration you have DPD (dead peer detection) turned on probably after 10 seconds crypto sa will go down since no DPD reply received.
IOS will continue to send encrypted traffic towards ASA, but for ASA tunnel is dead and it will ignore these packets (there should be something in logs), but router will never know it since it has DPDs turned off.
It could also happen if you are getting the same IP address from you ISP, but Internet outages are longer than 30seconds.
Solution would be to turn on DPDs on IOS:
crypto isakmp keepalives TIME_IN_SECONDS periodic
Defailts about DPDs:
https://supportforums.cisco.com/docs/DOC-8554
Regards,

Similar Messages

ASA failover link over the etherchannel connected switches

Hello,
We have two ASA firewalls located in different locations.
Firewalls are in Active/Standby modes.
Failover links of firewalls are connected to two different switches.
These switches are connected to each other with two dark fibers aggregated to Etherchannel (source-mac address mode)
When one of fiber links fails and then immediately is connected again, secondary ASA is going to Active state and then to Standy state again.
Please see the output bellow.
The holddown timer is set to 15 seconds.
What could be the cause of this state change?
ciscoasa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
22:54:20 GET Apr 4 2014
Standby Ready Just Active HELLO not heard from mate
22:54:20 GET Apr 4 2014
Just Active Active Drain HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Drain Active Applying Config HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Applying Config Active Config Applied HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Config Applied Active HELLO not heard from mate
22:54:42 GET Apr 4 2014
Active Cold Standby Failover state check
22:54:43 GET Apr 4 2014
Cold Standby Sync Config Failover state check
22:55:36 GET Apr 4 2014
Sync Config Sync File System Failover state check
22:55:36 GET Apr 4 2014
Sync File System Bulk Sync Failover state check
22:55:51 GET Apr 4 2014
Bulk Sync Standby Ready Failover state check

Maybe spanning tree recalculation. I know you said there was an etherchannel but I would make sure it is built properly. Also run "Show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.

ASA redundant failover links

Hi,
We are setting up a new ASA which is in multi context mode. I was wondering if it is possible to setup redundant failover and state links? I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links? For example, failover and state on ten1/0 as well as failover and state on ten1/1.
Hope I have explained my question well enough. If not I will try to explain better.
thanks

I would suggest to make a redundant logical link and attach two physical links to it. Than during failover link configuration specify your redundant link as a failover link. Not sure if it works but dont see any obstacles for this solution to fail..

How to correct start failover after loosing disk0 on one of ASA

Hello, guys.
I have some problems with correct answer. One CF in one of ASA had died from active/standby failover cluster few days ago.
So all works perfectly.
But now I have:
asa-5520/act# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(4), Mate 8.4(2)
Last Failover at: 00:25:50 UTC Jun 14 2012
This host: Secondary - Active
Active time: 161347 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
Interface internet (x.x.x.1): Normal (Waiting)
Interface inside (10.137.250.1): Normal (Waiting)
Interface management (192.168.1.1): Link Down (Waiting)
slot 1: empty
Other host: Primary - Failed
Active time: 24695466 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(2)) status (Unknown/Unknown)
Interface internet (x.x.x.2): Unknown (Monitored)
Interface inside (10.137.250.2): Unknown (Monitored)
Interface management (0.0.0.0): Unknown (Waiting)
slot 1: empty
Он failover unit Primary has died internal flash card (disk0). So a card had replaced, I've booted up ASA via tftp, copied files (image file, asdm file and startup-config from live ASA).
So I have a quiestion. I have startup-config from unit secondary. As I understand, I can simply change in config the next:
failover lan unit secondary
to failover lan primary
It will be correct?
Or I can make on current secondary command:
failover lan primary
And boot up another ASA with config from secondary?
So, appriciate any help, and I can't experiment with commands, because it's very production

As I understand correctly, my steps will be next:
On new ASA without any configuration (almost clean) I'll enter:
ASA(config)#failover lan unit primary
ASA(config)#failover lan interface failover GigabitEthernet0/2
ASA(config)#failover link failover GigabitEthernet0/2
ASA(config)#failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
ASA(config)# interface GigabitEthernet0/2
ASA(config-if)#no shut
ASA(config-if)#exit
ASA(config)#failover
And after that configuration will be synced from active (secondary) to standby (primary) unit without any downtimes and traffic corraption. Yes?

Active/Standby And failover link configuration mode

Hi everyone,
When config failover link of ASA in Active Standby mode.
When we config failover int say gi0/1
config t
int gi0/1
failover lan int gi0/1
Need to confirm we do this from interface config mode only or we can do this from global config also ????????
Whe we assign IP to this int we do that from global config mode ????
Regards
Mahesh
Message was edited by: mahesh parmar
Message was edited by: mahesh parmar

Hi,
Actually the ASA lets you insert a lot of command what ever mode you are under.
In the output you posted is a very important thing to notice
configure mode commands/options:
WORD Specify the interface name
As you can see, the output lists only one option and before that it mentions that this is a "configure mode" command
So even if you entered the command under the interface configuration mode, it would still be entered as a global/configure command mode.
Take the following thing for example
I want to check what configuration options I have with the command "failover"
So I enter the following to my ASA
ASA(config)# failover ?
configure mode commands/options:
interface              Configure the IP address to be used for failover and/or
                              stateful update information
interface-policy    Set the policy for failover due to interface failures
key                       Configure the failover shared secret or key
lan                       Specify the unit as primary or secondary or configure the
                               interface and vlan to be used for failover communication
mac                      Specify the virtual mac address for a dynamic interface
polltime                Configure failover poll interval
timeout                 Specify the failover reconnect timeout value for
                               asymmetrically routed sessions
exec mode commands/options:
active          Make this system to be the active unit of the failover pair
exec            Execute command on the designated unit
reload-standby Force standby unit to reboot
reset           Force a unit or failover group to an unfailed state
As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.
- Jouni

Failover link

Hello,
On an ASA 5520 active, standby pair, what will result if the failover link or interface goes down or fails. Will both devices become active?
If yes, how to prevent this. We want it in such a way that if such a situation happens, there should be only Active and the other one should be standby.
Thanks in advance!

If ASA units connected with cross over then no failover will take place.
if using LAN based failover then you will end up with Active-Active and traffic will fail.
Thanks
Ajay

VSS with SUP 2T

Dears
I have 2 no's 6509 chassis in VSS with sup2t and ASA-SM installed, as I know that the dataplane is active for both switches so the cisco says that I we will get the throughput of 4.0 tbps but the ASA-SM only supports 20 gbps, and all vlan interface are created on ASA-SM module so there all bottleneck happens, Customer is not ready to move any vlan interface to the 6509 MSFC by bypassing ASA-SM.
so how the ROI should be explained to the customer of SUP2T with ASA-SM if installed.
thanks

Dear Jon,
1) It's an ASA service module inside the 6500 chassis and not the ASA standalone appliance. All Network in the world will reach to a place where they have to push the traffic to firewall where definitely the speed will reduce from tbps to gbps and not every organization can place high end firewall with 10 GIG ports with better throughput, so from your reply what I understand is that VSS benefits only with an intervlan routing.
Bear in mind that if most of the traffic is routed to remote networks then your uplinks also become bottlenecks although you could probably get more uplink capacity than your ASA gives you.
how to get more uplink capacity ??
Of course there are obviously other benefits with VSS in terms of ease of configuration, redudancy etc. and it really comes down to your priorities.
can you list more.
2) I have read the SUP2t Datasheet saying per slot 80gbps I hope it is half duplex becz if I put 16 port 10 gig module the bandwidth will reach till 160 Gbps , please correct ???
3) I have attached 4 port 40 Gbps module datasheet, so what it says that with all ports sending traffic will reach to 160gbps per slot if a chassis populated with 40 gig module and all set to send traffic with full bandwidth than it only reaches to 1.7 tbps which is less than 2tbps.
4) I have another doubt that 6500 chassis backplane support only 40 gig so incase if the module is sending traffic with 160 gbps than how it handles.
Thanks

PO for LAN failover and stateful failover link?

Hi.. We have 2 x ASA 5520s running ver 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into a lacp PO. So both the ASAs are connected to each other directly using these 2 interfaces and then we logically make it a one PO. We then assign the PO intface an ip. Is this supported?

You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
That said, It would be an uncommon implementation. I almost always see them on separate physical interfaces.

Waas with asa

we will deploy waas in branch with asa so we will make wccp redirect on asa as asa will terminate vpn with headoffice so we must use wccp on asa is there is any document of sample of configuration to configure wccp with asa

hi,
here is the link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
hope it will help

Failover link inteface redundant

hola estoy tratando de configurar un asa active/standby pero a su vez tratanto de que la interface failover link sea una interface redudant segun la documentacio es posible pero al configurar me indica que una interface compartida no es factible , no encuentro la configuracion correcta son dos ASA5525X version
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 7.0(2)

Hola Julio
claro no hay problema esta es la configuracion actual de mis interfaces y interfaces redundantes quiero utilizar la interfaces G0/5 y G/6 como mi interface failover , no estoy seguro si funcionara?
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
interface Redundant1
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.100.X 255.255.255.0 standby 172.18.100.X
interface Redundant2
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/3
nameif vpn-outside
security-level 0
ip address 10.245.245.x 255.255.255.0 standby 10.245.245.x
interface Redundant3
description Failover
member-interface GigabitEthernet0/5
member-interface GigabitEthernet0/6
no nameif
no security-level
no ip address
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover polltime unit msec 500 holdtime 3
failover key *****
failover replication http
failover link failover GigabitEthernet0/7
failover interface ip failover 172.32.254.1 255.255.255.252 standby 172.32.254.2
al configurar esta es la secuencia de error
VPN5525X-VLP(config)# no failover lan interface failover GigabitEthernet0/7
VPN5525X-VLP(config)# no failover link failover GigabitEthernet0/7
VPN5525X-VLP(config)# failover lan interface failover redunda
VPN5525X-VLP(config)# failover lan interface failover redundant3
INFO: Non-failover interface config is cleared on Redundant3 and its sub-interfaces
VPN5525X-VLP(config)# failover link failover Redunan
VPN5525X-VLP(config)# failover link failover Redundant3
VPN5525X-VLP(config)#
VPN5525X-VLP(config)#
VPN5525X-VLP(config)# exit
VPN5525X-VLP# sh run fa
ya esta configurado pero no estoy seguro si funcionara, Julio que asi configurado.
VPN5525X-VLP# sh run failover
failover
failover lan unit primary
failover lan interface failover Redundant3
failover polltime unit msec 500 holdtime 3
failover key *****
failover replication http
failover link failover Redundant3
VPN5525X-VLP#

6500 with ASA module

Hello guys,
I'm designing small-medium branch office (from 100 users scalable up to 500).
My idea was to build this around a pair of 6506-E switches (as collapsed core, utilizing VSS), then at each floor (1 floor = 100 users) have a stack of 3750 switches.
Now, to my question, I want a pair of security appliances, one per each breakout. I was looking at a possibility of putting ASA module into each 6500.
Is it possible, to use 10G X2 module, which are build into 6500's SUP as WAN interface and direct everything it receives on those ports directly into ASA? (I want to have all traffic which will come to the 6500 via SUP's X2 modules to pass through ASA before any further action will be taken).
As fair as I know in order to use VSS together with ASA modules in active/active mode (I will load balance through uplinks on both 6500) I need to use SUP 720-10G, am I right?
Thanks in advance for you insights.
Michal

Thanks guys. Appreciate your feedback!
I will most likely go for the option "Existing ASA 5540 with IPS module" . I hope the IPS module does not limit any bandwidth capability or processing issue of the ASA. My current throughput is 250 Mbps bidirectional.
After looking at the IPS option I am sloghly confused which one I need. Cisco website say:
"...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
Do I need SSM only or both SSM and SSC or CSC SSM? How many module cana be installed on 5540?
Fawad

Redundant Failover link on ASA5500 Series?

Cisco recommends connecting failover link over L2 switch in thier document.
But if L2 switch fails, both ASA's failover I/F will down.
I wonder if there is any way to get redundancy for failover link, like etherchannel.
Or should I prepare two L2 switches to avoid both ASA's I/F down?
Any hints appriciated.

Even if both of the failover interfaces go down it wont affect the traffic flow. Also if the switch is being monitored this will get detected and can be solved easily. If you still want redundant failover links, using seperate switches will be good idea.

Problem with ASA 5505 VPN config

Hi to all,
I have a problem with ASA 5505 remote access vpn. I have site-to-site VPN and I need that my VPN clients can access IP subnets that I have behind site-to-site VPN. All that I have tried I get and error to my log “Flow is a loopback”.
So what I need : for example I need that vpn client with ip 10.0.0.1 can go to 192.168.1.2
My config:
access-list Test_splitTunnelAcl standard permit host 10.0.2.3
access-list Test_splitTunnelAcl standard permit host 10.0.2.4
access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_splitTunnelAcl
Site-to-Site:
crypto map outside_map 3 set peer 195.233.x.x
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.2.70
network-object host 192.168.3.55
network-object 192.168.1.0 255.255.255.0
I hope that someone can post an answer and solve my problem

A few things are required:
1) You don't need the following 2 lines, so it can be removed:
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
2) On the ASA, you need to configure:
same-security-traffic permit intra-interface
3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24
4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.
5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.
Hope that will resolve your problem.

Remote access VPN with ASA 5510 using DHCP server

Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got following output when I test connect to ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode:        True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
Lay

For RADIUS you need a aaa-server-definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Link to a crystal report with prompt from xcelsius dashboard

Hi
How can we make a link to a crystal reports with a country promt?
If I named the prompt ContryParam in Crystal.
And I want to open this crystal report by sending f.eks UK as countryname to this report.
What will the link be seeing as in xcelsius?
How will the connection be made from xcelsius to this spesific crystal report`?
BR
Sadaf

Hey Sadaf,
This example uses prompt# to pass "CA" as a value to the first parameter:
http://<servername>:<port>/CrystalRe
ports/viewrpt.cwr?id=1152&prompt0=CA
search for follwing document title for further reading
Viewing Reports and Documents using URLs

Failover link in a C65K VSS with ASA-SM

Similar Messages

Maybe you are looking for