GDOI IPsec SA Failures
Need help understanding IPSEC Packet errors running in a GDOI environment.
Everything runs fine for hours (a random number of hours) and then we receive the following errors:
Dec 21 05:34:09 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 50
Each time this happened, it took a clear crypto gdoi to get traffic going again.
It doesn't appear to be related to rekeying, and it's confusing because the prot reported in the message is 50 (ESP), so it appears that traffic is still being sent encrypted.
We are using VPN hardware acceleration (AIM-VPN/SSL-3) and I don't see any errors there.
I'm not certain where to look next; any help out there?
What we found is that the return reply, apparently because the NetFlow payload is being fragmented, is the cause of the IPsec error.
If we open the "do not encrypt" ACL to include not just the initial UDP port for the NetFlow send but all IP, we are able to get NetFlow traffic across and eliminate the IPsec error.
Although this is working, it is not ideal.
Are there any options to avoid NetFlow payload fragmentation?
Initially, the MTU size had to be set to 1400 for GETVPN traffic to flow successfully in both directions. This looks to be impacting NetFlow.
Thanks.
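The sizing question in the post above (whether a NetFlow export datagram fits a 1400-byte MTU once GETVPN wraps it in ESP) can be worked through numerically. The following is an added example, not code from the thread or from Cisco. It assumes NetFlow v5 exports (24-byte header, up to 30 records of 48 bytes) and an ESP transform of AES-CBC with a 96-bit truncated HMAC, neither of which the post states, and it models GETVPN's header preservation as a copied 20-byte IPv4 header with no options.

```python
"""
Added example (not from the original post, not Cisco code): size a NetFlow
export datagram against an MTU before and after ESP tunnel-mode encapsulation,
to see where fragmentation starts.

Assumptions, none of them stated in the thread:
  - NetFlow v5 export: 24-byte header plus up to 30 records of 48 bytes.
  - ESP with AES-CBC and a 96-bit truncated HMAC (esp-aes with esp-sha-hmac or
    esp-md5-hmac): 8-byte SPI+sequence, 16-byte IV, 16-byte block, 12-byte ICV.
  - GETVPN copies the original IPv4 header (no options) as the outer header.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
NETFLOW_V5_HDR = 24
NETFLOW_V5_REC = 48
NETFLOW_V5_MAX_REC = 30


@dataclass(frozen=True)
class EspParams:
    spi_seq_len: int = 8   # SPI + sequence number
    iv_len: int = 16       # AES-CBC IV
    block_len: int = 16    # AES block size; payload+pad+trailer is padded to it
    icv_len: int = 12      # HMAC-MD5-96 / HMAC-SHA1-96 truncated ICV


def netflow_v5_export_len(records: int) -> int:
    """IPv4 packet length of a NetFlow v5 export datagram carrying `records` flows."""
    if not 1 <= records <= NETFLOW_V5_MAX_REC:
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    return IPV4_HDR + UDP_HDR + NETFLOW_V5_HDR + NETFLOW_V5_REC * records


def esp_tunnel_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Wire length after ESP tunnel-mode encapsulation of an inner IP packet.

    The 2-byte ESP trailer (pad length, next header) is appended to the inner
    packet and the result is padded up to a multiple of the cipher block size.
    """
    body = inner_len + 2
    padded = -(-body // p.block_len) * p.block_len
    return IPV4_HDR + p.spi_seq_len + p.iv_len + padded + p.icv_len


def max_inner_len(mtu: int, p: EspParams = EspParams()) -> int:
    """Largest cleartext IP packet whose ESP tunnel-mode form still fits `mtu`."""
    n = mtu
    while n > 0 and esp_tunnel_len(n, p) > mtu:
        n -= 1
    return n


def max_records_at_mtu(mtu: int, p: EspParams = EspParams()) -> int:
    """Most NetFlow v5 records per export datagram that survive ESP without fragmenting."""
    return max((r for r in range(1, NETFLOW_V5_MAX_REC + 1)
                if esp_tunnel_len(netflow_v5_export_len(r), p) <= mtu), default=0)


def netflow_fragmentation_report(mtu: int, records: int = NETFLOW_V5_MAX_REC) -> dict:
    inner = netflow_v5_export_len(records)
    outer = esp_tunnel_len(inner)
    return {
        "export_packet": inner,
        "after_esp": outer,
        "fragments_before_encryption": inner > mtu,  # exporter's own packet is too big
        "fragments_after_encryption": outer > mtu,   # ESP overhead pushes it over
        "max_cleartext_at_mtu": max_inner_len(mtu),
        "max_records_at_mtu": max_records_at_mtu(mtu),
    }


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(mtu, netflow_fragmentation_report(mtu))
```

Under those assumptions the full 30-record v5 datagram is already 1492 bytes of IP, so it fragments at a 1400-byte MTU before it is ever encrypted, and its ESP form (1560 bytes) would not fit a 1500-byte MTU either. The largest cleartext packet that encrypts to exactly 1400 bytes is 1342 bytes, which works out to 26 records per export datagram. Whether the exporter can be told to send fewer records per datagram depends on the NetFlow version and platform, which the post does not say.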
Similar Messages
This is a strange one, and unfortunately I cannot find any literature in either the TAC case collections or the support documentation.
I am running a GDOI VPN. It has been humming along nicely, until the following started appearing in the group member logs (group members are 1801s):
%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached
Once this started happening, the encryption (or rather the ability to decrypt) between group members simply stopped with the next change of keys.
All group members are still active participants in the GDOI VPN; they just can't encrypt or decrypt targeted traffic successfully (so they are registered with the key server and have the current service policy, etc.).
The only way to get the group member to properly participate in the mesh again is to reload it, which isn't the ideal fix, obviously.
Anyone with ideas?
I am guessing it revolves around this:
%GDOI-3-GM_NO_IPSEC_FLOWS : IPSec FLOW limit possibly reached
A small update of sorts.
Turning OFF the onboard crypto engine on an affected 1801 has resolved the issue.
If I turn it back on again it seems to continue working.
Resetting it is obviously flushing some kind of buffer.
It doesn't answer the question, though, of what is causing it and why, and more importantly how to prevent it in future.
IPsec VTI over NAT IKE Phase I Failure
Hey everyone,
I have two routers and an ASA, with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers; the regular GRE traffic passes through just fine, but after applying an IPsec profile to the interfaces, IKE Phase I never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set SEC
interface Tunnel2
 ip address 172.16.1.1 255.255.255.252
 tunnel source 200.1.1.1
 tunnel destination 200.1.1.2
 tunnel protection ipsec profile IPSEC
crypto isakmp key SECURITYKEY address 200.1.1.2
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
 ip address 172.16.1.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source 10.1.1.1
 tunnel destination 200.1.1.1
 tunnel protection ipsec profile IPSEC
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set SEC
crypto isakmp key SECURITYKEY address 200.1.1.1
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
R2#debug crypto isakmp
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
Thank you for the suggestions Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
This is a production environment and I have altered the information for privacy reasons, so I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL
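The R1 and R2 debugs above are long because IOS prints the peer's offered transform once per local policy it tries, then names the attribute it refused on, then gives a verdict; the retransmit counters near the end are the other thing worth pulling out. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed sample in the same format (modelled on the debugs above, not copied from them), records per policy which attribute caused the rejection, decodes the VPI-encoded lifetime, and reports the highest retransmit attempt per SA and phase. The sample lines, function names and field names are this example's own.

```python
"""Pull the negotiation verdicts and retransmit counters out of IOS
'debug crypto isakmp' output. Added example, not code from the thread or Cisco."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|auth) (\S+)\s*$")
KEYLEN_RE = re.compile(r"ISAKMP: keylength of (\d+)")
GROUP_RE = re.compile(r"ISAKMP: default group (\d+)")
LIFE_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)$")
MISMATCH_RE = re.compile(r":(\w[\w\- ]*?) offered does not match policy!")
RESULT_RE = re.compile(r"atts are (not )?acceptable")
RETRANS_RE = re.compile(r"ISAKMP \(\d+:(\d+)\): incrementing error counter on (?:sa|node), attempt (\d+) of (\d+): retransmit phase (\d)")


def decode_vpi(vpi: str) -> int:
    """'0x0 0x1 0x51 0x80' -> 86400: the lifetime bytes form a big-endian integer."""
    return int.from_bytes(bytes(int(tok, 16) for tok in vpi.split()), "big")


@dataclass
class TransformCheck:
    transform: int
    priority: int
    attrs: Dict[str, object] = field(default_factory=dict)  # the peer's offered attributes
    lifetime_seconds: Optional[int] = None
    mismatch: Optional[str] = None   # attribute IOS named as the reason for rejection
    accepted: Optional[bool] = None  # None until the 'atts are ... acceptable' verdict


def parse_policy_checks(lines: List[str]) -> List[TransformCheck]:
    """Walk the debug once; attribute lines are attached to the open check only."""
    checks: List[TransformCheck] = []
    cur: Optional[TransformCheck] = None
    for line in lines:
        m = CHECK_RE.search(line)
        if m:
            cur = TransformCheck(int(m.group(1)), int(m.group(2)))
            checks.append(cur)
            continue
        if cur is None or cur.accepted is not None:
            continue  # nothing open, or this check's verdict has already been read
        if m := ATTR_RE.search(line):
            cur.attrs[m.group(1)] = m.group(2)
        elif m := KEYLEN_RE.search(line):
            cur.attrs["keylength"] = int(m.group(1))
        elif m := GROUP_RE.search(line):
            cur.attrs["group"] = int(m.group(1))
        elif m := LIFE_RE.search(line):
            cur.lifetime_seconds = decode_vpi(m.group(1))
        elif m := MISMATCH_RE.search(line):
            cur.mismatch = m.group(1)
        elif m := RESULT_RE.search(line):
            cur.accepted = m.group(1) is None
    return checks


def accepted_policy(checks: List[TransformCheck]) -> Optional[int]:
    """Priority of the first local policy that accepted the offer, or None."""
    return next((c.priority for c in checks if c.accepted), None)


def retransmit_summary(lines: List[str]) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Highest 'attempt N of M' seen per (SA id, phase); counters climbing to the
    limit mean the peer never answered (reachability, NAT-T/UDP 4500), not policy."""
    summary: Dict[Tuple[str, int], Tuple[int, int]] = {}
    for line in lines:
        m = RETRANS_RE.search(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(4)))
        attempt, limit = int(m.group(2)), int(m.group(3))
        summary[key] = (max(summary.get(key, (0, limit))[0], attempt), limit)
    return summary


# Constructed sample in the same format as the R1/R2 debugs above (not a copy of them).
SAMPLE_DEBUG = """\
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
"""

if __name__ == "__main__":
    lines = SAMPLE_DEBUG.splitlines()
    checks = parse_policy_checks(lines)
    for c in checks:
        verdict = "accepted" if c.accepted else f"rejected ({c.mismatch})"
        print(f"policy {c.priority}: {c.attrs} lifetime={c.lifetime_seconds}s -> {verdict}")
    print("accepted policy:", accepted_policy(checks))
    for (sa, phase), (attempt, limit) in retransmit_summary(lines).items():
        print(f"SA {sa} phase {phase}: retransmit attempt {attempt} of {limit}")
```

Run against a real capture, the rejected checks tell you which attribute on which local policy differs from the peer's offer (the debug names the attribute, not the policy's value), and a retransmit counter that reaches its limit with no accepted policy at all is a different fault from a negotiation mismatch.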
-
Cisco ASA 5505 Site to site VPN IPSEC tunnel to a Clavister Firewall
Hi,
I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down, up, down, down, and I get all sorts of strange messages when I check whether the tunnel is up or down with the command: show crypto isakmp sa
After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505. I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this command in the ASA: show crypto ipsec sa.
They had a Clavister Firewall on that site before, and now they have a Cisco ASA 5505; all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel...
Severity  Date         Time      Syslog ID  Message
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3         Nov 21 2012  07:11:09  713902     Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3         Nov 21 2012  07:11:09  713061     Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5         Nov 21 2012  07:11:09  713119     Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA; the other remote networks don't work.
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
Michael
Hi,
I'd start by getting the configuration of the remote site related to local/remote network configurations and going through them, even though no changes have been made.
If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation and therefore it failed. That problem we corrected by changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
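Jouni's point about mirror-image encryption domains, and the 0.0.0.0 proxies in the 713061 message, can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from Cisco: it parses the VPN_Tunnel access list exactly as posted above, pulls the proxy identities out of the 713061 message, reports which ACE (if any) they match, and prints the swapped entries the Clavister side would need to carry. It assumes exact-match proxy semantics on the responder, which is the assumption behind reading a None result as the cause of that syslog message; the function names are this example's own.

```python
"""Check IKEv1 phase-2 proxy identities against an ASA crypto ACL and derive
the mirror-image entries the remote encryption domain must carry.
Added example, not code from the thread or from Cisco."""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
PROXY_RE = re.compile(r"remote proxy (\S+) local proxy (\S+)")


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ACE address spec ('host A', 'any' or 'A MASK') at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config: str, acl_name: str) -> List[Tuple[Net, Net]]:
    """(local, remote) pairs from 'access-list NAME extended permit ip ...' lines:
    the source side is local and the destination side is remote, as crypto maps read them."""
    prefix = f"access-list {acl_name} extended permit ip "
    entries: List[Tuple[Net, Net]] = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        tokens = line[len(prefix):].split()
        local, i = _parse_addr(tokens, 0)
        remote, _ = _parse_addr(tokens, i)
        entries.append((local, remote))
    return entries


def parse_proxy(spec: str) -> Tuple[Net, int, int]:
    """'addr/mask/prot/port' as printed by show crypto ipsec sa and syslog 713061."""
    addr, mask, prot, port = spec.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(prot), int(port)


def match_crypto_map(entries: List[Tuple[Net, Net]], local_proxy: str, remote_proxy: str) -> Optional[int]:
    """Index of the ACE whose networks equal the proposed proxies, else None.
    Exact-match semantics are assumed here; None is the condition that produces
    'Rejecting IPSec tunnel: no matching crypto map entry'."""
    lnet, lprot, _ = parse_proxy(local_proxy)
    rnet, rprot, _ = parse_proxy(remote_proxy)
    if lprot != 0 or rprot != 0:
        return None  # 'permit ip' ACEs correspond to protocol 0 (any) only
    for idx, (local, remote) in enumerate(entries):
        if local == lnet and remote == rnet:
            return idx
    return None


def proxies_from_syslog(msg: str) -> Optional[Tuple[str, str]]:
    """(local_proxy, remote_proxy) from a %ASA-3-713061 message."""
    m = PROXY_RE.search(msg)
    return (m.group(2), m.group(1)) if m else None


def _ace_addr(net: Net) -> str:
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"


def mirror_acl(entries: List[Tuple[Net, Net]]) -> List[str]:
    """The remote peer's encryption domain: the same pairs with the sides swapped."""
    return [f"permit ip {_ace_addr(remote)} {_ace_addr(local)}" for local, remote in entries]


# ACL lines and syslog text as posted in the thread above (inline annotation removed).
ASA_CONFIG = """\
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
"""
SYSLOG_713061 = ("Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: "
                 "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
                 "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

if __name__ == "__main__":
    entries = parse_crypto_acl(ASA_CONFIG, "VPN_Tunnel")
    local, remote = proxies_from_syslog(SYSLOG_713061)
    print("proposal from syslog matches ACE:", match_crypto_map(entries, local, remote))
    print("working proposal matches ACE:",
          match_crypto_map(entries, "172.22.65.0/255.255.255.0/0/0", "192.168.123.0/255.255.255.0/0/0"))
    print("remote side must carry:")
    for ace in mirror_acl(entries):
        print("  ", ace)
```

A 0.0.0.0/0.0.0.0 pair on both sides means the peer proposed "everything to everything", which no specific ACE can equal; the printed mirror list is what to compare against the Clavister's tunnel definitions for the four networks that never come up.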
ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address
Using an ASA 5505 for firewall and VPN. We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
The devices complete the connection and authenticate fine, but then are unable to hit any internal resources. Split tunneling seems to be working, as they can still hit outside resources. Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24). Even the NAT translation looks good in packet tracer.
I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.) This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses. Details:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
current_peer: [VPN CLIENT ADDRESS], username: vpnuser
dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 05BFAE20
current inbound spi : CF85B895
inbound esp sas:
spi: 0xCF85B895 (3481647253)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFD
outbound esp sas:
spi: 0x05BFAE20 (96448032)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any ideas? The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.
I have what I believe to be a similar issue. Site-to-site VPN is working well. That is, site B can ping and send traffic to site A but site A cannot. Site B is a 3rd party VPN router. Site A is a Cisco 5505.
It appears that when the crypto map inserts the route into the routing table it shows the route via the IP of the outside interface and not the IP of site B. In the crypto map I can see the proper IP address for the peer. I can't figure out why, when it inserts the route, it uses the wrong IP address.
-
Is there a limit to the number of concurrent L2TP/IPSec VPN connections in Snow Leopard
Hi,
I'm currently running an L2TP/IPSec service from a Snow Leopard server VM running on the latest version of Lion Server (I had loads of issues with Lion VPN connectivity from outside our network when I first upgraded the physical server to Lion; the quickest way to get the service back was to run an S/L VM. I know that there have been some changes to Lion in the VPN area, but this works... sort of).
I've got an IP address pool of 20 addresses configured as this is only for ICT staff members. Each user has a local userid/password on the S/L server. For me, things just work.
iPhone, iPad, OS X Lion client, they all work and I've had about 3 simultaneous connections up and running. However, the majority of staff users use Windows 7 client machines and they've been reporting sporadic connection failures where one moment they can get connected and the next they can't. I'm currently wondering if there is some concurrent limit setting they are hitting and are getting slung off because I've got other users using the service. It would be a bit strange if S/L can only support 2 or 3 connections out of the box.
Then again it might be VMware Fusion (Vsn 4.1.1) that's the problem.
Any help appreciated
Rgds
Alex
You have to count on having at least about 30GB free on the startup disk after you have the library loaded.
On the external you have space enough.
As far as I know there is no limit for iPhoto, but I suggest not letting it grow too much, because everything will become sluggish, including making backups. It should be possible to split it up into more libraries, one that is really current and one that is the past. Physical splitting up I mean, not smart collections. You can switch libraries by holding the Alt (Option) key at startup of iPhoto.
-
Remote site redundancy IPSEC VPN between 2911 and ASA
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
What is the best way of achieving this?
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
Any help/advice would be appreciated!
Hello,
I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish a site-to-site tunnel between the ASA and some routers, and it is still the ASA which needs to make the decision about which peer to connect to.
A possible solution would be to run HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. That would only happen after the ADSL Internet connection goes down.
The solution to that would be to assign two different public IP addresses to two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say icmp to the main router; if it does not respond then you change routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
I hope what I wrote makes some sense. -
Cisco/IPsec VPN built-in service of 10.6.1 does not work!
Hello,
I had been using the Cisco VPN client delivered by Cisco for a while in Leopard (10.5) until I upgraded to Snow Leopard (10.6.1), which comes with a native built-in Cisco VPN client, and I gave it a try in order to replace my dedicated Cisco app.
I set up the Cisco VPN service in System Preferences > Network with the same settings as those used in the Cisco client, but the connection fails when it is launched from the 10.6 network VPN service... while it works perfectly when launched from the Cisco app itself.
I need to activate a VPN connection in order to connect from home to my enterprise server and I have to respect the VPN settings the network administrator of my enterprise put in place.
Those are very common:
1. Host name
2. Group name + Group password
3. Domain name\Userid + User password
4. RSA pass code (random code provided by a specific RSA keyfob)
5. Transport is IPsec over UDP
According to my testing, I would say that:
1. The connection to the host is OK.
2. The validation of the group name + group psw is OK.
3. The validation of the userid + user psw is OK.
4. The RSA pass code is rejected.
According to my enterprise network engineer's investigations, the possible reasons for the connection failure could be:
1. the UDP protocol is not (well) supported by the client service.
2. and/or the extended authentication phase (aka "Xauth") is not working as it should.
As far as I can see in other VPN clients, there is usually an option to select whether the transport is run over TCP or over UDP. Unfortunately, I have not been able to find such an option in 10.6.
In my opinion, it could be either a bug or an (undesired) limitation of the Apple VPN service. In both cases, it requires a quick fix from Apple as, for the time being, this issue prevents me and many of us from connecting to our enterprise servers when we are far from the local network.
Thank you for your answers, which confirm the limitation of the Apple VPN solution to the TCP transport only.
I have to say that I do not understand such a decision from Apple since the UDP protocol is very common in the enterprise world.
I will thus have to rely on the Cisco app itself. Is the version 4.9.01 (0080) the correct one for SL as well?
Thank you! -
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving to those in the USA),
We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients.
I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN)
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d
Total IKE SA: 2
1 IKE Peer: xx.168.155.98
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: xx.211.206.48
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Output of sho crypto ipsec sa (info regarding site-to-site VPN removed). Packets are decrypted but not encrypted.
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
current_peer: xx.211.206.48, username: me
dynamic allocated peer ip: 10.20.1.100
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 7E0BF9B9
current inbound spi : 41B75CCD
inbound esp sas:
spi: 0x41B75CCD (1102535885)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28776
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
spi: 0xC06BF0DD (3228299485)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28774
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x000003FF 0xFFF80001
outbound esp sas:
spi: 0x7E0BF9B9 (2114714041)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28774
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
spi: 0xCBF945AC (3422111148)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28772
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Config from ASA
: Saved
: Written by me at 19:56:37.957 pst Tue Nov 26 2013
ASA Version 8.2(4)
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox-gateway
name 172.16.10.0 iscsi-network description iscsi-network
name 192.168.1.0 legacy-network description legacy-network
name 10.20.50.0 management-network description management-network
name 10.20.10.0 server-network description server-network
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private-mitel-3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public-mitel-3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description Public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-gateway description private-gateway
name 192.168.1.96 private-remote-support description private-remote-support
interface Ethernet0/0
nameif public
security-level 0
ip address public-ip 255.255.255.224
interface Ethernet0/1
speed 100
duplex full
nameif private
security-level 100
ip address private-gateway 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
ftp mode passive
clock timezone pst -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mills.int
object-group service ftp
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
group-object ftp
service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 40
port-object eq ssh
object-group service web-server
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp eq smtp
group-object web-server
object-group service DM_INLINE_SERVICE_3
service-object tcp eq ssh
group-object web-server
object-group service kaseya
service-object tcp eq 4242
service-object tcp eq 5721
service-object tcp eq 8080
service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
group-object kaseya
group-object web-server
object-group service DM_INLINE_SERVICE_5
service-object gre
service-object tcp eq pptp
object-group service VPN
service-object gre
service-object esp
service-object ah
service-object tcp eq pptp
service-object udp eq 4500
service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
network-object 10.20.1.0 255.255.255.0
network-object server-network 255.255.255.0
network-object user-network 255.255.255.0
network-object management-network 255.255.255.0
network-object legacy-network 255.255.255.0
object-group service InterTel5000
service-object tcp range 3998 3999
service-object tcp range 6800 6802
service-object udp eq 20001
service-object udp range 5004 5007
service-object udp range 50098 50508
service-object udp range 6604 7039
service-object udp eq bootpc
service-object udp eq tftp
service-object tcp eq 4000
service-object tcp eq 44000
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 5566
service-object udp eq 5567
service-object udp range 6004 6603
service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object tcp eq 2001
service-object tcp eq 2004
service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
service-object icmp
group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object tcp eq https
service-object tcp eq ssh
object-group service RevProxy tcp
description RevProxy
port-object eq 5500
object-group service XenDesktop tcp
description Xen
port-object eq 8080
port-object eq 2514
port-object eq 2598
port-object eq 27000
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list Error-Events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map admin-control
map-name comment Privilege-Level
ldap attribute-map allow-dialin
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map mills-vpn_users
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin True IPSecUsers
ldap attribute-map network-admins
map-name memberOf IETF-Radius-Service-Type
map-value memberOf FALSE NOACCESS
map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
nt-auth-domain-controller ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
server-port 389
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map network-admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya poll community ***** version 2c
snmp-server location Mills - San Diego
snmp-server contact Mills Assist
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
enable public
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
wins-server value 10.20.10.1
dns-server value 10.20.10.1
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Users_SplitTunnelAcl
default-domain value mills.int
address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
address-pool VPN_Users
authentication-server-group Mills_NetAdmin
default-group-policy IPSecUsers
tunnel-group VPN_Users ipsec-attributes
pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?
Thanks in advance to all who take a look.
Marius,
I connected via my VPN client at home and pinged a remote server, attempted to RDP by name and then attempted to RDP by IP address. All were unsuccessful. Here is the packet capture:
72 packets captured
1: 09:44:06.304671 10.20.1.100.137 > 10.20.10.1.137: udp 68
2: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53: udp 34
3: 09:44:07.198384 10.20.1.100.51650 > 10.20.10.1.53: udp 32
4: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53: udp 34
5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137: udp 68
6: 09:44:07.786671 10.20.1.100.137 > 10.20.10.1.137: udp 68
7: 09:44:07.786855 10.20.1.100.137 > 10.20.10.1.137: udp 68
8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53: udp 32
9: 09:44:09.282608 10.20.1.100.61328 > 10.20.10.1.53: udp 32
10: 09:44:09.286667 10.20.1.100.137 > 10.20.10.1.137: udp 68
11: 09:44:09.286926 10.20.1.100.137 > 10.20.10.1.137: udp 68
12: 09:44:09.287201 10.20.1.100.137 > 10.20.10.1.137: udp 68
13: 09:44:09.300491 10.20.1.100.54543 > 10.20.10.1.53: udp 34
14: 09:44:10.199193 10.20.1.100.51650 > 10.20.10.1.53: udp 32
15: 09:44:10.282150 10.20.1.100.61328 > 10.20.10.1.53: udp 32
16: 09:44:11.286865 10.20.1.100.137 > 10.20.10.1.137: udp 68
17: 09:44:12.302993 10.20.1.100.61328 > 10.20.10.1.53: udp 32
18: 09:44:12.785054 10.20.1.100.137 > 10.20.10.1.137: udp 68
19: 09:44:13.301101 10.20.1.100.54543 > 10.20.10.1.53: udp 34
20: 09:44:14.204029 10.20.1.100.51650 > 10.20.10.1.53: udp 32
21: 09:44:14.287323 10.20.1.100.137 > 10.20.10.1.137: udp 68
22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
23: 09:44:16.581589 10.20.1.100.137 > 10.20.10.1.137: udp 50
24: 09:44:18.083842 10.20.1.100.137 > 10.20.10.1.137: udp 50
25: 09:44:18.199879 10.20.1.100.137 > 10.20.10.1.137: udp 50
26: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request
27: 09:44:19.582367 10.20.1.100.137 > 10.20.10.1.137: udp 50
28: 09:44:19.704019 10.20.1.100.137 > 10.20.10.1.137: udp 50
29: 09:44:20.288193 10.20.1.100.137 > 10.20.10.1.137: udp 68
30: 09:44:21.200307 10.20.1.100.137 > 10.20.10.1.137: udp 50
31: 09:44:21.786321 10.20.1.100.137 > 10.20.10.1.137: udp 68
32: 09:44:23.289535 10.20.1.100.137 > 10.20.10.1.137: udp 68
33: 09:44:24.204777 10.20.1.100 > 10.20.10.1: icmp: echo request
34: 09:44:29.219440 10.20.1.100 > 10.20.10.1: icmp: echo request
35: 09:44:29.287460 10.20.1.100.137 > 10.20.10.1.137: udp 68
36: 09:44:30.787617 10.20.1.100.137 > 10.20.10.1.137: udp 68
37: 09:44:32.287887 10.20.1.100.137 > 10.20.10.1.137: udp 68
38: 09:45:00.533816 10.20.1.100.137 > 10.20.10.1.137: udp 50
39: 09:45:02.018019 10.20.1.100.137 > 10.20.10.1.137: udp 50
40: 09:45:03.160239 10.20.1.100.52764 > 10.20.10.1.53: udp 34
41: 09:45:03.350354 10.20.1.100.53948 > 10.20.10.1.53: udp 38
42: 09:45:03.521960 10.20.1.100.137 > 10.20.10.1.137: udp 50
43: 09:45:04.158408 10.20.1.100.52764 > 10.20.10.1.53: udp 34
44: 09:45:04.344342 10.20.1.100.53948 > 10.20.10.1.53: udp 38
45: 09:45:06.160681 10.20.1.100.52764 > 10.20.10.1.53: udp 34
46: 09:45:06.358593 10.20.1.100.53948 > 10.20.10.1.53: udp 38
47: 09:45:10.159125 10.20.1.100.52764 > 10.20.10.1.53: udp 34
48: 09:45:10.345227 10.20.1.100.53948 > 10.20.10.1.53: udp 38
49: 09:45:14.550478 10.20.1.100.59402 > 10.20.10.1.53: udp 32
50: 09:45:15.536166 10.20.1.100.59402 > 10.20.10.1.53: udp 32
51: 09:45:17.546144 10.20.1.100.59402 > 10.20.10.1.53: udp 32
52: 09:45:21.882812 10.20.1.100.137 > 10.20.10.1.137: udp 50
53: 09:45:23.379222 10.20.1.100.137 > 10.20.10.1.137: udp 50
54: 09:45:24.893386 10.20.1.100.137 > 10.20.10.1.137: udp 50
55: 09:45:41.550035 10.20.1.100.137 > 10.20.10.1.137: udp 50
56: 09:45:43.029875 10.20.1.100.137 > 10.20.10.1.137: udp 50
57: 09:45:44.541979 10.20.1.100.137 > 10.20.10.1.137: udp 50
58: 09:46:10.767782 10.20.1.100.137 > 10.20.10.1.137: udp 68
59: 09:46:12.261934 10.20.1.100.137 > 10.20.10.1.137: udp 68
60: 09:46:13.776250 10.20.1.100.137 > 10.20.10.1.137: udp 68
61: 09:46:19.848970 10.20.1.100.137 > 10.20.10.1.137: udp 68
62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
63: 09:46:21.331251 10.20.1.100.137 > 10.20.10.1.137: udp 68
64: 09:46:22.831423 10.20.1.100.137 > 10.20.10.1.137: udp 68
65: 09:46:23.101511 10.20.1.100.137 > 10.20.10.1.137: udp 50
66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
67: 09:46:24.591705 10.20.1.100.137 > 10.20.10.1.137: udp 50
68: 09:46:26.115976 10.20.1.100.137 > 10.20.10.1.137: udp 50
69: 09:46:28.834276 10.20.1.100.137 > 10.20.10.1.137: udp 68
70: 09:46:29.125817 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
71: 09:46:30.342816 10.20.1.100.137 > 10.20.10.1.137: udp 68
72: 09:46:31.840746 10.20.1.100.137 > 10.20.10.1.137: udp 68
72 packets shown -
The tale of two IPSec Tunnels...
I'm trying to set up an IPsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with: a test site on my bench and the actual site at another location. Both are ASA 5510s, both running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the IPsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can SSH to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've pored through the configs on both, and although there are just a couple of differences, the two ASAs are pretty close in configs.
At first I thought it was an ACL issue, but I've filtered the logs by syslog ID 106023 to watch for denies by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using EIGRP to distribute routes between the ASA and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static-route switch I even put a static route in there to the VPN network, which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies. On the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note: the test site that works also has a site-to-site VPN up and running, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPsec config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Config (non-working site) looks fine (unless I missed something :)). You may want to add:
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try taking out the vpn-filter: vpn-filter value remoteaccess
To troubleshoot further, try using packet tracer from the ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS -
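The counter check the ASA post above applies (decaps increment during a ping while encaps stay flat), as an added example that is not part of the thread: it parses "show crypto ipsec sa" output in the shape shown above, for both the ASA form and the IOS form that appears later on this page, and compares two snapshots taken around a test ping. The sample output, addresses and counter values are constructed.

```python
"""Compare two 'show crypto ipsec sa' snapshots and flag one-way IPsec SAs.
Added example, not code from the thread. It parses the counter lines in the shape
the posts above show (ASA 'current_peer: X,' and IOS 'current_peer X port 500'
forms) and applies the ASA post's check: ping, then see whether decaps moved
while encaps did not."""
import re
from dataclasses import dataclass

# Constructed snapshot taken before a few test pings from the remote client
# (addresses are documentation ranges, not the thread's real ones).
BEFORE = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 198.51.100.2
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      current_peer: 203.0.113.7, username: blah
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map1, seq num: 1, local addr: 198.51.100.2
      local ident (addr/mask/prot/port): (10.39.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 192.0.2.200
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1188, #pkts decrypt: 1188, #pkts verify: 1188
      #send errors: 0, #recv errors: 0
"""
# Snapshot after the pings: the remote-access SA decrypted 5 more echo requests
# but encrypted nothing back, while the site-to-site SA moved in both directions.
AFTER = (
    BEFORE.replace("decaps: 51, #pkts decrypt: 51, #pkts verify: 51",
                   "decaps: 56, #pkts decrypt: 56, #pkts verify: 56")
    .replace("encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200",
             "encaps: 1210, #pkts encrypt: 1210, #pkts digest: 1210")
    .replace("decaps: 1188, #pkts decrypt: 1188, #pkts verify: 1188",
             "decaps: 1197, #pkts decrypt: 1197, #pkts verify: 1197")
)

@dataclass
class IpsecSa:
    crypto_map: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0

_RE_MAP = re.compile(r"Crypto map tag:\s*([^\s,]+)")
_RE_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\):\s*\((.+?)\)")
_RE_PEER = re.compile(r"current_peer:?\s*([^\s,]+)")  # ASA and IOS forms
_RE_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split the command output into one record per 'Crypto map tag' block."""
    sas: list[IpsecSa] = []
    current = None
    for line in text.splitlines():
        if m := _RE_MAP.search(line):
            current = IpsecSa(crypto_map=m.group(1))
            sas.append(current)
        elif current is None:
            continue  # 'interface:' and other header lines before the first SA
        elif m := _RE_REMOTE.search(line):
            current.remote_ident = m.group(1)
        elif m := _RE_PEER.search(line):
            current.peer = m.group(1)
        elif m := _RE_ENCAPS.search(line):
            current.encaps = int(m.group(1))
        elif m := _RE_DECAPS.search(line):
            current.decaps = int(m.group(1))
    return sas

def diagnose(before_text: str, after_text: str) -> dict[str, str]:
    """Return a verdict per SA (keyed by remote ident) from two snapshots.
    'one-way: decrypt only' is the ASA post's symptom: the peer's packets arrive
    and decrypt but nothing is encrypted back, so the return path on this side
    (route toward the pool, NAT exemption, vpn-filter) is where to look next."""
    before = {sa.remote_ident: sa for sa in parse_ipsec_sa(before_text)}
    verdicts: dict[str, str] = {}
    for new in parse_ipsec_sa(after_text):
        old = before.get(new.remote_ident)
        if (old is None or old.peer != new.peer
                or new.encaps < old.encaps or new.decaps < old.decaps):
            verdict = "rekeyed/new"  # not in the first snapshot, or counters reset
        elif new.encaps == old.encaps and new.decaps == old.decaps:
            verdict = "idle"
        elif new.encaps == old.encaps:
            verdict = "one-way: decrypt only"
        elif new.decaps == old.decaps:
            verdict = "one-way: encrypt only"
        else:
            verdict = "bidirectional"
        verdicts[new.remote_ident] = verdict
    return verdicts

if __name__ == "__main__":
    for ident, verdict in diagnose(BEFORE, AFTER).items():
        print(f"{ident:40s} {verdict}")
```

A single snapshot with zero encaps is not proof by itself (both SAs in the thread show that right after establishment); the delta across a controlled ping is what isolates the return path.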
[SOLVED] l2tp-ipsec-vpn-daemon from AUR fails to build
Please let me know if there are other details that require posting:-
==> Starting build()...
/usr/bin/qmake -o qttmp-Release.mk -after "OBJECTS_DIR=build/Release" "DESTDIR=dist/Release" nbproject/qt-Release.pro
mv -f qttmp-Release.mk nbproject/qt-Release.mk
make -f nbproject/qt-Release.mk dist/Release/L2tpIPsecVpnControlDaemon
make[1]: Entering directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/main.o src/main.cpp
g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/VpnClientConnection.o src/VpnClientConnection.cpp
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::readyRead()':
src/VpnClientConnection.cpp:133:99: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Executing command %s", m_strActiveCommand.toAscii().constData());
^
src/VpnClientConnection.cpp:140:75: error: 'class QString' has no member named 'toAscii'
if (COMMANDS[iCommand].pPipe->write(strCommand.toAscii().constData()) == strCommand.length())
^
src/VpnClientConnection.cpp:159:63: error: 'class QString' has no member named 'toAscii'
if (::mkfifo(strCommandParts[1].toAscii().constData(), DEFFILEMODE) == 0)
^
src/VpnClientConnection.cpp:161:84: error: 'class QString' has no member named 'toAscii'
const int iChmodResult(::chmod(strCommandParts[1].toAscii().constData(), DEFFILEMODE));
^
src/VpnClientConnection.cpp:168:87: error: 'class QString' has no member named 'toAscii'
const int iChownResult(::chown(strCommandParts[1].toAscii().constData(), pPwdInfo->pw_uid, pPwdInfo->pw_gid));
^
src/VpnClientConnection.cpp:193:77: error: 'const class QString' has no member named 'toAscii'
if (COMMANDS[iCommand].pPipe->write(str.toAscii().constData()) != str.length())
^
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandError(QProcess::ProcessError)':
src/VpnClientConnection.cpp:250:96: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with error code %d", m_strActiveCommand.toAscii().constData(), ERR_COMMAND_FAILED_TO_START + iError);
^
src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandFinished(int)':
src/VpnClientConnection.cpp:257:95: error: 'class QString' has no member named 'toAscii'
::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with exit code %d", m_strActiveCommand.toAscii().constData(), iExitCode);
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseResult, const QString&)':
src/VpnClientConnection.cpp:268:118: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + QString::number(resultCode) + " " + strCommand + '\n').toAscii().constData());
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseInformation)':
src/VpnClientConnection.cpp:281:108: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + QString::number(responseInformation) + '\n').toAscii().constData());
^
src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, const QString&)':
src/VpnClientConnection.cpp:294:78: error: 'const class QString' has no member named 'toAscii'
m_pSocket->write((QString::number(responseType) + " " + strOutputline).toAscii().constData());
^
nbproject/qt-Release.mk:319: recipe for target 'build/Release/VpnClientConnection.o' failed
make[1]: *** [build/Release/VpnClientConnection.o] Error 1
make[1]: Leaving directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
Makefile:62: recipe for target 'build' failed
make: *** [build] Error 2
==> ERROR: A failure occurred in build().
Aborting...
==> ERROR: Makepkg was unable to build l2tp-ipsec-vpn-daemon.
Last edited by n1md4 (2014-06-06 09:47:25)
Have you tried 0.9.9-2 from the comments: https://aur.archlinux.org/packages/l2tp … pn-daemon/ ?
-
IPSec secured L2TPv3 - one way traffic in L2 tunnel
Sigh... after 7 hours of battling, I'm coming here because I've exhausted all my options to find an answer to my problem.
So here is the topology, a standard (boring) IPsec-secured L2TPv3 tunnel: on one side an 897 connected to a DSL box, on the other side a 1921 with two interfaces.
The purpose is to set up a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch can communicate with a number of devices connected to the 1921 on the other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, the IPsec tunnel comes up and does pass traffic - I can ping from one l1 to the other l1; below is the output from 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at the detailed output of l2tun, you will see that the tunnel receives traffic from 1921 but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on other side - 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into 897's G3 with IP address 10.97.2.25. I can ping from it 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Does anyone have a reasonable suggestion as to what might be wrong? I suspect that something is wrong on 897's side.
One last question - how can I create an SVI on the 1921 and assign it an IP address from the 10.97.2.0/24 network?
Anybody? Opened ticket #630128425, no response from Cisco yet.
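The posted configuration carries Ethernet frames inside L2TPv3 (IP protocol 115) inside ESP tunnel mode over a PPPoE dialer whose MTU, and the SA's reported path MTU, is 1492. With "ip pmtu" plus "ip dfbit set" on the pseudowire class and "crypto ipsec df-bit set" on the 1921, an oversized frame is not fragmented but dropped, so the overhead arithmetic decides which host packets can cross at all. The following is an added example, not part of the original post or of any Cisco tooling; it assumes the posted transform set (esp-aes, i.e. AES-CBC with a 16-byte IV, plus esp-sha-hmac, i.e. HMAC-SHA1-96 with a 12-byte ICV), an L2TPv3 session header of 4 bytes with no cookie and no L2-specific sublayer (set COOKIE_LEN if one is configured), and no FCS on the bridged frame.

```python
"""MTU budget for Ethernet-over-L2TPv3-over-ESP (tunnel mode) on a 1492-byte path.

Added example, not from the original post. Assumptions (see lead-in):
- ESP: AES-CBC (16-byte block and IV) + HMAC-SHA1-96 (12-byte ICV).
- L2TPv3 over IP: 4-byte session ID, no cookie, no L2-specific sublayer.
- Bridged Ethernet frame: 14-byte header, no FCS.
"""

IPV4_HDR = 20
ESP_SPI_SEQ = 8          # SPI + sequence number
AES_BLOCK = 16
AES_IV = 16
SHA1_96_ICV = 12
ESP_TRAILER = 2          # pad length + next header
L2TPV3_SESSION_ID = 4
COOKIE_LEN = 0           # assumption: no cookie configured on the l2tp class
ETH_HDR = 14             # no FCS carried over the pseudowire


def esp_padding(payload_len: int) -> int:
    """Padding AES-CBC needs so payload + pad + trailer fills whole 16-byte blocks."""
    return (-(payload_len + ESP_TRAILER)) % AES_BLOCK


def esp_tunnel_packet_len(inner_ip_len: int) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_ip_len bytes."""
    return (IPV4_HDR + ESP_SPI_SEQ + AES_IV + inner_ip_len
            + esp_padding(inner_ip_len) + ESP_TRAILER + SHA1_96_ICV)


def l2tpv3_packet_len(host_ip_len: int) -> int:
    """Size of the L2TPv3/IP packet (between the loopbacks) that carries one
    bridged Ethernet frame whose IP payload is host_ip_len bytes."""
    return IPV4_HDR + L2TPV3_SESSION_ID + COOKIE_LEN + ETH_HDR + host_ip_len


def wire_len_for_host_packet(host_ip_len: int) -> int:
    """Total ESP packet size for an IP packet of host_ip_len bytes sent by a
    host behind the pseudowire (L2TPv3 packet becomes the ESP payload)."""
    return esp_tunnel_packet_len(l2tpv3_packet_len(host_ip_len))


def max_host_mtu(path_mtu: int) -> int:
    """Largest host IP packet whose encapsulated form fits within path_mtu.
    With DF set on both the pseudowire and the ESP packet, anything larger
    is dropped instead of fragmented. wire_len_for_host_packet is
    non-decreasing, so a binary search is safe."""
    lo, hi = 0, path_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if wire_len_for_host_packet(mid) <= path_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    path_mtu = 1492  # as shown for Dialer1 in the posted 'sh cry ips sa'
    for size in (1500, 1400, max_host_mtu(path_mtu)):
        fits = wire_len_for_host_packet(size) <= path_mtu
        print(f"host packet {size:4d} -> {wire_len_for_host_packet(size)} bytes on the wire"
              f" ({'fits' if fits else 'exceeds path MTU'})")
    print("largest host packet over a", path_mtu, "byte path:", max_host_mtu(path_mtu))
```

Under these assumptions a 1500-byte host packet becomes 1608 bytes of ESP, and even a 1400-byte host packet (the figure that worked for the GETVPN poster above) comes out at 1496, four bytes over the 1492-byte dialer MTU; the largest host packet that fits is 1384 bytes. Two practical consequences follow: hosts behind the pseudowire need their MTU lowered to that value (or the pseudowire must be allowed to fragment), and "ip tcp adjust-mss 1452" on Dialer1 does not help here, because frames entering the xconnect on Gi3 are encapsulated whole rather than routed through Dialer1 as TCP. To confirm the ceiling on the box itself, step the size of an extended ping with the DF bit set between the loopbacks, for example "ping 172.16.1.2 source Loopback1 size 1422 df-bit" (1422 being the largest L2TPv3/IP packet that still fits in 1492 bytes of ESP with these parameters).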
-
IPSec / Windows / Oracle Client
I am trying to implement IPSec on our Windows 2003 servers to assist with some security compliance issues. For ease use, I have tried the Client (Respond Only) and Server (Request Security) IPSec policies that come with Windows Server by default.
When I do this, my client systems respond with ORA-12571: TNS:packet writer failure, ORA-03114: not connected to ORACLE, ORA-03135: connection lost contact, and other related errors.
The problem resolves itself by deactivating the IPSec policy on the Oracle server.
Is there any setting I can change in Oracle on either the client or server that would prevent this? The Oracle Alert Log shows no record of these issues and the server seems to be working fine.
Thanks in advance.
Well, I tunnel (using OpenSSH) some of my Oracle connections via 3 networks to servers over 1000 km away - and I do not have issues relating to Oracle timing out connections because of latency.
TCP is a pretty robust protocol. I do not see Oracle breaking that type of robustness by being overly sensitive to TCP latency.
More likely this is a problem with Windows itself. Microsoft is well known for not adhering to standards, and twisting these with proprietary interpretations in order to lock the customer and software into a Microsoft Windows-only solution.
A TNS packet writer failure is an exception that is typically caused when Oracle uses a socket handle to write data, and the kernel returns an error. Thus the error is not in the Oracle s/w layer, but comes directly from the IP stack in kernel space - a network layer error.
In my case, using ssh tunnels, I would usually see this when an ssh tunnel daemon goes fubar and the listener/proxy for that local (or remote) TCP port forwarder no longer exists.
I cannot recall ever seeing this being caused by Oracle itself.
-
Hi,
Attached is my network topology. I want to encrypt the traffic comes from site A,B, and C to the main router and visa versa.
I think we have two options:
1- Make the main router the IPSec termination for the sites A,B, and C routers.
2- Make Site A Router the IPSec termination for sites B and C and the main router the IPSec termination for site A.
Which one is preferred and why?
Thanks in advance
Abd Alqader
Hi
There are a number of things to take into account here.
1) Does router A do any NAT/PAT on packets going through it? If it does, it may be easier to terminate VPNs from B and C on A and then start a new VPN to the main router.
2) Processing power of the routers. If you use A as a termination point then it needs to do VPN not just for users at Site A but also for sites B & C.
3) Complexity of configuration. I think if you create separate VPNs from each site to the main site your configuration will be easier.
4) Redundancy. At the moment Router A is a single point of failure, in that if it goes down B & C also lose connectivity. If you were at some future date to have secondary links from B & C it would make sense to have separate VPNs rather than aggregate via A.
All things being equal I would look to create individual VPNs from each site, but this is a recommendation based on what you have supplied. There may be more factors for you to consider.
HTH
Jon -
Configuring IPSec in Solaris 9
Hello Friends,
I want to configure IPSec in solaris 9 so that a win2k/XP machine can communicate with that solaris m/c using IPSec. Could anybody help me regarding this. I have a basic idea of IPSec. I just want a step by step instructions for how to configure it. I have searched through google and found many docs which instructs how to configure IPSec between solaris only and also between windows only and I have succeeded to do so. But failed to configure it within solaris and windows.
Thanks and Regards
Dipta P Banerjee
Yes, you can use the Oracle thin driver.
Your connection pool configuration is actually using the datasource of the Oracle thin driver.
1) download the Oracle thin driver from Oracle
2) the .jar needs to be kept in AS_INSTALL/domains/<domain-name>/lib/ext
3) restart AS
4) set all the necessary properties for the Oracle thin driver conn. pool (refer to App Server Administration Guide > JDBC Resources > Config. for specific JDBC Drivers > Oracle thin type 4 driver)
5) Ping conn. pool
If you are still getting the failure message, please post:
1) exception got during ping, from domains/<domain-name>/logs/server.log
2) connection pool configuration
Thanks,
-Jagadish