IPsec IKEv1 ASA tunnel dropping down.

Greetings people.
I have a typical ISAKMP/IKEv1 hub-and-spoke topology.
My hub is an ASA 5510 and the spokes are 5505s.
On one of the 5505 spokes I have two tunnels, one to the HUB and another to another SPOKE.
The tunnel from the ASA 5505 to the HUB breaks as soon as some traffic gets through, or sometimes in general. During production hours the breaks occur every 20 minutes, sometimes every hour. The tunnel comes back pretty fast, in a couple of minutes, but it is still breaking. I have the asa846-k8 image on the spoke.
The interesting thing is that the tunnel from that spoke to the other spoke is not breaking so often, but it does not carry as much traffic as the problematic one.
I have checked the configurations, and the tunnel settings are the same on both sides, like the auth protocol, the DH group and similar.
I will post some configs here. I have also tried debug crypto ikev1 but did not get anything useful there.
SPOKE
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto map CoCo_map 1 match address CoCo_cryptomap
crypto map CoCo_map 1 set pfs
crypto map CoCo_map 1 set peer xxx.xxx.xxx.xxx
crypto map CoCo_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
HUB
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.x.x.
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
If any more config outputs are needed I will be glad to send them. I have tried to collect some info with the PRTG ASA VPN SNMP traffic sensor but had no luck getting it to work.
Thanks in advance.
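As an added check (not from the original post), this script parses the SPOKE and HUB snippets posted above and reports whether the two ASAs share a phase-1 policy, agree on PFS and have at least one transform set in common. The crypto map names and policies are taken from the post; the peer addresses are the poster's placeholders.

```python
import re

# Constructed sample input: the SPOKE and HUB snippets from the post above.
# Peer addresses are the poster's placeholders, not real endpoints.
SPOKE_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto map CoCo_map 1 match address CoCo_cryptomap
crypto map CoCo_map 1 set pfs
crypto map CoCo_map 1 set peer xxx.xxx.xxx.xxx
crypto map CoCo_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
"""
HUB_CFG = """\
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""

# Attributes that must be identical for two IKEv1 policies to match.
# Lifetime is tracked separately: the peers may legitimately differ there.
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_asa(cfg):
    """Return ({priority: attrs}, {(map_name, seq): entry}) from ASA IKEv1 config text."""
    policies, maps, current = {}, {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        m = re.match(r"crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if line.startswith(" ") and current is not None:   # indented policy attribute
            key, _, value = line.strip().partition(" ")
            current[key] = value
            continue
        current = None                                      # back at top level
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if not m:
            continue
        entry = maps.setdefault((m.group(1), int(m.group(2))),
                                {"pfs": None, "transform_sets": [], "peer": None})
        rest = m.group(3).split()
        if rest[:2] == ["set", "pfs"]:
            # "set pfs" without a group relies on the platform default; record it as
            # "default" so a side that names an explicit group is reported as a mismatch.
            entry["pfs"] = rest[2] if len(rest) > 2 else "default"
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:3] == ["set", "ikev1", "transform-set"]:
            entry["transform_sets"] = rest[3:]
    return policies, maps


def compare_sides(local_cfg, local_map, remote_cfg, remote_map):
    """Report whether two ASA peers can agree on phase 1, PFS and a transform set."""
    lpol, lmaps = parse_asa(local_cfg)
    rpol, rmaps = parse_asa(remote_cfg)
    phase1 = [(lp, rp) for lp, la in lpol.items() for rp, ra in rpol.items()
              if all(la.get(k) == ra.get(k) for k in PHASE1_KEYS)]
    lifetime_differs = [(lp, rp) for lp, rp in phase1
                        if lpol[lp].get("lifetime") != rpol[rp].get("lifetime")]
    lent, rent = lmaps[local_map], rmaps[remote_map]
    common_ts = [t for t in lent["transform_sets"] if t in rent["transform_sets"]]
    pfs_ok = lent["pfs"] is not None and lent["pfs"] == rent["pfs"]
    return {"phase1_matches": phase1, "lifetime_differs": lifetime_differs,
            "pfs_ok": pfs_ok, "common_transform_sets": common_ts,
            "ok": bool(phase1) and bool(common_ts) and pfs_ok}


if __name__ == "__main__":
    print(compare_sides(SPOKE_CFG, ("CoCo_map", 1), HUB_CFG, ("outside_map", 3)))
```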

hi,
Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
HTH
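To make the PFS point above concrete, here is an added example (not from the reply or from Cisco) that carries out the IKEv1 Quick Mode key derivation of RFC 2409 section 5.5 with and without PFS, using Oakley group 2 (the "group 2" in the policies posted) and HMAC-SHA1 as the prf; SKEYID_d, the SPI and the nonces are constructed values.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 from RFC 2409 section 6.2: a 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def prf(key, data):
    """The IKEv1 prf for a 'hash sha' policy is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh Diffie-Hellman private/public pair for a Quick Mode PFS exchange."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x, peer_public):
    """g^xy as the 128-byte big-endian string that IKE feeds into the prf."""
    return pow(peer_public, x, GROUP2_P).to_bytes(128, "big")


def quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, qm_dh_secret=None, protocol=3):
    """First prf block of KEYMAT for one IPsec SA (RFC 2409 section 5.5):
         without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
         with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
       protocol 3 is PROTO_IPSEC_ESP; spi is the 4-byte ESP SPI of that SA."""
    body = bytes([protocol]) + spi + ni_b + nr_b
    if qm_dh_secret is not None:
        body = qm_dh_secret + body
    return prf(skeyid_d, body)


def demo():
    """Derive one IPsec SA key on both peers, with and without PFS, and show what
    someone who later obtains SKEYID_d can rebuild. All secrets are constructed."""
    skeyid_d = secrets.token_bytes(20)      # phase-1 derived secret shared by both peers
    spi = secrets.token_bytes(4)            # chosen by the SA's receiver, sent in Quick Mode
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)   # Quick Mode nonces
    # With PFS each peer adds a fresh DH pair; only g^xi and g^xr are transmitted.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    k_initiator = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, dh_shared(xi, gxr))
    k_responder = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, dh_shared(xr, gxi))
    k_no_pfs = quick_mode_keymat(skeyid_d, spi, ni_b, nr_b)
    # View of a party holding SKEYID_d plus the Quick Mode payloads (spi, nonces,
    # gxi, gxr): enough to rebuild the non-PFS key exactly, while the PFS key also
    # needs xi or xr, which never left the peers. That is the property the reply describes.
    view = (skeyid_d, spi, ni_b, nr_b, gxi, gxr)
    rebuilt_no_pfs = quick_mode_keymat(*view[:4])
    return {"pfs_peers_agree": k_initiator == k_responder,
            "no_pfs_rebuilt_from_view": rebuilt_no_pfs == k_no_pfs,
            "pfs_key_differs_from_no_pfs": k_initiator != k_no_pfs}


if __name__ == "__main__":
    print(demo())
```

Each IPsec rekey with PFS costs one extra group-2 exponentiation per side, which is why both ends of a tunnel must agree on "set pfs" and its group.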

Similar Messages

  • IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

    >>Both routers are located in different countries and connected through an ISP
    >>IPsec over GRE tunnel is configured on both routers
    >>The tunnel's line protocol is down on both ends, but the tunnel destination is reachable from the tunnel source
    >>Packets are not being received on Router_1, but I can see packets getting encrypted on Router_2
    >>The ISP is not finding any issue on their end
    >>Please guide me on how I can fix this issue and what needs to be checked?
    ========================
    Router_1#sh run int Tunnel20
    Building configuration...
    Current configuration : 272 bytes
    interface Tunnel20
     bandwidth 2048
     ip address 3.85.129.141 255.255.255.252
     ip mtu 1412
     ip flow ingress
     delay 1
     cdp enable
     tunnel source GigabitEthernet0/0/3
     tunnel destination 109.224.62.26
    end
    ===================
    Router_1#sh int Tunnel20
    Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
      Hardware is Tunnel
      Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
      Internet address is 3.85.129.141/30
      MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
              Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 14w4d, output hang never
      Last clearing of "show interface" counters 2y5w
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1565172427 packets input, 363833090294 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1778491917 packets output, 1555959948508 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
    Packet sent with a source address of 195.27.20.14
    Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
    Router_1#
    ============================================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
    Router_1#sh clock
    15:09:45.421 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
    Router_1#sh clock
    15:11:36.476 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_2#sh run int Tu1
    Building configuration...
    Current configuration : 269 bytes
    interface Tunnel1
     bandwidth 2000
     ip address 3.85.129.142 255.255.255.252
     ip mtu 1412
     ip flow ingress
     load-interval 30
     keepalive 10 3
     cdp enable
     tunnel source GigabitEthernet0/0
     tunnel destination 195.27.20.14
    end
    Router_2#
    =======================
    Router_2#sh run | sec cry
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key Router_2 address 195.27.20.14
    crypto isakmp key Router_2 address 194.9.241.8
    crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
     mode transport
    crypto map <Deleted> 10 ipsec-isakmp
     set peer 195.27.20.14
     set transform-set ge3vpn
     match address Router_2
    crypto map <Deleted> 20 ipsec-isakmp
     set peer 194.9.241.8
     set transform-set ge3vpn
     match address Router_1
     crypto map <Deleted>
    Router_2#
    ====================================
    Router_2#sh cry ip sa pe 195.27.20.14 | in caps
        #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
        #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
    Router_2#sh clock
    .15:10:33.296 UTC Thu Dec 25 2014
    Router_2#
    ========================
    Router_2#sh int Tu1
    Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
      Hardware is Tunnel
      Internet address is 3.85.129.142/30
      MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (10 sec), retries 3
      Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
       Tunnel Subblocks:
          src-track:
             Tunnel1 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         1881547260 packets input, 956465296 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1705198723 packets output, 2654132592 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
    Packet sent with a source address of 109.224.62.26
    Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
    Router_2#
    =========================

    Hello.
    First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
    Configure an inbound ACL on the router to match the ESP protocol and check if the packets arrive.
    Please provide the full output of "show crypto ipsec sa" from both sides.
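The diagnosis in this thread rests on taking "show crypto ipsec sa" twice and comparing counters. As an added example (not from the thread), this script automates that comparison for the two Router_1 snapshots quoted above and flags the one-way pattern they show; the clock strings are the poster's "show clock" output.

```python
import re
from datetime import datetime

# Constructed sample: the two Router_1 snapshots quoted in the post above, with the
# poster's ">>>>" annotation left in place to show that the parser ignores it.
SNAPSHOTS = [
    ("15:09:45.421 UTC Thu Dec 25 2014",
     "    #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306\n"
     "    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611\n"),
    ("15:11:36.476 UTC Thu Dec 25 2014",
     "    #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339\n"
     "    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611"
     ">>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2\n"),
]

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_counters(text):
    """Pull the per-SA packet counters out of 'show crypto ipsec sa' output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def parse_clock(text):
    """Parse IOS 'show clock'. A leading '.' means the clock is authoritative but NTP
    is not synchronised, '*' that it is not authoritative; for measuring an interval
    on the same box either is still usable. The sample is in UTC."""
    clean = text.strip().lstrip(".*").replace(" UTC", "")
    return datetime.strptime(clean, "%H:%M:%S.%f %a %b %d %Y")


def diagnose(snapshots):
    """Compare the first and last snapshot and classify the traffic pattern.
    encaps counts packets this router encrypted toward the peer, decaps packets
    it received from the peer and decrypted."""
    (t0, s0), (t1, s1) = snapshots[0], snapshots[-1]
    c0, c1 = parse_counters(s0), parse_counters(s1)
    delta = {k: c1[k] - c0[k] for k in c0}
    sent, received = delta["encaps"], delta["decaps"]
    if sent > 0 and received == 0:
        verdict = "one-way: encrypting toward the peer, nothing decrypted from it"
    elif sent == 0 and received > 0:
        verdict = "one-way: decrypting from the peer, nothing sent to it"
    elif sent == 0 and received == 0:
        verdict = "idle: no packets in either direction"
    else:
        verdict = "bidirectional"
    return {"interval_s": (parse_clock(t1) - parse_clock(t0)).total_seconds(),
            "delta": delta, "sent": sent, "received": received, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SNAPSHOTS))
```

When the far end's encaps counter is climbing (as Router_2's is in the post) while the near end's decaps stays flat, the ESP packets are being lost in between, which is exactly what the suggested inbound ESP ACL is meant to confirm.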

  • VRF IPSec to ASA

    I am trying to set up a VRF IPsec to ASA VPN tunnel. The VRF IPsec router is at the head office and the ASA is at the customer end. I can successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the IPsec stats when I initiate the ping from the head office (a ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
    GTO-ClientEdge-RT1#sh cry ipse sa    
    interface: GigabitEthernet0/0
        Crypto map tag: gto_share_map, local addr 192.33.232.209
       protected vrf: vrf-veridian
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 173.46.8.98 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 15, #recv errors 0
         local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    Crypto ISAKMP debugging is on
    GTO-ClientEdge-RT1#
    Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
    Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
    Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
    Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
    Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
    Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
    Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
    Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE     
    Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
    Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
    Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
    Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
    Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Nov 19 22:46:29.702: ISAKMP:      encryption AES-CBC
    Nov 19 22:46:29.702: ISAKMP:      keylength of 256
    Nov 19 22:46:29.702: ISAKMP:      hash SHA
    Nov 19 22:46:29.702: ISAKMP:      default group 5
    Nov 19 22:46:29.702: ISAKMP:      auth pre-share
    Nov 19 22:46:29.702: ISAKMP:      life type in seconds
    Nov 19 22:46:29.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
    Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
    Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
    Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
    Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
    Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
    Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
    Nov 19 22:46:29.806: ISAKMP:received payload type 20
    Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
    Nov 19 22:46:29.806: ISAKMP:received payload type 20
    Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
    Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Nov 19 22:46:29.806: ISAKMP (9023): ID payload
            next-payload : 8
            type         : 1
            address      : 192.33.232.209
            protocol     : 17
            port         : 500
            length       : 12
    Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
    Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP (9023): ID payload
            next-payload : 8
            type         : 1
            address      : 173.46.8.98
            protocol     : 17
            port         : 0
            length       : 12
    Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:received payload type 17
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
    Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
            authenticated
    Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
    Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
    Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
    Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
    Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
            spi 0, message ID = 1512038398, sa = 0x1235BF68
    Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
    Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    GTO-ClientEdge-RT1#sh cry isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    173.46.8.98     192.33.232.209  MM_NO_STATE       9023 ACTIVE (deleted) veridian-ike-prof
    IPv6 Crypto ISAKMP SA
    GTO-ClientEdge-RT1#
    Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
    Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
    Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
    Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
    Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
    Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
    Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
    Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE     
    Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
    Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
    Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
    Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
    Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Nov 19 22:46:59.702: ISAKMP:      encryption AES-CBC
    Nov 19 22:46:59.702: ISAKMP:      keylength of 256
    Nov 19 22:46:59.702: ISAKMP:      hash SHA
    Nov 19 22:46:59.702: ISAKMP:      default group 5
    Nov 19 22:46:59.702: ISAKMP:      auth pre-share
    Nov 19 22:46:59.702: ISAKMP:      life type in seconds
    Nov 19 22:46:59.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
    Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
    Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
    Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
    Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
    Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
    Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
    Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
    Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
    Nov 19 22:46:59.802: ISAKMP:received payload type 20
    Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
    Nov 19 22:46:59.802: ISAKMP:received payload type 20
    Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
    Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
    Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Nov 19 22:46:59.802: ISAKMP (9024): ID payload
            next-payload : 8
            type         : 1
            address      : 192.33.232.209
            protocol     : 17
            port         : 500
            length       : 12
    Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
    Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
    Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
    Nov 19 22:46:59.806: ISAKMP (9024): ID payload
            next-payload : 8
            type         : 1
            address      : 173.46.8.98
            protocol     : 17
            port         : 0
            length       : 12
    Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
    Nov 19 22:46:59.806: ISAKMP:received payload type 17
    Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
    Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
            authenticated
    Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
    Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
    Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
    Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
    Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
            spi 0, message ID = 4129876318, sa = 0x1235C984
    Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
    Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
    Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
    Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
    Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    RT1#

    ASA doesn't like what you're sending.
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
    Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
    Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
    Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
    Check what's happening around QM1 on ASA.
    For reference working debugs:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
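    An added example, not code from the thread: a small Python parser that walks IOS "debug crypto isakmp" output like the trace above and reports in which IKE phase a fatal NOTIFY arrived. The point the reply above makes is visible in the state machine: INVALID_ID_INFO arriving after IKE_QM_I_QM1 (Phase 1 already complete) means the responder rejected the Quick Mode proxy identities, i.e. the crypto ACL entries, whereas the same notify during main mode would point at the Phase 1 identity. The sample lines are constructed in the same format as the post's debug, with the peer address replaced by a documentation range.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the IOS "debug crypto isakmp" output quoted above
# (same state names and notify text; peer address replaced with a documentation range).
SAMPLE_DEBUG = """\
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 198.51.100.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 198.51.100.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 198.51.100.98)
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"ISAKMP:?\s*\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"ISAKMP:?\s*\((\d+)\):\s*processing NOTIFY (\S+) protocol (\d+)")

# Meaning of the common fatal IKEv1 notifies, keyed by the phase in which they arrive.
DIAGNOSIS = {
    ("INVALID_ID_INFO", 2): "Phase 2 proxy identity mismatch: the responder rejected the ID payloads "
                            "sent in QM1. Compare the crypto ACL entries on both peers one by one.",
    ("INVALID_ID_INFO", 1): "Phase 1 identity mismatch: check the ISAKMP identity (address vs hostname) "
                            "and the peer / tunnel-group definition on the responder.",
    ("NO_PROPOSAL_CHOSEN", 2): "IPsec transform-set or PFS mismatch.",
    ("NO_PROPOSAL_CHOSEN", 1): "IKE policy mismatch (encryption, hash, DH group or authentication).",
}

@dataclass
class SaTrace:
    sa_id: str
    transitions: list = field(default_factory=list)   # (old_state, new_state)
    p1_complete: bool = False
    qm1_sent: bool = False
    notifies: list = field(default_factory=list)      # (notify_type, phase_it_arrived_in)

def parse_isakmp_debug(text):
    """Group state transitions and NOTIFY payloads per ISAKMP SA id."""
    traces = {}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sa_id, old, new = m.groups()
            t = traces.setdefault(sa_id, SaTrace(sa_id))
            t.transitions.append((old, new))
            t.p1_complete |= new == "IKE_P1_COMPLETE"
            t.qm1_sent |= new == "IKE_QM_I_QM1"
            continue
        m = NOTIFY_RE.search(line)
        if m:
            sa_id, ntype, _proto = m.groups()
            t = traces.setdefault(sa_id, SaTrace(sa_id))
            # A notify received after QM1 went out concerns the Phase 2 negotiation.
            t.notifies.append((ntype, 2 if t.qm1_sent else 1))
    return traces

def diagnose(trace):
    """Return one finding per fatal notify, with the phase it belongs to."""
    return [DIAGNOSIS.get(key, f"{key[0]} received in phase {key[1]}") for key in trace.notifies]

if __name__ == "__main__":
    for sa in parse_isakmp_debug(SAMPLE_DEBUG).values():
        print(f"SA {sa.sa_id}: P1 complete={sa.p1_complete}, QM1 sent={sa.qm1_sent}")
        for finding in diagnose(sa):
            print("  ", finding)
```

    The parser keys everything on the ISAKMP SA id in parentheses, so a debug covering several peers or several rekeys is still attributed correctly; the phase is inferred from whether IKE_QM_I_QM1 has already been seen for that SA.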

  • No Internet access when easy vpn tunnel is down.

    Hi.
    I have an error. I have an 819 router with an Easy VPN tunnel.
    I am using the Identical Addressing feature, where I NAT Vlan1 over Loopback0.
    I also have a Vlan2 where I don't use identical addressing.
    I have the Easy VPN tunnel configured on Loopback0 and Vlan2.
    From Vlan1 I NAT to Loopback0 with
    ip nat inside source static network 192.168.250.0 192.168.5.0 /24
    and I NAT outside with
    ip nat inside source list INET interface GigabitEthernet0 overload
    ip access-list extended INET
     permit ip 192.168.5.0 0.0.0.255 any
    When the tunnel is up, there is internet from Vlan1, Vlan2 and Loopback0.
    But when the tunnel is down, I can only get internet from Vlan2 and Loopback0.
    The route for the tunnel is 0.0.0.0; I need all data to go to the VPN when it's up and to the internet when it's down.
    Any ideas?
    Thanks.

    That is correct.
     Config.
    controller Cellular 0
    no cdp run
    track 1 ip sla 1 reachability
     default-state up
    ip tcp synwait-time 10
    ip ftp source-interface Vlan1
    ip ssh rsa keypair-name Router.yourdomain.com
    crypto ipsec client ezvpn VPN-Cel
     connect auto
     group VPN key -key-
     mode network-extension
     peer 12.12.12.12
     virtual-interface 1
     username RouterCel password Password
     xauth userid mode local
    crypto ipsec client ezvpn VPN-Eth
     connect auto
     group PANTst key -key-
     backup VPN-Cel track 1
     mode network-extension
     peer 12.12.12.12
     virtual-interface 1
     username Router password Password
     xauth userid mode local
    interface Loopback0
     ip address 192.168.6.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip virtual-reassembly in
     crypto ipsec client ezvpn VPN-Cel inside
     crypto ipsec client ezvpn VPN-Eth inside
    interface Cellular0
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect CCP_LOW out
     ip virtual-reassembly in
     ip verify unicast reverse-path
     encapsulation slip
     load-interval 30
     dialer in-band
     dialer idle-timeout 0
     dialer string hspa-R7
     dialer-group 1
     no peer default ip address
     async mode interactive
     crypto ipsec client ezvpn VPN-Cel
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 2
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface GigabitEthernet0
     ip dhcp client route track 1
     ip address dhcp
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect CCP_LOW out
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn VPN-Eth
    interface Serial0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     clock rate 2000000
    interface Virtual-Template1 type tunnel
     no ip address
     ip nat outside
     ip virtual-reassembly in
     tunnel mode ipsec ipv4
    interface Vlan1
     ip address 192.168.250.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     no autostate
    interface Vlan2
     ip address 192.168.16.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     no autostate
     crypto ipsec client ezvpn VPN-Cel inside
     crypto ipsec client ezvpn VPN-Eth inside
    interface Dialer2
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    ip local policy route-map myRoutes
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list INTERNET interface GigabitEthernet0 overload
    ip nat inside source static network 192.168.250.0 192.168.6.0 /24
    ip route 0.0.0.0 0.0.0.0 Cellular0 254
    ip route 8.8.4.4 255.255.255.255 Cellular0
    ip access-list extended INTERNET
     permit ip 192.168.6.0 0.0.0.255 any
     permit ip 192.168.16.0 0.0.0.255 any
    ip sla auto discovery
    ip sla 1
     icmp-echo 8.8.8.8 source-interface GigabitEthernet0
    ip sla schedule 1 life forever start-time now
    dialer-list 1 protocol ip list 1
    dialer-list 2 protocol ip permit
    route-map myRoutes permit 10
     match ip address 101
     set ip next-hop dynamic dhcp
    access-list 1 permit any
    access-list 23 permit 12.12.12.12
    access-list 23 permit 192.168.0.0 0.0.255.255
    access-list 101 permit icmp any host 8.8.8.8 echo
    control-plane

  • Remote alert notification when s2s tunnel tears down

    Does anyone have any insight on how to set up an alert notification (say, email) natively whenever an S2S tunnel comes down? Currently experiencing some infrequent S2S issues on an ASA5510 - IOS 8.0(3).

    You create a class for that level and then have it emailed to you.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

  • L2TP script to initiate a router reload when tunnel goes down - working

    Hi,
         Just thought I would post a working EEM script for doing a router reload when the L2TP tunnel goes down....
    I am using a 3825 router to initiate a site-to-site tunnel with a 3rd-party VPN service - StrongVPN.  On the odd occasion when the tunnel goes down, the L2TP tunnel state goes to "no session left" and the Virtual-PPP1 interface - which is tied to the L2TP VPN - goes down.  Unfortunately, because I have no control over the far-end router, the only way to bring it back up is through a router reload....
    Here you go:
    event manager applet L2TP-DOWN
    event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down"
    action 1.0 syslog msg "The L2TP VPN is down"
    action 1.1 cli command "enable"
    action 1.2 cli command "reload in 10" pattern "confirm"
    action 1.3 cli command ""
    action 1.4 syslog msg "EEM scheduled reload in 10 minutes"
    event manager applet L2TP-UP
    event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up"
    action 1.0 syslog msg "The L2TP VPN is up"
    action 1.1 cli command "enable"
    action 1.2 cli command "reload cancel"
    Jason

    Hi Arie,
         So, here is the script I am using....
    When the L2TP tunnel goes to "no sessions left", the virtual-ppp1 interface goes down.  That's the typical message I get when it goes down.  So, when I reboot the router, the script shows the message that the virtual-ppp1 interface is up when the L2TP tunnel comes up.  I checked the debugs and that is the behaviour when the tunnel goes up / down...
    Here you go:
    event manager applet L2TP-DOWN
    event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down"
    action 1.0 syslog msg "The L2TP VPN is down"
    action 1.1 cli command "enable"
    action 1.2 cli command "reload in 10" pattern "confirm"
    action 1.3 cli command ""
    action 1.4 syslog msg "EEM scheduled reload in 10 minutes"
    event manager applet L2TP-UP
    event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up"
    action 1.0 syslog msg "The L2TP VPN is up"
    action 1.1 cli command "enable"
    action 1.2 cli command "reload cancel"
    Thanks.

  • ASA is tearing down vpn connections aleatorily

    Cisco ASA5510 running 8.0.4 is tearing down VPN connections randomly. The user opens a VPN connection to the ASA with the Cisco client or another client, browses a server and starts a file transfer. Randomly the file transfer stops; the VPN stays up and the user can still browse the server, but the transfer stops with a network connection error. Sometimes it is at the beginning of the file, sometimes in the middle or at the end, sometimes it works. We tried many users and many servers, with the same behaviour. Without VPN the transfer works fine. The log messages are like this:
    Oct 25 2012 20:23:50 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360702 for dmz_sp:10.120.7.56/58119 to inside:172.18.1.3/8800 duration 0:00:00 bytes 9389 TCP Reset-O (vpnbmb)
    Any idea what the problem is? Could it be IPsec packets out of sequence? How do I check the IPsec sequence number?
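    An added example, not part of the post: a Python parser for the %ASA-6-302014 teardown message quoted above. It pulls out the connection tuple, duration, byte count, teardown reason and the VPN user in parentheses, flags connections that were reset within a few seconds while already carrying data (the pattern described), and groups teardowns by reason and user so it is obvious whether only VPN users are affected. The first sample line is the one from the post; the other two are constructed in the same format.

```python
import re
from collections import Counter

# Sample lines: the first is the message quoted in the post; the other two are
# constructed in the same %ASA-6-302014 format to show a second reset and a normal close.
SAMPLE_LOG = """\
Oct 25 2012 20:23:50 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360702 for dmz_sp:10.120.7.56/58119 to inside:172.18.1.3/8800 duration 0:00:00 bytes 9389 TCP Reset-O (vpnbmb)
Oct 25 2012 20:23:52 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360710 for dmz_sp:10.120.7.56/58120 to inside:172.18.1.3/8800 duration 0:00:03 bytes 120455 TCP Reset-O (vpnbmb)
Oct 25 2012 20:24:10 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360731 for dmz_sp:10.120.7.60/50001 to inside:172.18.1.3/8800 duration 0:02:14 bytes 4096512 TCP FINs (other_user)
"""

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)(?: \((?P<user>[^)]*)\))?$"
)

def parse_teardowns(text):
    """Parse every 302014 line into a dict; duration is converted to seconds."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["duration_s"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + int(d.pop("s"))
        d["bytes"] = int(d["bytes"])
        records.append(d)
    return records

def reset_source(rec):
    """Which end sent the RST. Per the ASA syslog documentation, Reset-I means the
    reset came from the inside (higher-security) interface and Reset-O from the
    outside, i.e. the lower-security interface of the pair (here dmz_sp, the VPN side)."""
    return {
        "TCP Reset-I": "inside host (server side)",
        "TCP Reset-O": "lower-security side (VPN client side)",
    }.get(rec["reason"], "n/a")

def suspicious_resets(records, max_duration_s=5):
    """Connections reset within max_duration_s while carrying data: the transfer
    started and then died, which is what the post describes."""
    return [r for r in records
            if r["reason"].startswith("TCP Reset") and r["duration_s"] <= max_duration_s and r["bytes"] > 0]

def summarise(records):
    """Count teardowns per (reason, user) so VPN-only patterns stand out."""
    return Counter((r["reason"], r["user"] or "-") for r in records)

if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for r in suspicious_resets(recs):
        print(f"conn {r['conn']} {r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
              f"reset after {r['duration_s']}s / {r['bytes']} bytes, RST from {reset_source(r)}")
    for (reason, user), n in summarise(recs).items():
        print(f"{reason:14} {user:12} {n}")
```

    Knowing which side sent the RST is the first thing to settle before suspecting IPsec: a Reset-O on a dmz-to-inside connection puts the RST on the VPN client side, not the server. Replay or sequence problems on the tunnel itself show up in the per-SA counters of "show crypto ipsec sa" rather than in 302014 messages.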

  • Two ASA tunnels, only some remote peers are reachable

    Hi, very strange issue here ...
    Brief overview ..... I have one ASA with two tunnels, each going to a different 3rd-party Checkpoint firewall (site A, site B).
    Each site has two servers (A1, A2, B1, B2).
    I can only connect to A1 and B1. Any connection to A2 and B2 fails.
    I have defined B2 and A2 in the crypto map to be protected.
    If I only have B2 or A2 in the crypto map ACL then the tunnel fails. Phase 1 does not come up. It's as if the ASA is ignoring the entries for B2 and A2.
    ASA running 8.4(2).
    I have also trashed the VPN and built via the wizard, same result.
    Any thoughts greatly appreciated.
    Regards
    Paul

    Hi,
    To my understanding the Phase 1 should not be affected by the configuration you set in the Phase 2 ACL defining interesting traffic.
    Though it would naturally mean that your VPN negotiation would still fail.
    It would seem to me that if the secondary A2 and B2 addresses don't work along with A1 and B1, or even alone by themselves, the remote ends would have been configured incorrectly. Though it would seem weird if this happens on 2 different connections. Unless of course the same person handled the remote end configurations?
    If you want we could certainly check your ASA's configuration for any problems, after which you could ask the remote site management to go through their configurations.
    You also have the ability to use the "packet-tracer" command to see what is happening.
    The format is this:
    packet-tracer input <interface> tcp <source ip> <source port> <destination ip> <destination port>
    Just modify the above to suit your situation. The <interface> is the ASA interface behind which your connecting host is. (Don't use ASA interface IP addresses as the source.)
    Can you take the above command output when you are trying to connect to the A2 and B2 hosts? Please run the command twice for each and then copy/paste the second command's output here on the forums. Why I ask you to run it twice is because the first command is needed just to bring up the L2L VPN connection and it couldn't go through completely. The second command's output should on the other hand succeed if the configurations are correct. If it doesn't go through then the problem is probably the configurations between the local and remote site.
    You can also use the command "show crypto ipsec sa peer <peer ip>" to see if both devices of the L2L VPN connection have been able to form the connection.
    - Jouni
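    An added example, not from either poster: a Python check of what the reply above asks the remote administrators to verify, applied to the situation in this thread and to the INVALID_ID_INFO trace in the first thread on this page. Each entry of the local crypto ACL must have an exact mirror on the far end (their source equals our destination and vice versa); an entry with no mirror, or one the far end covers with a different prefix, is exactly the kind of proxy identity disagreement that makes Quick Mode fail for one host while its neighbour works. The ACLs below are constructed, with documentation addresses standing in for A1/A2 and B1/B2; they are not the poster's configuration.

```python
import ipaddress

# Constructed example (not the poster's configuration). LOCAL_ACL: the ASA crypto ACL
# entries as (local network, remote host). REMOTE_ACL: the encryption domain each
# Check Point administrator reports, as (their local, our network). Site A has
# hosts A1/A2, site B has B1/B2; all addresses are documentation ranges.
LOCAL_ACL = {
    "site_A": [("10.1.0.0/24", "192.0.2.10/32"),      # A1
               ("10.1.0.0/24", "192.0.2.11/32")],     # A2
    "site_B": [("10.1.0.0/24", "198.51.100.20/32"),   # B1
               ("10.1.0.0/24", "198.51.100.21/32")],  # B2
}
REMOTE_ACL = {
    "site_A": [("192.0.2.10/32", "10.1.0.0/24")],     # A2 was never added on the remote end
    "site_B": [("198.51.100.0/24", "10.1.0.0/24")],   # remote protects the whole /24 instead
}

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def check_mirror(local_entries, remote_entries):
    """For each local (src, dst) entry look for the remote entry that mirrors it
    exactly (remote src == local dst and remote dst == local src). Anything less
    than an exact mirror is reported: disagreeing proxy identities are the classic
    cause of INVALID_ID_INFO in IKEv1 Quick Mode."""
    results = []
    for l_src, l_dst in local_entries:
        ls, ld = _net(l_src), _net(l_dst)
        status = "missing on remote"
        for r_src, r_dst in remote_entries:
            rs, rd = _net(r_src), _net(r_dst)
            if rs == ld and rd == ls:
                status = "mirrored"
                break
            if ld.subnet_of(rs) and ls.subnet_of(rd):
                status = f"not an exact mirror (remote uses {r_src} <-> {r_dst})"
        results.append((l_src, l_dst, status))
    return results

def report(local, remote):
    """Run check_mirror per site; a site absent on the remote side counts as empty."""
    return {site: check_mirror(entries, remote.get(site, [])) for site, entries in local.items()}

if __name__ == "__main__":
    for site, rows in report(LOCAL_ACL, REMOTE_ACL).items():
        print(site)
        for l_src, l_dst, status in rows:
            print(f"  {l_src} -> {l_dst}: {status}")
```

    Run against the constructed data, site A shows A2 missing on the remote side and site B shows both hosts covered by a broader remote entry rather than mirrored; either output is what to send to the remote administrators before spending more time on packet-tracer.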

  • IPsec Issues ASA 8.0 and Watchguard XTM 510

    Hi Everyone,
    I am trying to merge two networks, one using an ASA 5510 as its edge device, and the other using a Watchguard XTM 510.  For some reason, when a connection is initiated from the Watchguard side, phase 1 completes with MM_ACTIVE, but when the ASA initiates, IKE shows the following status:
    IKE Peer: x.x.x.145    (Watchguard Side)
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG6
    Regardless, however, even at MM_ACTIVE, phase 1 resets and phase 2 never begins, so a connection is never made.  I have collected a debug from both sides and they are as follows:
    ASA IP:                x.x.x.60
    Watchguard IP:     x.x.x.145
    ASA:
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a83f)
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:02 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=e57925a0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a840)
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:04 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=6bfb344) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a841)
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:06 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=51a5ab4d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:08 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:08 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=1ef674ce) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:08 [IKEv1]: Ignoring msg to mark SA with dsID 2019328 dead because SA deleted
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Oakley proposal is acceptable
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received DPD VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received NAT-Traversal ver 02 VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing IKE SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ISAKMP SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Traversal VID ver 02 payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Fragmentation VID + extended capabilities payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ISA_KE payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Cisco Unity VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing xauth V6 VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send IOS VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Generating keys for Responder...
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing ID payload
    Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
    x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Freeing previously allocated memory for authorization-dn-attributes
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing ID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing dpd vid payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 107
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Keep-alive type for this connection: DPD
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Starting P1 rekey timer: 64800 seconds.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f28)
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:32 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=96f50614) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f29)
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:34 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f17efc6e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f2a)
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:36 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=a4d9cf11) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:38 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f1d3a895) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:38 [IKEv1]: Ignoring msg to mark SA with dsID 2023424 dead because SA deleted
    Watchguard:
    <158>Jan  7 13:57:11 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 384341539(Isakmp SA 0x81b26a0)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)MainMode: recv 1st msg pcy [newbury] peer x.x.x.60:500 (Ct=324)
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 started by peer with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloads : Payload(SA) Len(172)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalNtoH : Recv SPI(0x03 0000 0000 0x28) SPI(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_NAT-T_VID(first 4bytes: 0x9180cb90)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)P1__Mode: NAT-T negotiated [newbury] peer 0xd5534a3c:500
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalHtoN : net order spi(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending second message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received third  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(4) Len(196)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(10) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(12)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_XAUTH06_VID(first 4bytes: 0x89260009)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending fourth message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:17 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:21 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    Any insight you can provide in this regard would be greatly appreciated.

    The issue was resolved. Watchguard uses both a "Remote Gateway IP" and a "Remote Gateway ID." In most cases, these will have the same IPv4 value. However, in this case, the ASA was using an old FQDN as its ID, so it was causing a mismatch with the ID configured for that gateway on the Watchguard side. Once the ID was changed to the FQDN of the ASA, the tunnel came up and started passing traffic.
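    As an added example (not part of the thread), a small Python parser that runs over constructed lines in the same iked syslog format as the log above and flags the pattern that resolution describes: main mode failing at message 5/6 on the ID payload, followed by Phase 1 retries. The peer addresses and the second gateway name are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog format as the WatchGuard iked output
# quoted above (addresses are placeholders, not real hosts).
SAMPLE_LOG = """\
<158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan  7 13:57:17 iked[1976]: unsupported WG notification event - 524293
<158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<158>Jan  7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<156>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<158>Jan  7 13:57:30 iked[1976]: (x.x.x.145<->x.x.x.70)Received fifth  message with policy [otherbranch] from x.x.x.70:500 main mode
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) iked\[\d+\]: "
    r"\((?P<local>\S+?)<->(?P<peer>\S+?)\)(?P<msg>.*)$"
)
POLICY_RE = re.compile(r"policy \[([^\]]+)\]")


def parse_line(line):
    """Split one peer-scoped iked line into fields; returns None for lines that
    carry no peer pair, such as 'unsupported WG notification event'."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def _seconds(ts):
    """Time of day in seconds from 'Jan  7 13:57:16' (the date part is ignored)."""
    hh, mm, ss = ts.rsplit(" ", 1)[1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def summarize_phase1_failures(text, threshold=2):
    """Per peer, count main-mode ID-payload authentication failures and the
    Phase 1 retries that follow; report peers at or above the threshold."""
    per_peer = defaultdict(lambda: {"policy": set(), "mismatch": 0, "retries": []})
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        st = per_peer[ev["peer"]]
        pol = POLICY_RE.search(ev["msg"])
        if pol:
            st["policy"].add(pol.group(1))
        if "Mismatched ID settings" in ev["msg"]:
            st["mismatch"] += 1
        if "Retrying 1st phase" in ev["msg"]:
            st["retries"].append(_seconds(ev["ts"]))
    findings = {}
    for peer, st in per_peer.items():
        if st["mismatch"] < threshold:
            continue
        t = st["retries"]
        findings[peer] = {
            "policy": sorted(st["policy"]),
            "id_mismatch_failures": st["mismatch"],
            "retries": len(t),
            "retry_interval_s": [b - a for a, b in zip(t, t[1:])],
            # Message 5/6 of main mode carries the peer's ID; the failure means the
            # received ID did not match the configured Remote Gateway ID.
            "stage": "main mode msg 5/6 (ID payload)",
        }
    return findings


if __name__ == "__main__":
    for peer, info in summarize_phase1_failures(SAMPLE_LOG).items():
        print(peer, info)
```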

  • WAAS with IPSEC or GRE tunnels

    Hello,
    I have a client with HQ and remote site, I need to implement WAAS between them.
    The issue is that they are connected via GRE over IPsec over an MPLS WAN. Is there anything to take care of when implementing WAAS in a GRE/IPsec deployment?
    Thanks & BR
    Moamen

    I would keep in mind the following things...
    1. Interception - You have to ensure you intercept the traffic outside the tunnels, otherwise you won't get any compression. Hardware-based switches like the Cat6K cannot use WCCP on tunnel interfaces. Software-based routers can do interception on tunnel interfaces, but don't scale as much as the hardware-assisted platforms.
    2. Packet size - If you are getting excessive fragmentation, try lowering the Optimized MSS value on the WAEs to under what you need for headers. The WAAS default is 1432.
    Other than that, what you have is a pretty normal installation situation.
    Thanks,
    Dan

  • MPLS-TE Tunnel up/down

    Hi,
    Trying to build out an xconnect to follow a specific path (a longer path). I cannot get the tunnel to come up. I don't know what I missed; everything else looks OK. All interfaces are up and working, except the tunnel itself.
    I've included the MPLS portion of the config; if I missed something, let me know. I did enable MPLS-TE in OSPF on the routers in between. I have connectivity in between.
    Router 1:
    ip cef
    mpls label protocol ldp
    mpls traffic-eng tunnels
    mpls label protocol ldp
    mpls traffic-eng tunnels
    pseudowire-class 5001
     encapsulation mpls
     preferred-path interface Tunnel5001
    interface Loopback10
     ip address 10.201.1.4 255.255.255.255
    interface Tunnel5001
     ip unnumbered Loopback10
     tunnel mode mpls traffic-eng
     tunnel destination 10.201.1.2
     tunnel mpls traffic-eng path-option 1 explicit name strict
     tunnel mpls traffic-eng path-selection metric te
    interface FastEthernet2/0
     xconnect 10.201.1.2 5001 encapsulation mpls pw-class 5001
    router ospf 100
     router-id 10.201.1.4
     mpls traffic-eng router-id Loopback10
     mpls traffic-eng area 0
    ip route 10.201.1.2 255.255.255.255 Tunnel5001
    ip explicit-path name strict enable
     next-address 10.201.1.3
     next-address 10.201.1.1
     next-address 10.201.1.2
    Router 2:
    ip cef
    mpls label protocol ldp
    mpls traffic-eng tunnels
    pseudowire-class 5001
     encapsulation mpls
     preferred-path interface Tunnel5001
    interface Loopback10
     ip address 10.201.1.2 255.255.255.255
    interface Tunnel5001
     ip unnumbered Loopback10
     tunnel mode mpls traffic-eng
     tunnel destination 10.201.1.4
     tunnel mpls traffic-eng path-option 1 explicit name strict
     tunnel mpls traffic-eng path-selection metric te
    interface FastEthernet2/0
     xconnect 10.201.1.4 5001 encapsulation mpls pw-class 5001
    router ospf 102
     router-id 10.201.1.2
     mpls traffic-eng router-id Loopback10
     mpls traffic-eng area 0
    ip route 10.201.1.4 255.255.255.255 Tunnel5001
    ip explicit-path name strict enable
     next-address 10.201.1.1
     next-address 10.201.1.3
     next-address 10.201.1.4
    From router 1. Both Router 1 and Router 2 show the same thing.
     show mpls l2transport vc detail
    Local interface: Fa2/0 up, line protocol up, Ethernet up
      Destination address: 10.201.1.2, VC ID: 5001, VC status: up
        Output interface: Fa1/1, imposed label stack {22}
        Preferred path: Tunnel5001,  no route
        Default path: active
        Next hop: 192.168.102.13
      Create time: 00:10:13, last status change time: 00:10:13
        Last label FSM state change time: 00:10:13
      Signaling protocol: LDP, peer 10.201.1.2:0 up
        Targeted Hello: 10.201.1.4(LDP Id) -> 10.201.1.2, LDP is UP
        Status TLV support (local/remote)   : enabled/supported
          LDP route watch                   : enabled
          Label/status state machine        : established, LruRru
          Last local dataplane   status rcvd: No fault
          Last BFD dataplane     status rcvd: Not sent
          Last BFD peer monitor  status rcvd: No fault
          Last local AC  circuit status rcvd: No fault
          Last local AC  circuit status sent: No fault
          Last local PW i/f circ status rcvd: No fault
          Last local LDP TLV     status sent: No fault
          Last remote LDP TLV    status rcvd: No fault
          Last remote LDP ADJ    status rcvd: No fault
        MPLS VC labels: local 22, remote 22
        Group ID: local 0, remote 0
        MTU: local 1500, remote 1500
        Remote interface description:
      Sequencing: receive disabled, send disabled
      Control Word: On (configured: autosense)
      Dataplane:
        SSM segment/switch IDs: 4101/4100 (used), PWID: 1
      VC statistics:
        transit packet totals: receive 0, send 0
        transit byte totals:   receive 0, send 0
        transit packet drops:  receive 0, seq error 0, send 0
    show int tun 5001
    Tunnel5001 is up, line protocol is down
      Hardware is Tunnel
      Interface is unnumbered. Using address of Loopback10 (10.201.1.4)
      MTU 17936 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.201.1.4, destination 10.201.1.2
      Tunnel protocol/transport Label Switching
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input never, output never, output hang never
      Last clearing of "show interface" counters 00:27:10
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Hi,
    One issue I can see is that you have mentioned loopback IPs in the explicit path, not the interface IP addresses. This cannot be a strict path; you have to mention the next-address as loose (which means the router will refer to the IGP to reach the next hop).
    ip explicit-path name strict enable
     next-address 10.201.1.1
     next-address 10.201.1.3
     next-address 10.201.1.4
    Correct way
    ip explicit-path name strict enable
     next-address loose 10.201.1.1
     next-address loose 10.201.1.3
     next-address loose 10.201.1.4
    To troubleshoot TE
    - First, you can remove the explicit path and try to bring it up with a dynamic path, which will help confirm that the configuration is OK on all routers in the path.
    - I hope you have configured "ip rsvp" on all physical interfaces.
    - If the link does not come up with the dynamic path option either, please share the output of the command "show mpls traffic-eng tunnels tunnel5001".
    --Pls don't forget to rate helpful posts--
    Regards,
    Akash
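    As an added check (not part of Akash's reply or the posted configs), a small Python validator that encodes the rule given above: a strict next-address must be a link address on a directly connected neighbour, while a loose hop may be any address the IGP can reach, such as a loopback. It walks the posted explicit path and the loose rewrite. The loopbacks are the ones from the configs in the thread; the router names and link addresses are constructed.

```python
import re

# Constructed topology modelled on the thread: R1..R4 carry the loopbacks from
# the posted configs; the link addresses below are assumptions, not from the page.
LOOPBACKS = {"R1": "10.201.1.1", "R2": "10.201.1.2", "R3": "10.201.1.3", "R4": "10.201.1.4"}
LINKS = [  # (router_a, addr_a, router_b, addr_b), one /30 per adjacency
    ("R4", "192.168.34.4", "R3", "192.168.34.3"),
    ("R3", "192.168.13.3", "R1", "192.168.13.1"),
    ("R1", "192.168.12.1", "R2", "192.168.12.2"),
    ("R4", "192.168.24.4", "R2", "192.168.24.2"),  # the shorter direct path the OP wants to avoid
]

HOP_RE = re.compile(
    r"^\s*next-address\s+(?:(?P<mode>strict|loose)\s+)?(?P<addr>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_explicit_path(config):
    """Return (name, [(mode, addr), ...]) from an 'ip explicit-path' block.
    IOS treats a next-address without a keyword as strict."""
    name, hops = None, []
    for line in config.splitlines():
        m = re.match(r"^\s*ip explicit-path name (\S+)", line)
        if m:
            name = m.group(1)
            continue
        h = HOP_RE.match(line)
        if h:
            hops.append((h.group("mode") or "strict", h.group("addr")))
    return name, hops


def _owners():
    """Map every address to (router, kind) and build router -> {neighbour link addr: neighbour}."""
    owners = {ip: (r, "loopback") for r, ip in LOOPBACKS.items()}
    adj = {}
    for ra, ipa, rb, ipb in LINKS:
        owners[ipa] = (ra, "interface")
        owners[ipb] = (rb, "interface")
        adj.setdefault(ra, {})[ipb] = rb
        adj.setdefault(rb, {})[ipa] = ra
    return owners, adj


def validate_path(hops, headend):
    """Walk the hops from the head end. A strict hop must be an interface address
    on a directly connected neighbour; a loose hop only has to exist in the IGP.
    Returns (router sequence, list of problems)."""
    owners, adj = _owners()
    current, route, problems = headend, [headend], []
    for idx, (mode, addr) in enumerate(hops, 1):
        if addr not in owners:
            problems.append(f"hop {idx}: {addr} is not a known address")
            continue
        router, kind = owners[addr]
        if mode == "strict":
            if kind == "loopback":
                problems.append(f"hop {idx}: strict next-address {addr} is a loopback of {router}; "
                                f"use a link address or 'next-address loose {addr}'")
            elif addr not in adj.get(current, {}):
                problems.append(f"hop {idx}: {addr} ({router}) is not directly connected to {current}")
        current = router
        route.append(router)
    return route, problems


def as_loose(name, hops):
    """Render the block with every hop marked loose, the fix proposed in the reply."""
    lines = [f"ip explicit-path name {name} enable"]
    lines += [f" next-address loose {addr}" for _, addr in hops]
    return "\n".join(lines)


if __name__ == "__main__":
    posted = "ip explicit-path name strict enable\n next-address 10.201.1.3\n" \
             " next-address 10.201.1.1\n next-address 10.201.1.2\n"
    name, hops = parse_explicit_path(posted)
    for p in validate_path(hops, "R4")[1]:
        print(p)
    print(as_loose(name, hops))
```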

  • IPSec and split tunneling

    Hi,
    One of my users sometimes needs to work in a second (not our) office and have access to a printer there. The problem is that the remote and local offices use the same network (10.0.0.0/24). The VPN's policy defines network 10.0.0.0/24 as the traffic that should go through the tunnel. The printer in the remote office has IP address 10.0.0.102. Is there any possibility to solve this? I've tried with an access-list:
    access-list SPLIT_TUNNEL_LIST standard deny host 10.0.0.102
    access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.255.0
    but it doesn't work
    regards
    Hubert

    solved by NAT,
    regards

  • Looking for help to set up l2tp Ipsec vpn on asa 5055

    I am trying to set up an L2TP/IPsec VPN on an ASA 5055, and I am using the Windows 8.1 built-in VPN client to connect to it. I got the following error. If anyone has experience with this, please help.
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, 
    EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, 
    EV_COMP_HASH
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
    I am new to this so I don't know what I should do next. Thanks

    Here it is. Thanks.
    CL-T179-12IH# show run crypto
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint vpn
     enrollment self
     subject-name CN=174.142.90.17
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain vpn
     certificate 2d181c55
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint vpn
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
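    As an added illustration (not from the thread), a Python model of the responder's Quick Mode transform-set selection, which ends in the "All IPSec SA proposals found unacceptable!" outcome when no set agrees with the client on encryption, integrity and encapsulation mode. It reads an abridged copy of the transform sets and dynamic map posted above; the client proposals are constructed (L2TP/IPsec runs ESP in transport mode per RFC 3193, so they are transport-mode proposals), and PFS and lifetimes are deliberately left out of the model.

```python
import re

# Abridged from the 'show run crypto' output posted above; only the lines this
# helper reads are kept.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS
"""

# Same config with the transport-mode sets taken out of the dynamic map: the
# constructed failure case that produces the log message in the thread.
NO_TRANSPORT_CONFIG = ASA_CONFIG.replace(" ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS", "")

# Constructed client proposals (assumption): a typical L2TP/IPsec client offers
# transport-mode ESP with AES-128/SHA1 and 3DES/SHA1.
L2TP_CLIENT_PROPOSALS = [
    {"enc": ("AES", 128), "auth": "SHA1", "mode": "transport"},
    {"enc": ("3DES", 168), "auth": "SHA1", "mode": "transport"},
]

# ASA transform keywords mapped to (algorithm, key bits) and to integrity names.
ENC = {"esp-des": ("DES", 56), "esp-3des": ("3DES", 168), "esp-aes": ("AES", 128),
       "esp-aes-192": ("AES", 192), "esp-aes-256": ("AES", 256)}
AUTH = {"esp-sha-hmac": "SHA1", "esp-md5-hmac": "MD5"}


def parse_transform_sets(config):
    """Return {name: {"enc": (alg, bits), "auth": name, "mode": "tunnel"|"transport"}}.
    A set is tunnel mode unless a separate 'mode transport' line changes it."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^\s*crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if not m:
            continue
        name, rest = m.groups()
        ts = sets.setdefault(name, {"mode": "tunnel"})
        if rest.strip() == "mode transport":
            ts["mode"] = "transport"
            continue
        for tok in rest.split():
            if tok in ENC:
                ts["enc"] = ENC[tok]
            elif tok in AUTH:
                ts["auth"] = AUTH[tok]
    return sets


def dynamic_map_sets(config):
    """Transform-set names referenced by the dynamic map, in configured order."""
    for line in config.splitlines():
        m = re.match(r"^\s*crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$", line)
        if m:
            return m.group(1).split()
    return []


def match_proposals(config, client_proposals):
    """Simplified responder selection: the first transform set in the dynamic map
    whose encryption, integrity and mode all equal one of the client's proposals.
    None means no acceptable proposal, the case the ASA logs as
    'All IPSec SA proposals found unacceptable!'."""
    sets = parse_transform_sets(config)
    for name in dynamic_map_sets(config):
        ts = sets.get(name)
        if not ts:
            continue
        for prop in client_proposals:
            if (ts.get("enc"), ts.get("auth"), ts["mode"]) == (prop["enc"], prop["auth"], prop["mode"]):
                return name, prop
    return None


if __name__ == "__main__":
    print(match_proposals(ASA_CONFIG, L2TP_CLIENT_PROPOSALS))
    print(match_proposals(NO_TRANSPORT_CONFIG, L2TP_CLIENT_PROPOSALS))
```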

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    We have the following IPsec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach 172.27.99.x IPs from 172.22.20.x.
    It seems that the phase 2 for this subnet is missing... until we try to reach any IP in 172.22.20.x from 172.27.99.x.
    We are using a similar configuration on many sites and it works correctly, except for sites with a DSL line.
    We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After the tunnel re-opens (idle timeout), the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    .... after a ping from 172.27.99.x to any IP in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
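As an added example (not part of the thread), a small Python parser for the `show vpn-sessiondb detail l2l` layout pasted above: it reads the session header and each IKEv2/IPsec block and flags IPsec SAs whose time-based rekey or idle timer (the output shows a 25-minute idle timeout) is about to fire, which is worth comparing against the times the tunnel drops. The sample text, the peer address and the thresholds are constructed assumptions.

```python
import re
# Constructed, abridged sample in the layout of 'show vpn-sessiondb detail l2l'
# as pasted in the thread (peer address is a documentation range, not real).
SAMPLE = """\
Session Type: LAN-to-LAN Detailed
Index        : 3058                   IP Addr      : 203.0.113.2
IKEv2:
  Tunnel ID    : 3058.1
IPsec:
  Tunnel ID    : 3058.2
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
IPsec:
  Tunnel ID    : 3058.5
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 120 Seconds
  Idle Time Out: 25 Minutes             Idle TO Left : 1 Minutes
"""

# One "Key : value" pair; a second pair on the same line begins after 2+ spaces.
PAIR = re.compile(r"([A-Za-z][A-Za-z /()]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z /()]*?\s*:|$)")

def parse_sessiondb(text):
    """Return (header, blocks): session fields, then one dict per IKEv2:/IPsec: block."""
    header, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = re.fullmatch(r"(\w+):", line)  # bare section header line
        if sec:
            current = {"section": sec.group(1)}
            blocks.append(current)
            continue
        target = header if current is None else current
        for key, value in PAIR.findall(line):
            target[key.strip()] = value.strip()
    return header, blocks

def _num(value):  # '20953 Seconds' -> 20953; None if blank or missing
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def near_expiry(blocks, rekey_secs=300, idle_mins=2):
    """IPsec SAs whose time rekey or idle timer is about to fire (compare with drop times)."""
    hits = []
    for sa in (b for b in blocks if b.get("section") == "IPsec"):
        rekey, idle = _num(sa.get("Rekey Left(T)")), _num(sa.get("Idle TO Left"))
        if (rekey is not None and rekey <= rekey_secs) or (idle is not None and idle <= idle_mins):
            hits.append((sa["Tunnel ID"], sa["Remote Addr"], rekey, idle))
    return hits
```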

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and had been running very well, up until the last few weeks. For some reason, the VPN tends to randomly disconnect connected user clients a lot. Furthermore, sometimes it actually connects; however, for some reason it does not put us on the local network and we are unable to browse the file server. We have tried rebooting the ASA a few times, and our ISP, Time Warner, informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times, and then it works. However, it's never really been consistent enough, and hasn't been for the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is 5.0.70.
    Directly below is our current running config (modified for public posting). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good, then I will defer back to our ISP, Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA?
    Can you post them?
    Any other question? Sure. Just remember to rate all of the community answers.
    Julio
