IPsec Issues ASA 8.0 and Watchguard XTM 510
Hi Everyone,
I am trying to merge two networks, one using an ASA 5510 as its edge device, and the other using a Watchguard XTM 510. For some reason, when a connection is initiated from the Watchguard side, phase 1 complets with MM_ACTIVE, but when the ASA initiates, IKE shows the following status:
IKE Peer: x.x.x.145 (Watchguard Side)
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Regardless, however, even at MM_ACTIVE, phase 1 resets and phase 2 never begins and so a connection is never made. I have collected a debug from both sides and they are as follows
ASA IP: x.x.x.60
Watchguard IP: x.x.x.145
ASA:
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a83f)
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:02 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=e57925a0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a840)
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:04 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=6bfb344) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a841)
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:06 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=51a5ab4d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:08 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:08 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=1ef674ce) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 07 06:51:08 [IKEv1]: Ignoring msg to mark SA with dsID 2019328 dead because SA deleted
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Oakley proposal is acceptable
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received DPD VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received NAT-Traversal ver 02 VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing IKE SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ISAKMP SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Traversal VID ver 02 payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Fragmentation VID + extended capabilities payload
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ke payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ISA_KE payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing nonce payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ke payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing nonce payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Cisco Unity VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing xauth V6 VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send IOS VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Generating keys for Responder...
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing ID payload
Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
x.x.x.145
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing hash payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Freeing previously allocated memory for authorization-dn-attributes
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing ID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing hash payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing dpd vid payload
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 107
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Keep-alive type for this connection: DPD
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Starting P1 rekey timer: 64800 seconds.
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f28)
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:32 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=96f50614) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f29)
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:34 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f17efc6e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f2a)
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:36 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=a4d9cf11) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:38 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f1d3a895) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 07 06:51:38 [IKEv1]: Ignoring msg to mark SA with dsID 2023424 dead because SA deleted
Watchguard:
<158>Jan 7 13:57:11 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 384341539(Isakmp SA 0x81b26a0)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)MainMode: recv 1st msg pcy [newbury] peer x.x.x.60:500 (Ct=324)
<156>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 started by peer with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloads : Payload(SA) Len(172)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalNtoH : Recv SPI(0x03 0000 0000 0x28) SPI(0000 0000 0000 0000)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_NAT-T_VID(first 4bytes: 0x9180cb90)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)P1__Mode: NAT-T negotiated [newbury] peer 0xd5534a3c:500
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending second message with policy [newbury] to x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received third message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(4) Len(196)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(10) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(12)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_XAUTH06_VID(first 4bytes: 0x89260009)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending fourth message with policy [newbury] to x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:17 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:21 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
Any insight you can provide in this regard would be greatly appreciated.
The issue was resolved. Watchguard uses both a "Remote Gateway IP", as well as a "Remote Gateway ID." In most cases, these will have the same IPv4 value. However, in this case, the ASA was using an old FQDN as its ID so it was causing a mismatch with the ID configured for that gateway on the Watchguard side. Once, the ID was changed to the FQDN of the ASA, the tunnel came up and started passing traffic.
Similar Messages
-
IPsec firewall2firewall vpn with wrv200 and watchguard Firebox Pro.
I have a situation that is confounding me. I am trying to connect my wrv200 to a watchguard firebox x1000. The tunnel works on and off. When it is connected it functions properly. However when it disconnects and tries to reestablish a connection it often happens that it hit the following problem(from the WRV200 log): 020 [Fri 07:54:17] "TunnelA" #4: Main mode peer ID is ID_IPV4_ADDR: '10.10.10.254' 021 [Fri 07:54:17] "TunnelA" #4: we require peer to have ID '81.252.20.225', but peer declares '10.10.10.254' 022 [Fri 07:54:17] "TunnelA" #4: sending encrypted notification INVALID_ID_INFORMATION to 81.252.20.225:500 The watchguard is not the WAN gateway for the network, so that is why the peer I.D. is not matching. The people who operate the watchguard say there is nothing they can change. Is there any way to accept this peer i.d. so I can get past this step? thanks, Nick
if this is a gateway to gateway vpn connection , one of the end needs to have a static ip add ...
try changing the MTU size to 1458 .. the firmware on the wrv200 should be latest .. -
Phase 2 tunnel is not going up between PIX 525 and Watchguard
Hi Folks,
Can you please help me in knowing where is the problem liying, currently I am trying to establish a VPN tunnel between PIX firewall and Watchguard , all the parameters of both devices are the same though Phase two tunnel is not coming up.
here is the debug :
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 23
ISAKMP (0): Total payload length: 27
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3168983470
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 484086886
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 287560609
ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSdebug
ISAKMP (0): retransmitting phase 1 (0)...
Thanks,
IsmailHi Kanishka,
The Phase 2 Parameters are the same also PFS is disabled !
There are some curious things in the debug msg, could you please throw some light on them
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
what does the vendor ID is NAT-T above mean ? Is it say that both sides are using Nat traversal.
Also in ecryption its says encryption 3DES-CBC
i am not sure if this CBC is the culprit. Because thats what watchgaurd uses only it does not have an option for only 3DES.
strange enought that Phase 1 is getting up, I am also questioning myself about the following message appearing in Phase 1:
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
how come Phase 1 is coming up though the PIX is claiming that his HASH is not the same as HIS HASH :(
the log messages on WATCH GUARD states that there is no proposal chosen!
why both firewalls are not friends?
I appreciate any input -
I am trying to setup a VRF IPSec to ASA VPN tunnel. VRF IPSec is at head office and ASA is at the customer end. I am successfully establish the tunnel when I initiate a ping from the ASA end (ping was successful). However I am getting error in ipsec stats when I initiate the ping from the head office (ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
GTO-ClientEdge-RT1#sh cry ipse sa
interface: GigabitEthernet0/0
Crypto map tag: gto_share_map, local addr 192.33.232.209
protected vrf: vrf-veridian
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 173.46.8.98 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Crypto ISAKMP debugging is on
GTO-ClientEdge-RT1#
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:29.702: ISAKMP:(0): c
GTO-ClientEdgeonstructed NAT-T vendor-03 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:29.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:29.702: ISAKMP: keylength of 256
Nov 19 22:46:29.702: ISAKMP: hash SHA
Nov 19 22:46:29.702: ISAKMP: default group 5
Nov 19 22:46:29.702: ISAKMP: auth pre-share
Nov 19 22:46:29.702: ISAKMP: life type in seconds
Nov 19 22:46:29.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:received payload type 17
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
authenticated
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1512038398, sa = 0x1235BF68
Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1#
GTO-ClientEdge-RT1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
173.46.8.98 192.33.232.209 MM_NO_STATE 9023 ACTIVE (deleted) veridian-ike-prof
IPv6 Crypto ISAKMP SA
GTO-ClientEdge-RT1#
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov
GTO-ClientEdge 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:59.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:59.702: ISAKMP: keylength of 256
Nov 19 22:46:59.702: ISAKMP: hash SHA
Nov 19 22:46:59.702: ISAKMP: default group 5
Nov 19 22:46:59.702: ISAKMP: auth pre-share
Nov 19 22:46:59.702: ISAKMP: life type in seconds
Nov 19 22:46:59.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:59.802: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP:received payload type 17
Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
authenticated
Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 4129876318, sa = 0x1235C984
Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1#ASA doesn't like what you're sending.
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Check what's happening around QM1 on ASA.
For reference working debugs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml -
Hello All
I will be grateful if someone can assist me with this please.
I am having issues with this setup and the VPN tunnel shows down. Can someone please advice where i may be going wrong. the test setup as below and i have also attached the current configs.
VPN_RTR#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1.84
Session status: DOWN
Peer: 1.1.1.2 port 500
IPSEC FLOW: permit ip host 10.10.10.1 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/1.85
Session status: DOWN
Peer: 1.1.1.6 port 500
IPSEC FLOW: permit ip host 10.10.11.1 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto mapHello,
Modify your ACL on both routers to identify interesting traffic which will be encrypted, in your case traffic beteen loopbacks in same VRF.
INETSERV1_TEST
ip access-list extended P1-VPN
permit ip host 10.10.10.1 host 192.168.0.1
ip access-list extended P3-VPN
permit ip host 10.10.11.1 host 192.168.1.1
VPN_RTR
ip access-list extended P1-VPN
permit ip host 192.168.0.1 host 10.10.10.1
ip access-list extended P3-VPN
permit ip host 192.168.1.1 host 10.10.11.1
After this change, you should be able to ping between loopbacks.
Best Regards
Please rate all helpful posts and close solved questions -
ASA DMZ zone and Unix proxy server
Hi.
i have router which all nat translation done at here. i have a asa and core sw.
192.168.1930.0/24 subnet my user and some server are located at this subnet. this subnet created at core sw.
int vlan 393
ip address 192.168.193.1 255.255.255.0
core sw connected to asa inside interface.asa inside interface ip 172.30.30.1 and at core sw site this port access vlan 8 which is
int vlan 8
ip address 172.30.30.2
at core sw at i have a default route to asa.
ip route 0.0.0.0 0.0.0.0 172.30.30.1
and asa site
route inside 192.168.193.0 255.255.255.0 172.30.30.2
all of them are ok.
i think that is ok.
at asa i have dmz zone which ip address:
interface Ethernet0/1
description connect to CoreSW
nameif inside
security-level 100
ip address 172.30.30.1 255.255.255.0 standby 172.30.30.3
interface Ethernet0/2
description DMZ zone connect mail server
nameif DMZ
security-level 50
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
my proxy server inside interface connected to asa dmz zone and ip address 172.16.10.254 and outside interface is connected asa outside site which mean that is same subnet of asa outside interface which is 10.0.0.254 and then 10.0.0.254 i do static nat at router. i have no problem at nat translation.
i want my 192.168.193.0 subnet pass througth from proxy when this subnet want to connet internet.
i wrote
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
and access-list
access-list from_dmz_to_in extended permit ip host 172.16.10.254 any
access-group from_dmz_to_in in interface DMZ
at this time what is up?
the user can not access internet and what i do? i wrote proxy server inside ip and default port 3128 at user internet explorer properties.
internet explorerr--tools-properties-connection-lan settting and show there 172.16.10.254 and port 3128.
at this time my user connect internet when i wrote this. when i remove this they can not connect internet
but i do not want write anything at my user. how i solved this?
after that one problem occur.
when my server to do nslookup it can not work.
i thnik that it is true because we have only one port 3128 is open and my server need udp 53.so it can not work
how i solve this issue?
as you see my access-list all of is open and i do
static (inside,DMZ) 192.168.193.0 192.168.193.0 netmask 255.255.255.0
it is this wrong proxy connection???
musti change proxy server inside interface to other device or asa other interface?
thanks.There is 2 way the proxy server can work, ie: either transparent or explicit proxy.
From your explaination, explicit proxy works just fine when you configure the proxy settings on your browser.
The reason why transparent proxy does not work is because:
1) When user browser connects to the Internet, the ASA default gateway is via the outside interface, that is why the Internet traffic is not being routed transparently towards your proxy server which is connected to the DMZ interface.
The static NAT statement configured on the ASA does not perform redirection. If you would like to transparently route the internet traffic towards the proxy server on DMZ, you would need to route the traffic towards the proxy server. With the current topology that you have, it is not achievable on the ASA. ASA does not support Policy Based Routing, nor it supports WCCP when the user and the proxy server is on different interfaces.
2) Also need to find out if the proxy server itself supports transparent proxy.
Otherwise, since explicit proxy works, why don't you just push the proxy settings to the browser via Active Directory Group Policy? -
RE: Case 59063: performance issues w/ C TLIB and Forte3M
Hi James,
Could you give me a call, I am at my desk.
I had meetings all day and couldn't respond to your calls earlier.
-----Original Message-----
From: James Min [mailto:jminbrio.forte.com]
Sent: Thursday, March 30, 2000 2:50 PM
To: Sharma, Sandeep; Pyatetskiy, Alexander
Cc: sophiaforte.com; kenlforte.com; Tenerelli, Mike
Subject: Re: Case 59063: performance issues w/ C TLIB and Forte 3M
Hello,
I just want to reiterate that we are very committed to working on
this issue, and that our goal is to find out the root of the problem. But
first I'd like to narrow down the avenues by process of elimination.
Open Cursor is something that is commonly used in today's RDBMS. I
know that you must test your query in ISQL using some kind of execute
immediate, but Sybase should be able to handle an open cursor. I was
wondering if your Sybase expert commented on the fact that the server is
not responding to commonly used command like 'open cursor'. According to
our developer, we are merely following the API from Sybase, and open cursor
is not something that particularly slows down a query for several minutes
(except maybe the very first time). The logs show that Forte is waiting for
a status from the DB server. Actually, using prepared statements and open
cursor ends up being more efficient in the long run.
Some questions:
1) Have you tried to do a prepared statement with open cursor in your ISQL
session? If so, did it have the same slowness?
2) How big is the table you are querying? How many rows are there? How many
are returned?
3) When there is a hang in Forte, is there disk-spinning or CPU usage in
the database server side? On the Forte side? Absolutely no activity at all?
We actually have a Sybase set-up here, and if you wish, we could test out
your database and Forte PEX here. Since your queries seems to be running
off of only one table, this might be the best option, as we could look at
everything here, in house. To do this:
a) BCP out the data into a flat file. (character format to make it portable)
b) we need a script to create the table and indexes.
c) the Forte PEX file of the app to test this out.
d) the SQL staement that you issue in ISQL for comparison.
If the situation warrants, we can give a concrete example of
possible errors/bugs to a developer. Dial-in is still an option, but to be
able to look at the TOOL code, database setup, etc. without the limitations
of dial-up may be faster and more efficient. Please let me know if you can
provide this, as well as the answers to the above questions, or if you have
any questions.
Regards,
At 08:05 AM 3/30/00 -0500, Sharma, Sandeep wrote:
James, Ken:
FYI, see attached response from our Sybase expert, Dani Sasmita. She has
already tried what you suggested and results are enclosed.
++
Sandeep
-----Original Message-----
From: SASMITA, DANIAR
Sent: Wednesday, March 29, 2000 6:43 PM
To: Pyatetskiy, Alexander
Cc: Sharma, Sandeep; Tenerelli, Mike
Subject: Re: FW: Case 59063: Select using LIKE has performance
issues
w/ CTLIB and Forte 3M
We did that trick already.
When it is hanging, I can see what is doing.
It is doing OPEN CURSOR. But not clear the exact statement of the cursor
it is trying to open.
When we run the query directly to Sybase, not using Forte, it is clearly
not opening any cursor.
And running it directly to Sybase many times, the response is always
consistently fast.
It is just when the query runs from Forte to Sybase, it opens a cursor.
But again, in the Forte code, Alex is not using any cursor.
In trying to capture the query,we even tried to audit any statementcoming
to Sybase. Same thing, just open cursor. No cursor declaration anywhere.==============================================
James Min
Technical Support Engineer - Forte Tools
Sun Microsystems, Inc.
1800 Harrison St., 17th Fl.
Oakland, CA 94612
james.minsun.com
510.869.2056
==============================================
Support Hotline: 510-451-5400
CUSTOMERS open a NEW CASE with Technical Support:
http://www.forte.com/support/case_entry.html
CUSTOMERS view your cases and enter follow-up transactions:
http://www.forte.com/support/view_calls.htmlEarthlink wrote:
Contrary to my understanding, the <font face="courier">with_pipeline</font> procedure runs 6 time slower than the legacy <font face="courier">no_pipeline</font> procedure. Am I missing something? Well, we're missing a lot here.
Like:
- a database version
- how did you test
- what data do you have, how is it distributed, indexed
and so on.
If you want to find out what's going on then use a TRACE with wait events.
All nessecary steps are explained in these threads:
HOW TO: Post a SQL statement tuning request - template posting
http://oracle-randolf.blogspot.com/2009/02/basic-sql-statement-performance.html
Another nice one is RUNSTATS:
http://asktom.oracle.com/pls/asktom/ASKTOM.download_file?p_file=6551378329289980701 -
Issues with Exchange Account and Q10
Well, I hate to be writing this, but I'm hoping that there might be someone out there that can help get past some first day issues I am experiencing.
The background: I have a long history with legacy BlackBerry devices, and almost as much history with iOS devices. My most recent phone was an iPhone 4S, and I make extensive use of iCloud to keep my iMacs, iPhone, and iPad connected in real-time. The setup worked. It wasn't perfect, but it worked. However, because I used to have a BlackBerry device (most recent the 9930) and because I don't use the iPhone for more than e-mail, iMessage, and phone calls (generally speaking), I decided to give the newest BlackBerry device a shot. So I bought a Q10.
At this point I feel compelled to say that the hardware is everything I had hoped it to be. It's solid, has a good weight, and appears to be made very well. I have no complaints with the hardware, including the keyboard (a big selling factor for me), so I won't really get into the hardware as the issues I am experiencing all have to do with the OS. Let me also say that I am very familiar with the iCloud integration issues (missing Contact photos and disabled Calendar sync), so I'm not voicing a complaint over those issues in this thread.
I have connected my Exchange account. I used to have everything in Exchange before I moved my entire computing world over to Apple, and now I keep Exchange around for e-mail. Therefore, I have no contacts, no tasks, no notes, very limited calendar entries, and a massive amount of e-mail on the Exchange server. However, to test everything out, I have added a single contact record so I can see it show up on the phone and be able to test two-way sync between the Q10 and Exchange. And here is where the first issues crop up. It looks like Exchange connects and then disconnects at random. For example, if I open my Contacts on the phone, I see the one contact (called John Doe). Then, as the phone is sitting there with the screen on, the contact will disappear and I will see a "Start adding contact to your contact list" notice on the screen. Then, after a short period of time, the single contact will return. It is important to note that the entire time this is happening, the All Contacts option is selected in the list so that all available contacts are shown. Additionally, I have SIM card contacts turned off, but if I alter the selection in the view list (All Contacts, Favorites, etc.), the SIM contacts will re-appear when I return to the All Contacts view. At the same time, even though I have turned off SIM Contacts in the settings, the setting has reverted to show SIM Contacts. If I turn off the setting again, SIM Contacts still show up. Possibly related: I can't delete contacts on the SIM card, no matter how many times I try, and it now it seems that I can't get SIM Contacts to go away in the Contacts app.
Likewise, Exchange seems to connect and disconnect from Calendar. I go to the calendar and move day by day to June 15th. I see an entry that I know is from Exchange (I have no other connected calendars at this time), and it is in blue. I change the calendar color to green and the entry changes color, as expected. However, if I jump back to today and then scroll day by day to get to June 15th again, the calendar entry is missing. After a few seconds, the entry re-appears, but it is, once again, in blue. The setting has reverted itself, and it seems like Exchange is completely disconnecting and automatically reconnecting to the phone like I am setting it up again for the first time. Very odd. As I'm typing this, I just saw something odd. I swiped to wake up the phone, and the active frames screen was the visible screen. The calendar app is still running (since I left it running, minimized, when the phone went to sleep) and the date shown in the active card was Jan 1, not Jun 8. Why? The date (and time) on the phone is correct and is set automatically by the cellular system.
Nevertheless, looking at BlackBerry Hub, I see only two e-mails in my Inbox from Exchange, even though I have roughly a dozen in my Inbox. The rest are filed in sub-folders. And bam! Just like that... I get the "Add Accounts" screen while looking at the Hub. In other words, as I was typing this, I first saw two Exchange e-mails and then, out of nowhere, the e-mails disappear and I see the "Add Accounts" screen as if no account has been connected.
So... first question: Is anyone else experiencing this issue? This is very strange, and very frustrating. Second: could this be related to the large amount of e-mails I have stored on Exchange, some of which have large attachments? I selected "Forever" as the sync history length. I have my concerns, however, if this is related to loading historical e-mails onto the phone (in other words, the first sync with Exchange) because there is no reason that I can understand that the phone would blank out as if no account was connected at all. I can understand lag and stuttering while the history is syncing, but not a complete disconnect and reconnect. Considering all of the issues with the one and only contact record disappearing, the calendar entry for Jun 15th disappearing and then reappearing with the wrong calendar color, and e-mail in my Inbox incomplete (two of a dozen e-mails) and ultimately disappearing, I feel like this OS just has some real, significant issues.
Full disclosure: I do want iCloud to work and am a fan of Apple products, but the lack of full iCloud sync support is not a big enough issue for me to want to send back this phone and/or see it fail so miserably. I will happily move my info from iCloud into Exchange, Google, and/or set up a new Exchange account for personal use (Office 365) because I am not wedded to iCloud per se. But, I won't go through that trouble if I can't even get my first account to work properly. It should also be noted that I do have a basic Google account (non-paid) and I had previously attempted to connect to it. However, I was experiencing the exact same issues with contacts disappearing, e-mail disappearing, etc. So I deleted that account. Truth be told, I deleted the Exchange account as well, and then re-connected to Exchange only to test one account at a time. Unfortunately, even with Exchange only, I am seeing very strange and frustrating behavior as described above.
Help... please. I want this to work but the frustration I am feeling is growing worse by the hour.
Model: SQN100-2
OS Release: 10.1.0.2011
OS Version: 10.1.0.2038
Build ID: 525050
IanTo follow-up with this issue:
I ended up performing a security wipe on my device. The security wipe finished, and I was about to reconnect with Exchange when I decided to visit our host's web site to see if they had any articles covering the issues I was experiencing. While they didn't have anything specific, I did find a step-by-step guide to connecting a BB10 device to Exchange... and right there at the end, it said "Do NOT enable memo sync."
I contacted support, and the rep told me that OS 10 has an issue with memo sync and it can cause all sorts of unpredictable behavior. Now, whether or not this is accurate I can say this: So far, the device is not disconnecting and reconnecting like it was before. Problem is, is this a result of not enabling memo sync, or is this a result of the security wipe?
I may have overlooked it, but I don't recall reading anything about that anywhere else. I'm tempted to try re-enabling the memo sync to see if everything blows up again. At least that way I can see for myself if the memo sync is a real issue. Of course, perhaps it's an issue with SherWeb (our host) specifically. Hm...
Anyway, for those that were interested, and for those that may come along in the future with a similar situation, the strange behavior that I first reported is no longer happening. I just don't know if it was a result of a security wipe or a result of not enabling memo sync with Exchange.
Ian -
Since the Mountain Lion OS update today I've had issues with internet connection and e-mail, has anyone else?
That's what I would have thought, but even after saving the setting, as soon as I shut down my computer or log out of Mail, it automatically defaults back to 25. It's a bit frustrating.
Now I just need to figure out how to get rid of those horrible pop-up banners but still have my glass sound and number of emails in the red dot when I get an email...
These little tweaks are the only thing I HATE about upgrading my OS. -
Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis
We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.Hi,
So you have N7k acting as L3 with servers connected to 4510?.
Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
This will help narrow down if issue is between server to 4510 or 4510 to N7k.
Thanks,
Nagendra -
I am having major issues with Logic 8 and want to reinstall.
I am having a lot of issues with Logic 8 and want to do a re-install. What is the procedure and what do I need to uninstall first. I need to be careful, because I don't want to affect my Logic 7.
Any suggestions?What problems?
The first thing to do is trash the preferences. As far as affecting Logic 7, once you install 8, 7 is "forgotten" about. I'm assuming your L8 is a real version, not a "borrowed from the interweb" one. -
Consumption acct of materia which issue to maint. ord. and production order
Hi all,
I have one problem with the cost report for maintenance orders.
I have one material code, such as we call A.
Mat. A is issued to production order and also maintenance order.
For production order, consumption account is 123
For maintenance order, consumption account is 456
I have defined new movement type for issuing to Maintenance order is ZB1
in OBYC:
GBB - VRB --> 123
ZB1 --> 456
So for accounting purpose, I can slit these consumption accounts
However, when I go to maintenance order cost reports, systems slit these cost into 2 line
Material A Acct. Cons 123 Plan cost 100 Actual cost 0
Material A Acct. Cons 456 Plan cost 0 Actual cost 120
How can I group into 1 line ?
Edited by: Emily Nguyen on Jun 2, 2009 12:15 PMHi Emily
In OBYC you can configure GL accounts per valuation class.
You cannot configure Movement type wise. Each General modifier is linked with movement types.
We cannot give two consumption accounts for one valuation class in VBR.
Run your plan cost again.
Thanks
Kiran A -
Wifi keeps scanning and dropping even after connected to home network. Never had this issue until the update, and now my phone runs slow and terrible. Horrible update!! Any ideas on a fix?
It's important that you have a steady WiFi connection, ZealousEdge. What phone do you have? Is your phone unable to connect to any WiFi network? If you can, please try deleting the saved WiFi network and re-adding it.
AndreaS_VZW
Follow us on Twitter @VZWSupport
If my response answered your question please click the "Correct Answer" button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this!! -
Creative in the dock over driver issues for older cards and upsetting consumers please read!
To Who this may concern at TOP LEVEL AT Creative's Board It's come to my attention to a very serious issue From Creative,and the story starts from here.
I have just required the Audigy 2 ZS Sound Card so looking to install the latest drivers from CREATIVE'S UK WEBSITE. So I look into the date which is 9/4/200 on Creative's website. However I did abit more investigating into the issues from other consumer's from passed half soaked drivers that Creative are supposed to put right with their half asleep development team(what a joke!!).
AS I did more research? on this issue on the forums and hardware websites, it came across to my attention on a Brazilian I. T. Expert called Daniel Kawakami (surprisesurprise and I don't suppose Creative know anything about him other than trying to kick him the balls for his work to help others with their sound cards very good PR work Creative well done!!!!).So armed with all this information and believe me I have gone into alot of reading in the forums about the issues,and yes Creative Board Of Directors you are entitled to your Copy Rights,for now !!!
So I find out more about this super hero Daniel Kawakami? to Creative's miss givings to put right the Drivers for Consumers let down by Creative, I came across one of the driver updates for the Audigy 2 ZS Sound Card done by Daniel Kawakami, and Bingo most consumer's now have a working drivers by him.
So for all the hard work and precious time this Daniel Kawakami has done for Creative Consumers(including me) YOU SELFISH CREATIVE BOARD OF DIRECTOR'S go and kick him the face, so I will say this to you what about his rights as a creative product consumer? ,his driver copy rights and on top that his right to put things right that your team cannot put right in the first place. This is the EXACT PEOPLE WE NEED IN THIS HIGHLY COMPLICATED IT INDUSTRY, so what do you do you try and do, you bin him.
So Creative I am going to ask some questions and I EXPECT YOU TO ANSWER THEM with me as a CONSUMER OF YOUR PRODUCTS(customer is King not you!!)
1. The drivers you realised on the 9th April 200 are working drivers for the Audigy 2 zs for windows 7 ultimate.
2. So how can you convince me that they are working?
3. At the moment I can only trust Daniel Kawakami's? working drivers, since he has had over whelming praise for his work.What makes me think I can trust you with your drivers.
4. Your Drivers came out on the 9/4/200, Daniel Kawakami's Drivers came out on 9/4/200 its too close a call,since your development Team are too lazy to put things right, how can you convince me that you did not copy his Drivers into your download Driver website(I would not be surprised if you did, as it would certainly be a cost cutting exercise ,and taking away his copy rights for all the work he has done for nothing!!!)
5. Are you going to treat customer and consumers better service and support? in the Future,and that includes me,and 3rd party developers like Daniel Kawakami .
The concussion to all of this, there are lessons to be learned by you Creative for your mis givings and the treatment of customers passed and present and especially the appalling treatment of Daniel Kawakami ,this guy deserves far better for his talent. I Have one message for the President Of Creative ,don't you EVER think you can scare me as a customer and also as Registered? disabled deaf person ,and for that reason I have far more powers you will ever have. For what I have read I am so angry and dismayed when someone like Daniel Kawakami is only trying help others ,but to be treated in this way.
It is only right for me to post this ,because You Creative have hurt? alot people and that includes me. I look forward to the comments and p.m.(if I get any) And Daniel Kawakami? I hope you do read this and all the best for the future ,keep doing what you do ,and once again Creative you should be holding your heads in Shame.
Regards Jonoace U.k.!!! Creative jamais vai responder.
At seria justo se Creative viesse a publico falar de sua incapacidade e que at onde as placas Audigy funcionariam em Vista e ?7.
Mas por?incompet?ncia, pois nem suas novas placas funcionam direito, se era para vender est? mal.
Problemas de memoria superior a 4 gb e tantos outros que Creative no tem respostas;
Drivers de Daniel e Pax so alternativas, mas que tambm tem muitas limitaes.
Sinceramente acho que esta na hora de Creative vir a publico fazer um relato srio, e descrever claramente as limitaes de sua placas colocando um ponto final emexpectativas frustraes eeng dos.
Chega a ser vergonhoso que placas onboard como realtek funcionem melhor que placas Creative;
Realmente, antes era um sonho e orgulho possuir um produto CREATIVE, tornou-se um pesadelo e uma vergonha.
Mas enfim o que fazer, apenas esperar um momento de honestidade por parte de Creative.
Flavio Kern - Audigy 2 ZS
Creative will never respond. So it would be fair if Creative would publish his inability to speak and that even where the plates Audigy would work in Vista and 7. But by incompetence, since neither her new adapter works right, if it was to sell is poorly. Problems of memory above 4 gb, and so many others that Creative does not have answers; Daniel and Pax Drivers are alternati'ves, but which also has many limitations. I honestly think this time Creative come publico do a serious story, and describe clearly the limitations of your cards by putting an end-point on expectations, frustrations and forgeries. It is shameful that onboard realtek cards like that boards Creative work better; Actually, before it was a dream and pride have a CREATIVE product, became a nightmare and a shame. But anyway what to do, just wait a moment of honesty from Creative.
Flavio Kern-Audigy 2 ZS -
My itunes account on windows xp shuts down for no reason. If even try to delete something from my library it shuts down. It wont recognize my iphone and there is an issue with network connectivity and I can't connect to the store. I have already reinstalled itunes and did a system restore on my computer, firewall has been checked, itunes is ok on firewall and virus scan done. Ideas??
Same problem. I can see the itunes store so not a problem with windows firewall. The account is active on my iphone so i know i am not locked out. I can connect the PC to my iphone so i know itunes is working ok. It is just logging into itunes on this pc which doesn't work. Only thing I can think of is that the email address I use for my apple id has been offline for a while and is working again now, I'm wondering whether this has been the case for others who are having this issue?
Maybe you are looking for
-
Hi Experts, Has the Netweaver Gateway 2.0 present in Flash Builder 4.5 premium or should i have add any Add on`s ..??? Thanks, Arun
-
DesignJet 500 unable to print PDF completely
I am trying to print a PDF that is 24 x 36 and it keeps cuting off the border around the PDF. I make sure its set to the correct paper size and use no scaling, chose paper source by PDF page size, and auto-rotate and center. Any ideas?
-
Goods Movements with Handling Units
Hi: Any one knows how can I get make Goods Movement with Handling Units inter plants? I am trying by VLMOVE but this Tcode just has process for into a Plant not for Transfer posting plant to plant., so, I need give out for materials in Handling Unit
-
Workers throw security error when using File class
I am creating a program that is writing/reading large files using the FileStream class. This portion works fine but when I want to use concurrency to prevent the UI from locking it fails. When I check inside Adobe Scout I can see the worker fires a
-
Crashing at start-up for months under Snow Leopard on MacBook
Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.8 BuildID: 20100722150226 CrashTime: 1282819578 EMCheckCompatibility: true FramePoisonBase: 00000000f0dea000 FramePoisonSize: 4096 InstallTime: 1282818734 ProductName: Firefox ReleaseChannel: releas