IPSEC packets are not encrypted

Hello (and Happy Thanksgiving to those in the USA),
We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients. I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established, but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN)
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d
Total IKE SA: 2
1   IKE Peer: xx.168.155.98
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: xx.211.206.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Output of sho crypto ipsec sa (info regarding site-to-site VPN removed). Packets are decrypted but not encrypted.
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 7E0BF9B9
      current inbound spi : 41B75CCD
    inbound esp sas:
      spi: 0x41B75CCD (1102535885)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28776
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xC06BF0DD (3228299485)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFF80001
    outbound esp sas:
      spi: 0x7E0BF9B9 (2114714041)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xCBF945AC (3422111148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28772
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Config from ASA
: Saved
: Written by me at 19:56:37.957 pst Tue Nov 26 2013
ASA Version 8.2(4)
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox-gateway
name 172.16.10.0 iscsi-network description iscsi-network
name 192.168.1.0 legacy-network description legacy-network
name 10.20.50.0 management-network description management-network
name 10.20.10.0 server-network description server-network
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private-mitel-3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public-mitel-3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description Public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-gateway description private-gateway
name 192.168.1.96 private-remote-support description private-remote-support
interface Ethernet0/0
nameif public
security-level 0
ip address public-ip 255.255.255.224
interface Ethernet0/1
speed 100
duplex full
nameif private
security-level 100
ip address private-gateway 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
ftp mode passive
clock timezone pst -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mills.int
object-group service ftp
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
group-object ftp
service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 40
port-object eq ssh
object-group service web-server
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp eq smtp
group-object web-server
object-group service DM_INLINE_SERVICE_3
service-object tcp eq ssh
group-object web-server
object-group service kaseya
service-object tcp eq 4242
service-object tcp eq 5721
service-object tcp eq 8080
service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
group-object kaseya
group-object web-server
object-group service DM_INLINE_SERVICE_5
service-object gre
service-object tcp eq pptp
object-group service VPN
service-object gre
service-object esp
service-object ah
service-object tcp eq pptp
service-object udp eq 4500
service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
network-object 10.20.1.0 255.255.255.0
network-object server-network 255.255.255.0
network-object user-network 255.255.255.0
network-object management-network 255.255.255.0
network-object legacy-network 255.255.255.0
object-group service InterTel5000
service-object tcp range 3998 3999
service-object tcp range 6800 6802
service-object udp eq 20001
service-object udp range 5004 5007
service-object udp range 50098 50508
service-object udp range 6604 7039
service-object udp eq bootpc
service-object udp eq tftp
service-object tcp eq 4000
service-object tcp eq 44000
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 5566
service-object udp eq 5567
service-object udp range 6004 6603
service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object tcp eq 2001
service-object tcp eq 2004
service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
service-object icmp
group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object tcp eq https
service-object tcp eq ssh
object-group service RevProxy tcp
description RevProxy
port-object eq 5500
object-group service XenDesktop tcp
description Xen
port-object eq 8080
port-object eq 2514
port-object eq 2598
port-object eq 27000
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list Error-Events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map admin-control
  map-name  comment Privilege-Level
ldap attribute-map allow-dialin
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map mills-vpn_users
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin True IPSecUsers
ldap attribute-map network-admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf FALSE NOACCESS
  map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
nt-auth-domain-controller ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
server-port 389
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map network-admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya poll community ***** version 2c
snmp-server location Mills - San Diego
snmp-server contact Mills Assist
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
enable public
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
wins-server value 10.20.10.1
dns-server value 10.20.10.1
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Users_SplitTunnelAcl
default-domain value mills.int
address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
address-pool VPN_Users
authentication-server-group Mills_NetAdmin
default-group-policy IPSecUsers
tunnel-group VPN_Users ipsec-attributes
pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global-policy
class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?
Thanks in advance to all who take a look.
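As an added example (not part of the thread), the following Python triage script parses the "#pkts encaps" / "#pkts decaps" counters from the "show crypto ipsec sa" output above to flag the one-way pattern, and then runs one configuration check a reviewer would try against this config: whether the "ip local pool" addresses fall inside a directly connected interface subnet on which "sysopt noproxyarp" is set. The sample input is constructed from the posted output and config with the public-ip and private-gateway names resolved via their "name" statements; the thread does not identify the actual cause, so the check is a lead to verify, not a diagnosis.

```python
"""Triage helpers for an IPsec SA that decrypts but never encrypts.

Added example, not the poster's or Cisco's code. Works on text pasted
from `show crypto ipsec sa` and `show running-config` on an ASA.
"""
import ipaddress
import re

# Constructed sample: the relevant lines from the posted SA output.
SAMPLE_SA = """\
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

# Constructed sample: the config statements the check relies on, taken
# from the posted config with `name` aliases replaced by their addresses.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif private
 security-level 100
 ip address 10.20.1.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
sysopt noproxyarp private
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR_RE = re.compile(rf"^ip address ({IPV4}) ({IPV4})")
POOL_RE = re.compile(rf"^ip local pool (\S+) ({IPV4})-({IPV4})")


def parse_sa_counters(text):
    """Return {'encaps': n, 'decaps': n} from one SA's counter lines."""
    counters = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        counters[name] = int(value)
    return counters


def classify_sa(counters):
    """Label the traffic pattern: the posted SA is 'inbound-only'."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "inbound-only"   # client traffic decrypted, no return traffic encrypted
    if dec == 0:
        return "outbound-only"
    return "bidirectional"


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for interfaces that carry an address.

    Lines whose address is still a `name` alias are skipped rather than guessed.
    """
    interfaces, nameif, addr = {}, None, None
    for raw in config.splitlines() + ["interface END"]:
        line = raw.strip()
        if line.startswith("interface "):
            if nameif and addr:
                interfaces[nameif] = addr
            nameif, addr = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := ADDR_RE.match(line)):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_pools(config):
    """Map pool name -> (first address, last address)."""
    pools = {}
    for raw in config.splitlines():
        if (m := POOL_RE.match(raw.strip())):
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def noproxyarp_interfaces(config):
    """Set of nameifs with `sysopt noproxyarp <nameif>` configured."""
    return {raw.split()[2] for raw in config.splitlines()
            if raw.strip().startswith("sysopt noproxyarp ")}


def pool_overlap_findings(config):
    """Report pools whose addresses sit inside a connected interface subnet.

    Hosts on such a subnet resolve pool addresses by ARP instead of routing
    to the ASA, so the finding also records whether proxy ARP is disabled
    on that interface; both facts come straight from the config text.
    """
    interfaces = parse_interfaces(config)
    disabled = noproxyarp_interfaces(config)
    findings = []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, iface in interfaces.items():
            if first in iface.network or last in iface.network:
                findings.append({"pool": pool, "interface": nameif,
                                 "subnet": str(iface.network),
                                 "proxy_arp_disabled": nameif in disabled})
    return findings


if __name__ == "__main__":
    print("SA pattern:", classify_sa(parse_sa_counters(SAMPLE_SA)))
    for f in pool_overlap_findings(SAMPLE_CONFIG):
        print("pool overlap:", f)
```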

Marius,
I connected via my VPN client at home and pinged a remote server, attempted to RDP by name and then attempted to RDP by IP address. All were unsuccessful. Here is the packet capture:
72 packets captured
   1: 09:44:06.304671 10.20.1.100.137 > 10.20.10.1.137:  udp 68
   2: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
   3: 09:44:07.198384 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
   4: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
   5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137:  udp 68
   6: 09:44:07.786671 10.20.1.100.137 > 10.20.10.1.137:  udp 68
   7: 09:44:07.786855 10.20.1.100.137 > 10.20.10.1.137:  udp 68
   8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
   9: 09:44:09.282608 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
  10: 09:44:09.286667 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  11: 09:44:09.286926 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  12: 09:44:09.287201 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  13: 09:44:09.300491 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
  14: 09:44:10.199193 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
  15: 09:44:10.282150 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
  16: 09:44:11.286865 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  17: 09:44:12.302993 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
  18: 09:44:12.785054 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  19: 09:44:13.301101 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
  20: 09:44:14.204029 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
  21: 09:44:14.287323 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
  23: 09:44:16.581589 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  24: 09:44:18.083842 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  25: 09:44:18.199879 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  26: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request
  27: 09:44:19.582367 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  28: 09:44:19.704019 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  29: 09:44:20.288193 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  30: 09:44:21.200307 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  31: 09:44:21.786321 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  32: 09:44:23.289535 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  33: 09:44:24.204777 10.20.1.100 > 10.20.10.1: icmp: echo request
  34: 09:44:29.219440 10.20.1.100 > 10.20.10.1: icmp: echo request
  35: 09:44:29.287460 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  36: 09:44:30.787617 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  37: 09:44:32.287887 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  38: 09:45:00.533816 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  39: 09:45:02.018019 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  40: 09:45:03.160239 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
  41: 09:45:03.350354 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
  42: 09:45:03.521960 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  43: 09:45:04.158408 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
  44: 09:45:04.344342 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
  45: 09:45:06.160681 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
  46: 09:45:06.358593 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
  47: 09:45:10.159125 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
  48: 09:45:10.345227 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
  49: 09:45:14.550478 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
  50: 09:45:15.536166 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
  51: 09:45:17.546144 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
  52: 09:45:21.882812 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  53: 09:45:23.379222 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  54: 09:45:24.893386 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  55: 09:45:41.550035 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  56: 09:45:43.029875 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  57: 09:45:44.541979 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  58: 09:46:10.767782 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  59: 09:46:12.261934 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  60: 09:46:13.776250 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  61: 09:46:19.848970 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
  63: 09:46:21.331251 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  64: 09:46:22.831423 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  65: 09:46:23.101511 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
  67: 09:46:24.591705 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  68: 09:46:26.115976 10.20.1.100.137 > 10.20.10.1.137:  udp 50
  69: 09:46:28.834276 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  70: 09:46:29.125817 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
  71: 09:46:30.342816 10.20.1.100.137 > 10.20.10.1.137:  udp 68
  72: 09:46:31.840746 10.20.1.100.137 > 10.20.10.1.137:  udp 68
72 packets shown

Similar Messages

  • Enabled Message encryption in Office365, but internal mails to other O365 users are not encrypted

    I have enabled Message Encryption in Office365, and tested sending encrypted email to external users (outside my organization) and internal users (both other O365 users and internal users using a local Exchange 2010 server account)
    Encryption Works fine for sending encrypted email to external receipients, and to internal receipients still using Our local exchange2010 server. Bur for internal users migrated to Office365, the emails are for some reason not encrypted.
    Any ideas anyone?

    Works just fine for me. Check the associated transport rules, probably you have the "outside of the organization" predicate. Another possibility is that the "Remove Office 365 Message Encryption" rule/action applies to the messages
    before they are delivered, so check that one as well.

  • How do I set up Thunderbird to send messages that are not encrypted unless I want them to be?

    I have Thunderbird set up through gmail with enigmail and gpg4win 2.2.3 on a 64 bit windows 7 operating system. I went through the Enigmail set up wizard and unchecked the " encrypt by default " but it still sends encrypted email out. What aren't I doing?
    Thanks for helping.
    Dave

    Yes I did choose convenient encryption settings. Actually, I tried both just to be sure, but thanks. You got me into the right area and I found a way but I'm not sure that it's the best way so if somebody knows a better way please let me know. On Thunderbird, click '''tools''', click '''account settings''', click '''open PGP security''' and then '''uncheck '''" '''encrypt messages by default "''' '''uncheck sign messages by default '''and then restart Thunderbird. I don't know if that's the best and the quickest way but it does send unencrypted messages until somebody tells us an easier way. I think that the key to this is that you do all of this through the Thunderbird tools tab and there's no need to touch the settings in Enigmail or gpg4win. Thanks.
    Dave

  • Packet is not sent

    Hi,
    I am writing a TFTP client.
    I am trying to send a packet to the TFTP server using the following command:
    sock.send(new DatagramPacket(message, length, ip, tftpPort));
    When I run this on Windows and some Linux systems it works OK, but on other Linux systems it does not.
    I see that the packet is not sent out, and no exception is thrown.
    What can be the cause of this?
    Thanks

    UDP is a lossy protocol. Can it be that you are not receiving the packets, rather than the packets are not being sent?
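
    The point of the reply above is that a UDP sender never learns that a datagram was lost, so a TFTP client has to treat silence as loss and retransmit. The following is an added example, not code from the original thread: a minimal RFC 1350 read client whose send/recv are injected callables, exercised against a constructed in-process stand-in for a server on a lossy path (`LossyServer` and `read_with_loss` are assumptions made for this example, not real network code).

```python
# Added example (not from the original thread): TFTP read with
# timeout-driven retransmission over a simulated lossy UDP path.
# Packet layout follows RFC 1350; LossyServer/read_with_loss are
# constructed stand-ins so the example runs offline.
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """RRQ = opcode | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def parse_data(pkt):
    """Return (block, payload) of a DATA packet; raise on ERROR or garbage."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode == OP_ERROR:
        msg = pkt[4:].rstrip(b"\0").decode(errors="replace")
        raise RuntimeError("tftp error %d: %s" % (block, msg))
    if opcode != OP_DATA:
        raise ValueError("unexpected opcode %d" % opcode)
    return block, pkt[4:]


def tftp_read(filename, send, recv, retries=5):
    """Fetch a file using send(bytes) and recv() -> bytes or None (None
    means the receive timed out).  A UDP sender gets no error when a
    datagram is lost, so the only defence is to retransmit the last
    request (RRQ or ACK) when the expected DATA block never arrives.
    Returns (file_bytes, number_of_retransmissions)."""
    expected, request, chunks, retransmits = 1, build_rrq(filename), [], 0
    while True:
        send(request)
        attempts = 0
        while True:
            pkt = recv()
            if pkt is None:                      # timed out: assume loss
                attempts += 1
                if attempts > retries:
                    raise TimeoutError("no DATA block %d after %d retransmissions" % (expected, retries))
                retransmits += 1
                send(request)                    # retransmit RRQ or last ACK
                continue
            block, payload = parse_data(pkt)
            if block == expected:
                break                            # stale/duplicate blocks are ignored
        chunks.append(payload)
        request = build_ack(block)
        expected += 1
        if len(payload) < BLOCK_SIZE:            # short block ends the transfer
            send(request)
            return b"".join(chunks), retransmits


class LossyServer:
    """Constructed stand-in for a TFTP server behind a lossy link: the
    first `drop_first` datagrams it would deliver simply vanish, which
    is exactly what the client sees on a real lossy UDP path."""

    def __init__(self, data, drop_first):
        self.data, self.drop_first, self.queue, self.sent = data, drop_first, [], 0

    def send(self, pkt):                         # client -> "server"
        opcode = struct.unpack("!H", pkt[:2])[0]
        if opcode == OP_RRQ:
            block = 1
        elif opcode == OP_ACK:
            block = struct.unpack("!H", pkt[2:4])[0] + 1
        else:
            return
        start = (block - 1) * BLOCK_SIZE
        if start > len(self.data):
            return                               # final ACK, nothing more to send
        reply = struct.pack("!HH", OP_DATA, block) + self.data[start:start + BLOCK_SIZE]
        self.sent += 1
        if self.sent > self.drop_first:
            self.queue.append(reply)             # otherwise: lost on the wire

    def recv(self):                              # "server" -> client, None = timeout
        return self.queue.pop(0) if self.queue else None


def read_with_loss(data, drop_first, retries=5):
    """Run the client against the simulated server.
    Returns (received_bytes_or_None, retransmissions, timed_out)."""
    srv = LossyServer(data, drop_first)
    try:
        out, n = tftp_read("demo.bin", srv.send, srv.recv, retries)
        return out, n, False
    except TimeoutError:
        return None, retries, True


if __name__ == "__main__":
    print(read_with_loss(bytes(range(256)) * 5, drop_first=2)[1:])
```

    With two datagrams dropped the client still completes the transfer after two retransmissions; with `retries=1` the same loss pattern ends in a timeout, which is the symptom the poster saw (nothing arrives, no exception).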

  • %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    Hi Everyone.
    I was making some changes in routers, and after I rolled back the configuration a GRE tunnel won't work. It's a GRE tunnel between a Cisco 7600 and a Cisco 2851.
    It seems like the 7600 sends packets unencrypted.
    On the C2851 this message is received:
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
            (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
    Could you check the attached configuration and give any advice?
    Thank you.

    I went through the configuration and think all required components are in there.
    I would say that we should check routing.
    The error message means that a packet was received which, as per local policy, should have been an IPsec-encrypted packet, but it was a plain-text packet.
    Going further:
    * Please check if the tunnel is up and share show crypto ipsec sa from either end.
    * Please check if the packets leaving the other end are taking the right exit interface and, if yes, whether they are encrypted or not. You can check this with the help of an ACL (disabling CEF if this is not in production and there is no MPLS link involved).

  • %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47

    Hi ,
    I want to create a GRE over IPsec tunnel between a Cisco ASR 1002 and a Cisco 3900, and I am getting the below error.
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47
    I have attached the configuration file as well; I am currently working on tunnel 117.
    Site A already has some tunnels up and running, but only tunnel 117, which I created now on the ASR 1002, is not working.
    Can anyone let me know why I am facing this issue?

    The first issue that I note is that you have applied the crypto map on the tunnel interface as well as on the physical interface. While there are perhaps still some examples that show this they are based on the operation of quite old IOS versions. The code that you are now running expects the crypto map to be applied only on the physical interface. I suggest that you remove the crypto map from the tunnel interfaces. Try that and let us know if the behavior changes.
    HTH
    Rick

  • Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded

    I have a very basic config to set up wireless on an 857W router.
    When I get connected the log fills up with the following message.
    Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded
    What is causing this?
    Config below:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 ssid TESTSSID_1
    vlan 10
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mywpapskpwd
    dot11 ssid TESTSSID_2
    vlan 20
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mytestpassword
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1
    ip dhcp pool HOME_1
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.1
    ip dhcp pool HOME_2
    network 10.20.0.0 255.255.255.0
    default-router 10.20.0.3
    ip cef
    archive
    log config
    hidekeys
    bridge irb
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    spanning-tree portfast
    interface FastEthernet2
    spanning-tree portfast
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    encryption vlan 20 mode ciphers tkip
    broadcast-key change 60
    ssid TESTSSID_1
    ssid TESTSSID_2
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2452
    station-role root
    world-mode dot11d country GB both
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 spanning-disabled
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 spanning-disabled
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    interface Vlan1
    ip address 10.7.12.219 255.255.255.0
    interface Vlan10
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 10
    hold-queue 100 out
    interface Vlan20
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 20
    hold-queue 100 out
    interface BVI10
    ip address 192.168.100.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface BVI20
    ip address 10.20.0.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.7.12.254
    no ip http server
    no ip http secure-server
    control-plane
    bridge 10 protocol ieee
    bridge 10 route ip
    bridge 20 protocol ieee
    bridge 20 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    end
    Router#

    Too funny... I get clients complain to me about issues and they have drivers that are from 2003 or 2004.
    Now all you have to do is make sure all other devices are on the same firmware. Makes troubleshooting sooooooo much easier.

  • Critical BitLocker Drive Encryption system files are not available

    Hi all,
    We are running into some issues when attempting to configure BitLocker Drive Encryption through the BitLocker UI on Windows Server 2008 SP2.
    On running the BitLocker configuration screen we are presented with a message stating that
    ‘Your system volume is not configured correctly to allow you to use BitLocker Drive Encryption. 
    Critical BitLocker Drive Encryption system files are not available’
    We believe this issue may have been caused during a recent hardware migration using the DoubleTake Move software as we encountered a similar issue with the Windows Backup utility not seeing any available HDDs.
    Has anyone else encountered a similar issue and aware of any potential fix?

    I think it should be supported on Windows Server 2008 as it is supported on Windows Vista.
    Can you check whether BdeHdCfg.exe is present in the System32 folder? If not, copy the BdeHdCfg.exe installer from a higher version of the OS into the System32 folder on Windows Server 2008 and then run the command with administrative rights.
    NOTE: Make sure to change the directory to %SystemDrive%\Windows\System32 before running the command.
    Regards, Gaurav Ranjan

  • Critical BitLocker Drive Encryption system files are not available- which was working earlier.

    Hello All,
    The E drive (external USB drive) of the server was encrypted using BitLocker. Earlier it was working perfectly fine. On running the BitLocker configuration screen we are getting a message stating that ‘Your system volume is not configured correctly to allow you to use BitLocker Drive Encryption. Critical BitLocker Drive Encryption system files are not available’.
    Now whenever we click on the E drive it asks to format the disk.
    Can anyone help me understand which files are required, or need repair, for BitLocker?
    Thanks & Regards,
    Masud Hussain

    Hi Masud,
    Do you have any progress at the moment?
    If there are any related error messages in Event Logs, please post them out for further analyzing.
    Best Regards,
    Amy

  • Not encrypted dot1x packet syslog Alert - what is this?

    Hi, I have a Cisco 877w at home which I just use with my laptop for the internet. Thing is, I keep getting this alert on my syslog server; what is it? The MAC address is my laptop, which is wirelessly connected.
    May 9 19:48:20.265: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:49:05.253: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:49:50.252: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:50:35.510: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:51:20.214: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded

    Here is the configuration guide which will help you :
    http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808a8d80.shtml

  • Firefox is not able to open some websites which are not encrypted.

    While opening some websites like www.ssc.nic.in, Firefox is not able to open the full content of the website and instead it opens only the "html" view of such websites. When I check the details from "View Page Info", the info only gives some details like "This website does not supply ownership information" and "Connection not encrypted".
    I am not able to find any settings that I can change to be able to open the full contents of such websites and not only the HTML content view.
    So, please suggest something so that I can open the full content of such websites.

    Clear the cache and the cookies from sites that cause problems.
    "Clear the Cache":
    * Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
    "Remove Cookies" from sites causing problems:
    * Tools > Options > Privacy > Cookies: "Show Cookies"
    Start Firefox in Safe Mode to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.com/kb/Safe+Mode
    *https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

  • Why packets are being translated by one route-map and not the other?

    Hi,
    I have 2 NAT rules, each with a route-map to determine which packets are translated. What I don't understand is how to control which NAT rule is applied first.
    In my config, the first of the following rules is applied first, and then the other. I would like to have it the other way round, the second being applied first, and the first being applied second.
    ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
    ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP
    The reason why I want it this way round is because the first rule NATs almost everything so that I can access the Internet. The second rule NATs specific traffic to a different address.
    If I want traffic to be NATted according to the second rule, I have to deny the traffic in the first associated ACL and permit it in the second ACL. That means I basically have to configure each ACL every time I want packets to be matched by the second NAT rule. There must be a better way of doing it!
    Any help would be most appreciated.
    Many thanks,
    Michael.

    Hello, here's the basic (shortened list). If I want packets to be matched by NAT_RADIANZ_PIXACCESS_ACL I have to put a deny in NAT_INTERNET_ACCESS_ACL. If I could make sure that the first list is used first, and then anything left over compared against the second, then it would make life/editing much easier...
    Cheers,
    Michael
    ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
    ip nat inside source static udp 10.10.11.1 500 10.10.11.1 500 extendable
    ip nat inside source static udp 10.10.11.1 4500 10.10.11.1 4500 extendable
    ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP
    ip access-list extended NAT_INTERNET_ACCESS_ACL
    remark Traffic to Branch A (over VPN)
    deny ip 172.16.101.0 0.0.0.255 192.168.1.0 0.0.0.255
    remark Traffic to Branch B (over VPN)
    deny ip 172.16.101.0 0.0.0.255 172.16.0.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.3.0 0.0.0.255
    remark Traffic to Cust A (over VPN)
    deny ip host 172.16.101.1 host 192.168.0.1
    deny ip host 172.16.101.2 host 192.168.0.1
    remark Traffic to Cust B (over VPN)
    deny ip host 172.16.101.1 host 192.168.0.2
    deny ip host 172.16.101.2 host 192.168.0.2
    remark Traffic to Cust C (over Radianz VPN)
    deny ip host 172.16.101.1 host 192.168.0.3
    deny ip host 172.16.101.2 host 192.168.0.3
    remark Traffic to Cust D (over Radianz VPN)
    deny ip host 172.16.101.1 host 192.168.0.4
    deny ip host 172.16.101.2 host 192.168.0.4
    permit ip any any
    ip access-list extended NAT_RADIANZ_PIXACCESS_ACL
    remark Manangement Traffic to Cust C
    permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
    permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
    permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
    permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
    remark Manangement Traffic to Cust D
    permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
    permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
    permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
    permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
    route-map NAT_RADIANZ_PIXACCESS_RMAP permit 10
    match ip address NAT_RADIANZ_PIXACCESS_ACL
    set ip next-hop 10.10.11.14
    route-map NAT_INTERNET_ACCESS_RMAP permit 40
    match ip address NAT_INTERNET_ACCESS_ACL
    set ip next-hop xxx.xxx.xxx.xxx

  • IPSEC packet has invalid spi

    I have a very simple LAN-2-LAN between two cisco routers running IOS version 12.4(15)T8 as follows:
    RouterA:
    crypto isakmp key test123 address 4.2.97.15 no-xauth
    crypto isakmp policy 1
    encr aes 256
    hash sha
    authentication pre-share
    group 5
    lifetime 86400
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    set peer 4.2.97.15
    set security-association lifetime seconds 3600
    set transform-set tset
    set pfs group5
    match address vpn
    interface FastEthernet0/0
    ip address 207.15.205.15 255.255.255.0
    speed 100
    full-duplex
    crypto map vpn
    ip access-list extended vpn
    permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255
    RouterB:
    crypto isakmp key test123 address 207.15.205.15 no-xauth
    crypto isakmp policy 1
    encr aes 256
    hash sha
    authentication pre-share
    group 5
    lifetime 86400
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    set peer 207.15.205.15
    set security-association lifetime seconds 3600
    set transform-set tset
    set pfs group5
    match address vpn
    interface FastEthernet0/0
    ip address 4.2.97.15 255.255.255.0
    speed 100
    full-duplex
    crypto map vpn
    ip access-list extended vpn
    permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255
    Every now and then I am seeing this message in the log file:
    Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
    Why am I seeing this message? The VPN between the two routers is very stable without any errors.
    I've asked several CCIE consultants and none of them is able to provide me with a satisfactory answer regarding this message.
    Anyone know why? Thanks in advance.

    I know it's been a while since this was asked, but to help anyone who may still want to know, here is the reason from Cisco:
    It simply means IPsec Security Associations are out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with the above message logged to the syslog.
    Read more here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
    One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with this message logged to the syslog:
    Sep  2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1
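
    The two %CRYPTO-4 messages that recur on this page (RECVD_PKT_NOT_IPSEC in the GRE threads above, RECVD_PKT_INV_SPI here) are worth pulling out of syslog per peer pair: the Cisco note quoted above says an invalid SPI means the SAs are out of sync, and a plaintext arrival means the far side is not encrypting at all. The following is an added example, not code from the thread or from Cisco: a parser for both formats plus a per-peer summary that separates an isolated SPI mismatch from a sustained one. The sample lines are constructed from the formats shown on the page, and `burst_threshold` is an arbitrary assumption.

```python
# Added example (not from the original thread): parse %CRYPTO-4-RECVD_PKT_NOT_IPSEC
# and %CRYPTO-4-RECVD_PKT_INV_SPI syslog lines and summarise them per peer pair.
# Sample lines are constructed from the formats quoted on the page.
import re
from collections import Counter

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Spacing after '=' differs between IOS versions, hence the \s*.  In the
# NOT_IPSEC message an optional VRF name precedes the '/' before dest_addr.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*(?:[\w-]*/)?(?P<dst>" + IP + r")"
    r",\s*src_addr=\s*(?P<src>" + IP + r"),\s*prot=\s*(?P<prot>\d+)")
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=\s*(?P<dst>" + IP + r")"
    r",\s*prot=\s*(?P<prot>\d+),\s*spi=\s*(?P<spi>0x[0-9A-Fa-f]+)"
    r".*?srcaddr=\s*(?P<src>" + IP + r")")


def parse_crypto_event(line):
    """Return a dict for a recognised %CRYPTO-4 line, else None."""
    m = NOT_IPSEC_RE.search(line)
    if m:
        return {"kind": "plaintext_arrival", "src": m.group("src"), "dst": m.group("dst"),
                "prot": int(m.group("prot")), "spi": None}
    m = INV_SPI_RE.search(line)
    if m:
        return {"kind": "sa_out_of_sync", "src": m.group("src"), "dst": m.group("dst"),
                "prot": int(m.group("prot")), "spi": int(m.group("spi"), 16)}
    return None


def summarize(lines, burst_threshold=3):
    """Group events by (kind, src, dst).  burst_threshold (an assumption
    for this example) separates an isolated SPI mismatch, which the
    quoted Cisco note describes as the peers' SAs briefly out of sync,
    from a sustained one that needs attention."""
    events = [e for e in map(parse_crypto_event, lines) if e]
    counts = Counter((e["kind"], e["src"], e["dst"]) for e in events)
    report = {}
    for (kind, src, dst), n in counts.items():
        if kind == "plaintext_arrival":
            severity = "high"
            advice = "peer sends cleartext; check its crypto map, crypto ACL and exit interface"
        elif n >= burst_threshold:
            severity = "medium"
            advice = "repeated SPI mismatch: IPsec SAs out of sync between the peers"
        else:
            severity = "low"
            advice = "isolated SPI mismatch: SAs briefly out of sync (e.g. one side re-keyed or cleared its SA)"
        report[(kind, src, dst)] = {"count": n, "severity": severity, "advice": advice}
    return report


# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    "Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.",
    "Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet."
    "        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47",
    "Sep  2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1",
    "Sep  2 13:27:58.101: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1",
    "Sep  2 13:27:58.502: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    "for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1",
    "Sep  2 13:28:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE_LOG).items()):
        print(key, info)
```

    Feeding a collector's output through `summarize` gives one row per (event kind, source, destination); the single 4.2.97.15 event from this thread lands as "low", the three-in-a-row case as "medium", and the GRE thread's cleartext arrival as "high".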

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits, however I seem to have hit a brick wall.
    The setup is in a lab environment so I can post up as much info as required, but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "WAN" ports together. The routing is working fine; I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    and heres the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    if I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
    the following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
    -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1  E
    Type:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32
    Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
       Outbound SPI : 0x       0, transform :
        Socket State: Closed
    Pending DMVPN Sessions:
    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1
    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help.
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT; g0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.
    The isakmp policy solved my issue; I fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers, but not the LAN interfaces.
    Thanks
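
    Two of the fixes on this page were pure configuration omissions that a reviewer could have caught before the tunnel was brought up: in this DMVPN thread the spoke had no ISAKMP policy at all (the profiles and tunnel protection were present, but nothing for IKE to negotiate with), and in the ASR 1002 thread above Rick's advice was to remove the crypto map from the tunnel interfaces and leave it only on the physical interface. The following is an added example, not code from either thread or from Cisco: a small lint over a pasted IOS running-config that checks for an IKE policy, for dangling transform-set/profile/crypto-map references, and for a crypto map applied on a Tunnel interface. `parse_ios` assumes the usual IOS layout (sub-commands indented, `!` separators); the two sample configs are constructed, modelled on the spoke config above.

```python
# Added example (not from the original thread): lint an IOS running-config
# for the IPsec/IKE omissions discussed on this page.  Sample configs are
# constructed, modelled on the DMVPN spoke configuration in the thread.


def parse_ios(text):
    """Split an IOS config into (top_level_command, [sub_commands]) blocks.
    Indented lines belong to the preceding top-level command; '!' and
    blank lines are separators and are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_crypto(config_text):
    """Return a list of (code, message) findings."""
    blocks = parse_ios(config_text)
    findings = []
    has_ike = any(cmd.startswith(("crypto isakmp policy ", "crypto ikev2 policy "))
                  for cmd, _ in blocks)
    transform_sets = {cmd.split()[3] for cmd, _ in blocks
                      if cmd.startswith("crypto ipsec transform-set ")}
    profiles = {cmd.split()[3]: subs for cmd, subs in blocks
                if cmd.startswith("crypto ipsec profile ")}
    crypto_maps = {}
    for cmd, subs in blocks:                       # crypto map NAME SEQ ipsec-isakmp
        if cmd.startswith("crypto map ") and " ipsec-isakmp" in cmd:
            crypto_maps.setdefault(cmd.split()[2], []).extend(subs)

    # Every profile / crypto map entry must name a transform set that exists.
    for owner, subs in list(profiles.items()) + list(crypto_maps.items()):
        names = [n for s in subs if s.startswith("set transform-set ") for n in s.split()[2:]]
        if not names:
            findings.append(("NO_TRANSFORM_SET", "%s sets no transform-set" % owner))
        for n in names:
            if n not in transform_sets:
                findings.append(("UNDEFINED_TRANSFORM_SET",
                                 "%s references undefined transform-set %s" % (owner, n)))

    uses_ipsec = False
    for cmd, subs in blocks:
        if not cmd.startswith("interface "):
            continue
        ifname = cmd.split()[1]
        for sub in subs:
            if sub.startswith("tunnel protection ipsec profile "):
                uses_ipsec = True
                prof = sub.split()[4]
                if prof not in profiles:
                    findings.append(("UNDEFINED_PROFILE",
                                     "%s uses undefined ipsec profile %s" % (ifname, prof)))
            elif sub.startswith("crypto map "):
                uses_ipsec = True
                name = sub.split()[2]
                if name not in crypto_maps:
                    findings.append(("UNDEFINED_CRYPTO_MAP",
                                     "%s applies undefined crypto map %s" % (ifname, name)))
                if ifname.lower().startswith("tunnel"):   # the ASR 1002 thread's mistake
                    findings.append(("MAP_ON_TUNNEL",
                                     "%s applies crypto map %s; current IOS expects it on the "
                                     "physical interface only" % (ifname, name)))
    if uses_ipsec and not has_ike:                 # the DMVPN thread's mistake
        findings.append(("NO_IKE_POLICY",
                         "IPsec is applied to interfaces but no crypto isakmp/ikev2 policy exists"))
    return findings


# Constructed spoke config: no ISAKMP policy, crypto map on both Tunnel117 and Gi0/0.
SPOKE_CONFIG = """\
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set DMVPN_SET
 match address GRE-ACL
!
interface Tunnel0
 ip address 172.17.100.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PRJ
!
interface Tunnel117
 ip address 172.17.117.10 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 crypto map GRE-MAP
!
interface GigabitEthernet0/0
 ip address 11.11.11.1 255.255.255.248
 crypto map GRE-MAP
!
"""

# Same config with both omissions corrected.
FIXED_CONFIG = SPOKE_CONFIG.replace(" crypto map GRE-MAP\n!\ninterface GigabitEthernet0/0",
                                    "!\ninterface GigabitEthernet0/0") + """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
!
"""

if __name__ == "__main__":
    for code, msg in lint_crypto(SPOKE_CONFIG):
        print(code, "-", msg)
```

    Run against the constructed spoke config the lint reports exactly the two problems from the threads (NO_IKE_POLICY and MAP_ON_TUNNEL); the corrected copy passes clean. The codes are deliberately coarse so the check can be dropped into a pre-change review without tuning.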

  • Windows built-in IKEv2 clients are not finding a valid machine certificate

    Hi All,
    I'm trying to connect Windows built-in clients to a Cisco IOS IKEv2 headend. I want to use EAP to authenticate the clients with their AD credentials. For EAP I need to use certificates, so I will use self-signed certificates as I don't have a CA.
    Once I have created a certificate for the headend, I import this into the clients' Trusted Root Certification Authorities. But when I try to connect the client to the headend, I get an error message from the client: "Error 13806: IKE failed to find valid machine certificate". It seems that Microsoft is having an issue with the certificate.
    Does anyone have an idea what I'm doing wrong?
    Headend config:
    aaa new-model
    aaa group server radius AAA-AuthC-Group-RA
     server-private v.v.v.v auth-port 1812 acct-port 1813 key secret
    aaa authentication login AAA-AuthC-List-RA group AAA-AuthC-Group-RA
    aaa authorization network AAA-AuthZ-List-RA local 
    crypto pki trustpoint PKI-TP-SS-RA
     enrollment selfsigned
     serial-number none
     fqdn headend
     ip-address none
     subject-name cn=x.x.x.x
     revocation-check none
     rsakeypair PKI-TP-SS-RA-Key 2048
     eku request server-auth 
    ip local pool IKEV2-POOL-RA 10.0.0.10 10.0.0.250
    crypto ikev2 authorization policy IKEV2-AUTHORIZATION-POLICY-RA 
     pool IKEV2-POOL-RA
     dns 10.0.0.1
     netmask 255.255.255.0
    crypto ikev2 proposal IKEV2-PROPOSAL-RA 
     encryption aes-cbc-256
     integrity sha1
     group 2
    crypto ikev2 policy IKEV2-POLICY-RA 
     proposal IKEV2-PROPOSAL-RA
    crypto ikev2 profile IKEV2-PROFILE-RA
     match identity remote key-id mydomain.com
     identity local dn 
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint PKI-TP-SS-RA
     dpd 60 2 on-demand
     aaa authentication eap AAA-AuthC-List-RA
     aaa authorization group eap list AAA-AuthZ-List-RA
     virtual-template 10
    no crypto ikev2 http-url cert
    crypto ipsec profile IPSEC-PROFILE-AES-256
     set transform-set IPSEC-AES-256 
    crypto ipsec profile IPSEC-PROFILE-AES256-SHA1
     set transform-set IPSEC-AES256-SHA1 
     set ikev2-profile IKEV2-PROFILE-RA
    interface Loopback10
     ip address 10.0.0.1 255.255.255.0
    interface Virtual-Template10 type tunnel
     description FlexVPN-RA tunnel
     bandwidth 20000
     ip unnumbered Loopback10
     ip mtu 1400
     ip flow ingress
     ip tcp adjust-mss 1360
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PROFILE-AES256-SHA1

    Please tell me where my Mail is getting Elementary School-isized. anyone?
    Mail's Preferences do not affect what is seen at the other end, they are only for local display. To have the recipient see your desired font, you must set it individually for each message in the New Message pane (also you should make it different than what is set in the Preferences, because of a bug). Or you can use custom Stationery.
    A workaround used by some is to create a signature in your desired font and begin your message in the first line of the sig.
    If these options are not satisfactory, best to switch to Entourage or Thunderbird.
