IPSec S2S tunnel can not up

We have about 9 1900 routers and 1 ASA 5510 for partail mesh VPN network. So 8 1900 connect to 1 1900 and ASA located in HQ and datacenter. All worked well however there is one site running really strange. The tunnel between 1900 is up for a while and down. Reboot router seems to be the only fix. But tunnel to ASA does not seem to be down at all.
The issue happened again today, we rebooted the router on site but tunnel still not up. DEBUG shows:
deleting SA reason "Death by retransmission P1 "
I can see alot of
Apr 24 19:57:55.271: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
To me it seems like the IDE packet sent but never got reply and timed out. I did also check on the other end, the HQ. All other tunnels are still running fine on that router, just this remote site. Plus I got the similiar output when debugging on HQ router.
One thing do notice though, there was no match on both router for the ACL to match/permit ESP traffic... I asked on-site staff to reboot the modem used in remote site.
But I still want to ask here to see if you guys there is also other things I also would need to check.
Thanks,

Hello,
The Inspect rule instruct the traffic for that class to be inspected by the router, (the router creates inspection table). this inspection table matches the outgoing traffic and directly permits return traffic for that class. So if your inspecting ICMP, your router should directly permits ICMP replies.
However, with the Pass rule, you would need to policies, the first one matches outging traffic class and the second policy permits the inbound traffic or whether permiting one of the two. The Pass rule means to pass traffic inbound or outbound but it doesnt creats any inspection. As you know , once you create ZBF, each traffic between Zone members is denied by default unless you explicitly permit traffic from one zone to another using the "pass" rule or "inspect" rule under the required policy.
Regards,
Mohamed

Similar Messages

Site-2-Site IPSEC VPN tunnel will not come up.

Hello Experts,
Just wondering if I can get some help on setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config
show run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
set peer A.A.A.A
set transform-set ESP-AES128-SHA
match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND
The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
The command Sh crypto isakmp sa displays the following
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
The debug logs from the debug crypto isakmp command are listed below.
ISAKMP:(0): local preshared key found
Dec 6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
Dec 6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 6 08:51:52.019: ISAKMP:      encryption AES-CBC
Dec 6 08:51:52.019: ISAKMP:      keylength of 128
Dec 6 08:51:52.019: ISAKMP:      hash SHA
Dec 6 08:51:52.019: ISAKMP:      default group 2
Dec 6 08:51:52.019: ISAKMP:      auth pre-share
Dec 6 08:51:52.019: ISAKMP:      life type in seconds
Dec 6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
Dec 6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec 6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Dec 6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec 6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Dec 6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec 6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Dec 6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec 6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM4
Dec 6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec 6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 6 08:51:52.179: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : B.B.B.B
        protocol     : 17
        port         : 500
        length       : 12
Dec 6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec 6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM5
Dec 6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 0
        length       : 12
Dec 6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec 6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP:received payload type 17
Dec 6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec 6 08:51:52.315: ISAKMP:(1227):SA authentication status:
        authenticated
Dec 6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec 6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/, and inserted successfully 2B79E8BC.
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec 6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec 6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec 6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec 6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA New State = IKE_DEST_SA
would appreciate any help you can provide.
Regards,
Sidney Dsouza

Hi Anuj,
thanks for responding. Here are the logs from the debug crypto ipsec
Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
    local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
thats all that appeared after pinging the remote subnet.

Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
              ^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
        quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end

Why do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ?

GRE traffic can not pass through LRT224 IPSec Tunnel

Hi,
We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
We found after reboot, GRE packets can not pass trough LRT224 IPSec tunnel. need to restart serval time then gre will back to normal.
Besides that, GRE keepalive packets can not pass trough LRT224 IPSec Tunnel.
please help. I had tried to upgrade to latest firmware version.
Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46)
A-END:
interface Tunnel1
ip address 10.216.80.105 255.255.255.252
ip mtu 1400
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf cost 10000
tunnel source 10.216.81.2
tunnel destination 10.216.80.90
end
B-END:
interface Tunnel11
ip address 10.216.80.110 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 10000
ip ospf hello-interval 3
tunnel source 10.216.80.91
tunnel destination 10.216.81.3
end
CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
San

Can you post the results from the below command for the Cisco Routers?
IOS Command: "sh version"
Why not static route without NAT through the LRT224 IPSec VPN?
Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
Please remember to Kudo those that help you.
Linksys
Communities Technical Support

I can Ping FW inside interface but can not connect to remote resources

dear all
i configer my asa 5520 through ASDM to enable VPN Connection , i follow the cisco steps and it works fine and the anyconnect version 3.1 in Windows 8 - one day troubleshoot for this point only - can connect and have an IP address from the range , but i have something wrong in NAT may be because all guides talking about old ASDM ( NAT Exempt) but i am confeused to apply it on the new ASDM.
i can ping the inside interface from my labtop which using anyconnect , but i can not access anything else inside my network
Please anyone has a solution , please describe it using ASDM , thanks for help
This is my configuration
interface GigabitEthernet0/1
description
nameif SRV_ZONE
security-level 50
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
description
nameif TRUST_ZONE
security-level 100
ip address 172.17.200.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif MGMT
security-level 0
ip address 10.10.10.1 255.255.255.0
dns server-group DefaultDNS
domain-name xxx.xxx.xxx
object network obj-192.168.1.11
host 192.168.1.11
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service obj-tcp-source-eq-25
service tcp source eq smtp
object network obj-192.168.1.12
host 192.168.1.12
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object service obj-tcp-eq-25
service tcp destination eq smtp
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-172.17.8.8
host 172.17.8.8
object network obj-172.17.0.0
subnet 172.17.0.0 255.255.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj_any-06
subnet 0.0.0.0 0.0.0.0
object network obj.172.17.8.115
host 172.17.8.115
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service http
service tcp source eq www destination eq www
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service https
service tcp source eq https destination eq https
object service newservice
service tcp source eq pop3 destination eq pop3
object network mail
host 172.17.8.8
description mail
object network 192.168.1.11
host 192.168.1.11
description smtp
object service smtpnew
service tcp source eq 587 destination eq 587
object network VPN_RANGE
description VPN ACCESS RANGE
object network VPN_PoOL
subnet 172.17.16.0 255.255.255.0
description vpn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.1.11
network-object host 192.168.1.12
object-group network Eighth_Floor
network-object 172.17.8.0 255.255.255.0
object-group service WEB_SERVICES
service-object tcp destination eq www
object-group network ENT_SERVERS
network-object host 192.168.1.11
network-object host 192.168.1.1
object-group network DM_INLINE_NETWORK_2
network-object 172.17.200.0 255.255.255.0
network-object 172.17.8.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service web tcp
port-object eq www
port-object eq xxx
port-object eq ftp
port-object eq xxx
port-object eq xxx
object-group service xxx_Web_and_Email
service-object object http
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl remark vpn
access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl standard permit any
access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
access-list vpn remark vpn
access-list vpn standard permit 172.17.16.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host TRUST_ZONE 172.17.8.100
mtu INT_ZONE 1500
mtu SRV_ZONE 1500
mtu TRUST_ZONE 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
ip verify reverse-path interface INT_ZONE
ip verify reverse-path interface SRV_ZONE
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SRV_ZONE
icmp permit any TRUST_ZONE
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
object network obj_any
nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-01
nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj-172.17.8.8
nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
object network obj-172.17.0.0
nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
object network obj_any-02
nat (TRUST_ZONE,INT_ZONE) dynamic interface
object network obj_any-03
nat (TRUST_ZONE,SRV_ZONE) dynamic interface
object network obj_any-04
nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-05
nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
object network obj_any-06
nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj.172.17.8.115
nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
object network mail
nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
access-group outside_access_in in interface INT_ZONE
access-group DMZ_access_in in interface SRV_ZONE
access-group TRUST_ZONE_access_in in interface TRUST_ZONE
route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.17.8.0 255.255.255.0 TRUST_ZONE
http 172.17.8.155 255.255.255.255 TRUST_ZONE
http 172.17.8.45 255.255.255.255 TRUST_ZONE
http 10.10.10.2 255.255.255.255 MGMT
http 192.168.1.12 255.255.255.255 SRV_ZONE
http 0.0.0.0 0.0.0.0 INT_ZONE
http 172.17.200.0 255.255.255.0 TRUST_ZONE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
crypto map TRUST_ZONE_map0 interface TRUST_ZONE
crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INT_ZONE_map0 interface INT_ZONE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn SEC-xxx-FW1
subject-name CN=SEC-xxx-FW1
no client-types
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=SEC-xxx-FW1
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
    57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
    efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate e6054352
    c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
    85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
quit
crypto isakmp enable INT_ZONE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INT_ZONE
ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
ssh 10.10.10.2 255.255.255.255 MGMT
ssh timeout 5
console timeout 0
management-access TRUST_ZONE
vpn load-balancing
interface lbpublic INT_ZONE
interface lbprivate INT_ZONE
priority-queue INT_ZONE
tx-ring-limit 256
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 INT_ZONE
webvpn
enable INT_ZONE
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy xxx-VPN internal
group-policy xxx-VPN attributes
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxx-VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy GPNEW internal
group-policy GPNEW attributes
dns-server value 172.17.8.41
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value xxx.xxx.xxx
address-pools value VPN_POOL
username VPNAM password xxx encrypted
username VPNAM attributes
service-type remote-access
vpn-group-policy xxx-VPN
tunnel-group xxx-VPN type remote-access
tunnel-group xxx-VPN general-attributes
dhcp-server 172.17.8.41
tunnel-group xxx-VPN ipsec-attributes
pre-shared-key *****
tunnel-group pol type ipsec-l2l
tunnel-group pol ipsec-attributes
pre-shared-key *****
trust-point ASDM_TrustPoint0
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool VPN_POOL
default-group-policy GPNEW
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect pptp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
: end

thanks god
i solve the problem
the problem is in NAT
i creat an object with the ip address host from VPN pool and name it vpn
then i do the nat from inside to that host as the following picture...
trust zone is the inside zone
vpn is the outside vpn host...
thanks and hope it helps anyone else...

ASA 5505 VPN Can not connect clients

Hi,
I tried to search for an answer to this question but I couldn't find the answer.
I configured the VPN on the ASA, I can not get a client to connect to the ASA I've tried and search for an answer and I really need som help!
Any help is greatly appreciated.
: Saved
ASA Version 7.2(2)
hostname
domain-name
enable password
names
ddns update method
ddns both
interface Vlan1
nameif inside
security-level 100
ddns update hostname
ddns update
dhcp client update dns
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server
name-server
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit ip any any
access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
access-list Remote-VPN_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Bild_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,inside) tcp interface 3389 access-list inside_nat_static
static (inside,inside) tcp interface ftp access-list inside_nat_static_2
static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.168.1.253
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy EasyVPN internal
group-policy EasyVPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value xxx.se
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value xxx.se
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 192.168.1.253 x.x.x.x
vpn-tunnel-protocol IPSec webvpn
group-policy Bild internal
group-policy Bild attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Bild_splitTunnelAcl
username User attributes
vpn-group-policy DfltGrpPolicy
username Bild password encrypted privilege 0
username Bild attributes
vpn-group-policy Bild
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 220 set pfs
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group Bild type ipsec-ra
tunnel-group Bild general-attributes
address-pool TKK
default-group-policy Bild
tunnel-group Bild ipsec-attributes
pre-shared-key *
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
address-pool vpn
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *
tunnel-group EasyVPN type ipsec-ra
tunnel-group EasyVPN general-attributes
address-pool vpn
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
pre-shared-key *
tunnel-group Remote-VPN type ipsec-ra
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect icmp
inspect pptp
service-policy global-policy global
prompt hostname context
Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
: end

Hi Fredrik,
I see your acl "outside_nat0_outbound" set on inside interface for no nat, but I do not see, the acl is being defined anywhere on your config.
I also strongly recommand create your vpn-pool to be different subnet rather being as same as your inside ip of your ASA.
so, let assume your vpn pool is 192.168.255.1-254/24
so, your no-nat for inside will look like this below.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
Let me know, if this helps.
thanks

Phase 2 tunnel is not going up between PIX 525 and Watchguard

Hi Folks,
Can you please help me in knowing where is the problem liying, currently I am trying to establish a VPN tunnel between PIX firewall and Watchguard , all the parameters of both devices are the same though Phase two tunnel is not coming up.
here is the debug :
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 23
ISAKMP (0): Total payload length: 27
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3168983470
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 484086886
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 287560609
ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSdebug
ISAKMP (0): retransmitting phase 1 (0)...
Thanks,
Ismail

Hi Kanishka,
The Phase 2 Parameters are the same also PFS is disabled !
There are some curious things in the debug msg, could you please throw some light on them
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
what does the vendor ID is NAT-T above mean ? Is it say that both sides are using Nat traversal.
Also in ecryption its says encryption 3DES-CBC
i am not sure if this CBC is the culprit. Because thats what watchgaurd uses only it does not have an option for only 3DES.
strange enought that Phase 1 is getting up, I am also questioning myself about the following message appearing in Phase 1:
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
how come Phase 1 is coming up though the PIX is claiming that his HASH is not the same as HIS HASH :(
the log messages on WATCH GUARD states that there is no proposal chosen!
why both firewalls are not friends?
I appreciate any input

I can not to connect to nated address

Hi
I have server with real address 10.173.1.242, i created static nat to address 10.164.32.15, but I can not to connect to address 10.164.32.15 from IP 10.161.111.130, here is config of ASA:
Peter
ASA Version 8.0(5)
names
interface GigabitEthernet0/0
nameif intranet
security-level 30
ip address 10.164.241.1 255.255.255.0 standby 10.164.241.2
interface GigabitEthernet0/1
nameif cdi
security-level 80
ip address 10.173.241.1 255.255.255.0 standby 10.173.241.2
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
interface GigabitEthernet0/2.491
vlan 491
nameif service491
security-level 50
ip address 10.173.1.241 255.255.255.0 standby 10.173.1.240
interface GigabitEthernet0/2.492
vlan 492
nameif service492
security-level 50
ip address 10.173.2.241 255.255.255.0 standby 10.173.2.240
interface GigabitEthernet0/2.493
vlan 493
nameif service493
security-level 50
ip address 10.173.3.241 255.255.255.0 standby 10.173.3.240
interface GigabitEthernet0/2.500
vlan 500
nameif service500
security-level 50
ip address 10.173.0.241 255.255.255.0 standby 10.173.0.240
interface GigabitEthernet0/2.550
vlan 550
nameif service550
security-level 50
no ip address
interface GigabitEthernet0/3
description LAN Failover Interface
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name t-dc.sk
access-list cdi-in extended permit icmp any any log debugging
access-list cdi-in extended deny ip any any
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended deny ip any any
access-list service491-in extended permit icmp any any log debugging
access-list service491-in extended deny ip any any
access-list service492-in extended deny ip any any
access-list service493-in extended deny ip any any
access-list service500-in extended deny ip any any
access-list service550-in extended deny ip any any
access-list cap extended permit ip any any
pager lines 24
logging buffered debugging
logging trap debugging
logging asdm debugging
logging host service491 10.173.1.242
mtu intranet 1500
mtu cdi 1500
mtu service491 1500
mtu service492 1500
mtu service493 1500
mtu service500 1500
mtu service550 1500
mtu mngmt 1500
ip local pool pool1 10.31.250.129-10.31.250.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 172.16.10.1 255.255.255.252 standby 172.16.10.2
no monitor-interface intranet
no monitor-interface cdi
no monitor-interface mngmt
icmp unreachable rate-limit 1 burst-size 1
icmp permit any intranet
icmp permit any cdi
icmp permit any service491
icmp permit any service492
icmp permit any service493
icmp permit any service500
icmp permit any service550
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
access-group intranet-in in interface intranet
access-group cdi-in in interface cdi
access-group service491-in in interface service491
access-group service492-in in interface service492
access-group service493-in in interface service493
access-group service500-in in interface service500
access-group service550-in in interface service550
route intranet 0.0.0.0 0.0.0.0 10.164.241.5 1
route cdi 10.97.0.0 255.255.0.0 10.173.241.5 1
route cdi 10.168.0.0 255.255.0.0 10.173.241.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.t-dc.sk
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate c116474f
    308201e7 30820150 a0030201 020204c1 16474f30 0d06092a 864886f7 0d010104
    bce 90a3424e
    f9f040e2 95c69b91 779b8a
quit
no crypto isakmp nat-traversal
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust intranet
webvpn
enable intranet
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
group-policy GrpPolicy-ssl1 internal
group-policy GrpPolicy-ssl1 attributes
vpn-tunnel-protocol svc
tunnel-group ssl1 type remote-access
tunnel-group ssl1 general-attributes
address-pool pool1
default-group-policy GrpPolicy-ssl1
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:be82cd121bde8e5de3981453caa201f0
: end

i corrected "packet-tracer..." there was mistake, 10.161.11.130 instead 10.161.111.130
pna-tdc1# packet-tracer input intranet tcp 10.161.111.130 1025 10.164.32.15 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
    static translation to 10.164.32.15
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 10.0.0.0 255.0.0.0 log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
    static translation to 10.164.32.15
    translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
    static translation to 10.164.32.15
    translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2956, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.173.1.242 using egress ifc service491
adjacency Active
next-hop mac address 0014.4fed.bb6c hits 41
Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: allow
pna-tdc1#
pna-tdc1#

How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000

Hello all.
This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
I have succesfully config an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.
On the site of Router Scientific Atlanta Cisco 2320 this is some info:
WAN IP: A.A.A.A
Router Local IP: 192.168.5.1
Subnet: 192.168.5.X
Subnet Mask: 255.255.255.0
On the site of RVS4000 4-Port Gigabit Security Router with VPN this is some info:
WAN IP: B.B.B.B
Router Local IP: 192.168.0.10
Subnet: 192.168.0.X
Subnet Mask: 255.255.255.0
Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.
I show the configuration on Router Scientific Atlanta Cisco 2320:
I show the configuration on RVS4000 4-Port Gigabit Security Router with VPN:
If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with VPN the Status Up:
As you can see, I'm connected to the remote Router (RVS4000 4-Port Gigabit Security Router with VPN) by my own web browser accesing by the local IP 192.168.0.10
I have used Authentication MD5, maybe is not the best one but I had no time to test SHA1, I will when I will have time.
I wish that this help to anyone that need to do this.
Best regards!

Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch

4 out of 25 VPN tunnel is not getting up.....

Hi Experts,
I have found one strange problem with IPSec VPN, the scenario is like this, our corporate office is connected to its 25 remote office with IPSec VPN, at corporate site, cisco 2811 router is installed and same type of router is installed at each remote site and IPSec VPN is configured between remote office and corporate office and further each remote site router has two other VPN configured which are working properly. Now the problem is, 4 out of 25 remote offices are not getting up with corporate office, I mean the VPN is not getting up for these location. I sit at corporate office and have tried my level best to up these VPN but the problem not getting resolved.
Now the strange problem is that the VPN gets up by itself, after sometime like in 10days or 20days, for sometime and gets down by itself later.
Anyone who can give some insights where the problem could be and how could i troubleshoot the problem?
Thanks in advance for your valuable response

Hi Mike,
Thanks for your reply...
Below are some logs from corporate router with one of the tunnel which is not getting up::
RTR-FTR-PJB#debug crypto isakmp
Crypto ISAKMP debugging is on
RTR-FTR-PJB#ping 172.26.10.1 source l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.26.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.21.128.1
*Mar 22 12:19:32.147: ISAKMP: local port 500, remote port 500
*Mar 22 12:19:32.147: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 12:19:32.147: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 459BC390
*Mar 22 12:19:32.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 22 12:19:32.147: ISAKMP:(0):found peer pre-shared key matching remote_ipsec_peer
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 22 12:19:32.147: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 22 12:19:32.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 22 12:19:32.147: ISAKMP:(0): beginning Main Mode exchange
*Mar 22 12:19:32.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:32.147: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
RTR-FTR-PJB#
*Mar 22 12:19:42.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:19:42.147: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 22 12:19:42.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:19:42.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:42.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:19:52.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:19:52.147: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 22 12:19:52.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:19:52.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:52.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:02.143: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 12:20:02.143: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.100.103.2, remote remote_ipsec_peer)
*Mar 22 12:20:02.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:02.147: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 22 12:20:02.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:02.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:02.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:03.847: ISAKMP:(0):purging node 1974447943
*Mar 22 12:20:03.847: ISAKMP:(0):purging node -1277953536
*Mar 22 12:20:12.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:12.147: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 22 12:20:12.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:12.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:12.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:13.847: ISAKMP:(0):purging SA., sa=451DF344, delme=451DF344
*Mar 22 12:20:22.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:22.147: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 22 12:20:22.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:22.147: ISAKMP:(0): sending packet to remote_ipsec_peermy_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:22.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:32.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:32.147: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 22 12:20:32.147: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer remote_ipsec_peer)
*Mar 22 12:20:32.147: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer remote_ipsec_peer)
*Mar 22 12:20:32.147: ISAKMP:(0):deleting node -1242602279 error FALSE reason "IKE deleted"
*Mar 22 12:20:32.147: ISAKMP:(0):deleting node 275856152 error FALSE reason "IKE deleted"
*Mar 22 12:20:32.147: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 22 12:20:32.147: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 22 12:21:22.147: ISAKMP:(0):purging node -1242602279
*Mar 22 12:21:22.147: ISAKMP:(0):purging node 275856152
*Mar 22 12:21:32.147: ISAKMP:(0):purging SA., sa=459BC390, delme=459BC390
RTR-FTR-PJB#debug crypto ipsec
Crypto IPSEC debugging is on
RTR-FTR-PJB#ping 172.26.10.1 source l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.26.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.21.128.1
*Mar 22 12:23:27.411: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0.....
Success rate is 0 percent (0/5)
RTR-FTR-PJB#
*Mar 22 12:23:57.411: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4)
*Mar 22 12:23:57.411: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RTR-FTR-PJB#debug crypto engine
*Mar 22 12:28:59.415: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.415: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.415: crypto_engine: Encrypt IKE packet
*Mar 22 12:28:59.727: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.727: crypto_engine: Encrypt IKE packet
*Mar 22 12:28:59.763: crypto_engine: Decrypt IKE packet
*Mar 22 12:28:59.763: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.099: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.239: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.239: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.271: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.271: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.359: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.359: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.359: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.363: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.403: crypto_engine: Generate IKE hash
Few things i would like mention here are:
1. I am able to ping remote_ipsec_peer from my router.
2. At both routers other tunnels are working fine.
3. NATing is not involved at both sides router, we have static ip at both side and static routes are configured to reach the peer.
Anyone who can provide some insights by looking the above log, where the problem could be?

L2L issue, the tunnel does not getting up from one direction

Hello,
We have configure a L2L vpn between Asa and 1841 router. We are facing this issue.
The tunnel is not getting up from the 1841 site never. When we are trying to generate traffic from the ASA site the tunnel is up and we can see decryps and encryps packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
crypto map EKO_BG 100 ipsec-isakmp
set peer 213.249.x.x
set security-association lifetime seconds 28800
set transform-set XXXXX
set pfs group2
match address 111
interface FastEthernet0/0.2
encapsulation dot1Q 3338
ip address 212.200.30.130 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map XXXXX
ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 10.70.2.10 93.87.18.161
ip nat inside source static 10.70.25.10 93.87.18.162
ip nat inside source static 10.70.36.5 93.87.18.163
ip nat inside source static 10.70.39.10 93.87.18.164
ip nat inside source static 10.70.5.10 93.87.18.165
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
Asa Config:
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
pager lines 24
nat (inside) 9 access-list inside_pnat_outbound_V5
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
crypto map mymap 150 match address
crypto map mymap 150 set pfs
crypto map mymap 150 set peer XXXXXX
crypto map mymap 150 set transform-set XXX
crypto map mymap 150 set security-association lifetime seconds 28800
crypto map mymap 150 set security-association lifetime kilobytes 10000
crypto map mymap 320 match address outside_cryptomap_320
crypto map mymap 320 set pfs
crypto map mymap 320 set peer XXXXX
crypto map mymap 320 set transform-set XXXXX
crypto map mymap 320 set security-association lifetime seconds 28800
crypto map mymap 320 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption 3des
isakmp policy 150 hash md5
isakmp policy 150 group 2
tunnel-group 212.200.x.x type ipsec-l2l
tunnel-group 212.200.x.x ipsec-attributes
pre-shared-key *
Please advise.
Thank you.

hello Ashley,
thank you for this info. Now from the router site the tunneling is getting up and I can see packets but althought the tunnel is up it can not make telnet to our server (172.40.10.100) on a specific port.
We from ASA site can ping router Site and make telnet.
Any ideas???
Thank you all from your answers!

Can not ping between remote vpn site ???

site A is l2l vpn, site B is network-extend vpn, both connect to same vpn device 5510 at central office and work well. I can ping from central office to both remote sites, But i can not ping between these two vpn sites ? Tried debug icmp, i can see the icmp from side A does reach central office but then disappeared! not sending to side B ?? Please help ...
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
access-list OUTSIDE extended permit icmp any any
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A
nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
crypto map VPN-MAP 50 match address HOLT-VPN-ACL
crypto map VPN-MAP 50 set peer *.*.56.250
crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
crypto map VPN-MAP interface outside
group-policy REMOTE-NETEXTENSION internal
group-policy REMOTE-NETEXTENSION attributes
dns-server value *.*.*.*
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE-NET2
default-domain value *.org
nem enable
tunnel-group REMOTE-NETEXTENSION type remote-access
tunnel-group REMOTE-NETEXTENSION general-attributes
authentication-server-group (inside) LOCAL
default-group-policy REMOTE-NETEXTENSION
tunnel-group REMOTE-NETEXTENSION ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.56.250 type ipsec-l2l
tunnel-group *.*.56.250 ipsec-attributes
ikev1 pre-shared-key *****
ASA-5510# show route | include 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# show route | include 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510#
Username : layson-ne Index : 10
Assigned IP : 192.168.46.0 Public IP : *.*.65.201
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11667685 Bytes Rx : 1604235
Group Policy : REMOTE-NETEXTENSION Tunnel Group : REMOTE-NETEXTENSION
Login Time : 08:19:12 EST Thu Feb 12 2015
Duration : 6h:53m:29s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA-5510# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : *.*.56.250
Index : 6 IP Addr : *.*.56.250
Protocol : IKEv1 IPsec
Encryption : 3DES AES256 Hashing : SHA1
Bytes Tx : 2931026707 Bytes Rx : 256715895
Login Time : 02:02:41 EST Thu Feb 12 2015
Duration : 13h:10m:03s

Hi Rico,
You need to dynamic-nat (to available IP address) for both side for each remote subset to access the other remote side subnet and so they can access each other subnet as if both originating the traffic from your central location.
example:
Lets say this IP (10.10.10.254) is unused IP at central office, permitted to access remote tunnel "A" and site "B".
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination
static SITE-B SITE-B
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination
static SITE-A SITE-A
Hope this helps
Thanks
Rizwan Rafeek

Overlapping lan segments S2S tunnels (the other end)

Is there any way to policy nat incoming vpn S2S tunnel traffic? I know we can policy nat out going to send traffic over a tunnel as something else...
e.g.
my firewall
LAN segment 192.168.10.0/24
1st external firewall with s2s tunnel #1 back to my firewall
LAN 10.10.10.0/24
2nd external firewall with s2s tunnel #2 back to my firewall
LAN 10.10.10.0/24
if no changes can be made to the 1st and 2nd external firewall meaning we cannot get to at leat
one of them so they policy nat out as another subnet....is there any thing we can do
on the "my firewall" ? (any incoming nat policy options or routes over the tunnel peer ip or something or the other???)
and this would be cisco asa's, all three at least.
thank you!

hi, i looked at the document and thank you for responding! my scenario would be a little bit different though wherein we have another pix say "pix-C" which in the pdf would also be using 10.1.0.0/24
we couldn't make a 2nd policy nat for pix-C. we couldnt have a 2nd source and destination ACL used for a 2nd policy map as the pix A would not know which access-list to use...
i know another option is public ip to public ip's for the site to site but that isnt always an option.
So going by the pdf you attached what if there was also a pix-C that is also using 10.1.0.0/24 and we cannot make configuration changes on pix-B or pix-C just only on pix-A ...is there anyway we can have the two site to sites A to B and A to C even though B and C both have 10.1.0.0/24 ?

Windows Replication RPC Problems with IPSec GRE Tunnel

We have been having significant issue in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares. Both services will randomly stop working, throwing RPC errors as the resulting cause. We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem. I'm trying to the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs. An IPSec GRE tunnel exists between both offices. Interoffice bandwidth is approximately 10mbps. Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations. We really don't have a complicated environment, I'd think it wouldn't be too hard to set up. But this just seems to be escaping me. I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
Please let me know if there is anything further people need to see. My next step is MS forums but I wanted to eliminate layer 3 first.
Tunnel Config:
crypto map outside_crypto 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address 102
crypto ipsec df-bit clear
interface Tunnel0
bandwidth 10240
ip address x.x.x.x x.x.x.x
no ip redirects
ip mtu 1420
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1375
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto ipsec df-bit clear
end

Hi,
Based on the third-party article below, you can setup VPN connection between Windows VPN client and Cisco firewall:
Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
RADIUS authentication for Cisco switches using w2k8R2 NPS
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best regards,
Susie

Remote access VPN with Cisco Router - Can not get the Internal Lan .

Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end

Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Waiting for your responce .
--Milon

IPSec S2S tunnel can not up

Similar Messages

Maybe you are looking for