IPSEC tunnel sa local ident is an odd IP range

Similar Messages

• IPSec Tunnel established but not able to reach remote Local subnet

  Hi,
  We established IPsec Tunnel. It was active but I found following issue. Please give your suggestion to troubleshoot it.
  1. 192.168.50.0/24 (Site A) able to reach 192.168.90.0/24. (Site B) and Vice Versa
  2. 192.168.30.0/24 (Site C) able to reach 192.168.50.0/24 (Site A) but not vice versa.
  3. 192.168.10.0/24, 155.220.21.175 (Site A) reaches up to 192.168.90.0/24 (Site B) and vice versa. but not reach to 192.168.50.0/24 (Site A)
  Want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A)
  Additionally Tunnel only established if active traffice send from site B.
  Thanks & Rgds,
  Dhaval Dikshit

  Thanks, Punit. Additionalily I found following error, it might reach us to nearer to solution. Please suggest if any suggetion.
  When I'm doing packet tracer from site B I got following massage.
  ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc959c928, priority=1, domain=permit, deny=false
          hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
          src mac=0000.0000.0000, mask=0000.0000.0000
          dst mac=0000.0000.0000, mask=0100.0000.0000
  Phase: 2
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   155.220.21.175  255.255.255.255 inside
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
  object-group network Tas_Tunnel
  network-object host 192.168.50.50
  network-object host 192.168.50.65
  network-object host 192.168.50.220
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xca246310, priority=12, domain=permit, deny=false
          hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
          src ip=192.168.50.220, mask=255.255.255.255, port=0
          dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
          hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 5
  Type: INSPECT
  Subtype: inspect-ftp
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect ftp
  service-policy global_policy global
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
          hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
  Phase: 6
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
          hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 7
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
          hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip=192.168.50.220, mask=255.255.255.255, port=0
          dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
  Phase: 8
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
          hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 9
  Type: VPN
  Subtype: encrypt
  Result: DROP
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
          hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
          src ip=155.220.21.175, mask=255.255.255.255, port=0
          dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  Thanks & Rgrds,
  Dhaval Dikshit

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• The tale of two IPSec Tunnels...

  I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510's, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.
  I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
  At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
  Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
  I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies.  Oon the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which make sense.
  Other things to note:  The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
  I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks
  Test Site that works
  Production Site that Doesn't
  testasa01-5510# sh run
  : Saved
  ASA Version 8.2(5)
  hostname testasa01-5510
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.240
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.39.194.2 255.255.255.248
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  no ip address
  management-only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
  access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
  tcp-map WSOptions
    tcp-options range 24 31 allow
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 100 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 100 10.39.0.0 255.255.0.0
  access-group inside_access_in in interface inside
  router eigrp 100
  network 10.0.0.0 255.0.0.0
  passive-interface default
  no passive-interface inside
  route outside 0.0.0.0 0.0.0.0 <outsideif> 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 1 match address outside_cryptomap
  crypto map outside_map1 1 set pfs group1
  crypto map outside_map1 1 set peer 209.242.145.200
  crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 170
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 management
  ssh timeout 60
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server <server> source inside
  webvpn
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol IPSec
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  tunnel-group 111.222.333.444 type ipsec-l2l
  tunnel-group 111.222.333.444
  general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 111.222.333.444
  ipsec-attributes
  pre-shared-key *****
  class-map WSOptions-class
  match any
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  class WSOptions-class
    set connection advanced-options WSOptions
  policy-map type inspect ip-options ip-options-map
  parameters
    eool action allow
    nop action allow
    router-alert action allow
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  mp01-5510asa# sh run
  : Saved
  ASA Version 8.2(5)
  hostname mp01-5510asa
  names
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.29.194.2 255.255.255.252
  interface Ethernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.29.1 255.255.255.0
  interface Ethernet0/2
  description
  nameif backup
  security-level 0
  ip address <backupif> 255.255.255.252
  interface Ethernet0/3
  description
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.248
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.29.199.11 255.255.255.0
  management-only
  banner login Authorized Use Only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  object-group network DM_INLINE_NETWORK_1
  network-object 10.29.1.0 255.255.255.0
  network-object 10.29.15.0 255.255.255.0
  network-object 10.29.199.0 255.255.255.0
  network-object 10.29.200.0 255.255.255.0
  network-object 10.29.31.0 255.255.255.0
  access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
  access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
  access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
  access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
  access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
  access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
  access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging list acl-messages message 106023
  logging buffered acl-messages
  logging asdm acl-messages
  mtu inside 1500
  mtu dmz 1500
  mtu backup 1500
  mtu outside 1500
  mtu management 1500
  ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  asdm history enable
  arp timeout 14400
  global (inside) 201 interface
  global (dmz) 101 interface
  global (backup) 101 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 10.29.1.0 255.255.255.0
  nat (inside) 101 10.29.15.0 255.255.255.0
  nat (inside) 101 10.29.31.0 255.255.255.0
  nat (inside) 101 10.29.32.0 255.255.255.0
  nat (inside) 101 10.29.199.0 255.255.255.0
  nat (inside) 101 10.29.200.0 255.255.255.0
  nat (inside) 101 192.168.29.0 255.255.255.0
  static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
  route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
  route management 10.0.0.0 255.0.0.0 10.29.199.1 1
  route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
  route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 100
  type echo protocol ipIcmpEcho 74.125.239.16 interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 100 life forever start-time now
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  track 1 rtr 100 reachability
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 10.0.0.0 255.0.0.0 management
  ssh timeout 60
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.200.1.41 source inside
  webvpn
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool3
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect icmp
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  testasa01-5510# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 172.16.139.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 0A7F396F
        current inbound spi : E87AF806
      inbound esp sas:
        spi: 0xE87AF806 (3900372998)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x7FFFFFFF
      outbound esp sas:
        spi: 0x0A7F396F (176109935)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  mp01-5510asa# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 10.254.29.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 096265D4
        current inbound spi : F5E4780C
      inbound esp sas:
        spi: 0xF5E4780C (4125390860)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x001FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x096265D4 (157443540)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Config (non working site) looks fine(unless I missed something:)) . You may want to add :
  access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
  Try by taking out vpnfilter :  vpn-filter value remoteaccess
  To further t-shoot, try using packet tracer from ASA to the client...
  https://supportforums.cisco.com/docs/DOC-5796
  Thx
  MS

• Help getting GRE IPsec tunnel setup

  We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router.  I am attempting to setup a GRE tunnel over IPsec back to the main office.  The main office consists of a PIX515, a 2821 router, and a 2921 router.  
  There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
  I have attached a PDF that shows a general overview. 
  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
  Main Office
  The external address     198.40.227.50.
  The loopback address   10.254.10.6
  The tunnel address        10.2.60.1
  Offsite Datacenter
  The external address     198.40.254.178
  The loopback address   10.254.60.6
  The tunnel address        10.2.60.2
  The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
  PIX Version 7.2(2)
  interface Ethernet0
  mac-address 5475.d0ba.5012
  nameif outside
  security-level 0
  ip address 198.40.227.50 255.255.255.240
  interface Ethernet1
  nameif inside
  security-level 100
  ip address 10.10.10.3 255.255.0.0
  access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
  access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
  global (outside) 1 interface
  nat (outside) 1 10.60.0.0 255.255.0.0
  nat (inside) 0 access-list noNat
  route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
  route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
  route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto map cr-lakeavemap 10 match address outside_cryptomap_60
  crypto map cr-lakeavemap 10 set peer 198.40.254.178
  crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
  crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
  crypto map cr-lakeavemap interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  tunnel-group DefaultRAGroup ipsec-attributes
  isakmp keepalive threshold 10 retry 2
  tunnel-group 198.40.254.178 type ipsec-l2l
  tunnel-group 198.40.254.178 ipsec-attributes
  The offsite datacenter PIX501 config (again edited)
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
  access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
  mtu outside 1500
  mtu inside 1500
  ip address outside 198.40.254.178 255.255.255.240
  ip address inside 10.60.10.2 255.255.0.0
  route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
  route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
  route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
  crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto map cr-lakeavemap 10 ipsec-isakmp
  crypto map cr-lakeavemap 10 match address crvpn
  crypto map cr-lakeavemap 10 set peer 198.40.227.50
  crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
  crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
  crypto map cr-lakeavemap client authentication LOCAL
  crypto map cr-lakeavemap interface outside
  isakmp enable outside
  isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
  isakmp identity address
  isakmp keepalive 10
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  Output of the “show crypto ipsec sa” command
  From the main office
  Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
         access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
         local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
         remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
         current_peer: 198.40.254.178
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
         #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
         #pkts compressed: 0, #pkts decompressed: 0
         #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
         #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
         #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
         #send errors: 0, #recv errors: 0
         local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
         path mtu 1500, ipsec overhead 58, media mtu 1500
         current outbound spi: D78E63C9
        inbound esp sas:
        spi: 0x5D63434C (1566786380)
           transform: esp-3des esp-sha-hmac none
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
           sa timing: remaining key lifetime (kB/sec): (4274801/7527)
           IV size: 8 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0xD78E63C9 (3616433097)
           transform: esp-3des esp-sha-hmac none
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
           sa timing: remaining key lifetime (kB/sec): (4275000/7527)
           IV size: 8 bytes
           replay detection support: Y
  From the offsite datacenter
     local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
     remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
     current_peer: 198.40.227.50:500
     dynamic allocated peer ip: 0.0.0.0
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
      #send errors 1156, #recv errors 0
       local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
       path mtu 1500, ipsec overhead 56, media mtu 1500
       current outbound spi: 5d63434c
       inbound esp sas:
        spi: 0xd78e63c9(3616433097)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 1, crypto map: cr-lakeavemap
          sa timing: remaining key lifetime (k/sec): (4608000/6604)
          IV size: 8 bytes
          replay detection support: Y
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x5d63434c(1566786380)
          transform: esp-3des esp-sha-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2, crypto map: cr-lakeavemap
          sa timing: remaining key lifetime (k/sec): (4607792/6596)
          IV size: 8 bytes
          replay detection support: Y
       outbound ah sas:
       outbound pcp sas:
  I'm not sure where the issue lies and have beat my head on this for awhile so any help/insight is greatly appreciated.  If there is anything else you'd like to see please let me know. 

  Hi Joe,
  This should be moved to a VPN forum, however, something comes up Really quickly from the problem. Here:
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  Thats from the Pix on the Main office, so I think the GRE traffic is not either getting or being encrypted. I am assuming this is the IP address of the router behind the main office 10.254.10.6 is that correct?
  If so, I would put a capture on the Pix to see if the GRE traffic is getting to that PIX on the inside (Unencrupted but Encapsulated on GRE) and make sure that it is not being dropped. To ensure that, you can see the logs on the PIX and see if the firewall is dropping the GRE previous being encrypted.
  Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted.
  Let me know.
  Mike Rojas.

• Help on establishing Ipsec tunnel btw 1941 and ASA

     We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
  My config:
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname XXXX
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  enable XXXXX
  enable password XXXXXX
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip cef
  ip domain name yourdomain.com
  ip name-server XXX.XXX.XXX.XXX
  ip name-server XXX.XXX.XXX.XXX
  multilink bundle-name authenticated
  password encryption aes
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-4075439344
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4075439344
  revocation-check none
  rsakeypair TP-self-signed-4075439344
  crypto pki certificate chain TP-self-signed-4075439344
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
    34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
    33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
    269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
    89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
    22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
    049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
    03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
    2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
    E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
    238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
    DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
    DD9950CB A40FC91B 4BCDE0DC 1B217A
          quit
  license udi pid CISCO1941/K9 sn FTX1539816K
  license boot module c1900 technology-package securityk9
  username XXXXXXXXXXXXXX
  redundancy
  crypto isakmp policy 60
  encr aes
  authentication pre-share
  group 2
  crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
  crypto isakmp profile mode
     keyring default
     self-identity address
     match identity host XXX.XXX.XXX.XXX
     initiate mode aggressive
  crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
  crypto map outside 60 ipsec-isakmp
  set peer XXX.XXX.XXX.XXX
  set transform-set VPNbrasil
  set pfs group2
  match address vpnbrazil
  interface Tunnel0
  ip unnumbered GigabitEthernet0/1
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description WAN
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  ip nat outside
  no ip virtual-reassembly in
  duplex full
  speed 100
  crypto map outside
  interface GigabitEthernet0/1
  description Intercon_LAN
  ip address XXX.XXX.XXX.XXX 255.255.255.252
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map outside
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 2 interface GigabitEthernet0/1 overload
  ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
  ip access-list extended natvpnout
  permit ip host XXX.XXX.XXX.XXX any
  permit ip any any
  ip access-list extended vpnbrazil
  permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
  permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
  permit ip any any
  access-list 1 permit any
  access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
  access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
  access-list 3 permit XXX.XXX.XXX.XXX
  access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
  access-list 23 permit any log
  control-plane
  b!
  line con 0
  login local
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  access-class 23 in
  privilege level 15
  login local
  transport input all
  telnet transparent
  line vty 5
  access-class 23 in
  privilege level 15
  login
  transport input all
  telnet transparent
  line vty 6 15
  access-class 23 in
  access-class 23 out
  privilege level 15
  login local
  transport input telnet ssh
  transport output all
  Could someone please help me on what could be wrong? and What tests should I do?
  Rds,
  Luiz

  try a simple configuration w/o isakmp proflies
  have a look at this link:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

• Multiple site to site IPSec tunnels to one ASA5510

  Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

  Hi,
  Regarding setting up the new L2L VPN connection..
  Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
  I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
  If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
  Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
  - Jouni

• All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

  Hi, all,
    I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
  Quote :
  Question ? :
  Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
  Dallas (Main) Lan Net is: 10.10.200.0/24
  Austin (Remote) LAN Net is: 10.20.2.0/24
  The Dallas (Main) site has a VPN config of:
  Local Net: 0.0.0.0/0
  Remote Net: 10.20.2.0/24
  The Austin (Remote) site has a VPN config of:
  10.20.2.0/24
  Remote Net: 0.0.0.0/0
  The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
  I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
  Answer:
  Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
  Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
  My question ?
  The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
  how to do it , could anybody give me the specific configuration ? thanks a lot.

  Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
  crypto isakmp keepalive 60
  crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
  crypto dynamic-map IPsecdyn 100
  set transform-set IPsectrans
  match address 102
  crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
  interface Loopback1
  ip address 10.10.200.1 255.255.255.0
  interface FastEthernet0/0
  ip address 113.113.1.1 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map IPsecmap
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 113.113.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 100 interface FastEthernet0/0 overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 102 permit ip any 10.20.2.0 0.0.0.255

• Transparent Tunneling and Local Lan Access via VPN Client

  Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
  Mike Bowyer

  Hi Mike,
  "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
  What do you mean exactly with "disabled once the connection is made" ?
  You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
  Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
  Are any local LAN routes displayed when your are connected ?
  And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
  1: This feature works only on one NIC card, the same NIC card as the tunnel.
  2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
  Carsten
  PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

• Static NAT with IPSec tunnel

  Hi,
  I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
  I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
  There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
  From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
  So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
  The configuration can be seen below for the NAT part;
  ! Denies vpn interesting traffic but permits all other
  ip access-list extended NAT-Traffic
  deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
  deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
  deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
  deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
  permit ip any any
  ! create route map
  route-map POLICY-NAT 10
  match ip address NAT-Traffic
  ! static nat
  ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
  Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
  Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
  Many thanks in advance
  Brian

  Hi,
  Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
  Thanks
  Brian

• IPSec tunnel dropping

  Hello,
  I have set up a IPSec VPN between two 3845 routers:
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key XXXXXXXXXXXX address 1.1.1.1
  crypto ipsec transform-set CTransformSet esp-3des esp-sha-hmac
  crypto map MyCryptoMap local-address GigabitEthernet0/1
  crypto map MyCryptoMap 15 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set CTransformSet
  set pfs group2
  match address CryptoC
  ip access-list extended CryptoC
  permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255
  And similar on the other side. It all works great, once the tunnel is up and running. However if I don't send any data from the 192.168.1 network to the 1.1.1 network for a while (5-10 minutes?), it seems to drop the tunnel, and the first request I make fails (I guess because the tunnel is establishing). Subsequent requests work fine again, but the first one always fails.
  Is there any way to (preferably) make the first request succeed? Or if not, how to make the tunnel not drop after a certain time has passed? I have tried:
  crypto ipsec security-association lifetime kilobytes 536870912
  crypto ipsec security-association lifetime seconds 86400
  crypto isakmp keepalive 10
  ...with no success! "show crypto ipsec sa" tells me there's plenty of time remaining on the inbound and outbound esp:
  sa timing: remaining key lifetime (k/sec): (513953358/5739)

  debug crypto ipsec
  debug crypto isakmp
  I just get this block:
  Jul 19 12:50:48.145: ISAKMP (0:134217734): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP: set new node -46235277 to QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing HASH payload. message ID = -46235277
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
          spi 0, message ID = -46235277, sa = 64F91240
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):deleting node -46235277 error FALSE reason "Informational (in) state 1"
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD2106F
  Jul 19 12:50:48.145: ISAKMP: set new node 32334157 to QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
          spi 1886462640, message ID = 32334157
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): seq. no 0x4BD2106F
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):purging node 32334157
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  ... every few minutes. It doesn't seem to be regular: 12:50:48, 12:53:00, 13:04:04, 13:07:36...even though the keepalive is set to 10 seconds. Not sure why that is.
  When it "drops", there's no logging and when it reestablishes there's nothing either. Which seems to suggest it's not actually dropping..... but when I remove the IPSec tunnel, I don't get the problem. So it must be something to do with it.

• IPSec tunnel and policy NAT question

  Hello All!
  I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
  1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
  2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
  I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
  Here is the configuration
  Remote end  crypto interesting ACL:
  ip access-list extended crypto-interesting-remote
  permit ip host 192.168.1.10 host 10.0.0.10
  My end configuration:
  interface GigabitEthernet0/0
  ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN
  ip access-list extended crypto-interesting-local
  permit ip host 10.0.0.10 host 192.168.1.10
  interface GigabitEthernet0/3
  ip address 172.16.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  speed auto
  ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
  ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
  All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
  Any response highly appreciated!
  Thanks!

  Figured that out.
  The problem was in route
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  should be next-hop IP address instead of interface gigabitethernet0/0
  Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

• Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

  Hi Gurus,
  I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
  I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
  is this possible with the ISRs?
  Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN ip addresses with the same encryption domain or 'interesting traffic', so i am not sure if this work at all.
  BGP won't be used.
  I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
  Any ideas will be greatly appreciated..
  Civicfan

  I found the problem but dont know how to fix it now!
  Problem is on siteB with using the same ACL name "siteA" in both sequence numbers in cryptomap "outside_map"
  crypto map outside_map 9 match address SiteA
  crypto map outside_map 9 set peer 212.89.229.xx
  crypto map outside_map 9 set transform-set ESP-AES-256-SHA
  crypto map outside_map 9 set security-association lifetime seconds 28800
  crypto map outside_map 9 set security-association lifetime kilobytes 4608000
  crypto map outside_map 10 match address SiteA
  crypto map outside_map 10 set peer 212.89.235.yy
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 10 set security-association lifetime seconds 28800
  crypto map outside_map 10 set security-association lifetime kilobytes 4608000
  If I remove:
  no crypto map outside_map 9 match address SiteA
  the IPSEC through 2nd ISP on siteA is working correct

• IPSEC tunnel via hostname instead of IP address

  Hi there,
  Is it possible on an ASA 5500 device to connect an IPSEC tunnel via hostname instead of the IP address?  I have a site without a static IP address that is currently connected via Easy VPN but I want to change one of the sites to a regular IPSEC site to site as one side, the one with the dynamic IP, is being changed to SonicWALL.  I will have DDNS setup on the site with the SonicWALL so I want to know if I can point the ASA device to the hostname instead of the IP.
  Thanks ahead of time for anybody with the knowledge to help!

  Hi
  Locally on the firewall you can configure the remote destination ip with a namel-list, is this what you were after?
  name 46.46.2.2 site-to-site
  tunnel-group site-to-site type ipsec-l2l
  tunnel-group site-to-site ipsec-attributes
  pre-shared-key cisco
  Regards
  Nouraj

• 1841 VPN-AIM Maximum IPSec Tunnel Test

  The Cisco website states that an 1841 w/VPN-AIM will support up to 800 IPSec encrypted tunnels. http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd804ff58a.html
  When I do my own IPSec tunnel scalability test it fails at 255. I'm fairly new to working with IPSec and VPNs so I'm probably missing something in the config. Any chance one of you could look at the attached config and see if you find anything wrong? Much appreciated.
  Ryan

  The 1841 router cannot support upto 800 tunnels, this number is huge considering other available alternatives. You should contact your Cisco local account manager and verify the maximum tunnels that the 1841 router could support.