L2L VPN Issue - one subnet not reachable

Similar Messages

• Howto start VPN when host is not reachable

  Hi there,
  I have secured my Email access via iPhone.
  For that I set it up to use my email servers internal hostname (not know on the public net). Due to that i have to open a VPN tunnel everytime I want to exchange mails.
  Is there a way with the iPhone Configuration Utility (or else) to set up a profile that automatically opens the VPN when the host is called?
  I'd grateful if anyone can help!
  André

  I don't believe so, no.

• L2L VPN issues with new network

  I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel.
  I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below.
  What am I missing to get this traffic to even attempt to go across the tunnel?
  4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group backup_acl in interface backup
  access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0
  Additional Information:
  Phase: 3
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map class-default
  match any
  policy-map global_policy
  class class-default
    set connection decrement-ttl
  service-policy global_policy global
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: NAT-EXEMPT
  Subtype:
  Result: ALLOW
  Config:
    match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
      NAT exempt
      translate_hits = 40, untranslate_hits = 0
  Additional Information:
  Phase: 7
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (backup) 1 0.0.0.0 0.0.0.0
    match ip backup any outside any
      dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
      translate_hits = 254, untranslate_hits = 18
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  nat (backup) 1 0.0.0.0 0.0.0.0
    match ip backup any outside any
      dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
      translate_hits = 254, untranslate_hits = 18
  Additional Information:
  Phase: 9
  Type: VPN
  Subtype: encrypt
  Result: DROP
  Config:
  Additional Information:
  Result:
  input-interface: backup
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

  And what I get from isakmp debug:
  Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, sending delete/delete with reason message
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec delete payload
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
  Feb 28 13:41:26 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=216bc3cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
  Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0
  Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Removing peer from correlator table failed, no match!
  Feb 28 13:41:26 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb161983b
  Feb 28 13:41:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
  Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252  local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0,  Crypto map (outside_map)
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Oakley begin quick mode
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE got SPI from key engine: SPI = 0x9b973b9b
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, oakley constucting quick mode
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec SA payload
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec nonce payload
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing proxy ID
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
    Local subnet:  10.133.133.0  mask 255.255.255.0 Protocol 0  Port 0
    Remote subnet: 10.1.14.0  Mask 255.255.255.0 Protocol 0  Port 0
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
  Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
  Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing hash payload
  Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing notify payload
  Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)
  I suspect the configs don't match on both sides, but getting info from the other side of the tunnel is like pulling teeth.

• In our enterprise MPLS network we are using 192.168.20.0/24 subnet, in this subnet we have not assigned the IP 192.168.20.200/30 & 204/30, But still these subnets are reachable . Are these NNI IP ...Please explain.

  In our enterprise MPLS network we are using 192.168.20.0/24 subnet, in this subnet we have not assigned the IP 192.168.20.200/30 & 204/30, But still these subnets are reachable . Are these NNI IP ...Please explain.

  I have checked with ISP, there response is like below:
  Those are the NNI to GBNET IPs for Dominican Republic. They are Network IPs. You should be able to ping them-that means they are working.
  WANRT01#show  ip route | include 192.168.20.20
  B        192.168.20.200/30 [20/0] via 192.168.20.226, 02:18:29
  B        192.168.20.204/30 [20/0] via 192.168.20.226, 02:18:29
  Here its shows from any of our MPLS site we are able to trace the IP and it seems like, 192.168.20.204/30 is one more site but in actual its not.
  INMUMWANRT01#ping 192.168.20.205
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.20.205, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 224/232/260 ms
  INMUMWANRT01#trace              
  INMUMWANRT01#traceroute 192.168.20.205
  Type escape sequence to abort.
  Tracing the route to 192.168.20.205
  VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.20.226 24 msec 24 msec 24 msec
    2 192.168.20.206 [AS 8035] 232 msec 232 msec 252 msec
    3 192.168.20.205 [AS 8035] 224 msec 224 msec *

• TS4088 I have a MacBook pro that has power issues and will not start but the hardrive is fine.  I do not want to lose all of my files so I was wondering if it's possible to transfer my hardrive from a older Macbook pro to a new one if I were to purchase o

  I have a MacBook pro that has power issues and will not start but the hardrive is fine.  I do not want to lose all of my files so I was wondering if it's possible to transfer my hardrive from a older Macbook pro to a new one if I were to purchase a new one?  Also, the software is not updated as the computer hasn't worked for about 2 months. 
  Also, if it is possible to transfer the hardrive, would my iTunes music transfer as well?  It is not saved in the cloud.
  Thanks for your help, it is much appreciated.

  You computer is probably perfectly repairable, but if you want a new one anyway, it is perfectly possible to transfer the data from the faulty one.
  But it would be a mistake to simply put the old HD in the new computer.
  These are the steps:
  Remove Hard drive from faulty computer. (very easy on Unibody MBPs, do-able but not so easy on older MBPs)
  Put it in a cheap enclosure
  Connect it the new computer
  Boot up new computer.
  If the new computer has never been run before the Setup Assistant will ask if you want to import your apps, data, settings etc from either another mac, another HD connected to the Mac or a Time Machine back up.
  Obviously chose the second option (another HD connected to this Mac) and follow prompts.
  If the new computer has already been run (so Setup Assistant doesn't run when you boot it up), you will need to use Migration Assistant...or run the installer again so that Setup Assistant runs again.
  Message was edited by: Mike Boreham...added sec on line

• L2L VPN not coming up

  I am using GNS3 to build a tunnel between an ASA and a router.
  Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?
  ciscoasa# sho running-config crypto
  crypto ipsec transform-set MySET esp-aes esp-sha-hmac
  access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
  crypto map SampleVPN 100 match address VPN_Traffic
  crypto map SampleVPN 100 set peer 10.123.5.2
  crypto map SampleVPN 100 set transform-set MySET
  crypto map SampleVPN interface outside
  crypto isakmp enable outside
  crypto isakmp policy 100
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group VPN type ipsec-l2l
  tunnel-group VPN ipsec-attributes
  pre-shared-key 1234
  R1#sho run | sec crypto
  crypto isakmp policy 100
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key 1234 address 12.152.45.2 no-xauth
  crypto ipsec transform-set MySET esp-aes esp-sha-hmac
  ip access-list extended VPN_Traffic
  permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
  crypto map VPN 100 ipsec-isakmp
  set peer 12.152.45.2
  set transform-set MySET
  match address VPN_Traffic
  interface f0/0
  crypto map VPN
  Here are the debugs from the router...
  *Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
  *Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
  *Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
  *Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
  *Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
  *Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
  *Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
  *Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  *Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
  *Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
  *Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  *Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  *Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
  *Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
  *Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
  Success rate is 0 percent (0/5)
  R1#
  *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  *Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  *Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
  *Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
  *Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  *Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
  *Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
  *Feb 18 15:59:14.055: ISAKMP:(0)
  R1#: processing vendor id payload
  *Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  *Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
  *Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
  *Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
  *Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
  *Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
  *Feb 18 15:59:14.063: ISAKMP:      hash MD5
  *Feb 18 15:59:14.063: ISAKMP:      default group 2
  *Feb 18 15:59:14.063: ISAKMP:      auth pre-share
  *Feb 18 15:59:14.063: ISAKMP:      life type in seconds
  *Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Feb 18 15:59:14.071: ISAK
  R1#
  R1#MP:(0): vendor ID is NAT-T v2
  *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  *Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  *Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  R1#
  *Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
  *Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
  *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
  *Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
  *Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
  *Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
  *Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
  *Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  *Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3
  R1#ping ip 12.123.15.2 source loo0
  *Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
  R1#ping ip 12.123.15.2 source loo0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
  Packet sent with a source address of 192.168.10.1
  *Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
  *Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
  *Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
  *Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
  *Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
  Success rate is 0 percent (0/5)
  R1#
  *Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
  *Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
  *Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
  *Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
  *Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
  *Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
  *Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
  R1#
  *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
  *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
  *Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
  R1#
  *Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
  *Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
  R1#
  *Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

  Hi,
  when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.
  Mashal

• HT203167 I bought two audio books on iTunes but they will not play. My old books play without issue but the new ones do not.

  I bought two audio books on iTunes but they will not play. My old books play without issue but the new ones do not.

  Did you copy your actual iTunes content from your computer before reinstalling iTunes, or did you just copy your iTunes library which only contains the pointers to your songs / books locations ?
  You might, depending upon your country and if they are still in your country's store, be able to redownload your music purchases and your ibooks via the Purchased link under Quick Links on the right-hand side of the iTunes store homepage - you will need to delete the entries from your library (where you are getting the 'unable to locate' messages) before they will potentially show with the cloud icon against them in Purchased for redownloading.
  Or copy them from your backup of your downloads/library and add them to your iTunes library via File > Add To Library

• L2L VPN Decrypted Traffic Not Exiting ASA

  Hi,
  I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
  Here is the remote ASAs config:
  GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
  Here is the ipsec sa stats
  Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
  With a dump on the dev_1 interface
  capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
  With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
  Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
  Thanks
  James

  Hi Javier,
  Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
  l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
  This is the same result from another site that has an L2L VPN configured.
  ASP drop capture to follow...

• Remote access Vpn issue

  Dear All,
  I have configured remote access vpn without using split tunnel.Everything is working fine.I can access all the inside network which is allowed in acl.
  I am facing strange issue now. I have created a pool for remote access vpn with a range 192.168.5.8/29.I can access my internal subnets 10.10.0.0/16.
  I have below acess-list for acl-in.
  access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
  object-group network vpnclients
  network-object host 10.110.100.26
  network-object host 10.106.100.15
  network-object host 10.10.10.6
  network-object host 10.10.20.82
  network-object host 10.110.100.48
  network-object host 10.10.20.53
  network-object host 10.10.20.54
  network-object host 10.60.100.1
  network-object host 10.10.10.75
  network-object host 10.10.20.100
  network-object host 10.10.130.136
  network-object host 10.106.100.16
  network-object host 10.106.100.9
  network-object host 10.170.100.1
  network-object host 10.170.100.2
  network-object host 10.170.100.21
  network-object host 10.101.100.20
  network-object host 10.170.100.25
  So whichever IPs i have called in vpnclient group is able to access via RA vpn.Issue is when i try to access internal network of 192.168.198.0/24, i am able to access it without adding in vpnclient group. Even for 192.168.197.0/24,192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding in vpnclient group. Any one has face this issue before. Is this because of same network i mean 192.168.0.0 something like that.There is no other staement in acl-in for 192.168.0.0
  Regards
  -Danesh Ahammad

  Hi,
  If i read correctly you made the RA vpn "without"  split tunnel, correct? if that is the case, all of the traffic will traverse the vpn connection (tunnel all) , the access-list "acl-in" is of no use to it.
  try converting it to use split tunnel, i am sure that way you can not access resources that are not mentioned in the list.
  ~Harry

• Any ideas how to better troubleshoot VPN issue?

  Hi,
  I've recently upgraded my WLAN router to a brand new AVM FRITZ!Box WLAN 7390, in part for its VPN capabilities.
  So far, I've been unable to create a working connection.
  AVM's VPN is based on Cisco IPSec, and they provide a step-by-step procedure on how configure a Mac-based VPN connection (http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilita et/16206.php - unfortunately only available in German, sorry). Following it, I still can't get it to work. Contacting their support I got first the same procedure and after pointing out I already followed it a "we don't support other vendors".
  Funny enough, I got a second VPN connection to my work's VPN server just fine, though admittedly there we have a true Cisco box.
  My initial setup was based on a 192.x.x.x net on my AVM, I could establish a VPN connection but coudn't ping/ssh/http/you-name-the-protocol in either direction. Our companies net is a 10.x.x.x net so, and as I have also VMware fusion running on my Mac with DHCP enabled on a different 192.x.x.x net plus a third 192.x.x.x net from my Wifi access I decided to reconfigure my AVM net to a 172.x.x.x net and stop VMware services for the tests (ie simplify as much as I could to help troubleshoot).
  Alas, instead of being able to establish a non-working VPN connection, now I ain't able to get the tunnel up. IKE Phase 1 completes but Phase 2 doesn't.
  Here's the relevant section from kernel.log:
  Dec 30 11:47:57 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
  Dec 30 11:47:57 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
  Dec 30 11:47:57 jupiter configd[16]: IPSec Phase1 starting.
  Dec 30 11:47:57 jupiter racoon[1910]: IPSec connecting to server 77.x.x.x
  Dec 30 11:47:57 jupiter racoon[1910]: Connecting.
  Dec 30 11:47:57 jupiter racoon[1910]: IPSec Phase1 started (Initiated by me).
  Dec 30 11:47:57 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
  Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
  Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
  Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
  Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
  Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
  Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
  Dec 30 11:47:58 jupiter racoon[1910]: IPSec Phase1 established (Initiated by me).
  Dec 30 11:47:58 jupiter racoon[1910]: IPSec Extended Authentication requested.
  Dec 30 11:47:58 jupiter configd[16]: IPSec requesting Extended Authentication.
  Dec 30 11:48:01 jupiter configd[16]: IPSec sending Extended Authentication.
  Dec 30 11:48:01 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 11:48:01 jupiter racoon[1910]: IPSec Extended Authentication sent.
  Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 XAUTH: success. (XAUTH Status is OK).
  Dec 30 11:48:02 jupiter racoon[1910]: IPSec Extended Authentication Passed.
  Dec 30 11:48:02 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 Config: retransmited. (Mode-Config retransmit).
  Dec 30 11:48:02 jupiter racoon[1910]: IPSec Network Configuration requested.
  Dec 30 11:48:03 jupiter racoon[1910]: IPSec Network Configuration established.
  Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (MODE-Config).
  Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration started.
  Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.77.7.14.
  Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
  Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.77.7.14/32.
  Dec 30 11:48:03 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
  Dec 30 11:48:03 jupiter configd[16]: IPSec Phase2 starting.
  Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration established.
  Dec 30 11:48:03 jupiter configd[16]: IPSec Phase1 established.
  Dec 30 11:48:03 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.77.7.14, subnet: 255.255.255.255, destination: 172.77.7.14).
  Dec 30 11:48:03 jupiter racoon[1910]: IPSec Phase2 started (Initiated by me).
  Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
  Dec 30 11:48:03 jupiter configd[16]: network configuration changed.
  Dec 30 11:48:03 jupiter configd[16]: IPSec port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: ac4d070e, Protocol: None, Private Port: 0, Public Port: 0
  Dec 30 11:48:03 jupiter configd[16]:
  Dec 30 11:48:03 jupiter configd[16]: setting hostname to "jupiter.local"
  Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:06 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:07 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:12 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:13 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:24 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:25 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
  Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
  Dec 30 11:48:33 jupiter configd[16]: IPSec disconnecting from server 77.x.x.x
  Dec 30 11:48:33 jupiter racoon[1910]: IPSec disconnecting from server 77.x.x.x
  Dec 30 11:48:33 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
  Dec 30 11:48:33 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
  Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: service_ending_verify_primaryservice, waiting for PrimaryService. status = 1
  Dec 30 11:48:33 jupiter configd[16]:
  Dec 30 11:48:33 jupiter configd[16]: network configuration changed.
  Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: ipv4_state_changed, done waiting for ServiceID.
  Dec 30 11:48:33 jupiter configd[16]:
  Dec 30 11:48:33 jupiter configd[16]: setting hostname to "jupiter"
  When connecting to my work-place it looks like:
  Dec 30 12:33:14 jupiter configd[16]: IPSec connecting to server <mycompanyismybusiness>.ch
  Dec 30 12:33:14 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
  Dec 30 12:33:14 jupiter configd[16]: IPSec Phase1 starting.
  Dec 30 12:33:14 jupiter racoon[1976]: IPSec connecting to server 62.x.x.x
  Dec 30 12:33:14 jupiter racoon[1976]: Connecting.
  Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 started (Initiated by me).
  Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
  Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
  Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
  Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
  Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
  Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 established (Initiated by me).
  Dec 30 12:33:15 jupiter racoon[1976]: IPSec Extended Authentication requested.
  Dec 30 12:33:15 jupiter configd[16]: IPSec requesting Extended Authentication.
  Dec 30 12:33:21 jupiter configd[16]: IPSec sending Extended Authentication.
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication sent.
  Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 XAUTH: success. (XAUTH Status is OK).
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication Passed.
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Config: retransmited. (Mode-Config retransmit).
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration requested.
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration established.
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (MODE-Config).
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration started.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.100.1.18.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 10.100.1.129.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: DEF-DOMAIN = iw.local.
  Dec 30 12:33:21 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
  Dec 30 12:33:21 jupiter configd[16]: installed route: (address 10.100.1.0, gateway 10.100.1.18)
  Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 starting.
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 started (Initiated by me).
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
  Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration established.
  Dec 30 12:33:21 jupiter configd[16]: IPSec Phase1 established.
  Dec 30 12:33:21 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 10.100.1.18, subnet: 255.255.255.0, destination: 10.100.1.18).
  Dec 30 12:33:21 jupiter configd[16]: network configuration changed.
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
  Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
  Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
  Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 established (Initiated by me).
  Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 established.
  An earlies test in a Starbucks around here had the same result, during looking at the netstat -nr output I found I got onto a 10.x.x.x net on the Wifi and still could connect to the (different) 10.x.x.x net at work.
  My TCP/IP Networking course was around 2000, but the default route seen in the non-working log section looks like bullsh*t to me anyhow: DEFAULT-ROUTE = local-address 172.77.7.14/32
  On the other hand, the Phase 2 message seem to indicate a different mode for Phase 2 between the working and the non-working one.
  This is from the exported config of my AVM box:
  **** CFGFILE:vpn.cfg
  * /var/flash/vpn.cfg
  * Wed Dec 28 16:01:09 2011
  vpncfg {
          connections {
                  enabled = yes;
                  conn_type = conntype_user;
                  name = "[email protected]";
                  always_renew = no;
                  reject_not_encrypted = no;
                  dont_filter_netbios = yes;
                  localip = 0.0.0.0;
                  local_virtualip = 0.0.0.0;
                  remoteip = 0.0.0.0;
                  remote_virtualip = 172.77.7.14;
                  remoteid {
                          key_id = "<mykeyismybusiness>";
                  mode = phase1_mode_aggressive;
                  phase1ss = "all/all/all";
                  keytype = connkeytype_pre_shared;
                  key = "<mykeyismybusiness>";
                  cert_do_server_auth = no;
                  use_nat_t = no;
                  use_xauth = yes;
                  xauth {
                          valid = yes;
                          username = "<myuserismybusiness>";
                          passwd = "<mypasswordismybusiness>";
                  use_cfgmode = no;
                  phase2localid {
                          ipnet {
                                  ipaddr = 0.0.0.0;
                                  mask = 0.0.0.0;
                  phase2remoteid {
                          ipaddr = 172.22.7.14;
                  phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                  accesslist =
                               "permit ip 172.22.7.0 255.255.255.240 172.22.7.14 255.255.255.255";
          ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                              "udp 0.0.0.0:4500 0.0.0.0:4500";
  // EOF
  **** END OF FILE ****
  I also noticed an extra "IPSec port-mapping update for en1 ignored" message in the non-working log section, but I'm not sure a) how significant that might be, and b) how to find out what the ignored update might have been to decide whether not ignoring it would help.
  A quick test with the AnyConnect Client from Cisco didn't help either, apparently it establishes an https connection first as I got a window which certificate details from my QNAP behind the AVM Box (I got a port forward for https to it)
  So I'm looking for any ideas how to better troubleshoot this VPN issue...
  Many thanks in advance!
  BR,
  Alex

  Ok, found a small typo in my config (had at one point a 172.77.7.14 instead of the 172.22.7.14), no I can also connect from the 172.x.x.x net but still no ping etc. The relevant section of the log looks now like this:
  Dec 30 16:44:27 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
  Dec 30 16:44:27 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
  Dec 30 16:44:28 jupiter configd[16]: IPSec Phase1 starting.
  Dec 30 16:44:28 jupiter racoon[2183]: IPSec connecting to server 77.x.x.x
  Dec 30 16:44:28 jupiter racoon[2183]: Connecting.
  Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
  Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
  Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
  Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
  Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
  Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
  Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
  Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
  Dec 30 16:44:28 jupiter racoon[2183]: IPSec Extended Authentication requested.
  Dec 30 16:44:28 jupiter configd[16]: IPSec requesting Extended Authentication.
  Dec 30 16:44:31 jupiter configd[16]: IPSec sending Extended Authentication.
  Dec 30 16:44:31 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 16:44:31 jupiter racoon[2183]: IPSec Extended Authentication sent.
  Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
  Dec 30 16:44:32 jupiter racoon[2183]: IPSec Extended Authentication Passed.
  Dec 30 16:44:32 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
  Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 Config: retransmited. (Mode-Config retransmit).
  Dec 30 16:44:32 jupiter racoon[2183]: IPSec Network Configuration requested.
  Dec 30 16:44:33 jupiter racoon[2183]: IPSec Network Configuration established.
  Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (MODE-Config).
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration started.
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
  Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
  Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 starting.
  Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 started (Initiated by me).
  Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
  Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration established.
  Dec 30 16:44:33 jupiter configd[16]: IPSec Phase1 established.
  Dec 30 16:44:33 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.22.7.14, subnet: 255.255.255.255, destination: 172.22.7.14).
  Dec 30 16:44:33 jupiter configd[16]: network configuration changed.
  Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
  Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
  Dec 30 16:44:33 jupiter racoon[2183]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
  Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
  Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 established.
  Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
  Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
  Dec 30 16:45:03 jupiter configd[16]: setting hostname to "jupiter.local"
  followed by lots of:
  Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
  Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
  Dec 30 16:45:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:45:29 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:45:29 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
  Dec 30 16:45:49 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:45:50 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:45:50 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
  Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
  Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
  Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
  Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
  Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
  Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: receive success. (Information message).

• How do I configure a VPN Site and Subnets in Lync when clients have /32 Addresses?

  Hello,
  I've found a few people asking this question out in the "interwebs" but no one seems to quite answer their question (Those poor souls).
  In most occasions that I've seen, my customers have configured their VPN networks with a /24 (255.255.255.0) ip address.  However, when those clients connect to the VPN they are actually getting a /32 (255.255.255.255) address. 
  This seems to pose an issue for Lync reporting when it comes to configuring a VPN site and VPN subnets.
  (NOTE:You might ask why these customers are not going about best practice and using split-tunneling?  In this case, they absolutely CANNOT institute split-tunneling so all traffic MUST flow through the VPN tunnel.)
  For example sake, here is how I would imagine to setup a VPN site with subnets in Lync Network Configuration:
  VPN (Site)
      -172.16.33.0  /24 (Subnet)
      -172.16.34.0  /24 (Subnet)
      -172.16.35.0  /24 (Subnet)
  The problem is that when I run a Location Report in Lync to look at call data to/from the VPN site, it's not there. Reason being, the VPN client was given a /32 address which doesn't match up to the /24 I configured in Lync. 
  So, in my mind my options are:
  Create a /32 subnet for each single address corresponding to a VPN client and attach them to the VPN site (What a mess).
  Change the subnet mask for the 3 subnets I've defined to /32 instead of /24 and see what happens even though putting an IP address of 172.16.33.0 /32 doesn't make much sense.
  Remove the subnets and site from Lync because CAC and Bandwidth control are actually useless over VPN.
  Any thoughts on this?
  John K. Boslooper | Lync Technical Specialist | Project Leadership Associates
  Phone: 312.448.2269 | www.projectleadership.net

  Jin,
  /32 addresses are a valid subnet mask, however that means that a host with a IP Address of 192.168.23.4 and a subnet mask of 255.255.255.255 (/32) is the ONLY host on that subnet.
  The VPN configuration is correct.  The /32 mask is common with a Juniper VPN  (which is what they are using) and the DHCP server that is handing out the addresses is the Juniper VPN appliance. 
  They have already started working out a plan to use a different internal DHCP relay which should hand out the addresses correctly. 
  There has to be someone else out there with this issue or that can point out that i'm overlooking one key principal with VPN subnets.
  Anyone? 
  John K. Boslooper | Lync Technical Specialist | Project Leadership Associates Phone: 312.448.2269 | www.projectleadership.net

• Cisco IOS Router to PIX VPN Issues

  Hi Everyone,
  I have a small issue here which someone may be able to shed some light on.
  I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue is both networks on each side of the VPN contain multiple subnets and i cannot connect to all the subnets over the same tunnel.
  Any ideas.

  Yes all this is setup.
  I have just found out that Cisco IOS can only make connections from 1 network per crypt map unless multiple connections are made from server to host. This is quite disturbing because i have not seen this in any documentation.
  Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network.

• Vpn issue mac issue

  We have a strange issue for one of our customers that recently migrated to our internet service.
  They are trying to vpn to an external ip address not controlled by ourselves. The issue is only on one subnet and isolated to Mac’s, PCs in the same subnet also work fine. They were able to vpn from the MACs before they migrated to our INET solution. They previously used a checkpoint FW for their outside NAT and firewall and now are using a failover pair of asa 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination ips from the correct subnets. All other subnets with Windows PCs can vpn out to external ip without issue. The users in that subnet with the MACs can also browse internet fine so the routing and nat overloading is also ok
  When they try to initiate a connection from the macs i can see the connection/xlate coming in from a source port of  udp 4500/500 and also a destination of udp 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other macs using the same source ports at the same time to connect out?
  They are using the onboard mac vpn client, he can’t get the Cisco one working at the minute.
  connections:
  UDP OUTSIDE:external ip/4500 INSIDE:192.168.32.157/4500, mac connections
  UDP OUTSIDE:external ip/4500 INSIDE:192.168.32.12/4500,
  UDP OUTSIDE:external ip/4500 INSIDE:192.168.4.23/2672, pc connections
  UDP OUTSIDE:external ip/4500 INSIDE:192.168.4.23/2672
  UDP PAT from INSIDE:192.168.32.12/4500 to OUTSIDE:Outside Address/4500 flags ri idle 0:01:15 timeout 0:00:30
  UDP PAT from INSIDE:192.168.32.12/500 to OUTSIDE:Outside Address/500 flags ri idle 0:01:15 timeout 0:00:30
  Any help would be appreciated, bit of a strange one

  Brian,
  Most Cisco devices will want to do negotiation source and destined port of UDP/500 or UDP/4500.
  It should not matter whethere there are multiple connections unless there  something "smart" on the path.
  On ASA we have this functionality:
  http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i2.html#wp1761012
  You might want to check if it's enabled or disabled.
  I'm not sure why only Mac clients would be affected, that's odd. Typically Cisco clients and Mas' built in client are behaving almost in the same way during negotiation.
  I think it might make sense to have our TAC investiagte the firewall if you're out of ideas ;-)
  M.

• The system is not reachable, the login data could not be considered

  Hello
  I'm trying to connect via Hana Studio to a Hana One instance I have configured in AWS, following the guides & videos in the Hana Academy.
  When adding the system in Hana studio, I get an error message after inputting the SYSTEM password:
  The system is not reachable, the login data could not be considered
  I've seen another post in the forum where the user solved the issue by resetting the SYSTEM password to a password without special characters, but mine is already "special character" free.
  Are there others who have had difficulties when adding a new system?
  Regards
  Yann

  Hi Swapan,
  Thank you for your attention and message.
  I downloaded the SAP HANA Studio from "Get your own SAP HANA, developer edition on Amazon Web Services (http://scn.sap.com/docs/DOC-28294)", specifically at SAP HANA Studio, developer edition and SAP HANA Client, developer edition, for Windows XP 32-bit. Is this HANA One? How to know the version of HANA server? How to make my Internet or firewall allow me to go out to the JDBC port? I am just learning to deal with these computer-science issues.
  Regards,
  Beiwei 
  Date: Wed, 4 Sep 2013 20:52:41 -0700
  From: [email protected]
  To: [email protected]
  Subject: Re: - The system is not reachable, the login data could not be considered
                                                                                  SAP HANA
      The system is not reachable, the login data could not be considered
      created by Swapan Saha in SAP HANA One Platform on AWS - View the full discussion
  Hi Beiwei,
  I suppose you are using HANA One (which you can only launch today from AWS Marketplace and HANA costs 99 cents/hr). If it is HANA One, which version of HANA One you are using? Please make sure you are using the same version of HANA Studio with HANA Server?  Instance number in HANA One is 00.
  If you HANA One, by default, it will open all the necessary ports. Please make sure you are Internet or your firewall allow you to go out to the JDBC port. If not, you cannot connect your studio behind your firewall with HANA server in the cloud.
  Thanks,
  Swapan
       Reply to this message by replying to this email -or- go to the message on SAP HANA
       Start a new discussion in SAP HANA One Platform on AWS by email or at SAP HANA

• Public-to-Public L2L VPN no return traffic

  Hello all,
  I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
  Local Network - 10.10.9.0/24
  Remote Network - 20.20.41.0/24
  Remote Peer - 20.20.60.193
  ASA Version 8.2(5)
  hostname ciscoasa
  domain-name
  names
  name 10.10.9.3 VPN description VPN Server
  name 10.10.9.4 IntranetMySQL description MySQL For Webserver
  name 192.168.0.100 IIS_Webserver
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.9.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 71.***.***.162 255.255.255.0
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.0.254 255.255.255.0
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 10.10.9.1
    domain-name
  same-security-traffic permit inter-interface
  object-group service VPN_TCP
  description VPN TCP Connection
  service-object tcp eq 1195
  object-group service VPN_UDP
  description VPN UDP Port
  service-object udp eq 1194
  object-group service VPN_HTTPS
  description VPN HTTPS Web Server
  service-object tcp eq 943
  service-object udp eq 943
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service WebServer
  service-object tcp eq 8001
  object-group service DM_INLINE_SERVICE_1
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service VPN_HTTPS_UDP udp
  port-object eq 943
  object-group service WCF_WebService tcp
  port-object eq 808
  object-group service RDP tcp
  port-object eq 3389
  object-group service RDP_UDP udp
  port-object eq 3389
  object-group service DM_INLINE_SERVICE_2
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service *_Apache tcp
  port-object eq 8001
  object-group service *_ApacheUDP udp
  port-object eq 8001
  object-group service IIS_SQL_Server tcp
  port-object eq 1433
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group service File_Sharing tcp
  port-object eq 445
  object-group service File_Sharing_UDP udp
  port-object eq 445
  object-group service MySQL tcp
  port-object eq 3306
  object-group service Http_Claims_Portal tcp
  port-object eq 8080
  object-group service Http_Claims_PortalUDP udp
  port-object eq 8080
  object-group service RTR_Portal tcp
    description Real Time Rating Portal
  port-object eq 8081
  object-group service RTR_PortalUDP udp
  port-object eq 8081
  object-group service DM_INLINE_SERVICE_3
  service-object tcp-udp eq www
  service-object tcp eq https
  access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
  access-list outside_access_in extended permit tcp any any eq 1195
  access-list outside_access_in extended permit object-group VPN_HTTPS any any
  access-list outside_access_in extended permit tcp any interface outside eq 943
  access-list outside_access_in extended permit tcp any any eq 8001
  access-list inside_access_in extended permit tcp any any
  access-list outside_access_in_1 extended permit tcp any interface outside eq 943
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
  access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
  access-list outside_access_in_2 extended permit icmp any any
  access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
  access-list outside_access_in_2 remark VPN TCP Ports
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
  access-list outside_access_in_2 remark Palm Insure Apache Server
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
  access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
  access-list outside_access_in_2 remark RTR Access rule for internal VMs
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
  access-list inside_access_in_1 extended permit object-group TCPUDP any any
  access-list inside_access_in_1 extended permit icmp any any
  access-list inside_access_in_1 extended permit esp any any
  access-list inside_access_in_1 extended permit udp any any eq isakmp
  access-list dmz_access_in extended permit ip any any
  access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
  access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
  access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
  access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
  access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  global (dmz) 1 interface
  nat (inside) 1 10.10.9.0 255.255.255.0
  static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
  static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
  static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
  static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
  static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
  static (inside,outside) interface  access-list inside_nat_static
  access-group inside_access_in_1 in interface inside
  access-group outside_access_in_2 in interface outside
  access-group dmz_access_in_1 in interface dmz
  route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.10.9.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 20.20.60.193
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map 1 set reverse-route
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 10.10.9.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 20.20.60.193 type ipsec-l2l
  tunnel-group 20.20.60.193 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous

  Hi,
  If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
  static (inside,outside) interface  access-list inside_nat_static
  This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
  Did you try the connectivity without the "static" configuration?
  For ICMP testing I would add the command
  fixup protocol icmp
  or
  policy-map global_policy
    class inspection_default
     inspect icmp
  Should do the same thing
  - Jouni