L2L VPN not coming up

Similar Messages

• L2L VPN not coming up, or is it?

  I've been banging my head against a wall trying to figure this one out and I'm stumped. I've been trying to setup a LAN to LAN VPN between our network (Pix515e) and AT&T (IOS Router). AT&T provided the following configuration information.
  ATT's peer address is 209.183.xxx.yyy
  IKE Phase I settings:
  3des
  sha1 or md5
  pre-shared key
  DH group 2
  IPSec phase II settings:
  3des
  Sha
  Pre-shared key:****
  ATT's ACL or Local/Remote Network List:
  permit ip 192.168.80.0 0.0.0.255 192.168.3.0 0.0.0.15
  Here is my config, which should match theirs. You can also see my hit counters are climbing for NoNat and Interesting traffic.
  IPSEC Configuration
  access-list ATTIPSecACL permit ip 192.168.3.0 255.255.255.240 192.168.80.0 255.255.255.0
  crypto ipsec transform-set att esp-3des esp-sha-hmac
  crypto map SSVPN 9 ipsec-isakmp
  crypto map SSVPN 9 match address ATTIPSecACL
  crypto map SSVPN 9 set peer 209.183.xxx.yyy
  crypto map SSVPN 9 set transform-set att
  isakmp key ******** address 209.183.xxx.yyy netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 7 authentication pre-share
  isakmp policy 7 encryption 3des
  isakmp policy 7 hash md5
  isakmp policy 7 group 2
  isakmp policy 7 lifetime 28800
  isakmp policy 9 authentication pre-share
  isakmp policy 9 encryption 3des
  isakmp policy 9 hash sha
  isakmp policy 9 group 2
  isakmp policy 9 lifetime 28800
  access-list ATTIPSecACL line 1 permit ip 192.168.3.0 255.255.255.240 192.168.80.0 255.255.255.0 (hitcnt=161)
  access-list nonat line 16 permit ip 192.168.3.0 255.255.255.240 192.168.80.0 255.255.255.0 (hitcnt=5312)
  Due to size limits, I will post the debug in a second post.

  Here is the output from debug crypto isakmp, ipsec, and engine
  ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
  ISAKMP (0): beginning Main Mode exchange
  crypto_isakmp_process_block:src:209.183.xxx.yyy, dest:63.167.xxx.yyy spt:500 dpt:500
  OAK_MM exchange
  ISAKMP (0): processing SA payload. message ID = 0
  ISAKMP (0): Checking ISAKMP transform 1 against priority 7 policy
  ISAKMP: encryption 3DES-CBC
  ISAKMP: hash MD5
  ISAKMP: default group 2
  ISAKMP: auth pre-share
  ISAKMP: life type in seconds
  ISAKMP: life duration (basic) of 28800
  ISAKMP (0): atts are acceptable. Next payload is 0
  ISAKMP (0): processing vendor id payload
  ISAKMP (0:0): vendor ID is NAT-T
  ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  ISAKMP (0:0): constructed HIS NAT-D
  ISAKMP (0:0): constructed MINE NAT-D
  ISAKMP (0:0): Detected port floating
  return status is IKMP_NO_ERROR
  crypto_isakmp_process_block:src:209.183.xxx.yyy, dest:63.167.xxx.yyy spt:500 dpt:500
  OAK_MM exchange
  ISAKMP (0): processing KE payload. message ID = 0
  ISAKMP (0): processing NONCE payload. message ID = 0
  ISAKMP (0): processing vendor id payload
  ISAKMP (0): processing vendor id payload
  ISAKMP (0): remote peer supports dead peer detection
  ISAKMP (0): processing vendor id payload
  ISAKMP (0): speaking to another IOS box!
  ISAKMP (0): processing vendor id payload
  ISAKMP (0): received xauth v6 vendor id
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT match MINE hash
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT match HIS hash
  ISAKMP (0): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
  ISAKMP (0): Total payload length: 12
  return status is IKMP_NO_ERROR
  crypto_isakmp_process_block:src:209.183.xxx.yyy, dest:63.167.xxx.yyy spt:500 dpt:500
  OAK_MM exchange
  ISAKMP (0): processing ID payload. message ID = 0
  ISAKMP (0): processing HASH payload. message ID = 0
  ISAKMP (0): SA has been authenticated
  ISAKMP (0): beginning Quick Mode exchange, M-ID of -1073275296:c0071e60IPSEC(key
  _engine): got a queue event...
  IPSEC(spi_response): getting spi 0x1ceb70cb(485191883) for SA
  from 209.183.xxx.yyy to 63.167.xxx.yyy for prot 3
  return status is IKMP_NO_ERROR
  ISAKMP (0): sending INITIAL_CONTACT notify
  ISAKMP (0): sending NOTIFY message 24578 protocol 1
  VPN Peer: ISAKMP: Added new peer: ip:209.183.xxx.yyy/500 Total VPN Peers:5
  VPN Peer: ISAKMP: Peer ip:209.183.xxx.yyy/500 Ref cnt incremented to:1 Total VPNPeers:5
  crypto_isakmp_process_block:src:209.183.xxx.yyy, dest:63.167.xxx.yyy spt:500 dpt:500
  ISAKMP (0): processing NOTIFY payload 14 protocol 3
  spi 485191883, message ID = 8338705
  ISAKMP (0): deleting spi 3413175068 message ID = 3221692000
  return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 63.167.xxx.yyy, remote= 209.183.xxx.yyy,
  local_proxy= 192.168.3.0/255.255.255.240/0/0 (type=4),
  remote_proxy= 192.168.80.0/255.255.255.0/0/0 (type=4)
  ISAKMP (0): beginning Quick Mode exchange, M-ID of -1084598074:bf5a58c6IPSEC(key_engine): got a queue event...
  IPSEC(spi_response): getting spi 0x9f947e5(167331813) for SA
  from 209.183.xxx.yyy to 63.167.xxx.yyy for prot 3
  crypto_isakmp_process_block:src:209.183.xxx.yyy, dest:63.167.xxx.yyy spt:500 dpt:500
  ISAKMP (0): processing NOTIFY payload 14 protocol 3
  spi 167331813, message ID = 689271268
  ISAKMP (0): deleting spi 3846699273 message ID = 3210369222
  return status is IKMP_NO_ERR_NO_TRANS

• L2L VPN Issue - one subnet not reachable

  Hi Folks,
  I have a strange issue with a new VPN connection and would appreciate any help.
  I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
  I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
  VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
  VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in  this subnet should be able to access the same 2 subnets on my network - DMZ 211  (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
  There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
  Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
  There is a route to both customer subnets via the same next hop.
  There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
  I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
  Here is the relevant vpn configuration:
  crypto map MY_CRYPTO_MAP 90 match address VPN_2
  crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
  crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP 100 match address VPN_1
  crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
  crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP interface isp
  ASA# sh access-list VPN_2
  access-list VPN_2; 6 elements; name hash: 0xa902d2f4
  access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
    access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
    access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
    access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
  ASA# sh access-list VPN_1
  access-list VPN_1; 3 elements; name hash: 0x30168cce
  access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
  access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
  access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
  nat (dmz144) 0 access-list nonatdmz144
  nat (dmz211) 0 access-list nonatdmz211
  ASA# sh access-list nonatdmz144
  access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
  access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
  access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
  access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
  access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
  access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
  ASA# sh access-list nonatdmz211 | in 192.168\.1\.
  access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
  ASA# sh access-list nonatdmz211 | in 10.2.1.
  access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
  route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
  route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
  Thanks in advance to anyone who gets this far!

  Darragh
  Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
  It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
  Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
  HTH
  Rick

• L2L VPN Decrypted Traffic Not Exiting ASA

  Hi,
  I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
  Here is the remote ASAs config:
  GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
  Here is the ipsec sa stats
  Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
  With a dump on the dev_1 interface
  capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
  With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
  Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
  Thanks
  James

  Hi Javier,
  Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
  l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
  This is the same result from another site that has an L2L VPN configured.
  ASP drop capture to follow...

• L2L VPN-8.4(3)

  Hi,
  We are setting up IPSec L2L tunnel with our client.  Client will access some of our internal servers through vpn tunnel. Client are natting his internal networks with public ip 121.16.141.x. We have below servers IPs which client would access.
  10.150.20.131
  10.150.20.132
  I have prepared config for VPN tunnel but not preety sure that it is correct so looking for your help on this.
  ======================================
  object-group network server_IP
  network-object host 10.150.20.131
  network-object host 10.150.20.132
  object network client_IP
  host 121.16.141.x
  nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
  access-list VPN extended permit ip object-group server_IP object client_IP
  crypto map outside_map 6 match address VPN
  crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
  crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
  crypto map outside_map 6 set security-association lifetime seconds 28800
  crypto map outside_map 6 set security-association lifetime kilobytes 4608000
  tunnel-group y.y.y.y type ipsec-l2l
  tunnel-group y.y.y.y ipsec-attributes
  ikev1 pre-shared-key *****
  =========================================================
  Pls confirm if this config is correct..

  Hi,
  Well there is couple of options
  You can configure Filter ACL for the L2L VPN.
  You can configure "no sysopt connection permit-vpn".
  While configuring the VPN Filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldnt recommend it as a first choice as it can get a bit complicated.
  The second option is something that I personally like BUT using it depends on your current environment.
  If you were to add the command "no sysopt connection permit-vpn" THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
  So judging by your number in the "crypto map" configuration which is "6" I assume you have multiple L2L VPN configurations atleast, possibly remote access VPN also?
  If this is the case then you would have to first create ACL rules to define what connections can be initiated behind VPN connections on each of those connections BEFORE enabling the command I mention. If you didnt then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
  When you enable that command you could basically use the "outside" interface ACL to allow and deny traffic that is coming through VPN just like it was coming through Internet.
  So if you are able to preconfigure the ACL rules for all of your existing VPN connections THEN I would recommend using the "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of "outside" interface.
  Hope I made any sense
  Naturally ask more if needed
  - Jouni

• Public-to-Public L2L VPN no return traffic

  Hello all,
  I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
  Local Network - 10.10.9.0/24
  Remote Network - 20.20.41.0/24
  Remote Peer - 20.20.60.193
  ASA Version 8.2(5)
  hostname ciscoasa
  domain-name
  names
  name 10.10.9.3 VPN description VPN Server
  name 10.10.9.4 IntranetMySQL description MySQL For Webserver
  name 192.168.0.100 IIS_Webserver
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.9.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 71.***.***.162 255.255.255.0
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.0.254 255.255.255.0
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 10.10.9.1
    domain-name
  same-security-traffic permit inter-interface
  object-group service VPN_TCP
  description VPN TCP Connection
  service-object tcp eq 1195
  object-group service VPN_UDP
  description VPN UDP Port
  service-object udp eq 1194
  object-group service VPN_HTTPS
  description VPN HTTPS Web Server
  service-object tcp eq 943
  service-object udp eq 943
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service WebServer
  service-object tcp eq 8001
  object-group service DM_INLINE_SERVICE_1
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service VPN_HTTPS_UDP udp
  port-object eq 943
  object-group service WCF_WebService tcp
  port-object eq 808
  object-group service RDP tcp
  port-object eq 3389
  object-group service RDP_UDP udp
  port-object eq 3389
  object-group service DM_INLINE_SERVICE_2
  service-object tcp-udp eq www
  service-object tcp eq https
  object-group service *_Apache tcp
  port-object eq 8001
  object-group service *_ApacheUDP udp
  port-object eq 8001
  object-group service IIS_SQL_Server tcp
  port-object eq 1433
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group service File_Sharing tcp
  port-object eq 445
  object-group service File_Sharing_UDP udp
  port-object eq 445
  object-group service MySQL tcp
  port-object eq 3306
  object-group service Http_Claims_Portal tcp
  port-object eq 8080
  object-group service Http_Claims_PortalUDP udp
  port-object eq 8080
  object-group service RTR_Portal tcp
    description Real Time Rating Portal
  port-object eq 8081
  object-group service RTR_PortalUDP udp
  port-object eq 8081
  object-group service DM_INLINE_SERVICE_3
  service-object tcp-udp eq www
  service-object tcp eq https
  access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
  access-list outside_access_in extended permit tcp any any eq 1195
  access-list outside_access_in extended permit object-group VPN_HTTPS any any
  access-list outside_access_in extended permit tcp any interface outside eq 943
  access-list outside_access_in extended permit tcp any any eq 8001
  access-list inside_access_in extended permit tcp any any
  access-list outside_access_in_1 extended permit tcp any interface outside eq 943
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
  access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
  access-list outside_access_in_2 extended permit icmp any any
  access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
  access-list outside_access_in_2 remark VPN TCP Ports
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
  access-list outside_access_in_2 remark Palm Insure Apache Server
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
  access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
  access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
  access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
  access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
  access-list outside_access_in_2 remark RTR Access rule for internal VMs
  access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
  access-list inside_access_in_1 extended permit object-group TCPUDP any any
  access-list inside_access_in_1 extended permit icmp any any
  access-list inside_access_in_1 extended permit esp any any
  access-list inside_access_in_1 extended permit udp any any eq isakmp
  access-list dmz_access_in extended permit ip any any
  access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
  access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
  access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
  access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
  access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
  access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
  access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
  access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  global (dmz) 1 interface
  nat (inside) 1 10.10.9.0 255.255.255.0
  static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
  static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
  static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
  static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
  static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
  static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
  static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
  static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
  static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
  static (inside,outside) interface  access-list inside_nat_static
  access-group inside_access_in_1 in interface inside
  access-group outside_access_in_2 in interface outside
  access-group dmz_access_in_1 in interface dmz
  route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.10.9.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 20.20.60.193
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map 1 set reverse-route
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 10.10.9.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 20.20.60.193 type ipsec-l2l
  tunnel-group 20.20.60.193 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous

  Hi,
  If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
  static (inside,outside) interface  access-list inside_nat_static
  This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
  Did you try the connectivity without the "static" configuration?
  For ICMP testing I would add the command
  fixup protocol icmp
  or
  policy-map global_policy
    class inspection_default
     inspect icmp
  Should do the same thing
  - Jouni

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• HA between Dedicated T1 and L2L VPN

  I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
  We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
  What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail. I had mentioned changing the metrics but this will not identify a problem on the line should the customers ethernet link goe down.
  Feel free to include an ideas that would use routing protocols.

  I had to revisit this configuration. I had decided since we are not going to use a routing protocol that a floating route between the T1 router and VPN is the best solution. although this should work if the router or Ethernet of the router goes down it should fail if the the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
  But it is not failing?
  I have attached a diagram.

• Will L2L VPN Drop if i modify the ACL

  hi i have site to site IPSEC VPN established between 2 Sites.
  it has 200+ ACL Lines in it.
  My question is if i add another ACL statement , will it cause tunnel to bounce? just want to make sure i dont make tunnel down in peak production time.
  Regards,
  M

  yes, thats what has been done, but IPSEC SA not coming up for newly added ACL. and showing send errors in output, so i thought to remove and re add the ACL and see if that helps:-s
  sh crypto ipsec sa | b 113.230.74
     remote ident (addr/mask/prot/port): (113.230.74.0/255.255.255.0/0/0)
     current_peer 194.46.82.71 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 180, #recv errors 0
       local crypto endpt.: 184.100.24.12, remote crypto endpt.: 194.46.82.71
       path mtu 1500, ip mtu 1500
       current outbound spi: 0x0(0)
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:

• 2811:connecting two ASA5505 l2l VPN's

  Hello,
  We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
  I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
  A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
  Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
  Thanks,
  Jason

  Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
  The original, VPN1 is still connected though.
  I've varified the preshared keys on both ends match.
  Here's an error from the debug of the second ASA, VPN2
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  As far as the ASA configs, everything is the exactly the same, except;
  NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
  I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_2
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_3
  network-object 192.168.27.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  Working ASA VPN1  - not sure exactly how the bolded line works
  no crypto isakmp nat-traversal
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  HQ 2811 -----------------------------------------------------------------------
  Hope I included enough of the router config. Again, VPN1 is working.
  crypto isakmp key VPN1PW address 99.x.x.x
  crypto isakmp key VPN2PW address 108.x.x.x
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec df-bit clear
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to 99.x.x.x VPN1
  set peer 99.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 103
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to 108.x.x.x VPN2
  set peer 108.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 105
  ****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
  class-map type inspect match-all sdm-nat-user-protocol--2-1
  match access-group 105
  match protocol user-protocol--2
  interface FastEthernet0/1
  description T1 to  Internet$FW_OUTSIDE$
  ip address 64.x.x.x 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1

• L2L VPN with source and destination NAT

  Hello,
  i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
  The diagram is
  Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
  The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
  The Customer connects the following way
  Source: 198.1.1.1
  Destination: 192.168.1.1
  It gets to the outside ASA interface which should translate the packets to:
  Source: 10.110.110.1
  Destination: 10.120.110.1
  On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
  I did the following configuration which I am not able to test but tomorrow during the migration
  object network obj-198.1.1.1
  host 198.1.1.1
  object network obj-198.1.1.1
  nat (outside,inside) dynamic 10.110.110.1
  For the inside to outside NAT depending on the destination:
  object network Real-IP
    host 10.120.110.1
  object-group network PE-VPN-src
  network-object host 198.1.1.1
  object network Destination-NAT
  host 192.168.1.1
  nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
  Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
  object network obj-192.168.1.1
  host 192.168.1.1
  object network obj-192.168.1.1
  nat (outside,inside) dynamic 10.120.110.1

  Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
  object network obj-10.10.10.243
    host 10.10.10.243
  object network obj-77.x.x.24
    host 77.x.x.24
  object network obj-10.10.10.251
    host 10.10.10.251
  object network obj-pcA
    host 86.x.x.253
  nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
  Hope that helps.

• (Request for reporting available) is not coming in Cube

  Hi All,
  I have Cube & DSO.
  I  added fields in DSO & Cube.
  Cube1 has Aggregrates built on it.i added 5 infoobjects on it, Now when i load data from DSO to Cube(Request for reporting available) is not coming up. i cant do reporting on it. can anyone help.
  thanks in advance,
  Kiran.

  Hi ....
  Have you done the Roll up ?
  Since aggregates are there on that cube....until and unless you do the roll up that request will not be available for Reporting...
  Regards,
  Debjani....

• Data from one cube is not coming in the multiprovider

  Hi,
  I have two cubes with a common characterstic.
  I created multiprovider above these two cubes. But data is not coming from the cube 2. The values from cube 2 are showing as 0.
  Can anyone help me out in this?

  Hi ,
  Check the following:-
  1 Check whether you have made the joins properly.
  2 Check data at multiprovider level .
  3 is data available for reporting in both the cubes
  Regards
  Rahul

• IDOC not coming in status 30 for collecting idocs

  Hi All,
  We have a requirement in which we need to collect idocs and send together.
  To achieve I am making Collect idocs in Partner profiles so that it goes in status 30 and hence I can run program RSEOUT00 to make it status 03 and hence write in file as a group of idocs.
  Now inspite of making collect idocs in partner profile, its not coming in status 30 but directly coming in status 03.
  Please let me know what may be the reason for the same.
  Thanks,
  Vivek

  Hi vivek,
  If you have set the Collect Idoc option in partner profile then the IDOC's will be collected , irrespective of kind of port you are using and the packet size doesn't matter in this case.
  It seems to me that the program RSEOUT00 is already scheduled in your system.
  Can you check in SM37 , by putting the program RSEOUT00 and check if any user has scheduled the program.
  Hope this helps.
  Harry

• Field is not coming in selection screen

  Hi all,
  In one of my report there is a field customer group in selection-screen. Report is working fine so i transport request to qas in qas that field is coming on selection screen and its working fine.
  But when i transport same request from qas to prd that field is not coming on selection screen.
  I try 2-3 times by making diffrent diffrent request but still same result. can any body please tell me why its happen in prd??
  regards
  Ankit

  Hi,
  What i would like to suggest u that u need to first
  is u have to convert the R/3 Production systems into the Quality one
  try using tcode BDLS
  read the documentation of BDLS.
  hope this helps u !!
  thanks
  ravi