NAT migration on 8.2.4 to 9.1.2

Hi,
I have a new ASA 5545-X firewall with 9.1.2 software (default) and I want to replace the old 5540 with the current configuration on version 8.2.4.
I copied the current ASA 5540 config (old version) to the new ASA 5545-X and started with the current configuration (copy flash:old_asa_conf running-config), and most of the commands have been migrated except the NAT configuration.
It is hard to manually change the NAT configuration as the old ASA config has more than 200 NAT types configured.
I just want to know whether this is normal behaviour and why it didn't migrate the NAT configuration. Do I have to manually configure all the NAT types configured in the old ASA version?
We can't even downgrade to 8.3 or 8.4 as the new ASA 5545-X supports 8.6.x and above. In that case, will the 8.6 code automatically migrate the NAT config from the old 8.2.4 config?
I would appreciate it if someone can advise me on this, as it will be hard to convert all the NAT configuration to the new version.
Thanks.

Hi pkillurcco and Marvin,
Thanks for your time on this and your interest.
I was trying http://www.tunnelsup.com/nat-converter and it helped me to some extent. However, it cannot convert the dynamic policy NAT where you match an ACL with a destination port.
Then I converted the following NAT manually; however, when I tried it with packet tracer it gave me an xlate error.
Here is the original policy NAT:
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 89.211.xx.yy object-group http-https
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
Here is the new NAT once converted manually:
nat (inside,outside) source dynamic LAN-SUBNETS interface destination static 89.211.xx.yy 89.211.xx.yy service obj_http obj_http
Below is the packet tracer output which gives the xlate error:
xxx-xx-FW01# packet-tracer input inside tcp 10.130.100.1 80 89.211.xx.yy 80 detailed 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
I would appreciate it if you can advise me what exactly causes the above error. As per the old version config, when a packet goes from the given source to the destination IP and ports, it should do PAT on the outside interface. If I simply NAT the source/destination IP to the interface, it would allow access to the rest of the ports as well. I have many such ACLs used for policy NAT with many interfaces in the old config, and they are working fine.
It would be better if I can find a tool to convert them, as converting them manually is going to be hectic and more error-prone. If not, I just need to know how to configure dynamic policy NAT according to ACLs with destination ports, as given above.
Thanks in advance.

Similar Messages

  • ASA Migration Problems

    Hi,
    I'm trying to migrate a configuration of an ASA 5520 (Version: ASA 8.0(5)) to an ASA 5585 (Version: 8.4(2)). I keep getting some errors, which are included below. I've been struggling with these for a couple of weeks and have read the documentation on cisco.com (
    http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines are written in bold, about which I wasn't able to find any information. Any help is appreciated. Thanks.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
    Reading from flash...
    !!!!!!!!!!!!!!!!!!!WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1291, "access-group outside_acc..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1292, "access-group inside_acce..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1293, "access-group DMZ_access_..."
    WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
    this object-group ACE
        permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1298, "access-group XXXXX..."
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 2
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 3
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 4
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 5
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 6
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 7
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 8
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 9
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 10
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 11
    *** Output from config line 1797, "service-policy global-po..."
    NAT migration logs:
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 access-list inside_nat_outbound
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    global (outside) 10 interface
    nat (inside) 0 logserver 255.255.255.255
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    nat (inside) 0 logserver 255.255.255.255
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 icnetwork 255.255.0.0
    ERROR: MIGRATION: No memory to create migrated service-policy element
    The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
    nat (dmz) 1 access-list dmz_nat_outbound
    INFO: NAT migration completed.
    ERROR: an object-group with the same name (egitim) exist.
    WARNING: Failed to create an object for name 'egitim' in the following ACL:
    access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim any

    Ummm,
    Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.
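As an added example for triaging a migration log like the one quoted above (this is not Cisco code; it assumes only the log line shapes that appear in that post), the script below pulls out every NAT command the migration reported as not migrated, so each one can be reviewed and rewritten by hand instead of being silently lost:

```python
"""List the NAT commands that an ASA 8.3+ migration reported as not migrated.

Added example for this thread, not a Cisco tool. It assumes only the log shapes
quoted in the post above: a reason line that contains 'was not migrated.' (with or
without a 'WARNING: ' prefix and trailing advice), followed by one or more of the
original nat / global / static lines it refers to. Any other message ends the group.
"""
import re

REASON_RE = re.compile(r"^(?:WARNING: )?(The following .*?not migrated\.)")
CMD_RE = re.compile(r"^(?:nat|global|static) ")


def unmigrated_nat(log_text):
    """Return ordered, de-duplicated (reason, command) pairs found in the log."""
    found, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := REASON_RE.match(line):
            pending = m.group(1)
        elif pending and CMD_RE.match(line):
            if (pending, line) not in found:  # the log repeats some warnings verbatim
                found.append((pending, line))
        elif line:
            pending = None  # an unrelated message (ERROR:, INFO:, ...) closes the group
    return found


def by_reason(log_text):
    """Group the dropped commands by the migration message that explains them."""
    groups = {}
    for reason, cmd in unmigrated_nat(log_text):
        groups.setdefault(reason, []).append(cmd)
    return groups


# Excerpt of the migration log quoted in the post above.
SAMPLE_LOG = """\
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 access-list inside_nat_outbound
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
global (outside) 10 interface
nat (inside) 0 logserver 255.255.255.255
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
nat (inside) 0 logserver 255.255.255.255
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 icnetwork 255.255.0.0
ERROR: MIGRATION: No memory to create migrated service-policy element
The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
nat (dmz) 1 access-list dmz_nat_outbound
INFO: NAT migration completed.
"""

if __name__ == "__main__":
    for reason, cmds in by_reason(SAMPLE_LOG).items():
        print(reason)
        for cmd in cmds:
            print("   ", cmd)
```

Run it against the file the ASA writes to flash (the log above names it upgrade_startup_errors_<timestamp>.log) and compare the output against the old config: every command listed is a flow that the new box no longer translates the way the old one did, which is the first place to look when something stops passing traffic after the upgrade.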

  • 5505 8.1 to 5512X 8.4 Migration help

    Good day;
    I have a 5505 running pre-8.3 code (8.1), so all the programming is pre new-style NAT.
    Is there an offline tool I can use to download the config from the 5505 and convert it to an 8.4 config to place into the 5512X? Ideally I'd rather not upgrade the 5505 just to convert the config.
    Thanks.

    Hi,
    It seems to me that you either have to get access to the tool below through TAC or your account team:
    Web-Based NAT Migration Tool for ASA 5500 Series Appliances
    Cisco offers a web-based migration tool at http://gypsy.cisco.com/migration.html as an alternative option for upgrading pre-Release 8.3 ASA Software configurations to ASA Software Release 8.4 (Figure 1). Please leverage TAC or your account team for access to this internal migration tool.
    Or you will have to manually rewrite the new NAT configurations if you are not going to upgrade the ASA5505 to the new software.
    I would imagine, though, that your current ASA5505 NAT configuration probably isn't that big? If so, you could always post it here with changed public IP addresses and I could provide the new-format configurations.
    Also, here is a link to a NAT 8.3+ document I wrote on the CSC:
    https://supportforums.cisco.com/docs/DOC-31116
    And here is a great document comparing the old and new NAT formats:
    https://supportforums.cisco.com/docs/DOC-9129
    - Jouni

  • Acrobat Reader 8 and 10 coexistence on Windows 7: How to choose the default version

    My organisation has installed Acrobat 8 and then Acrobat 10 with the option to keep version 8 installed. This works fine as we can start both versions independently (after making sure one or the other version is not running).
    One of the old applications we use only works with Acrobat Reader 8 (the only reason why we kept it!), but when I try to generate a PDF using PDF Creator, the way the application works, Acrobat Reader X is called when it should be calling Reader 8 (the app reads an ini file where the path to 8 is specified).
    I found a workaround to make the app call 8 without touching the file association (when you double-click on a PDF, it is opened with Reader X), but I am not sure it is "supported":
    In HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AcroRd32.exe I have changed the "default" value to "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe" and left the "Path" value set to "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe".
    Do you think this could be a correct solution to our problem, so that we can make the changes to the app to work properly on X and get rid of Reader 8?
    Any help would be appreciated!

    And in addition to Julio's advice (9.x is a great release, also in my opinion): you should be aware that you have to upgrade in a couple of small steps so that the config can be migrated. I would first upgrade to the latest 8.0 release and then to the latest 8.2. That should go really smoothly. The next upgrade to 8.4 will need many manual corrections for the NAT migration, as the automatic migration has never worked well for my ASAs and I have never heard that anyone was happy with the result of the automatic migration. After that, the last step to the latest v9 will again run quite smoothly.
    But as usual, read the release notes to be aware of problems that are specific to your environment.
    Sent from Cisco Technical Support iPad App

  • ASASM question

    I have a design requirement that needs to use an ASASM on a 6509.
    The upstream device is a single physical trunk link that connects to the 6509. Below is the drawing:
    I understand I need to assign a port on the 6509 as a trunk port. It became trouble for me between the MSFC and the ASA (in red).
    Is this configured as a trunk link as well? I guess my working option would be to configure it as an access link.
    In that case, it becomes simpler since it has only one logical outside interface on the ASA.
    It seems I would not be able to configure it as a trunk (between the MSFC and the ASA) anyway, since the ASA will be pointing to a single IP (gateway) at the MSFC, right? And also, there will be multiple subinterfaces on the ASA.
    Just want to throw this in here in case anyone has experience with this before. Thank you.

    Hi,
    Correct. The ASASM should automatically migrate the configuration for ACLs; if there is NAT in it, that is pretty much because of the version and not the model.
    You can refer to the NAT configuration format in the following links:
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    https://supportforums.cisco.com/docs/DOC-9129
    And here are web-based NAT migration tools to obtain similar results for the NAT upgrade:
    http://www.packetbin.com/scripts/ciscoPix84NATGenerator/
    http://www.tunnelsup.com/tup/2013/05/18/nat-converter/
    Johan.

  • Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

    I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about NAT exemption. According to the guide above, the migration of NAT exemption will look like this:
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    My question is this: if ACL inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    object network obj-172.19.253.0
    subnet 172.19.253.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
    Our current ACL has about twenty entries, which would make for twenty NAT statements, if this is right.
    Thanks,
    -Mathew

    Hi,
    The default behaviour for NAT past the 8.2 software level is to let traffic flow through the ASA without NAT. Before that, the "nat-control" setting on the ASA defined whether the traffic needed a NAT configuration or not.
    If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections, then you have to make new ones for those.
    Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN, or are they meant for different VPN connections? Or perhaps both.
    But as you said, moving to the new software does mean that even some simple NAT configurations will now contain more configuration than in the old software.
    - Jouni
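The conversion asked about in this thread (one nat 0 ACL with several ACEs) and in the opening post of the page (policy NAT matched by an ACL with a destination port, PATed to the interface) can be scripted for the simple cases. What follows is an added example, not Cisco's migration code and not the tunnelsup converter; it assumes the ACE shapes quoted on this page, uses 192.0.2.10 as a placeholder for the masked 89.211.xx.yy address, and assumes the LAN-SUBNETS network object-group already exists on the new box:

```python
"""Convert pre-8.3 ASA access-list based NAT into 8.3+ object / twice-NAT lines.

Added example for this thread (not a Cisco tool and not the tunnelsup converter).
It handles only the two shapes quoted on this page and emits one new nat line per
ACE; nat lines that do not reference an access-list are ignored:

  nat (IF) 0 access-list ACL                              -> identity (NAT exempt) twice NAT
  nat (IF) N access-list ACL  +  global (OUT) N interface -> dynamic PAT to the OUT interface

Assumed ACE form: access-list ACL extended permit PROTO SRC DST [eq PORT], where
SRC and DST are each 'host A', 'A MASK' or 'object-group G'. A destination port
given as an object-group is reported as unconverted rather than guessed at.
"""
import re

ACE_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (name used in nat, object lines, next index)."""
    kind, val = tokens[i], tokens[i + 1]
    if kind == "host":
        return f"obj-{val}", [f"object network obj-{val}", f" host {val}"], i + 2
    if kind == "object-group":  # an existing network object-group is usable as-is in twice NAT
        return val, [], i + 2
    return f"obj-{kind}", [f"object network obj-{kind}", f" subnet {kind} {val}"], i + 2


def convert(old_config):
    """Return (new_config_lines, unconverted_lines) for a pre-8.3 config snippet."""
    aces, global_iface, nat_cmds = {}, {}, []
    for raw in old_config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3).split(), line))
        elif m := NAT_RE.match(line):
            nat_cmds.append((m.group(1), m.group(2), m.group(3), line))
        elif m := GLOBAL_RE.match(line):
            global_iface[m.group(2)] = m.group(1)

    objects, nats, unconverted = [], [], []

    def emit(obj_lines):
        for ol in obj_lines:
            if ol not in objects:  # dedupe objects, keep first-seen order
                objects.append(ol)

    for iface, nat_id, acl, nat_line in nat_cmds:
        if nat_id != "0" and nat_id not in global_iface:
            unconverted.append(nat_line)  # the case the migration log calls "no matching 'global' rule"
            continue
        for proto, tok, ace_line in aces.get(acl, []):
            src, src_objs, i = _addr(tok, 0)
            dst, dst_objs, i = _addr(tok, i)
            rest = tok[i:]
            if not rest:
                svc, svc_objs = None, []
            elif rest[0] == "eq":
                svc = f"obj_{rest[1]}"
                svc_objs = [f"object service {svc}", f" service {proto} destination eq {rest[1]}"]
            else:
                unconverted.append(ace_line)  # e.g. 'object-group http-https': left for manual work
                continue
            emit(src_objs + dst_objs + svc_objs)
            tail = f" service {svc} {svc}" if svc else ""
            if nat_id == "0":
                nats.append(f"nat ({iface},any) source static {src} {src} "
                            f"destination static {dst} {dst}{tail}")
            else:
                nats.append(f"nat ({iface},{global_iface[nat_id]}) source dynamic {src} interface "
                            f"destination static {dst} {dst}{tail}")
    return objects + nats, unconverted


# NAT-exempt sample taken from the question above (two ACEs on one nat 0 ACL).
OLD_EXEMPT = """\
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Policy-NAT sample constructed after the opening post; 192.0.2.10 is a placeholder
# for the masked 89.211.xx.yy address, and LAN-SUBNETS is assumed to exist already.
OLD_POLICY = """\
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 192.0.2.10 eq 80
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 192.0.2.10 object-group http-https
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
"""

if __name__ == "__main__":
    for sample in (OLD_EXEMPT, OLD_POLICY):
        new_lines, todo = convert(sample)
        print("\n".join(new_lines))
        for t in todo:
            print("! NOT CONVERTED, rewrite by hand:", t)
        print()
```

Each ACE becomes its own nat line, which is why a twenty-entry exemption ACL turns into twenty statements. A destination port given as an object-group, or a nat id with no matching global, is returned in the second value instead of being guessed; both are cases you would otherwise discover only from the ASA's own migration log or from a packet-tracer drop.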

  • Migrating from ASA5510(8.4.1) to 5525x (9.1x).. Should I be NAT worried?

    I recently attempted to move from an ASA 5510 over to a spare 5520 running the same code (8.4.1) and ran into a problem with NAT to the Internet. I had set the same public IP address due to several vendors accepting only this particular address. So, when I migrated to the new 5520, NAT on this address did not work, meaning no outbound traffic would pass. However, if I changed to another public address, there were no problems with traffic passing as expected.
    So my question is: I am migrating to a scratch-built 5525X using 9.1x code and will be using the same public NAT address as on the 5510. Should I expect traffic to pass as expected, or do I need to migrate to another address? Logic is telling me there should be no issues, but recent experience is making me jittery...
    Thanks for any comments
    Dave

    Your recent experience may not have had anything to do with NAT per se even though that's how it manifested itself most obviously to you.
    I suspect it may have had to do with your upstream gateway's ARP cache. I have often seen, when replacing hardware, that we need to ask the ISP to flush their ARP cache so they can re-learn the new MAC address association to your pre-existing IP.
    In any case, NAT should not be adversely affected when migrating from 8.4(1) to 9.1(x).

  • NAT config for IP migration

    Hi, I want to use NAT for IP migration for a number of our servers. All the configuration examples just seem to use an ip nat inside source static statement, assuming you want the client to talk to the old IP address. I'm hoping to have a solution in place where I can change client IP addresses one at a time: if they call on the new IP address they'll get a response, and if they have not been changed over yet they'll get a response as well. I know we could just bind secondary addresses to the servers, but we would rather not go that way if possible.
    Thanks

    Check out the following link on Configuring NAT for IP Address Conservation:
    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044eddc.html

  • IVR-NAT mode migration

    Hello folks,
    I am preparing to upgrade my MDS 9513 (rev 2) and MDS 9222i to 5.2.6a code. Looking at the release notes for 5.2.x, I see that I will first need to upgrade to 5.0.x and then to 5.2.x. Another caveat that I see is that we currently use IVR without IVR-NAT, and this configuration is no longer supported in 5.2.x. The release notes provide the commands to migrate to IVR-NAT mode, which seem to be relatively simple. I understand that this will require an outage.
    Has anyone done this recently? Any pitfalls? Did your IVR topology and zones stay intact?
    Thanks

    Hello Dynamoxxx,
    - Yes, many customers did the migration from IVR non-NAT to IVR NAT without issue. There is disruption for IVR zones only, since the active zoneset needs to be deactivated.
    - Confirmed, the IVR topology and zones stay intact after this process.
    To migrate to IVR-NAT mode, follow these steps:
    1. Stop or divert all applications on servers that depend on IVR.
    – If CFS distribution is not enabled for IVR, then perform steps 2 through 4 on all switches where IVR is enabled.
    – If CFS distribution is enabled for IVR, then enter the ivr commit command following step 2, step 3, and step 4 to distribute the changes to other switches.
    2. Deactivate the IVR zone set by entering the no ivr zoneset activate command.
    3. Enable IVR NAT by entering the ivr nat command.
    4. Activate the IVR zone set by entering the ivr zoneset activate command.
    5. Start or re-establish all applications that were stopped in step 1.
    The network can now run in IVR-NAT mode.
    Also, you can use the Fabric Manager GUI to enable IVR-NAT as follows:
    1. SAN --- > Fabric xx --- > All VSANs --- > IVR --- > Deactivate Zoneset
    2. SAN --- > Fabric xx --- > All VSANs --- > IVR --- > action --- > Check box "Enable IVR NAT" --- > Click enable button --- > Click CFS
    3. Zone --- > right click IVR --- > edit Local Full Zone Database --- > Select zoneset --- > Activate
    Hope this helps.

  • Microsoft Migration accelerator - Process Server NAT?

    For the MS MA process server (on-premises server), one of the requirements is a NAT setup to an external IP. Do we have any control over what port the server will be using? The reason I ask is that 80 and 443 on this specific IP are already consumed and being used for other servers, so I can't NAT those ports to the PS box.
    Any insight here would be excellent. Thanks!

    The PS server polls the CS server on port 443 for registration and to sync the data for reports.
    The MT server in Azure pulls the replication data from the process server through ports 9080 and 9443 (if secure options are enabled on replications). The MT server will connect to the PS server through the NAT IP, and the required ports to be enabled are 9080 and 9443.
    Thx-Gopi

  • Exchange server using interface IP after migrating from 8.2 to 9.1

    hi,
    I recently upgraded an ASA pair from 5510 (ASA OS 8.2) to 5512 (ASA OS 9.1). Many of the services are working fine, including VPN, after some tweaking and modifications in the new configuration; however, the Exchange server is not sending traffic from its designated public IP, which is mentioned in the NAT statements. Exchange is using the public interface IP of the firewall for outbound communication. If I try to telnet from outside to the public IP addresses of the Exchange server, it gives a proper response. Kindly help me with this issue; I believe this is some NAT-related issue.
    OLD configuration (relevant part only)
    access-list out_in extended permit tcp any host 213.42.201.35 eq www 
    access-list out_in extended permit tcp any host 213.42.201.35 eq https
    access-list out_in extended permit icmp any host 213.42.201.35
    access-list out_in extended permit tcp any host 213.42.201.35 eq smtp 
    static (DMZ,outside) tcp 213.42.201.35 www 172.16.2.200 www netmask 255.255.255.255
    static (inside,outside) tcp 213.42.201.35 https 192.168.190.57 https netmask 255.255.255.255
    static (DMZ,outside) 213.42.201.35 172.16.2.11 netmask 255.255.255.255
    access-list out_in extended permit tcp any host 213.42.201.34 eq smtp 
    static (DMZ,outside) 213.42.201.34 172.16.2.21 netmask 255.255.255.255
    New configuration
    object network obj-172.16.2.21
     host 172.16.2.21
     description Created during name migration
    object network obj-172.16.2.11
     host 172.16.2.11
    access-list out_in extended permit icmp any host 172.16.2.11 
    access-list out_in extended permit tcp any host 172.16.2.11 eq smtp 
    access-list out_in extended permit tcp any host 172.16.2.21 eq smtp
    nat (inside,outside) static 213.42.201.35 service tcp https https 
    object network obj-192.168.0.0
     nat (inside,outside) dynamic interface dns
    object network obj-192.168.0.0-01
     nat (inside,DMZ) dynamic 172.16.2.254 dns
    object network obj_any
     nat (inside,outside) dynamic obj-0.0.0.0
    object network obj_any-01
     nat (inside,DMZ) dynamic obj-0.0.0.0
    object network obj-172.16.2.21
     nat (DMZ,outside) static 213.42.201.34
    object network obj-172.16.2.11
     nat (DMZ,outside) static 213.42.201.35 service tcp smtp smtp 
    Regards,
    Najeeb

    Hi Najeeb,
    If you are able to reach your SMTP via the public IP address, 172.16.2.11 will be using public IP address 213.42.201.35 for mail delivery (SMTP service alone). Server 172.16.2.21 will be using public IP address 213.42.201.34 for any traffic including SMTP. To double-check this, open IE on 172.16.2.21 and google "what is my IP address"; you will see your public IP address 213.42.201.34 in your Google results.
    At no point in time will either server use your outside interface for any external communication.
    The issue is Exchange is sending the outgoing traffic via the outside interface of my firewall (213.42.201.46).
    HTH
    Sandy

  • Server 2012 R2 RRAS NAT VPN connectivity issues

    Hello all,
    I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
    Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
    1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
    2. The entire environment is on Server 2012 R2 Hyper-V. I've configured trunking on all of the layer 2 (Cisco Catalyst switch) EtherChannels, and I've configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (layer 3) is not at issue here since everything goes where it should.
    3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it's not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
    4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then failed. Since UDP 4500 is the NAT-T port, I'm thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to layer 3.
    5. As a test, I turned off Windows Firewall on both the VPN server and the NAT server. This made no difference, so the firewall is not at play here.
    6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
    The actual error I'm receiving is Error 809, which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
    Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
    1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
    2. How can I test if NAT-T is working outside of VPN testing?
    3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications of running VPN from the router?
    Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping that if others have similar issues, this post will help point them in the right direction. I have Netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic, since most companies want some sort of VPN solution for their environment.
    Respectfully yours,
    Ron Arestia

    Hi Ron,
    Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
    For detailed information, please refer to the link below:
    http://support.microsoft.com/kb/926179
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • DMVPN phase I fails when migrating from PSK to RSIG

    I am currently in the process of migrating my DMVPN network from pre-shared key to certificates. Most of the spokes have come up and are working without any issues, but there are several that are not making it past phase 1. I have included the ISAKMP debugging from the hub and one of the spokes that are failing. I see that the hub is going to QM_IDLE after receiving the certificate from the spoke, but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP, but it's not as simple as filtering 500, as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before, and what was the resolution?
    DMVPN Hub
    Oct  7 19:38:36.213: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
    Oct  7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
    Oct  7 19:38:36.214: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.214: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.214: ISAKMP:      hash MD5
    Oct  7 19:38:36.214: ISAKMP:      default group 1
    Oct  7 19:38:36.214: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.214: ISAKMP:      life type in seconds
    Oct  7 19:38:36.214: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
    Oct  7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    Oct  7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
    Oct  7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    Oct  7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
    Oct  7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM3
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM4
    Oct  7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4  New State = IKE_R_MM5
    Oct  7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
    Oct  7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
    Oct  7 19:38:36.486: ISAKMP:received payload type 17
    Oct  7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 0x7F1AA7CC5920
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
    Oct  7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
    Oct  7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
    Oct  7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_R_MM5
    Oct  7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
    Oct  7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct  7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
    Oct  7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.487: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : selurt-dmvpn-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 44
    Oct  7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Oct  7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
    Oct  7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
    selurt-dmvpn-01#
    Oct  7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
    DMVPN Spoke
    Oct  7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
    Oct  7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
    Oct  7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
    Oct  7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
    Oct  7 19:38:36.181: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
    Oct  7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct  7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct  7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct  7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct  7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
    Oct  7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct  7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct  7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.205: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.205: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.205: ISAKMP:      hash MD5
    Oct  7 19:38:36.205: ISAKMP:      default group 1
    Oct  7 19:38:36.205: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.205: ISAKMP:      life type in seconds
    Oct  7 19:38:36.205: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct  7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct  7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct  7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct  7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.249:  Choosing trustpoint TP_NAD_CA as issuer
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,
    The hub sends its cert but the spoke never receives it; this is typically a problem with fragmentation handling in transit networks.
    Sniff both ends you control and check whether you're missing any fragments on the spoke end.
    It could be as simple as an MTU problem on your end, or it could be something in the path attempting reassembly.
    Multiple ways to go: check your end first; if fragments are missing in transit, start investigating with the ISP(s).
    M.
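    The check M. recommends, as an added example that is not part of the thread: a small fragment-completeness checker for captures taken on each end. The debug above fits that diagnosis: the hub reaches IKE_P1_COMPLETE after sending its certificate chain, while the spoke never leaves MM_KEY_EXCH and keeps retransmitting until "Death by retransmission P1"; a main-mode message carrying a certificate chain easily exceeds the path MTU, so it leaves the hub as several IP fragments, and a single lost fragment means the spoke can never reassemble it. The script below is the editor's code, not something from the posters. It constructs its own sample data (a 3072-byte UDP/500 datagram from 15.18.1.1 to 2.8.51.58, fragmented at a 1500-byte MTU; the IKE bytes are filler, not a real ISAKMP message), then shows the "hub" capture as complete and the "spoke" capture, with the middle fragment dropped in transit, reporting the missing byte range. A real run would feed `check_fragments()` the raw IPv4 packets read from a capture on each side.

```python
"""Check captured IPv4 fragments for completeness (constructed sample data)."""
import socket
import struct
from collections import defaultdict

IP_HDR_LEN = 20


def build_fragments(src, dst, ident, payload, mtu=1500, proto=17):
    """Split one IP datagram payload into IPv4 fragments as a router would.

    Each fragment carries a 20-byte header; the offset is stored in 8-byte
    units, so every fragment except the last carries a multiple of 8 bytes.
    The checksum is left at zero because these packets are parsed, never sent.
    """
    max_payload = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        more_fragments = off + len(chunk) < len(payload)
        flags_frag = (0x2000 if more_fragments else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s",
                          0x45, 0, IP_HDR_LEN + len(chunk), ident, flags_frag,
                          64, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + chunk)
    return frags


def parse_fragment(pkt):
    """Extract the IPv4 fields that reassembly cares about."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "id": ident, "proto": proto,
        "offset": (flags_frag & 0x1FFF) * 8,
        "mf": bool(flags_frag & 0x2000),
        "payload": pkt[ihl:total_len],
    }


def check_fragments(packets):
    """Group packets by (src, dst, id, proto) and report gaps per datagram.

    Returns {flow: {"complete": bool, "missing": [(start, end), ...],
                    "last_seen": bool}}.  A datagram is complete only when
    the fragments cover offset 0 up to a final fragment (MF=0) with no gaps;
    a missing tail is reported as (start, None).
    """
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_fragment(pkt)
        groups[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    report = {}
    for flow, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        missing, expect, last_seen = [], 0, False
        for f in frags:
            if f["offset"] > expect:
                missing.append((expect, f["offset"] - 1))
            expect = max(expect, f["offset"] + len(f["payload"]))
            if not f["mf"]:
                last_seen = True
        if not last_seen:
            missing.append((expect, None))
        report[flow] = {"complete": last_seen and not missing,
                        "missing": missing, "last_seen": last_seen}
    return report


# Constructed sample: a UDP/500 datagram (8-byte UDP header + 3064 bytes of
# stand-in IKE payload) between the two peers seen in the debug.  At a
# 1500-byte MTU it becomes three fragments (1480 + 1480 + 112 bytes).
HUB, SPOKE = "15.18.1.1", "2.8.51.58"
UDP_HDR = struct.pack("!HHHH", 500, 500, 8 + 3064, 0)
IKE_MSG = UDP_HDR + bytes(range(256)) * 11 + bytes(248)


def hub_capture():
    """What a sniffer on the hub's outside interface sees: every fragment."""
    return build_fragments(HUB, SPOKE, ident=0x1234, payload=IKE_MSG)


def spoke_capture():
    """The same datagram at the spoke when the path drops the middle fragment."""
    frags = hub_capture()
    return [frags[0], frags[2]]


if __name__ == "__main__":
    for name, cap in (("hub", hub_capture()), ("spoke", spoke_capture())):
        for flow, r in check_fragments(cap).items():
            state = "complete" if r["complete"] else f"missing bytes {r['missing']}"
            print(f"{name}: {flow} {state}")
```

    When capturing, filter on the fragments too, not only on the port: non-first fragments carry no UDP header, so `udp port 500` alone misses exactly the packets you are looking for. A tcpdump filter such as `host 2.8.51.58 and (udp port 500 or (ip[6:2] & 0x1fff != 0))` catches both. If the hub-side capture is complete and the spoke-side one is not, the loss is in the path, which is the point at which the reply above says to involve the ISP(s).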

  • Using both Dynamic and Static NAT with two Different Internet facing Subnets

    We have two Class C public address subnets. We started with Subnet (A) and have many of our Internet-accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started migrating the users and new servers to it, so I started with our second Class C Subnet (B). Later on down the road I found out that if the firewall's default gateway is set to a (B) interface subnet, then the servers that are statically mapped to an (A) address will have a (B) address when they communicate out to the Internet. So they are receiving packets on their (A) address, though replying to them with a (B) address.
    It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external address when communicating outbound as well as inbound.
    So for instance I want the following: when the internal host replies, I want the reply to come from the mapped IP, not an IP from the dynamic pool.
    Public IP: 192.168.1.100/24
    Internal IP: 10.0.0.100/16
    Public IP: 192.168.5.101/24
    Internal IP: 10.0.0.101/16
    interface Ethernet0/0
    description 192.168.1.0/24 Network Outside IP
    nameif outside-1
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/1
    description 192.168.5.0/24 Network Outside IP
    nameif outside-5
    security-level 0
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    description inside 10.0.0.0/16
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.0.0
    object network serverA_o
    host 192.168.1.100
    object network serverA_i
    host 10.0.0.100
    object network serverB_o
    host 192.168.5.101
    object network serverB_i
    host 10.0.0.101
    object network 192-168-1-NAT-POOL
    range 192.168.1.50 192.168.1.239
    nat (inside,outside-1) source static serverA_i serverA_o
    nat (inside,outside-5) source static serverB_i serverB_o
    nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
    object network serverA_i
    nat (inside,outside-1) static serverA_o
    object network serverB_i
    nat (inside,outside-5) static serverB_o
    route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
    route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
    When I set this up, my serverB shows a public IP of something in the 192-168-1-NAT-POOL, not 192.168.5.101.
    Any Suggestions?
    Thanks!

    Not sure why I have multiple entries. )-: I did think it was odd. I think it might be because I was looking at examples of the new and old styles of NAT.
    We have a single ISP, though we have 2 separate non-contiguous Class C addresses from them. We host some servers on one subnet and some on the other.
    I'm looking for a way to use both subnets on the same ASA.
    The Connection to the net looks like this:
    Internet -> Edge Router Layer3 VLAN Switch
    GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
    GE0/1.2 - 192.168.5.1 VLAN Tagged -^
    Layer3 VLAN Switch Firewall
    GE1 192.168.1.0/24 Untagged -> ASA Outside-1
    GE2 192.168.5.0/24 Untagged -> ASA Outside-5
    Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
    Hope that helps clarify.
    I could try to post some sanitized Configs of my PIX and ASA if needed.  But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. 
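    An added example from the editor, not the poster's configuration or anything Cisco ships: a small simulator of how ASA 8.3+ orders and evaluates NAT rules, run against the configuration posted above. The ordering it implements is Cisco's documented one: Section 1 is manual (twice) NAT in configuration order, Section 2 is object NAT sorted static-before-dynamic, then fewest real addresses, then lowest real address, then object name, and Section 3 is manual NAT with `after-auto`; the first matching rule wins, and a rule only matches when its interface pair matches the packet's ingress and egress interfaces. Two things the post does not spell out come out of running it: each server object is translated by two rules (the twice-NAT line and the object-NAT line, which is where the "multiple entries" come from), and for traffic leaving through outside-1 the `source dynamic any` rule in Section 1 matches before anything in Section 2 ever gets a look. The script assumes the egress interface is the one the route lookup picks (outside-1 for both servers, since that default route has the lower metric); the ASA can also let a NAT rule select the egress interface, so confirm the real decision with `packet-tracer input inside tcp 10.0.0.101 12345 <internet host> 80` on the box. It parses only the object and nat forms used in the post plus `subnet`; manual rules with a `destination` clause are out of scope.

```python
"""Simulate ASA 8.3+ NAT rule precedence on a posted configuration (editor's example)."""
import ipaddress
import re
from dataclasses import dataclass

# The configuration from the post, transcribed; nothing else is real device state.
ASA_CONFIG = """
object network serverA_o
 host 192.168.1.100
object network serverA_i
 host 10.0.0.100
object network serverB_o
 host 192.168.5.101
object network serverB_i
 host 10.0.0.101
object network 192-168-1-NAT-POOL
 range 192.168.1.50 192.168.1.239
nat (inside,outside-1) source static serverA_i serverA_o
nat (inside,outside-5) source static serverB_i serverB_o
nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
object network serverA_i
 nat (inside,outside-1) static serverA_o
object network serverB_i
 nat (inside,outside-5) static serverB_o
"""

ANY = (0, 2 ** 32 - 1)  # address range used for the keyword "any"


@dataclass
class Rule:
    section: int       # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    order: int         # line position in the config (Sections 1 and 3 keep this order)
    real_ifc: str
    mapped_ifc: str
    kind: str          # "static" or "dynamic"
    real: str          # real object name, or "any"
    mapped: str        # mapped object name
    text: str


def parse_config(cfg):
    """Return (objects, rules); objects maps a name to an inclusive (lo, hi) integer range."""
    objects, rules, current = {"any": ANY}, [], None
    for n, raw in enumerate(cfg.splitlines()):
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "host":
            a = int(ipaddress.ip_address(tok[1]))
            objects[current] = (a, a)
        elif tok[0] == "range":
            objects[current] = (int(ipaddress.ip_address(tok[1])),
                                int(ipaddress.ip_address(tok[2])))
        elif tok[0] == "subnet":
            net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
            objects[current] = (int(net[0]), int(net[-1]))
        elif tok[0] == "nat":
            real_ifc, mapped_ifc = re.match(r"nat \((\S+),(\S+)\)", raw.strip()).groups()
            if tok[2] == "source":                 # manual (twice) NAT line
                section = 3 if "after-auto" in tok else 1
                rules.append(Rule(section, n, real_ifc, mapped_ifc, tok[3], tok[4], tok[5], raw.strip()))
            else:                                  # object NAT: real = enclosing object
                rules.append(Rule(2, n, real_ifc, mapped_ifc, tok[2], current, tok[3], raw.strip()))
    return objects, rules


def build_table(cfg):
    """Order the rules the way the ASA evaluates them (first match wins)."""
    objects, rules = parse_config(cfg)

    def auto_key(r):  # Section 2: static first, fewest real IPs, lowest real IP, then name
        lo, hi = objects[r.real]
        return (r.kind != "static", hi - lo + 1, lo, r.real)

    table = ([r for r in rules if r.section == 1]
             + sorted((r for r in rules if r.section == 2), key=auto_key)
             + [r for r in rules if r.section == 3])
    return objects, table


def lookup(objects, table, src_ip, ingress, egress):
    """First rule whose interface pair and real source range match the packet."""
    ip = int(ipaddress.ip_address(src_ip))
    for r in table:
        lo, hi = objects[r.real]
        if r.real_ifc in ("any", ingress) and r.mapped_ifc in ("any", egress) and lo <= ip <= hi:
            return r
    return None


def translated_source(objects, rule):
    """Describe the mapped source a matching rule produces."""
    if rule is None:
        return "no translation"
    lo, hi = objects[rule.mapped]
    if rule.kind == "static":
        return str(ipaddress.ip_address(lo))
    return f"an address from {ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"


def duplicate_real_objects(table):
    """Real objects translated by more than one rule (the post's 'multiple entries')."""
    seen = {}
    for r in table:
        seen.setdefault(r.real, []).append(r.section)
    return sorted(name for name, sections in seen.items() if len(sections) > 1)


if __name__ == "__main__":
    objects, table = build_table(ASA_CONFIG)
    for i, r in enumerate(table, 1):
        print(f"{i:2d} [section {r.section}] {r.text}")
    print("translated by more than one rule:", duplicate_real_objects(table))
    for src, egress in (("10.0.0.100", "outside-1"), ("10.0.0.101", "outside-1"), ("10.0.0.101", "outside-5")):
        r = lookup(objects, table, src, "inside", egress)
        print(f"{src} inside->{egress}: {translated_source(objects, r)}  [{r.text if r else '-'}]")
```

    Running it prints the effective table (three Section 1 rules followed by the two object NAT rules) and shows 10.0.0.101 leaving via outside-1 hitting the `source dynamic any` rule and getting a pool address, while the same host leaving via outside-5 gets 192.168.5.101. That is the behaviour the post describes, under the stated assumption about which interface the route lookup selects.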

  • Migration from PC to Mac without losing application data (savegames etc.)

    Hello everyone,
    I am migrating from my old Windows PC onto a MacBook Pro, and I'm having difficulties with iTunes and my iOS devices (iPhone 4, iPad 1). Maybe someone here can help me out; I'd be ever so grateful.
    I set up iTunes on my MBP yesterday and logged in to my account. I replaced the empty iTunes Media folder with my old one (which contains all my music, videos and applications) via an external hard drive.
    First problem: it wouldn't import these files into my new library automatically. It just showed me an empty library. I think I imported the entire iTunes Media folder manually yesterday via "Add to folder". The status right now (after some experimentation) is: old iTunes Media folder copied, but nothing imported (that is, I have an empty library).
    When I connected my iPhone and tried to sync, I first had to authorize the MacBook for the iPhone. So far, so good. However, when I tried to sync, iTunes warned me that if I sync, all data on the iPhone will be removed and replaced by the data from my new local library (which is, of course, a copy of my old library, but doesn't store application data like savegames).
    I tried to do it via "transfer purchased items from iPhone", which took forever, but yielded the same result: a warning that all data on the iPhone would be erased.
    So the question is: how do I connect my iPhone and iPad to iTunes on my new Mac without losing application data like settings and savegames? And why is this so complicated and non-transparent? I should be able to just copy my media, say "authorize this computer, then add iPhone to the registered devices" and then proceed like nothing ever changed.
    I searched the net until three in the morning yesterday, but couldn't find anything that sounded safe enough to give it a try.
    Thanks in advance and best Regards,
    Nate
    PS: I do have the backup-folders from my old PC on a USB stick - are those going to help?

    I was fighting this battle the past few days myself; but actually it is REALLY easy now. See here:
    http://www.macworld.com/article/146958/2010/03/moveitunes_windowsmac.html
    Then, once iTunes was on the Mac, I did this:
    1. On the Mac rename ...\iTunes\iTunes Library.itl as ...\iTunes\iTunes Library
    2. On the Mac delete ...\iTunes\iTunes Library Genius.itdb (Apparently the PC & Mac versions are not compatible - iTunes will just rebuild it later)
    3. Launch iTunes and immediately press & hold down the Option key until a dialog opens asking you to Choose a library. Navigate to the folder/drive you've copied from the PC and open ...\iTunes\iTunes Library.
    (thanks to turingtest2 for the above steps)
    That was it. Did it yesterday evening. All playlists, libraries, everything copied fine. No problems; no broken links. Perfect.
