Netflow- IOS vs ASA
Hello,
What is the difference between NetFlow on IOS and ASA?
Also I want to know whether the Next-Generation ASA (ASA with FirePOWER) has NBAR2 features as available on IOS ISR-G2,
or does it still use the old NSEL feature?
Thanks,
Hi,
I think this would help:
https://supportforums.cisco.com/document/30471/netflow-asa
Thanks and Regards,
Vibhor Amrodia
Similar Messages
CSM 4.4sp1 netflow configuration for ASA
Hi,
We are running Cisco Security Manager 4.4 service pack 1 and our ASAs are all running 9.0.2/9.1.1
I've hit a problem with export to netflow from my ASA firewalls configured through CSM.
We configure the NetFlow export under platform/logging and enable flow export. Looking at "show flow-export counters" on the ASA, however, very few flows are exported and no NetFlow shows up in our NetFlow analyzer.
Looking at the deployment this is what is deployed (for netflow):
! COMMENT: Bulk request written; reading response...
Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60
As I understand it, I need to match what traffic to export to NetFlow, which is set up as a service policy rule. I cannot find any option to export to NetFlow under the service policy rules however (only IPS, CXSC, Connection Settings, QoS, CSC, User statistics and ScanSafe).
I configured a flexconfig to append to the configuration and this seems to export the data until the next time a policy is pushed. The configuration changes done by the flexconfig are then removed from the ASA and netflow stops working.
My flexconfig (append) looks like this:
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination X.X.X.X
Has anybody found a way to get NetFlow export to work correctly when configured using CSM?
-Michel
Try adding the following line under flexconfig with the rest of your NetFlow configuration.
flow-export template timeout-rate 1
These are my flexconfigs on my firewalls using CSM:
access-list global_mpc extended permit ip any any
class-map global-class
 match access-list global_mpc
policy-map global_policy
 class global-class
  flow-export event-type all destination x.x.x.x
flow-export template timeout-rate 1
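A collector-side decoder that makes the IOS-versus-ASA difference from the first thread concrete: classic IOS NetFlow records carry byte/packet counters, while ASA NSEL records carry a firewall event (flow create/teardown/deny) in field 233, and both can only be decoded once the template FlowSet has arrived, which is why the "flow-export template timeout-rate 1" line above matters. This is an added example, not code from either thread; the field IDs are assumed from the NetFlow v9/IPFIX registries and the packets are constructed.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field IDs (IPFIX registry numbering). 233 is firewallEvent, the field
# ASA NSEL uses to say what happened to a connection; all of these are assumptions.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr", 233: "fw_event"}
FW_EVENTS = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied", 5: "flow-update"}

class V9Decoder:
    """Collector-side decoder. Templates are cached per (source_id, template_id);
    a data FlowSet whose template has not arrived yet is only counted, which is
    what a collector sees when the exporter sends templates rarely."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def feed(self, pkt):
        """Decode one export packet and return the records it contained."""
        version, _cnt, _up, _ts, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, off = [], 20
        while off + 4 <= len(pkt):
            set_id, set_len = struct.unpack("!HH", pkt[off:off + 4])
            if set_len < 4:
                raise ValueError("malformed FlowSet length")
            body = pkt[off + 4:off + set_len]
            if set_id == 0:                       # template FlowSet
                self._parse_templates(source_id, body)
            elif set_id >= 256:                   # data FlowSet (1 = options, skipped)
                records.extend(self._parse_data(source_id, set_id, body))
            off += set_len
        return records

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in tmpl)
        out, off = [], 0
        while off + rec_len <= len(body):        # leftover bytes are padding
            rec = {}
            for ftype, flen in tmpl:
                raw, off = body[off:off + flen], off + flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            if "fw_event" in rec:                 # NSEL: an event about a connection
                rec["kind"] = "nsel"
                rec["fw_event"] = FW_EVENTS.get(rec["fw_event"], "unknown")
            else:                                 # classic IOS NetFlow: traffic counters
                rec["kind"] = "traffic"
            out.append(rec)
        return out

# Constructed sample templates/packets (not captured from a real device).
TRAFFIC_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]   # IOS-style
NSEL_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]             # ASA NSEL-style

def _header(source_id=1):
    return struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, source_id)

def _template_set(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def _data_set(tid, records):
    body = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(body)) + body

def traffic_record(src, dst, sport, dport, proto, nbytes, npkts):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)

def nsel_record(src, dst, sport, dport, proto, event):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHBB", sport, dport, proto, event)

def demo():
    # Returns (records decoded before any template, undecodable count, records after templates)
    dec = V9Decoder()
    early = _header() + _data_set(257, [nsel_record("10.0.0.5", "192.0.2.10", 40000, 443, 6, 1)])
    lost = dec.feed(early)                        # template 257 not seen yet: nothing decodable
    dec.feed(_header() + _template_set(256, TRAFFIC_FIELDS) + _template_set(257, NSEL_FIELDS))
    data = (_header()
            + _data_set(256, [traffic_record("10.0.0.5", "192.0.2.10", 40000, 443, 6, 5120, 9)])
            + _data_set(257, [nsel_record("10.0.0.5", "192.0.2.10", 40001, 22, 6, 3),
                              nsel_record("10.0.0.5", "192.0.2.10", 40000, 443, 6, 2)]))
    return lost, dec.undecodable, dec.feed(data)
```

The first data packet in demo() is silently undecodable because its template has not been seen; a real exporter with a long template interval produces exactly that gap at the collector.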
Hello my friends,
I have been trying to establish VPN connectivity between a Cisco IOS router and an ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
Here are my configuration commands:
Router:
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
ASA commands:
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
Do you have any idea what is wrong? Thank you a lot in advance.
I managed to get this from show crypto ipsec sa:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
And details from show crypto session detail
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
How to setup netflow V9 on ASA
Hi Forumers,
I want to check how to configure the ASA to support NetFlow v9; either ASDM or CLI mode is welcome.
I followed the PRTG guide but it doesn't seem to succeed in detecting NetFlow activity.
Please advise.
Noel
Hello Joel,
This video should help you confirm that the ASA NetFlow configuration is set up correctly.
Jake
Is NetFlow supported on the ASA? I have been looking on the net with no luck; can someone point the way or tell me if this is not possible?
TIA!!
Rick - thanks for your response. It would be nice to see NBAR or NetFlow type stats on the ASA when the ASA is performing VPN functions.
Would syslog or something else give me those type of stats?
Thanks,
Steve
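One way to get the kind of per-host and per-service traffic statistics Steve asks about from the ASA's own connection syslogs rather than NetFlow. This is an added example, not from the thread; the log lines are constructed in the format of ASA message IDs 302013/302014/302015/302016 (connection built/teardown) and 106023 (ACL deny), and the "inside" interface name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of ASA connection syslogs (not from a real device).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.20/52044 (10.1.1.20/52044)
%ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.1.1.20/40123 (10.1.1.20/40123)
%ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.53/53 to inside:10.1.1.20/40123 duration 0:00:02 bytes 312
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.1.1.20/52044 duration 0:00:45 bytes 73422 TCP FINs
%ASA-4-106023: Deny tcp src outside:203.0.113.9/55555 dst inside:10.1.1.20/3389 by access-group "outside_access_in" [0x0, 0x0]
"""

# Teardown messages carry the duration and byte count for the whole connection,
# so they are the ones worth aggregating; "Built" messages only tell you a flow started.
TEARDOWN = re.compile(
    r"%ASA-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<cid>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)")
DENY = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sp>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dp>\d+) by access-group \"(?P<acl>[^\"]+)\"")

def summarize(lines, inside_if="inside"):
    """Aggregate bytes per inside host and per service, total connection time, and ACL denies."""
    per_host = defaultdict(int)
    per_service = defaultdict(int)
    total_secs = 0
    denies = []
    for line in lines:
        m = TEARDOWN.search(line)
        if m:
            nbytes = int(m["bytes"])
            # the host is whichever endpoint sits on the inside interface; the
            # service is the port on the other side of the connection
            if m["if1"] == inside_if:
                host, svc_port = m["ip1"], m["p2"]
            else:
                host, svc_port = m["ip2"], m["p1"]
            per_host[host] += nbytes
            per_service[f"{m['proto'].lower()}/{svc_port}"] += nbytes
            total_secs += int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            continue
        d = DENY.search(line)
        if d:
            denies.append((d["sip"], d["dip"], d["proto"], int(d["dp"]), d["acl"]))
    return {"per_host": dict(per_host), "per_service": dict(per_service),
            "total_secs": total_secs, "denies": denies}

def demo():
    return summarize(SAMPLE_LOG.splitlines())
```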
IOS to ASA VPN Creating Multiple ISAKMP SAs
Hello. I'm running an IPsec VPN between a 5520 ASA and a 2811 router. The ASA has a static IP and the router has a DHCP interface.
The VPN seems to work fine once I get done clearing old SAs, but each new IPSEC SA creates a new ISAKMP SA on the router? There are multiple subnets that need to create multiple IPSEC SAs. Eventually I can clear the older ISAKMP SAs and get all the traffic on one ISAKMP SA, but until I clear older SAs, new associations won't form. Does anyone know why the router (initiator) would keep creating new ISAKMP SAs and not use an established one?
Using PSK, aggressive mode and no PFS. ASA has another dynamic crypto map with lower priority than this one. Using FQDN for identity on the router. Anyone seen this problem? ASA version 8.2(5) and IOS is 12.4(20)T1.
Must be something I'm not understanding. The ASA says no established SA and drops the new SA attempt until I clear older ISAKMP SAs out of the router. Interesting, the first few IPSec SAs form when the tunnel initially comes up. I assume the initial requests are getting cached and work immediately after the first ISAKMP SA forms, but subsequent IPSec SA attempts will fail. Once all subnets are talking with 1 ISAKMP SA, rekeys don't cause any problems. Since the router subnets have to instantiate the new IPSec SAs, this is a real pain to go through anytime the WAN/VPN fails.
Thanks for any ideas,
Keith
Keith,
Would you happen to have a snippet of your config on your router? Debugging logs from the router would help as well.
And perhaps a 'show crypto isakmp sa' and 'show crypto ipsec sa'
-Chris
How does NetFlow work with ASA FirePOWER and Virtual Defense?
Hi,
In the discovery rules of the Virtual Defense, I can see that it's possible to configure a NetFlow source. I have a pair of Cisco 4500X as the core L3 switch, and would like to send a flow to the IPS.
I configured the switch like this:
flow record IPV4-FLOW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
flow exporter Firepower
 source Vlan12
 destination IP_OF_tHE_ASA_IPS_MODULE
flow monitor IPV4-FLOW
 exporter Firepower
 cache timeout inactive 30
 cache timeout active 60
 cache entries 1000
 record IPV4-FLOW-RECORD
vlan configuration 100-102
 ip flow monitor IPV4-FLOW input
Is it the correct configuration? I can't see how to check in Virtual Defense whether it receives NetFlow packets.
SOLUTION!
Install a second NIC bind vmnet0 to eth1 instead of eth0
Details:
Goal was to have the Host OS (Ubuntu 8.04) which is running an Apache web server also serve as an e-mail gateway (SpamTitan) since on a heavy day the web server might hit 5% CPU.
Why buy a whole new machine, right?
When it did not work right away I went into troubleshooting mode and tried several different things as mentioned above. Which led me to the idea to create my own VM of SpamTitan and bind it to a different NIC.
Before I went that far I tried reassigning vmnet0 from eth0 to my newly installed eth1 and running it. That seems to have done the trick!
So now the setup is:
eth0 192.168.2.4
eth1 192.168.2.5
vmnet0 192.168.2.6
With vmnet0 bridged to eth1
Why is it working now and not before?
I am unsure. It is not a Linux thing because I tried both Windows XP and OS X 10.5 with the same result. I think it has more to do with primary network and associated services than Host OS.
If anyone has any insight please let me know. Otherwise I am going to chase it down later.
Thanks again for your responses!
ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration
Hi,
I need to activate a control privileges of users on various devices.
I found this interesting document:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and using a router with IOS 124-11.XV1 it works normally, while using a switch 2960-24TC with IOS 12.2.25SEE3 it is not working.
All users (read and full access) land in non-privileged mode.
WHY?
I have an ACS v3.3 build 2
I have a 2960-24TC with IOS 12.2.25SEE3
I tried with an ACS v4.1 without success.
Thanks.
If you want users to fall directly into enable mode, then you should have this command:
aaa authorization exec default group tacacs+ if-authenticated
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Hi,
I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups use separate VRFs for each customer, and therefore overlapping LAN networks or even VPN pools aren't a problem.
This has in the past been avoided (on other ASAs) by using a default route for each customer interface on the ASA (with a different metric). With this we can have overlapping LAN networks for the customers, though the limit for the number of customer links becomes the metric value range. So basically even if we had an ASA with support for 1000 VLANs we still couldn't use this setup, as we would run out of usable metric values for the default routes pointing to the customer links/networks.
So looking at the above situation it seems we would just need a load of ASAs with support for 250 VLANs, each handling a customer group, and not a single ASA which could handle all the VPNs (if there are more than the mentioned approx. 250).
Another option is, I guess, using a single link on the ASA for all the customers with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRFs. This in turn would create a lot more configuration on the core device, and a single VPN configuration/connection would become harder to manage.
Has anyone run into a similar situation, and how have you handled it? Have you moved to another device manufacturer or stuck with IOS perhaps? It's unfortunate that the ASA can't handle this by itself.
- Jouni
Hi,
I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we) L2L VPN only provides minimal help to our situation as most connections are Client VPN.
Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
The goal now is to get the old IPsec Client and L2L VPNs of the current device so we can remove the actual 6509/VPN/FWSM device from the network. (Because of the old hardware)
Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and L2L VPN to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations)
We also started considering hosting the VPN services on more high-end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives a lot more flexibility, and the most important thing to us is the ability to virtualise routing.
I've read that AnyConnect VPN has also come to IOS devices.
Quick Google search gives this Cisco document
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
How is the AnyConnect on IOS compared to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS)
Also on another note, I guess I missed one thing when writing the original post.
I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics) This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with different metric. As now each network range could overlap on 255 customers.
Here's a small sample of a lab configuration for that kind of situation:
interface GigabitEthernet0/0
 description TRUNK
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/0.1000
 description ASIAKAS-1
 vlan 1000
 nameif asiakas-1
 security-level 100
 ip address 172.32.100.2 255.255.255.0
interface GigabitEthernet0/0.2000
 description ASIAKAS-2
 vlan 2000
 nameif asiakas-2
 security-level 100
 ip address 172.32.200.2 255.255.255.0
route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
group-policy ASIAKAS-1-GP attributes
 vlan 1000
group-policy ASIAKAS-2-GP attributes
 vlan 2000
Basically, to my understanding, in the above situation the "vlan xxxx" configuration under group-policy defines the egress interface of the traffic from the VPN, and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply (and provide the next-hop IP) in the case where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP.
I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage. (As would be the PBR solution mentioned in the original post)
I'm not sure if I'm making any sense
- Jouni
Looking for a Cisco config doc that talks at Netflow reporting via SNMPv3.
We have several routers (7600) that do not support NetFlow (only on the FlexWAN card), so our plan is to use SNMPv3 reporting.
I have a Cisco Netflow document reporting via SNMPv2c but cannot find any good examples using SNMPv3.
Thanks
Frank
Hello Racquel,
You cannot explicitly view netflow messages within MARS. Once the MARS starts to see a flow of netflow messages it will collect and collate the information for 7 days (including a weekend). This will then produce a baseline for this netflow source. After 7 days MARS will switch from collecting to monitoring. In monitoring state MARS will, using predefined internal metrics, determine if newer netflow records indicate exceptional traffic. If this is the case, then the MARS will generate an incident on the GUI. Over time, the MARS will adjust the baseline values using the received netflow records.
If you select to store IOS or ASA netflow records (admin -> system setup -> netflow configuration), then the records will be written to the internal database and archived (if configured). This will impact disk usage but would mean that if you needed to recover the MARS from archive after failure (re-image or RMA) then you could recover the baseline settings. Also, if you write them to disk, you can then export the raw netflow records to a file (admin -> system maintenance -> retrieve raw messages), but you will need to provide some external means of processing them.
Matthew
ASA 5505 VPN with backup route
We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a 1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.
Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA; you can use the linked examples depicting your scenario requirements, where one end is dynamic and the other static, for IPsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obviously is having static IP addressing; make that clear with your client, but these examples are a very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards
PIX, ASA or VPN concentrator & dynamic VPN
Hi all,
I need help what to use and how to do next.
What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
How to do that dynamically? Is it possible to do that with one certificate?
Other question is what to use? ..PIX, ASA, VPN concentrator ?
BR
jl
The PIX and VPNC are both end-of-sale products now, and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
"every user is member of more than one group "
Some links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
Pls. rate if helpful.
Regards
Farrukh
ASA 5505 VPN with dhcp at endpoint
I have a new customer that I installed an ASA 5505 to replace a Linksys VPN router. They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address. I have no problem getting the static VPNs up and running. My problem is with the VPN connections that are doing DHCP. I can go in and determine what IP they are currently using and setup a connection and it works fine. The problem is of course when their IP address from the ISP changes, which seems to happen at least daily. What is the proper way to setup a connection that is using DHCP? Also, can you setup multiple connections this way? Currently the 2 locations have different passwords setup in their routers.
I need help ASAP as this customer is getting frustrated quickly. I do not want to lose a customer that I just got over this.
Thanks in advance,
Steve
Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA; you can use the linked examples depicting your scenario requirements, where one end is dynamic and the other static, for IPsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obviously is having static IP addressing; make that clear with your client, but these examples are a very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards
ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT
I've spent 2 days already trying to get 2 ASA 5505s to connect using an IPsec VPN tunnel. I cannot seem to figure out what I'm doing wrong; I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I'm trying to connect over a directly connected link on the outside interfaces, with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with, and currently without, NAT enabled. Here are the configs for both ASAs; the VPN config was done by ASDM, however I have also tried the command line approach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
ASA 1 Config
ASA Version 8.3(2)
hostname VIC
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.97.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
boot system disk0:/asa832-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.97.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
ASA2 Config
ASA Version 8.3(2)
hostname QLD
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
object network SITEA
subnet 192.168.97.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 50.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 50.1.1.1 type ipsec-l2l
tunnel-group 50.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: end
Hello Mitchell,
Thank you for letting us know the resolution of this topic.
Please mark the question as answered so future users can learn from this topic.
Regards,
Julio
ASA site-site VPN error using Microsoft Digital Certificates.
Hi,
I configured site-to-site between ASAs with authentication type RSA-SIG for Phase 1. I got manual certificates from a Microsoft CA server but am not able to form the tunnel. I badly need someone's help on this issue.
ASA1 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
peer-id-validate cert
trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa1.cisco.com
keypair my.ca.key
crl configure
ASA-2 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
peer-id-validate cert
trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa2.cisco.com
keypair my.ca.key
crl configure
Debug Output:
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50 local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
%ASA-7-609001: Built local-host outside:59.160.128.50
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 59.160.128.50, processing SA payload
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715046: IP = 59.160.128.50, constructing ke payload
%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
%ASA-7-715048: IP = 59.160.128.50, Send IOS VID
%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 59.160.128.50, constructing VID payload
%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-715047: IP = 59.160.128.50, processing ke payload
%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
%ASA-7-715047: IP = 59.160.128.50, processing nonce payload
%ASA-7-715047: IP = 59.160.128.50, processing cert request payload
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
%ASA-7-715046: IP = 59.160.128.50, constructing ID payload
%ASA-7-715046: IP = 59.160.128.50, constructing cert payload
%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 128
%ASA-7-713906: Constructed Signature:
0000: 4FB66432 FCA9DA52 5420E6C1 DF8293AC O.d2...RT ......
0010: DE3533F1 7036E5C8 40B11A9D 5C68C884 .53.p6..@...\h..
0020: D4BCA531 BAE87710 09D1AD06 7994CD1B ...1..w.....y...
0030: DCEDB9CE E971F21B 0104C06A 1901FACE .....q.....j....
0040: D1E8AED1 7684DFDA 40E98BC2 E195F3C8 ....v...@.......
0050: 3625E936 E35F47A3 F44BC326 62E99135 6%.6._G..K.&b..5
0060: 88EB90FF 10938CC3 0FFAA576 A9DBD9AD ...........v....
0070: 65592C71 5A13C4C5 8EBA60F6
%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating: flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
Kindly suggest further steps.
Regards,
Mon
Hi Mate,
your ASA is sending the ASA certificate:
but after that we are receiving an ISAKMP notify message which tears down the connection?
somehow the remote peer didn't like the ASA certificate
do you have access to that peer? is it a Cisco ASA?
is the time synchronized with that side?
is the CA certificate installed on that peer?
HTH
Mohammad.
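The trace above shows the classic shape of an IKEv1 main-mode authentication failure seen from the initiator: MM1 to MM4 complete, the ASA sends MM5 (ID + CERT + SIG), and the only thing that ever comes back is an unprotected INVALID_COOKIE notify, which the ASA correctly discards, until the FSM times out in MM_WAIT_MSG6 and the SA is deleted. The following is an added example, not code from the thread or from Cisco, that parses such a debug trace, reconstructs which of the six main-mode messages were sent and received, reads the FSM error history (syslog 715065), and produces the same verdict Mohammad reached by hand. The payload-to-message mapping (SA for MM1/MM2, KE for MM3/MM4, ID for MM5/MM6), the WAIT_HINT text, and the function names are my own; the sample log is a trimmed subset of the lines posted above with the retries removed.

```python
"""Triage an ASA IKEv1 main-mode debug trace and say why Phase 1 failed (added example)."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?:IP = (?P<peer>[\d.]+), )?(?P<msg>.*)$")
DECODE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<msgid>[0-9a-f]+)\) with payloads : (?P<payloads>.+?) total length : (?P<len>\d+)")
NOTIFY = re.compile(r"Received an un-encrypted (?P<type>[A-Z_]+) notify message")
FSM = re.compile(r"IKE MM Initiator FSM error history .*?<state>, <event>: (?P<hist>.+)$")

# Payload that identifies each main-mode message, seen from the initiator (assumption:
# MM1/MM2 carry SA, MM3/MM4 carry KE, MM5/MM6 carry ID together with CERT/SIG).
MM_STEP = {("SENDING", "SA"): 1, ("RECEIVED", "SA"): 2,
           ("SENDING", "KE"): 3, ("RECEIVED", "KE"): 4,
           ("SENDING", "ID"): 5, ("RECEIVED", "ID"): 6}

# What it usually means when the initiator never receives a given message (heuristics, mine).
WAIT_HINT = {
    2: "peer never answered MM1: UDP/500 filtered, no IKE listener, or no matching ISAKMP policy",
    4: "peer accepted the policy but never returned its KE/nonce (MM4)",
    6: "our ID+CERT+SIG (MM5) went out but the peer never sent its own MM6, so it rejected our authentication: certificate/CA not trusted there, clock skew, or identity mismatch",
}

@dataclass
class PeerState:
    peer: str
    mm_sent: set = field(default_factory=set)
    mm_received: set = field(default_factory=set)
    notifies: list = field(default_factory=list)      # unprotected notify types the ASA dropped
    fsm_history: list = field(default_factory=list)   # [(state, event), ...] from syslog 715065

    @property
    def stuck_state(self):
        """State in which the FSM timed out or gave up on authentication, if a 715065 was logged."""
        for state, event in self.fsm_history:
            if event in ("EV_TIMEOUT", "EV_PROB_AUTH_FAIL"):
                return state
        return None

def payload_names(payloads):
    # 'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['HDR', 'SA', 'VENDOR', 'NONE']
    return [tok.split(" (")[0].strip() for tok in payloads.split(" + ")]

def triage(log_text):
    """Return {peer_ip: PeerState} built from the debug lines that carry an 'IP =' prefix."""
    peers = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m or not m["peer"]:
            continue  # connection build/teardown and other lines without a peer address
        st = peers.setdefault(m["peer"], PeerState(m["peer"]))
        msg = m["msg"]
        if m["id"] == "713236":
            d = DECODE.search(msg)
            if d is None or d["msgid"] != "0":
                continue  # msgid 0 is main mode; anything else is quick mode or informational
            bucket = st.mm_sent if d["dir"] == "SENDING" else st.mm_received
            for name in payload_names(d["payloads"]):
                step = MM_STEP.get((d["dir"], name))
                if step:
                    bucket.add(step)
        elif m["id"] == "713904":
            n = NOTIFY.search(msg)
            if n:
                st.notifies.append(n["type"])
        elif m["id"] == "715065":
            f = FSM.search(msg)
            if f:
                pairs = [p.strip().split(", ", 1) for p in f["hist"].split("-->")]
                st.fsm_history = [tuple(p) for p in pairs if len(p) == 2]
    return peers

def diagnose(st):
    """One-line verdict for a peer, in the order a firewall engineer would check it."""
    if 6 in st.mm_received:
        return f"{st.peer}: Phase 1 completed (all six main-mode messages exchanged)."
    waiting_for = max(st.mm_sent, default=0) + 1
    verdict = (f"{st.peer}: Phase 1 failed while waiting for MM{waiting_for}"
               f" ({WAIT_HINT.get(waiting_for, 'no main-mode traffic seen')})")
    if st.stuck_state:
        verdict += f"; FSM confirms it died in {st.stuck_state}"
    if st.notifies:
        kinds = ", ".join(sorted(set(st.notifies)))
        verdict += (f". Peer also sent {len(st.notifies)} unprotected {kinds} notify(s), which the ASA"
                    " discards by design, so they say nothing about the real cause")
    return verdict + "."

# Constructed sample: a trimmed subset of the trace posted above, retries removed.
SAMPLE = """\
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_SND_MSG5, EV_SND_MSG
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

if __name__ == "__main__":
    print("\n".join(diagnose(s) for s in triage(SAMPLE).values()))
```

Run against the sample it reports that Phase 1 died waiting for MM6, which points the investigation at the responder (its trust in the ASA certificate, its clock, the identity it expects) rather than at the ASA, and it flags the INVALID_COOKIE notifies as noise: unauthenticated notifies are dropped precisely so a third party cannot tear down or steer an IKE negotiation, so they must not be read as the peer's reason for refusing.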