NTP across IPsec VPN

Trying to get NTP workign across a VPN.  I have a switch that sits behind an ASA doing an IPSEC VPN (the ASA).
The NTP server is on the other side, which the switch is trying to get to.
ntp authtication-key 1 md 5 ****
ntp authenticate
ntp server x.x.x.x key 1
I know the VPN is operating fine as I'm able to pass certain types of traffic.
Why does the " show ntp ass detail" command run on the switch tell me it is  "configured, authenticated, insane ....."
when on the ASA I run "show crypto ips sa" show zero #pkts encaps:
Basically if it is getting "authenticated" to the ntp server, then why would I not see any encapsulation increments?
Or am I just reading this wrong...
Thanks,
Pete

IP to IP is allowed, which should include UDP port 123 on the crypto map.
I understand that authenticated does not mean synce'd. I'm trying to understand how the authenticated mechanism works, which should at least indicate reachability to the ntp server. But why no encryp/decrypt # increments for authenticating ?
I'll try it with the ASA as described here :
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a5641e.shtml

Similar Messages

  • How to nat subnets before establishing site to site ipsec vpn tunnel?

    Hello,
    Coming across requirement which is new to me as I have not done this setup. Details as follows. Hope some1 can help.
    Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
    Existing device: Cisco 5510 where I need to do this NAT.
    Existing scenario in short: I have created vlans on asa by creating sub interfaces.
    Changes done: added new sub int for 192.168.50.0. Added new object as 192.168.50.0 . Now done with creation of acl where traffic from 192.168.50.0 to remote subnets allowed. In NAT object sections done nating 1 to 1 I.e. existing subnet to 192.168.50.0
    Done ipsec vpn setup inc phase 1 & 2.
    Now tried to ping remote hosts but not reachable.
    Pls advice how to make it work.
    I dont any router next to asa 5510. Asa is in routed mode. Next hop to asa is isp's mux.

    Hello. Pls find my answers inline
    I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
    Answer: Thats correct.
    Later on it seems that you have configured this to some interface on the ASA?
    Answer: Yes as I have defined vlan's on ASA itself. i.e. other subnets too i.e. 10.x series & 192.168.222.x series. I used Ethernet 0/0 as main interface for all LAN networks and have created sub interfaces i.e. vlan's on it. Using 3COM switch down to ASA to terminate those vlan's & distribute to unmanaged switches. Due to port limitations on ASA I have configured vlans on ASA itself. Ethernet 0/2 is my WAN interfacei.e. ISP link terminates on Eth 0/2 port.
    So  are you attempting to NAT some other LAN networks to this single NAT  network before the traffic heads to the L2L VPN connection on your ASA?
    Answer: Yes thats right. Attempting to NAT multiple networks to single NAT before traffic head to L2L VPN connecting from my ASA 5510 to remote Citrix firewall.
    Can  you then mention what are the source networks and source interfaces for  these networks? What is the destination network at the remote end of  the L2L VPN connection?
    Answer:    Source networks =  10.100.x series & 192.168.222.x series / Destination networks are from 192.168.228.x , 192.168.229.x series.  Remote admin wants us to NAT our multiple subnets to single subnet i.e. 192.168.50.0 and then traffic from this subnet is allowed at remote end.
    Do  you want to just do a NAT Pool of the 192.168.50.0/24 network for all  your Internet users OR does the remote end also have to be able to  connect to some of your sites hosts/servers?
    Answer:  Yes just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1 way access. I am going to access remote servers.
    The new thing for me is how to NAT multiple subnets. I have existing ipsec vpn's where I have added multiple subnets which is traditional set up for me. This requirement is new to me.

  • Profile for Cisco IPsec VPN does not set shared secret correctly

    Hi,
    We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
    I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
    Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
    thanks

    Hi,
    Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long. I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too.

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to setup an IPSec VPN in a basic small business  scenario. I am able to connect to my pix 501 via IPSec VPN and browse  the internet but I am unable to ping or connect to any devices in the  remote LAN. Here is my config
    show config:
    nterface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreaciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni

  • Policy based l2l ipsec vpn - Need XAUTH problem

    Hi,
    I have a problem that I can see some solutions for but they do not work.
    I have a p2p IPSec vpn that worked before I added a remote access VPN configuration (which works perfectly).
    As per documentation I employed isakmp policy to allow the mixed tunnels. Now whenever I try to send traffic across the l2l link I am getting the following debug results which tell me the remote router is demanding XAUTH.
    Sep  8 09:53:12: ISAKMP:(2015):Total payload length: 12
    Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Need XAUTH
    Sep  8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH  
    Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    Sep  8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    Sep  8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
    Sep  8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Sep  8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Sep  8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
    Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    Sep  8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
    Sep  8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH    1635909437 ...
    Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
    Sep  8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
    Sep  8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH  
    Sep  8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep  8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH  
    Sep  8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH  
    Sep  8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
    Sep  8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
    Sep  8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
    So it looks like Phase 1 is completing sans XAUTH.
    Here is my crypto configurations:
    crypto keyring s2s 
      pre-shared-key address [source] key [key]
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    lifetime 28800
    crypto isakmp client configuration group [RA_GROUP]
    key [key2]
    dns 192.168.7.7
    wins 192.168.7.222
    domain ninterface.com
    pool SDM_POOL_1
    acl 100
    max-users 6
    netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group [RA_GROUP]
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto isakmp profile ISA_PROF
       keyring s2s
       match identity address [source] 255.255.255.255
    crypto isakmp profile softclient
       match identity group [RA_GROUP]
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_grop_ml_1
       client configuration address respond
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
    crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    crypto dynamic-map [RA_GROUP] 77
    set transform-set trans-rem
    set isakmp-profile softclient
    reverse-route
    crypto map clientmap client authentication list RAD_GRP
    crypto map clientmap isakmp authorization list rtr-remote
    crypto map clientmap client configuration address respond
    crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
    crypto map [RA_GROUP] client configuration address respond
    crypto map remote-map isakmp authorization list rtr-remote
    crypto map rtp 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    It's a bit of a dogs breakfast as I am just now implementing policy.
    I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement but I cannot work out how to add this while using policy.
    I'm betting something simple I've missed.
    Thanks for your help!

    Ok so on investigation I can see that my 3am hackjob was worse than I thought :|
    I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
    crypto map rtp 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    to
    crypto map clientmap 10 ipsec-isakmp
    set peer [source]
    set transform-set MY-SET
    set pfs group2
    match address 111
    Still getting the same problem so I'll keep investigating but if anything sticks out let me know
    b

  • IPSEC VPN Address Overlap Without Translation?

    I am wondering if it's possible to have an ipsec vpn between 2 subnets that are the same WITHOUT translating them.
    eg: in configurations and normal circumstances, if site 1 = 192.168.1.0 and site 2 = 192.168.1.0, a translation occurs in between both vpn devices that says "hey private 192.168.1.0 = 1.1.1.1 once it leaves out the private interface" and the other says "hey private 192.168.1.0  = 2.2.2.2 once it leaves out the private interface" then those 2 new spaces can talk (1.1.1.1 & 2.2.2.2)
    the problem is I currently run a T1 which allows 1 address space on both sides, which is how it's setup. You plug anything on site 2 it pulls dhcp & internet from the main router on site a . The special equipment in question is setup as if both sides of the T1 is the same local network, and a device on each side talks to each other as a 192.168.1.240 and 192.168.1.245 across the T1 line.   If I change site 2  (which is last case scenario) to another address space, then I would have to change all the equipment to a new address space on site 2 while changing site 1 to look at the new addresses. I am trying avoid this. Is it possible?
    I know it sounds weird but maybe I was thinking there's a way to do static. Say on Site 1 you say "192.168.1.2 is on the other side of the vpn. when you see 192.168.1.2 know to go over vpn" although site 1 itself is 192.168.1.0 .
    is that possible? thanks

    Generally speaking no it won't work because at each site all 192.168.1.x clients think every other 192.168.1.x client is local and so never send traffic to their default gateway ie. the VPN device.
    If the two devices that needed to communicate were using different IPs (even though it's the same IP subnet) you could potentially add host routes to the clients route table pointing to the VPN device and then each VPN device has a host specific route for that IP pointing to the outside IP but that would mean two things -
    1) the client in a site could not talk to another client in the same site with that IP because you are routing it to the VPN device
    and
    2) the VPN device couldn't talk to that client either because you have told it to route traffic for that IP via the VPN tunnel.
    But to be totally honest I am not convinced this would work.
    Basically you either need to readdress or do NAT, it would be a lot less hassle and would actually work.
    Jon

  • Looking for help to set up l2tp Ipsec vpn on asa 5055

    I am trying to set up a L2tp Ipsec vpn on asa 5055 and I am using windows 8.1 build in VPN client to connect to it. I got the following error. Anyone has experence please help.
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, 
    EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, 
    EV_COMP_HASH
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
    I am new to this so I don't know what I should do next. Thanks

    Here it is. Thanks.
    CL-T179-12IH# show run crypto
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint vpn
     enrollment self
     subject-name CN=174.142.90.17
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain vpn
     certificate 2d181c55
        308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
        05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
        06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
        65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
        33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
        3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
        70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
        03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
        4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
        71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
        a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
        44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
        8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
        b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
        d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
        3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
        da0e01
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint vpn
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • ASA 5505 IPSEC VPN connected but can't access to LAN

    ASA : 8.2.5
    ASDM: 6.4.5
    LAN: 10.1.0.0/22
    VPN Pool: 172.16.10.0/24
    Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
    I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
    Below is my configure, do I mis-configure anything?
    ASA Version 8.2(5)
    hostname asatest
    domain-name XXX.com
    enable password 8Fw1QFqthX2n4uD3 encrypted
    passwd g9NiG6oUPjkYrHNt encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.253 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.240
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name vff.com
    access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging asdm informational
    logging device-id hostname
    logging host inside 10.1.1.230
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server AD protocol nt
    aaa-server AD (inside) host 10.1.1.108
    nt-auth-domain-controller 10.1.1.108
    http server enable
    http 10.1.0.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.1.0.0 255.255.252.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpntest internal
    group-policy vpntest attributes
    wins-server value 10.1.1.108
    dns-server value 10.1.1.108
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpntest_splitTunnelAcl
    default-domain value XXX.com
    split-tunnel-all-dns disable
    backup-servers keep-client-config
    address-pools value vpnpool
    username admin password WeiepwREwT66BhE9 encrypted privilege 15
    username user5 password yIWniWfceAUz1sUb encrypted privilege 5
    username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
    tunnel-group vpntest type remote-access
    tunnel-group vpntest general-attributes
    address-pool vpnpool
    authentication-server-group AD
    authentication-server-group (inside) AD
    default-group-policy vpntest
    strip-realm
    tunnel-group vpntest ipsec-attributes
    pre-shared-key BEKey123456
    peer-id-validate nocheck
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
    : end

    I change  a Machine's gateway to this ASA and capture again, now we can see some reply.
    All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
    what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
    add two gateways to all PCs and swtichwes?
    1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
      10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request

  • IPSEC VPN clients can't reach internal nor external resources

    Hi!
    At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
    Im pretty sure it's not ACL's, although I might be wrong.
    The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
    # Issue 1.
    IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
    When trying to access an external resource, the "translate_hits" below are changed:
    Auto NAT Policies (Section 2)
    1 (outside) to (outside) source dynamic vpn_nat interface
       translate_hits = 37, untranslate_hits = 11
    When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
    5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
        translate_hits = 31, untranslate_hits = 32
    Most NAT, some sensitive data cut:
    Manual NAT Policies (Section 1)
    <snip>
    3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
        translate_hits = 22, untranslate_hits = 23
    Auto NAT Policies (Section 2)
    1 (outside) to (outside) source dynamic vpn_nat interface
        translate_hits = 37, untranslate_hits = 6
    Manual NAT Policies (Section 3)
    1 (something_free) to (something_outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    2 (something_something) to (something_outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    3 (inside) to (outside) source dynamic any interface
        translate_hits = 5402387, untranslate_hits = 1519419
    ##  Issue 2, vpn user cannot access anything on internet
    asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Relevant configuration snippet:
    interface Vlan2
    nameif outside
    security-level 0
    ip address 1.2.3.2 255.255.255.248
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.0.0.5 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network anywhere
    subnet 0.0.0.0 0.0.0.0
    object network something_free
    subnet 10.0.100.0 255.255.255.0
    object network something_member
    subnet 10.0.101.0 255.255.255.0
    object network obj-ipsecvpn
    subnet 172.16.31.0 255.255.255.0
    object network allvpnnet
    subnet 172.16.32.0 255.255.255.0
    object network OFFICE-NET
    subnet 10.0.0.0 255.255.255.0
    object network vpn_nat
    subnet 172.16.32.0 255.255.255.0
    object-group network the_office
    network-object 10.0.0.0 255.255.255.0
    access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
    ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
    ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
    nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    object network vpn_nat
    nat (outside,outside) dynamic interface
    nat (some_free,some_outside) after-auto source dynamic any interface
    nat (some_member,some_outside) after-auto source dynamic any interface
    nat (inside,outside) after-auto source dynamic any interface
    group-policy companyusers attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol IPSec
    default-domain value company.net
    tunnel-group companyusers type remote-access
    tunnel-group companyusers general-attributes
    address-pool ipsecvpnpool
    default-group-policy companyusers
    tunnel-group companyusers ipsec-attributes
    pre-shared-key *****

    Hi,
    I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
    asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    asa# show capture capo
    12 packets captured
       1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
      10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
      11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
      12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
    asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
    asa# show capture capi
    8 packets captured
       1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
    Packet-capture.
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.32.1     255.255.255.255 outside
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any log
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7     
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    Additional Information:
    Static translate 10.0.0.72/0 to 10.0.0.72/0
    Phase: 9
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: VPN    
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_out out interface outside
    access-list outside_access_out extended permit ip any any log
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5725528, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

  • Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

    Hi Guys
    I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
    I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
    However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
    When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
    Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
    My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
    Also want to be able to set logging to debug mode for the Racoon application on mac clients.
    Your help is much appreciated
    Kind Regards
    Mohamed

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Cisco IPSEC VPN not working after upgrade to Mavericks

    I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When i tell it to connect it prompts for password and attempts to connect for about 30 seconds then comes back with the following message...
    VPN Connection
    The negotiation with the VPN server failed. Verify the server address and try reconnecting.
    The address, group, shared secret, user and password are correct. Any help would be greatly appreiated.

    Hry, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after tha mavericks upgrade!
    I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
    It really is quite a simple fix.
    Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
    Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
    OK so here goes… copy and paste the following into termini ONE LINE AT A TIME!
    cd /tmp
    curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
    tar -xzvf racoon.tar.gz
    rm racoon.tar.gz
    sudo chown root:wheel racoon
    sudo chmod 555 racoon
    if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
    sudo mv racoon /usr/sbin/racoon
    sudo killall racoon
    This works fine for me and I'm running a OSX Server for my entire office.
    …et voilà!

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

Maybe you are looking for

  • Ajuda para recuperação de Arquivo.

    Tenho um Iphone 4S e comprei um 5S tirei umas 2 mil fotos com 5S, ai resolvi passar as coisas que tinha no 4S para 5S como aplicativo, contatos etc. Conectei 4S no Itunes fiz o backup dele por completo, logo em seguida pegeui o 5S conetei no mesmo It

  • PARCONV phase Index could not be created ERROR

    Upgrading Solution Manger 3.2 to 7.0  Windows Nt SQL Server 2000 We are in teh PARCONV phase now and getting errors regarding tables with missing indexes. Example from PARCONV.ELG file: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • What is the keycommand manager and how do you locate it?

    Greetings.  I am brand new to Mac and I was trying to figure out what shortcut I could use to reposition the playhead in Adobe AfterEffects to the beginning because my keyboard doesn't have a home key.  In the process of searching, I found some artic

  • Block Corruption in empty pages in Oracle 11g

    I am using Oracle 11.1.0.7.1 on HP UNIX 11i. On several occasions, I have been seen that block corruptions are reported by rman. I have never seen this problem in previous release of databases; but I have seen it more than once in Oracle 11g. However

  • Issue with ME53N - Display Purchase Requisition

    Hi All, When i am opening the t-code ME53N, am getting the following error : "Company was not supplied in function module interface." Could anybody tell me the reason for the same. Regards, Guddan