Phase 2 issue in IPSEC site-to-site
Hi All,
I have got an issue while creating an IPSEC site-to-site VPN between cisco2901-15.2(4)M3 ---> cisco861-12.4
Phase#1 is successfully up but when i'm putting command #show crypto ipsec sa i can't see encry & decry packets.
below is the running-conifgs and show crypto output for both side
cisco2901:-
Current configuration : 5668 bytes
! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname DXB-CIT
boot-start-marker
boot-end-marker
logging buffered 52000
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone PCTime 4 0
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp pool dxb-pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
ip domain name channelit
ip name-server 80.xx.xx.xx
ip name-server 213.xx.xx.xx
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1231038404
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1231038404
revocation-check none
rsakeypair TP-self-signed-1231038404
crypto pki certificate chain TP-self-signed-1231038404
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323331 30333834 3034301E 170D3134 30313331 31333230
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32333130
33383430 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ECF1 71B270A3 EFBC3609 C136BC9B 7D54A077 33286BF1 45558928 6DF96244
2DAF0A50 E5DA03C6 E87AD7AE 4544C6B0 2649AE20 83C5F9F1 FA73B5BF 5CC421DE
1FA66C70 FD39938F 8E46AA22 2996FBF9 6C739C35 13F1A287 651A1904 57898B3F
F076A50E F4955677 6D0BD4B3 57FB590D 851500DC D789A175 FA0F18BD 1A982438
63730203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14546BDB F740F993 E0A596EF 93D4991E 751C4240 7F301D06
03551D0E 04160414 546BDBF7 40F993E0 A596EF93 D4991E75 1C42407F 300D0609
2A864886 F70D0101 05050003 8181000E 1FDDF0E2 8D04EFD3 850F2417 B49E1B6B
04CFFED3 D89C032E FEB03641 B5BC830B D60E8F8A 8EB28EA4 1242ECB5 01E91511
08A59585 27260A9F C8470C48 0E5797F8 3C04DE38 3213CF77 ADCACC53 D6771D55
6E6C0027 F11BE11E 06F9BC8A 1C7C3874 9C4B937D 35D0DB0F 0328FC38 DE9916AC
FE4AD16D 1EA2CF64 316146D5 A960DB
quit
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1716C4QT
hw-module pvdm 0/0
username cisco
username ciscodxb privilege 15 password 0 cisco
username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
redundancy
crypto ctcp
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
crypto isakmp client configuration group CITDXB
key xxxxxx
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group xxxxx
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map hq-vpn 11
set security-association lifetime seconds 86400
set transform-set CHANNEL-DUBAI
crypto map Dxb-to-Nigeria 1 ipsec-isakmp
set peer 41.xxx.xxx.xxx
set transform-set Dxb-to-Nigeria
match address 110
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description $ES_WAN$
ip address 80.xxx.xxx.xxx 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map Dxb-to-Nigeria
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat source list 100 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
mgcp profile default
gatekeeper
shutdown
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
scheduler allocate 20000 1000
end
DXB-CIT#show cry
DXB-CIT#show crypto isa
DXB-CIT#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
41.xxx.xxx.xx 80.xxx.xx.xx QM_IDLE 1011 ACTIVE
IPv6 Crypto ISAKMP SA
DXB-CIT#show cry
DXB-CIT#show crypto ips
DXB-CIT#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
current_peer 41.xxx.xx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1467, #recv errors 0
local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
cisco861:-
crypto pki trustpoint TP-self-signed-2499926077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2499926077
revocation-check none
rsakeypair TP-self-signed-2499926077
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-2499926077
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343939 39323630 3737301E 170D3032 30333031 30303036
32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34393939
32363037 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C1D0 0C45FD24 19ECECA0 9F7686A4 42B81E39 F6485ED8 66EBFBF3 4F3DCD64
25D4C2C7 5B56E7EF 7BF1963F F0406CBB 9B782A92 7925BA63 C761D92A 9E97CA4A
4D83CDD3 4B9811B9 734D84AB EFD85F9D 82541A09 4C2B580F E3302B67 97F93286
6D908B49 D936A0D1 78AB3829 56896990 9008E8EC 0333B1F1 8AACD0B2 4BCE81E3
A4A10203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14434954 5F322E79 6F757264 6F6D6169 6E2E636F 6D301F06
03551D23 04183016 8014E7CE C4274196 09907466 DE068815 C9987EDF 4712301D
0603551D 0E041604 14E7CEC4 27419609 907466DE 068815C9 987EDF47 12300D06
092A8648 86F70D01 01040500 03818100 B546F76E B5A79129 95A37822 132F6685
E5541CD5 0818A4FE 83AD17AC 9C18AAC2 C137AF00 43FB787C 30534B0C 7D494FA8
ACC28C3E 7CBC3BB5 92FAFD2C 5D1766FF 2C8CACE0 E523C53E 7617A9AF 7AD8FDF3
35CD6184 8BB076E4 FBDF86B3 92EA9488 B173ABBD F42B1CA1 ECCB586B 882CC097
DEE688A7 E04797CB 7ED73ED3 E9FFC8D0
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
ip source-route
ip dhcp excluded-address 10.10.10.1
ip cef
ip domain name yourdomain.com
username emma privilege 15 password 0 PasemmaY
username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
crypto isakmp key ch@nn#l!t address 41.xx.xx.xx
crypto isakmp key t3l3comch@nn3l&mtn address 196.xx.xx.xx
crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
crypto ipsec transform-set channelit esp-3des esp-md5-hmac
crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
set peer 80.xxx.xx.xxx
set transform-set CHANNEL-DUBAI
match address 160
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
set peer 41.xxx.xx.xx
set transform-set MTN-TCWA
match address 101
crypto map MTNVPN 11 ipsec-isakmp
set peer 41.xxx.xx.x
set transform-set channelit
match address 150
crypto map MTNVPN 12 ipsec-isakmp
set peer 196.xxx.xx.xx
set transform-set MTNG-TCWA
match address MTNG
archive
log config
hidekeys
ip tcp synwait-time 5
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description This interface connect MTN Fibre
ip address 41.206.xx.xxx 255.255.255.252
duplex auto
speed auto
crypto map MTNVPN
interface Vlan1
description This interface connects to CIT LAN
ip address 41.xxx.xx.xxx 255.255.255.248
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip access-list extended MTNG
permit ip 41.xxx.xx.xxx0.0.0.7 10.135.45.0 0.0.0.31
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
CIT_2#show cry
CIT_2#show crypto isa
CIT_2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
41.xxx.xx.xxx 80.xxx.xx.xxx QM_IDLE 2003 0 ACTIVE
IPv6 Crypto ISAKMP SA
CIT_2#show cry
CIT_2#show crypto ips
CIT_2#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
current_peer 41.xxx.xx.xxxport 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
current_peer 41.xxx.xx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
@Marcin
any suggestion to fix the issue????
i mean if i'll put below commands will i be able to fix the issue???
crypto map MTNVPN 12 ipsec-isakmp
set peer 80.xxx.xx.xxx
set transform-set CHANNEL-DUBAI
match address 160
Similar Messages
-
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Site to site VPN re-connection issue
Hi I done site -to -site VPN between two UC 560 and I am able to make call too. Both site I am using DDNS FQDN. Now I am facing these problems,
1. When ever any of the site gone down , it is taking around 45 minute to get reconnect the VPN.
2. With in 2 minute Dialer interface is getting WAN IP address from service provider and it is updating with Dyndns also. But while checking crypto session details from my local UC I can see the peer address is not changing or showing none.
please help me to overcome this issue
I tested by restarting ROUTER-A UC560
Please find the status of remote site:
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.50.37.13 86.99.72.10 MM_NO_STATE 2004 ACTIVE (deleted)
ROUTER-B#sh crypto isa saIPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-A#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-B#sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Session status: UP-NO-IKE
Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
ROUTER-A# sho crypto session det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access2
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
**** Here I can see the peer IP is 86.99.72.10, but address had been changed to 92.98.211.242 in ROUTER-A
Please see the debug crypto isakpm
ROUTER-A#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER-A#terminal monitor
000103: Aug 6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
000104: Aug 6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
000105: Aug 6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
000106: Aug 6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
000107: Aug 6 18:40:48.083: ISAKMP: local port 500, remote port 500
000108: Aug 6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
000109: Aug 6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
000110: Aug 6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000111: Aug 6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
000112: Aug 6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000113: Aug 6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000114: Aug 6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
000115: Aug 6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
000116: Aug 6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
000117: Aug 6 18:40:48.083: ISAKMP:(0):purging node 2113438140
000118: Aug 6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000119: Aug 6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000120: Aug 6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
000121: Aug 6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
000122: Aug 6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
000123: Aug 6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000124: Aug 6 18:41:18.083: ISAKMP: local port 500, remote port 500
000125: Aug 6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
000126: Aug 6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000127: Aug 6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000128: Aug 6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
000129: Aug 6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000130: Aug 6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000131: Aug 6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000132: Aug 6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000133: Aug 6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000134: Aug 6 18:41:18.083: ISAKMP:(0):purging node 379490091
000135: Aug 6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000136: Aug 6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000137: Aug 6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
000138: Aug 6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
000139: Aug 6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
000140: Aug 6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1for isakmp_initiator
000141: Aug 6 18:42:48.083: ISAKMP: local port 500, remote port 500
000142: Aug 6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
000143: Aug 6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000144: Aug 6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000145: Aug 6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
000146: Aug 6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000147: Aug 6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000148: Aug 6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
000149: Aug 6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
000150: Aug 6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000151: Aug 6 18:42:48.083: ISAKMP:(0):purging node -309783810
000152: Aug 6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000153: Aug 6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000154: Aug 6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
000155: Aug 6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
000156: Aug 6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
000157: Aug 6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000158: Aug 6 18:43:18.083: ISAKMP: local port 500, remote port 500
000159: Aug 6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
000160: Aug 6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
000161: Aug 6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000162: Aug 6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
000163: Aug 6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000164: Aug 6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000165: Aug 6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb _unlock_peer_delete_sa(), count 0
000166: Aug 6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000167: Aug 6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB78 0
000168: Aug 6 18:43:18.083: ISAKMP:(0):purging node 461611358
000169: Aug 6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000170: Aug 6 18:43:18.083: ISAKMP: Error while processing KMI message 0, erro r 2.
000171: Aug 6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
000172: Aug 6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
000173: Aug 6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
000174: Aug 6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
000175: Aug 6 18:44:48.083: ISAKMP: local port 500, remote port 500
000176: Aug 6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
000177: Aug 6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
000178: Aug 6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000179: Aug 6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
000180: Aug 6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000181: Aug 6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000182: Aug 6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
000183: Aug 6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
000184: Aug 6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
000185: Aug 6 18:44:48.083: ISAKMP:(0):purging node -1902909277
000186: Aug 6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000187: Aug 6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000188: Aug 6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
000189: Aug 6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
000190: Aug 6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
000191: Aug 6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000192: Aug 6 18:45:18.083: ISAKMP: local port 500, remote port 500
000193: Aug 6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
000194: Aug 6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000195: Aug 6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000196: Aug 6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
000197: Aug 6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000198: Aug 6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000199: Aug 6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000200: Aug 6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000201: Aug 6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000202: Aug 6 18:45:18.083: ISAKMP:(0):purging node 1093064733
000203: Aug 6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000204: Aug 6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000205: Aug 6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
000206: Aug 6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
000207: Aug 6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
000208: Aug 6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
000209: Aug 6 18:46:48.083: ISAKMP: local port 500, remote port 500
000210: Aug 6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
000211: Aug 6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000212: Aug 6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000213: Aug 6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
000214: Aug 6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000215: Aug 6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000216: Aug 6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
000217: Aug 6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
000218: Aug 6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000219: Aug 6 18:46:48.083: ISAKMP:(0):purging node -1521272284
000220: Aug 6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000221: Aug 6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000222: Aug 6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
000223: Aug 6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
000224: Aug 6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
000225: Aug 6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
000226: Aug 6 18:47:03.131: ISAKMP: local port 500, remote port 500
000227: Aug 6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
000228: Aug 6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000229: Aug 6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000230: Aug 6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
000231: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000232: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000233: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
000234: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000235: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000236: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
000237: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000238: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000239: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
000240: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000241: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000242: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
000243: Aug 6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000244: Aug 6 18:47:03.131: ISAKMP:(0): local preshared key found
000245: Aug 6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
000246: Aug 6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
000247: Aug 6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000248: Aug 6 18:47:03.131: ISAKMP: encryption 3DES-CBC
000249: Aug 6 18:47:03.131: ISAKMP: hash SHA
000250: Aug 6 18:47:03.131: ISAKMP: default group 2
000251: Aug 6 18:47:03.131: ISAKMP: auth pre-share
000252: Aug 6 18:47:03.131: ISAKMP: life type in seconds
000253: Aug 6 18:47:03.131: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000254: Aug 6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
000255: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
000256: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
000257: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
000258: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000259: Aug 6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
000260: Aug 6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
000261: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000262: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000263: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
000264: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000265: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000266: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
000267: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000268: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000269: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
000270: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000271: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000272: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
000273: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000274: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000275: Aug 6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000276: Aug 6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
000277: Aug 6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
000278: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000279: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000280: Aug 6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
000281: Aug 6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000282: Aug 6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
000283: Aug 6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
000284: Aug 6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
000285: Aug 6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000286: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000287: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
000288: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000289: Aug 6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
000290: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000291: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
000292: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
000293: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000294: Aug 6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
000295: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000296: Aug 6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
000297: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000298: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM3
000299: Aug 6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000300: Aug 6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000301: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000302: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM4
000303: Aug 6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
000304: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000305: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4 New State = IKE_R_MM5
000306: Aug 6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
000307: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 2.50.37.13
protocol : 17
port : 500
length : 12
000308: Aug 6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
000309: Aug 6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
000310: Aug 6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x8B4C1924
000311: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000312: Aug 6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
000313: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000314: Aug 6 18:47:03.295: ISAKMP:(2001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
000315: Aug 6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/, and inserted successfully 8668106C.
000316: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000317: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_R_MM5
000318: Aug 6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000319: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 92.98.211.242
protocol : 17
port : 500
length : 12
000320: Aug 6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
000321: Aug 6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000322: Aug 6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000323: Aug 6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
000324: Aug 6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
000325: Aug 6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2291695856, message ID = 3059384392
000326: Aug 6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000327: Aug 6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000328: Aug 6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
000329: Aug 6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
000330: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000331: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000332: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000333: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000334: Aug 6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000335: Aug 6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
000336: Aug 6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
000337: Aug 6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
000338: Aug 6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
000339: Aug 6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
000340: Aug 6 18:47:03.307: ISAKMP: attributes in transform:
000341: Aug 6 18:47:03.307: ISAKMP: encaps is 1 (Tunnel)
000342: Aug 6 18:47:03.307: ISAKMP: SA life type in seconds
000343: Aug 6 18:47:03.307: ISAKMP: SA life duration (basic) of 3600
000344: Aug 6 18:47:03.307: ISAKMP: SA life type in kilobytes
000345: Aug 6 18:47:03.307: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000346: Aug 6 18:47:03.307: ISAKMP: authenticator is HMAC-SHA
000347: Aug 6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
000348: Aug 6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
000349: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000350: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000351: Aug 6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
000352: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000353: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
000354: Aug 6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
000355: Aug 6 18:47:03.311: inbound SA from 2.50.37.13 to 92.98.211.242 (f/i) 0/ 0
(proxy 192.168.10.0 to 192.168.50.0)
000356: Aug 6 18:47:03.311: has spi 0x4C5A127C and conn_id 0
000357: Aug 6 18:47:03.311: lifetime of 3600 seconds
000358: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000359: Aug 6 18:47:03.311: outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
(proxy 192.168.50.0 to 192.168.10.0)
000360: Aug 6 18:47:03.311: has spi 0x1E83EC91 and conn_id 0
000361: Aug 6 18:47:03.311: lifetime of 3600 seconds
000362: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000363: Aug 6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
000364: Aug 6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000365: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
000366: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
000367: Aug 6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000368: Aug 6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
000369: Aug 6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000370: Aug 6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
000371: Aug 6 18:47:53.323: ISAKMP:(2001):purging node -687536412
ROUTER-A# sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
92.98.211.242 2.50.37.13 QM_IDLE 2001 ACTIVE
RUNNING CONFIGURATION OF ROUTER-A
Building configuration...
Current configuration : 29089 bytes
! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
hostname xxxxxxxxxxXX
boot-start-marker
boot-end-marker
enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
aaa new-model
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa session-id common
clock timezone ZP4 4 0
clock summer-time PST recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4070447007
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4070447007
revocation-check none
rsakeypair TP-self-signed-4070447007
crypto pki certificate chain TP-self-signed-4070447007
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303730 34343730 3037301E 170D3132 30373331 30353139
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373034
34373030 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BBA6 F2C9A163 B7EAB25D 6C538A5B 29832F58 6B95D2C0 1FBE0E72 BD4E9585
6230CAD1 8DA4E337 5A11332C 36EAFF86 02D8C977 6CD2AA50 D76FB97F 52AE73AD
E777194B 011C95EB E2A588B4 3A7D618E F1D03E3F EF1A60FB 26372B63 9395002D
38126CC5 EA79E23C 40E0F331 76E7731E D03E2CE8 F1A0B5E9 B83AA780 D566A679
599F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14C8BC47 90602FB0 18A8821A 85A3444F 874E2292 27301D06
03551D0E 04160414 C8BC4790 602FB018 A8821A85 A3444F87 4E229227 300D0609
2A864886 F70D0101 05050003 8181001B D0EA74FE 7EDD03FE 68733D87 6434D20B
80481807 DD4A488E FFEFA631 245F396F 5CADF523 1438A70B CA113994 9798483D
F59221EA 09EDB8FC 6D1DBBAE FE7FE4B9 E79F064F E930F347 B1CAD19B 01F5989A
8BCFDB1D 906163A4 C467E809 E988B610 FE613177 A815DFB0 97839F92 4A682E8F
43F08787 E08CBE70 E98DEBE7 BCD8B8
quit
dot11 syslog
ip source-route
ip cef
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.9
ip dhcp excluded-address 10.1.1.241 10.1.1.255
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.241 192.168.50.255
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
ip ddns update method sdm_ddns1
HTTP
add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
stcapp ccm-group 1
stcapp
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
voice call send-alert
voice rtp send-recv
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12
sip
no update-callerid
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
call start slow
voice class cause-code 1
no-circuit
voice register global
mode cme
source-address 10.1.1.1 port 5060
load 9971 sip9971.9-2-2
load 9951 sip9951.9-2-2
load 8961 sip8961.9-2-2
voice translation-rule 1000
rule 1 /.*/ //
voice translation-rule 1112
rule 1 /^9/ //
voice translation-rule 1113
rule 1 /^82\(...\)/ /\1/
voice translation-rule 1114
rule 1 /\(^...$\)/ /82\1/
voice translation-rule 2002
rule 1 /^6/ //
voice translation-rule 2222
rule 1 /^91900......./ //
rule 2 /^91976......./ //
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
voice translation-profile CallBlocking
translate called 2222
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate called 1112
voice translation-profile XFER_TO_VM_PROFILE
translate redirect-called 2002
voice translation-profile multisiteInbound
translate called 1113
voice translation-profile multisiteOutbound
translate calling 1114
voice translation-profile nondialable
translate called 1000
voice-card 0
dspfarm
dsp services dspfarm
fax interface-type fax-mail
license udi pid UC560-FXO-K9 sn FHK1445F43M
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
username pingerID password 7 06505D771B185F
ip tftp source-interface Vlan90
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group EZVPN_GROUP_1
key xxxxxxx
dns 213.42.20.20
pool SDM_POOL_1
save-password
max-users 20
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
crypto map multisite 1 ipsec-isakmp
description XXXXXXX
set peer xxxxxxxxxx.dyndns.biz dynamic
set transform-set ESP-3DES-SHA
match address 105
qos pre-classify
interface GigabitEthernet0/0
description $ETH-WAN$
no ip address
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Integrated-Service-Engine0/0
description Interface used to manage integrated application modulecue is initialized with default IMAP group
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface GigabitEthernet0/1/0
switchport mode trunk
switchport voice vlan 100
no ip address
macro description cisco-switch
interface GigabitEthernet0/1/1
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface GigabitEthernet0/1/2
no ip address
macro description cisco-desktop
spanning-tree portfast
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
no ip address
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
h323-gateway voip bind srcaddr 192.168.50.1
interface Vlan90
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip ddns update hostname xxxxxxxxxx.dyndns.biz
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 104 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname CCCCCC
ppp chap password 7 071739545611015445
ppp pap sent-username CCCCC password 7 122356324SDFDBDB
ppp ipcp dns request
ppp ipcp route default
crypto map multisite
ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Vlan90
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.50.1 eq isakmp
access-list 101 permit esp any host 192.168.50.1
access-list 101 permit ahp any host 192.168.50.1
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit ip 10.1.10.0 0.0.0.3 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 102 permit udp any host 10.1.1.1 eq isakmp
access-list 102 permit esp any host 10.1.1.1
access-list 102 permit ahp any host 10.1.1.1
access-list 102 permit ip any any
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 10.1.10.0 0.0.0.3 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
access-list 103 permit udp any host 10.1.10.2 eq isakmp
access-list 103 permit esp any host 10.1.10.2
access-list 103 permit ahp any host 10.1.10.2
access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit ip any any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 10.1.10.0 0.0.0.3 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit ip 10.0.0.0 0.255.255.255 any
access-list 104 permit ip 172.16.0.0 0.15.255.255 any
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip host 0.0.0.0 any
access-list 105 remark CryptoACL for xxxxxxxxxx
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.50.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 106
snmp-server community public RO
tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/ringtones/RingList.xml alias RingList.xml
tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:/ringtones/Bass.raw alias Bass.raw
tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
tftp-server flash:/ringtones/Chime.raw alias Chime.raw
tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
tftp-server flash:/ringtones/Pop.raw alias Pop.raw
tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
tftp-server flash:/Desktops/CampusNight.png
tftp-server flash:/Desktops/TN-CampusNight.png
tftp-server flash:/Desktops/CiscoFountain.png
tftp-server flash:/Desktops/TN-CiscoFountain.png
tftp-server flash:/Desktops/CiscoLogo.png
tftp-server flash:/Desktops/TN-CiscoLogo.png
tftp-server flash:/Desktops/Fountain.png
tftp-server flash:/Desktops/TN-Fountain.png
tftp-server flash:/Desktops/MorroRock.png
tftp-server flash:/Desktops/TN-MorroRock.png
tftp-server flash:/Desktops/NantucketFlowers.png
tftp-server flash:/Desktops/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
radius-server attribute 31 send nas-port-detail
control-plane
voice-port 0/0/0
station-id number 401
caller-id enable
voice-port 0/0/1
station-id number 402
caller-id enable
voice-port 0/0/2
station-id number 403
caller-id enable
voice-port 0/0/3
station-id number 404
caller-id enable
voice-port 0/1/0
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/0-OP
caller-id enable
voice-port 0/1/1
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/1-OP
caller-id enable
voice-port 0/1/2
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/2-OP
caller-id enable
voice-port 0/1/3
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/3-OP
caller-id enable
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
sccp local Vlan90
sccp ccm 10.1.1.1 identifier 1 version 4.0
sccp
sccp ccm group 1
associate ccm 1 priority 1
associate profile 2 register mtpd0d0fd057a40
dspfarm profile 2 transcode
description CCA transcoding for SIP Trunk Multisite Only
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 10
associate application SCCP
dial-peer cor custom
name internal
name local
name local-plus
name international
name national
name national-plus
name emergency
name toll-free
dial-peer cor list call-internal
member internal
dial-peer cor list call-local
member local
dial-peer cor list call-local-plus
member local-plus
dial-peer cor list call-national
member national
dial-peer cor list call-national-plus
member national-plus
dial-peer cor list call-international
member international
dial-peer cor list call-emergency
member emergency
dial-peer cor list call-toll-free
member toll-free
dial-peer cor list user-internal
member internal
member emergency
dial-peer cor list user-local
member internal
member local
member emergency
member toll-free
dial-peer cor list user-local-plus
member internal
member local
member local-plus
member emergency
member toll-free
dial-peer cor list user-national
member internal
member local
member local-plus
member national
member emergency
member toll-free
dial-peer cor list user-national-plus
member internal
member local
member local-plus
member national
member national-plus
member emergency
member toll-free
dial-peer cor list user-international
member internal
member local
member local-plus
member international
member national
member national-plus
member emergency
member toll-free
dial-peer voice 1 pots
destination-pattern 401
port 0/0/0
no sip-register
dial-peer voice 2 pots
destination-pattern 402
port 0/0/1
no sip-register
dial-peer voice 3 pots
destination-pattern 403
port 0/0/2
no sip-register
dial-peer voice 4 pots
destination-pattern 404
port 0/0/3
no sip-register
dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register
dial-peer voice 6 pots
description ôcatch all dial peer for BRI/PRIö
translation-profile incoming nondialable
incoming called-number .%
direct-inward-dial
dial-peer voice 50 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/0
dial-peer voice 51 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/1
dial-peer voice 52 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/2
dial-peer voice 53 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/3
dial-peer voice 54 pots
description ** FXO pots dial-peer **
destination-pattern A0
port 0/1/0
no sip-register
dial-peer voice 55 pots
description ** FXO pots dial-peer **
destination-pattern A1
port 0/1/1
no sip-register
dial-peer voice 56 pots
description ** FXO pots dial-peer **
destination-pattern A2
port 0/1/2
no sip-register
dial-peer voice 57 pots
description ** FXO pots dial-peer **
destination-pattern A3
port 0/1/3
no sip-register
dial-peer voice 2000 voip
description ** cue voicemail pilot number **
translation-profile outgoing XFER_TO_VM_PROFILE
destination-pattern 399
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
voice-class sip outbound-proxy ipv4:10.1.10.1
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 58 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9911
forward-digits all
no sip-register
dial-peer voice 59 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
preference 5
destination-pattern 911
forward-digits all
no sip-register
dial-peer voice 60 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*7-Digit Local**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]......
forward-digits all
no sip-register
dial-peer voice 61 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*Service Numbers**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]11
forward-digits all
no sip-register
dial-peer voice 62 pots
trunkgroup ALL_FXO
corlist outgoing call-national
description **CCA*North American-7-Digit*Long Distance**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91[2-9]..[2-9]......
forward-digits all
no sip-register
dial-peer voice 63 pots
trunkgroup ALL_FXO
corlist outgoing call-international
description **CCA*North American-7-Digit*International**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
forward-digits all
no sip-register
dial-peer voice 64 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91800.......
forward-digits all
no sip-register
dial-peer voice 65 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91888.......
forward-digits all
no sip-register
dial-peer voice 66 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91877.......
forward-digits all
no sip-register
dial-peer voice 67 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91866.......
forward-digits all
no sip-register
dial-peer voice 68 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91855.......
forward-digits all
no sip-register
dial-peer voice 2100 voip
corlist incoming call-internal
description **CCA*INTERSITE inbound call to xxxxxxxxxx
translation-profile incoming multisiteInbound
incoming called-number 82...
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
dial-peer voice 2101 voip
corlist incoming call-internal
description **CCA*INTERSITE outbound calls to xxxxxxxxxx
translation-profile outgoing multisiteOutbound
destination-pattern 81...
session target ipv4:192.168.10.1
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
no dial-peer outbound status-check pots
telephony-service
sdspfarm units 5
sdspfarm transcode sessions 10
sdspfarm tag 2 mtpd0d0fd057a40
video
fxo hook-flash
max-ephones 138
max-dn 600
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
service phone ehookenable 1
service dnis overlay
service dnis dir-lookup
service dss
timeouts interdigit 5
system message Cisco Small Business
url services http://10.1.10.1/voiceview/common/login.do
url authentication http://10.1.10.1/voiceview/authentication/authenticateOn 12/01/12 12:06, JebediahShapnacker wrote:
>
> Hello.
>
> I would like to setup a site to site VPN between 2 of our site. We have
> Bordermanager .7 on one end and IPCop on the other.
i'm not familiar with Bordermanager version but be sure you're using 3.9
with sp2 and sp2_it1 applied.
There are not specific documents that i'm aware that explains conf
between ipcop and bm but if ipcop behaves as standard ipsec device, you
can use as a guideline some of the docs that explains how to configure
bm with third party firewalls.
- AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server
Novell Cool Solutions: AppNote
By Upendra Gopu
- BorderManager and Novell Security Manager Site-to-Site VPN
Novell Cool Solutions: Feature
By Jenn Bitondo
- Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server
Author Info
8 November 2006 - 7:37pm
Submitted by: kchendil
- AppNote: NBM to Openswan: Site-to-site VPN Made Easy
Novell Cool Solutions: AppNote
By Gaurav Vaidya
- AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN
Novell Cool Solutions: AppNote
By Sreekanth Settipalli
Digg This - Slashdot This
Posted: 28 Oct 2004
etc -
Multiple site to site IPSec tunnels to one ASA5510
Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.
Hi,
Regarding setting up the new L2L VPN connection..
Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
- Jouni -
ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate
I am facing strange issue on my asa and client Fortigate fw.
We have site to site tunnel with 3des and sha and DH-5 on asa
3des sha1 and dh-5 on Fortigate.
Tunnel came up when configured after some time it went down and it is throwing below errors. Please
some one help me here.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
Mum-PRI-ASA#Hey All,
I experienced same issue with my another tunnel. Lately I came to know it was higher level of DH computation which my ASA was not able to perform and ASA reboot worked here. See the logs for tunnel which came up after reboot.
Eror Before Reload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588) , : MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
Isakmp phase completion After reload
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
SENDING PACKET to xx.xx.xx.xx -
Hi All,
We have site to site tunnel suddenly the tunnel got disconnected and we recieved error such as
IKE Peer: 196.25.48.3
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY
IKE Peer: 196.25.48.3
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
And after time tunnel was up automotically.When confirmed to far end network admin no changes where made from there side.From our side no changes were made.
My question is there any other factors for tunnel down reason.I would suggest following-
1) check all parameters both end should be same for phase 1 and 2
2) check pfs setting if configured should be on both side also can be tested removing both end.
3) check crypto acl
4) show ipsec sa to check if some traffic going might be one way.
5) finally run the packet tracer command
packet-tracer input inside 1024 80
it will show you what is happening in packet flow.
Thanks
Ajay -
IPsec Site-to-Site with RSA sign stuck on MM_KEY_EXCH
I am currently studying for CCNA Security, and i would like to be able to configure a Site-to-Site VPN with RSA sig with a windows server 2012 acting as AD and CA. I already have enable scep on windows server 2012 and disable the enrollement challenge password.
Since two days, i am completly stuck on MM_KEY_EXCH error.
Here is my lab:
http://i59.tinypic.com/2502h76.png
I have 3 router 3600 ios 12.4(16) - C3640-JK9S-M.
On the left is my Active Directory/CA with a static nat from 192.168.2.254 to 1.1.1.3, so it can be joined from outside by R2.
On the right, just an outside client.
I am trying to authenticate R1 and R2 with RSA sign from my AD/CA.
I have already tried NAT-T...
The clock on both routers is matching the clock of AD/CA
Some configuration:
R1 (1.1.1.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
fqdn R1.cisco.ca
subject-name cn=R1.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set SET
set pfs group2
match address VPN
R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R1.cisco.ca
cn=R1.cisco.ca
hostname=R1.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:15:11 UTC Oct 26 2014
end date: 21:15:11 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
R2 (2.2.2.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
fqdn R2.cisco.ca
subject-name cn=R2.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set SET
set pfs group2
match address VPN
R2(config)#end
R2#sh c
Oct 26 19:27:28.007: %SYS-5-CONFIG_I: Configured from console by consoler
R2#sh cryp
R2#sh crypto pk
R2#sh crypto pki cer
R2#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R2.cisco.ca
cn=R2.cisco.ca
hostname=R2.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:18:03 UTC Oct 26 2014
end date: 21:18:03 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
Here are some error that i get:
Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid Validity period starts on 21:18:03 UTC Oct 26 2014
Output of show crypto isakmp sa:
R1#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 2.2.2.2 MM_KEY_EXCH 42 0 ACTIVE
1.1.1.2 2.2.2.2 MM_KEY_EXCH 41 0 ACTIVE
1.1.1.2 2.2.2.2 MM_NO_STATE 40 0 ACTIVE (deleted)
1.1.1.2 2.2.2.2 MM_NO_STATE 39 0 ACTIVE (deleted)
I would appreciate if someone can help me on this.
ThanksSorry, Config attached here.
-
Site to Site VPN issues between PIX506 and ASA5505
Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
Corporate
PIX Version 6.3(5)
access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside xxx.yyy.170.160 255.255.255.0
ip address inside 192.168.119.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer aaa.bbb.175.218
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication w2k3
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup vpners address-pool ippool
vpngroup vpners dns-server 192.168.119.11
vpngroup vpners default-domain mydomain.local
vpngroup vpners split-tunnel split_tunnel
vpngroup vpners idle-time 1800
vpngroup vpners password ********
Remote Site
ASA Version 7.2(2)
interface Vlan1
nameif inside
security-level 100
ip address 172.16.2.1 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.175.218 255.255.128.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xxx.yyy.170.160
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group xxx.yyy.170.160 type ipsec-l2l
tunnel-group xxx.yyy.170.160 ipsec-attributes
pre-shared-key *I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.
-
Routing Issue for Remote Access Clients over Site to Site VPN tunnels
I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?
Patrick, that was indeed true for a long time.
But now it is fixed in PIX and ASA version 7.x.
Please refer to this document for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
How to IPsec site to site vpn port forwarding to remote site?
Hi All,
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be very appreciated!
PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.
Thanks,
ThaiIs there anyone can help please?
-
Site to Site calling issue - Cisco 2911 Dial Peer Configuration
My customer dials from remote site to main site to their main site number, the call by-passes their auto attendant and goes directly to any random available party.
At first fingers were pointing to the their PBX, however we noticed one of their sites that wasn't managed by our company did not have the issue. We cut that site over to our service and the issue started right up. I believe it is possibly due to the way the dial peers are configured and how the calls route into the PBX. Unfortunately I do not understand much about them and curious to know if anyone has any history on a issue similiar to this or any input whatsoever?
Cisco equipment/Dialpeer config below ........
co IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2) - Cisco CISCO2911/K9
dial-peer voice 100 voip
description --- VoIP Dial-Peer ---
translation-profile outgoing 7digit
huntstop
preference 1
service session
destination-pattern .T
progress_ind setup enable 3
session protocol sipv2
session target sip-server
incoming called-number .T
voice-class codec 99
dtmf-relay rtp-nte
fax-relay ecm disable
fax rate 14400
fax nsf 000000
ip qos dscp af41 signaling
no vad
dial-peer voice 150 voip
permission none
description 900 block
huntstop
destination-pattern 1900T
session protocol sipv2
session target sip-server
voice-class codec 99
dtmf-relay rtp-nte
ip qos dscp af41 signaling
no vad
dial-peer voice 151 voip
permission none
description 900 block
huntstop
destination-pattern 900T
session protocol sipv2
session target sip-server
voice-class codec 99
dtmf-relay rtp-nte
ip qos dscp af41 signaling
no vad
dial-peer voice 101 pots
description --- INCOMING Calls from PBX ---
incoming called-number .T
direct-inward-dial
dial-peer voice 1001 pots
description --- Calls to the PBX ---
preference 3
destination-pattern .T
port 0/0/1:23
forward-digits 4
Here is some ISDN debug information
BAD CALL
Protocol Profile = Networking Extensions
0xA11C0201420201008014484152545F20484F54454C535F434C4159544F4E
Component = Invoke component
Invoke Id = 66
Operation = CallingName
Name Presentation Allowed Extended
Name = XXXXXXXXXXX
Display i = ''XXXXXXXXXXX''
Calling Party Number i = 0x2180, ''XXXXXXXXXX''
Plan:ISDN, Type:National
Called Party Number i = 0x80, ''6551''
Plan:Unknown, Type:Unknown
Aug 19 16:10:47.242 GMT: ISDN Se0/0/1:23 Q931: RX <- ALERTING pd = 8 callref = 0xAB15
Channel ID i = 0xA98381
Exclusive, Channel 1
Aug 19 16:11:02.634 GMT: ISDN Se0/0/1:23 Q931: RX <- CONNECT pd = 8 callref = 0xAB15
Channel ID i = 0xA98381
Exclusive, Channel 1
Aug 19 16:11:02.634 GMT: ISDN Se0/0/1:23 Q931: TX -> CONNECT_ACK pd = 8 callref = 0x2B15
GOOD CALL
Protocol Profile = Networking Extensions
0xA116020144020100800E475245454E204D4F554E5441494E
Component = Invoke component
Invoke Id = 68
Operation = CallingName
Name Presentation Allowed Extended
Name = XXXXXXXXXXXXXXXXXX
Display i = ''XXXXXXXXXXX''
Calling Party Number i = 0x2180, ''XXXXXXXXXX''
Plan:ISDN, Type:National
Called Party Number i = 0x80, 'XXXX''
Plan:Unknown, Type:Unknown
Aug 19 16:15:07.999 GMT: ISDN Se0/0/1:23 Q931: RX <- ALERTING pd = 8 callref = 0xAB17
Channel ID i = 0xA98381
Exclusive, Channel 1I done the configration via CCA and the running conf i can see two voip dial peer. this is the site where all trunk line roured. Customer from other site2 needs to call outside by taking line from site1.
dial-peer voice 2100 voip
corlist incoming call-internal
description **CCA*INTERSITE inbound call to SITE 1
translation-profile incoming multisiteInbound
incoming called-number 82...
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
dial-peer voice 2101 voip
corlist incoming call-internal
description **CCA*INTERSITE outbound calls to SITE2
translation-profile outgoing multisiteOutbound
destination-pattern 81...
session target ipv4:192.168.50.1
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
no dial-peer outbound status-check pots -
I do not have a problem getting in the iTunes stores. My issue is once on the site I can not use the "search". It says there is a pure virtual function call R6025. How can I solve this problem? Do I have to create a new account? Do I have to uninstall and re-install? Thanks
Thanks so much for your feedback. I really appreciate any input here.
If someone from Adobe could GUARANTEE that this problem would go away if I
purchased CS4, I would pony up the cash and do it. However, I'm skeptical
about that because I just saw someone else post a message on the forum today
who is running CS4 and getting the exact same runtime error as me.
I'll try un-installing and re-installing as Admin, and if that doesn't work,
maybe I can find a used copy of CS3.
In the meantime, I'm also wondering if a Photoshop file can carry any sort
of corrupt metadata inside it once it has errored out? Reason I ask is, I
had to port all of my old PSD files to the new computer, and I only seem to
be getting this error when I attempt to work on one of the files that
previously got the runtime error when they were sitting on my XP machine.
When I create new files from scratch on this new computer, they seem to be
working just fine (at least, for now).
If so, I would probably be smart to never open those troublesome
"errored-out" files again. -
how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
Hope this helps
- Jouni -
How to make change in Issue list across all project sites?
Hi,
We all have issue list in our project sites. We need to add some values to some of the columns in that issue list. The requirement is we need these changes to reflect in all the new sites. Also how to make these changes reflect in current existing sites.
Can anybody suggest a way to achieve this. One thing that i am aware of is creating a new project site template and associating it with EPT but that still not solves the issue for preexisting sites.
Please help asap.
Thanks in advance.Hi SpWrk
If you have already created some sites. You would need to apply these changes either Programetically (Powershell or C#) or Manually.
However, you can take the following approach to avoid this problem in future. (i.e. Your "future" changes will appear in existing sites too). I am writing the procedure breifly but let me know if you need more details on this
1) Create a content type (e.g. "Project issues" at PWA level)
2) Associate this content type with the Issues List in your site template as well any existing project sites. Make it a default content type for Issue lists. save your site template
3) Create all your custom columns in this new Content type (changing OOB issue columns can break your reporting)
4) Your changes to content type should reflect in future sites as well as existing sites (whereever the content type was appiled)
Regards
Hammad Arif EPM Advice Blog
Maybe you are looking for
-
Installed Lion OS 10.7.2 and now Zip Drive 100 will not open
Using iMac Intel in only Apple mode. Zip Drive 100 connected to USB Thank you for your replies to my Zip Drive question. I too cannot understand what happened. Up until I upgraded to Lion OS 10.7.2, I was able to use my 100 Zip Drive. Now it will no
-
Fresh Install of OBIEE(10.1.3.4.1) is not working
1) I have J2EE based containers (OC4J) and HTTP server installed [obiee@neeraj ~]$ opmnctl status Processes in Instance: obieeas.neeraj.kataria.com --------------------------------------------------------------+--------- ias-component | process-type
-
if i add an event on my iphone calendar, should it automatically update it on my icalendar on my mac
-
Alert Configuration for Seeburger Adapter
Dear Team, I would like to know an information. For an example,If I use AS2 adapter on the sender side and File on the receiver side,Can we do the Alert Configuration in XI/PI to capture these errors ? Warm Regards B.Dheepa
-
I am trying to get my applications to go onto itunes so i can transfer it to my new iphone4s
I am trying to get my applications to go onto itunes so i can transfer it to my new iphone4s