Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I wait for the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
If so, this end also needs to be configured with "any" as well --> the crypto ACL needs to be a mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0
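As an added illustration of the answer above (not code from the thread), the Python script below parses ASA 713061 rejection lines, extracts the remote and local proxy identities, and checks them against the entries of a crypto ACL: the peer's proposal is accepted only when an ACE is its exact mirror image. The "before" ACL is constructed here with an assumed 192.0.2.0/24 local LAN and is reported as merely overlapping, while the "any" entry suggested in the answer matches exactly.

```python
import ipaddress
import re

# Constructed sample input: the 713061 rejection from the thread above (peer address left
# redacted as it appears in the post) plus one unrelated line the parser must ignore.
SAMPLE_LOG = """\
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
"""

# Constructed "before" crypto ACL: a subnet-to-subnet entry with an assumed 192.0.2.0/24
# local LAN (not from the thread). The "after" version is the ACE the answer proposes.
ACL_BEFORE = "access-list outside_1_cryptomap extended permit ip 192.0.2.0 255.255.255.0 172.16.0.0 255.255.240.0\n"
ACL_AFTER = "access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0\n"

# Matches both the plain ASDM form "713061 Group = ..." and the syslog form "%ASA-3-713061: Group = ...".
REJECT_RE = re.compile(
    r"713061:?\s.*?IP = (?P<peer>\S+), Rejecting IPSec tunnel: no matching crypto map entry "
    r"for remote proxy (?P<remote>\S+) local proxy (?P<local>\S+) on interface (?P<iface>\S+)"
)


def parse_proxy(proxy):
    """Turn an ASA proxy identity 'addr/mask/proto/port' into an IPv4Network."""
    addr, mask, _proto, _port = proxy.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_rejections(log_text):
    """Extract every 713061 event as a dict of peer, remote/local networks and interface."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append({
                "peer": m.group("peer"),
                "remote": parse_proxy(m.group("remote")),   # the peer's protected network
                "local": parse_proxy(m.group("local")),     # what the peer thinks ours is
                "interface": m.group("iface"),
            })
    return events


def _take_network(tokens):
    """Consume one ACE address spec (any | host A | A M) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config_text, acl_name):
    """Return [(local_net, remote_net)] for the 'permit ip' ACEs of the named crypto ACL."""
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src, rest = _take_network(tokens[5:])
        dst, _ = _take_network(rest)
        aces.append((src, dst))
    return aces


def classify(event, aces):
    """'exact' if an ACE is the mirror image of the peer's proposal, 'overlap' if some ACE
    only partly covers it (the usual cause of 713061), 'none' otherwise."""
    verdict = "none"
    for src, dst in aces:
        if src == event["local"] and dst == event["remote"]:
            return "exact"
        if src.overlaps(event["local"]) and dst.overlaps(event["remote"]):
            verdict = "overlap"
    return verdict


def check_log(log_text, config_text, acl_name):
    """Map each rejection in the log to (peer, interface, verdict) against the given crypto ACL."""
    aces = parse_crypto_acl(config_text, acl_name)
    return [(e["peer"], e["interface"], classify(e, aces)) for e in parse_rejections(log_text)]


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for peer, iface, verdict in check_log(SAMPLE_LOG, acl, "outside_1_cryptomap"):
            print(f"{label}: peer {peer} on {iface}: crypto ACL match = {verdict}")
```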

Similar Messages

  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy

    Hi!
    I have already searched for this but didn't get the exact answer I'm looking for, so I'm asking it again (if there is the same question).
    I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels were being torn down since the proxy they request doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
    Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
    The remote peer said they did not change the proxy ID on their side, so possibly the old platform would just not set up the SA without tearing down the tunnel, while the ASA on the new platform tears it down if there is any mismatch.
    Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration related to this issue? i.e. just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
    Thanks!!
    //Cody

  • Crypto map entry is incomplete

    Hi
    This is my config below. The error I am receiving is "crypto map entry is incomplete". Can someone please take a look and let me know. Thank you
    ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
    WARNING: The crypto map entry is incomplete!
    ASA(config)# show run
    : Saved
    ASA Version 8.4(4)1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network net-local
    subnet 10.10.10.20 255.255.255.0
    object network net-remote
    subnet 10.10.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.10.3.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (any,any) source static net-local net-local destination static net-remote net-remote
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 96.145.68.82
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.10.22-10.10.10.231 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 81.141.29.69 type ipsec-l2l
    tunnel-group 81.141.29.69 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
    : end
    ASA(config)#

    Hi,
    You lack a "transform-set" configuration in the "crypto map" entry.
    For example:
    Create the IKEv1 transform set
    crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
    and
    use it in the VPN configuration
    crypto map outside_map 1 set ikev1 transform-set AES
    The values of course depend on your own preference.
    Hope this helps
    - Jouni
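    As an added example (not from the thread or from Jouni), the Python below audits "crypto map" entries the way the ASA's "incomplete" warning does: it groups the lines of each NAME/SEQ entry and reports which of the three components a static L2L entry needs (match address, set peer, an IKEv1 transform set) are missing. It is run against the crypto map lines from the posted config and again after the suggested fix is applied; IKEv2 proposals are out of scope for this check.

```python
import re

# Constructed sample: the crypto map lines from the config posted above, which trigger
# "WARNING: The crypto map entry is incomplete!" because no transform set is bound to entry 1.
CONFIG_BEFORE = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
"""
# The same entry after applying the fix suggested in the answer.
CONFIG_AFTER = CONFIG_BEFORE + "crypto map outside_map 1 set ikev1 transform-set AES\n"

# Only numbered entries are of interest; "crypto map NAME interface X" is a binding, not an entry.
ENTRY_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")

# Components a static IKEv1 L2L crypto map entry needs before the ASA will use it.
# Assumption: IKEv1 only; an IKEv2 entry would use "set ikev2 ipsec-proposal" instead.
REQUIRED = {
    "match address": r"^match address \S+",
    "set peer": r"^set peer \S+",
    "transform-set": r"^set (ikev1 )?transform-set \S+",
}


def parse_crypto_map_entries(config_text):
    """Group the 'crypto map NAME SEQ ...' lines of a config by (name, seq)."""
    entries = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key = (m.group("name"), int(m.group("seq")))
            entries.setdefault(key, []).append(m.group("rest"))
    return entries


def missing_components(entry_lines):
    """Return the names of REQUIRED components that no line of the entry satisfies."""
    return [label for label, pattern in REQUIRED.items()
            if not any(re.match(pattern, line) for line in entry_lines)]


def audit_crypto_maps(config_text):
    """Map each (name, seq) entry to its list of missing components; [] means complete."""
    return {key: missing_components(lines)
            for key, lines in parse_crypto_map_entries(config_text).items()}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for (name, seq), missing in audit_crypto_maps(cfg).items():
            state = "complete" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: crypto map {name} {seq}: {state}")
```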

  • Schema entry for Remote Management Policy

    Does anybody know the schema entry for Remote Management Policy in a user
    object? Specifically the entry that says "Use These Settings and Ignore
    Remote Management Policy"?
    Thanks!
    Mike

    On Wed, 20 Apr 2005 18:57:10 GMT, [email protected] wrote:
    > Does anybody know the schema entry for Remote Management Policy in a user
    > object? Specifically the entry that says "Use These Settings and Ignore
    > Remote Management Policy"?
    console one could tell you..
    Marcus Breiden
    Please change -- to - to mail me.
    The content of this mail is my private and personal opinion.
    http://www.edu-magic.net

  • Create entry for remote system necessary?

    Hello,
    is it necessary to start in CEN transaction RZ21 → Technical infrastructure → Configure Central System → Create entry for remote system.
    What is the result of this transaction and why is a <sid>adm user needed?
    Thanks

    Hello,
    I take you mean you have a JMS queue created in an Oracle database (A) and you want to propagate messages to a JMS queue create in an Oracle database (B)?
    If that is the case you use normal AQ propagation. You can follow <Note:102771.1> as an example changing the ADT as appropriate, etc.
    MGW is only to be used for Oracle to 3rd-party propagation.
    Thanks
    Peter

  • IPSec Tunnel established but not able to reach remote Local subnet

    Hi,
    We established IPsec Tunnel. It was active but I found following issue. Please give your suggestion to troubleshoot it.
    1. 192.168.50.0/24 (Site A) able to reach 192.168.90.0/24. (Site B) and Vice Versa
    2. 192.168.30.0/24 (Site C) able to reach 192.168.50.0/24 (Site A) but not vice versa.
    3. 192.168.10.0/24, 155.220.21.175 (Site A) reaches up to 192.168.90.0/24 (Site B) and vice versa. but not reach to 192.168.50.0/24 (Site A)
    Want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A)
    Additionally Tunnel only established if active traffice send from site B.
    Thanks & Rgds,
    Dhaval Dikshit

    Thanks, Punit. Additionally I found the following error; it might bring us nearer to a solution. Please suggest if you have any suggestion.
    When I'm doing a packet tracer from site B I get the following message.
    ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959c928, priority=1, domain=permit, deny=false
            hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   155.220.21.175  255.255.255.255 inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
    object-group network Tas_Tunnel
    network-object host 192.168.50.50
    network-object host 192.168.50.65
    network-object host 192.168.50.220
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xca246310, priority=12, domain=permit, deny=false
            hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
            hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
            hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
    Phase: 6
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
            hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
            hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
            hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
            hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
            src ip=155.220.21.175, mask=255.255.255.255, port=0
            dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thanks & Rgrds,
    Dhaval Dikshit

  • Keep Map Image For Remote Reference

    Maybe I'm the last to realize this, but if you don't have a 3G iPad, but want a way to keep a map image for reference later, perhaps while driving where you might not have Internet access, try this:
    Before you go, and while your iPad has Internet access, call up one or more map images of the area you are interested in at a good magnification and while holding down the HOME key, momentarily click the SLEEP button.  This will cause a snapshot of your iPad screen to be saved permanently in your photo storage area.  
    Later, while driving, when you need to get your bearings again, simply turn your iPad on and review the previously saved images. 

    Good idea. Even if you have 3G, you can do this for the entire route and save download data.
    ...and if traveling, there are apps that show rest areas....

  • Map entries for our businesses are wrong

    We have been reporting this problem for over a year. Our car dealership, which has been at the same single location since the 1970's, is showing at two locations. Only one is correct.
    We have another store that opened a year ago and moved to a new building in August. Siri is still delivering people to the old store which is 15 miles away, even though the map is correct.
    Is there any reporting tools out there that work faster? Or that allow you to report that Siri's directions are screwed up?

    The only reporting mechanism available is the one within the Maps app or the Apple feedback form: http://www.apple.com/feedback/

  • Mapping Issue for IDoc to JDBC interface

    Hi All,
      I am having problem in implementing logic in IDoc to JDBC interface where I have to filter out E1WBB07-KSCHL = VKP0.
      Source IDoc structure is like ->
    E1WBB01(occ 0 -1000)
      |-> E1WBB03 (occ 0-100)
                |-> E1WBB07(occ 0-1000)
                         |-> KSCHL
                              DATAB
                              DATBI
    Now, For each KSCHL = VKA0 there should be a duplicate VKP0 record. From these 2 records only the VKA0 should get processed and VKP0 ignored.
    Duplicates for VKP0 and VKA0 can be identified by identical DATAB and DATBI.
    Suppose, in one  E1WBB03 segment,there are 4 E1WBB07 segment having following values.
    1: KSCHL=VKP0, DATAB=20102011, DATBI=25102011
    2: KSCHL=VKP0, DATAB=26102011, DATBI=30102011
    3: KSCHL=VKA0, DATAB=26102011, DATBI=30102011
    4: KSCHL=VKP0, DATAB=01112011, DATBI=31129999
    2 & 3 are duplicates. From these, 2 should get dropped.
    As a result only 1, 3 and 4 should get  processed.
    How can I proceed with this..?...I have tried some work around but not able to do it successfully. Is a UDF required to compare DATAB and DATBI. If yes how it can be written.?
    Thnx in advance,
    Praveen.

    chk below mapping:
    change the context of DATAB, DATAB1 and KSCHL to E1WBB03 (right click-> context) in all the mappings shown below
    1)
    DATAB
    ------------concat-----sort----splibyvalue(value change)-----collapse context---TargetNode
    DATBI
    2)
    DATAB
    ------------concat-----sortbykey \
    DATBI                    /        \
    KSCHL------------/                 \
    ----------------------------------------FormatByExample----sort-----UDF1----Target KSCHL
    DATAB                                    /
    ----concat---sort--splibyvalue(value change)-
    DATBI
    3)
    DATAB
    ---concat ( ; )-----sort-splibyvalue(value change)---collapse context--splitbyvalue (each value)--UDF2---TargetDATAB
    DATBI
    4)
    DATAB
    ------------concat ( ; )-----sort----splibyvalue(value change)-----collapse context--splitbyvalue (each value)--UDF3---TargetDATABI
    DATBI
    UDF1: execution type : all values of a context...input: var1
    int a = var1.length;
    int count = 0;
    if (a >= 2) {
        for (int i = 0; i < a; i++) {
            // var1[i] (the HTML-mangled "var1<i>" above) is the KSCHL value of the i-th segment
            if (var1[i].equals("VKA0"))
                count = count + 1;
            else
                result.addValue(var1[0]);
        }
    }
    if (count > 1)
        for (int i = 0; i < count; i++)
            result.addValue("VKA0");
    UDF2:execution type: single value...input: var1
    String [] temp= var1.split(";");
    return temp[0];
    UDF3: execution type: single value...input: var1
    String [] temp= var1.split(";");
    return temp[1];

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel goes up and down, up, down, down, and I get all kinds of strange messages when I check whether the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while, like 5-10 min, the VPN site-to-site tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (main site Clavister Firewall) through the VPN tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this syntax on the ASA: show crypto ipsec sa.
    They had a Clavister Firewall on that site before, and now they have a Cisco ASA 5505, and all the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.
    Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3 Nov 21 2012 07:11:09 713902 Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3 Nov 21 2012 07:11:09 713902 Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3 Nov 21 2012 07:11:09 713061 Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5 Nov 21 2012 07:11:09 713119 Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to the local/remote network configurations and go through them, even though no changes have been made.
    If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.
    It seems especially weird to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same, and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation, and therefore it failed. That problem we corrected by changing the network masks a bit.
    Maybe you could try to change the encryption domain configurations a bit and test it then.
    You could also take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • IPSEC tunnel Phase 1 and 2

    Guys, I was checking an ASA config and we have many IPSEC tunnels.
    One of the IPSEC tunnels has the following:
    crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    What does the second one mean? Normally the other IPSEC tunnels have
    crypto map clientmap 14 set transform-set ESP-3DES-MD5
    What is a clientmap anyway? I will appreciate it if someone can please explain.

    Hi,
    The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
    Here you usually define the following parameters (most common):
    1- Protected traffic, "match address" command.
    2- Transform-set, integrity and authentication.
    3- VPN peer.
    So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
    ESP with the 3DES encryption algorithm.
    ESP with the SHA (HMAC variant) authentication algorithm,
    Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
    Here is good link to set up L2L tunnels on ASAs:
    Configuring LAN-to-LAN VPNs
    Hope to help.
    Portu.
    Please rate any helpful posts

  • Crypto map mymap command I am not familiar with

    I have the following commands in a new pix I am taking over and I am not sure what they do?
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    any help would be appreciated

    Hi .. they are used for remote VPNs:
    1.- crypto map mymap client configuration address initiate
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will attempt to set IP addresses for each client.
    2.- crypto map mymap client configuration address respond
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will accept requests for IP addresses from any
    requesting client.
    I hope it helps .. please rate if it does !!

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have some problem with configuring vrf aware Ipsec (Crypto Map).
    Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
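    As an added example (not part of the thread), a small check over the output of "show ip cef vrf <vrf> exact-route <src> <dst>" in the format posted above. The two sample outputs are constructed to mirror that format, using the addresses from the post. The interpretation is the standard CEF one: an adjacency marked "(incomplete)" has no resolved layer-2 rewrite for the next hop, so the packet cannot be forwarded toward the peer until ARP resolves, whatever the crypto map on that interface would otherwise do with it.

```python
"""Parse 'show ip cef vrf ... exact-route' output and say what to check next.

Added example, not from the thread. Samples are constructed in the posted format.
"""
import re

# One exact-route result line, e.g.
#  10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
CEF_LINE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+=>\s+"
    r"IP adj out of (?P<intf>\S+?),\s+addr (?P<nexthop>\d+\.\d+\.\d+\.\d+)"
    r"(?P<incomplete>\s+\(incomplete\))?\s*$"
)


def parse_exact_route(output):
    """Return the parsed forwarding decision, or None if no result line is present."""
    for line in output.splitlines():
        m = CEF_LINE.match(line)
        if m:
            return {
                "src": m.group("src"),
                "dst": m.group("dst"),
                "interface": m.group("intf"),
                "nexthop": m.group("nexthop"),
                # '(incomplete)' means CEF has no layer-2 rewrite for the next hop yet
                "adjacency_complete": m.group("incomplete") is None,
            }
    return None


def diagnose(output, crypto_map_interfaces):
    """Return (verdict, advice). crypto_map_interfaces: the interfaces carrying a crypto map."""
    r = parse_exact_route(output)
    if r is None:
        return "no-route", "no exact-route result line found; check the VRF and the static route"
    if r["interface"] not in crypto_map_interfaces:
        return "wrong-exit", (f"traffic exits {r['interface']}, which has no crypto map; "
                              "it will never be matched against the crypto ACL")
    if not r["adjacency_complete"]:
        return "arp", (f"next hop {r['nexthop']} on {r['interface']} has an incomplete adjacency; "
                       f"resolve ARP for it (show ip arp vrf <vrf> {r['nexthop']}) before looking at the crypto ACL")
    return "crypto", (f"forwarding path reaches {r['interface']} with a resolved next hop; "
                      "compare the crypto ACL and the peer's proxy identities next")


# Constructed samples in the posted format (addresses taken from the post).
SAMPLE_INCOMPLETE = """\
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
 10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
"""
SAMPLE_RESOLVED = """\
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
 10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INCOMPLETE, SAMPLE_RESOLVED):
        print(diagnose(sample, {"GigabitEthernet0/0.806"}))
```

    On the posted output the check lands on the "arp" branch: the route is right and the crypto map is on the exit interface, but 10.10.10.100 has never been resolved in VRF outside, which is why NetFlow sees the flow while the crypto ACL counters stay at zero.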

  • Using Crypto Maps and IPsec Static VTIs on the same router

    Is it possible to configure both crypto maps and IPsec static VTIs on the same router? What platforms have this capability? What IOS version do I need?

    Yes, you can, and as far as I know I don't think there is a hardware dependency.
    VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.
    If you are mixing tunnel protection and a crypto map, ensure you use ISAKMP profiles to differentiate them, so that the tunnel's IPsec connection is not processed on the crypto map!
    Here is a rough example (fine-tune it as needed):
    crypto keyring key1
      pre-shared-key address 1.1.1.1 key test123
    crypto keyring key2
      pre-shared-key address 7.7.7.7 key test777
    crypto isakmp profile vpn1
       keyring key1
       match identity address 1.1.1.1 255.255.255.255
    crypto isakmp profile vpn2
       keyring key2
       match identity address 7.7.7.7 255.255.255.255
    crypto ipsec transform-set test esp-des esp-sha-hmac
    crypto ipsec profile vpn-tunnel
    set transform-set test
    set isakmp-profile vpn1
    ! access-list 177 (the crypto ACL for peer 7.7.7.7) and the crypto isakmp policy are not shown
    crypto map mymap 1 ipsec-isakmp
    set transform-set test
    set peer 7.7.7.7
    set isakmp-profile vpn2
    match address 177
    interface Tunnel0
    ip address 10.0.51.217 255.255.255.0
    tunnel source 2.2.2.2
    tunnel destination 1.1.1.1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile vpn-tunnel
    interface Ethernet4
    ip address 2.2.2.2 255.255.255.0
    crypto map mymap
    Regards,
    Uwe

  • Multiple Crypto Maps on Single Outside Interface

    Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
    crypto map azure-crypto-map 10 match address azure-vpn-acl
    crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
    crypto map azure-crypto-map interface outside
    However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
    crypto map azure-crypto-map interface outside
    which blows away my original line:
    crypto map outside_map interface outside
    It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

    Hi,
    You can use the same "crypto map"
    Just add
    crypto map outside_map 10 match address azure-vpn-acl
    crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
    Your dynamic VPN clients will continue to work just fine, as their "crypto map" statements have the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).
    What I mean by the above is that when an L2L VPN connection is formed from the remote end, it will naturally match the L2L VPN configuration you have in the "crypto map" statements using the number "10". Then, when a VPN client connects, it will naturally not match the number "10" specific configuration, will move to the next entry and will match it (65535).
    If you happen to configure a new L2L VPN connection, you could give it the number "11", for example, and everything would still be fine.
    Hope this helps
    - Jouni
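    As an added example (not from the thread or from Cisco), a small model of how an ASA walks the crypto map bound to one interface, to show why the ordering Jouni describes works. Entries are tried in ascending sequence number. A static entry needs the IKE peer to match one of its "set peer" addresses and the proposed proxy identities to match an ACE of its crypto ACL (source = local side, destination = remote side); the dynamic entry (65535) accepts any peer and any proxies, which is what keeps the remote-access clients working once the L2L entry is added in front of it. The config lines below are constructed in the page's syntax, and the peer 203.0.113.10 and the subnets are placeholders. Two simplifications are assumptions of the model, not statements about the platform: proxies are compared as an exact match of the ACE (the mirror-image case), and a static peer whose proxies do not match is rejected rather than falling through to the dynamic entry.

```python
"""Model of crypto map entry selection on an ASA. Added example; addresses are placeholders."""
import ipaddress
import re


def _cidr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(lines):
    """Return {acl_name: [(local_net, remote_net), ...]} from 'access-list ... extended permit ip' lines."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _cidr(t[5:])
        dst, _ = _cidr(rest)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_crypto_map(lines, map_name):
    """Return the entries of map_name as a list sorted by sequence number."""
    entries = {}
    pat = re.compile(rf"^crypto map {re.escape(map_name)} (\d+) (.*)$")
    for line in lines:
        m = pat.match(line.strip())
        if not m:  # e.g. 'crypto map outside_map interface outside' has no sequence number
            continue
        seq, rest = int(m.group(1)), m.group(2).split()
        e = entries.setdefault(seq, {"seq": seq, "peers": [], "acl": None, "dynamic": None})
        if rest[:2] == ["match", "address"]:
            e["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            e["peers"].extend(rest[2:])
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            e["dynamic"] = rest[2]
    return [entries[s] for s in sorted(entries)]


def select_entry(entries, acls, peer, local_proxy, remote_proxy):
    """Walk the map in sequence order; return (seq, reason) or (None, reason)."""
    lp = ipaddress.ip_network(local_proxy, strict=False)
    rp = ipaddress.ip_network(remote_proxy, strict=False)
    for e in entries:
        if e["dynamic"]:
            return e["seq"], f"dynamic map {e['dynamic']} accepts any peer and proxies"
        if peer not in e["peers"]:
            continue
        for src, dst in acls.get(e["acl"], []):
            if src == lp and dst == rp:  # exact ACE match (mirror-image case); model assumption
                return e["seq"], f"static entry, ACE {src} -> {dst}"
        # Model assumption: a known static peer with non-matching proxies is rejected here.
        return None, f"no matching crypto map entry for remote proxy {rp} local proxy {lp}"
    return None, "crypto map has no dynamic entry and no static peer matched"


def mirror_acl(acl):
    """The crypto ACL the peer must configure: each ACE with source and destination swapped."""
    return [(dst, src) for src, dst in acl]


# Constructed sample configuration in the page's syntax (placeholder addresses).
CONFIG = """
access-list azure-vpn-acl extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
""".strip().splitlines()


def demo():
    """Run the three cases of interest plus the mirror ACL; returns a dict for inspection."""
    acls = parse_acls(CONFIG)
    entries = parse_crypto_map(CONFIG, "outside_map")
    return {
        "azure": select_entry(entries, acls, "203.0.113.10", "192.168.10.0/24", "10.1.0.0/16"),
        "client": select_entry(entries, acls, "198.51.100.77", "0.0.0.0/0", "10.99.0.5/32"),
        "azure_bad": select_entry(entries, acls, "203.0.113.10", "192.168.10.0/24", "10.1.0.0/24"),
        "peer_acl": mirror_acl(acls["azure-vpn-acl"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    The "azure_bad" case is the one to watch for in practice: the peer is right but it proposes 10.1.0.0/24 where the ACE says 10.1.0.0/16, so the static entry does not match and the tunnel is refused. The mirror_acl output is what the remote side's crypto ACL has to look like for the exact-match case.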
