Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.
Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0
Similar Messages
-
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Hi!
I have already search for this but didn't get an exact answer I'm looking for so I try asking it again (if there is the same question).
I'm in process of migrating some VPN tunnels with from a Cisco router to an ASA, everything will keep the same but just the peering IP address. However, some of the tunnel was being torn down since it request for a proxy doesn't match the one configured on our side. And the remote peer said there is no such issue on the previous platform, but now they need to reset the tunnel from time to time.
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
The remote peer said they did not change the proxy id on their side so it is possibly the old platform will just not setting up the SA without torn down the tunnel while the ASA on the new platform will torn down if there is any mismatch.
Anyway I have requested the remote side to remove those unmatched entried to avoid the tunnel being torn down, but if there any configuration that is related to this issue? i.e. Just bring up the SA with matched addresses and ignore others, instead of torn down the tunnel.
Thanks!!
//CodyAre you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
Crypto map entry is incomplete
Hi
This is my config below. The error i am recieving is crypto map entry is incomplete. Can someone please take a look and let me know. Thank you
ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
WARNING: The crypto map entry is incomplete!
ASA(config)# show run
: Saved
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net-local
subnet 10.10.10.20 255.255.255.0
object network net-remote
subnet 10.10.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.
10.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,any) source static net-local net-local destination static net-remote ne
t-remote
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.10.22-10.10.10.231 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.141.29.69 type ipsec-l2l
tunnel-group 81.141.29.69 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
: end
ASA(config)#Hi,
You lack a "transform-set" configuration from the "crypto map" line.
For example
Create the IKEv1 Transform set
crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
and
Use it in the VPN configuration
crypto map outside_map 1 set ikev1 transform-set AES
The values ofcourse depend on the your own preference
Hope this helps
- Jouni -
Schema entry for Remote Management Policy
Does anybody know the schema entry for Remote Management Policy in a user
object? Specifically the entry that says "Use These Settings and Ignore
Remote Management Policy"?
Thanks!
MikeOn Wed, 20 Apr 2005 18:57:10 GMT, [email protected] wrote:
> Does anybody know the schema entry for Remote Management Policy in a user
> object? Specifically the entry that says "Use These Settings and Ignore
> Remote Management Policy"?
console one could tell you..
Marcus Breiden
Please change -- to - to mail me.
The content of this mail is my private and personal opinion.
http://www.edu-magic.net -
Create entry for remote system necessary?
Hello,
is it necessary to start in CEN transaction RZ21 u2192 Technical infrastructure u2192 Configure Central System u2192 Create entry for remote system.
What is the result of this transaction and why is a <sid>adm user needed?
ThanksHello,
I take you mean you have a JMS queue created in an Oracle database (A) and you want to propagate messages to a JMS queue create in an Oracle database (B)?
If that is the case you use normal AQ propagation. You can follow <Note:102771.1> as an example changing the ADT as appropriate, etc.
MGW is only to be used for Oracle to 3rd-party propagation.
Thanks
Peter -
IPSec Tunnel established but not able to reach remote Local subnet
Hi,
We established IPsec Tunnel. It was active but I found following issue. Please give your suggestion to troubleshoot it.
1. 192.168.50.0/24 (Site A) able to reach 192.168.90.0/24. (Site B) and Vice Versa
2. 192.168.30.0/24 (Site C) able to reach 192.168.50.0/24 (Site A) but not vice versa.
3. 192.168.10.0/24, 155.220.21.175 (Site A) reaches up to 192.168.90.0/24 (Site B) and vice versa. but not reach to 192.168.50.0/24 (Site A)
Want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A)
Additionally Tunnel only established if active traffice send from site B.
Thanks & Rgds,
Dhaval DikshitThanks, Punit. Additionalily I found following error, it might reach us to nearer to solution. Please suggest if any suggetion.
When I'm doing packet tracer from site B I got following massage.
ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc959c928, priority=1, domain=permit, deny=false
hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 155.220.21.175 255.255.255.255 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
object-group network Tas_Tunnel
network-object host 192.168.50.50
network-object host 192.168.50.65
network-object host 192.168.50.220
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca246310, priority=12, domain=permit, deny=false
hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.50.220, mask=255.255.255.255, port=0
dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.50.220, mask=255.255.255.255, port=0
dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
src ip=155.220.21.175, mask=255.255.255.255, port=0
dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks & Rgrds,
Dhaval Dikshit -
Keep Map Image For Remote Reference
Maybe I'm the last to realize this, but if you don't have a 3G iPad, but want a way to keep a map image for reference later, perhaps while driving where you might not have Internet access, try this:
Before you go, and while your iPad has Internet access, call up one or more map images of the area you are interested in at a good magnification and while holding down the HOME key, momentarily click the SLEEP button. This will cause a snapshot of your iPad screen to be saved permanently in your photo storage area.
Later, while driving, when you need to get your bearings again, simply turn your iPad on and review the previously saved images.Good idea. Even if you have 3G, you can do this for the entire route and save download data.
...and if traveling, there are apps that show rest areas.... -
Map entries for our businesses are wrong
We have been reporting this problem for over a year. Our car dealership, which has been at the same single location since the 1970's, is showing at two locations. Only one is correct.
We have another store that opened a year ago and moved to a new building in August. Siri is still delivering people to the old store which is 15 miles away, even though the map is correct.
Is there any reporting tools out there that work faster? Or that allow you to report that Siri's directions are screwed up?The only reporting mechanism available is the opne within the Maps apps or Apple feedback form: http://www.apple.com/feedback/
-
Mapping Issue for IDoc to JDBC interface
Hi All,
I am having problem in implementing logic in IDoc to JDBC interface where I have to filter out E1WBB07-KSCHL = VKP0.
Source IDoc structure is like ->
E1WBB01(occ 0 -1000)
|-> E1WBB03 (occ 0-100)
|-> E1WBB07(occ 0-1000)
|-> KSCHL
DATAB
DATBI
Now, For each KSCHL = VKA0 there should be a duplicate VKP0 record. From these 2 records only the VKA0 should get processed and VKP0 ignored.
Duplicates for VKP0 and VKA0 can be identified by identical DATAB and DATBI.
Suppose, in one E1WBB03 segment,there are 4 E1WBB07 segment having following values.
1: KSCHL=VKP0, DATAB=20102011, DATBI=25102011
2: KSCHL=VKP0, DATAB=26102011, DATBI=30102011
3: KSCHL=VKA0, DATAB=26102011, DATBI=30102011
4: KSCHL=VKP0, DATAB=01112011, DATBI=31129999
2 & 3 are duplicates. From these, 2 should get dropped.
As a result only 1, 3 and 4 should get processed.
How can I proceed with this..?...I have tried some work around but not able to do it successfully. Is a UDF required to compare DATAB and DATBI. If yes how it can be written.?
Thnx in advance,
Praveen.chk below mapping:
change the context of DATAB, DATAB1 and KSCHL to E1WBB03 (right click-> context) in all the mappings shown below
1)
DATAB
------------concat-----sort----splibyvalue(value change)-----collapse context---TargetNode
DATBI
2)
DATAB
------------concat-----sortbykey \
DATBI / \
KSCHL------------/ \
----------------------------------------FormatByExample----sort-----UDF1----Target KSCHL
DATAB /
----concat---sort--splibyvalue(value change)-
DATBI
3)
DATAB
---concat ( ; )-----sort-splibyvalue(value change)---collapse context--splitbyvalue (each value)--UDF2---TargetDATAB
DATBI
4)
DATAB
------------concat ( ; )-----sort----splibyvalue(value change)-----collapse context--splitbyvalue (each value)--UDF3---TargetDATABI
DATBI
UDF1: execution type : all values of a context...input: var1
int a=var1.length;
int count=0;
if(a>=2)
for(int i=0;i<a;i++)
if(var1<i>.equals("VKA0"))
count= count+1;
else
result.addValue(var1[0]);
if(count>1)
for(int i=0;i<count;i++)
result.addValue("VKA0");
UDF2:execution type: single value...input: var1
String [] temp= var1.split(";");
return temp[0];
UDF3: execution type: single value...input: var1
String [] temp= var1.split(";");
return temp[1]; -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Guys was checking ASA config and we have many IPSEC tunnels
one of the IPSEC tunnel has follwoing
crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
whats does the second means normally oter IPSEC has
crypto map clientmap 14 set transform-set ESP-3DES-MD5
what is a clientmap anyway will appriciate if someone plz explainHi,
The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
Here you usually define the following paratemers (most common):
1- Protected traffic, "match address" command.
2- Transform-set, integrity and authentication.
3- VPN peer.
So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
ESP with the 3DES encryption algorithm.
ESP with the SHA (HMAC variant) authentication algorithm,
Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
Here is good link to set up L2L tunnels on ASAs:
Configuring LAN-to-LAN VPNs
Hope to help.
Portu.
Please rate any helpful posts -
Crypto map mymap command I am not familiar with
I have the following commands in a new pix I am taking over and I am not sure what they do?
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
any help would be appreciatedHi .. they are used for remote VPNs:
1.- crypto map mymap client configuration address initiate
explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will attempt to set IP addresses for each client.
2.- crypto map mymap client configuration address respond
explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will accept requests for IP addresses from any
requesting client.
I hope it helps .. please rate if it does !! -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto-map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
Using Crypto Maps and IPsec Static VTI's on the same router
Is it possible to configure both crypto maps and IPsec static VTI's on the same router? What platforms have this capability? What IOS version do I need?
Yes you can and as far as I know I dont think there is a hardware dependency.
VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.
If you are mixing tunnel protection and crypto map ensure you use iskmp profiles to differentiate somehow that the tunnel IPSec connection is not prcessed on the crypto map!
Here is a rough example (fine tune it as needed):
crypto keyring key1
pre-shared-key address 1.1.1.1 key test123
crypto keyring key2
pre-shared-key address 7.7.7.7 key test777
crypto isakmp profile vpn1
keyring key1
match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2
keyring key2
match identity address 7.7.7.7 255.255.255.255
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto IPsec profile vpn-tunnel
set transform-set test
set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
set transform-set test
set peer 7.7.7.7
set isakmp-profile vpn2
match address 177
interface Tunnel0
ip address 10.0.51.217 255.255.255.0
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn-tunnel
interface Ethernet4
ip add 2.2.2.2 255.255.255.0
crypto map mymap
Regards,
Uwe -
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
Hope this helps
- Jouni
Maybe you are looking for
-
APEX 3.0 print report error (empty file).
I installed BI 10.1.3.2.0 successfully. I tested my convert servlet (which comes with BI Publisher) by trying to go there directly in browser: http://roman:80/xmlpserver/convert I get the message in Firefox: "500 Internal Server Error Servlet error:
-
Dynamic Receiver Determination [W/O using BPM] Sync interface
I have been exploring options w.r.t. performance sensitive service interface. This has following issues : 1. Gets a org code looking up instance and route the msg. accordingly to an RFC and get response back. 2. Prominent answer would be Enhanced rec
-
Organizing photos within albums alphabetically or numerically
My photos are organized on my computer alphabetically or numerically, but when they sync to my iPad they become jumbled inside the albums. How can I get them back in order?
-
I am receiving a date textfield in a string format . say String theDate = "12/25/2002" ; in dd/MM/yyyy format i need to calculate a previous date of this by 1 day. The result is to be in String format say as "12/14/2002" could you pleased provide the
-
Cost to upgrade from pse 5 to pse 13
Does ANYONE still use this forum.