REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

Hey,
We have a PIX 6.3 serving as our internet firewall and we are in the process of replacing it with a new ASA device. Currently there are several site-to-site and remote VPNs configured for access purposes.
I tried to remove one site-to-site IPsec VPN from the PIX and it started acting like a loop, generating the same error in such quantity that the processor hit 100% CPU. I couldn't log in through normal SSH, so I connected via console and put the isakmp and crypto map commands back in, and the error stopped.
The purpose of my question is: how can I remove the VPN config from the PIX without generating any errors? Is there a formal process or order for removing rules from the PIX, or can we do it one by one, with no order required?
MY PROCESS OF REMOVING CONFIG:
REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS 
REMOVE THE OBJECTS AND OBJECTS GROUPS
REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
REMOVE CRYPTO MAP TRANSFORM-SET
REMOVE ISAKMP-POLICY
REMOVE CRYPTO MAP 
WE DO USE THE ISAKMP SHARED KEY MECHANISM "I DID NOT REMOVE THAT"
BUT AS SOON AS I REMOVE THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
IPSEC(crypto_map_check): crypto map XYZ 20 incomplete.  No peer or access-list specified.
20 IS THE ISAKMP POLICY NUMBER & THE PEER AND ACCESS-LIST WERE REMOVED FROM THE PIX
Any help would be great.
Regards
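
An added example, not part of the original post: a static pre-change check that flags crypto map entries still bound to an interface but missing a peer or match address (the condition the crypto_map_check message names) and lists pre-shared keys left behind for peers that no map entry uses. It assumes the number in the message is the crypto map entry's sequence number; the config fragment, ACL name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style fragment (names, key and addresses are placeholders).
# Entry 20 is mid-removal: its peer and match address are gone, the entry is not.
SAMPLE_CONFIG = """\
access-list vpn_siteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-MD5
crypto map XYZ 10 ipsec-isakmp
crypto map XYZ 10 match address vpn_siteA
crypto map XYZ 10 set peer 192.0.2.10
crypto map XYZ 10 set transform-set ESP-3DES-MD5
crypto map XYZ 20 ipsec-isakmp
crypto map XYZ 20 set transform-set ESP-3DES-MD5
crypto map XYZ 65535 ipsec-isakmp dynamic dyn_map
crypto map XYZ interface outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
isakmp key ******** address 192.0.2.20 netmask 255.255.255.255
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")


def parse(config):
    """Collect crypto map entries, interface bindings, ACL names and PSK peers."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "dynamic": False})
    bound, acls, key_peers = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            entry = entries[(m.group(1), int(m.group(2)))]
            rest = m.group(3)
            if rest.startswith("match address "):
                entry["acl"] = rest.split()[2]
            elif rest.startswith("set peer "):
                entry["peers"].append(rest.split()[2])
            elif rest.startswith("ipsec-isakmp dynamic"):
                entry["dynamic"] = True  # dynamic entries carry no static peer
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := KEY_RE.match(line):
            key_peers.add(m.group(1))
    return entries, bound, acls, key_peers


def incomplete_entries(config):
    """Return (map, seq, interface, missing) for bound entries lacking peer/ACL."""
    entries, bound, acls, _ = parse(config)
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        if entry["dynamic"] or name not in bound:
            continue
        missing = []
        if not entry["peers"]:
            missing.append("peer")
        if entry["acl"] is None:
            missing.append("access-list")
        elif entry["acl"] not in acls:
            # The entry still points at an ACL that is no longer in the config.
            missing.append("access-list %s undefined" % entry["acl"])
        if missing:
            findings.append((name, seq, bound[name], missing))
    return findings


def leftover_keys(config):
    """Return peers that still have an isakmp key but no crypto map entry."""
    entries, _, _, key_peers = parse(config)
    used = {peer for entry in entries.values() for peer in entry["peers"]}
    return sorted(key_peers - used)


if __name__ == "__main__":
    for name, seq, ifc, missing in incomplete_entries(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq} on {ifc}: missing {', '.join(missing)}")
    for peer in leftover_keys(SAMPLE_CONFIG):
        print(f"isakmp key still configured for unused peer {peer}")
```

Run it against a saved copy of the planned post-change configuration before applying the change on the device; an empty result from both functions means no half-removed entry or orphaned key remains.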

Hi
You could do either of 2 things.
1) Enable NAT-Traversal on your ASA
2) Add the following on your pix :
fixup protocol esp-ike
This allows one IPSEC connection to run through PAT.
HTH
Jon

Similar Messages

  • [SOLVED] l2tp-ipsec-vpn-daemon from AUR fails to build

    Please let me know if there are other details that require posting:-
    ==> Starting build()...
    /usr/bin/qmake -o qttmp-Release.mk -after "OBJECTS_DIR=build/Release" "DESTDIR=dist/Release" nbproject/qt-Release.pro
    mv -f qttmp-Release.mk nbproject/qt-Release.mk
    make -f nbproject/qt-Release.mk dist/Release/L2tpIPsecVpnControlDaemon
    make[1]: Entering directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
    g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/main.o src/main.cpp
    g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/VpnClientConnection.o src/VpnClientConnection.cpp
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::readyRead()':
    src/VpnClientConnection.cpp:133:99: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Executing command %s", m_strActiveCommand.toAscii().constData());
    ^
    src/VpnClientConnection.cpp:140:75: error: 'class QString' has no member named 'toAscii'
    if (COMMANDS[iCommand].pPipe->write(strCommand.toAscii().constData()) == strCommand.length())
    ^
    src/VpnClientConnection.cpp:159:63: error: 'class QString' has no member named 'toAscii'
    if (::mkfifo(strCommandParts[1].toAscii().constData(), DEFFILEMODE) == 0)
    ^
    src/VpnClientConnection.cpp:161:84: error: 'class QString' has no member named 'toAscii'
    const int iChmodResult(::chmod(strCommandParts[1].toAscii().constData(), DEFFILEMODE));
    ^
    src/VpnClientConnection.cpp:168:87: error: 'class QString' has no member named 'toAscii'
    const int iChownResult(::chown(strCommandParts[1].toAscii().constData(), pPwdInfo->pw_uid, pPwdInfo->pw_gid));
    ^
    src/VpnClientConnection.cpp:193:77: error: 'const class QString' has no member named 'toAscii'
    if (COMMANDS[iCommand].pPipe->write(str.toAscii().constData()) != str.length())
    ^
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandError(QProcess::ProcessError)':
    src/VpnClientConnection.cpp:250:96: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with error code %d", m_strActiveCommand.toAscii().constData(), ERR_COMMAND_FAILED_TO_START + iError);
    ^
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandFinished(int)':
    src/VpnClientConnection.cpp:257:95: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with exit code %d", m_strActiveCommand.toAscii().constData(), iExitCode);
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseResult, const QString&)':
    src/VpnClientConnection.cpp:268:118: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + QString::number(resultCode) + " " + strCommand + '\n').toAscii().constData());
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseInformation)':
    src/VpnClientConnection.cpp:281:108: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + QString::number(responseInformation) + '\n').toAscii().constData());
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, const QString&)':
    src/VpnClientConnection.cpp:294:78: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + strOutputline).toAscii().constData());
    ^
    nbproject/qt-Release.mk:319: recipe for target 'build/Release/VpnClientConnection.o' failed
    make[1]: *** [build/Release/VpnClientConnection.o] Error 1
    make[1]: Leaving directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
    Makefile:62: recipe for target 'build' failed
    make: *** [build] Error 2
    ==> ERROR: A failure occurred in build().
    Aborting...
    ==> ERROR: Makepkg was unable to build l2tp-ipsec-vpn-daemon.
    Last edited by n1md4 (2014-06-06 09:47:25)

    Have you tried 0.9.9-2 from the comments: https://aur.archlinux.org/packages/l2tp … pn-daemon/ ?

  • Removing vpn icon from tool bar

    How do I remove the VPN icon from the tool bar on my MAC Pro. See attachment.

    There is a checkbox in the VPN-Connection under your Network-Settings.

  • Site-to-Site VPN between ASA & PIX

    Hi everyone,
    If this has been posted before, which it probably has, I apologize in advance.
    Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.
    On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."
    Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:
    interface Ethernet0
      nameif Outside
      security-level 0
      ip address 173.xxx.xxx.xxx 255.255.255.224
    interface Ethernet1
      nameif Inside
      security-level 100
      ip address 192.168.xxx.xxx 255.255.255.0
    interface Ethernet2
      shutdown
      no nameif
      no security-level
      no ip address
    ftp mode passive
    dns server-group DefaultDNS
      domain-name xxxxxx.xxxxx.org
    access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
    access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
    access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
    access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
    access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
    pager lines 24
    mtu Outside 1500
    mtu Inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    no asdm history enable
    arp timeout 14400
    global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
    nat (Inside) 2 192.168.0.0 255.0.0.0
    nat (Inside) 1 0.0.0.0 0.0.0.0
    route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df Outside
    crypto map mymap 1 match address acl_vpn
    crypto map mymap 1 set pfs
    crypto map mymap 1 set peer 69.18.xxx.xxx
    crypto map mymap 1 set transform-set myset
    crypto map mymap 1 set security-association lifetime seconds 28800
    crypto map mymap 1 set security-association lifetime kilobytes 4608000
    crypto isakmp identity address
    crypto isakmp enable Outside
    crypto isakmp policy 10
      authentication pre-share
      encryption aes
      hash sha
      group 2
      lifetime 5000
    crypto isakmp policy 20
      authentication pre-share
      encryption 3des
      hash md5
      group 2
      lifetime 10000
    crypto isakmp policy 65535
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group 69.18.xxx.xxx type ipsec-l2l
    tunnel-group 69.18.xxx.xxx ipsec-attributes
      pre-shared-key *
    class-map inspection_default
      match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      parameters
      parameters
    policy-map global_policy
      class inspection_default
       inspect dns preset_dns_map
       inspect ftp
       inspect h323 h225
       inspect h323 ras
       inspect netbios
       inspect rsh
       inspect rtsp
       inspect skinny
       inspect esmtp
       inspect sqlnet
       inspect sunrpc
       inspect tftp
       inspect sip
       inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
    : end
    If you need further information, please let me know. Also any feedback would be greatly appreciated.
    Thanks,
    -Sasha

    Also,
    It would seem to me that you have not configured NAT0 for the VPN traffic.
    This in most cases matches exactly the ACL used in the Crypto Map configurations.
    I suggest that you use another ACL for this purpose though, to avoid any future problems.
    access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
    access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
    access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
    access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
    access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
    nat (inside) 0 access-list NAT0
    The below command seems to be useless since it doesn't have a matching "global" configuration for ID 2
    nat (Inside) 2 192.168.0.0 255.0.0.0
    - Jouni
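
The two checks from the reply above, as an added example (not the poster's or Cisco's code): it reports crypto map ACL flows that no NAT exemption (nat 0) ACL covers, and nat IDs that have no global statement with the same ID. The config is a constructed fragment shaped like the one posted, with placeholder addresses in place of the masked ones; only ACL lines written as network/mask pairs are evaluated.

```python
import ipaddress
import re

# Constructed fragment modelled on the posted config (addresses are placeholders).
SAMPLE_CONFIG = """\
access-list acl_vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.1.0 255.255.255.0 10.12.40.0 255.255.255.0
global (Outside) 1 203.0.113.10 netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
crypto map mymap 1 match address acl_vpn
"""

# The exemption suggested in the reply, applied to the constructed fragment.
NAT0_FIX = """\
access-list NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.1.0 255.255.255.0 10.12.40.0 255.255.255.0
nat (inside) 0 access-list NAT0
"""

ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) ")


def _lines(config):
    return [line.strip() for line in config.splitlines()]


def acl_flows(config, name):
    """Return (source, destination) networks for each permit ip line of an ACL."""
    flows = []
    for line in _lines(config):
        m = ACL_RE.match(line)
        if not m or m.group(1) != name:
            continue
        try:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        except ValueError:
            continue  # 'host', 'any' or named objects are outside this example
        flows.append((src, dst))
    return flows


def unexempted_vpn_flows(config):
    """Crypto ACL flows that are not inside any flow of a nat 0 ACL."""
    lines = _lines(config)
    crypto_acls = {m.group(1) for l in lines if (m := CRYPTO_RE.match(l))}
    nat0_acls = {m.group(1) for l in lines if (m := NAT0_RE.match(l))}
    exempt = [flow for name in nat0_acls for flow in acl_flows(config, name)]
    missing = []
    for name in sorted(crypto_acls):
        for src, dst in acl_flows(config, name):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed)
                          for es, ed in exempt)
            if not covered:
                missing.append((str(src), str(dst)))
    return missing


def nat_ids_without_global(config):
    """nat IDs (other than 0) with no global statement using the same ID."""
    nat_ids, global_ids = set(), set()
    for line in _lines(config):
        if m := NAT_RE.match(line):
            nat_ids.add(int(m.group(1)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(1)))
    return sorted(nat_ids - global_ids - {0})


if __name__ == "__main__":
    print("before:", unexempted_vpn_flows(SAMPLE_CONFIG))
    print("after: ", unexempted_vpn_flows(SAMPLE_CONFIG + NAT0_FIX))
    print("nat IDs without global:", nat_ids_without_global(SAMPLE_CONFIG))
```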

  • IPsec VPN IOS - ASA

    Hi,
    I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
    What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups use separate VRFs for each customer and therefore overlapping LAN networks or even VPN pools ain't a problem.
    This has been in the past avoided (in other ASAs) by using default route for each customer interface on the ASA (with different metric). With this we can have overlapping LAN networks for the customer. Though the limit for the customer links becomes = metric value range. So basically even if we had an ASA with support for 1000 Vlans we still couldn't use this setup as we would run out of usable metric values for the default routes pointing to the customer links/networks.
    So looking at the above situation it seems we would just need to have a load of ASAs with support for 250 Vlans handling each customer groups and not a single ASA which could handle all the VPNs (if there's more than the mentioned approx. 250)
    Another option is I guess using a single link on the ASA for all the customer with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRF. This in turn would create a lot more configurations on the core device and a single VPN configuration/connection would become harder to manage.
    Has anyone run into a similar situation and how have you handled it? Have you moved to another device manufacturer or stuck with the IOS perhaps? It's unfortunate that the ASA can't handle this by itself.
    - Jouni

    Hi,
    I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we) L2L VPN only provides minimal help to our situation as most connections are Client VPN.
    Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
    The goal now is to get the old IPsec Client and L2L VPNs off the current device so we can remove the actual 6509/VPN/FWSM device from the network. (Because of the old hardware)
    Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and L2L VPN to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations)
    We also started considering hosting the VPN services on a more high end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives a lot more flexibility and the most important to us is the ability to virtualise routing.
    I've read that AnyConnect VPN has also come to IOS devices.
    Quick Google search gives this Cisco document
    http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
    How is the AnyConnect on IOS compared to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS)
    Also on another note, I guess I missed one thing when writing the original post.
    I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics) This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with different metric. As now each network range could overlap on 255 customers.
    Here's a small sample of a lab configuration of that kind of situation
    interface GigabitEthernet0/0
    description TRUNK
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/0.1000
    description ASIAKAS-1
    vlan 1000
    nameif asiakas-1
    security-level 100
    ip address 172.32.100.2 255.255.255.0
    interface GigabitEthernet0/0.2000
    description ASIAKAS-2
    vlan 2000
    nameif asiakas-2
    security-level 100
    ip address 172.32.200.2 255.255.255.0
    route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
    route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
    group-policy ASIAKAS-1-GP attributes
    vlan 1000
    group-policy ASIAKAS-2-GP attributes
    vlan 2000
    Basically to my understanding in the above situation the "vlan xxxx" configuration under group-policy defines the egress interface of the traffic from the VPN and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply in the case (and provide the next-hop IP) where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP
    I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage. (As would be the PBR solution mentioned in the original post)
    I'm not sure if I'm making any sense
    - Jouni

  • Link to configuration convertor tool from PIX to ASA

    Hi,
    I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and if it's a yes, where I can find that tool on the Cisco site please?
    Regards,
    Masood

    hello again,
    this configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
    Would you please be able to tell me what I need to type on the ASAs to configure them for this cable based failover?
    here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface?
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut
    and the STANDBY:
    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
    Now, I already have the configs from PIX 525 which I am going to paste directly onto the ASA which has been downgraded to 8.2.3.
    so how does it work with the failover configuration?
    can you please advise on how I go about the following:
    1- configure failover before I paste the PIX config onto the ASA?
    2- paste config for PIX 525 onto the ASA which I have already downgraded the ASA to 8.2.3 version.
    Please advise.
    Regards,
    Masood

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh config
    Using 3763 out of 262136 bytes
    ! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    141Kerioth#do wr mem
                  ^
    % Invalid input detected at '^' marker.
    141Kerioth#wr mem
    Building configuration...
    [OK]
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end

    Why do you have following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?

  • Site to site vpn from pix to Azure

    Hello,
    I've created a site to site vpn from pix to azure using vpn wizard.
    In the monitoring tab, in IKE SAs, I can see the status of the connection is QM_IDLE,
    and in IPSec VPNs I can see a row for this vpn but no packets are being transferred.
    Please let me know if anybody knows what I am doing wrong with this?

    Hi,
    So seems the L2L VPN connection is up but no traffic is flowing?
    I would presume that in that case the L2L VPN connection is probably negotiated from the side of Azure.
    You might be missing NAT0 configuration for the subnets/addresses configured on the L2L VPN connection. This would explain at least why the connection could be up (negotiated from the remote site) but no traffic was flowing (not having proper NAT configuration would make it so that traffic from your side would not match the VPN configurations).
    Naturally we could take a look at the PIX configurations.
    - Jouni

  • How to remove a Java instance from the config tools

    Hi,
    I would like to remove a java instance from the config tool since that server does not exist anymore.  Is there a way?
    Please let me know.
    Thanks
    Jean

    Jean,
    I think you can do this if you remove the entries of your instance from the instance.properties file located under the path below. Take a backup of the file first, then make the changes and restart the server once done.
    /usr/sap/SID/JCInstanceno/j2ee/cluster/instance.properties
    Hope this helps.

  • Internet access via hairpinning for Spoke to Hub IPSec VPN

    I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
    I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
    I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
    Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
    I can get traffic to the internet (in my test lab) from the loopback connector (1.1.1.1) by extended command pings, and I have connectivity from the spoke1 lan to the hub lan (pings again), but not from the spoke1 lan to the internet via the hub router.
    Thanks in advance for any help
    Phil

    Thanks, guys. Yes, those two access lists did need some attention.
    I've changed the access list on the spoke router from
    access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
    to
    access-list 120 permit ip 192.168.8.0 0.0.0.255 any
    which allows traffic from the spoke lan out to the internet via the hub router. I've also taken NAT off the spoke router.
    But I also need to change the matching access list on the hub router. I changed the old access list from
    access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
    to
    access-list 121 permit ip any 192.168.8.0 0.0.0.255
    but I couldn't pass any traffic over the VPN. If I remove access-list 121 completely, then traffic does pass, but the crypto map on the hub router becomes "incomplete".
    When the tunnel is up, and passing traffic, I can ping an internet address (in my lab), but not all traffic is getting through. Every second ping times out, often there are 3 or 4 pings that time out.
    Any suggestions as to what to do with the access list (121) on the hub router, and what can I do to get more reliable results (i.e. get every ping to work)?
    TIA
    Phil

  • IPSec VPN b/w ISA500 and RV042

    2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/crls';
    2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  error in X.509 certificate default.pem;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default.pem' (2745 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  error in X.509 certificate default_key.pem;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=Changed path to directory '/mnt/shiner/certificate';
    2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default.pem' (2745 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  error in X.509 certificate default_key.pem;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
    2013-07-30 11:37:04  Information  IPsec VPN  msg=Changed path to directory '/mnt/shiner/certificate';
    2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
    2013-07-30 11:37:04  Information  IPsec VPN  msg=loading secrets from "/etc/ipsec.secrets";
    2013-07-30 11:37:04  Information  IPsec VPN  msg=forgetting secrets;
    2013-07-30 11:37:04  Information  IPsec VPN  msg=added connection description "Tunnel0";
    2013-07-30 11:37:02  Information  IPsec VPN  msg="Alabang" #117: deleting state (STATE_MAIN_R1);
    2013-07-30 11:37:02  Information  IPsec VPN  msg="Alabang": deleting connection;
    2013-07-30 11:36:55  Warning  IPsec VPN  msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
    2013-07-30 11:36:55  Error  IPsec VPN  msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
    2013-07-30 11:36:55  Information  IPsec VPN  msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
    2013-07-30 11:36:55  Information  IPsec VPN  msg="Alabang" #117: responding to Main Mode;
    2013-07-30 11:36:55  Warning  IPsec VPN  msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
    2013-07-30 11:36:46  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/crls';
    2013-07-30 11:36:46  Information  IPsec VPN  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
    ==============================================================
    Site 1 = Cisco ISA 500. Named as CHI
    Site 2 = Cisco RV042. Named as Alabang
    Shown above are the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of the VPN settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
    On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it can not connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).

    Dan,
    Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
    That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 are accurate, then it should work unless there is an interesting traffic mismatch.
    Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
    So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
    Right now I'm assuming the issue isn't the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.

  • Site-2-Site IPSEC VPN tunnel will not come up.

    Hello Experts,
    Just wondering if I can get some help on setting up an IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config:
    show run | s crypto
    crypto pki token default removal timeout 0
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
    mode transport
    crypto map ICQ-2-ILAND 1 ipsec-isakmp
    set peer A.A.A.A
    set transform-set ESP-AES128-SHA
    match address iland_london_s2s_vpn
    crypto map ICQ-2-ILAND
    The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
    The command Sh crypto isakmp sa displays the following
    show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA
    show crypto session
    Crypto session current status
    Interface: GigabitEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: A.A.A.A port 500
      IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
      IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
      IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    The debug logs from the debug crypto isakmp command are listed below.
    ISAKMP:(0): local preshared key found
    Dec  6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
    Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
    Dec  6 08:51:52.019: ISAKMP:      keylength of 128
    Dec  6 08:51:52.019: ISAKMP:      hash SHA
    Dec  6 08:51:52.019: ISAKMP:      default group 2
    Dec  6 08:51:52.019: ISAKMP:      auth pre-share
    Dec  6 08:51:52.019: ISAKMP:      life type in seconds
    Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
    Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
    Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
    Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
    Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
    Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
    Dec  6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
    Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
    Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
    Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
    Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
    Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
    Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
    Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
    Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
    Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
    Dec  6 08:51:52.175: ISAKMP:received payload type 20
    Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
    Dec  6 08:51:52.175: ISAKMP:received payload type 20
    Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
    Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
    Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Dec  6 08:51:52.179: ISAKMP (1227): ID payload
            next-payload : 8
            type         : 1
            address      : B.B.B.B
            protocol     : 17
            port         : 500
            length       : 12
    Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
    Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
    Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
    Dec  6 08:51:52.315: ISAKMP (1227): ID payload
            next-payload : 8
            type         : 1
            address      : A.A.A.A
            protocol     : 17
            port         : 0
            length       : 12
    Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
    Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
    Dec  6 08:51:52.315: ISAKMP:received payload type 17
    Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
    Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
    Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
            authenticated
    Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
    Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/,  and inserted successfully 2B79E8BC.
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
    Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
    Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
    Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
    Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 0, message ID = 2554750723, sa = 0x2B78D574
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
    Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
    Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
    Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
    Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
    Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
    Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
    Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
    Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
    Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    would appreciate any help you can provide.
    Regards,
    Sidney Dsouza

    Hi Anuj,
    thanks for responding. Here are the logs from the debug crypto ipsec
    Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
        local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
        remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    That's all that appeared after pinging the remote subnet.

  • IPSec VPN establishment issues 887 - srp527

    Hey Folks,
    I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.
    I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
    I look at debug results and it appears as though the policies do not match between the devices:
    Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
    broute1#
    Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
    broute1#
    Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
    Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
    Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
    Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
    Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
    Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
    Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
    Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
    Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
    Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
    Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
    Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
    Jul 23 05:45:17.035: ISAKMP:      life type in seconds
    Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
    Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
    Jul 23 05:45:17.035: ISAKMP:      hash SHA
    Jul 23 05:45:17.035: ISAKMP:      auth pre-share
    Jul 23 05:45:17.035: ISAKMP:      default group 1
    Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
    Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
    Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
    Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
    Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
    Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
    Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
    Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
    Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
    Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
    Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
    Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer XXX.XXX.XXX.XXX)
    Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
    Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
    Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
    Here is a slightly trimmed version of my run-fig (took out things I was sure no one would need), and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w.
    version 15.1
    hostname broute1
    logging buffered 65535
    logging console informational
    no aaa new-model
    memory-size iomem 10
    clock timezone ESTime 10 0
    crypto pki token default removal timeout 0
    ip source-route
    controller VDSL 0
     operating mode adsl2 annex A
    ip ssh version 2
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     lifetime 28800
    crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
    crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
    crypto map JWRE_BW-1 10 ipsec-isakmp
     set peer XXX.XXX.XXX.XXX
     set transform-set JWRE_BW-1
     match address 101
    interface Loopback0
     no ip address
    interface ATM0
     description --- Internode ADSL ----
     no ip address
     no ip route-cache
     load-interval 30
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     no ip route-cache
     pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface Vlan1
     description Management Interface
     ip address AAA.AAA.AAA.AAA 255.255.255.0
     ip mtu 1452
     ip nat inside
     ip virtual-reassembly in
     no ip route-cache cef
     ip tcp adjust-mss 1420
    interface Dialer1
     description -----INTERNODE ADSL------
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp chap hostname ADSL_USERNAME
     ppp chap password 7 ADSL_PASSWORD
     ppp ipcp dns request accept
     no cdp enable
     crypto map JWRE_BW-1
    logging trap debugging
    access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
    dialer-list 1 protocol ip permit
    Some specific questions:
    1) On the SRP, in the examples I have used (and I have a few SRP->SRP VPNs that work), I see you need to enter the preshared key. I'm not seeing anything in the examples I have used about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue, as it states clearly in the log that there is no preshared key :|
    2) I have used a mishmash of names between the various sections, as on the SRP the naming convention isn't the same; i.e. which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
    3) I notice that when I perform this command in the (config-crypto-map)# prompt:
         set peer FQDN
    It is converted to:
         set peer XXX.XXX.XXX.XXX
    Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
    I could ask a million questions but I will leave it there. If someone can see anything that sticks out (or can answer Q1 in particular), please let me know.
    Thanks in advance for your time and assistance folks.
    B

    If you use Main Mode, you can't use hostname on the isakmp key.
    You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
    crypto isakmp identity hostname
    Plus, your router needs to point to a DNS server that can resolve the hostname.
    Here is more information on:
    - crypto isakmp key:
    http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F
    - crypto isakmp identity:
    http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567
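
An added example, not part of the thread and not a Cisco tool: a small offline lint for a saved IOS config that applies the reply's advice (a hostname-based `crypto isakmp key` needs `crypto isakmp identity hostname`) and also checks that every crypto map entry has a peer and a match ACL and only references objects that exist. The sample config, its key, hostname, addresses and entry 20 are constructed.

```python
import re

# Constructed sample modelled on the trimmed config in the post above;
# the key, hostname, peer address and entry 20 are made up for illustration.
SAMPLE = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key EXAMPLE_KEY hostname peer.example.net
crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
crypto map JWRE_BW-1 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set JWRE_BW-1
 match address 101
crypto map JWRE_BW-1 20 ipsec-isakmp
 set transform-set MISSING-TS
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
"""

SUBCMDS = (["set", "peer"], ["set", "transform-set"], ["match", "address"])

def lint(config):
    """Return findings about crypto map completeness and hostname-based keys."""
    lines = config.splitlines()
    tsets = {m.group(1) for l in lines
             if (m := re.match(r"crypto ipsec transform-set (\S+)", l))}
    acls = {m.group(1) for l in lines
            if (m := re.match(r"(?:ip access-list extended|access-list) (\S+)", l))}
    entries, current = {}, None
    for line in lines:
        words = line.split()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            current = entries.setdefault((m.group(1), int(m.group(2))), {})
        elif line.startswith(" ") and current is not None:
            if len(words) >= 3 and words[:2] in SUBCMDS:
                current[words[1]] = words[2]
        else:
            current = None  # left the crypto map entry's sub-commands
    findings = []
    for (name, seq), e in sorted(entries.items()):
        missing = [k for k in ("peer", "address") if k not in e]
        if missing:  # entry cannot select traffic or reach a peer
            findings.append(f"crypto map {name} {seq} incomplete: no {' or '.join(missing)}")
        ts, acl = e.get("transform-set"), e.get("address")
        if ts and ts not in tsets:
            findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
        if acl and acl not in acls:
            findings.append(f"crypto map {name} {seq}: access-list {acl} is not defined")
    # Per the reply: a key bound to a hostname also needs the identity command.
    if "crypto isakmp identity hostname" not in (l.strip() for l in lines):
        for l in lines:
            if m := re.match(r"crypto isakmp key \S+ hostname (\S+)", l):
                findings.append(f"isakmp key for hostname {m.group(1)}: "
                                "'crypto isakmp identity hostname' is not set")
    return findings
```

Run it against a copy of the config before and after editing crypto maps, so dangling references are caught before the change is applied to the device.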

  • Troubleshooting IPSEC VPN LAN-to-LAN

    PIX 515Es on both ends, one with version 7 of PIX IOS, and one with version 6 -- also, there are no firmware upgrades to the PIX running IOS v6.
    IPSEC VPN drops completely in a completely random fashion, and it comes back up after the SAs are cleared. Is the best step at this point to upgrade the v6 PIX to all current firmware and PIX IOS versions? What would I look for after the upgrades if the issue were not resolved?

    Hi there, I had this problem, but my scenario was a router connected to two PIXes running 6.3 code. After several tests I got it to work in both 6.x and 7.x. I will attach the config for your reference. The configurations have been picked up from the Cisco site only, and I believe it works pretty fine. Also, could you have debug isakmp sa and debug ipsec running on your PIX so that we can find out the problem? Post your logs in case you have collected the error messages.
    -Hoogen
