[rspan in 'hub+spoke' topology]

Hi,
I have the topology depicted in the attached drawing.
What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
The configuration in general is working and looks like this:
HUB:
monitor session 1 destination interface Gix/y
monitor session 1 source remote vlan z
SPOKES:
monitor session 1 source interface Gix/y
monitor session 1 destination remote vlan z
As stated previously, the environment is working, but we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that SPAN traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the RSPAN VLAN (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down by the same amount being received by the network analyzer. When I add the VLAN on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
Like I said, the RSPAN part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the SPAN traffic to all uplinks, which is not what we want.
Two questions here:
1. Is this the way RSPAN is supposed to work in this environment?
2. If not, is there a way to turn off this behavior, or does it sound like a bug to you?
Thanks in advance!
c.

Hello,
in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
Hope this helps! Please rate all posts.
Regards, Martin

Similar Messages

  • Multiple Spanning Tree in a Hub and Spoke topology?

    My company is planning to implement Multiple Spanning tree into our hub and spoke topology. Is that possible?
    Should I divide up the vlans into instances based on assigned switch or assigned department?
    Thank You.

    Hi everyone,
    I have found an internet draft describing this situation, "Using an LSA Options Bit to Prevent Looping in BGP/MPLS IP VPNs", at "http://www.ietf.org/internet-drafts/draft-ietf-ospf-2547-dnbit-03.txt".
    Can anyone tell me how to disable this function and clear the "DN" bit on a Cisco router? Thanks very much.

  • Switch 2P2 to hub-spoke

    Hello,
    I would like to clearly understand, when I use P2P webcam or audio publishing (that is, when I use the recipientIDs array), if the app switches from 2P2 to the hub-spoke protocol for any reason, what exactly changes for the user?
    Will the stream still be delivered to the users listed in recipientIDs but with a different protocol, which will involve the server and cost money (which P2P does not), or does it mean that the stream will be delivered to every user connected to the room, ignoring the recipientIDs value?
    You probably understood that I don't really know what hub-spoke is exactly.
    Thanks a lot
    Seb

    Hi,
    So hub-spoke and p2p protocol is room based. If your room stream connection is p2p based, then all streams, irrespective of recipientIDs being set or not, will be p2p, and similarly all streams will be hub-spoke if your room connection is hub-spoke, irrespective of recipientIDs. There is no mix and match of the two protocols in the room.
    You can get the value of the current connection by using the streamMnager.isP2P property, which says whether the connection will be hub-spoke or p2p. Every stream will follow the protocol.
    I haven't tried p2p with recipientIDs but it should work fine.
    Our default is p2p unless one of your connected users has some firewall, user limitation (in case of player 10), player version or connection (rtmfp or not). In that case, every stream seamlessly switches to hub-spoke, and vice versa from hub-spoke to p2p if that user is no longer there.
    Hope this clears things
    Thanks
    Regards
    Hironmay Basu

  • VPN hub and spoke topology, hub using two interfaces

    Hi,
    I'm facing a problem with Cisco ASA 5500 running software 8.4.
    I know, I know, VPN hub and spoke was already discussed many times. But all these discussions are about a hub using only one interface, the outside/public interface.
    My topology is slightly different.
    LAN-A - VPN peer A <--> (Internet) <--> (outside if)-ASA-B-(inside if) <--> (corporate network) <--> (outside if)-ASA-C-(inside if) <--> LAN-C
    VPN communication should flow between LAN-A and LAN-C.
    Phase I and phase II are working on both tunnels (A-B, B-C). Therefore cryptomaps should be right.
    IPsec SA for tunnel A-B is explicit for LAN-A and LAN-C.
    IPsec SA for tunnel B-C connects any with LAN-C.
    What I can see on ASA-B is incoming traffic from LAN-A on tunnel A-B.
    That does not trigger an SA for tunnel B-C!
    Traffic initiated from LAN-C I can see on ASA-B as incoming traffic; the SA for LAN-A to LAN-C is built up on tunnel B-C.
    Traffic seems to enter tunnel A-B as I can see outgoing traffic on ASA-B.
    Of course, NAT exemption is configured for traffic between LAN-A and LAN-C.
    Why doesn't incoming traffic from LAN-A initiate SA on tunnel B-C?
    It looks like incoming traffic from LAN-A enters ASA-B and is dropped or sent anywhere but the right direction.
    I admit I'm clueless.
    Any help would be appreciated.
    Thanks folks.

    Analyzing the config files revealed the inactive NAT exemption for the traffic flow between LAN-A and LAN-C.
    Furthermore, a static route for LAN-C out the inside interface was missing.
    After fixing both, communication works fine.
    Thanks for the real good support.

  • Full Mesh to Hub Spoke Connectivity

    I have implemented MPLS VPN. Currently it is running as a full mesh connectivity. I need to implement and configure a hub and spoke connectivity due to a business requirement.
    I have 4 spokes and 1 hub. The spokes shouldn't communicate with each other, only with the hub and vice-versa.
    What is the appropriate and best practice for me to implement and configure such a scenario?
    Appreciate your feedback and opinions.
    regards,
    maher

    OK, keep all your config in as it is just now. The only issue (a personal one, I believe) is that you shall be using the same RD everywhere, but that shouldn't matter. On your hub site add under the vrf something like route-target export 99:1. On your spoke sites add route-target export 99:2, then on the other spoke site route-target export 99:3, until you do them all up to 99:x. Then go back to the hub site and do route-target import 99:2 all the way through to x. You can now remove your original route-targets and all shall be fine. A cleaner method would be to completely remove the vrf, but that's prolly too much hassle and downtime for your liking :-)
    HTH
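    A route-target model of the scheme described in the reply above, as an added example (not the thread's own config): a VRF installs a VPN route when the route's export RTs intersect the VRF's import RTs, so the hub/spoke reachability can be derived from the RT sets alone. Two assumptions are mine: each spoke imports 99:1 (the reply does not spell this out, but a spoke needs it to learn the hub's routes), and the original full mesh is modelled with a constructed RT 99:100 on every site.

```python
"""Route-target (RT) model of the hub-and-spoke scheme in the reply above.

Added example, not the thread's own config. In an MPLS L3VPN a VRF installs a
VPN route when the route's export RTs intersect the VRF's import RTs. The
reply's scheme is modelled as data: the hub exports 99:1 and imports 99:2 up
to 99:x, each spoke exports its own 99:k. Assumptions: each spoke imports 99:1
(not stated in the reply), and the full-mesh 'before' state uses a constructed
RT 99:100 on every site.
"""


def build_full_mesh(sites, rt="99:100"):
    """Every VRF exports and imports the same RT, so every site sees every other."""
    return {site: {"export": {rt}, "import": {rt}} for site in sites}


def build_hub_spoke(hub, spokes):
    """The reply's scheme: hub <-> each spoke only, spokes numbered 99:2 .. 99:x."""
    vrfs = {hub: {"export": {"99:1"}, "import": set()}}
    for k, spoke in enumerate(spokes, start=2):
        spoke_rt = f"99:{k}"
        # Assumption: a spoke imports the hub's RT so it learns the hub's routes.
        vrfs[spoke] = {"export": {spoke_rt}, "import": {"99:1"}}
        vrfs[hub]["import"].add(spoke_rt)
    return vrfs


def learned_routes(vrfs):
    """Map each VRF to the set of other sites whose routes it installs."""
    table = {}
    for site, vrf in vrfs.items():
        table[site] = {
            other for other, ovrf in vrfs.items()
            if other != site and ovrf["export"] & vrf["import"]
        }
    return table


def spoke_to_spoke_leaks(vrfs, hub):
    """Ordered spoke pairs that can reach each other directly (what the asker wants to prevent)."""
    learned = learned_routes(vrfs)
    return sorted(
        (a, b) for a in learned for b in learned[a]
        if a != hub and b != hub
    )


def render_ios(vrfs):
    """Render the RT lines as 'ip vrf' blocks in the syntax the reply uses."""
    lines = []
    for site, vrf in vrfs.items():
        lines.append(f"ip vrf {site}")
        for rt in sorted(vrf["export"]):
            lines.append(f" route-target export {rt}")
        for rt in sorted(vrf["import"]):
            lines.append(f" route-target import {rt}")
    return lines


if __name__ == "__main__":
    sites = ["HUB", "SPOKE1", "SPOKE2", "SPOKE3", "SPOKE4"]
    before = build_full_mesh(sites)
    after = build_hub_spoke("HUB", sites[1:])
    print("full mesh spoke-to-spoke pairs:", spoke_to_spoke_leaks(before, "HUB"))
    print("hub-and-spoke spoke-to-spoke pairs:", spoke_to_spoke_leaks(after, "HUB"))
    print("\n".join(render_ios(after)))
```

Note that the model only shows what each VRF learns directly; spoke-to-spoke traffic relayed through the hub CE would need the hub to re-advertise spoke routes, which is outside what the reply configures.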

  • HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.

    I can't seem to get past the errors. Phase 1 completes, then the errors start: 7.0.0.2 received non-routine notify message no proposal chosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, session being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. On the other end, the ASA5512, I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, received encrypted packet with no matching SA dropping.
    I have searched the internet and found many results, however as changes are implemented I always end back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This is a test soon to go into production. Thanks
    Ken
    ASA1# sho run
    : Saved
    ASA Version 9.1(2)
    hostname ASA1
    domain-name TEST1.CA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface GigabitEthernet0/0
     nameif Outside
     security-level 100
     ip address 7.0.0.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif AS1toR1
     security-level 50
     ip address 1.0.0.2 255.255.255.0
    interface GigabitEthernet0/2
     nameif AS1toR2
     security-level 50
     ip address 3.0.0.2 255.255.255.0
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 0
     ip address 192.168.1.1 255.255.255.0
    ftp mode passive
    dns domain-lookup Outside
    dns domain-lookup AS1toR1
    dns domain-lookup AS1toR2
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 201.201.201.201
     domain-name TEST1.CA
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-1.0.0.0
    object network 2.0.0.0
     subnet 2.0.0.0 255.255.255.0
    object network 6.0.0.0
     subnet 6.0.0.0 255.255.255.0
    object network 7.1.0.0
     subnet 7.1.0.0 255.255.255.0
    object network 8.0.0.0
     subnet 8.0.0.0 255.255.255.0
    object network 9.0.0.0
     subnet 9.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_3
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_4
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    object-group network DM_INLINE_NETWORK_1
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    object-group network DM_INLINE_NETWORK_2
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_5
     network-object 1.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object object 2.0.0.0
     network-object object 8.0.0.0
    object-group network DM_INLINE_NETWORK_6
     network-object object 6.0.0.0
     network-object object 9.0.0.0
    access-list HEADEND extended permit ip any any
    access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
    access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
    access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
    access-list Outside_access_in extended permit ip any any
    access-list Outside_access_in extended permit icmp any4 any4
    access-list AS1toR2_access_in extended permit icmp any4 any4
    access-list AS1toR2_access_in extended permit ip any any
    access-list AS1toR1_access_in extended permit ip any any
    access-list AS1toR1_access_in extended permit icmp any4 any4
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu AS1toR1 1500
    mtu AS1toR2 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group Outside_access_in in interface Outside
    access-group AS1toR1_access_in in interface AS1toR1
    access-group AS1toR2_access_in in interface AS1toR2
    router ospf 1
     network 1.0.0.0 255.255.255.0 area 0
     network 3.0.0.0 255.255.255.0 area 0
     network 7.0.0.0 255.255.255.0 area 0
     log-adj-changes
    route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
    route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
    route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    eou allow none
    http server enable
    http 192.168.1.2 255.255.255.255 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sysopt connection preserve-vpn-flows
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
    crypto dynamic-map DYNMAP 10 set pfs
    crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
    crypto dynamic-map DYNMAP 10 set reverse-route
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
    crypto map HQ2REMOTE interface Outside
    crypto ca trustpool policy
    crypto ikev1 enable Outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 30
    vpn load-balancing
     interface lbpublic Outside
     interface lbprivate AS1toR1
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable Outside
     no anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     wins-server value 10.10.10.10
     dns-server value 201.201.201.201
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
     split-tunnel-network-list value HEADEND
     default-domain value TEST1.CA
     webvpn
      activex-relay disable
    tunnel-group DefaultL2LGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup general-attributes
     secondary-authentication-server-group LOCAL
     authorization-server-group LOCAL
     nat-assigned-to-public-ip Outside
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
     peer-id-validate nocheck
     ikev1 user-authentication none
    tunnel-group DefaultWEBVPNGroup general-attributes
     secondary-authentication-server-group LOCAL
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
     ikev1 pre-shared-key *****
     peer-id-validate nocheck
     ikev1 user-authentication none
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 24
      subscribe-to-alert-group configuration periodic monthly 24
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:022709234965ad8943628e790ed5ed1f
    : end
    ASA1#
    ASA2# sho run
    : Saved
    ASA Version 8.2(5)
    hostname ASA2
    domain-name TEST2.CA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 14
    interface Ethernet0/1
     switchport access vlan 24
    interface Ethernet0/2
     shutdown
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     shutdown
    interface Ethernet0/6
     shutdown
    interface Ethernet0/7
     switchport access vlan 4
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan4
     nameif management.
     security-level 0
     ip address 192.168.1.101 255.255.255.0
     management-only
    interface Vlan14
     nameif Outside
     security-level 100
     ip address dhcp setroute
    interface Vlan24
     nameif Inside
     security-level 50
     ip address 6.0.0.2 255.255.255.0
    ftp mode passive
    dns domain-lookup management.
    dns domain-lookup Outside
    dns domain-lookup Inside
    dns server-group DefaultDNS
     domain-name TEST2.CA
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
     network-object 1.0.0.0 255.255.255.0
     network-object 2.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object 8.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 6.0.0.0 255.255.255.0
     network-object 9.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
     network-object 1.0.0.0 255.255.255.0
     network-object 2.0.0.0 255.255.255.0
     network-object 3.0.0.0 255.255.255.0
     network-object 8.0.0.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
     network-object 6.0.0.0 255.255.255.0
     network-object 9.0.0.0 255.255.255.0
    access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
    access-list REMOTEEND extended permit ip any any
    access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
    access-list Outside_access_in extended permit ip any any
    access-list Outside_access_in extended permit icmp any any
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management. 1500
    mtu Outside 1500
    mtu Inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    router ospf 1
     network 6.0.0.0 255.255.255.0 area 0
     network 7.1.0.0 255.255.255.0 area 0
     log-adj-changes
    route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
    route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
     network-acl REMOTEEND
    eou allow none
    http server enable
    http 0.0.0.0 0.0.0.0 management.
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map HQ2REMOTE 15 match address vpnend-to-hq
    crypto map HQ2REMOTE 15 set pfs
    crypto map HQ2REMOTE 15 set connection-type originate-only
    crypto map HQ2REMOTE 15 set peer 7.0.0.2
    crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
    crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
    crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
    crypto map HQ2REMOTE 15 set reverse-route
    crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map HQ2REMOTE interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 15
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 28800
    crypto isakmp ipsec-over-tcp port 10000
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface Outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption 3des-sha1
    webvpn
     enable Outside
    group-policy DfltGrpPolicy attributes
     wins-server value 10.10.10.10
     dns-server value 201.201.201.201
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     split-tunnel-network-list value REMOTEEND
     default-domain value TEST2.CA
     smartcard-removal-disconnect disable
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group DefaultRAGroup general-attributes
     authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group 7.0.0.2 type ipsec-l2l
    tunnel-group 7.0.0.2 ipsec-attributes
     pre-shared-key *****
     peer-id-validate nocheck
    tunnel-group-map default-group 7.0.0.2
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
    : end
    ASA2#
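    A Phase 2 proxy-identity check, as an added example (not code from the thread or from Cisco): IKEv1 peers only agree on a quick-mode SA when the initiator's (local, remote) proxy pair is the exact reverse of a pair on the responder, so the two crypto ACLs must be mirror images. The network lists are copied from the object groups in the two configs posted above (ASA1's Outside_cryptomap_15 and ASA2's vpnend-to-hq), and the transform-set data from MAP-VPN1 on each box; both are constructed here as Python literals, and the check flags that the two ACLs are identical rather than mirrored while the transforms already agree.

```python
"""IKEv1 L2L Phase 2 proxy-identity check.

Added example, not code from the thread. The network lists below are copied
from the object groups in the two posted configs and embedded as constructed
literals: ASA1 (hub) access-list Outside_cryptomap_15 and ASA2 (spoke)
access-list vpnend-to-hq. Transform data is MAP-VPN1 plus 'set pfs' on each side.
"""
from ipaddress import ip_network

# ASA1 (hub): DM_INLINE_NETWORK_5 -> DM_INLINE_NETWORK_6
ASA1_SRC = ["1.0.0.0/24", "3.0.0.0/24", "2.0.0.0/24", "8.0.0.0/24"]
ASA1_DST = ["6.0.0.0/24", "9.0.0.0/24"]
# ASA2 (spoke): DM_INLINE_NETWORK_1 -> DM_INLINE_NETWORK_2
ASA2_SRC = ["1.0.0.0/24", "2.0.0.0/24", "3.0.0.0/24", "8.0.0.0/24"]
ASA2_DST = ["6.0.0.0/24", "9.0.0.0/24"]

# ESP cipher, integrity and PFS setting applied to the L2L map on each box.
ASA1_TRANSFORM = ("esp-3des", "esp-md5-hmac", "pfs")
ASA2_TRANSFORM = ("esp-3des", "esp-md5-hmac", "pfs")


def expand(src_list, dst_list):
    """Expand a 'permit ip object-group A object-group B' line into (src, dst) pairs."""
    return {(ip_network(s), ip_network(d)) for s in src_list for d in dst_list}


def mirror(pairs):
    """The proxy identities the other peer has to carry for these pairs."""
    return {(dst, src) for (src, dst) in pairs}


def proxy_mismatches(local_pairs, peer_pairs):
    """Pairs on each side that the other side does not mirror.

    Empty results on both sides mean every Phase 2 proposal from either peer
    can be matched by the other.
    """
    unmatched_local = local_pairs - mirror(peer_pairs)
    unmatched_peer = peer_pairs - mirror(local_pairs)
    return sorted(unmatched_local, key=str), sorted(unmatched_peer, key=str)


def transform_mismatch(local, peer):
    """True when the ESP cipher, integrity or PFS choices differ."""
    return local != peer


def mirrored_acl_lines(name, pairs):
    """Render the mirror image of `pairs` as ASA access-list lines (address/mask form)."""
    lines = []
    for src, dst in sorted(mirror(pairs), key=str):
        lines.append(
            f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}"
        )
    return lines


def assess(local_pairs, peer_pairs, local_ts, peer_ts):
    """Summarise whether a Phase 2 negotiation between the two sides can succeed."""
    unmatched_local, unmatched_peer = proxy_mismatches(local_pairs, peer_pairs)
    return {
        "proxies_mirrored": not unmatched_local and not unmatched_peer,
        "unmatched_local": len(unmatched_local),
        "unmatched_peer": len(unmatched_peer),
        "transforms_match": not transform_mismatch(local_ts, peer_ts),
    }


if __name__ == "__main__":
    hub = expand(ASA1_SRC, ASA1_DST)
    spoke = expand(ASA2_SRC, ASA2_DST)
    print(assess(hub, spoke, ASA1_TRANSFORM, ASA2_TRANSFORM))
    # The spoke-side ACL the hub's pairs would need as their mirror image.
    for line in mirrored_acl_lines("vpnend-to-hq", hub):
        print(line)
```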

    Jon,
    Getting same errors as when we first started. Access list mismatch skipping dynamic map DYNMAP.
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    ASA1# Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:18:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 9389754e
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=9389754e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=ee315fa4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fffa05e1840, mess id 0x9389754e)!
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fffa05e1840)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f9d973c5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:18:47 [IKEv1]Ignoring msg to mark SA with dsID 200704 dead because SA deleted
    Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:19:17 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3af2253f
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3af2253f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=d4ee1beb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3af2253f)!
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=c7a1c363) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:19:17 [IKEv1]Ignoring msg to mark SA with dsID 204800 dead because SA deleted
    Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
    Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
    Mar 03 13:19:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3383044c
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3383044c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.1.0.2
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
    Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f717942f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3383044c)!
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
    Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=883e1938) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
    Mar 03 13:19:47 [IKEv1]Ignoring msg to mark SA with dsID 208896 dead because SA deleted
    Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
    ASA1# undebug all
    ASA1#
    ASA2#
    ASA2#
    ASA2# debug crypto isakmp 127
    ASA2# Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE Initiator: New Phase 1, Intf Outside, IKE Peer 7.0.0.2  local Proxy Address 7.1.0.2, remote Proxy Address 7.0.0.2,  Crypto map (HQ2REMOTE)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ISAKMP SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 02 payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 03 payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver RFC payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Fragmentation VID + extended capabilities payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Oakley proposal is acceptable
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received NAT-Traversal RFC VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Fragmentation VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ke payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Cisco Unity VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing xauth V6 VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send IOS VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ke payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ISA_KE payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Cisco Unity client VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received xauth V6 VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1 DEBUG]
    ASA2# : IP = 7.0.0.2, processing NAT-Discovery payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Generating keys for Initiator...
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing ID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing dpd vid payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing ID payload
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, ID_IPV4_ADDR ID received
    7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
    Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing VID payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Received DPD VID
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Oakley begin quick mode
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator starting QM: msg id = ea585f90
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Keep-alive type for this connection: DPD
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Starting P1 rekey timer: 27360 seconds.
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE got SPI from key engine: SPI = 0xe5aab4b5
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, oakley constucting quick mode
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec SA payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec nonce payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing proxy ID
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Transmitting Proxy Id:
      Local host:  7.1.0.2  Protocol 0  Port 0
      Remote host: 7.0.0.2  Protocol 0  Port 0
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending Initial Contact
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
    Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending 1st QM pkt: msg id = ea585f90
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=ea585f90) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=602db3a7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing notify payload
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=29ddd81f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing delete
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Connection terminated for peer 7.0.0.2.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, sending delete/delete with reason message
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec delete payload
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
    Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=2a8b25a9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Deleting SA: Remote Proxy 7.0.0.2, Local Proxy 7.1.0.2
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Removing peer from correlator table failed, no match!
    Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE SA MM:7362cee8 terminating:  flags 0x0100c822, refcnt 0, tuncnt 0
    Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Session is being torn down. Reason: User Requested
    Mar 03 08:58:34 [IKEv1]: Ignoring msg to mark SA with dsID 217088 dead because SA deleted
    Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xe5aab4b5
    ASA2# undebug all
    ASA2#
    Thanks,
    Ken
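A small triage script for this kind of initiator-side failure, added here as an example and not part of Ken's post: it parses the transmitted proxy IDs and the Notify out of the debug excerpt above and points at the usual reason for Invalid ID info (18) arriving right after PHASE 1 COMPLETED, namely a crypto ACL on the peer that is not the mirror image of the local one. The "Local subnet ... mask ..." regex branch is an assumption about the same ASA debug format; the sample lines are excerpted from the log above.

```python
import re
from typing import Dict

# Constructed sample: lines excerpted from the ASA2 "debug crypto isakmp" output above.
SAMPLE_DEBUG = """\
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Transmitting Proxy Id:
  Local host:  7.1.0.2  Protocol 0  Port 0
  Remote host: 7.0.0.2  Protocol 0  Port 0
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Connection terminated for peer 7.0.0.2.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
"""

# "Local host: A Protocol p Port q" is the host form seen above; the "Local subnet: A mask M ..."
# branch for network entries is assumed from the same debug format.
PROXY_RE = re.compile(
    r"^\s*(Local|Remote) (?:host|subnet):\s+(\S+)(?:\s+mask\s+(\S+))?\s+Protocol (\d+)\s+Port (\d+)"
)
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def parse_ikev1_debug(text: str) -> Dict:
    """Pull the facts that matter for IKEv1 triage out of ASA debug lines."""
    parsed: Dict = {"phase1_complete": False, "proxy_ids": {}, "notifies": []}
    for line in text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            parsed["phase1_complete"] = True
            continue
        m = PROXY_RE.match(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            parsed["proxy_ids"][side.lower()] = {
                "addr": addr,
                "mask": mask or "255.255.255.255",  # host entries carry no mask
                "proto": int(proto),
                "port": int(port),
            }
            continue
        m = NOTIFY_RE.search(line)
        if m:
            parsed["notifies"].append((m.group(1), int(m.group(2))))
    return parsed


def triage(parsed: Dict) -> str:
    """Map the parsed facts to the next thing to check on an initiator-side failure."""
    if not parsed["phase1_complete"]:
        return "phase 1 never completed: check ISAKMP policy, pre-shared key and peer reachability"
    codes = {code for _, code in parsed["notifies"]}
    ids = parsed["proxy_ids"]
    if 18 in codes and "local" in ids and "remote" in ids:  # INVALID_ID_INFORMATION
        return (
            "phase 2 rejected by peer: no mirror-image crypto ACL entry on the peer for "
            f"{ids['local']['addr']}/{ids['local']['mask']} <-> "
            f"{ids['remote']['addr']}/{ids['remote']['mask']}"
        )
    if codes:
        return "phase 2 notify received: " + ", ".join(f"{n} ({c})" for n, c in parsed["notifies"])
    return "no IKE error in this excerpt"


if __name__ == "__main__":
    print(triage(parse_ikev1_debug(SAMPLE_DEBUG)))
```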

  • Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

    Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and port. We have Server 2012 PKI and CA and it seems fairly straightforward to pump out a certificate to a user and have them authenticate with their
    certificate to a RADIUS/NPS. However, every time I mention our thoughts to consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.
    We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable, and they absolutely need to have network access at all times because
    they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going, but I'm afraid that if we force 802.1x certificate authentication for the switch
    ports and Wi-Fi, then if their internet goes down they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:
    1. Failover to a disaster recovery authentication server if the corporate connection goes down
    and:
    2. If the internet fails locally and the site can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server
    for the authentication and so on.
    What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port, removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale,
    nor a super secure option, so 802.1x certificate authentication seemed to be the most flexible option without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

    Re-authentication can be triggered by the NPS, the switch / AP or the client:
    NPS: There are a bunch of attributes to be configured in the Network Policy that determine the time a machine can remain connected, such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout was used to enforce
    a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
    Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user plugs a cable or accidentally disables WLAN on his machine while the internet link is down, he will not be able to reconnect.
    Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured to respect the RADIUS server's setting.
    Client: The term "re-authentication" is also used for what happens if you have to / want to use both machine and user authentication: When the machine starts up, the machine account is authenticated; when the user logs on, the user is authenticated;
    when the user logs off, the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
    It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
    I would recommend carefully testing it with a pilot group of users.
    Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not, as you would be able to manage them remotely?

  • Best device to fit for a project

    I'm not sure this is the right section but I try.
    For a project (less than 100 branch offices and 2 headquarters connected in a hub&spoke topology with IPsec over MPLS between branches and HQ) I'm looking for the best device which covers the following items:
    Branch:
    Single device
    At least two Ethernet interfaces (WAN/LAN)
    Ipsec supporting 10-50-100 Mbs
    Routing protocols such as BGP-OSPF
    NAT
    Redundant power supply (some sites don't need it, but in principle I need it)
    HeadQuarter:
    Single device with XE intf
    At least two Ethernet interfaces (WAN/LAN)
    IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
    Routing protocols such as BGP-OSPF
    NAT
    Redundant power supply
    Firewall is not needed; MPLS will be run by two carriers (this is why single device: there will be two single devices (with HSRP/VRRP) per site, each one connected to one MPLS carrier), and the IPsec tunnels are on top of MPLS.
    I'm looking for the best solution in terms of scalability and price (very important).
    I've an idea in my mind but I'd like to hear your experience for the decision...
    Regards

    Hello.
    I guess for MPLS you would use GETVPN, so ASA couldn't be an option.
    For 10M, I would suggest Cisco 892 or 1921.
    Up to 50M - 1941 could be fine (for asymmetrical flow), and 2921 for symmetrical;
    Up to 100M - 2921/2951 (for asymmetrical) and 3925 for symmetrical.
    Not sure what to suggest for HQ, but it should be something like ASR1000-ESP20 (sure you need 2 devices for HA).
    PS: why do you need NAT on MPLS?
    PS2: in HQ I would suggest splitting the IPsec and NAT roles between different devices (ASA would be best for NAT).

  • Comcast Metro Ethernet Setup

    We have one customer with one ASA and one 3750 switch in headquarters, and 6 1801 routers in 6 branches.
    All connected via MPLS/BGP provided by AT&T, and it was terminated at one port on the 3750.
    We plan to replace that with a Metro Ethernet hub/spoke topology since the customer mentioned each office never talks to the others. Later on we found they have IP phones that do need to talk with each other at the branches.
    Question - can we still use the MetroE service but configure routing to make each office talk with each other, and how would that work?? I would assume some routing on the 3750.
    Any info is appreciated. thanks!
    Ben

    Hi Ben,
    It will work for sure, since this is what (in a much more complex scenario) we have been implementing in our company for a few months. Just take care to define data and voice subnets as technically unrelated, so as to be free to implement very flexible and easy-to-manage routing policies. Is AT&T providing L3VPN or what?
    Hope to help
    Alessio
    Sent from Cisco Technical Support iPad App

  • HT5590 Use caching server with multiple public Addresses?

    According to the Apple documentation, to use the caching server, all clients need to share the same public address via NAT. On my network with many Macs, this would appear to make the caching service useless, as we have multiple public addresses to which our clients are NATed (a full class C, to be exact). Is there any way around this restriction, or am I simply going to be unable to use what looks like it would be a highly useful service?

    Yes, multiple internal/private subnets mapping to a single public IP is very common in the education/enterprise arena. It is the basic hub-spoke topology:
    all spokes connect to needed resources at the hub, and only the hub is connected to the Internet. In the case of K-12 education, we need to run a content filter (by Federal rules) on student Internet connectivity. The most efficient way to do that is to locate the filter (along with other servers and resources) at the hub and then route all Internet traffic through the hub. Each spoke (and the hub) is a different internal/private network subnet ... 10.65.x.x, 10.66.x.x, etc. In my case I have 3M from each spoke to the hub, and then 45M from the hub to the Internet.
    In the "old" days ... pre 10.8 ... we had (and still have for some of our older 10.4 computers) a software update server at each spoke, and computers at each spoke were configured (with the Apple software update script) to get their updates from the update server at their spoke ... iApps as well as OS apps. This worked perfectly!
    Now that Apple, in their Orwellian attempt to monitor and control iApps, has introduced this "either-or" attitude about using a local update server OR a caching server (but not giving you the option to get iApps from the local update server), they have really hurt schools like mine. Without being able to serve all updates locally on each spoke, updating becomes impossible when you are trying to update a lab full of computers, and the iApp alone is 1.2G for EACH computer ... and now it must come from the Internet since the caching server is 'broken.'
    I currently have a case open with Apple Enterprise Support, and will now also get my K-12 Apple Support Tech involved. I will share this info with them. Perhaps there is some solution that I do not know about, or perhaps there will be a solution created by Apple for situations like mine. I can't see being the only one with this problem; I just think that I may be one of the first to notice it due to my limited bandwidth situation.
    Thanks for your insight. Your original post got me thinking and enabled me to identify what *I* feel is the problem. I will keep this thread updated.
    M:>

  • InterConnect vs OAS Adapter for Applications

    Hi.
    Now that OEBS release 12 is available with the OAS Adapter for Oracle Applications (via BPEL) with all its Interfaces, are InterConnect redundant ?
    Best regards
    Jan

    InterConnect and BPEL are different products and they solve different tasks.
    I would say ESB is a replacement for InterConnect and InterConnect is redundant, but I can't.
    Because many features REQUIRED for production integration that we saw in InterConnect are not present in ESB!
    I mean guaranteed delivery, hub-spoke topology and many others.
    ESB is not a solution for integration, but it is a constructor which you can use to make an integration solution by hand.
    Message was edited by:
    occ2000

  • EIGRP in a NBMA hub and spoke configuration ?

    Hi,
    Is there a way to configure EIGRP for a Frame Relay NBMA network using a hub and spoke topology ?
    I'm curious that I cannot find any config examples for this, whereas with OSPF in this environment there are plenty of examples.
    I'm wondering if EIGRP being a distance-vector protocol this shouldn't be attempted.
    PS: I've been at this all day and have only managed to get EIGRP to work in one configuration, and that was using physical interfaces on all routers and switching off split horizon at the hub router. I used frame-relay map statements with broadcast enabled also.
    Any pointers would be appreciated.
    Cheers,
    Phil.

    hi phil,
    here is the configuration for the HUB router:
    !
    hostname ABC
    !
    interface Ethernet1
     ip address 192.168.2.1 255.255.255.0
    !
    interface Serial0
     no ip address
     encapsulation frame-relay
     no ip mroute-cache
    !
    interface Serial0.1 multipoint
     ip address 192.168.1.1 255.255.255.0
     ! split horizon disabled on the multipoint hub interface so spoke routes are re-advertised to the other spokes
     no ip split-horizon eigrp 2001
     ! bandwidth set to the sum of the remote PVCs
     bandwidth 112
     frame-relay map ip 192.168.1.5 110 broadcast
     frame-relay map ip 192.168.1.6 130 broadcast
    !
    ! EIGRP routing process
    router eigrp 2001
     ! networks running EIGRP
     network 192.168.1.0
    you can have appropriate IP addressing as per your design...
    you can have a simpler configuration at the spoke side compared to the HUB router....
    regards
    Devang

  • Hub and Spoke between SA540 and RV120

    Hello.
    I want to build a "hub and spoke" topology for one of my clients.
    For the "HUB" , I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL.
    For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP.
    The boss will connect to the HUB using Cisco VPN client, or quickVPN, and get access to all the spokes.
    Some spokes will have to connect to each other, via the HUB.
    I searched a long time on this forum and read the documentation, but so far I haven't found the answer to my question: is this topology suitable with the chosen hardware?
    Alain

    Alain,
    I would contact someone in the enterprise group with the questions on which enterprise router to use with your topology; I would expect a Cisco ASA5505 or ASA5510 with proper licensing would accomplish this at the main office and Cisco 800 series at remote offices. For your spokes (remote offices) the RV120 or RVS4000 should work fine if you are trying to route traffic from remote office to main office only. If you are looking to route traffic from a remote office to the main office and then to another remote office, you would need to go all enterprise small business devices. In our small business routers we can't specify to route traffic to another subnet across the IPSec tunnel. When we make the IPSec tunnel it creates the routes in the routing table to the remote host. So we can only route traffic to the directly connected IPSec tunnel host. If you need further clarification you can give us a call.
    SBSC
    1-866-606-1866
    TAC (Enterprise Group)
    1-800-553-2447
    Main office (ASA5505 – ASA5510) --- (Cisco 800 Series) = Remote office
    Please clarify with enterprise group.
    Thanks
    Jasbryan
    Cisco Support Engineer
    .:|:.:|:.

  • Connection fall back to hub-n-spoke

    Hi,
      I wonder if anyone here knows the answer... I am trying the p2p sample code. Every time, users can log in with the RTMFP protocol. But as soon as they start the audio or video, the connections fall back to hub-n-spoke mode. All Flash players are 10.0 or 10.1. I am using the source code for 10.0, and the SDK is updated. Any help would be appreciated.
      Thanks
    Danny

    Thanks, Hironmay.
    I guess I need to clarify one thing: it does state 'Current connection: Hub-spoke' in the right panel (I didn't give you the accurate text because it was based on my memory, sorry). And this text appeared whenever a second user connected to the room (Flash Player 10.1, same network). I think the connection did fall back, as the source code of the text change is the following:
    protected function onConnectionTypeChange(p_evt:StreamEvent):void
    {
        // Label the session P2P or hub-and-spoke from the StreamManager's current state
        connChange.text += "Current Connection:" + ((sess.streamManager.isP2P) ? "P2P" : "Hub n Spoke") + "\n";
    }
    I think isP2P is false when the switching happened.
    Here is the new log I found today - it has something related to NetStream.Connect.Closed when the switching happened.
    [SWF] C:\data\project\PrjRoot\lccsChatRoom\bin-debug\lccsChatRoom.swf\[[DYNAMIC]]\6 - 323,354 bytes after decompression
    warning: unable to bind to property 'userManager' on class 'com.adobe.rtc.session::ConnectSessionContainer'
    Wed Sep 1 07:26:08 GMT-0400 2010    LCCS SDK Version : 1.2.0    Player Version : WIN 10,1,53,64
    07:26:08 GMT-0400    requestInfo https://connectnow.acrobat.com/wxg250/classroom1?mode=xml&glt=g:&x=0.04513606382533908
    07:26:11 GMT-0400    authentication status: 200
    07:26:11 GMT-0400    authentication request complete
    07:26:11 GMT-0400    requestInfo https://connectnow.acrobat.com/wxg250/classroom1?gak=c2Vzc2lvbklEKmJSdEk0NmxYTmZHcXZybUNOd zdGcU0qYXBwTnVtKjEwMDgqYXBwSG9zdCpyb3hvMXoy&mode=xml&x=0.19403704069554806
    07:26:11 GMT-0400    #TicketService# ticket received: 1u1ia5xp2vp5z
    07:26:11 GMT-0400    Getting FMS at https://na2.collaboration.adobelivecycle.com/fms?ticket=1u1ia5xp2vp5z&proto=rtmfp, attempt #1/3
    07:26:12 GMT-0400    result: <fms>
      <origin>fms5.acrobat.com</origin>
      <proto_ports>rtmfp:1935,rtmps:443</proto_ports>
      <retry_attempts>2</retry_attempts>
    </fms>
    07:26:12 GMT-0400    protocols: [object ProtocolPortPair],[object ProtocolPortPair]
    07:26:12 GMT-0400    [attempt 1 of 2] Connecting to 0/1: rtmfp://fms5.acrobat.com/cocomo/na2-sdk-63afa1af-db2b-413d-8b10-78c4b567889f/classroom1 #startProtosConnect#
    07:26:12 GMT-0400    tempNetStatusHandler 0/2,NetConnection.Connect.Success
    07:26:12 GMT-0400    isTunneling? false
    07:26:12 GMT-0400    is using RTMPS? false
    07:26:12 GMT-0400    RECEIVED LOGIN AT SESSION
    07:26:12 GMT-0400      .user descriptor from server [object]
    07:26:12 GMT-0400        \\
    07:26:12 GMT-0400        .role [number]= 100
    07:26:12 GMT-0400        .affiliation [number]= 100
    07:26:12 GMT-0400        .userID [string]= WCD-4FE008C648440EF2992015B9
    07:26:12 GMT-0400        .displayName [string]= D Wang
    07:26:13 GMT-0400    RECEIVENODES UserManager
    07:26:13 GMT-0400    receiveAllSynchData UserManager
    07:26:13 GMT-0400    RECEIVENODES FileManager
    07:26:13 GMT-0400    receiveAllSynchData FileManager
    07:26:13 GMT-0400    checkManagerSync:[object FileManager]
    07:26:13 GMT-0400    RECEIVENODES AVManager
    07:26:13 GMT-0400    receiveAllSynchData AVManager
    07:26:13 GMT-0400    checkManagerSync:[object StreamManager]
    07:26:13 GMT-0400    RECEIVENODES RoomManager
    07:26:13 GMT-0400    receiveAllSynchData RoomManager
    07:26:13 GMT-0400    checkManagerSync:[object RoomManager]
    07:26:13 GMT-0400    checkManagerSync:[object UserManager]
    07:26:21 GMT-0400    mainNetStatusHandler: NetStream.Connect.Success
    07:26:23 GMT-0400    mainNetStatusHandler: NetStream.Connect.Success
    07:27:32 GMT-0400    mainNetStatusHandler: NetStream.Connect.Closed
    07:27:32 GMT-0400    mainNetStatusHandler: NetStream.Connect.Success
    07:27:32 GMT-0400    mainNetStatusHandler: NetStream.Connect.Closed
    07:27:32 GMT-0400    mainNetStatusHandler: NetStream.Connect.Closed
    07:27:32 GMT-0400    mainNetStatusHandler: NetStream.Connect.Closed
    07:28:42 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:28:42 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:28:42 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:28:42 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    ==========the following logs were generated after the second user closed the page --Danny's note===========
    07:30:05 GMT-0400    mainNetStatusHandler: NetStream.Connect.Success
    07:30:05 GMT-0400    mainNetStatusHandler: NetStream.Connect.Success
    07:35:04 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:35:04 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:35:04 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange
    07:35:04 GMT-0400    mainNetStatusHandler: NetConnection.Connect.NetworkChange

  • Hub and spoke VPN issue - probably simple

    Hello,
    I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites. 
    Site A: HQ and main PBX System - Cisco ASA 5520
    Sites B-E: Remote Sites with PBX systems with ASA 5505's
    I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part. 
    Refer to this short discussion for further reference
    https://supportforums.cisco.com/message/4162268#4162268
    Recently the customer started saying sometimes the call forwarding between sites isn't working correctly.  Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly.
    E.g.
    Site B wants to talk to Site C
    I need to initiate a ping on Site B to Site C which fails
    Initiate a ping on Site C to Site B and the first packet drops, then the rest go through
    Initiate Ping on Site B to Site C and all works just fine.
    Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time.
    This is happening for all remote sites.  When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working.
    Probably something simple I'm missing.  Any help is greatly appreciated.
    (Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)

    The purpose of doing VPN is that you want 2 or more different networks to seamlessly become like 1 common network. Your class B network having 192.168.0.0 and class C network 192.168.10.0 are in the same network, since both are in the 192.168.x.x network. Try to consider changing the class B network into 192.169.0.0, or you can change the class C network into 192.169.10.0.
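One way to check the crypto ACLs before chasing the symptom, added here as an example and not from the thread (which does not list its subnets): for spoke-to-spoke traffic that hairpins through the hub, the hub's ACL toward each spoke must carry every other spoke's subnet, and each spoke's ACL must be the exact mirror image of the hub's. The site subnets and the deliberately incomplete spoke C entry are constructed.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Set, Tuple

# Constructed addressing: the thread does not list its subnets, so these are assumed.
SITES: Dict[str, IPv4Network] = {
    "A": ip_network("10.10.0.0/24"),  # HQ, hub (ASA 5520)
    "B": ip_network("10.20.0.0/24"),  # spoke (ASA 5505)
    "C": ip_network("10.30.0.0/24"),  # spoke (ASA 5505)
}
HUB = "A"

# One (source, destination) pair per "permit ip" line, keyed by the (this_site, peer_site) tunnel.
Entry = Tuple[IPv4Network, IPv4Network]
Acls = Dict[Tuple[str, str], Set[Entry]]


def required_entries(sites: Dict[str, IPv4Network], hub: str) -> Acls:
    """Entries each tunnel end must carry for any site to reach any other site via the hub."""
    req: Acls = {}
    spokes = [s for s in sites if s != hub]
    for s in spokes:
        # Hub side of the hub<->s tunnel: hub's own subnet and every other spoke's subnet, toward s.
        hub_side = {(sites[hub], sites[s])} | {(sites[o], sites[s]) for o in spokes if o != s}
        req[(hub, s)] = hub_side
        # Spoke side must be the exact mirror image of the hub side.
        req[(s, hub)] = {(dst, src) for (src, dst) in hub_side}
    return req


def check_crypto_acls(configured: Acls, sites: Dict[str, IPv4Network], hub: str) -> List[str]:
    """Report missing entries and entries that have no mirror image on the far end."""
    findings: List[str] = []
    for tunnel, need in required_entries(sites, hub).items():
        have = configured.get(tunnel, set())
        for src, dst in sorted(need - have, key=str):
            findings.append(f"{tunnel[0]}->{tunnel[1]}: missing permit ip {src} {dst}")
    for (a, b), entries in configured.items():
        peer = configured.get((b, a), set())
        for src, dst in sorted(entries, key=str):
            if (dst, src) not in peer:
                findings.append(f"{a}->{b}: permit ip {src} {dst} has no mirror on {b}->{a}")
    return findings


# Constructed example: everything is right except that spoke C's ACL toward the hub
# forgot B's subnet, so C->B traffic is never selected for the tunnel on C's side.
CONFIGURED: Acls = {
    ("A", "B"): {(SITES["A"], SITES["B"]), (SITES["C"], SITES["B"])},
    ("B", "A"): {(SITES["B"], SITES["A"]), (SITES["B"], SITES["C"])},
    ("A", "C"): {(SITES["A"], SITES["C"]), (SITES["B"], SITES["C"])},
    ("C", "A"): {(SITES["C"], SITES["A"])},
}

if __name__ == "__main__":
    for finding in check_crypto_acls(CONFIGURED, SITES, HUB):
        print(finding)
```

On an ASA hub the hairpin additionally needs `same-security-traffic permit intra-interface`, since spoke-to-spoke traffic enters and leaves on the same outside interface; the spokes only ever forward into the hub tunnel and do not need it.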
