Site to Site Tunnel - Traffic just flowing in one direction.
Greetings to everyone,
I have configured an IPSec (Site-to-Site) tunnel between an ASA5510 and a Linux system, connecting a Network A with a Network B in the following way:
* Diagram:
#---------------IPSec-----------------#
private network (A) ---- Linux Router (GW1) -------- WAN -------- (GW2) ASA5510 ---- public network (B)
* Results:
I have checked the IPSec tunnel on the Linux router and both Phase 1 and Phase 2 are UP. ASDM also shows an IPSec connection with the correct parameters (GW, Local Network, Left Network etc.).
If I have understood it correctly, "show crypto isakmp sa", "show crypto ikev1 sa" and "show crypto ipsec sa" also show that the connection is correct and UP.
* Now comes the interesting thing:
If I ping from Network A to Network B, the ICMP echo requests go through the tunnel and I can see the Rx bytes on the Cisco ASA going UP.
If I ping from Network B to Network A, I do not see any Tx bytes on the tunnel. The Linux router also does not see any packets going through the tunnel.
When I ping from Network B to Network A, the firewall logs ICMP denies. That means that the traffic from B to A, I do not know why, is not matching the corresponding tunnel ACL; the ICMP packets are being routed to the default gateway instead of through the tunnel and they are then matching a less specific dropping rule on the main firewall.
* Configurations:
I have specifically configured a crypto map that matches the networks in both directions.
There exists an ACL that permits the traffic in both directions.
There exists a NAT rule that permits traffic between both networks without being NATed, in order for both networks to transmit through the tunnel freely.
* Ideas?
crypto map?
NAT?
ACL?
interface level security?
Thanks in advance.
Hi Guys,
Thank you all for your help. The packet was being dropped on the "implicit rule", which means that the packet was not finding an ACL to match.
I checked the ACLs that the VPN Wizard generates by itself when used to configure an IPSec connection, and the ACLs were correct and "before" the implicit rule (they are called outside_cryptomap_"number" by default).
It seems that since I am not using "sysopt connection permit-vpn" I have to add the same ACLs to the "Local Network" interface (VPN_LAN).
Since there were inbound ACLs related to the VPN_LAN interface, the firewall jumped directly to the "implicit rule".
So the result is that I have the same rules twice: first inbound on the VPN_LAN and second in the default outside_cryptomap ACLs.
Greetings,
Daniel
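The symptom in this thread (the ASA decrypts what arrives from the peer but never encrypts anything back) can be read directly from the encaps/decaps counters of `show crypto ipsec sa`. The script below is an added example, not code from the thread: it parses a constructed sample of that output (documentation addresses, invented counters) and maps each SA's traffic direction to the checks Daniel's answer ends up with (NAT exemption, interface ACL, crypto ACL).

```python
"""Classify the traffic direction of each ASA IPsec SA from 'show crypto ipsec sa' output."""
import re

# Constructed sample in the ASA 'show crypto ipsec sa' format (addresses are documentation
# ranges). SA 1 reproduces the thread's symptom: packets from the remote side are decrypted,
# nothing is ever encrypted back. SA 2 is a healthy tunnel for comparison.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1

      access-list outside_cryptomap_1 extended permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.7

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
      #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
      #send errors: 0, #recv errors: 0
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")

# What each counter pattern usually means on a site-to-site SA.
HINTS = {
    "inbound-only": ("decrypting from the peer but encrypting nothing back: return traffic for the "
                     "remote subnet never reaches the crypto map; check it is NAT-exempt, permitted "
                     "by the inbound interface ACL and covered by the crypto ACL"),
    "outbound-only": ("encrypting but receiving nothing: check the peer's mirrored crypto ACL and "
                      "route, and that ESP (or UDP/4500 with NAT-T) is allowed in toward this ASA"),
    "idle": "no traffic in either direction yet; send interesting traffic and re-check",
    "bidirectional": "counters move in both directions",
}


def parse_ipsec_sa(text):
    """Return one dict per SA; each 'Crypto map tag' line starts a new record."""
    sas, cur = [], None
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2))}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT_RE.search(line)
        if m:
            cur[m.group(1)] = m.group(2)          # 'local' / 'remote' proxy identity
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for name, value in COUNTER_RE.findall(line):
            cur[name.replace(" ", "_")] = int(value)
    return sas


def direction(sa):
    """Classify the SA from its encaps (sent) and decaps (received) packet counters."""
    tx, rx = sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0)
    if tx and rx:
        return "bidirectional"
    if rx:
        return "inbound-only"
    if tx:
        return "outbound-only"
    return "idle"


def report(text):
    """One (map:seq, peer, direction, hint) tuple per SA; non-zero errors are appended to the hint."""
    out = []
    for sa in parse_ipsec_sa(text):
        d = direction(sa)
        hint = HINTS[d]
        errs = sa.get("send_errors", 0) + sa.get("recv_errors", 0)
        if errs:
            hint += "; %d send/recv errors also reported" % errs
        out.append(("%s:%d" % (sa["map"], sa["seq"]), sa.get("peer", "?"), d, hint))
    return out


if __name__ == "__main__":
    for tag, peer, d, hint in report(SAMPLE):
        print("%s peer %s -> %s: %s" % (tag, peer, d, hint))
```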
Similar Messages
-
Tunnel traffic only goes in one direction
I have established the VPN tunnel, verified with show isakmp and ipsec commands as well as watching the real time log in ASDM. The catch is the VPN tunnel can only be initiated from the remote end (Fortigate VPN Firewall) and I can ping from a remote computer, see the ICMP packet enter the tunnel, and see in the log on the ASA the ICMP with the remote source IP, and no echo reply is sent back over the tunnel. If I try to ping from behind the local ASA and the tunnel isn't up, it never goes up. I am not sure what the problem is. I set up a different tunnel to my home ASA to ASA and everything works fine between the local ASA (192.168.150.1) and my home ASA (192.168.1.1).
I have been going through the "Most common L2L and Remote Access VPN" troubleshooting doc from Cisco and will turn on NAT-T on both ends, but what else do I need to do?
: Saved
ASA Version 8.2(1)
hostname <HIDDEN>
domain-name <HIDDEN>.com
enable password <HIDDEN> encrypted
passwd <HIDDEN> encrypted
names
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address 192.168.150.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner motd [WARNING]
banner motd If you are not authorised to access this system exit immediately.
banner motd Unauthorised access to this system is forbidden by company policies, national, and international laws.
banner motd Unauthorised users are subject to criminal and civil penalties as well as company initiated disciplinary proceedings.
banner motd By entry into this system you acknowledge that you are authorised to access it and have the level of privilege at which you subsequently operate on this system.
banner motd You consent by entry into this system to the monitoring of your activities.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
name-server <hidden>
domain-name <hidden>.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description used for windows remote desktop
port-object eq 3389
object-group service vnc tcp
description used for vnc remote control software
port-object eq 5900
access-list outside_1_cryptomap extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.150.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 120
http 192.168.1.0 255.255.255.0 inside
http 192.168.150.0 255.255.255.0 inside
http 1.2.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.200.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <hiddenpublicip1>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer <hiddenpublicip2>
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email <hidden>
subject-name CN=<hidden>
serial-number
ip-address 192.168.150.1
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9f49814d
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 60
management-access inside
dhcpd address 192.168.150.100-192.168.150.131 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18 source outside prefer
webvpn
tunnel-group <hiddenpublicip1> type ipsec-l2l
tunnel-group <hiddenpublicip1> ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group <hiddenpublicip2> type ipsec-l2l
tunnel-group <hiddenpublicip2> ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:34326277fd2eb3caaa97e939b52ce4f2
: end
Thanks for your help. There are no NAT devices between the endpoints (the ASA has NAT but I have exempted this traffic from it; I don't think I would still need NAT-T).
Here are the results when I try to initiate the VPN from the ASA to the Fortigate; it just sits there (if I initiate from the Fortigate it would be State: ACTIVE).
sho crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
sho crypto ipsec sa
There are no ipsec sas
debug crypto isakmp
HOSTNAME# debug crypto ipsec
HOSTNAME# Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntr
-
Port Disable for traffic flowing only one direction
Hi,
We use some Catalyst Express 500 and ESW-520 in our company.
But with the Catalyst Express 500 we have problem that we can't arrive to explain.
Some Gi port turn disable with this log error message :
Description: Gi1: This port is disabled because the traffic is flowing only in one direction. The cause might be incorrect cabling.
Recommendation: Make sure that cable is properly connected to the ports. For fiber connections, ensure that the transmit and receive fibers are connected correctly. Disable and Enable the port.
Regarding the recommendation, the cable is right; we changed it and we changed the switch for another one, and the problem continues.
If we change to an ESW-520 the problem doesn't occur, but we can't change all our old switches for the moment.
Any idea about this problem?
-
ASR1K 5xE1 MFR Frame relay traffic not forwarding in one direction
Dear Techies,
Hope all is well !
I'm doing this inter-op testing with an Alcatel device for frame-relay and MFRs and got stuck at this situation which is actually mind boggling, and I think I might be missing something "silly" :-(
It's a simple setup of
1. My ASR 1002-X with a LAN (Gig0/0/0) port connected to a traffic generator (Ixia).
2. ASR WAN port is a 5xE1 bundled into an MFR circuit.
3. WAN link goes to an Alcatel box giving me my FR-DCE with E1s over MFR.
The issue is, I can send traffic at max throughput with the flow initiated from LAN to WAN but NOT the reverse flow initiated from the WAN side to the LAN port. I see traffic coming into my 5xE1s (1.8 Mbps each) but the traffic just won't go to the LAN side; somewhere it gets "stuck" or "dropped".
PING works fine from both sides... but sending traffic is not possible!!
ASR CONFIG
controller SONET 0/3/0
framing sdh
clock source line
aug mapping au-4
au-4 1 tug-3 1
mode c-12
tug-2 1 e1 1 unframed
tug-2 1 e1 2 unframed
tug-2 1 e1 3 unframed
tug-2 2 e1 1 unframed
tug-2 2 e1 2 unframed
tug-2 2 e1 3 unframed
au-4 1 tug-3 2
mode c-12
tug-2 1 e1 1 unframed
tug-2 1 e1 2 unframed
tug-2 1 e1 3 unframed
au-4 1 tug-3 3
mode c-12
interface MFR1
no ip address
encapsulation frame-relay IETF
load-interval 30
frame-relay multilink bid 10MB-PiPe
frame-relay multilink bandwidth-class a
frame-relay lmi-type ansi
interface MFR1.1 point-to-point
ip address 10.10.17.2 255.255.255.0
frame-relay interface-dlci 100
interface GigabitEthernet0/0/0
no ip address
load-interval 30
negotiation auto
interface GigabitEthernet0/0/0.110
encapsulation dot1Q 110
ip address 11.11.11.1 255.255.255.0
interface Serial0/3/0.1/1/1/1:0
no ip address
encapsulation frame-relay MFR1
frame-relay multilink lid First-Link
interface Serial0/3/0.1/1/1/2:0
no ip address
encapsulation frame-relay MFR1
frame-relay multilink lid Second-Link
interface Serial0/3/0.1/1/1/3:0
no ip address
encapsulation frame-relay MFR1
frame-relay multilink lid Third-Link
interface Serial0/3/0.1/1/2/1:0
no ip address
encapsulation frame-relay MFR1
frame-relay multilink lid Fourth-Link
interface Serial0/3/0.1/1/2/2:0
no ip address
encapsulation frame-relay MFR1
frame-relay multilink lid Fifth-Link
SDH_FR#sh frame-relay multilink
Bundle: MFR1, State = up, class = A, fragmentation disabled
BID = 10MB-PiPe
Bundle links:
Serial0/3/0.1/1/1/1:0, HW state = up, link state = Up, LID = First-Link
Serial0/3/0.1/1/2/2:0, HW state = up, link state = Up, LID = Fifth-Link
Serial0/3/0.1/1/2/1:0, HW state = up, link state = Up, LID = Fourth-Link
Serial0/3/0.1/1/1/3:0, HW state = up, link state = Up, LID = Third-Link
Serial0/3/0.1/1/1/2:0, HW state = up, link state = Up, LID = Second-Link
SDH_FR#sh frame-relay pvc 100
PVC Statistics for interface MFR1 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = MFR1.1
input pkts 8045 output pkts 8044 in bytes 515748
out bytes 527920 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
pvc create time 01:07:58, last time pvc status changed 01:07:58
fragment type end-to-end fragment size 1400
SDH_FR#ping 10.10.17.1
(10.10.17.1 is the Alcatel side from which the traffic has to come.)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.17.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SDH_FR#sh frame-relay traffic
Frame Relay statistics:
ARP requests sent 0, ARP replies sent 0
ARP request recvd 0, ARP replies recvd 0
What is the access rate of the head end?
Are you using a codec other than G711?
How many total sites are involved, and what protocols are you running?
From the math, 32K is not enough CIR to ensure proper bandwidth for 4 calls. At what point is the voice degrading: is it choppy, missing messages, sound, jitter, echo, or after 1, 2 or 3 calls?
Even if you are using G729a, voice packets could be dropped. Not to say that it is here, but look at the FRS stats to see if IP packets are being dropped.
Traffic shaping is always recommended; RTP header compression will help, but the trade-off is around a 20% CPU hit.
If you implement traffic shaping, it needs to be done throughout the network, as queueing delays related to data on other slow links and at the headend (specifically here) could be the cause of the distortion alone. I would at least try traffic shaping first; then if the problem doesn't go away, increase CIR for voice, and if there are still issues, implement LLQ.
-
Sometimes the question comes up at the top of the screen "do you want to save this password", which is great. But it does not always come up... this is the problem. I can't seem to locate where to find this application? Can you help?
Saved Password Editor extension has a feature that allows you to add passwords / usernames to Firefox manually. <br />
https://addons.mozilla.org/en-US/firefox/addon/60265
-
VoIP QoS for Site-to-Site Tunnel
Hi all,
I need some help with setting up QoS for VoIP between two Cisco ASA 5505 with Site-to-Site VPN.
There is no need for bandwith reservation, only DSCP 46 (EF) should be highest and DSCP 26 second highest queue and the rules should only apply to a site-to-site VPN.
Usually I try to configure the ASAs via ASDM, and I found out in the Cisco documentation how to set up QoS for the DSCP bits with a Service Policy and how to set up QoS for a Site-to-Site VPN (Service Policy Rule -> Traffic Match). But how do I configure the QoS for a DSCP bit to only apply to a Site-to-Site Tunnel? And how do I configure different priorities for the two DSCP bits; is this defined by the order of Service Policies?
Does the QoS have to be enabled on both ASAs for the inside interface?
Thanks in advance
Tobias
Hi Collin,
OK, so from the document I think this has to be added on both ASAs to prioritize DSCP 46. Could you have a quick look if this is all I need?
class-map voice_traffic
match dscp ef
class-map data
match tunnel-group <Tunnel Name>
match flow ip destination-address
policy-map voice_policy
class voice_traffic
priority
class data
police output 200000 37500
service-policy voice_policy interface outside
But there is still the question of how to configure another DSCP bit for priority 2; I could not find out how this is done, neither in the CLI nor in ASDM. Any ideas?
BR
Tobias
-
Site to Site tunnel: ESP request discarded
Hello. I've got a site to site tunnel configured in an ASA-5540 (8.3), and at first it was working fine. After several hours, the tunnel is disconnected and I see this log appear without stopping:
%ASA-7-710006: ESP request discarded from "tunnel IP peer" to outside_int:"my tunnel IP"
I can't figure out why the tunnel stops working or the meaning of this message. The explanation in Cisco documents doesn't fit my case.
Thanks.
Hi,
At the HQ ASA, at least the NAT0 configuration is wrong.
You have configured this:
nat (inside) 5 access-list inside_nat0_outbound
This isn't NAT0, however. It would be configured with ID 5 if you had corresponding "global" commands using ID 5 also. It would be a Dynamic Policy NAT/PAT.
The NAT0 configuration should use the ID 0.
If an existing NAT0 "nat" statement/configuration already exists then you would use the existing ACL to define the traffic that doesn't need NAT.
So your configuration should probably be this:
nat (inside) 0 access-list inside_nat0_outbound
I can't see a difference in the actual L2L VPN configurations, though there are some configurations that are not visible that might affect connectivity, BUT the above mentioned NAT0 configuration is clearly a problem.
Hope this helps
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
-
SNMP reporting down through Site to Site tunnel
Hello all,
I have a question that you might answer.
We monitor a Site to Site tunnel via SNMP and we receive a down message every 2 hours and 22 minutes. It automatically reports up again in less than a minute. This is reported because of SNMP traffic, not an unanswered ping.
The message looks like this:
Event: Down
Name: XXX
Document: Network
Address: W.X.Y.Z
Probe Type: SNMP Traffic (port 161 SNMPv1)
Condition:
Time since last reported down: 2 hours, 22 minutes, 28 seconds Device's up time: 184 days, 20 hours, 5 minutes, 43 seconds
Do you know what could cause this behaviour?
Thanks in advance.
Best regards,
Igor
Any ideas? Could it be any kind of VPN Site to Site timeout?
-
2800 w/ site-site tunnel using NAT and user tunnels
I am using a 2800 to terminate a site-site IPSec tunnel using a crypto map. It is also used to terminate several user tunnels.
Because of overlapping private address space there is a source NAT rule in place that overloads addresses prior to routing them across the site-site tunnel.
The problem is that the user tunnels are not able to communicate with any host located on the far end of the site-site tunnel. The site-site tunnel (and its NAT) works just fine for users coming from any other interface on the 2800.
Does anyone have any ideas? I've gone ahead and attached the existing configuration for those that are brave or incredibly smart :) It is a fairly trashed config though, and I'm still trying to clean it up from where it was.
Thank you VERY much ahead of time,
Steve
Duplicate posts. :P
Go here: http://supportforums.cisco.com/discussion/12152361/2nd-site-site-ipsec-tunnel-nat-traversal-setting-fail-establish-however-1st
-
How do I unsubscribe from Adobe Creative Cloud and cancel my Adobe ID? I have tried numerous times going to "Cancel my membership" on their site but it just goes through several steps and ends up where I began (i.e. Cancel my membership). Why is it so difficult to unsubscribe? Thanks for any advice. Lavandula
Adobe contact information will not help you. The Finnish sites are making the same loop. The worst thing is that they have sent me e-mail telling that my membership will continue after the first year automatically with a 60% higher price. I don't need to do anything; I will not continue the membership. It seems impossible to end it. The only solution seems to be to close the credit card.
-
ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate
I am facing strange issue on my asa and client Fortigate fw.
We have site to site tunnel with 3des and sha and DH-5 on asa
3des sha1 and dh-5 on Fortigate.
The tunnel came up when configured; after some time it went down and it is throwing the errors below. Please, someone help me here.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!   <<<< Please suggest if DH group 5 does not work with PSK.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
Hey All,
I experienced the same issue with another tunnel of mine. Lately I came to know it was a higher level of DH computation which my ASA was not able to perform, and an ASA reboot worked here. See the logs for the tunnel which came up after the reboot.
Error before reload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588) , : MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
ISAKMP phase completion after reload
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
SENDING PACKET to xx.xx.xx.xx
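The three ASA threads above (the Fortigate tunnel stuck in MM_WAIT_MSG2, the "Unable to compute DH pair" failure, and the logs before and after the reload) each leave a distinct trace in `debug crypto isakmp` and `show crypto isakmp sa`. The script below is an added example, not code from any of the posts: it reads a constructed sample made of the log lines quoted in those threads (their own X.X.X.X placeholders kept) plus one invented peer, 192.0.2.9, whose "All SA proposals found unacceptable" line is also constructed, and gives one short verdict per peer. The caveat it encodes: a "Phase 1 failure: Mismatched attribute types" line on its own is not a failure, because the ASA logs one for every non-matching policy it walks past before reaching "Oakley proposal is acceptable"; the reload thread shows exactly that.

```python
"""Triage IKEv1 Phase 1 from ASA 'debug crypto isakmp' and 'show crypto isakmp sa' text."""
import re
from collections import defaultdict

# Constructed sample: lines quoted in the threads above (the posters' own address
# placeholders) plus an invented peer 192.0.2.9 that genuinely has no matching policy.
SAMPLE = """\
1 IKE Peer: x.x.x.x
    Type : user Role : initiator
    Rekey : no State : MM_WAIT_MSG2
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Sep 01 12:00:00 [IKEv1 DEBUG]: IP = 192.0.2.9, processing SA payload
Sep 01 12:00:00 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Sep 01 12:00:00 [IKEv1]: IP = 192.0.2.9, All SA proposals found unacceptable!
"""

DEBUG_PEER_RE = re.compile(r"IP = (\S+?),")
SHOW_PEER_RE = re.compile(r"IKE Peer: (\S+)")
STATE_RE = re.compile(r"State : (\w+)")
MISMATCH_RE = re.compile(
    r"Phase 1 failure: Mismatched attribute types for class (.+?): Rcv'd: (.+?) Cfg'd: (.+)$")


def parse_events(text):
    """Yield (peer, kind, detail). 'Phase 1 failure' lines carry no address, so the peer is
    the one named by the most recent 'IP =' or 'IKE Peer:' line (the debug is sequential)."""
    peer = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEBUG_PEER_RE.search(line) or SHOW_PEER_RE.search(line)
        if m:
            peer = m.group(1)
        mismatch = MISMATCH_RE.search(line)
        state = STATE_RE.search(line)
        if "Unable to compute DH pair" in line:
            yield peer, "dh-compute-failed", line
        elif "Oakley proposal is acceptable" in line or "acceptable Matches global IKE entry" in line:
            yield peer, "proposal-accepted", line
        elif "All SA proposals found unacceptable" in line:
            yield peer, "no-policy", line
        elif mismatch:
            yield peer, "policy-mismatch", "%s: received %s, configured %s" % mismatch.groups()
        elif "Removing peer from peer table failed" in line:
            yield peer, "peer-never-established", line
        elif state:
            yield peer, "state", state.group(1)


def triage(text):
    """Return {peer: sorted list of verdict tags}."""
    events = defaultdict(list)
    for peer, kind, detail in parse_events(text):
        events[peer].append((kind, detail))
    verdicts = {}
    for peer, evs in events.items():
        kinds = {k for k, _ in evs}
        tags = set()
        if "dh-compute-failed" in kinds:
            tags.add("dh-compute-failed")        # policy matched, DH exchange itself failed
        if "proposal-accepted" in kinds:
            tags.add("proposal-accepted")        # earlier mismatch lines were only the policy walk
        elif "policy-mismatch" in kinds or "no-policy" in kinds:
            tags.add("no-matching-isakmp-policy")
        if "peer-never-established" in kinds:
            tags.add("peer-never-established")
        if ("state", "MM_WAIT_MSG2") in evs:
            tags.add("no-reply-from-peer")       # initiator sent MM1 and never got MM2 back
        verdicts[peer] = sorted(tags)
    return verdicts


if __name__ == "__main__":
    for peer, tags in triage(SAMPLE).items():
        print(peer, "->", ", ".join(tags))
```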
-
If I set Firefox as my default web browser, the help links on Adobe Dreamweaver and Flash's welcome screens don't connect to the help pages on Adobe's site. It just links to Firefox's start page and stops. The links work properly if Safari is set as the default browser. Please help.
== URL of affected sites ==
http://www.adobe.com
Hello,
Many site issues can be caused by corrupt cookies or cache. In order to try to fix these problems, the first step is to clear both cookies and the cache.
Note: ''This will temporarily log you out of all sites you're logged in to.''
To clear cache and cookies do the following:
#Go to Firefox > History > Clear recent history or (if no Firefox button is shown) go to Tools > Clear recent history.
#Under "Time range to clear", select "Everything".
#Now, click the arrow next to Details to toggle the Details list active.
#From the details list, check ''Cache'' and ''Cookies'' and uncheck everything else.
#Now click the ''Clear now'' button.
Further information can be found in the [[Clear your cache, history and other personal information in Firefox]] article.
Did this fix your problems? Please report back to us!
Thank you.
-
Hi, since updating to 10.7.2 I cannot make any changes to my web site. I just keep getting the same stupid message asking if I have an account even though I am already logged in. Any thoughts? Thanks
Go and log out of your MobileMe account and then try logging back in again with a dummy username and password. This can help clear it and then just log back in again with your normal username and password.
Note though that iWeb does not require a password or username to use it - this is MobileMe.
Also, start thinking about MobileMe alternatives before you are forced to in June.
-
I cannot connect to the iTunes Store, but my network connections are fine and I have tried everything on the iTunes support site. I just want to authorize my computer. Can anyone help?
If you are still having this type of problem after trying the winsock reset, refer to this article to identify which software in your system is inserting an LSP:
iTunes 10.5 for Windows: May see performance issues and blank iTunes Store
http://support.apple.com/kb/TS4123?viewlocale=en_US
-
Tunnel Traffic going inside IPSEC tunnel
Hi Everyone,
Site A has IP Sec Tunnel to Site B via ASA.
Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
Which command can I run on the ASA to know if IPSEC is carrying GRE tunnel traffic, or
what line in the ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
Thanks
Mahesh
Hi Jouni,
I can not put config here.
But here is the info
sh crypto map shows ASA outside interface say GGG this interface has ipsec connection to other site.
also sh conn all | inc GRE shows bunch of output.
It shows the ASA outside interface which is to the WAN, say GGG, 8 times, and it has, say, subnet range
GRE GGG 10.22.31.4 XY 10.x.x.x.x
GRE GGG 10.22.31.4 XY 10.x.x.x
GRE GGG 10.22.31.3
GRE GGG 10.22.31.3
GRE GGG 10.22.31.3
GRE GGG 10.22.31.4
GRE GGG 10.22.31.4
GRE GGG 10.22.31.4
Where XY is interface of ASA which is next hop to tunnel destination.
IP 10.x.x.x is the tunnel source IP which is loopback on the switch.
Do you know why it has 2 entries for same ASA interface XY ?
Also it has other entries for other ASA interface.
So does number of entries tell us number of GRE connections running ?
Thanks
Mahesh