Switch P2P to hub-spoke
Hello,
I would like to clearly understand: when I use P2P webcam or audio publishing, that is, when I use the recipientIDs array, if the app switches from P2P to the hub-spoke protocol for any reason, what exactly changes for the user?
Will the stream still be delivered to the users listed in recipientIDs, but with a different protocol which will involve the server and cost money (which P2P does not), or does it mean that the stream will be delivered to every user connected to the room, ignoring the recipientIDs value?
You probably understood that I don't really know what hub-spoke is exactly.
Thanks a lot
Seb
Hi,
So the hub-spoke and p2p protocols are room based. If your room stream connection is p2p based, then all streams, irrespective of recipientIDs being set or not, will be p2p, and similarly all streams will be hub-spoke if your room connection is hub-spoke, irrespective of recipientIDs. There is no mix and match of the two protocols in the room.
You can get the value of the current connection by using the streamManager.isP2P property, which says whether the connection will be hub-spoke or p2p. Every stream will follow that protocol.
I haven't tried p2p with recipientIDs but it should work fine.
Our default is p2p unless one of your connected users has some firewall, user limitation (in case of player 10), player version or connection (rtmfp or not). In that case, every stream seamlessly switches to hub-spoke, and vice versa from hub-spoke to p2p if that user is no longer there.
Hope this clears things
Thanks
Regards
Hironmay Basu
Similar Messages
-
[rspan in 'hub+spoke' topology]
Hi,
I have the topology depicted in the attached drawing.
What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
The configuration in general is working and looks like this:
HUB:
monitor session 1 destination interface Gix/y
monitor session 1 source remote vlan z
SPOKES:
monitor session 1 source interface Gix/y
monitor session 1 destination remote vlan z
As stated previously the environment is working, but...we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that span traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the rspan vlan (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down by the same amount being received by the network analyzer. When I add the vlan on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
Like I said, the rspan part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the span traffic to all uplinks, which is not what we want.
Two questions here:
1.- Is this the way rspan is supposed to work in this environment?
2.- if not, is there a way to turn off this behavior or does it sound like a bug to you?
Thanks in advance!
c.
Hello,
in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
Hope this helps! Please rate all posts.
Regards, Martin -
Full Mesh to Hub Spoke Connectivity
I have implemented MPLS VPN. Currently running as a full mesh connectivity. I
need to implement and configure a hub and spoke connectivity due to the
business requirement.
I have 4 spokes and 1 hub. Each spoke shouldn't communicate
with other spokes, only with the hub and vice versa.
What is the appropriate and best practise for me to implement and configure such a scenario?
Appreciate your feedback and opinion.
regards,
maher
ok keep all your config in as it is just now. The only issue (personal one I believe) is that you shall be using the same RD everywhere but that shouldn't matter. On your hub site add under the vrf something like route-target export 99:1. On one of your spoke sites add route-target export 99:2, then on the other spoke site route-target export 99:3, until you do them all to 99:x. Then go back to the hub site and do route-target import 99:2 all the way through to x. You can now remove your original route-targets and all shall be fine. A cleaner method would be to completely remove the vrf but that's prolly too much hassle and downtime for your liking :-)
HTH -
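The route-target scheme from the reply above, modelled as an added example (not code from the thread) to check that spokes only ever install hub routes. The spoke-side import of 99:1 and the leftover full-mesh target 99:100 are assumptions made for illustration; the post names only the export values and the hub imports.

```python
"""Route-target model for the hub-and-spoke VRF scheme in the reply above (added example)."""


def build_hub_spoke(spoke_count, asn=99):
    """Hub exports asn:1 and imports every spoke RT; spoke i exports asn:(i+1).

    Assumption (not stated in the post): each spoke imports only the hub RT.
    """
    hub_rt = f"{asn}:1"
    vrfs = {"hub": {"export": {hub_rt}, "import": set()}}
    for i in range(1, spoke_count + 1):
        spoke_rt = f"{asn}:{i + 1}"  # 99:2 .. 99:x, one per spoke
        vrfs[f"spoke{i}"] = {"export": {spoke_rt}, "import": {hub_rt}}
        vrfs["hub"]["import"].add(spoke_rt)
    return vrfs


def add_legacy_rt(vrfs, legacy_rt):
    """Copy of vrfs where the original full-mesh RT was never removed."""
    return {
        site: {"export": cfg["export"] | {legacy_rt},
               "import": cfg["import"] | {legacy_rt}}
        for site, cfg in vrfs.items()
    }


def installs_routes_of(vrfs):
    """For each site, the other sites whose routes its VRF imports."""
    learned = {}
    for site, cfg in vrfs.items():
        learned[site] = sorted(
            other for other, ocfg in vrfs.items()
            if other != site and cfg["import"] & ocfg["export"]
        )
    return learned


def spoke_to_spoke_leaks(vrfs):
    """(a, b) pairs where spoke a installs routes exported by spoke b."""
    learned = installs_routes_of(vrfs)
    return [
        (a, b)
        for a in sorted(learned) if a.startswith("spoke")
        for b in learned[a] if b.startswith("spoke")
    ]


if __name__ == "__main__":
    clean = build_hub_spoke(4)
    print("hub installs:", installs_routes_of(clean)["hub"])
    print("leaks (clean):", spoke_to_spoke_leaks(clean))
    # 99:100 is a hypothetical stand-in for the original full-mesh target.
    dirty = add_legacy_rt(clean, "99:100")
    print("leaks (legacy RT left in place):", len(spoke_to_spoke_leaks(dirty)))
```

The second case shows why the reply ends with removing the original route-targets: while the old shared target is still imported and exported, every spoke keeps installing every other spoke's routes.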
Hi,
Can anyone with a similar setup let me know if this will work, I'm due to have BT installed next month and due to where the sockets are located in my house compared to the current Virgin setup I'm going to have to do a bit of re-wiring so was wondering if anyone knows if this will work.
Devices on my home network are in two main locations and I'm trying to minimise the number of long cable runs.
Could I have in one location:
- The home hub and modem
- Connected via cat5 a linux server to the home hub
In a second location I have
- things like TV, media streaming box etc
Would it be possible to run a cat5 cable to a switch like this http://www.netgear.co.uk/business/products/switches/unmanaged-desktop-switches/gs108.aspx from the home hub
And would devices on the switch be able to see my linux box? My thinking is that the switch will autosense an uplink to the hub and let the hub provide things like dhcp.
Hoping it's not that mad a setup and someone has something similar!
There is no reason why this should not work but there are a few things to look out for:
1. You will need a crossover cable between the hub and the switch unless either device supports auto MDIX (the ability to detect what is on the other end of the cable and switch to either crossover or straight as required).
2. Speed and duplex issues are often an issue in mixed vendor environments. Setting everything to "auto" on both ends is not always the best bet as autonegotiation often fails. Best to "hard set" both ends to 1000 full duplex if possible.
As for the DHCP bit, assuming the stuff above is setup correctly then DHCP should work fine and your other devices should be able to see your linux server assuming you have setup the IP address correctly. -
I realise that it is possible to turn off wireless using the Hub Manager software, but why doesn't the WPS switch at the back of the hub work?
I enable this within Hub Manager; hold the switch down for a few seconds (as just pushing it has no effect); the wireless light then flashes yellow for a few minutes; it then turns itself back on and goes blue again! Doh!
The Hub Manager says that the button is not compatible with WEP security. Does this include WEP2?
Or is the choice between 'having an on-off button' or 'having security'?
Is this a bug which could be fixed in a firmware update?
Thanks!
WPS has nothing to do with turning the wireless off. Have a read of this which explains it all.
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Problem connecting belkin wemo switch to home hub ...
Have a belkin wemo switch which connected to network with no issues using old netgear router.
Now we have upgraded to BTs home hub 4, we cannot get the wemo device to connect to the network,
Has anyone else experienced this and are you able to offer us any advice?
The IP subnet is different on the home hubs. Reset your Belkin device to factory default, and set it up again, it should pick up the correct IP and subnet.
-
HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.
I can't seem to get by the errors. Phase 1 completes, then the errors start, 7.0.0.2 received non-routine notify message no proposal chosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local Proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, session being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. The other end the ASA5512 I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, received encrypted packet with no matching SA dropping.
I have searched the internet and found many results, however as changes are implemented I always end back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This is a test, soon to go into production. Thanks
Ken
ASA1# sho run
: Saved
ASA Version 9.1(2)
hostname ASA1
domain-name TEST1.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface GigabitEthernet0/0
nameif Outside
security-level 100
ip address 7.0.0.2 255.255.255.0
interface GigabitEthernet0/1
nameif AS1toR1
security-level 50
ip address 1.0.0.2 255.255.255.0
interface GigabitEthernet0/2
nameif AS1toR2
security-level 50
ip address 3.0.0.2 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns domain-lookup Outside
dns domain-lookup AS1toR1
dns domain-lookup AS1toR2
dns domain-lookup management
dns server-group DefaultDNS
name-server 201.201.201.201
domain-name TEST1.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-1.0.0.0
object network 2.0.0.0
subnet 2.0.0.0 255.255.255.0
object network 6.0.0.0
subnet 6.0.0.0 255.255.255.0
object network 7.1.0.0
subnet 7.1.0.0 255.255.255.0
object network 8.0.0.0
subnet 8.0.0.0 255.255.255.0
object network 9.0.0.0
subnet 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_4
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_2
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_6
network-object object 6.0.0.0
network-object object 9.0.0.0
access-list HEADEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu AS1toR1 1500
mtu AS1toR2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group AS1toR1_access_in in interface AS1toR1
access-group AS1toR2_access_in in interface AS1toR2
router ospf 1
network 1.0.0.0 255.255.255.0 area 0
network 3.0.0.0 255.255.255.0 area 0
network 7.0.0.0 255.255.255.0 area 0
log-adj-changes
route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
crypto dynamic-map DYNMAP 10 set pfs
crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 30
vpn load-balancing
interface lbpublic Outside
interface lbprivate AS1toR1
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
no anyconnect-essentials
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-network-list value HEADEND
default-domain value TEST1.CA
webvpn
activex-relay disable
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
nat-assigned-to-public-ip Outside
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
secondary-authentication-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 24
subscribe-to-alert-group configuration periodic monthly 24
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:022709234965ad8943628e790ed5ed1f
: end
ASA1#
ASA2# sho run
: Saved
ASA Version 8.2(5)
hostname ASA2
domain-name TEST2.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 14
interface Ethernet0/1
switchport access vlan 24
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 4
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan4
nameif management.
security-level 0
ip address 192.168.1.101 255.255.255.0
management-only
interface Vlan14
nameif Outside
security-level 100
ip address dhcp setroute
interface Vlan24
nameif Inside
security-level 50
ip address 6.0.0.2 255.255.255.0
ftp mode passive
dns domain-lookup management.
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name TEST2.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list REMOTEEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu management. 1500
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
router ospf 1
network 6.0.0.0 255.255.255.0 area 0
network 7.1.0.0 255.255.255.0 area 0
log-adj-changes
route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl REMOTEEND
eou allow none
http server enable
http 0.0.0.0 0.0.0.0 management.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map HQ2REMOTE 15 match address vpnend-to-hq
crypto map HQ2REMOTE 15 set pfs
crypto map HQ2REMOTE 15 set connection-type originate-only
crypto map HQ2REMOTE 15 set peer 7.0.0.2
crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
crypto map HQ2REMOTE 15 set reverse-route
crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE interface Outside
crypto isakmp enable Outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
enable Outside
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value REMOTEEND
default-domain value TEST2.CA
smartcard-removal-disconnect disable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *****
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group-map default-group 7.0.0.2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
: end
ASA2#
Jon,
Getting same errors as when we first started. Access list mismatch skipping dynamic map DYNMAP.
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
ASA1# Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:18:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 03 13:18:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 9389754e
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=9389754e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload: Address 7.1.0.2, Protocol 0, Port 0
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:18:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload: Address 7.0.0.2, Protocol 0, Port 0
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=ee315fa4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fffa05e1840, mess id 0x9389754e)!
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fffa05e1840) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:7adaeddd terminating: flags 0x0101c002, refcnt 0, tuncnt 0
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 03 13:18:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f9d973c5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 03 13:18:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
Mar 03 13:18:47 [IKEv1]Ignoring msg to mark SA with dsID 200704 dead because SA deleted
Mar 03 13:18:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:19:17 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 03 13:19:17 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3af2253f
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3af2253f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload: Address 7.1.0.2, Protocol 0, Port 0
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:17 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload: Address 7.0.0.2, Protocol 0, Port 0
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=d4ee1beb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3af2253f)!
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:47629a55 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 03 13:19:17 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=c7a1c363) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 03 13:19:17 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
Mar 03 13:19:17 [IKEv1]Ignoring msg to mark SA with dsID 204800 dead because SA deleted
Mar 03 13:19:17 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 13:19:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 03 13:19:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 3383044c
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=3383044c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload: Address 7.1.0.2, Protocol 0, Port 0
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 13:19:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload: Address 7.0.0.2, Protocol 0, Port 0
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=f717942f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9787e0, mess id 0x3383044c)!
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9f9787e0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:74a1793f terminating: flags 0x0101c002, refcnt 0, tuncnt 0
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 03 13:19:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=883e1938) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 03 13:19:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
Mar 03 13:19:47 [IKEv1]Ignoring msg to mark SA with dsID 208896 dead because SA deleted
Mar 03 13:19:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
ASA1# undebug all
ASA1#
ASA2#
ASA2#
ASA2# debug crypto isakmp 127
ASA2# Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE Initiator: New Phase 1, Intf Outside, IKE Peer 7.0.0.2 local Proxy Address 7.1.0.2, remote Proxy Address 7.0.0.2, Crypto map (HQ2REMOTE)
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ISAKMP SA payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 02 payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver 03 payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing SA payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Oakley proposal is acceptable
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received NAT-Traversal RFC VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Fragmentation VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing ke payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing nonce payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing Cisco Unity VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing xauth V6 VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send IOS VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, constructing NAT-Discovery payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ke payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing ISA_KE payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing nonce payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Cisco Unity client VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received xauth V6 VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, processing NAT-Discovery payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
Mar 03 08:58:34 [IKEv1 DEBUG]
ASA2# : IP = 7.0.0.2, processing NAT-Discovery payload
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, computing NAT Discovery hash
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Generating keys for Initiator...
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing ID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing dpd vid payload
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing ID payload
Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Computing hash for ISAKMP
Mar 03 08:58:34 [IKEv1 DEBUG]: IP = 7.0.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing VID payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Received DPD VID
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Oakley begin quick mode
Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator starting QM: msg id = ea585f90
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Keep-alive type for this connection: DPD
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Starting P1 rekey timer: 27360 seconds.
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE got SPI from key engine: SPI = 0xe5aab4b5
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, oakley constucting quick mode
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec SA payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec nonce payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing proxy ID
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Transmitting Proxy Id:
Local host: 7.1.0.2 Protocol 0 Port 0
Remote host: 7.0.0.2 Protocol 0 Port 0
Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending Initial Contact
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
Mar 03 08:58:34 [IKEv1 DECODE]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Initiator sending 1st QM pkt: msg id = ea585f90
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=ea585f90) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=602db3a7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing notify payload
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE RECEIVED Message (msgid=29ddd81f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, processing delete
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Connection terminated for peer 7.0.0.2. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, sending delete/delete with reason message
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing blank hash payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing IPSec delete payload
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, constructing qm hash payload
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, IKE_DECODE SENDING Message (msgid=2a8b25a9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE Deleting SA: Remote Proxy 7.0.0.2, Local Proxy 7.1.0.2
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Removing peer from correlator table failed, no match!
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, IKE SA MM:7362cee8 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Session is being torn down. Reason: User Requested
Mar 03 08:58:34 [IKEv1]: Ignoring msg to mark SA with dsID 217088 dead because SA deleted
Mar 03 08:58:34 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xe5aab4b5
ASA2# undebug all
ASA2#
Thanks,
Ken -
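Added example (not part of the original post and not Cisco code): a small Python triage of the ASA IKEv1 debug output above. It extracts the Phase 1 result, the proxy IDs this ASA transmitted in Quick Mode and the peer's notify; the function names and the notify table (a subset of the RFC 2408 notify types) are this example's own.

```python
import re

# Lines abridged from the ASA debug output above (same peer, same values).
SAMPLE_DEBUG = """\
Mar 03 08:58:34 [IKEv1]: IP = 7.0.0.2, Connection landed on tunnel_group 7.0.0.2
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, PHASE 1 COMPLETED
Mar 03 08:58:34 [IKEv1 DEBUG]: Group = 7.0.0.2, IP = 7.0.0.2, Transmitting Proxy Id:
Local host: 7.1.0.2 Protocol 0 Port 0
Remote host: 7.0.0.2 Protocol 0 Port 0
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Received non-routine Notify message: Invalid ID info (18)
Mar 03 08:58:34 [IKEv1]: Group = 7.0.0.2, IP = 7.0.0.2, Connection terminated for peer 7.0.0.2. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
"""

# ISAKMP notify error types, RFC 2408 section 3.14.1 (subset chosen for this example).
NOTIFY_MEANING = {
    14: "NO-PROPOSAL-CHOSEN: no acceptable proposal in common",
    18: "INVALID-ID-INFORMATION: peer refused the Quick Mode identities (proxy IDs)",
    24: "AUTHENTICATION-FAILED: peer could not authenticate the exchange",
}

STAMPED = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \[(IKEv1[^\]]*)\]: (.*)$")
PROXY = re.compile(r"^(Local|Remote) host: (\S+)\s+Protocol (\d+)\s+Port (\d+)")
NOTIFY = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")
TERM = re.compile(r"Connection terminated for peer (\S+)\.\s+Reason: (.+?)\s+Remote Proxy")
GROUP = re.compile(r"Connection landed on tunnel_group (\S+)")


def triage_ikev1(text):
    """Summarise one IKEv1 negotiation from ASA debug text."""
    result = {"phase1_completed": False, "tunnel_group": None,
              "proxy_ids": {}, "notifies": [], "terminated": None}
    in_proxy_block = False
    for raw in text.splitlines():
        line = raw.strip()
        stamped = STAMPED.match(line)
        if not stamped:
            # Proxy ID details are printed on continuation lines without a
            # timestamp; accept them only right after "Transmitting Proxy Id:".
            m = PROXY.match(line)
            if in_proxy_block and m:
                result["proxy_ids"][m.group(1).lower()] = {
                    "host": m.group(2),
                    "protocol": int(m.group(3)),
                    "port": int(m.group(4)),
                }
            continue
        msg = stamped.group(2)
        in_proxy_block = msg.endswith("Transmitting Proxy Id:")
        if "PHASE 1 COMPLETED" in msg:
            result["phase1_completed"] = True
        m = GROUP.search(msg)
        if m:
            result["tunnel_group"] = m.group(1)
        m = NOTIFY.search(msg)
        if m:
            result["notifies"].append((int(m.group(2)), m.group(1)))
        m = TERM.search(msg)
        if m:
            result["terminated"] = (m.group(1), m.group(2))
    return result


def diagnose(result):
    """Turn the parsed summary into a one-line pointer for the operator."""
    codes = [code for code, _ in result["notifies"]]
    if not result["phase1_completed"]:
        return "Phase 1 never completed: check ISAKMP policy, key and reachability"
    if 18 in codes:
        local = result["proxy_ids"].get("local", {}).get("host", "?")
        remote = result["proxy_ids"].get("remote", {}).get("host", "?")
        # A crypto ACL that is not mirrored on the peer is a common cause.
        return (f"Phase 1 up; peer rejected Quick Mode proxy IDs "
                f"local={local} remote={remote}: compare the crypto ACLs on both peers")
    if codes:
        return "Phase 2 failed: " + NOTIFY_MEANING.get(codes[0], f"notify type {codes[0]}")
    return "No failure notify found in this capture"


if __name__ == "__main__":
    summary = triage_ikev1(SAMPLE_DEBUG)
    print(summary)
    print(diagnose(summary))
```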
Connection fall back to hub-n-spoke
Hi,
I wonder if anyone here knows the answer... I am trying the p2p sample code. Every time, users can log in with the RTMFP protocol. But as soon as they start the audio or video, the connections fall back to hub n spoke mode. All Flash players are 10.0 or 10.1. I am using the source code for 10.0, and the SDK is updated. Any help would be appreciated.
Thanks
Danny
Thanks, Hironmay.
I guess I need to clarify one thing: it does state 'Current connection: Hub-spoke' in the right panel (I didn't give you the accurate text because it was based on my memory, sorry). And this text appeared whenever a second user connected to the room (flash player 10.1, same network). I think the connection did fall back, as the source code of the text change is the following:
protected function onConnectionTypeChange(p_evt:StreamEvent):void
{
    connChange.text += "Current Connection:" + ((sess.streamManager.isP2P)?"P2P":"Hub n Spoke") + "\n" ;
}
I think the isP2P is false when the switching happened.
Here is the new log I found today - it has something related to NetStream.Connect.Closed when the switching happened.
[SWF] C:\data\project\PrjRoot\lccsChatRoom\bin-debug\lccsChatRoom.swf\[[DYNAMIC]]\6 - 323,354 bytes after decompression
warning: unable to bind to property 'userManager' on class 'com.adobe.rtc.session::ConnectSessionContainer'
Wed Sep 1 07:26:08 GMT-0400 2010 LCCS SDK Version : 1.2.0 Player Version : WIN 10,1,53,64
07:26:08 GMT-0400 requestInfo https://connectnow.acrobat.com/wxg250/classroom1?mode=xml&glt=g:&x=0.04513606382533908
07:26:11 GMT-0400 authentication status: 200
07:26:11 GMT-0400 authentication request complete
07:26:11 GMT-0400 requestInfo https://connectnow.acrobat.com/wxg250/classroom1?gak=c2Vzc2lvbklEKmJSdEk0NmxYTmZHcXZybUNOd zdGcU0qYXBwTnVtKjEwMDgqYXBwSG9zdCpyb3hvMXoy&mode=xml&x=0.19403704069554806
07:26:11 GMT-0400 #TicketService# ticket received: 1u1ia5xp2vp5z
07:26:11 GMT-0400 Getting FMS at https://na2.collaboration.adobelivecycle.com/fms?ticket=1u1ia5xp2vp5z&proto=rtmfp, attempt #1/3
07:26:12 GMT-0400 result: <fms>
<origin>fms5.acrobat.com</origin>
<proto_ports>rtmfp:1935,rtmps:443</proto_ports>
<retry_attempts>2</retry_attempts>
</fms>
07:26:12 GMT-0400 protocols: [object ProtocolPortPair],[object ProtocolPortPair]
07:26:12 GMT-0400 [attempt 1 of 2] Connecting to 0/1: rtmfp://fms5.acrobat.com/cocomo/na2-sdk-63afa1af-db2b-413d-8b10-78c4b567889f/classroom1 #startProtosConnect#
07:26:12 GMT-0400 tempNetStatusHandler 0/2,NetConnection.Connect.Success
07:26:12 GMT-0400 isTunneling? false
07:26:12 GMT-0400 is using RTMPS? false
07:26:12 GMT-0400 RECEIVED LOGIN AT SESSION
07:26:12 GMT-0400 .user descriptor from server [object]
07:26:12 GMT-0400 \\
07:26:12 GMT-0400 .role [number]= 100
07:26:12 GMT-0400 .affiliation [number]= 100
07:26:12 GMT-0400 .userID [string]= WCD-4FE008C648440EF2992015B9
07:26:12 GMT-0400 .displayName [string]= D Wang
07:26:13 GMT-0400 RECEIVENODES UserManager
07:26:13 GMT-0400 receiveAllSynchData UserManager
07:26:13 GMT-0400 RECEIVENODES FileManager
07:26:13 GMT-0400 receiveAllSynchData FileManager
07:26:13 GMT-0400 checkManagerSync:[object FileManager]
07:26:13 GMT-0400 RECEIVENODES AVManager
07:26:13 GMT-0400 receiveAllSynchData AVManager
07:26:13 GMT-0400 checkManagerSync:[object StreamManager]
07:26:13 GMT-0400 RECEIVENODES RoomManager
07:26:13 GMT-0400 receiveAllSynchData RoomManager
07:26:13 GMT-0400 checkManagerSync:[object RoomManager]
07:26:13 GMT-0400 checkManagerSync:[object UserManager]
07:26:21 GMT-0400 mainNetStatusHandler: NetStream.Connect.Success
07:26:23 GMT-0400 mainNetStatusHandler: NetStream.Connect.Success
07:27:32 GMT-0400 mainNetStatusHandler: NetStream.Connect.Closed
07:27:32 GMT-0400 mainNetStatusHandler: NetStream.Connect.Success
07:27:32 GMT-0400 mainNetStatusHandler: NetStream.Connect.Closed
07:27:32 GMT-0400 mainNetStatusHandler: NetStream.Connect.Closed
07:27:32 GMT-0400 mainNetStatusHandler: NetStream.Connect.Closed
07:28:42 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:28:42 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:28:42 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:28:42 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
==========the following logs were generated after the second user closed the page --Danny's note===========
07:30:05 GMT-0400 mainNetStatusHandler: NetStream.Connect.Success
07:30:05 GMT-0400 mainNetStatusHandler: NetStream.Connect.Success
07:35:04 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:35:04 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:35:04 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange
07:35:04 GMT-0400 mainNetStatusHandler: NetConnection.Connect.NetworkChange -
Switch or Hub to "extend" network with WRT54GS
Hello...
I have the following...
DSL modem -> WRT54GS
Now...I have 2 computers, 1 Xbox360 and a PS3 running wired, as well as a Wii running wireless. I am adding another Xbox360 and find myself out of ports on the router, so.....I would like to "split" one of the connections into 2.
Is it better to use a switch, or a hub. I am probably going to do the PS3 and one of the Xbox's, and they won't be on at the same time, if that makes any difference.
What would you guys use??
You're most welcome!
Good luck setting up your new network. -
Hub and spoke VPN issue - probably simple
Hello,
I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites.
Site A: HQ and main PBX System - Cisco ASA 5520
Sites B-E: Remote Sites with PBX systems with ASA 5505's
I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part.
Refer to this short discussion for further reference
https://supportforums.cisco.com/message/4162268#4162268
Recently the customer started saying sometimes the call forwarding between sites isn't working correctly. Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly.
E.g.
Site B wants to talk to Site C
I need to initiate a ping on Site B to Site C which fails
Initiate a ping on Site C to Site B and the first packet drops, then the rest go through
Initiate Ping on Site B to Site C and all works just fine.
Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time.
This is happening for all remote sites. When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working.
Probably something simple I'm missing. Any help is greatly appreciated.
(Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)
The purpose of doing VPN is that you want 2 or more different networks to seamlessly become like 1 common network. Your class B network having 192.168.0.0 and class C networks 192.168.10.0 are in the same network since both are in the 192.168.x.x network. Try to consider changing the Class B network into 192.169.0.0 or you can change the Class C network into 192.169.10.0.
-
DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router
Hi Guys,
I'm in a mess, I have Cisco 877-K9 router which sits behind an ASA 5510 FW.
The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, my DMVPN configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vice versa.
I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site nor am I able to ping my LAN from any Spoke site.
I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
Thanks,
Aj.
Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
1) what RProtocol r u using?
a) It's OSPF
2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
a) I did the "show ip route" and both the HUB and Spokes get their routes defined
(on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
(I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
3) are your tunnels config correctly? try show crypto ipsec sa
a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
4) on your hub/spoke do a debug ip icmp
a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
Additional to the info above, Please also note :
I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
So I guess I'm stuck on the point that My Cisco HUB is unable to talk to my LAN, If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
From HUB router I'm able to ping clients behind Spokes.
Does that give any Ideas ?
Thanks in Advance.
Aj. -
Hi all,
I have 2 DMVPN HUBs and 20 spokes, and one of these has a strange DMVPN state - NHRP (what does it mean? I didn't find an explanation of whether that status is bad or good; does it mean that the spoke couldn't get the NBMA address of the HUB through NHRP?). Could anyone explain what it means?
#show dmvpn
Interface: Tunnel4, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb
     1  7.#.#.3         10.5.5.1         UP     1d18h    S
     1  7.#.#.4         10.5.5.2         NHRP   1d18h    S
Spoke's configuration.
interface Tunnel4
bandwidth 15000
ip address 10.5.5.20 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp map multicast dynamic
ip nhrp map multicast 7.#.#.3
ip nhrp map multicast 7.#.#.4
ip nhrp map 10.5.5.1 7.#.#.3
ip nhrp map 10.5.5.2 7.#.#.4
ip nhrp network-id 101
ip nhrp nhs 10.5.5.1
ip nhrp nhs 10.5.5.2
zone-member security outside
ip tcp adjust-mss 1380
delay 100
keepalive 10 3
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 111000
tunnel protection ipsec profile dmvpn
Marcin,
thank you again for the quick reply)
It is very strange, because I followed your troubleshooting steps and this is what I got below:
1.Spoke can ping NBMA address of two HUBs
2. Every HUB can reach NBMA address of spoke
3. I switched on debugging on the spoke and the HUBs and I see NHRP request packets to every HUB
Debug on spoke:
000332: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.1
000333: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.1 to NBMA 7.#.#.3
000334: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded. Tunnel IP addr 7.#.#.3
000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000336: May 23 10:47:53.408 MSK: src: 10.5.5.20, dst: 10.5.5.1
000337: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4
000338: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.1
000339: May 23 10:47:53.408 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
000340: May 23 10:47:53.408 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
000341: May 23 10:47:53.408 MSK: NHRP: Encapsulation succeeded. Tunnel IP addr 7.#.#.4
000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000343: May 23 10:47:53.408 MSK: src: 10.5.5.20, dst: 10.5.5.2
000344: May 23 10:47:53.408 MSK: NHRP: 120 bytes out Tunnel4
000345: May 23 10:47:53.408 MSK: NHRP: Resetting retransmit due to hold-timer for 10.5.5.2
000346: May 23 10:47:53.412 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel4, changed state to up
000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
000348: May 23 10:47:53.412 MSK: NHRP: netid_in = 0, to_us = 1
000349: May 23 10:47:53.412 MSK: NHRP: NHS 10.5.5.1 Tunnel4 vrf 0 Cluster 0 Priority 0 Transitioned to 'RE' from 'E'
000350: May 23 10:47:53.412 MSK: NHRP: NHS-UP: 10.5.5.1
000351: May 23 10:47:54.920 MSK: NHRP: Setting retrans delay to 4 for nhs dst 10.5.5.2
000352: May 23 10:47:54.920 MSK: NHRP: Attempting to send packet via DEST 10.5.5.2
000353: May 23 10:47:54.920 MSK: NHRP: NHRP successfully resolved 10.5.5.2 to NBMA 7.#.#.4
000354: May 23 10:47:54.920 MSK: NHRP: Encapsulation succeeded. Tunnel IP addr 7.#.#.4
000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000356: May 23 10:47:54.920 MSK: src: 10.5.5.20, dst: 10.5.5.2
and I don't see any logs related to this spoke on the second HUB!
So... NHRP packets are lost on the way to the second HUB, but I can't guess the reason why it happened -
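Added example (not from the original poster and not Cisco code): a Python tally, per configured NHS, of registration requests sent versus NHS-UP events in the spoke debug above, with the NHS list and NBMA mappings read from the posted Tunnel4 configuration. Function names are this example's own; the masked 7.#.#.x addresses are kept as posted.

```python
import re

# Lines abridged from the spoke configuration posted above.
SAMPLE_CONFIG = """\
interface Tunnel4
 ip nhrp map multicast dynamic
 ip nhrp map multicast 7.#.#.3
 ip nhrp map 10.5.5.1 7.#.#.3
 ip nhrp map 10.5.5.2 7.#.#.4
 ip nhrp nhs 10.5.5.1
 ip nhrp nhs 10.5.5.2
"""

# Lines abridged from the spoke debug output posted above.
SAMPLE_DEBUG = """\
000335: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000336: May 23 10:47:53.408 MSK: src: 10.5.5.20, dst: 10.5.5.1
000342: May 23 10:47:53.408 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000343: May 23 10:47:53.408 MSK: src: 10.5.5.20, dst: 10.5.5.2
000347: May 23 10:47:53.412 MSK: NHRP: Receive Registration Reply via Tunnel4 vrf 0, packet size: 112
000350: May 23 10:47:53.412 MSK: NHRP: NHS-UP: 10.5.5.1
000351: May 23 10:47:54.920 MSK: NHRP: Setting retrans delay to 4 for nhs dst 10.5.5.2
000355: May 23 10:47:54.920 MSK: NHRP: Send Registration Request via Tunnel4 vrf 0, packet size: 92
000356: May 23 10:47:54.920 MSK: src: 10.5.5.20, dst: 10.5.5.2
"""

MAP = re.compile(r"^\s*ip nhrp map (?!multicast\b)(\S+) (\S+)\s*$")
NHS = re.compile(r"^\s*ip nhrp nhs (\S+)\s*$")
DEBUG_LINE = re.compile(r"^\d+: \w{3} +\d+ [\d:.]+ \w+: (.*)$")
SRC_DST = re.compile(r"^src: (\S+), dst: (\S+)$")
NHS_UP = re.compile(r"NHS-UP: (\S+)")
RETRANS = re.compile(r"Setting retrans delay to (\d+) for nhs dst (\S+)")


def _new_entry():
    return {"nbma": None, "requests": 0, "registered": False, "retrans_delay": None}


def nhs_registration_report(config_text, debug_text):
    """Per-NHS view: NBMA mapping, requests sent, whether NHS-UP was logged."""
    report, nbma = {}, {}
    for line in config_text.splitlines():
        m = MAP.match(line)
        if m:
            nbma[m.group(1)] = m.group(2)
        m = NHS.match(line)
        if m:
            report[m.group(1)] = _new_entry()
    for nhs, entry in report.items():
        entry["nbma"] = nbma.get(nhs)

    awaiting_dst = False  # True right after a "Send Registration Request" line
    for line in debug_text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("NHRP: Send Registration Request"):
            awaiting_dst = True
            continue
        sd = SRC_DST.match(msg)
        if sd and awaiting_dst:
            # The destination of the request is printed on the following line.
            report.setdefault(sd.group(2), _new_entry())["requests"] += 1
        awaiting_dst = False
        up = NHS_UP.search(msg)
        if up:
            report.setdefault(up.group(1), _new_entry())["registered"] = True
        rt = RETRANS.search(msg)
        if rt:
            report.setdefault(rt.group(2), _new_entry())["retrans_delay"] = int(rt.group(1))
    return report


def unanswered(report):
    """NHS addresses that were sent requests but never logged NHS-UP."""
    return sorted(n for n, e in report.items() if e["requests"] and not e["registered"])


if __name__ == "__main__":
    rep = nhs_registration_report(SAMPLE_CONFIG, SAMPLE_DEBUG)
    for nhs, entry in rep.items():
        print(nhs, entry)
    print("no registration reply from:", unanswered(rep))
```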
Mac Mini G4 refuses to sleep due to KVM switcher
I have a KVM switcher + powered USB hub hooked up between my Mac Mini G4 and a PC- while the PC is able to enter standby mode, my Mac always wakes up within 3 seconds of entering sleep mode. Belkin tech support said this is due to the Mac receiving USB signals (albeit me not moving the mouse, touching the keyboard, etc), and told me to ask Apple how to disable this feature.
Ideally, I'd like the computer only to wake up from a keyboard signal, but the powered hub might be making that unfeasible. However, I'm okay with taking the Mac out of sleep mode by pressing the button on its back.
Can anyone tell me how to fix this (as my LCD monitor's output is beginning to suffer)?
Thanks,
Jamie
Hi, Jamie. Welcome to the Discussions.
1. You wrote: "I have a KVM switcher + powered USB hub"
It's unclear if you mean:
a. Two separate peripheral devices, i.e. KVM switchbox and a powered USB hub.
b. One peripheral device that performs both functions.
1.1. Which is it, (a) or (b)?
1.2. If (b), is the USB hub connected to each computer, or the KVM switchbox? If the former, try the latter. Don't connect the same USB hub directly to two computers.
2. You wrote: "Belkin tech support said this is due to the Mac receiving USB signals (albeit me not moving the mouse, touching the keyboard, etc), and told me to ask Apple how to disable this feature."
If you make any change to USB devices (power them on or off, connect or disconnect them) on a USB chain that connects to the Mac, then the Mac will wake.
This feature cannot be disabled: it is a function of the circuitry.
If you look at the "USB Ports" section of the "Devices and Ports" chapter of the Mac Mini G4 Developer Note, in the subsection entitled "USB Features" you will see:
"Wake Up From Sleep
USB devices can provide a remote wakeup function for the computer. The USB root hub in the computer is set to support remote wakeup whenever a device is attached to or disconnected from the bus. The keyboard that comes with the computer uses this method to wake the computer on a key press.
Connect and Resume
The Intrepid ASIC contains special circuitry that allows the computer to wake from sleep mode on connect, disconnect, and resume events. Compatible USB devices should support the USB-suspend mode defined in the USB specification."
Therefore, if you put your Mini to sleep, then connect, disconnect, power-on, or power-off a USB device on any USB chain connected to the Mini, the Mini will wake.
3. It may also be that either the KVM switchbox or USB Hub (whether alone or a combined device) could be defective. I once had a similar problem where I'd put one of my Macs to sleep and it would wake immediately. Turned out to be a bad Belkin USB hub. Removing the hub restored normal sleep function.
Good luck!
Dr. Smoke
Author: Troubleshooting Mac® OS X -
Is there a USB 3.0 Hub that really works with the Mac Mini?
My Mac Mini's four USB 3.0 ports work fine with my four USB Seagate GoFlex 3.0 hard drives. The drives mount at startup, and perform at expected USB 3.0 speeds. But, when I connect the drives to a USB 3.0 HUB to free up the Mac's USB ports for other devices, typically two of the USB Seagate drives will mount at startup, but two won't. There's a fix for this: after startup, I simply disconnect AC power from the drives that didn't mount, and reconnect the power a few seconds later. Now all my drives are mounted, they perform properly, and other USB devices connected to other Mac Mini USB ports (a mouse, a USB midi interface) work just fine as well. It's annoying, though, to have to perform this extra disconnect-reconnect step every time. I've tried two different USB 3.0 HUBs -- one from Uspeed and one from Satechi -- and I have exactly the same problem with both. Question: Is anybody else experiencing the same thing with a late 2012 Mac Mini and a USB 3.0 Hub? Has anybody found a 3.0 Hub that doesn't have this issue with the Mac Mini?
The USB 3.0 hub instability problems extend beyond the Mac-Mini, as addressed below.
At long last we're seeing progress in getting 2012 Macs to work with USB 3.0 hubs. As discussed on this and other discussion groups I've had a horrible time with my MacBook Pro Retina being unstable with USB 3.0 hubs. I know many of you have also or you wouldn't be reading this posting.
In June 2012 I bought one of the first 2012 MacBook Pro's with a Retina display. It's been a battle since with Apple selling what appears to be an incompatible or unstable system to effectively communicate with the USB 3.0 hubs. You'll see vendors now making comments that Apple is the source of the problem.
I've been through USB 3.0 issues with two MacBook Pro Retina laptops. I've also tested a Uspeed hub, with 3 portable USB 3.0 drives connected, at the Apple Store. This was on a newer model MacBook Pro Retina, and also on a 27" iMac. All had instances where drives failed to mount during the short period allowed for testing. (Because of time constraints, we were unable to test at the Store for spontaneous and unprovoked unmounting of drives connected to the hub. These problems have existed since the beginning on my rMBP.)
I am now on my 20th hub that has been purchased, or provided for testing. They varied from 4-Port to 10-Port powered hubs and involved 11 brand names. Comments were posted on Amazon, Tiger, and others for most of the ones purchased, and some that were tested. Some, like the HooToo specifically warned against use with Macs in the manufacturer's manual and, as I learned, for good reason. That was reflected in my comments for the drive on Amazon.
The Plugable 7-Port USB 3.0 powered aluminum-finish hub that I have been testing since October 13 was provided by Plugable after the first one, purchased through Amazon, was returned as unreliable. This 3rd, and newer generation Plugable hub uses the VIA VL812 chipset with the new version 90.81 firmware. My experience over the last 4+ weeks with this hub has been solid. While there have been problems with Eject errors, none were traced to the hub electronics. (Problems with intermittent connections at the cable connectors appeared to be the cause of the disconnect errors. Almost all of the failures were traced to intermittent Micro-B connectors, but that's another story.)
In addition to the greatly improved reliability of this hub, I find several features of this Plugable to be a plus including:
The plug engages fully to the "hilt" when plugged into the hub giving a solid connection, as occurs on the MacBook Pro Retina USB 3.0 ports. Other hubs typically had a gap between the "hilt" of the connecting end and the hub, allowing for lateral movement. With some hubs this allowed for intermittent connections if the cable was disturbed.
The on/off switch on the hub allows the hub to be powered down when not in use.
The full size Type-B connectors on the cable at the hub end engage solidly. Hubs with Micro-B connectors have presented intermittent connections in the cable connector.
The aluminum case looks attractive with Macs, IMO, but not a reason to buy.
Overall, Plugable's support is the best I've encountered. I've found their response to questions to be prompt and thorough. This, coupled with their online support articles has put them at the top of my list. They provide news and information that I've not found with other hub vendors.
The article titled "Plugable USB 3.0 7 Port Hub Firmware History" at the below link gives insight into the history of the problems that we've been having with the USB 3.0 hubs on Macs and the firmware updates, regardless of the brand of hub you have. Apparently, if you have the VIA VL 812 chipset, firmware version 85.81, you're in safe territory.
http://plugable.com/2013/10/30/plugable-usb-3-0-hub-firmware-upgrades2
(One of the Plugable hubs appears identical to the black 7-Port Uspeed hub, and both use the VIA VL 812 chipset. They appear to be from the same manufacturer with the real difference appearing to be in the VL812 version of the firmware in the hub.)
Some of the firmware can be upgraded, and some can't. Contact Plugable or Anker if you're affected.
Uspeed has made improvements, but they were still unstable as of the last one I received for testing. In her last reply on 10/13/13 Sunnie with AnkerDirect Customer Support stated:
Unfortunately, the new Firmware version (908x) does not work with the model "68UNHUB-B7U" you have. The hub below has much less complaints about Mac issue. We suggest that you order this one.
http://www.amazon.com/gp/product/B009Z9M3DY
AnkerDirect Customer Support
Note that the above hub recommended by Anker has an 8th port just for charging iOS devices. Some will see this as a plus. However, the lack of such a port is not seen as a big problem. It's easy and relatively inexpensive to purchase extra 5V power adapters for charging, which is my preference. Plugging and unplugging devices on a hub that is powered "On" presents the potential for movement of the cables. This could interrupt a cable connection and disconnect a drive during data transfer resulting in corrupted files. With 7 and 10 port hubs, and all the cables needed, this gets risky.
I believe the USB 3.0 hub issues we're having are the result of poor design of the Mac's USB 3.0 implementation at the start. Unstable hubs that I've had a friend with Windows 7 test, said they "performed like a dream" on his PCs. This indicates the problem is with Macs, not the (twenty) hubs I've used.
A statement from a support person dealing with USB 3.0 hubs tells what I've long suspected: " -- the evidence is pointing to something specific to the Apple design (perhaps external to the chipset, like the signal re-driver….."
If you're having USB 3.0 problems, be sure to let Apple know by sending in a Feedback comment to Apple at:
http://www.apple.com/feedback/
I'm told they read and treat the feedback seriously (although the duration of this USB 3.0 problem makes me wonder if Mavericks and iOS 7 haven't had a higher priority and distracted from this. Microsoft got USB 3.0 right, how about it Apple?) -
Hi,
I have a G5 running tiger (soon to be running leopard hopefully) with a DVI cinema display.
I have a PC that I use for testing my work on the Web. I was able to switch back and forth easily with a Belkin KVM switch back when I was using a VGA monitor. But I can't seem to find a KVM switch that works with my current setup.
Any suggestions?
Cheers!
Would this model work for me?
http://cgi.ebay.com/ATEN-2-port-USB-DVI-KVM-Switch-w-USB-HUB-CS-1762-New_W0QQitemZ200007236312QQcmdZViewItem