ASA 8.4 (3) - applying NAT breaks my tunnel from site to site - "Routing failed.

Similar Questions

• tunnel from site to site between router IOS and ASA

  I've combed through the configs on both sides of this tunnel 4 x now and the look of policies as they match. I applied the http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml note

  My crypto lsits access are good and my nat on the side of IOS are provided with a map of the route and look good. On the SAA traffic side on the side of the remote tunnel ASA is exempt from NAT. Each side already has a site to another tunnel configuration, so I added the appropriate lines to the existing cryptographic cards which include peers, transform set and match address 'access-list. The polcies crypto isakmp on both ends are compatible. I have attached some configs and debugs (from router IOS), but essentially the newspaper on the SAA starts with the phase 1 is complete and then routing not received notification message, no proposal chosen readings and then it goes to IKE lost the connection to a remote peer, connection, drop table correlator counterpart has failed, no match, the deletion and finally disconnected session reason lost service.

  Their other tunnel stay standing as well as the configuration of remote access vpn connection is good.

  I found a note that recommends checking any access security-list, so I removed the, but no luck, and a Cisco associated with a hub, but had a healthy logic

  Is displayed normally with the

  Cisco VPN 3000 correspondent

  message hub: no proposal

  Chosen (14). This is a result of the

  being host-to-host connections.

  The configuration of the router has the

  IPSec proposals ordered so that the

  proposal selected for the router

  with the access list, but not the

  peer. The access list has a larger

  network including the host that

  a cutting traffic.

  Make the router for this proposal

  hub to router connection

  first in line, so that it corresponds to the

  specific to the host first.

  but that didn't work either.

  Thank you

  Bill

  Bill,

  Take a look at this

  000610: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): need XAUTH

  000611: * 10:42:15.094 PCTime sep 27: ISAKMP: node set 920927400 to CONF_XAUTH

  000612: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute

  000613: * 27 sep 10:42:15.094 PCTime: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute

  000614: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): launch peer 74.92.97.166 config. ID = 920927400

  000615: * 27 sep 10:42:15.094 PCTime: ISAKMP: (2039): lot of 74.92.97.166 sending peer_port my_port 4500 4500 (R) CONF_XAUTH

  -Other - 000616: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

  000617: * PCTime 10:42:15.094 Sep 27: ISAKMP: (2039): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT

  It should not go to extend the authentication. Since you have the client and the L2L on the same router and clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the "No.-xauth" command after the pre-shared key

  Please implement the command:

  ISAKMP crypto keys in clear text address 74.92.97.166 No.-xauth

  Thank you

  Gilbert

• Tunnel from site to site ASA with U turn to config

  Hello

  I have a VPN tunnel site race between ASA 5510 (8.2) and Cisco PIX506 (remote site). I need allow remote users to surf the net. I was looking for in the documentation here and circulation activated to enter/exit the same interface on the ASA (same-security-traffic intra-interface permit), however it still something lack. I don't know how to fix this...

  ASA is configured for NAT inside customers to a single public IP address (VPN tunnel ends also at this interface)

  ASA:

  Global 1 208.x.x.x (outside)
  NAT (inside) - 0 no.-Nat-VPN access list
  NAT (inside) 1 0.0.0.0 0.0.0.0

  So when packets Internet comes through the tunnel, there need be sent on the same interface and NATted (but for the tunnel at work I had to exempt intrested NAT traffic). What is the cause of a problem?

  Hello

  NAT rules should be like this:

  Global 1 208.x.x.x (outside)
  NAT (outside) 1 mask x.x.x.x--> pool VPN

  With the foregoing, you are from the VPN clients out to the Internet.

  You can always leave the SHEEP ACL for the VPN itself traffic.

  Federico.

• ASA between tunnel from site to site

  Hello

  I have a site to tunnel between 2 ASAs. An ASA is behind the University and another in our data center. Unversity offers Internet services and they have the ASA that controls incoming traffic. We used to have problems of tunnel where the stale SAs were inactive and deleted in the center of data due to timeout or other unknown reasons. Subsequently discovered that ASA9.1.5 behind the University had the bug do not remove obsolete entries. After decommissioning of the code to 8.4.6 version we don't see any problems. And not work as usual. Unversity guy said that he added some ACL on the external interface to allow our Datacenter IP to forward VPN traffic.

  https://Quickview.cloudapps.Cisco.com/QuickView/bug/CSCup37416

  My Question even before adding these tunnels ACLs works but was not remove obsolete entries. I think that, after upgrade, it became stable. Unversity guys said after the addition of the ACL, it may have stabilized the question.

  Can anyone can highlight here what's happening?

  Thanks in advance.

  Hi Vishnu,

  Adding the ACL on the external interface doesn't have any report with the entries in table ASP for VPN traffic.

  ASP duplicate entries are caused from crypto ACL and interesting traffic.

  ASP table displayed duplicate entries ASP and traffic hit an entry ASP.
  that is out of date and the traffic on ITS special is blackholed which led to the interruption of the VPN traffic.

  It has no connection with the ACL interface.

  Hope it meets your request.

  Kind regards

  Aditya

  Please evaluate the useful messages.

• How to end a vpn connection from site to site on ASA 5510

  Hi guys,.

  I would like to know if there is a command that I can use to break a connection from site to site and restart it whenever I want.

  I don't want to use the close command since I use the specific interface as an exit point on the internet.

  In this case, you can configure just one incomplete crypto map entry, for example: just keep 'peers set' not configured until you establish the vpn tunnel, and then add the command "set by the peers.

  If you disable the tunnel, just remove the 'set by the peers' command for this particular VPN tunnel.

• ASA 8.4 (1) source-nat over vpn site-to-site

  I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to

  10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.

  network of the ServerA object

  host 10.1.0.1

  NAT 10.2.255.1 static (inside, outside)

  network of the object server b

  host 10.1.0.2

  NAT 10.2.255.2 static (inside, outside)

  the object server c network

  host 10.1.0.3

  NAT 10.2.255.3 static (inside, outside)

  the LOCAL_SUBNET object-group network

  object-network 10.2.255.0 255.255.255.128

  the REMOTE_SUBNET object-group network

  object-network 10.2.255.128 255.255.255.128

  VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET

  Thank you

  Your configuration is correct, but I have a few comments.  Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.

  Is your internet firewall as well? What your servers out of the internet?  They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is.  If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

  network of the ServerA_NAT object

  Home 10.2.255.1

  NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET

  This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic.  Of course, if this is not your internet connection firewall can do abstraction.

• ASA (v9.1) VPN from Site to Site with IKEv2 and certificates CEP/NDE MS

  Hi all

  I am currently a problem with VPN Site to Site with IKEv2 and certifiactes as an authentication method.

  Here is the configuration:

  We have three locations with an any to any layer 2 connection. I created each ASA (ASA5510 worm 9.1) to establish one VPN of Site connection to the other for the other two places. Setting this up with pre shared keys and certificates that are signed by the CA MS administrator manually work correctly.

  But when we try to enroll these certificates through the Protocol, CEP/NDE his does not work.

  Here are my steps:

  1 configure the CA Turstpoint to apply to the certification authority

  2. request that the CA through the SCEP protocol works fine

  3. set up a Trustpoint and a pair of keys for the S2S - VPN connection

  4. registration form identity certificate CA via the SCEP Protocol with a one time password works fine

  5. set the trustpoint created as for the S2S - VPN IKEv2 authentication method.

  Now I did it also for the other site of the VPN Tunnel. But when I ping on a host that is on a different location to make appear the Tunnel VPN - the VPN session is not established. In the debugs I see that there are a few problems during authentication of the remote peer.

  On the MS that I see that the certifactes of identity for both ASAs are communicated and not revoked or pending state. The certificate based on the model of the "IPSec (Offline).

  When the CA-Admin and a certificate me manually based on a copy of the model of "Domaincontroller" connection is successfully established.

  So I would like to know which is the correct certificate for IP-Sec peers template to use for the Protocol, CEP and MS Enterprise CA (its server 2008R2 of Microsoft Enterprise)?

  Anyone done this before?

  ASA requires that the local and Remote certificate contains EKU IP Security Tunnel Endpoint (1.3.6.1.5.5.7.3.6) (aka IP Security Tunnel termination). You can create a Microsoft CA model to add.

  If you absolutely must go with the 'bad' cert, there is a command

  ignore-ipsec-keyusage

  but it is obsolete and not recommended.

  Meanwhile at the IETF:

  RFC 4809

  3.1.6.3 extended Key use

  Extended Key Usage (EKU) indications are not required.  The presence
  or lack of an EKU MUST NOT cause an implementation to fail an IKE
  connection.
  

• ASA ASA from Site to Site VPN IPSec Tunnel

  Any help would be greatly appreciated...

  I have two devices Cisco ASA with a Site for the configuration of the tunnel VPN IPSec Site as follows: -.

  Site #1 - Cisco ASA running version 8.2 (1) with an internal range of 10.0.0.x/24

  Site #2 - Cisco ASA running version 8.2 (1) with an internal range of 10.1.1.x/24

  Site #1 is simple and has a dynamic NAT rule which translates all of the inside and the outside (public IP) of the SAA.

  Internet access works very well in all workstations of this site.  A static route is configured to redirect all traffic to a public router upstream.

  Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its interior IP address and 10.1.2.254/24 as its external IP address.  A dynamic NAT rule is configured to translate everything inside as the 10.1.2.254 (outside) address of the ASA.  A default static route is then configured to redirect all traffic to a Draytek device on 10.1.2.253.  This device then performs its own private Public NAT.  Again the Internet works fine all hosts inside the Cisco ASA (10.1.1.x)

  The IPSec tunnel is created with the networks local and remote endpoint as above (10.0.0.x/24) and (10.1.1.x/24).  The Draytek at the Site #2 device is configured with a form of DMZ that allows essentially ALL traffic toward the front directly on the external interface of the ASA (10.1.2.254).  The Phase 1 and Phase 2 negotiation of the tunnel ends correctly, and the tunnel is formed without any problem.  However, all traffic passing on networks ICMP does not end and the Syslog reports the following-

  Site #1-

  6

  January 19, 2011

  15:27:21

  302020

  ZEFF-SB-01_LAN

  1

  10.1.1.51

  0

  Built of outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  6

  January 19, 2011

  15:27:23

  302021

  10.1.1.51

  0

  ZEFF-SB-01_LAN

  1

  Connection of ICMP disassembly for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

  Site #2-

  6

  January 19, 2011

  15:24:47

  302020

  10.1.1.51

  0

  10.0.0.30

  1

  Built of outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1

  6

  January 19, 2011

  15:24:49

  302021

  10.0.0.30

  1

  10.1.1.51

  0

  Connection of disassembly for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1 ICMP

  It's the same for any form of traffic passing over the tunnel.  The ACL is configured to allow segments of LAN out to any destination.  At this point, I left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation given to the DMZ host configuration, it appears this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA interface outside).

  Anyone can shed light on a possible cause of this problem?

  Thank you

  Nick

  did you bypass the vpn traffic between 10.0.0 and 10.1.1 to be NAT - ed on the two ASA?

  Please provide the following information

  -set up the tunnel

  -show the isa cry his

  -show the ipsec cry his

  -ping of the site 1 site 2 via tunnel

  -capture "crypto ipsec to show his" once again

  -ping from site 2 to 1 by the tunnel of the site

  -capture "crypto ipsec to show his" once again

  -two ASA configuration.

• IPSEC VPN from Site to Site - NAT problem with address management

  Hi all

  I have two Cisco ASA 5505 performing of IPSEC Site to Site VPN. All traffic inside each firewall through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at the site B and launch of the ASDM or SSH, etc.

  The problem I have is when I'm logged on the ASA site B management traffic is given the external address. I created this as interesting traffic to get it to go through the VPN but I need to use the inside address of ASA B. The following is possible:

  • If I can make the ASA Site B to use inside interface as its address management (I already have management access to the inside Interface)
  • I have NAT can address external interfaces to Site B before moving through the VPN tunnel management traffic so that it appears to come from Site B inside the address
  • I can NAT VPN traffic as it appears in the Site A for management traffic to Site B on the right address.

  The problem is that my PRACTICE Please also come from this address and I need the application before being on an internal address to even if my CA.

  Thanks for any help.

  Ian

  Thanks, I understand what you are trying to achieve now.

  However, I think that I don't have good news for you. Unfortunately PEIE request can be initiated of the SAA within the interface, as there is no option to start the query from the inside interface. With other features of management such as AAA, logging, you have an option to specify what ASA desired originally to demand from interface, but CEP doesn't have this option.

  Here's how you can configure under the trustpoint crypto, but unfortunately by specifying the interface doesn't not part of option:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210

• Why Ai CC 2014, when I use a pathfinder on two objects tool, their anchor points break a bit from where they were? I search in all the nod to under VIEW options & could not find the culprit. Help, please!

  Why Ai CC 2014, when I use a pathfinder on two objects tool, their anchor points break a bit from where they were? I search in all the nod to under VIEW options & could not find the culprit. Help, please!

  It looks like "snap to grid of pixels" just once more.

  Uncheck the box "align new objects to the pixel grid" in the menu of the transformation Panel.

  Select the objects and uncheck "snap to grid of pixels" in the transformation Panel.

• ASA ASA Site2Site VPN with dynamic NAT in version 8.2

  I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.

  I have some local subnets:

  172.30.1.0/24
  172.30.16.0/24
  172.30.3.0/24
  172.30.12.0/24
  172.30.7.0/24
  172.30.35.0/24

  who will need to access a remote subnet:

  10.31.255.128/25

  and the requirement is to NAT the following text:

  A lot of requirement much NAT.
  172.30.1.0/24 NAT at 192.168.104.0/24
  172.30.16.0/24 NAT at 192.168.105.0/24
  172.30.3.0/24 NAT at 192.168.108.0/24
  172.30.12.0/24 NAT at 192.168.106.0/24
  172.30.7.0/24 NAT at 192.168.107.0/24
  172.30.35.0/24 NAT at 192.168.103.0/24

  When you go to the 10.31.255.128/25 subnet.

  Here's what I think, I need and I'm looking for confirmation and/or messages.

  Config group *.

  object-group, LAN using a NAT-NETWORKS
  192.168.104.0 subnet 255.255.255.0
  192.168.105.0 subnet 255.255.255.0
  192.168.108.0 subnet 255.255.255.0
  192.168.106.0 subnet 255.255.255.0
  192.168.107.0 subnet 255.255.255.0
  192.168.103.0 subnet 255.255.255.0

  Group of objects to REMOTE-network
  subnet 10.31.255.128 255.255.255.128

  ACL for the crypto-card *.

  REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK

  Config NAT

  NAT (inside) 10 172.30.1.0 255.255.255.0
  NAT (inside) 20 172.30.16.0 255.255.255.0
  NAT (inside) 30 172.30.3.0 255.255.255.0
  NAT (inside) 40 172.30.12.0 255.255.255.0
  NAT (inside) 50 172.30.7.0 255.255.255.0
  NAT (inside) 60 172.30.35.0 255.255.255.0

  Global (outside) 10 192.168.104.0 255.255.255.0
  Global (outside) 20 192.168.105.0 255.255.255.0
  Global (outside) 30 192.168.108.0 255.255.255.0
  Global (outside) 40 192.168.106.0 255.255.255.0
  Global (outside) 50 192.168.107.0 255.255.255.0
  Global (outside) 60 192.168.103.0 255.255.255.0

  This sets up the set of transformation which is called in the Crypto map.* *.

  Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac

  This sets up the Crypto map.* *.

  address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
  peer set card crypto outside_map 72 5.5.5.4
  card crypto outside_map 72 set transform-set REMOTE-SET ikev1
  outside_map card crypto 72 the value reverse-road

  Implements IKE *.

  IKEv1 crypto policy 72
  sha hash
  preshared authentication
  Group 2
  lifetime 28800
  3des encryption

  Sets up the Group of tunnel (connection profile) *.

  tunnel-group 5.5.5.4 type ipsec-l2l
  IPSec-attributes tunnel-group 5.5.5.4
  IKEv1 pre-shared-key * TBD *.

  Thank you

  Mike

  With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

• ASA 8.3 - SSL VPN - NAT problem

  Need help to find how to configure anyconnect VPN with VPN client using a NAT networking internal.

  There are many items on the side - how to disable NAT for vpn pool.

  I need to create the gateway VPN to the complex international lnetwork, vpnpool is out of range of regular subnet of that network, so it's going to be questions witout NAT routing.

  I so need to vpn clients connected to be PATed to . The problem is that there is also a dynamic to PAT rule for the ordinary acccess Iternet which translates as 'rules NAT asymmetry... "error.

  Create two times different NAT rules and moving them on up/down makes no difference. There are also some hidden rules of vpn setup :-(that could not be seen.

  V8.3 seems is destroying trust in Cisco firewall...

  Thank you.

  Stan,

  Something like this works for me.

  192.168.0.0/24---routeur--172.16.0.0/24 ASA-= cloud = host. (the tunnel he get IP address of 'over' pool, which is also connected to the inside)

  BSNs-ASA5520-10 (config) # clear xlate
  INFO: 762 xlates deleted
  BSNs-ASA5520-10 (config) # sh run nat
  NAT (inside, outside) static all of a destination SHARED SHARED static
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  BSNs-ASA5520-10 (config) # sh run object network
  network of the LOCAL_NETWORK object
  192.168.0.0 subnet 255.255.255.0
  The SHARED object network
  172.16.0.0 subnet 255.255.255.0
  BSNs-ASA5520-10 (config) # sh run ip local pool
  IP local pool ALL 10.0.0.100 - 10.0.0.200
  local IP ON 172.16.0.100 pool - 172.16.0.155
  BSNs-ASA5520-10 (config) # sh run tunne
  BSNs-ASA5520-10 (config) # sh run tunnel-group
  attributes global-tunnel-group DefaultWEBVPNGroup
  address pool ON

  If I get your drift... bypass inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via the proxy arp, but I'm not face or solution providers for remote access.

  Marcin

• ASA 8.4. (1) Nat ignored rules

  Hi all!

  I'm having some problems with NAT, the packet does not match the nat rule (which I believe it should be) and is not choose the right output interface. So card crypto never started

  This is the relevant config:

  Interface Port - channel2.4

  Description Public TESA ADSL internet connection

  VLAN 7

  nameif PublicTESA

  security-level 5

  address IP PUBLIC_IP1 255.255.255.128

  Interface Port - channel2.1

  BT internet connection, used for (VPN) platforms description

  VLAN 4

  nameif PublicBT

  security-level 5

  address IP PUBLIC_IP2 255.255.255.252

  Interface Port - channel1.1

  Description user VLAN

  VLAN 100

  nameif users

  security-level 70

  IP 172.16.30.10 255.255.255.0

  network of the net users object

  172.16.30.0 subnet 255.255.255.0

  NET description users

  object EXTERNAL_COMPANY_NAME-remote control-net-1 network

  Home 172.21.250.206

  Tunel l2l net remote 1 description

  object EXTERNAL_COMPANY_NAME-remote control-net-2 network

  172.21.248.0 subnet 255.255.255.0

  Tunel l2l description remote control 2 net

  object-group network EXTERNAL_COMPANY_NAME-Local-networking-group

  LANs Description L2L EXTERNAL_COMPANY_NAME

  users-net network object

  object-group network EXTERNAL_COMPANY_NAME-remote control-nets-group

  remote networks Description L2L EXTERNAL_COMPANY_NAME

  network-object POLCIA-remote control-net-1

  network-object POLICIA-remote control-net-2

  destination of EXTERNAL_COMPANY_NAME-Local-networks-EXTERNAL_COMPANY_NAME Local-networking-group static NAT (PublicBT everything) static source EXTERNAL_COMPANY_NAME-remote control-nets-group EXTERNAL_COMPANY_NAME-remote control-nets-group

  NAT (all, PublicTESA) dynamic source any description of the Nat interface to the internet at the PublicTESA interface

  RESULT:

  If I send a package from User Interface using 172.16.30.41 to 172.21.250.206, he was sent to PubicTESA do NAT with

  PUBLIC_IP1

  I recommend that you open a TAC case, then it can get properly studied.

• Shall not apply after break

  We have a 11r2 primary and standby running on RHEL 5. Lost primary network for a time and locked up VMWare connectivity. The administrator of the virtual computer restarted the primary VM (it was a hard-boot). All this happened while I was gone and when I'm at work, the primary database seems to work. I decided to dig deeper and discover the day before.

  On implementing standby...

  SQL> select * from v$archive_gap;
  
  Thread#: 1
  low_sequence: 123120
  high_sequence: 123120
  
  

  DGMGRL> show configuration
  
  Configuration - prodDB
       Protection Mode: MaxPerformance
       Databases:
            prodDB - Primary database
            prodDB2 - Physical standby database
  Fast-Start Failover: DISABLED
  Configuration Status:
  SUCCESS
  
  

  SQL> select count(*) from v$archived_log where applied='NO';
  
  Count(*): 107
  
  

  SQL> select process, client_process, thread#, sequence#, block#, status from v$managed_standby where process='MRP0' or client_process='LGWR';
  
  Process: MRP0
  Client_Process: N/A
  Thread#: 1
  Sequence#: 123120
  Block#: 0
  Status: WAIT_FOR_LOG
  
  Process: RFS
  Client_Process: LGWR
  Thread#: 1
  Sequence#: 128315
  Block#: 4686
  Status: IDLE
  
  

  DGMGRL> show database prodDB2;
  
  Role: PHYSICAL STANDBY
  Intended State: APPLY-ON
  Transport Lag: 2 days 3 minutes 53 seconds
  Apply Lag: 2 days 3 minutes 53 seconds
  Real Time Query: OFF
  Instance(s): prodDB
  
  

  It seems that all is well (just very far behind), but when I run the last block of code (see the prodDB2 database ;) once again...

  DGMGRL> show database prodDB2;
  
  Role: PHYSICAL STANDBY
  Intended State: APPLY-ON
  Transport Lag: 2 days 1 hour(s) 42 minutes 37 seconds
  Apply Lag: 2 days 1 hour(s) 42 minutes 37 seconds
  Real Time Query: OFF
  Instance(s): prodDB
  
  

  .. .He looks if the massive rear just increases. How can I make sure that everything is everything? I'm still learning Data Guard.

  Thank you

  Hello again;

  One thing you can try if you notice the use ASM and STANDBY_FILE_MANAGEMENT = AUTO on both is to create a tiny new tablespace and then do a log switch. If the new data file is displayed

  you got false information from Oracle. Also if you do not have ASM verify the physical location of the log. You can have transport work and not apply, or both not work or work by the way.

  
  

  Newspapers to alert on both sides are an excellent source of information. Side ensures says usually "waiting for journal...» "This compares to that of the last log on the primary side.

  
  

  Best regards

  
  

  mseberg
  

• ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

  Hi-

  We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
  We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

  Networks:

  Local: 192.168.1.0 (answering machine)
  Distance: 192.168.54.0 (initiator)

  See details below on our config:

  SH run card cry

  card crypto outside_map 2 match address outside_cryptomap_ibfw
  card crypto outside_map 2 pfs set group5
  outside_map 2 peer XX crypto card game. XX.XXX.XXX
  card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
  crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

  outside_map interface card crypto outside

  Note:
  Getting to hit numbers below on rules/ACL...

  SH-access list. I have 54.0

  permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
  permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
  access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

  SH run | I have access-group
  Access-group outside_access_out outside interface

  NOTE:
  WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

  HS cry his ikev1

  IKEv1 SAs:

  HIS active: 2
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 2

  1 peer IKE: XX. XX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE
  2 IKE peers: XXX.XXX.XXX.XXX
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  SH run tunnel-group XX. XX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX type ipsec-l2l
  tunnel-group XX. XX.XXX.XXX General-attributes
  Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
  tunnel-group XX. XX.XXX.XXX ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.

  SH run | I have political ikev1

  ikev1 160 crypto policy
  preshared authentication
  aes-256 encryption
  Group 5
  life 86400

  SH run | I Dynamics
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTE:
  To from 5512 at 5505-, we can ping a host on the remote network of ASA local

  # ping inside the 192.168.54.20
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

  Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

  The IPSEC tunnel check - seems OK?

  SH crypto ipsec his
  Interface: outside
  Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

  outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
  local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
  current_peer: XX. XX.XXX.XXX

  #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
  #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
  Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
  PMTU time remaining: 0, political of DF: copy / df
  Validation of ICMP error: disabled, TFC packets: disabled
  current outbound SPI: CDC99C9F
  current inbound SPI: 06821CBB

  SAS of the esp on arrival:
  SPI: 0x06821CBB (109190331)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3914789/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xCDC99C9F (3452542111)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
  slot: 0, id_conn: 339968, crypto-card: outside_map
  calendar of his: service life remaining (KB/s) key: (3913553/25743)
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

  SH cap CAP

  34 packets captured

  1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
  2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
  3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
  4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
  5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

  --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

  SH cap A2

  42 packets captured

  1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
  6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
  7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

  --> Package trace on 5512 does no problem... but we cannot ping from host to host?

  entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

  Phase: 4
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  class-map default class
  match any
  Policy-map global_policy
  class class by default
  Decrement-ttl connection set
  global service-policy global_policy
  Additional information:
  Direct flow from returns search rule:
  ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
  hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = output_ifc = any to inside,

  Phase: 5
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
  Additional information:
  Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
  Direct flow from returns search rule:
  ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
  hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = inside, outside = output_ifc

  ...

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 7422689 id, package sent to the next module
  Information module for forward flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_inspect_icmp
  snp_fp_translate
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Information for reverse flow...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_translate
  snp_fp_inspect_icmp
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat

  Result:
  input interface: inside
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

  Destination - initiator:
   
  entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
   
  ...
  Phase: 4
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.1.79/0 to 192.168.1.79/0
  ...

  Summary:
  We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
  But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

  Please let us know what other details we can provide to help solve, thanks for any help in advance.

  -SP

  Well, I think it is a NAT ordering the issue.

  Basically as static and this NAT rule-

  NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

  are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

  To check just run a 'sh nat"and this will show you what order everthing is in.

  The ASA is working its way through the sections.

  You also have this-

  NAT source auto after (indoor, outdoor) dynamic one interface

  which does the same thing as first statement but is in section 3, it is never used.

  If you do one of two things-

  (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

  or

  (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

  There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

  It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

  The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

  Then you can simply try to rearrange so your static NAT is above it just to see if it works.

  Just in case you want to see the document here is the link-

  https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

  Jon