ASA or 871 l2l ipsec to SSG - 140: tunnel is up, but no traffic
Hello
I am currently troubleshooting an ipsec VPN l2l between
1. ASA 7.2 (4) SSG - 140
2 cisco 871W to SSG - 140
In both scenarios the tunnel is well established and the traffic is in the tunnel, but nothing comes out. Of all the encap, but no decap
Looks a routing problem, but we cannot find anything on the two sites.
So maybe I m running in a (known) problem between equipment cisco VPN and SSG-140?
I've searched the forum, but can not find any idea on this subject.
If anyone has an idea the most welcome.
What is a proxy-id problem? Cause they set up stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255
Thanks in advance!
Tom, I have not seen the downloaded configs or poster. I would focus on the asa as it's easier to troubleshoot. You can use the ease of packet trace to verify that the syn is sent through the encrypted and external interface. Also gives you the ability to capture. Of course, the problem is that the traffic is encrypted. A syn packet is small and hard to distinguish. Try to send a ping from 10 to 1000 pkt size and see if you can locate in the capture (ipsec will add about 80 bytes). You will need to do a quiet moment to make it easier. Assuming that you can identify the packages, you can repeat the capture and ask someone to do the same thing at the remote end. Also, try to do the ping from the remote device and see if you can capture packets. My guess is that there is something wrong at the other end or a firewall drop packets (ip prot 50) esp. If you want to send the config, display, capture of the [email protected] / * / I can take a look. Matthew
Tags: Cisco Security
Similar Questions
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
-
Cisco ASA - l2l IPSEC tunnel two dynamic hosts
Hello
I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?
Hello
ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcrOn ASA, it is not possible to configure the tunnel between two dynamic peers.
You will need to have a static end to configure static to dynamic IP.For routers, you can follow this link.
I hope this helps.Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
L2l IPsec question: 0 packages decrypted!
Hello
We have implemented a solution for IPSec-l2l between HQ and remote sites. The last being a ship, we opted for the dynamic Ipsec l2l solution to static using two ASAs. However, the solution fails to certain ports. In fact, the tunnel is established and the packets are encrypted on the ASA remote. However, no packet is decrypted. HQ sees not all encrypted packets. It looks like something between the two does not prevent IPSec packets to reach the HQ...
How could ensure us that the solution works always regardless of any ACL or NAT between the two?
Excerpts of the "sh crypto ipsec his" cmd for a positive and result negative as well as the configuration of the remote control - ASA IPsec.
Distance - ASA # sh crypto isakmp his
Interface: outside
Tag crypto map: CMAP, seq num: 10, local addr: 172.16.1.215extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr, mask, prot, port): (10.240.192.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 146.40.75.33#pkts program: 28, encrypt #pkts: 28, #pkts digest: 28
decaps #pkts: 15, #pkts decrypt: 15, #pkts check: 15
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 28, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 172.16.1.215, remote Start crypto. : 146.40.75.33
Distance - ASA # sh crypto isakmp his
Interface: outside
Tag crypto map: CMAP, seq num: 10, local addr: 168.240.6.11extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr, mask, prot, port): (10.240.192.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 146.40.75.33#pkts program: 45, #pkts encrypt: 45, #pkts digest: 45
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 28, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 168.240.6.11, remote Start crypto. : 146.40.75.33
Remote control - ASA config
extended vpn ip 10.240.192.0 access list allow 255.255.255.0 10.0.0.0 255.0.0.0
10.240.192.0 IP Access-list extended sheep 255.255.255.0 allow 10.0.0.0 255.0.0.0
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0Crypto ipsec transform-set esp-sha-3des esp-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto CMAP 10 corresponds to the vpn address
card crypto CMAP 10 set pfs Group1
card crypto CMAP 10 set peer 146.40.75.33card crypto CMAP 10 value transform-set esp-3des-sha
card crypto CMAP 10 set phase 1-mode aggressive Group1
card crypto CMAP 10 set reverse-road
CMAP outside crypto map interface
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 1
life 86400
No encryption isakmp nat-traversaltunnel-group 146.40.75.33 type ipsec-l2l
IPSec-attributes tunnel-group 146.40.75.33
pre-shared key *.Thanks for your help!
Franc
Hello
The first output shows two packets encrypted/decrypted on the ASA remote.
At this point, the VPN worked very well? What was different?
The second output shows encrypted packets on the ASA remote but no decrypted.
You mentioned that the HQ site does not show decrypted packets either.
It seems that the ASA remote sends the traffic in the tunnel, but they never reached the HQ site.
This can happen when there is a problem of route, NAT problem or some sort of VPN filter.
To understand this better explain what the difference was between the first and the second scenario.
Federico.
-
Client VPN und Cisco asa 5505 tunnel work but no traffic
Hi all
I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.
I have the following problem:
I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.
To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.
Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.
After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.
I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).
What I did wrong. Could someone let me know what I have to do today.
With hope for your help Dimitri.
ASA configuration after reset and basic configuration: works to the Internet from within the course.
: Saved
: Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010
!
ASA Version 8.2 (2)
!
ciscoasa hostname
activate 2KFQnbNIdI.2KYOU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
PPPoE client vpdn group home
IP address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 194.25.0.60
Server name 194.25.0.68
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session
inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session
inside_access_in list extended access deny ip any any debug log
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-625 - 53.bin
ASDM location 192.168.0.0 255.255.0.0 inside
ASDM location 192.168.10.0 255.255.255.0 inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
VPDN group home request dialout pppoe
VPDN group House localname 04152886790
VPDN group House ppp authentication PAP
VPDN username 04152886790 password 1
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
TFTP server 192.168.1.5 inside c:/tftp-root
WebVPN
Group Policy inner residential group
attributes of the strategy of group home group
value of 192.168.1.1 DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list homegroup_splitTunnelAcl
username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn
user01 username attributes
VPN-strategy group home group
tunnel-group home group type remote access
attributes global-tunnel-group home group
address homepool pool
Group Policy - by default-homegroup
tunnel-group group residential ipsec-attributes
pre-shared-key ciscotest
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
: end
Hello
Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).
If you connect via VPN, check the following:
1. the tunnel is established:
HS cry isa his
Must say QM_IDLE or MM_ACTIVE
2 traffic is flowing (encrypted/decrypted):
HS cry ips its
3. Enter the command:
management-access inside
And check if you can PING the inside ASA VPN client IP.
4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).
Federico.
-
WRVS4400N ASA 5540 L2L IPSec connection
I have a remote WRVS4400N with a dynamic outside the address that opens a connection to an ASA 5540 with a static address.
I'm all set on the side of the ASA. My questions concern the 4400N. It does not seem to have a very robust configuration/configuration available for L2L tunnels. For one my encryption is limited to 3DES.
But I wonder if I'm missing something in the config. I have to configure L2L tunnels to two other firewalls. One firewall has 3 non-contiguous networks, and the other has 2. I have 5 tunnels configuration, this is the only way? What I'd like to see is 2 tunnels, one for each firewall distance, but then each tunnel would have access to networks (like on the side of the ASA), is anyway to do this? Perhaps a useful command line for this unit?
My other question concerns the tunnel-groups I've implemented on my ASA, and I do not want to use the proper names... However I can't seem to find a way to allow this to happen on the side of 4400N... I mean, I need a way to create a 'keyword' identifier or a "firewall identifier" on the 4400N and I do not see an appropriate field in the web interface. Someone at - it ideas?
Thanks in advance.
Hi WS, the WRVS router does not support a complete tunnel configuration or routes to have a multi site configuration. You would need a separate tunnel for each location.
Traditionally, the WRVS router was not a good game on any platform ASA. In most cases, I saw when a tunnel has put in place will be the router WRVS crash in an hour or less due to low memory. If you run a scenario where the WRVS stops responding or the tunnel down, this is the likely scenario.
I highly recommend is not to use the WRVS router for all tunnel with the ASA. If you are looking to stay in the field of small business, a RV220W or a RV042 router would be a much more suitable match.
-Tom
Please mark replied messages useful -
L2l IPSec VPN blocks SQL (ASA v8.4)
Good evening everyone,
I have an ASA 5510 8.4 (2) which has an IPSec VPN site to a 3rd party who run a form any checkpoint running. VPN establishes and allows to access a server in our demilitarized zone on all the ports that we tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL that does not even reach the server. I've got Wireshark running on the DMZ server and if the 3rd party initiates a conversation of TCP of their server on any of the ports on the server I see all desired packages come with the correct IPs ETC (without NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server on our DMZ zone packets do not reach the level of the server. What I see is the number of bytes of RX on the VPN increases whenever the query is run, but certainly not arriving on the SQL Server.
Also if I come back to the ASA to the old PIX, it replaced with the same VPN configuration but on version 7.x, then it works fine.
While I find some time to clean up the config this weekend, I have ideas.
Thank you very much
Simon.
Hi Simon,.
If you look at the options sys in the ASDM he advises that you still need ACL for traffic. As I understand it, in the old days, when you were in as you pointed out. If you set the ports in this group then Yes, it's a whole and potentially your only protection is the NAT or his absence.
I would like to add an another ACE to the external interface, which allows the source to you DMZ host (see below)
Object-group service GROUP SQL-tcp PORTS
EQ port 1433 object
EQ object Port 1434
Port-object eq 1521
outside_access extended access list permit tcp host 192.168.100.30 DMZ_158-group of objects SQL-PORTS object
Concerning
-
Hello
I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.
Thank you all,.
Jérôme
Hello
It seems that you are missing some required configuration. See the link below...
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml
HTH
MS
* Rate of useful messages *.
-
ASA with several L2L VPN Dynamics
I have an ASA 5510 such as VPN, used for about 30 L2L - VPN concentrator.
I need also some VPN L2L with dynamic peer remote.
While the configuration for a single dyn - VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn - VPN?
Basically, all the VPN - dyn must use the same PSK (the DefaultL2LGroup).
But using the "aggressive" on the remote peer mode, I could use a different PSK for every dyn - VPN:
tunnel-group ipsec-attributes ABCD
pre-shared-key *.
This configuration is correct?
Best regards
Claudio
Hello
Maybe the solutions provided in the following document may also be an option to configure multiple dynamic VPN L2L connections on the SAA
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
-Jouni
-
ASA 5505 VPN to IPSec website DOES NOT CONNECT
I spent 2 days already to try to get 2 ASA 5505 to connect by using an IPSec vpn tunnel. I can't understand what im doing wrong, I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I am trying to connect via a link directly connected on the outside with 50.1.1.1 and 50.1.1.2 interfaces such as addresses (all 24). I also tried with and without active NAT. Here is for both of the ASA configs, the vpn config was conducted by the ASDM, but I also tried the approach of the command-line without success. I followed various guides to the letter online, starting with an empty config and factory default. I also tried the IOS 8.4.
ASA 1 Config ASA 8.3 Version (2)
!
VIC hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.97.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa832 - k8.bin
passive FTP mode
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.97.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
Config ASA2 ASA 8.3 Version (2)
!
hostname QLD
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
passive FTP mode
network of the SITEA object
192.168.97.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
outside_1_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 object SITEA
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 static destination SITEA SITEA
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.100.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 50.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 50.1.1.1 type ipsec-l2l
IPSec-attributes tunnel-group 50.1.1.1
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: end
Hello Mitchell,
Thanks for letting us know the resolution of this topic.
Please answer the question as answered so future users can learn from this topic.
Kind regards
Julio
-
L2l IPSec VPN 3000 and PIX 501
Hello
I have a remote site that has a broadband internet connection and uses a PIX 501. We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.
I followed the following documentation:
However the L2L session does not appear on the hub when I check the active sessions.
The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.
Any help or advice are appreciated.
I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.
For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.
Here is an example of sample config
I hope this helps!
-
ASA 55xx Defintion "Max IPSec Sessions.
Hello
I was responsible for the modernization of our current remote site VPN Tunnel project.
Rather than the collection of different configurations and protocols, I want to standardize it
so that all every site has an IPSec Tunnel from Site to Site.
I just need to clarify the definition of 'Site to site and remote access VPN maximum Sessions'
to help me decide in which ASA 5500 model I need.
(http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html)
We will need the connections for connections site to site 210,
each location has a static WAN IP address and a subnet.
So, I guess that the 5510, with its 250 ' maximum session limit "would be OK for our needs?
However, will be the "Maximum virtual interfaces (VLANS)", which is only 50, limit me - makes a VPN site-to site class tunnel as a virtual interface?
Or is there some other limiting factors that I need to consider?
Thanks a lot for your time,.
Chris Herridge
Chris
One site to the other tunnel do not catalogue as a virtual interface. So you shouldn't have a problem with this aspect.
I suggest that you get (or upgrade to) the Security Plus license - which increases many things including the number of virtual interfaces.
With 210 remote sites, I wonder what that the amount of traffic you are dealing with and if put through the 5510 could be a problem. If you look at the 5520, you get much more memory and a better/more battery power to provide more capacity.
HTH
Rick
-
ASA Cisco IPSEC VPN tunnel has not managed the traffic
Hi guys
I am trying to set up a new connection IPSEC VPN between a Cisco ASA 5520 (verion 8.4 (4)) and Checkpoint Firewall. I managed to establish the phases IKE and IPSEC and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the cryptomap both ends and try to test with a contionuous ping from within the network of the SAA.
I made a screenshot of ICMP packets but cannot see in ASA. I welcomed the icmp inside ASA interface.
I did a package tracer and it ends with a fall of vpn - filter the packets. But can not see any configured filters...
Your help is very appreciated...
Thank you
You probably need to add nat negate statements:-something like.
object-group network OBJ-LOCAL
Network 10.155.176.0 255.255.255.0
object-group network OBJ / remote
object-network 192.168.101.0 255.255.255.0
NAT static OBJ-LOCALOBJ-LOCAL source destination (indoor, outdoor) static OBJ-REMOTE OBJ-REMOTE-no-proxy-arpYou are running 8.4 nat 0 has been amortized
-
ASA 5505 VPN Client Ipsec config problems
I configured the asa the wizard to Setup vpn, but this still does not work properly. Vpn connect without problem, but I can't access all the resources on the 192.168.1.x subnet. Don't know what I'm missing here, here's a copy of my config.
ASA Version 8.0 (3)
!
host name
domain name
activate the password
names of
!
interface Vlan1
nameif inside
security-level 100
192.168.1.3 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
"Public ip" 255.255.255.0 IP address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 192.168.1.28
domain fmrs.org
GroupVpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
vpngroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access will permit a full
inside_nat0_outbound list of allowed ip extended access all 192.168.99.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
inside_access_in to access ip 192.168.1.0 scope list allow 255.255.255.0 any
access extensive list ip 192.168.99.0 inside_access_in allow 255.255.255.0 any
inside_access_in list of allowed ip extended access all 192.168.99.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.99.2 - 192.168.99.100 255.255.255.0 IP local pool GroupPool
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 602.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 192.168.1.0 255.255.255.0
public static tcp (indoor, outdoor) interface 192.168.1.62 pptp pptp netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 66.76.199.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
RADIUS protocol AAA-server fmrsdc
fmrsdc AAA-server 192.168.1.28
Timeout 5
fmrsasa key
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
Console timeout 0
dhcpd outside auto_config
!a basic threat threat detection
Statistics-list of access threat detection
GroupVpn internal group policy
GroupVpn group policy attributes
value of server WINS 192.168.1.28
value of server DNS 192.168.1.28
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list GroupVpn_splitTunnelAcl
FMRs.org value by default-field
ID password cisco
tunnel-group GroupVpn type remote access
attributes global-tunnel-group GroupVpn
address pool GroupPool
authentication-server-group fmrsdc
Group Policy - by default-GroupVpn
IPSec-attributes tunnel-group GroupVpn
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b5df903e690566360b38735b6d79e65e
: endPlease configure the following:
ISAKMP nat-traversal crypto
management-access inside
You should be able to ping of the SAA within the IP 192.168.1.3
-
8.2 ASA failure phase2 ike ipsec
I used the wizard to access remote vpn, IPSEC on an ASA 5510 security + running os version 8.2.
Group: adminsbbs
User: adminuser
When connecting using the client, it says «fixing communications...» "and then it flashes and it is disconnected. Hoping the following debug output to help you will help me, so I didn't enter the config.
What seems to be the cause of failure of the phase 2 of IKE?
Since the ASA device:
asa01 # 29 dec 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
29 Dec 18:54: 16 [IKEv1]: IP = 3.4.249.124, connection landed on tunnel_group adminsbbs
29 Dec 18:54: 16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA proposal # 1, transform # 10 entry overall IKE acceptable matches # 1
29 Dec 18:54: 16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, (adminuser) user authenticated.
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, transaction mode attribute unhandled received: 5
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, Type of Client: Mac OS X Client Application Version: 4.9.01 (0100)
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, assigned private IP 172.16.20.1 remote user address
29 Dec 18:54: 26 [IKEv1 DEBUG]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM completed
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
29 Dec 18:54: 26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD
29 Dec 18:54: 26 [IKEv1 DEBUG]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, timer to generate a new key to start P1: 82080 seconds.
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, data received in payload ID remote Proxy Host: address 172.16.20.1, protocol 0, Port 0
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs, username = adminuser, IP = 3.4.249.124, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, QM IsRekeyed its not found old addr
29 Dec 18:54: 26 [IKEv1 DEBUG]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, remote peer IKE configured crypto card: outside_dyn_map
29 Dec 18:54: 26 [IKEv1 DEBUG]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, ITS processing IPSec payload
29 Dec 18:54: 26 [IKEv1]: Phase 2 failed: Mismatched types of class attributes Mode of Encapsulation: RRs would be: UDP Tunnel(NAT-T) Cfg would be: Transport UDP
29 Dec 18:54: 26 [IKEv1]: Phase 2 failed: Mismatched types of class attributes Mode of Encapsulation: RRs would be: UDP Tunnel(NAT-T) Cfg would be: Transport UDP
29 Dec 18:54: 26 [IKEv1]: Phase 2 failed: Mismatched types of class attributes Mode of Encapsulation: RRs would be: UDP Tunnel(NAT-T) Cfg would be: Transport UDP
29 Dec 18:54: 26 [IKEv1]: Phase 2 failed: Mismatched types of class attributes Mode of Encapsulation: RRs would be: UDP Tunnel(NAT-T) Cfg would be: Transport UDP
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs, username = adminuser, IP = 3.4.249.124, IPSec security association proposals found unacceptable.
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, error QM WSF (P2 struct & 0xcca2f140, mess id 0x374db953).
29 Dec 18:54: 26 [IKEv1 DEBUG]: Group = adminsbbs, name of user = adminuser, IP = 3.4.249.124, case of mistaken IKE responder QM WSF (struct & 0xcca2f140)
, : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2 EV_COMP_HASH 29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, Removing counterpart of table Correlator has failed, no match!
29 Dec 18:54: 26 [IKEv1]: Group = adminsbbs username = adminuser, IP = 3.4.249.124, Session is be demolished. Reason: Phase 2
29 Dec 18:54: 26 [IKEv1]: ignoring msg SA brand with Iddm 102400 dead because ITS removal
29 Dec 18:54: 26 [IKEv1]: IP = 3.4.249.124, encrypted packet received with any HIS correspondent, drop
The client connection:
Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All rights reserved.
Type of client: Mac OS X
Running: Darwin Darwin Kernel Version 10.5.0 10.5.0: Fri Nov 5 23:20:39 PDT 2010. root:XNU-1504.9.17~1/RELEASE_I386 i386
365 19:09:13.384 29/12/2010 Sev = Info/4 CM / 0 x 43100002
Start the login process
366 19:09:13.385 29/12/2010 Sev = WARNING/2 CVPND / 0 x 83400011
Send error - 28 package. ADR DST: 0xAC10D5FF, ADR Src: 0xAC10D501 (DRVIFACE:1158).
367 19:09:13.385 29/12/2010 Sev = WARNING/2 CVPND / 0 x 83400011
Send error - 28 package. ADR DST: 0xAC107FFF, ADR Src: 0xAC107F01 (DRVIFACE:1158).
368 19:09:13.385 29/12/2010 Sev = Info/4 CM / 0 x 43100004
Establish a connection using Ethernet
369 19:09:13.385 12/29/2010 Sev = Info/4 CM / 0 x 43100024
Attempt to connect with the server "1.2.0.14".
370 19:09:13.385 12/29/2010 Sev = Info/4 CVPND / 0 x 43400019
Separation of privileges: binding to the port: (500).
371 19:09:13.387 29/12/2010 Sev = Info/4 CVPND / 0 x 43400019
Separation of privileges: binding to the port: (4500).
372 19:09:13.387 29/12/2010 Sev = Info/6 IKE/0x4300003B
Attempts to establish a connection with 1.2.0.14.
373 19:09:13.471 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 1.2.0.14
374 19:09:13.538 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
375 19:09:13.538 29/12/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
376 19:09:13.538 29/12/2010 Sev = Info/5 IKE / 0 x 43000001
Peer is a compatible peer Cisco-Unity
377 19:09:13.538 29/12/2010 Sev = Info/5 IKE / 0 x 43000001
Peer supports XAUTH
378 19:09:13.539 29/12/2010 Sev = Info/5 IKE / 0 x 43000001
Peer supports the DPD
379 19:09:13.539 29/12/2010 Sev = Info/5 IKE / 0 x 43000001
Peer supports NAT - T
380 19:09:13.539 29/12/2010 Sev = Info/5 IKE / 0 x 43000001
Peer supports fragmentation IKE payloads
381 19:09:13.622 29/12/2010 Sev = Info/6 IKE / 0 x 43000001
IOS Vendor ID successful construction
382 19:09:13.622 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 1.2.0.14
383 19:09:13.623 12/29/2010 Sev = Info/6 IKE / 0 x 43000055
Sent a keepalive on the IPSec Security Association
384 19:09:13.623 29/12/2010 Sev = Info/4 IKE / 0 x 43000083
IKE port in use - Local Port = 0 x 1194, Remote Port = 0 x 1194
385 19:09:13.623 29/12/2010 Sev = Info/5 IKE / 0 x 43000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is behind a NAT device
386 19:09:13.623 29/12/2010 Sev = Info/4 CM/0x4310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
387 19:09:13.639 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
388 19:09:13.639 29/12/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
389 19:09:13.639 12/29/2010 Sev = Info/4 CM / 0 x 43100015
Launch application xAuth
390 19:09:13.825 12/29/2010 Sev = Info/4 IPSEC / 0 x 43700008
IPSec driver started successfully
391 19:09:13.825 29/12/2010 Sev = Info/4 IPSEC / 0 x 43700014
Remove all keys
392 19:09:16.465 29/12/2010 Sev = Info/4 CM / 0 x 43100017
xAuth application returned
393 19:09:16.465 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
394 19:09:16.480 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
395 19:09:16.480 29/12/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
396 19:09:16.481 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
397 19:09:16.481 29/12/2010 Sev = Info/4 CM/0x4310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
398 19:09:16.482 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
399 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
400 19:09:16.498 12/29/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
401 19:09:16.498 29/12/2010 Sev = Info/5 IKE / 0 x 43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.16.20.1
402 19:09:16.498 29/12/2010 Sev = Info/5 IKE / 0 x 43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
403 19:09:16.498 29/12/2010 Sev = Info/5 IKE / 0 x 43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 1.2.2.2
404 19:09:16.498 29/12/2010 Sev = Info/5 IKE / 0 x 43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 1.2.2.22
405 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000
406 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0 x 00000003
407 19:09:16.498 12/29/2010 Sev = Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet 10.10.10.0 =
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
408 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300000F
SPLIT_NET #2
subnet = 1.2.31.0
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
409 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300000F
SPLIT_NET #3
subnet = 1.2.8.0
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
410 19:09:16.498 29/12/2010 Sev = Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
411 19:09:16.499 29/12/2010 Sev = Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5510 Version 8.2 (2) built by manufacturers on Tuesday, January 11, 10 14:19
412 19:09:16.499 29/12/2010 Sev = Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194
413 19:09:16.499 29/12/2010 Sev = Info/4 CM / 0 x 43100019
Data in mode Config received
414 19:09:16.500 29/12/2010 Sev = Info/4 IKE / 0 x 43000056
Received a request from key driver: local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0
415 19:09:16.500 2010-12-29 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to 1.2.0.14
416 19:09:16.517 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
417 19:09:16.517 29/12/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
418 19:09:16.517 29/12/2010 Sev = Info/5 IKE / 0 x 43000045
Answering MACHINE-LIFE notify has value of 86400 seconds
419 19:09:16.517 29/12/2010 Sev = Info/5 IKE / 0 x 43000047
This SA has been alive for 3 seconds, affecting seconds expired 86397 now
420 19:09:16.518 12/29/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
421 19:09:16.518 12/29/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
422 19:09:16.518 29/12/2010 Sev = Info/4 IKE / 0 x 43000013
SEND to > ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14
423 19:09:16.518 29/12/2010 Sev = Info/4 IKE / 0 x 43000049
IPsec security association negotiation made scrapped, MsgID = FCB95275
424 19:09:16.518 29/12/2010 Sev = Info/4 IKE / 0 x 43000017
Marking of IKE SA delete (I_Cookie = 4BEBFA4F685D02E9 R_Cookie = 6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
425 19:09:16.520 29/12/2010 Sev = Info/5 IKE/0x4300002F
Received packet of ISAKMP: peer = 1.2.0.14
426 19:09:16.520 29/12/2010 Sev = Info/4 IKE / 0 x 43000058
Received an ISAKMP for a SA message no assets, I_Cookie = 4BEBFA4F685D02E9 R_Cookie = 6A6CB439CD58F148
427 19:09:16.520 29/12/2010 Sev = Info/4 IKE / 0 x 43000014
RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">
428 19:09:17.217 29/12/2010 Sev = Info/4 IPSEC / 0 x 43700014
Remove all keys
429 19:09:19.719 29/12/2010 Sev = Info/4 IKE/0x4300004B
IKE negotiation to throw HIS (I_Cookie = 4BEBFA4F685D02E9 R_Cookie = 6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
430 19:09:19.719 29/12/2010 Sev = Info/4 CM / 0 x 43100012
ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system
431 19:09:19.719 29/12/2010 Sev = Info/5 CM / 0 x 43100025
Initializing CVPNDrv
432 19:09:19.719 29/12/2010 Sev = Info/4 CVPND/0x4340001F
Separation of privileges: restore MTU on the main interface.
433 19:09:19.719 29/12/2010 Sev = Info/4 IKE / 0 x 43000001
Signal received IKE to complete the VPN connection
434 19:09:20.719 29/12/2010 Sev = Info/4 IPSEC / 0 x 43700014
Remove all keys
435 19:09:20.719 29/12/2010 Sev = Info/4 IPSEC / 0 x 43700014
Remove all keys
436 19:09:20.719 29/12/2010 Sev = Info/4 IPSEC / 0 x 43700014
Remove all keys
437 19:09:20.719 29/12/2010 Sev = Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped
Hello 3moloz123,
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
1. the reason why the VPN remote access (RA) couldn't form with success before the passage of TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is the mode of transport is not supported for RA VPN. You must use Tunnel mode for the processing of IPSec together we must maintain the IP header inside so that, once the package is decapsules and decrypted at the head of IPSec end we can transfer the package.
In the newspapers, you can see this failure
29 Dec 18:54: 26 [IKEv1]: Phase 2 failed: Mismatched types of class attributes Mode of Encapsulation: RRs would be: UDP Tunnel(NAT - T) Cfg had: UDP Transport
Repeat x 4
RRS of transformation all sent by the RA Client. Cfg would be is that the dynamic encryption card supports.
2. the isakmp policy change was unnecessary, the Phase 1 session came fine ISAKMP indicating worked. Phase 2 begins only after a successful Phase 1 (session ISAKMP).
After failing to build Phase 2 (child SA) we drop the ISAKMP Security Association since it is not used.
I hope that answers your questions.
Kind regards
Craig
Maybe you are looking for
-
After having downloaded and installed the new Firefox 4.0, I learned 2 extensions could not be installed. A notice would monitor the compatibility and availability and would notify me when those extensions are available. So who's going to happen, I p
-
If I go to the line and try to print a recipe or anything online, it does not print. the printer still does not turn on and it should be. Thank you.
-
Hi I have a problem when I go in the world of warcraft after 30 seconds later, I get disconnected not only Wow, but on the internet and I can't understand why does. So what I did was to look on the fourms to warcraft and couldn't find a solution to m
-
In the LV2009 extract attached, I use the "%b %Y % H: %m %d' for formatting timestamp in a time that looks like this: December 3, 2009 10:33. Now what I want to do, is to receive a string (in this same format) and stuff it back into a TimeStamp. Ho
-
Netflix has disappeared from vista Media Center
In my view, there are a lot of posts about this problem, I tried all the "fixes". Nada. Seriously, this seems to be a big problem. True answers or fixes?