Bundle ID ASA clustering

Similar Questions

• How SSL VPN packages for two ASAs clustered licenses

  Hi all!

  If I have installed two Cisco ASA 5550 (ASA5550-BUN-K9) in failover mode, which I know support only 2 concurrent sessions of SSL VPN and you want to upgrade my boxes to support 15 AnyConnect SSL VPN sessions, how many licenses packages I need to buy?

  An ASA5500-SSL-25 for both boxes or two ASA5500-SSL-25 for one per box?

  Depends on what version of ASA you are running.

  If you are running version 8.3 and above, then you just buy 1 ASA5500-SSL-25 for a failover pair and it would work. If you buy 2 ASA5500-SSL-25, one license per box in failover pair, then the license gets grouped into 50 SSL user license.

  Here is the license information for ASA version 8.3 for failover pair:

  http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1315746

  For ASA running version 8.2 and below, you are required to buy 2 ASA5500-SSL-25 (one of each ASA in the failover pair) as the license should be exactly the same for the pair to failover to work, in the earlier version of the SAA.

  Hope that makes sense.

• Cisco Firepower 4110 Clustering with ASA and DFT

  Hi all

  We have a pair of Cisco 4110 firepower devices and have them clustered for the ASA Security Module.

  There seems to be no option to add an additional logical device for the threat of fire power defence Module, so can only assume this is not supported in an active/active state.

  More on the SAA Module there is no tab of remote access VPN Configuration.

  So my question is how to incorporate the functionality of defense threat in the ASA, I suppose that this would be by the engine unloading in the advanced settings, but requires the SAA be in Active mode / standby and the power of fire threat defense logical device will be available?

  Second question is it would have been better buy the Cisco ASA 5585 X with the Module of firepower in support of all the regular features of the SAA as well as traffic inspection unloading to the module of firepower?

  I found some documentation on the Cisco site, but tend to lose sight of where the reference to FTD and not be supported of the Clustering or RAS VPN not supported by ASA or FXOS docs, so I was hoping for some insight on here.

  Appreciate any clarity around the support of devices 4110 of the firepower and configuration of the FTD and ASA combines the features supported.

  We run ASA v9.6 (2) and FXOS 2.0.1 (86).

  Thanks in advance.

  Mark

  On a firepower 4100 Series chassis, you can run a single logical unit. Several logical devices are supported only on the 9300 firepower that supports up to 3 modules of security.

  So choosing between types of module ASA and DFT (or technically you can also deploy the RADware vDefense Pro but it is mainly for service providers).

  One or the other and never the two.

  The module of the SAA supports remote access VPN over 4110 of firepower. I put one in place personally nothing this month. Have you recorded the chassis with the smart licence and applied ASA licenses (basic an and 3DES / AES)?

  The ASA modules take supported the HA and inter-chassis clustering on the 4100 series hardware.

  If you run picture FTD, there is currently no support for remote access VPN. It is a high priority position of roadmap for a future version (post - 6.2). FTD does not currently support the chassis inter cluster but that should be in version 6.2.

• [ASA] VPN Clustering maximum features and Site to Site

  I have a few questions about VPN Clustering with an ASA.

  1. how many devices can be in a cluster?

  2. I know that it is not possible to use the Site to Site VPN in a cluster, but near my cluster remote access VPN set a tunnel from Site to Site, which is not load balanced and terminated directly at the device of the cluster support?

  To answer your questions: -.

  (1) the max is 10 devices in a cluster

  (2) Yes...

  "Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (version 3.0 and later), the material Cisco VPN 3002 (version 3.5 and later) Client or the ASA 5505 functioning as a simple customer VPN." All other customers, including LAN-to-LAN connections, can connect to a safety device on which load balancing is enabled, but cannot participate in the load balancing. »

  HTH.

• Best practices using clusters to create the queue/notifier/bundles?

  I'm in a block diagram, a queue, the notifier and several instances of cluster of bundle

  that all use the same data structure.   There is a typedef of cluster for the data structure.

  Of course, each of these objects (define the queue, set notifier, bundle)

  you want to know how do you define the cluster.

  What is considered best practices?

  (1) create a dummy instance of the cluster across data structure

  definition is necessary (and hide all on the public Service)

  (2) create only one instance and son at all places, it is necessary

  But there is no stream on this thread: it's only the cluster * definition *.

  which is used, so this seems to clutter the comic.

  (3) create only one instance of the cluster control and use local variables

  everywhere else the definition of cluster is required.  It's _value_ is never

  assigned or given read-so no problem with race conditions.

  (4) another way?

  If you were to clean up someone else's code, how do you expect

  See this Treaty?

  It occurred to me during this writing that here where I

  "unbundle...... code bundle" I could wire the original beam to the

  the two "unbundle" and "bundle" - but that would be too complicated

  and the size of the comics with useless thread?

  Thank you and best regards,

  -- J.

  Hi Jeff,

  I think that this question is about "sharing" the typedef and not how share data (?)  If the cluster control is registered as a typedef (or a strict typedef) but NOT SIMPLY as a CONTROL, then when a Diagram-constant of the typedef is created, it will be updated when you update the .ctl typedef!  (and there is no FP control to hide )  Of course if the typdef is already available "close" if necessary, you will be able to use instead - save a spacer of diagram.

  See you soon.

• ASA VPN Clustering

  I have 4 pairs of HA VPN in 4 different geographic regions of the world.  Cisco ASA supports the Alliance of more than 2 VPN servers?  Given that the AnyConnect client does not have the ability to store login as the old client IPSec profiles I need a way to provide 1 hostname which will be used for all 4 VPN servers.  Any suggestions?

  Eric

  You will be very happy.  Read this.

  https://supportforums.Cisco.com/document/58711/AnyConnect-optimal-gateway-selection-operation

  In short, AnyConnect can store profiles.  However, it is best to create the same profile and store it on each VPN cluster allow users to shoot their next login.

  On the modern Windows OS the XML profile is stored in:

  %ProgramData%\Cisco\Cisco AnyConnect secure mobility Client\Profile

• ASA not found (error 2)

  Hi all

  I never thought this would happen, but it seems that I can't install itunes more.

  After that my original HARD drive has failed and took the old library iTunes with it, I went to a drive C: SSD + D: HARD disk drive.

  Obviously, iTunes install goes on (as recommended) C. The installation went without problems.

  Now, when I try to launch it I get the "Apple Application Support not found, necessary for the performance of iTunes, reinstall etc. Error 2 (sometimes with "Windows error 5" as well).

  The steps I've tried: complete the removal and reinstallation, removal of all traces of file and registry, manual reinstall post-installation of ASA (it allows me to fix, which means that it is definitely installed). I am the admin of this PC with Win7 64 bit.

  When I try to install each component of the iTunes install manually (AAS-Hello-AMDS-ASU-iTunes) I get iTunes to start the first launch config, and then it crashes with 'is not properly installed error 42404 ".

  Is there a way to start APSDaemon.exe manually?

  Any suggestions?

  UPD: When I run the x 64 folder AAS VersionCheckMe.exe all else fails. Making x 86 past version control, but fails on "version of Windows, the name of the specified module. 1.0.0.1 < 1.2.0.0 >"

  I went ahead and install QT for good measure. He launched and seems to work fine. Manual installation of the x 86 QT-bundled AAS fails because of the "new version", likely that of iTunes. Always the same problem with iTunes so

• Programmatically update nested arrays of Clusters? (What is the best way?)

  I have an array of configuration files that is loaded at startup. Then, I need to update the values in this table of configuration values. The attached VI works, but I was wondering if this is the best way. It seems not scalable I added elements that I do need to update (mostly because the real configuration file has a lot more items).

  What is the best way to update an element of tables nested clusters?

  In this version shortened:

  When I click on "Set a new value" it should set the updated for the selected Config values #, # test, a subtest #.

  

  Back panel:

  

  Thank you!

  A better approach is to use the standard bundle/unbundle and the subset model table index table/replace. A component of Inplace Structure using simplified, as shown:

  

• conversion of clusters

  I have two clusters with digital items:

  1: a, b, c and d

  2: a, b, e

  Now, I want to convert the first group to another.

  What is the best way to do it?

  Ungroup data in Cluster 1, connect a and b to the corresponding items on a fiber for Cluster 2.  Connect the desired value on the element f of the bundle.

  Lynn

  

• Scan of the Bundle chain by name

  I would like to take the output of "channel Scan and feed in a bundle by name.» There is no existing group so I wonder if I can use a constant of Cluster for the cluster of the entry. If so how the cluster constant is defined.

  My goal is to read strings ini file sections, split names and boundaries and put them in a cluster or array of clusters that can be stored as inhabitants of TestStand or FileGlobals.

  Thank you

  JVH

  jvh75021 wrote:

  There is no existing group so I wonder if I can use a constant of Cluster for the cluster of the entry. If so how the cluster constant is defined.

  There is something very common to do during initialization - group things upwards into a cluster and carry it around to use throughout the program, in sub - vi, etc.. I am happy that you are not only throw all in local or global sections!

  Yep, you will use just a constant Cluster across the first time it was packaged. Take this constant initial cluster, simply create your cluster of output known > constant. So to answer your question, the constant of cluster is defined by the known output.

  However, if this cluster ever changes during development and it will be , you are going to change every single cluster within sub - vi and an initial constant... or... you'll accompany Ben to advise and do a TypeDef!

• Group by name and not only bundle

  Hi all

  I just got myself used to clusters, son and shift registers instead to use local variables

  I have a simple question that may seem too simple!

  I use a lot of berries and want to use bundle/unbundle by name rather than just bundle/unbundle for obvious reasons.

  But since I was constantly using to initialize arrays, it has no name and so cannot use the bundle by name.

  Is there a way to get around this? (I know nothing!)

  Beginning and end of code attached images.

  Right click on any one of the constants (in) and select 'Visible-> Label', by assigning a label, you can change the name of the element in the cluster.

  Tone

• Power of fire threat defense on ASA (features HA)

  Hello

  Soon, we will deploy a pair of ASA5525-x in our data center. I had planned for them to be grouped and executed several contexts. These contexts would be a combination of routed and transparent modes. I also intend to perform the Services of firepower.

  I recently learned that DFT is a unified version of the code of the ASA and code of firepower. Something that I'm still not sure about is whether FTD will allow patterns clusters, multiple and routed/transparent contexts.

  Any who can comment on whether these features are taken in charge and if not, if they are on the roadmap?

  Thank you for your time.

  Clustering - not yet on the 5500-X series. Should be soon though.

  Multiple context - No. Targeted for a future release, but no date hired.

  Routed and transparent - Yes.

• Need help - Cisco ASA with the power of fire

  Hello

  Currently, we use asa 5510 without function of firepower. Our goal is to publish web servers and microsoft lync with reverse proxy method. control internet traffic, apply extensions individual file not to download, management of bandwidth etc.

  Is it possible if we add firepower on asa 5510... Please guide me... Thank you

  Power of fire must be installed on the new series X of the SAA.  5512 x, x 5515, 5525 x, etc.

  If you have a 5510, you probably want a 5512 x with an SSD.  Cisco has beams of firepower include the ASAx with SSD and the license of firepower.

  Adds that you must also Firesight management software, and there is a license bundle of 2 camera for under $ 500 that you can install on VMWare.

  Firepower is not reverse proxy, it's transparent online packages, analysis and filtering by URL / Application / and threat mitigation.

  If you want a reverse proxy, you should look into Microsoft ISA server or a Proxy Server reverse dedicated Web.  Cisco gave its product Web Director, who has done this function.

  You can host Web sites behind a firewall of ASA without proxy reverse.  And the ASA has an inspection of the request for HTTP traffic, responsible for watching HTTP requests.  The firepower to the ASA system also has specific signatures that monitor traffic to the web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the Reverse Proxy for, then the power of fire module would probably cover your needs.

  Don't forget that until the next quarter firepower system has no decryption on the box, and you might want to wait that the feature is released and put in place, so that you know what size firewall you need protect your network with the SSL decryption.  I believe that the ASA5512x is testing at 75 Mbps stream decrypted via the fire power module, which is about half of what was before CX, then you could use the sizing numbers CX and extrapolate until Cisco releases official decryption numbers.

• Cluster ASA with IPS

  Hello

  I intend to group 4 ASA firewall between 2 domain controllers.

  I would like to know if the ASA IPS device is also grouped with the ASAs 4 or I have to buy the hardware module ASA IPS?

  In the case where I will need to buy the module hardware IPS ASA it will work as a single module or it could also be clustered?

  Thank you very much for the help.

  Kind regards

  J

  The Documentation States that the IPS is managed individually by unit. So every unit will have it of own IPS and protects the traffic he sees. Without a config-replication available for IPS, you should plan to use a system management as MSC company to ensure that all units have the same configuration.

• L2l 1941 to ASA VPN

  Hi all

  I have a strange problem, trying to establish a VPN between my camera (1941) and a distance of ASA.

  The question is, can I say is that the IKE phase precipitates after MM6. I'm not an expert in the present, but I'll try to explain to the best of my knowledge

  Here's a cry full debugging isakmp:
  * 05:12:05.187 Jun 10: ISAKMP: (1001): serving SA., his is 3AD3BE6C, delme is 3AD3BE6C

  * Jun 10 05:12:05.259: ISAKMP: (0): profile of THE request is (NULL)

  * 05:12:05.259 Jun 10: ISAKMP: created a struct peer 41.223.4.83, peer port 500

  * 05:12:05.259 Jun 10: ISAKMP: new created position = 0x4B475724 peer_handle = 0 x 80000004

  * 05:12:05.259 Jun 10: ISAKMP: lock struct 0x4B475724, refcount 1 to peer isakmp_initiator

  * 05:12:05.259 Jun 10: ISAKMP: 500 local port, remote port 500

  * 05:12:05.263 Jun 10: ISAKMP: set new node 0 to QM_IDLE

  * 05:12:05.263 Jun 10: ISAKMP: find a dup her to the tree during the isadb_insert his 3AD3BE6C = call BVA

  * 05:12:05.263 Jun 10: ISAKMP: (0): cannot start aggressive mode, try the main mode.

  * 05:12:05.263 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83

  * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

  * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-07 ID NAT - t

  * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-03 ID

  * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-02 ID NAT - t

  * 05:12:05.263 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  * 05:12:05.263 Jun 10: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

   

  * Jun 10 05:12:05.263: ISAKMP: (0): Beginner Main Mode Exchange

  * Jun 10 05:12:05.263: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_NO_STATE

  * 05:12:05.263 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.

  * 05:12:05.475 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_NO_STATE

  * 05:12:05.475 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

  * 05:12:05.475 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

   

  * Jun 10 05:12:05.475: ISAKMP: (0): treatment ITS payload. Message ID = 0

  * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment

  * Jun 10 05:12:05.475: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69

  * 05:12:05.475 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947

  * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment

  * Jun 10 05:12:05.475: ISAKMP: (0): IKE frag vendor processing id payload

  * 05:12:05.475 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled

  * 05:12:05.475 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83

  * Jun 10 05:12:05.475: ISAKMP: (0): pre-shared key local found

  * 05:12:05.475 Jun 10: ISAKMP: analysis of the profiles for xauth...

  * 05:12:05.475 Jun 10: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

  * 05:12:05.475 Jun 10: ISAKMP: AES - CBC encryption

  * 05:12:05.475 Jun 10: ISAKMP: keylength 256

  * 05:12:05.475 Jun 10: ISAKMP: SHA hash

  * 05:12:05.475 Jun 10: ISAKMP: group by default 2

  * 05:12:05.475 Jun 10: ISAKMP: pre-shared key auth

  * 05:12:05.475 Jun 10: ISAKMP: type of life in seconds

  * 05:12:05.475 Jun 10: ISAKMP: life (basic) of 28800

  * 05:12:05.475 Jun 10: ISAKMP: (0): atts are acceptable
  . Next payload is 0
  * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts: real life: 0
  * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts:life: 0
  * 05:12:05.475 Jun 10: ISAKMP: (0): base life_in_seconds:28800
  * 05:12:05.475 Jun 10: ISAKMP: (0): return real life: 28800
  * 05:12:05.475 Jun 10: ISAKMP: (0): timer life Started: 28800.
   
  * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
  * Jun 10 05:12:05.511: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
  * 05:12:05.511 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947
  * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
  * Jun 10 05:12:05.511: ISAKMP: (0): IKE frag vendor processing id payload
  * 05:12:05.511 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled
  * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
   
  * Jun 10 05:12:05.511: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
  * 05:12:05.511 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.
  * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
   
  * 05:12:05.727 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_SA_SETUP
  * 05:12:05.727 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 05:12:05.727 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
   
  * Jun 10 05:12:05.727: ISAKMP: (0): processing KE payload. Message ID = 0
  * Jun 10 05:12:05.759: ISAKMP: (0): processing NONCE payload. Message ID = 0
  * 05:12:05.759 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
  * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
  * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is the unit
  * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
  * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID seems the unit/DPD but major incompatibility of 104
  * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is XAUTH
  * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
  * Jun 10 05:12:05.763: ISAKMP: (1003): addressing another box of IOS
  !
  * Jun 10 05:12:05.763: ISAKMP: (1003): load useful vendor id of treatment
  * 05:12:05.763 Jun 10: ISAKMP: (1003): vendor ID seems the unit/DPD but hash mismatch
  * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
  * 05:12:05.763 Jun 10: ISAKMP (1003): sound not hash no match - this node outside NAT
  * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
  * 05:12:05.763 Jun 10: ISAKMP (1003): No. NAT found for oneself or peer
  * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM4
   
  * 05:12:05.763 Jun 10: ISAKMP: (1003): send initial contact
  * 05:12:05.763 Jun 10: ISAKMP: (1003): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
  * 05:12:05.763 Jun 10: ISAKMP (1003): payload ID
  next payload: 8
  type: 1
  address: 82.117.193.82
  Protocol: 17
  Port: 500
  Length: 12
  * 05:12:05.763 Jun 10: ISAKMP: (1003): the total payload length: 12
  * Jun 10 05:12:05.763: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
  * 05:12:05.763 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
  * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM5
   
  * 05:12:05.975 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
  * Jun 10 05:12:05.975: ISAKMP: (1003): payload ID for treatment. Message ID = 0
  * 05:12:05.975 Jun 10: ISAKMP (1003): payload ID
  next payload: 8
  type: 1
  address: 41.223.4.83
  Protocol: 17
  Port: 0
  Length: 12
  * Jun 10 05:12:05.975: ISAKMP: (0): peer games * no * profiles
  * Jun 10 05:12:05.975: ISAKMP: (1003): HASH payload processing
  . Message ID = 0
  * 05:12:05.975 Jun 10: ISAKMP: received payload type 17
  * 05:12:05.979 Jun 10: ISAKMP: (1003): SA authentication status:
  authenticated
  * 05:12:05.979 Jun 10: ISAKMP: (1003): SA has been authenticated with 41.223.4.83
  * 05:12:05.979 Jun 10: ISAKMP: try to insert a 82.117.193.82/41.223.4.83/500/peer and inserted 4 B 475724 successfully.
  * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM5 = IKE_I_MM6
   
  * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_I_MM6
   
  * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
   
  * 05:12:05.979 Jun 10: ISAKMP: (1003): start Quick Mode Exchange, M - ID 2434392874
  * 05:12:05.979 Jun 10: ISAKMP: (1003): initiator QM gets spi
  * Jun 10 05:12:05.979: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
  * 05:12:05.979 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
  * 05:12:05.979 Jun 10: ISAKMP: (1003): entrance, node 2434392874 = IKE_MESG_INTERNAL, IKE_INIT_QM
  * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_QM_READY = IKE_QM_I_QM1
  * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
   
  * 05:12:06.195 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
  * 05:12:06.195 Jun 10: ISAKMP: node set 169965215 to QM_IDLE
  * Jun 10 05:12:06.195: ISAKMP: (1003): HASH payload processing
  . Message ID = 169965215
  * Jun 10 05:12:06.195: ISAKMP: (1003): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
  0, message ID SPI = 169965215, a = 0x3AD3BE6C
  * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 169965215 FALSE reason 'informational (en) State 1.
  * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
   
  * 05:12:06.199 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
  * 05:12:06.199 Jun 10: ISAKMP: node set 1149953416 to QM_IDLE
  * Jun 10 05:12:06.199: ISAKMP: (1003): HASH payload processing. Message ID = 1149953416
  * Jun 10 05:12:06.199: ISAKMP: (1003): treatment of payload to DELETE
  . Message ID = 1149953416
  * 05:12:06.199 Jun 10: ISAKMP: (1003): peer does not paranoid KeepAlive.
   
  * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
  * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 1149953416 FALSE reason 'informational (en) State 1.
  * 05:12:06.199 Jun 10: ISAKMP: node set 613686650 to QM_IDLE
  * Jun 10 05:12:06.199: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
  * 05:12:06.199 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
  * 05:12:06.199 Jun 10: ISAKMP: (1003): purge the node 613686650
  * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
   
  * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
  * 05:12:06.199 Jun 10: ISAKMP: Unlocking counterpart struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
  * 05:12:06.199 Jun 10: ISAKMP: delete peer node by peer_reap for 41.223.4.83: 4 B 475724
  * 05:12:06.203 Jun 10: ISAKMP: (1003): node-1860574422 error suppression FALSE reason 'IKE deleted.
  * 05:12:06.203 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 05:12:06.203 Jun 10: ISAKMP: (1003): former State = new State IKE_DEST_SA = IKE_DEST_SA
   
  * 05:12:25.187 Jun 10: ISAKMP: (1002): purge the node 1140237073

  Installed IOS is c1900-universalk9-mz. Spa. 154 - 3.M5.bin

  Before that, I had 15.3, same thing.

  BGPR1 # running sho

  Building configuration...

   

  Current configuration: 5339 bytes

  !

  ! Last configuration change at 05:19:14 UTC Friday, June 10, 2016 by boris

  !

  version 15.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname BGPR1

  !

  boot-start-marker

  start the system flash0:c1900 - universalk9-mz. Spa. 154 - 3.M5.bin

  boot-end-marker

  !

  !

  logging buffered 51200 warnings

  !

  No aaa new-model

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  IP flow-cache timeout active 1

  IP cef

  No ipv6 cef

  !

  Authenticated MultiLink bundle-name Panel

  !

  CTS verbose logging

  !

  Crypto pki trustpoint TP-self-signed-

  enrollment selfsigned

  name of the object cn = IOS-Self-signed-certificate-

  revocation checking no

  rsakeypair TP-self-signed-3992366821

  !

  !

  chain pki crypto TP-self-signed certificates.

  certificate self-signed 01

  quit smoking

  udi pid CISCO1941/K9 sn CF license

  !

  !

  username

  username

  !

  redundancy

  !

  !

  !

  No crypto ikev2 does diagnosis error

  !

  !

  !

  !

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 2

  lifetime 28800

  isakmp encryption key * address 41.223.4.83

  !

  !

  Crypto ipsec transform-set Meridian ah-sha-hmac esp - aes 256

  tunnel mode

  !

  !

  !

  Meridian 10 map ipsec-isakmp crypto

  VODACOM VPN description

  defined by peer 41.223.4.83

  86400 seconds, life of security association set

  the transform-set Meridian value

  match address 100

  !

  !

  !

  !

  !

  the Embedded-Service-Engine0/0 interface

  no ip address

  Shutdown

  !

  interface GigabitEthernet0/0

  Description peer na Telekom

  IP 79.101.96.6 255.255.255.252

  penetration of the IP stream

  stream IP output

  automatic duplex

  automatic speed

  No cdp enable

  !

  interface GigabitEthernet0/1

  Description peer na SBB

  IP 82.117.193.82 255.255.255.252

  penetration of the IP stream

  stream IP output

  automatic duplex

  automatic speed

  No cdp enable

  Meridian of the crypto map

  !

  interface FastEthernet0/0/0

  no ip address

  !

  interface FastEthernet0/0/1

  no ip address
  !
  interface FastEthernet0/0/2
  no ip address
  !
  interface FastEthernet0/0/3
  switchport access vlan 103
  no ip address
  !
  interface Vlan1
  IP 37.18.184.1 255.255.255.0
  penetration of the IP stream
  stream IP output
  !
  interface Vlan103
  IP 10.10.10.1 255.255.255.0
  !
  router bgp 198370
  The log-neighbor BGP-changes
  37.18.184.0 netmask 255.255.255.0
  10.10.10.2 neighbor remote - as 201047
  map of route-neighbor T-OUT 10.10.10.2 out
  neighbour 79.101.96.5 distance - 8400
  neighbor 79.101.96.5 fall-over
  neighbor 79.101.96.5 LOCALPREF route map in
  79.101.96.5 T-OUT out neighbor-route map
  neighbour 82.117.193.81 distance - as 31042
  neighbor 82.117.193.81 fall-over
  neighbor 82.117.193.81 route LocalOnly outside map
  !
  IP forward-Protocol ND
  !
  IP as path access list 10 permit ^ $
  IP as path access list 20 permits ^ $ 31042
  no ip address of the http server
  local IP http authentication
  no ip http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  IP flow-export Vlan1 source
  peer of IP flow-export version 5 - as
  37.18.184.8 IP flow-export destination 2055
  !
  IP route 37.18.184.0 255.255.255.0 Null0
  IP route 104.28.15.63 255.255.255.255 79.101.96.5
  IP route 217.26.67.79 255.255.255.255 79.101.96.5
  !
  !
  IP-list of prefixes Filter_IN_Telekom seq 10 permit 0.0.0.0/0
  !
  T-OUT route map permit 10
  match 10 way
  !
  route allowed LOCALPREF 10 map
  set local preference 90
  !
  SBBOnly allowed 10 route map
  20 as path game
  !
  LocalOnly allowed 10 route map
  match 10 way
  !
  !
  m3r1d1an RO SNMP-server community
  Server SNMP ifindex persist
  access-list 100 permit ip host 37.18.184.4 41.217.203.234
  access-list 100 permit ip host 37.18.184.169 41.217.203.234
  !
  control plan
  !
  !
  !
  Line con 0
  Synchronous recording
  local connection
  line to 0
  line 2
  no activation-character
  No exec
  preferred no transport
  transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
  StopBits 1
  line vty 0 4
  privilege level 15
  local connection
  entry ssh transport
  line vty 5 15
  privilege level 15
  local connection
  entry ssh transport
  !
  Scheduler allocate 20000 1000
  !
  end
   
  BGPR1 #.

  BGPR1 #sho cry isa his

  IPv4 Crypto ISAKMP Security Association

  DST CBC conn-State id

  41.223.4.83 82.117.193.82 MM_NO_STATE 1106 ACTIVE (deleted)

  41.223.4.83 82.117.193.82 MM_NO_STATE 1105 ACTIVE (deleted)

  For "sho cry ipsec his" I get only a lot of mistakes to send.

  For the other end, I had all the settings, I have no access to this device, they insist that this is a simple installation and that any problem is on my side.

  I tried to juggle the order of the access list, life card crypto security association and all "googlable" solutions, that I could find.

  Any input appreciated.

  Corresponds to the phase 2 double-checking on the SAA, including PFS.

  crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256  mode tunnel