Debugging router ACLs

Hello, what is the best method to debug a specific router access control list in IOS 12.2? I would like to see if everything works as expected. I have the ACL active on the interface and tried 'debug ip error access-list', but it gives me output for the ACL only. Thank you.

Hello

The best way to check is to put the log keyword at the end of the access list entry:

access-list 1 permit 5.6.0.0 0.0.255.255 log

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Nilesh
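The reply above describes what the log keyword produces: a first-packet message followed by 5-minute interval updates carrying the list number, the verdict, the addresses and a packet count. The following script, added here as an example (it is not part of the thread), parses the three syslog formats IOS uses for such messages (IPACCESSLOGS for standard lists, IPACCESSLOGP for TCP/UDP, IPACCESSLOGDP for ICMP) and aggregates the interval counts, so a defender can see which entries are actually being hit and which sources keep getting denied. The sample log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread) in the formats IOS emits for
# ACL entries carrying the "log" keyword. The second line of each pair is the
# 5-minute interval update the answer above describes; the last line is unrelated.
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr1 1234: %SEC-6-IPACCESSLOGS: list 1 permitted 5.6.7.8 1 packet
Mar  1 10:05:01 rtr1 1235: %SEC-6-IPACCESSLOGS: list 1 permitted 5.6.7.8 37 packets
Mar  1 10:05:02 rtr1 1236: %SEC-6-IPACCESSLOGP: list 130 denied tcp 198.51.100.7(44012) -> 192.168.168.10(80), 1 packet
Mar  1 10:10:02 rtr1 1237: %SEC-6-IPACCESSLOGP: list 130 denied tcp 198.51.100.7(44012) -> 192.168.168.10(80), 12 packets
Mar  1 10:10:03 rtr1 1238: %SEC-6-IPACCESSLOGDP: list 130 permitted icmp 203.0.113.9 -> 172.16.1.21 (8/0), 1 packet
Mar  1 10:10:04 rtr1 1239: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# One pattern covers the standard-list form (source only), the TCP/UDP form
# (ports in parentheses) and the ICMP form (type/code after the destination).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>S|P|DP|NP|RP): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>[a-z0-9]+) )?"                  # absent for standard lists
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?)?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r",? (?P<count>\d+) packets?"
)


def parse_acl_log_line(line):
    """Return a dict for an IPACCESSLOG* syslog line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for name in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        if rec[name] is not None:
            rec[name] = int(rec[name])
    if rec["proto"] is None:
        rec["proto"] = "ip"  # standard lists match on source address only
    return rec


def summarize(text):
    """Total packets per (acl, action, proto, src, dst). Summing is correct because
    IOS reports 1 packet for the first match and then the count for each interval,
    never a running total."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_acl_log_line(line)
        if rec is not None:
            key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])
            totals[key] += rec["count"]
    return dict(totals)


def denied_sources(text, threshold=10):
    """Source addresses whose denied-packet total across all lists reaches threshold."""
    per_src = defaultdict(int)
    for (_acl, action, _proto, src, _dst), n in summarize(text).items():
        if action == "denied":
            per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
    print("noisy denied sources:", denied_sources(SAMPLE_LOG))
```

Because the router only logs the first packet immediately and batches the rest into interval counters, a sudden burst shows up as one line followed by a large count five minutes later; the summary above is what you would feed a threshold alert rather than the raw line rate.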

Tags: Cisco Security

Similar Questions

  • Traffic Internet PIN for router ACL

    Hello, I am creating a typical router-on-a-stick configuration where remote locations running Cisco IOS send Internet traffic out through an IPSec tunnel that terminates on an ASA5510. I'm 99% there and can't seem to move traffic between the spokes and the Internet. I'm looking for advice on how to properly configure the inbound ACL on the spoke routers' WAN interfaces.

    My question is, what do I specifically need to permit for returning Internet traffic in the spoke router's ACL? I was under the impression that permitting the hub ASA's IPSec traffic would include Internet traffic that has hairpinned through the ASA, and that I wouldn't need a specific ACL entry for Internet source addresses.

    The spoke router I am working on now is a 3620 running IOS 12.3.26. When I configure the inbound ACL on the WAN interface to allow only esp/isakmp from the hub ASA, I'm not able to receive traffic from the Internet. If I remove the inbound ACL everything works fine. Here is the current inbound ACL from the lab network router:

    access-list 130 remark Permitted inbound WAN connections
    access-list 130 remark IPSec
    access-list 130 remark LAN subnets
    access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 permit ip 192.168.50.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 permit ip 10.199.199.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 remark HUB ASA
    access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp
    access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
    access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
    access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21
    access-list 130 remark NTP to the router
    access-list 130 permit udp host 192.43.244.18 eq ntp host 172.16.1.21 eq ntp
    access-list 130 remark Permitted ICMP traffic
    access-list 130 permit icmp any host 172.16.1.21 echo
    access-list 130 permit icmp any any echo-reply
    access-list 130 permit icmp any any source-quench
    access-list 130 permit icmp any any packet-too-big
    access-list 130 permit icmp any any time-exceeded
    access-list 130 deny icmp any any
    access-list 130 remark Permitted Management traffic
    access-list 130 remark allow ssh
    access-list 130 permit tcp any any eq 22

    With the above access list applied inbound on my WAN interface, internal hosts are able to ping Internet addresses (permitted by the ICMP echo-reply entry) but cannot browse the Internet.

    Should I enable a firewall policy on the router to allow the return Internet traffic? I thought the ESP permit rule would cover that.

    Any help is appreciated!

    Dan

    Dan

    Unless you're running the IOS Firewall feature on your spoke routers, the router is unable to keep state for outbound connections. So yes, you will also need to allow the unencrypted traffic in your inbound ACL on the WAN interface, because once the traffic is decrypted it is then checked against the ACL on the interface; see this link for the order of operations.

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    On ASA/PIX firewalls you can tell the device to check decrypted traffic against the ACL on the outside interface with the "sysopt connection" command, but I'm not aware of a similar option for IOS.

    Jon
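Jon's point is that a plain interface ACL is evaluated top-down, first match wins, with an implicit deny at the end, and that it keeps no connection state, so a decrypted HTTP reply coming back from the Internet is judged on its own. The script below is an added example (not from the thread) that models that evaluation with IOS wildcard masks and walks a transcription of Dan's ACL 130 (remarks omitted; packet-too-big is left out because it needs an ICMP type and code pair). It shows the hub's ESP and an ICMP echo-reply being permitted while the HTTP reply falls through to the implicit deny. The `hardened_acl()` variant appends an `established` entry for return traffic to the LAN subnet; that keyword is a stateless check on the ACK/RST bits, which is one option a practitioner might weigh, not the thread's answer, and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, in the form IOS evaluates it."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp", "icmp", "esp", "ahp"
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    established: bool = False   # match only TCP segments with ACK or RST set


def _match_addr(spec: str, addr: str) -> bool:
    """IOS address spec: 'any', 'host X', or 'X WILDCARD' (1-bits are don't-care)."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    keep = ~wild & 0xFFFFFFFF
    return (a & keep) == (base & keep)


def evaluate(acl, pkt):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, 1-based entry index), or ("deny", None) for the implicit deny."""
    for idx, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_match_addr(ace.src, pkt["src"]) and _match_addr(ace.dst, pkt["dst"])):
            continue
        if ace.sport is not None and ace.sport != pkt.get("sport"):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.get("icmp_type"):
            continue
        if ace.established and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return ace.action, idx
    return "deny", None


# Transcription of ACL 130 from the post above (remarks and packet-too-big omitted).
ACL_130 = [
    Ace("permit", "ip", "192.168.75.0 0.0.0.255", "192.168.168.0 0.0.0.255"),
    Ace("permit", "ip", "192.168.50.0 0.0.0.255", "192.168.168.0 0.0.0.255"),
    Ace("permit", "ip", "10.199.199.0 0.0.0.255", "192.168.168.0 0.0.0.255"),
    Ace("permit", "udp", "host 172.16.1.4", "host 172.16.1.21", dport=4500),   # non500-isakmp
    Ace("permit", "udp", "host 172.16.1.4", "host 172.16.1.21", dport=500),    # isakmp
    Ace("permit", "esp", "host 172.16.1.4", "host 172.16.1.21"),
    Ace("permit", "ahp", "host 172.16.1.4", "host 172.16.1.21"),
    Ace("permit", "udp", "host 192.43.244.18", "host 172.16.1.21", sport=123, dport=123),
    Ace("permit", "icmp", "any", "host 172.16.1.21", icmp_type=8),    # echo
    Ace("permit", "icmp", "any", "any", icmp_type=0),                 # echo-reply
    Ace("permit", "icmp", "any", "any", icmp_type=4),                 # source-quench
    Ace("permit", "icmp", "any", "any", icmp_type=11),                # time-exceeded
    Ace("deny", "icmp", "any", "any"),
    Ace("permit", "tcp", "any", "any", dport=22),
]


def hardened_acl():
    """ACL 130 plus a stateless return-traffic entry (assumed option, not the thread's fix)."""
    return ACL_130 + [Ace("permit", "tcp", "any", "192.168.168.0 0.0.0.255", established=True)]


# Constructed packets, as seen by the inbound ACL after decryption.
ESP_FROM_HUB = {"proto": "esp", "src": "172.16.1.4", "dst": "172.16.1.21"}
ECHO_REPLY = {"proto": "icmp", "src": "203.0.113.80", "dst": "192.168.168.10", "icmp_type": 0}
HTTP_REPLY = {"proto": "tcp", "src": "203.0.113.80", "dst": "192.168.168.10",
              "sport": 80, "dport": 51515, "flags": {"ACK", "PSH"}}
NEW_INBOUND_SYN = {"proto": "tcp", "src": "203.0.113.80", "dst": "192.168.168.10",
                   "sport": 40000, "dport": 445, "flags": {"SYN"}}

if __name__ == "__main__":
    for name, pkt in [("esp", ESP_FROM_HUB), ("echo-reply", ECHO_REPLY), ("http reply", HTTP_REPLY)]:
        print(name, "->", evaluate(ACL_130, pkt))
    print("http reply, hardened ->", evaluate(hardened_acl(), HTTP_REPLY))
    print("new inbound SYN, hardened ->", evaluate(hardened_acl(), NEW_INBOUND_SYN))
```

Running it reproduces Dan's symptom: ping works because the echo-reply entry matches, while the HTTP reply matches nothing before the implicit deny. The `established` entry only inspects flag bits, so it is weaker than the IOS Firewall state Jon mentions; it is shown here to make the stateless-versus-stateful distinction concrete.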

  • Cisco 2901 IP SLA and POLICY-BASED ROUTING with dual LAN gateways

    Hello

    I am configuring a failover solution combined with PBR using two already configured gateways. See the attached diagram.

    I currently have two ASA 5505 and a 2901.

    According to the example: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/861-c... I've set up the following in the 2901:

    interface Port-channel1.1
     encapsulation dot1Q 1 native
     ip address 192.168.200.100 255.255.255.0
     ip policy route-map RM-Comcast-traffic

    ip route 0.0.0.0 0.0.0.0 192.168.200.200 track 1
    ip route 0.0.0.0 0.0.0.0 192.168.200.150 track 2
    ip route 10.10.10.1 255.255.255.252 192.168.200.150

    ip access-list extended ACL-Comcast-traffic
     permit object-group COMCAST_Routed 192.168.200.0 0.0.0.255 any

    route-map RM-Comcast-traffic permit 1
     match ip address ACL-Comcast-traffic
     set ip next-hop verify-availability 10.10.10.2 1 track 2

    object-group service COMCAST_Routed
     tcp eq ftp
     tcp eq www
     tcp eq ftp-data

    ip sla 1
     icmp-echo 192.168.200.200
     threshold 2
     timeout 1000
     frequency 30
    ip sla schedule 1 life forever start-time now

    ip sla 2
     icmp-echo 10.10.10.2
     threshold 2
     timeout 1000
     frequency 30
    ip sla schedule 2 life forever start-time now

    track 1 ip sla 1 reachability
    track 2 ip sla 2 reachability

    I did some tests and the failover part seems to work, but the PBR configuration does not work as expected. The only thing is that track 1 comes up properly each time and track 2 is going down.

    Any help clarifying the feasibility and practicality of this configuration is greatly appreciated.

    Dan

    Adding an AD value won't fix PBR (sorry if I gave that impression).

    On the client that you are testing with, can you look at its routing table (for example 'netstat -nr') and see what it shows in terms of gateways.

    It may be that you want to debug your policy routing to see what is happening on the router.

    Jon

  • PowerConnect 6200 ACL does not seem to work

    Hello

    I have a total of four 6248s in two groups at different locations that are configured with VRRP + OSPF.  I tried to set up a simple ACL on a VLAN to allow a portion of the traffic and block everything else, but I can't make it work.  I have tried many combinations to get this working, but so far without success.  It's just a simple ACL, which should allow web/http traffic to the 10.1.30.100 server and block everything else.

    The only types of ACE that seem to work are either a "deny ip any any" or a "permit ip any any". If you try an ACE with a destination host and subnet mask 0.0.0.0 it just blocks everything.  Has anyone else had problems with the ACLs, or is it just my incompetence preventing me from getting the 6200 ACL to work properly?  I didn't have this problem getting the ACL to work on our Cisco 2811 routers, only when I tried it on the PC6248s.

    config
    int vlan 720
    no ip access-group vlan720-in in
    exit
    no access-list vlan720-in
    access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
    int vlan 720
    ip access-group vlan720-in in
    exit
    exit
    copy run start
    y

    Just an update on this issue.  I worked with Dell to determine why the ACL does not seem to work.  We discovered that the 6200 applies the ACL to traffic like a Cisco VLAN access map, as opposed to a router ACL.  This causes the ACL to apply not only to routed or forwarded traffic but also to traffic switched within the same VLAN.

    This has been the source of my problems, as my traffic is not limited to a single 6200.  I built a simple lab to check that the 6200 applies the ACL to traffic switched within the same VLAN.

    First, the 6200 has one ACL applied to VLAN 5; both PC1 and PC2 are in VLAN 5.  They are both on the same subnet, 192.168.5.0/24.  The ACL has a "permit icmp any any" statement but nothing else.  PC1 and PC2 are running Windows XP Pro with IIS installed for the test.  The firewall on both is disabled.

    PC #1 IP: 192.168.5.2/24
    PC #2 IP: 192.168.5.3/24

    [6200]
    |    |
    |    |
    |   [2950T #2] <-->[PC #2]
    |
    |
    [2950T #1] <-->[PC #1]

    In this scenario PC1 and PC2 can ping each other without problem because of the permit icmp any any statement, but neither can access the IIS site on the other computer.

    Dell said that this is normal and that if you want communication within the VLAN you need a 'permit ip' entry to make it work properly.  I also found that traffic coming back from other VLANs was also denied because the ACL is applied to all incoming traffic.  As a solution, a permit statement must be included for ALL traffic returning from other subnets to the restricted subnet.  So in this case "permit ip any".

    I find it a bit annoying that the ACL is applied like a VLAN map and not like a real inbound router ACL as on similar Cisco devices such as the 3750.  So there is a workaround.  I hope they can fix this in a future update, because I really think the 6200 is a great device.

    Here you can see the difference between VLAN ACL maps and router ACLs as regards where they are applied to traffic local to the VLAN.
    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522

  • New ACL on top

    Hello, I need help.

    I am trying to add a new ACL entry, but it ends up after my permit line; how can I add it on top on my router?

    On the ASA I can put it on top by adding the line number, however I'm not sure how to do it on the router.

    access-list 101 deny ip host 192.168.5.2 host 192.168.50.9
    access-list 101 permit ip any any
    access-list 101 deny ip host 192.168.5.2 host 192.168.50.20

    Thank you

    Hello

    A little rusty on the router ACL side myself too, and I've forgotten the differences between the different types of ACL.

    Can you check the output of the following command:

    show ip access-list 101

    To my knowledge, that should show the ACL with the sequence/line numbers. If yes, then I guess you could first remove the ACL line you added at the end of the ACL and then try this:

    ip access-list extended 101
     15 deny ip host 192.168.5.2 host 192.168.60.20

    Where 15 is the line/sequence number at which to add the entry to the ACL. By default, the router should start from 10 and then go up in increments of 10 (10, 20, 30, 40 and so on). With some ACLs I tend to issue those line/sequence numbers differently so that I leave enough space between the rules if I need to add something later without removing and redoing the whole ACL.

    If for any reason you are not able to add the line in the correct place as described above, I guess you can always rebuild the ACL. But in the case of routers it depends on how the ACL is used; in my view it should probably first be removed from wherever it is used, so that the removal does not cause problems. To my understanding, removing an ACL that is used under 'line vty 0 4' or under "interface" configurations could cause traffic to get blocked, so it's usually best to remove the ACL from the service before doing it.

    I hope that I don't remember anything wrong :)

    -Jouni

  • Site-to-site tunnel between IOS router and ASA

    I've combed through the configs on both sides of this tunnel 4 times now and the policies look like they match. I applied the note at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

    My crypto access lists are good and my NAT on the IOS side is done with a route map and looks good. On the ASA side, the traffic for the remote tunnel is exempt from NAT. Each side already has a site-to-site tunnel configured, so I added the appropriate lines to the existing crypto maps, which include the peers, the transform set and the 'match address' access list. The crypto isakmp policies on both ends are compatible. I have attached some configs and debugs (from the IOS router), but essentially the log on the ASA starts with phase 1 complete, then 'routing notification message not received' and 'no proposal chosen' messages, and then it goes to 'IKE lost connection to remote peer', 'removing peer from correlator table failed, no match', the deletion and finally 'session disconnected, reason: lost service'.

    Their other tunnel stays up, and the remote-access VPN configuration works fine.

    I found a note that recommends checking the security access-list for 'any' entries, so I removed it, but no luck, and a Cisco note relating to a concentrator that had sound logic:

    This is normally seen with the Cisco VPN 3000 Concentrator message: no proposal chosen (14). This is a result of the connections being host-to-host. The router configuration has the IPSec proposals ordered so that the proposal chosen for the router matches the access list, but not the peer. The access list has a larger network that includes the host that is intersecting traffic. Make the router proposal for this concentrator-to-router connection first in line, so that it matches the specific host first.

    but that didn't work either.

    Thank you

    Bill

    Bill,

    Take a look at this

    000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH
    000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH
    000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400
    000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH
    000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

    It should not go to extended authentication. Since you have the clients and the L2L on the same router and the clients are configured for extended authentication, the router will ask for XAUTH unless you configure the "no-xauth" keyword after the pre-shared key.

    Please apply the command:

    crypto isakmp key <pre-shared-key> address 74.92.97.166 no-xauth

    Thank you

    Gilbert

  • SSL VPN and routing problem

    Hi all

    I have a strange architecture involving VPN and I have a few problems that I am not able to solve:

    - I use the SSL VPN gateway to allocate internal IP addresses of the local network described in the diagram (8.8.2.0 or 8.8.3.0 according to the tunnel-group).

    - The purpose is for VPN clients to directly access the internal network.

    This works very well as long as communications are strictly internal to the network. But recently we installed an application that needs to access both networks. No problem, I thought, but I was wrong; there seems to be a routing problem inherent in the architecture in place.

    Let me explain the problem:

    - When I connect to the VPN, for example I am given the IP address 8.8.3.5.

    - I run the application that needs to open a page on the web server located at 8.8.2.120.

    - The ASA receives my TCP SYN datagram and forwards it directly out the directly connected interface fa0/1 (based on the routing table).

    - The web server returns the response, but sends it to its default gateway, which is the Cisco 6509.

    - The 6509 sends it out its VLAN 2000 SVI.

    - And finally the ASA receives it on its interface fa0/2, but it seems to drop it, since it opened a TCP connection on fa0/1 and receives the response on fa0/2.

    I want the traffic from the tunnel to bypass the connected routes and be forwarded to a tunnel default gateway. This would ensure that the path for the request and the response is the same.

    I would like to know if there are debug commands for routing decisions to validate my theory?

    Do you know of any solution to this problem?

    Thanks a lot for your help.

    When you configure TCP state bypass, always think 'which way is the SYN packet coming?'

    Routing failed messages always have a source and destination; have you copied the entire message?

    BTW, instead of letting SSL clients get addresses assigned from vlan2000, why not give them a separate subnet and route back via the correct interface?

    I would also check your config and the routing table :-)

    Marcin

  • Site to Site VPN through a NAT device

    Hi, I am having trouble running a site-to-site VPN between two 3725 routers running c3725-advsecurityk9-mz.124-15.T1, that I hope I can get some help with; I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the Internet and had public IP addresses on their WAN interfaces, but I had to move one of them inside the firewall onto a private IP address. The setup is now as below:

    VPN router A (192.168.248.253) - internal company network - Fortigate FW - Internet - (217.155.113.179) VPN router B

    The Fortigate FW is doing some address translation:
    - traffic between 192.168.248.253 and 217.155.113.179 has its source translated to 37.205.62.5
    - traffic between 217.155.113.179 and 37.205.62.5 has its destination translated to 192.168.248.253
    - Firewall rules allow all traffic between the 2 devices, no port locking enabled.
    - The 37.205.62.5 address is not used by anything else.

    I basically have a GRE tunnel between the two routers, and I'm trying to encrypt it.

    Router A shows below:

    SERVER-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
            Peer = 217.155.113.179
            Extended IP access list 101
                access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
            Current peer: 217.155.113.179
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    STRONG,
            }
            Interfaces using crypto map S2S_VPN:
                    FastEthernet0/1

    SERVER-RTR#show crypto sessio
    Crypto session current status

    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 217.155.113.179 port 500
      IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
            Active SAs: 0, origin: crypto map

    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 217.155.113.179 port 4500
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
      IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive

    Router B shows below:

    BSU-RTR#show crypto map
    Crypto Map "S2S_VPN" 10 ipsec-isakmp
            Peer = 37.205.62.5
            Extended IP access list 101
                access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
            Current peer: 37.205.62.5
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    STRONG,
            }
            Interfaces using crypto map S2S_VPN:
                    FastEthernet0/1

    BSU-RTR#show crypto sess
    Crypto session current status

    Interface: FastEthernet0/1
    Session status: DOWN
    Peer: 37.205.62.5 port 500
      IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
            Active SAs: 0, origin: crypto map

    Interface: FastEthernet0/1
    Session status: UP-IDLE
    Peer: 37.205.62.5 port 4500
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
      IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive

    I can see the counters incrementing on the ACL on both routers, so I know the interesting traffic is matching.

    Here are a few debugs too
    --------------
    Router

    debug crypto isakmp

    *Mar  2 23:07:10.898: ISAKMP:(1024):purging node 940426884
    *Mar  2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
    *Mar  2 23:07:10.898: ISAKMP:(1024):purging node -475409474
    *Mar  2 23:07:20.794: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
    *Mar  2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
    *Mar  2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
    *Mar  2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
    *Mar  2 23:07:20.794: ISAKMP: local port 500, remote port 500
    *Mar  2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
    *Mar  2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

    *Mar  2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
    *Mar  2 23:07:20.794: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar  2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar  2 23:07:20.798: ISAKMP:(0): local preshared key found
    *Mar  2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
    *Mar  2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Mar  2 23:07:20.798: ISAKMP:      encryption DES-CBC
    *Mar  2 23:07:20.798: ISAKMP:      hash SHA
    *Mar  2 23:07:20.798: ISAKMP:      default group 1
    *Mar  2 23:07:20.798: ISAKMP:      auth pre-share
    *Mar  2 23:07:20.798: ISAKMP:      life type in seconds
    *Mar  2 23:07:20.798: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Mar  2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Mar  2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
    *Mar  2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
    *Mar  2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Mar  2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Mar  2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
    *Mar  2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.

    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Mar  2 23:07:20.798: ISAKMP (0): vendor ID is NAT-T v7
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
    *Mar  2 23:07:20.798: ISAKMP:(0): processing vendor id payload
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Mar  2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
    *Mar  2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

    *Mar  2 23:07:20.802: ISAKMP:(0):constructed NAT-T vendor-rfc3947 ID
    *Mar  2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Mar  2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Mar  2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

    *Mar  2 23:07:20.822: ISAKMP (0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
    *Mar  2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

    *Mar  2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
    *Mar  2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Mar  2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
    *Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar  2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
    *Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar  2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
    *Mar  2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
    *Mar  2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
    *Mar  2 23:07:20.854: ISAKMP:received payload type 20
    *Mar  2 23:07:20.854: ISAKMP (1027): NAT found, the node inside NAT
    *Mar  2 23:07:20.854: ISAKMP:received payload type 20
    *Mar  2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM3

    *Mar  2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Mar  2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar  2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3  New State = IKE_R_MM4

    *Mar  2 23:07:20.898: ISAKMP:(1024):serving SA., sa is 64D5723C, delme is 64D5723C
    *Mar  2 23:07:20.902: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
    *Mar  2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4  New State = IKE_R_MM5

    *Mar  2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
    *Mar  2 23:07:20.902: ISAKMP (1027): ID payload
            next-payload : 8
            type         : 1
            address      : 217.155.113.179
            protocol     : 17
            port         : 0
            length       : 12
    *Mar  2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
    *Mar  2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
    *Mar  2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 6464D3F0
    *Mar  2 23:07:20.906: ISAKMP:(1027):SA authentication status:
            authenticated
    *Mar  2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
    *Mar  2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
    *Mar  2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
    *Mar  2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
    *Mar  2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
    *Mar  2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
    *Mar  2 23:07:20.906: ISAKMP:(1027):SA authentication status:
            authenticated
    *Mar  2 23:07:20.906: ISAKMP:(1027):Process initial contact,
    bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
    *Mar  2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
    *Mar  2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.

    *Mar  2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
    *Mar  2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
    *Mar  2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
    *Mar  2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Mar  2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_R_MM5

    *Mar  2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
    *Mar  2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar  2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
    *Mar  2 23:07:20.910: ISAKMP:(1026):purging node -98987637
    *Mar  2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Mar  2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    *Mar  2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Mar  2 23:07:20.910: ISAKMP (1027): ID payload
            next-payload : 8
            type         : 1
            address      : 192.168.248.253
            protocol     : 17
            port         : 0
            length       : 12
    *Mar  2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
    *Mar  2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
    *Mar  2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar  2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Mar  2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

    *Mar  2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 217.155.113.179)
    *Mar  2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
    *Mar  2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
    *Mar  2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
    *Mar  2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
    *Mar  2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Mar  2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    *Mar  2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Mar  2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Mar  2 23:07:20.930: ISAKMP (1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
    *Mar  2 23:07:20.934: ISAKMP (1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
    *Mar  2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
    *Mar  2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
    *Mar  2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
    *Mar  2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
    *Mar  2 23:07:20.934: ISAKMP: transform 1, ESP_AES
    *Mar  2 23:07:20.934: ISAKMP:   attributes in transform:
    *Mar  2 23:07:20.934: ISAKMP:      encaps is 3 (Tunnel-UDP)
    *Mar  2 23:07:20.934: ISAKMP:      SA life type in seconds
    *Mar  2 23:07:20.934: ISAKMP:      SA life duration (basic) of 3600
    *Mar  2 23:07:20.934: ISAKMP:      SA life type in kilobytes
    *Mar  2 23:07:20.934: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Mar  2 23:07:20.934: ISAKMP:      key length is 128
    *Mar  2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
    *Mar  2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
    *Mar  2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
    *Mar  2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
    *Mar  2 23:07:20.938: ISAKMP:(1027): sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 1688526152, message ID = 1961554007
    *Mar  2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
    *Mar  2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
    *Mar  2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
    *Mar  2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
    *Mar  2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Mar  2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY  New State = IKE_QM_READY
    *Mar  2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
    *Mar  2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
    * 2 Mar 23:07:24.510: ISAKMP: (1027): sitting IDLE. From QM immediately (QM_IDLE)
    * 23:07:24.510 Mar 2: ISAKMP: (1027): start Quick Mode Exchange, M - ID 670698820
    * 23:07:24.510 Mar 2: ISAKMP: (1027): initiator QM gets spi
    * 2 Mar 23:07:24.510: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
    * 23:07:24.510 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
    * 23:07:24.514 Mar 2: ISAKMP: (1027): entrance, node 670698820 = IKE_MESG_INTERNAL, IKE_INIT_QM
    * 23:07:24.514 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    * 23:07:24.530 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
    * 23:07:24.534 Mar 2: ISAKMP: node set 1318257670 to QM_IDLE
    * 2 Mar 23:07:24.534: ISAKMP: (1027): HASH payload processing. Message ID = 1318257670
    * 2 Mar 23:07:24.534: ISAKMP: (1027): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 3268378219, message ID = 1318257670, a = 6464D3F0
    * 2 Mar 23:07:24.534: ISAKMP: (1027): removal of spi 3268378219 message ID = 670698820
    * 23:07:24.534 Mar 2: ISAKMP: (1027): node 670698820 REAL reason error suppression "remove larval.
    * 23:07:24.534 Mar 2: ISAKMP: (1027): error suppression node 1318257670 FALSE reason 'informational (en) State 1.
    * 23:07:24.534 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    * 23:07:24.534 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-238086324
    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-1899972726
    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-321906720

    Router B
    ----------
    Debug crypto ISAKMP

    1d23h: ISAKMP: (0): profile of THE request is (NULL)
    1d23h: ISAKMP: created a struct peer 37.205.62.5, peer port 500
    1d23h: ISAKMP: new position created post = 0x652C3B54 peer_handle = 0x80000D8C
    1d23h: ISAKMP: lock struct 0x652C3B54, refcount 1 to peer isakmp_initiator
    1d23h: ISAKMP: 500 local port, remote port 500
    1d23h: ISAKMP: set new node 0 to QM_IDLE
    1d23h: ISAKMP: find a dup her to the tree during the isadb_insert his 652CBDC4 = call BVA
    1d23h: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    1d23h: ISAKMP: (0): built the seller-07 ID NAT - t
    1d23h: ISAKMP: (0): built of NAT - T of the seller-03 ID
    1d23h: ISAKMP: (0): built the seller-02 ID NAT - t
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    1d23h: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

    1d23h: ISAKMP: (0): Beginner Main Mode Exchange
    1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
    1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_NO_STATE
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

    1d23h: ISAKMP: (0): treatment ITS payload. Message ID = 0
    1d23h: ISAKMP: (0): load useful vendor id of treatment
    1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (0): pre-shared key local found
    1d23h: ISAKMP: analysis of the profiles for xauth...
    1d23h: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    1d23h: ISAKMP: DES-CBC encryption
    1d23h: ISAKMP: SHA hash
    1d23h: ISAKMP: default group 1
    1d23h: ISAKMP: pre-shared key auth
    1d23h: ISAKMP: type of life in seconds
    1d23h: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    1d23h: ISAKMP: (0): atts are acceptable. Next payload is 0
    1d23h: ISAKMP: (0): Acceptable atts: real life: 0
    1d23h: ISAKMP: (0): Acceptable atts:life: 0
    1d23h: ISAKMP: (0): fill atts in his vpi_length:4
    1d23h: ISAKMP: (0): fill atts in his life_in_seconds:86400
    1d23h: ISAKMP: (0): return real life: 86400
    1d23h: ISAKMP: (0): timer life Started: 86400.

    1d23h: ISAKMP: (0): load useful vendor id of treatment
    1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

    1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
    1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

    1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_SA_SETUP
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

    1d23h: ISAKMP: (0): processing KE payload. Message ID = 0
    1d23h: ISAKMP: (0): processing NONCE payload. Message ID = 0
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): provider ID is the unit
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): provider ID is DPD
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): addressing another box of IOS!
    1d23h: ISAKMP: receives the payload type 20
    1d23h: ISAKMP: receives the payload type 20
    1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM4

    1d23h: ISAKMP: (1034): send initial contact
    1d23h: ISAKMP: (1034): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    1d23h: ISAKMP (0:1034): payload ID
    next payload: 8
    type: 1
    address: 217.155.113.179
    Protocol: 17
    Port: 0
    Length: 12
    1d23h: ISAKMP: (1034): the total payload length: 12
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM5

    1d23h: ISAKMP: (1031): serving SA., his is 652D60C8, delme is 652D60C8
    1d23h: ISAKMP (0:1033): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set 33481563 to QM_IDLE
    1d23h: ISAKMP: (1033): HASH payload processing. Message ID = 33481563
    1d23h: ISAKMP: receives the payload type 18
    1d23h: ISAKMP: (1033): treatment remove with load useful reason
    1d23h: ISAKMP: (1033): remove the doi = 1
    1d23h: ISAKMP: (1033): remove Protocol id = 1
    1d23h: ISAKMP: (1033): remove spi_size = 16
    1d23h: ISAKMP: (1033): remove the spis num = 1
    1d23h: ISAKMP: (1033): delete_reason = 11
    1d23h: ISAKMP: (1033): load DELETE_WITH_REASON, processing of message ID = 33481563, reason: Unknown delete reason!
    1d23h: ISAKMP: (1033): peer does not paranoid KeepAlive.

    1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
    1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'informational (en) State 1.
    1d23h: ISAKMP: node set 1618266182 to QM_IDLE
    1d23h: ISAKMP: (1033): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1033): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1033): purge the node 1618266182
    1d23h: ISAKMP: (1033): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    1d23h: ISAKMP: (1033): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP: (1034): payload ID for treatment. Message ID = 0
    1d23h: ISAKMP (0:1034): payload ID
    next payload: 8
    type: 1
    address: 192.168.248.253
    Protocol: 17
    Port: 0
    Length: 12
    1d23h: ISAKMP: (0): peer games * no * profiles
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 0
    1d23h: ISAKMP: (1034): SA authentication status:
    authenticated
    1d23h: ISAKMP: (1034): SA has been authenticated with 37.205.62.5
    1d23h: ISAKMP: try to insert a 217.155.113.179/37.205.62.5/4500/ peer and found existing in a 643BCA10 to reuse, free 652C3B54
    1d23h: ISAKMP: Unlocking counterpart struct 0x652C3B54 Reuse existing peer count 0
    1d23h: ISAKMP: delete peer node by peer_reap for 37.205.62.5: 652C3B54
    1d23h: ISAKMP: lock struct 0x643BCA10, refcount 2 for peer peer reuse existing
    1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM5 = IKE_I_MM6

    1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
    1d23h: ISAKMP: (0): cannot decrement IKE Call Admission Control outgoing_active stat because he's already 0.
    1d23h: ISAKMP: Unlocking counterpart struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
    1d23h: ISAKMP: (1033): error suppression node 1267924911 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): error suppression node 1074093103 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): node-183194519 error suppression FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (1033): former State = new State IKE_DEST_SA = IKE_DEST_SA

    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_I_MM6

    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

    1d23h: ISAKMP: (1034): start Quick Mode Exchange, M - ID 1297417008
    1d23h: ISAKMP: (1034): initiator QM gets spi
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): entrance, node 1297417008 = IKE_MESG_INTERNAL, IKE_INIT_QM
    1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set-874376893 to QM_IDLE
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID =-874376893
    1d23h: ISAKMP: (1034): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 56853244, message ID =-874376893, his 652CBDC4 =
    1d23h: ISAKMP: (1034): removal of spi 56853244 message ID = 1297417008
    1d23h: ISAKMP: (1034): node 1297417008 REAL reason error suppression "remove larval.
    1d23h: ISAKMP: (1034): node-874376893 error suppression FALSE reason 'informational (en) State 1.
    1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set 439453045 to QM_IDLE
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 439453045
    1d23h: ISAKMP: (1034): treatment ITS payload. Message ID = 439453045
    1d23h: ISAKMP: (1034): proposal of IPSec checking 1
    1d23h: ISAKMP: turn 1, ESP_AES
    1d23h: ISAKMP: attributes of transformation:
    1d23h: ISAKMP: program is 3 (Tunnel-UDP)
    1d23h: ISAKMP: type of life in seconds
    1d23h: ISAKMP: life of HIS (basic) 3600
    1d23h: ISAKMP: type of life in kilobytes
    1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
    1d23h: ISAKMP: key length is 128
    1d23h: ISAKMP: (1034): atts are acceptable.
    1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
    1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
    1d23h: ISAKMP: node set 1494356901 to QM_IDLE
    1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 1687353736, message ID = 1494356901
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): purge the node 1494356901
    1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
    1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
    1d23h: ISAKMP: (1032): purge the node 1513722556
    1d23h: ISAKMP: (1032): purge the node-643121396
    1d23h: ISAKMP: (1032): purge the node 1350014243
    1d23h: ISAKMP: (1032): purge the node 83247347

    Hi Nav,

    I'm happy it's working now. Your interpretation is correct. IPsec transport mode encrypts only the payload, while tunnel mode encrypts the whole IP packet (original header and payload) and inserts a new IP header. Thus tunnel mode is used for site-to-site IPsec VPNs and transport mode for point-to-point IPsec VPNs. When GRE is used with IPsec, all packets are encapsulated with a GRE header first, so essentially this is a point-to-point IPsec VPN.

    The problem you are having with tunnel mode: the router's packet is wrapped with a GRE header with source 192.168.248.253 and destination 217.155.113.179. The whole packet is then encrypted and a new header is added with the same source/destination. This new header is translated (NATed) by the FW, but the encapsulated and encrypted GRE header is not. When the packet arrives at Router B, after decrypting the packet, Router B sees a GRE header whose source/destination differ from the tunnel source/destination it uses. This breaks the GRE tunnel and the routing protocol between Router A and Router B.

    HTH,

    Lei Tian
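A small model of the encapsulation described above, added here as an example and not code from the thread. It assumes the addresses from the thread's debug output (Router A at 192.168.248.253 behind a firewall that translates it to 37.205.62.5, Router B at 217.155.113.179) and leaves out NAT-T UDP encapsulation and checksum fix-up:

```python
"""Model of the GRE-over-IPsec-behind-NAT problem described in the reply above.

Added example, not code from the thread. Addresses are the ones in the
thread's debug output; a packet is modelled as a list of headers (outermost
first) and NAT-T UDP encapsulation and checksums are left out.
"""
from typing import List, Tuple

# ("ip", src, dst) | ("gre",) | ("esp", [encrypted headers]) | ("data", text)
Header = Tuple

ROUTER_A_PRIVATE = "192.168.248.253"  # Router A's interface behind the firewall
ROUTER_A_PUBLIC = "37.205.62.5"       # address the firewall translates it to
ROUTER_B = "217.155.113.179"          # Router B's public interface


def gre_encapsulate(payload: List[Header], src: str, dst: str) -> List[Header]:
    """Router A's tunnel interface: delivery IP header + GRE header around the LAN packet."""
    return [("ip", src, dst), ("gre",)] + payload


def ipsec_encrypt(pkt: List[Header], mode: str) -> List[Header]:
    """Crypto map on Router A. Whatever sits inside the ESP layer is opaque to
    every device on the path, including the NAT firewall."""
    kind, src, dst = pkt[0]
    if mode == "tunnel":
        # whole packet, GRE delivery header included, is encrypted; a new
        # IP header with the same source/destination is added in front
        return [("ip", src, dst), ("esp", pkt)]
    if mode == "transport":
        # the original IP header stays in the clear, only what follows is encrypted
        return [("ip", src, dst), ("esp", pkt[1:])]
    raise ValueError(f"unknown IPsec mode {mode!r}")


def firewall_nat(pkt: List[Header], private: str, public: str) -> List[Header]:
    """Source NAT on the firewall: it can only rewrite the outermost IP header."""
    kind, src, dst = pkt[0]
    if kind == "ip" and src == private:
        return [("ip", public, dst)] + pkt[1:]
    return pkt


def ipsec_decrypt(pkt: List[Header], mode: str) -> List[Header]:
    """Router B: strip ESP. In tunnel mode the inner packet comes back exactly as
    Router A built it; in transport mode the (translated) outer header is reused."""
    outer, esp = pkt[0], pkt[1]
    if esp[0] != "esp":
        raise ValueError("expected an ESP header after the outer IP header")
    return esp[1] if mode == "tunnel" else [outer] + esp[1]


def gre_tunnel_accept(pkt: List[Header], tunnel_source: str, tunnel_destination: str) -> bool:
    """Router B's tunnel interface only accepts GRE whose delivery header matches
    its own 'tunnel source' / 'tunnel destination' pair."""
    kind, src, dst = pkt[0]
    return (kind == "ip" and pkt[1] == ("gre",)
            and src == tunnel_destination and dst == tunnel_source)


def simulate(mode: str) -> Tuple[bool, str]:
    """Send one LAN packet from Router A to Router B. Returns (accepted by B's
    tunnel interface, GRE delivery source address as seen by B)."""
    lan_packet = [("ip", "10.1.1.10", "10.2.2.20"), ("data", "ping")]  # constructed
    pkt = gre_encapsulate(lan_packet, ROUTER_A_PRIVATE, ROUTER_B)
    pkt = ipsec_encrypt(pkt, mode)
    pkt = firewall_nat(pkt, ROUTER_A_PRIVATE, ROUTER_A_PUBLIC)
    pkt = ipsec_decrypt(pkt, mode)
    # Router B peers with the firewall's public address, so its tunnel
    # destination is 37.205.62.5, not the private address behind the NAT
    accepted = gre_tunnel_accept(pkt, tunnel_source=ROUTER_B,
                                 tunnel_destination=ROUTER_A_PUBLIC)
    return accepted, pkt[0][1]


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        ok, seen_src = simulate(mode)
        print(f"{mode:9s}: GRE source seen by Router B = {seen_src:16s} "
              f"-> {'accepted' if ok else 'dropped'}")
```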

  • Practice number of devices for EA3500

    I have a question about a practical number of devices that can be supported by my EA3500 router.  I currently have 9 devices, almost all wireless.  My ISP is 20 Mbps down and 5 Mbps up. I noticed that the default maximum number of devices is 50, which is extremely high.

    Since not all devices are actively uploading / downloading continuously, what are your thoughts on a reasonable number of devices?  In my case, three of the devices are used for streaming music/movies (they are the highest priority), the others are for general internet communication.

    During family visits, I could have up to 6 more smart phones using the guest connection.

    Any advice?

    Bill

    The typical rule for residential Linksys routers would be 32 wireless clients. LAN clients can be as much as you have available IP addresses in your DHCP Pool.

    IMO, the reality is that once you get over 30 devices (depending on each device's load) on a single residential router, it can start to be overworked. At that point, adding wireless routers\access points to take part of the large workload off the main router is a good idea. Once you get above 50 devices, you should consider moving into the SMB product ranges, such as a dedicated wired router (no WiFi) and access points. SMB devices are designed to handle higher workloads than residential products and they offer more features like advanced VLANs, IP subnet configuration, custom routing, ACLs, QoS, and virtual SSIDs. These technologies give you more control over how bandwidth is used and routed.

  • Cisco ASA FTD software vs of firepower

    Hello

    I am confused between the Firepower FTD stuff and the FirePOWER Services software. So here are my questions based on what I understand:

    With the FirePOWER Services software module:

    1. You have your normal ASA OS and then you download the FirePOWER Services. Or does the compatible firewall always come with the FirePOWER Services software pre-installed?

    2. So ASA will do routing, ACLs, NAT, VPN

    FirePOWER Services software will do AVC, URL filtering, NGIPS, and AMP

    Is this interpretation correct?

    3. Both ASA and the FirePOWER Services software can be managed by ASDM and CLI. But only the FirePOWER Services software can be managed by Firepower Management Center, that is, only the 4 FirePOWER Services software functions mentioned above can be controlled by Firepower Management Center.

    With the FTD image

    4. There is only one image on the firewall. Correct?  (I say image because to install FTD, I need 2 sorts of files: a *.lfbff. file and a .pkg file. Still confused why.)

    5. All functions mentioned above for ASA as well as those provided by the FirePOWER Services software will be managed ONLY by Firepower Management Center. This means that even if I have to add a simple ACE then I need to do it using the Management Center? Correct?

    Please clarify. FTD/Firepower is really confusing. :-(

    1. The ASA is available with and without the FirePOWER software module pre-installed. There is no additional cost to specify it with the module, so we (my company and other partners) usually spec it with the module so it is already there in case the customer wants to activate it later.

    2. That is the overall split of functions. FirePOWER functions require licenses. AVC is included with the Control license at no charge, but NGIPS, URL filtering and malware (AMP) are licensed features that can be purchased separately.

    3. Correct. (And you can also manage the ASAs with CSM.)

    4. One file, one binary image package.

    5. Correct as of 6.0. (Note that not all legacy ASA features are currently available in FTD; notably missing are all types of remote access VPN.) Stay tuned for changes to that with the release of 6.1 this summer.

  • OSPF AD

    Hello guys,

    It is my first post here, so be gentle.

    I'm playing with OSPF and I came across something that I can't explain.

    Setup:

    A router receiving a network from two places:

    R5(config-router)#do sh ip route 155.1.67.0
    Routing entry for 155.1.67.0/24
      Known via "ospf 1", distance 110, metric 66, type inter area
      Last update from 155.1.0.3 on Serial0/0, 00:00:16 ago
      Routing Descriptor Blocks:
        155.1.0.3, from 150.1.3.3, 00:00:16 ago, via Serial0/0
          Route metric is 66, traffic share count is 1
      * 155.1.0.1, from 150.1.6.6, 00:00:16 ago, via Serial0/0
          Route metric is 66, traffic share count is 1

    What I'm trying to do is change the AD for the route from 150.1.6.6, so that it doesn't get installed in the routing table:

    router ospf 1
     log-adjacency-changes
     distance 250 150.1.6.6 0.0.0.0 67
    !
    access-list 67 permit 155.1.67.0

    If I look at the routing table after I applied the config, I get:

    O IA    155.1.67.0/24 [110/66] via 155.1.0.3, 00:12:24, Serial0/0
                          [110/66] via 155.1.0.1, 00:12:24, Serial0/0

    If I look at the "debug ip routing" output:

    *Mar 1 04:04:16.198: RT: add 155.1.67.0/24 via 155.1.0.1, ospf metric [250/66]
    *Mar 1 04:04:16.198: RT: NET-RED 155.1.67.0/24
    *Mar 1 04:04:16.198: RT: add 155.1.67.0/24 via 155.1.0.3, ospf metric [110/66]
    *Mar 1 04:04:16.198: RT: NET-RED 155.1.67.0/24

    If I change the OSPF config to an AD of 255:

    router ospf 1
     log-adjacency-changes
     distance 255 150.1.6.6 0.0.0.0 67
    !
    access-list 67 permit 155.1.67.0

    The route via 150.1.6.6 does not get installed, and the "debug ip routing" output is:

    *Mar 1 04:20:00.510: RT: add 155.1.67.0/24 via 155.1.0.3, ospf metric [110/66]
    *Mar 1 04:20:00.510: RT: NET-RED 155.1.67.0/24

    Does anyone know what is happening? Why does the AD get changed for the maximum value (255), but not for a smaller one?

    Thank you

    Mihai

    When I try to manipulate the AD it changes it for both routes.

    O IA    4.4.4.0 [200/21] via 13.13.13.3, 00:00:51, FastEthernet0/1
                    [200/21] via 12.12.12.2, 00:00:51, FastEthernet0/0

    If I set the AD to 255, then it is removed, as it was for you as well.

         4.0.0.0/24 is subnetted, 1 subnets
    O IA    4.4.4.0 [110/21] via 13.13.13.3, 00:00:02, FastEthernet0/1

    If I then add another distance command, then it works.

         4.0.0.0/24 is subnetted, 1 subnets
    O IA    4.4.4.0 [200/21] via 13.13.13.3, 00:00:02, FastEthernet0/1

    And if I remove the distance 255 command, it doesn't work at all.

    O IA    4.4.4.0 [110/21] via 13.13.13.3, 00:00:02, FastEthernet0/1
                    [110/21] via 12.12.12.2, 00:00:02, FastEthernet0/0

    So this feature seems not to work reliably. If we look in the LSDB:

    R1#sh ip ospf data sum 4.4.4.0

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Summary Net Link States (Area 0)

      Routing Bit Set on this LSA
      LS age: 1392
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000002
      Checksum: 0x29F3
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

      Routing Bit Set on this LSA
      LS age: 1354
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 3.3.3.3
      LS Seq Number: 80000002
      Checksum: 0xB0E
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

    The one via 2.2.2.2 is older. Let's try to make the one from 3.3.3.3 the older one and then set the distance.

    R2#clear ip ospf proc
    Reset ALL OSPF processes? [no]: yes

    R1#sh ip ospf data sum 4.4.4.0

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Summary Net Link States (Area 0)

      Routing Bit Set on this LSA
      LS age: 26
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000003
      Checksum: 0x27F4
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

      Routing Bit Set on this LSA
      LS age: 1569
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 3.3.3.3
      LS Seq Number: 80000002
      Checksum: 0xB0E
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

    R1(config-router)#do sh run | s router ospf
    router ospf 1
     router-id 1.1.1.1
     log-adjacency-changes
     distance 200 2.2.2.2 0.0.0.0 1
    R1(config-router)#no distance 200 2.2.2.2 0.0.0.0 1
    R1(config-router)#distance 200 3.3.3.3 0.0.0.0 1
    R1(config-router)#^Z
    R1#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         4.0.0.0/24 is subnetted, 1 subnets
    O IA    4.4.4.0 [200/21] via 13.13.13.3, 00:00:03, FastEthernet0/1
                    [200/21] via 12.12.12.2, 00:00:03, FastEthernet0/0

    So it seems that it only works for the oldest instance of the LSA, but then it changes for both neighbours. So I can't get the feature to work reliably.

    R1#sh ver | i IOS

    Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)

    Daniel Dib
    CCIE #37149

    Please rate helpful posts.

  • What layer are FI in the Cisco hierarchical network design model?

    What layer are FI in the Cisco hierarchical network design model?

    Is this a straightforward question? We have a Nexus 7k as our core and port-channel the FIs to it. So to me that is the distribution layer.

    But when we attach to the NAS (Isilon devices) we use N3Ks between the FI and the N7K. Would this make the N3K and the FI both part of the distribution layer? Wouldn't it be considered the access layer? However, it does not do ACLs etc., which usually belong to the distribution layer.

    I was wondering what people's thoughts on it are. Is the UCS FI a 'one off' in the 3-layer model?

    Thank you!

    Craig

    FIs can sit at your dist layer or at access.  I've seen deployments where they are deployed both ways, depending on the size of the UCS cluster and network bandwidth. The distribution layer is usually where all the layer 3 magic happens (routing, ACLs, QoS, FW, policy enforcement etc.), and UCS being strictly Layer 2, it could be classified as an access-layer device.

    Designs are flexible, and as long as you account for oversubscription properly, you should be fine with either deployment option.

    I hope that others will share their ideas

    Kind regards

    Robert

  • Site to site vpn problem

    Hello all

    I have a problem with a site-to-site VPN between two Cisco routers. The configurations are:

    Site A

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
     lifetime 86000
    crypto isakmp key secrettestkey address x.x.x.x
    !
    !
    crypto ipsec transform-set S2S esp-3des esp-sha-hmac
    !
    crypto map S2S 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set S2S
     match address S2S

    interface FastEthernet4
     ip address y.y.y.y 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map S2S
    !
    !
    interface Vlan1
     no ip address
    !
    !
    interface Vlan12
     ip address 192.168.100.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 100 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 y.y.y.x
    ip route 192.168.14.0 255.255.255.0 y.y.y.x
    !
    ip access-list extended S2S
     permit ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
    !
    access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
    access-list 100 permit ip 192.168.100.0 0.0.0.255 any

    Site B

    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
     lifetime 86000

    crypto isakmp key secrettestkey address x.x.x.x

    crypto ipsec transform-set testS2S esp-3des esp-sha-hmac

    crypto map DCMAP 20 ipsec-isakmp
     description test tunnel
     set peer x.x.x.x
     set transform-set testS2S
     match address testS2S

    interface GigabitEthernet0/0
     description .:Outside:.
     ip address y.y.y.y 255.255.255.224
     ip access-group OUTSIDE2INSIDE in
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map DCMAP

    ip route 192.168.100.0 255.255.255.0 y.y.y.x

    ip access-list extended testS2S
     permit ip 192.168.14.0 0.0.0.255 192.168.100.0 0.0.0.255

    There is also a NAT-T configuration on this site.

    The tunnel is not coming up. The status is MM_NO_STATE.

    What is causing the problem? Please advise.

    Hello

    Check out the link. It's for remote access IPsec. Try removing the crypto map config and reapplying it.

    Second, in the debugs, you can see the router going for xauth:

    04:35:44.707 26 Jan: ISAKMP: Config payload REQUEST
    26 jan 04:35:44.707: ISAKMP: (2083): no provision of demand
    04:35:44.707 26 Jan: ISAKMP: Invalid configuration REQUEST
    04:35:44.707 26 Jan: ISAKMP (2083): action of WSF returned the error: 2
    04:35:44.707 26 Jan: ISAKMP: (2083): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

    You can disable xauth using no-xauth at the end of the isakmp key statement:

    crypto isakmp key 0 abc address x.x.x.x no-xauth

    HTH

  • Check IP unicast reverse path does not

    I configured ip verify unicast reverse-path on a Cisco 2611 running 12.3(26) code. IP CEF is enabled globally but disabled with the no ip route-cache cef command on all interfaces except the WAN-facing interface (Serial0/0).

    !
    interface Serial0/0
     description connected to the internet
     bandwidth 768
     ip address 100.100.20.10 255.255.255.252
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting access-violations
     ip nat outside
     ip route-cache flow
     no ip mroute-cache
     no fair-queue
     no cdp enable
    !

    Whenever I reboot the router, it works for a while, then stops working. The show ip traffic unicast RPF drop counter unexpectedly stops increasing after a few minutes and stays where it stopped.

    IP statistics:
      Rcvd:  35015 total, 346 local destination
             0 format errors, 0 checksum errors, 0 bad hop count
             0 unknown protocol, 17 not a gateway
             0 security failures, 0 bad options, 0 with options
      Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
             0 timestamp, 0 extended security, 0 record route
             0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
             0 other
      Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
             0 fragmented, 0 fragments, 0 couldn't fragment
      Bcast: 6 received, 0 sent
      Mcast: 0 received, 0 sent
      Sent:  265 generated, 23074 forwarded
      Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
             120 no route, 467 unicast RPF, 0 forced drop
             0 options denied
      Drop:  0 packets with source IP address zero
      Drop:  0 packets with internal loop back IP address

    Can anyone think of a reason it works for a few seconds after starting and then stops?

    [edit]

    I took out the ip route-cache flow statement thinking that was the problem, but still no change in the counter.

    There are several methods you can use for the same purpose; here are some examples:

    > ACL

    > Policy Based Routing + ACL (two interfaces, marking on one, dropping via ACL)

    > MPF 'drop' keyword

    > Black Hole routing (Routes null 0)

    > uRPF

    Each method has its advantages and disadvantages: ACLs and static routes are difficult to maintain and operate. An ACL with the "log" keyword is process switched, making it slower.

    Black hole routing works by sending spoofed traffic (bogon hits) to Null0; Null0 being a direct adjacency (a sort of interface) in all CEF routers, it is relatively faster.

    uRPF is commonly used with Remotely Triggered Black Hole routing (RTBH). For example, say you manage a large organization with several entry points into the network. Now you learn that your network is under attack from source 1.2.3.0/24. With RTBH, all border routers have uRPF active and there is an internal router known as a 'trigger router'. You could inject a route into your IGP domain, something like:

    ip route 1.2.3.0 255.255.255.0 Null0 tag 255

    And then all the edge routers would receive this route and, with the help of uRPF, drop all packets 'sourced' from the attacker's network. The process is a little more complicated than that, but I hope you get the idea.

    Regards

    Farrukh
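    The following is an added configuration example illustrating the source-based RTBH plus uRPF combination described in the answer above; it is not part of the original post. Where the answer injects the route into the IGP, this example uses the more common iBGP-based variant with a discard next hop, which is an assumption of the example, not something the post states. The AS number 65000, the discard address 192.0.2.1, the neighbor addresses, the route-map name and the interface name are all assumed; the attacker prefix 1.2.3.0/24 and the tag 255 are taken from the post.

```cisco
! ---- Trigger router (assumed AS 65000) ----
! Park the attacker prefix on Null0 and tag it so the route-map picks it up.
ip route 1.2.3.0 255.255.255.0 Null0 tag 255
!
! Rewrite the next hop to the discard address before advertising it to the edges.
! Assumed names and values: route-map RTBH, discard address 192.0.2.1.
route-map RTBH permit 10
 match tag 255
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 redistribute static route-map RTBH
 ! assumed edge router loopback
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! ---- Every edge router ----
! The discard address is permanently pointed at Null0, so any prefix whose BGP
! next hop resolves to it is dropped by CEF (destination-based drop).
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 ! assumed trigger router loopback
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 send-community
!
interface Serial0/0
 description Internet-facing link (assumed interface)
 ! Loose-mode uRPF: a source whose best route points to Null0 fails the check,
 ! so packets *sourced* from 1.2.3.0/24 are dropped at the edge (source-based drop).
 ip verify unicast source reachable-via any
!
! ---- Checks on an edge router ----
! show ip route 1.2.3.0
! show ip interface Serial0/0 | include verify
! show ip traffic | include unicast RPF
```

    Loose mode (reachable-via any) is what makes this work on multi-homed edges: strict mode would also drop legitimate asymmetric traffic, whereas loose mode only fails a source whose best route is absent or points to Null0. The no-export community keeps the black-hole prefix inside your own AS.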

  • I have only a single IDS and would like to know if it's possible to monitor all the VLANs.

    With only one IDS I want to know if it is possible to monitor all my VLANs in the network. I use IDS version 4 and VMS MC 1.1.

    If I have to define my internal addresses, and those I define as internal are considered trusted, in the case where I configure a port on my core switch to monitor all the VLANs in my network and connect the IDS to the destination monitor port to sniff all the VLANs, which VLAN do I consider as internal?

    Also, I have Catalyst 6006 and 6509 switches with versions 5.1(3) and 12.1 respectively; can I apply shunning to take actions when an attack is detected?

    Is this configuration possible?

    Thanks for any help-

    I don't know if the IDS is able to detect the specific activity you mentioned. You would need to go through our list of signatures to see if it's possible. You could also submit a new post and ask this question again.

    As for the actions:

    CatOS 5.3 should allow you to inject TCP reset packets through a span port (requires the inpackets enable parameter).

    In regards to blocking with CatOS 5.3, I don't think that this version supports VACLs. You may need to upgrade the CatOS version if you want to block with VACLs, and you also need a PFC and an MSFC on the supervisor.

    NOTE: If you have an MSFC doing the routing you may also block with the traditional router ACL on the MSFC.

    On the 6509 running native IOS (where IOS instead of the traditional CatOS runs on the supervisor), there may be a problem with TCP resets. I don't know if the monitor port (the native IOS equivalent of the span port) will allow the incoming TCP resets. You need to check the documentation.

    Some versions of native IOS (I think the newer versions than what you have) will also allow you to monitor through the VLAN ACL capture feature. If the sensor is fed by a VACL capture port instead of a monitor port then I think the TCP reset works OK, but I have not tested it.

    With native IOS the sensor supports router blocking with the traditional ACL; it does not support blocking with VLAN ACLs in native IOS.

    NOTE: The difference between a router ACL and a VLAN ACL is that the VLAN ACL is applied to the VLAN and applies to all packets entering and leaving the VLAN, while the router ACL is actually applied to the VLAN INTERFACE where an IP address has been assigned and only applies to packets routed into or out of the VLAN.

    NOTE: Native IOS requires that the supervisor has an MSFC to even load the image.
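    As an added example of the VACL capture feature mentioned in the answer above (not part of the original post), this is how a Catalyst 6500 running native IOS can copy the traffic of several VLANs to the port where the sensor's sniffing interface is plugged in, while still forwarding that traffic normally. The ACL and access-map names, the VLAN numbers 10, 20 and 30, and the interface GigabitEthernet3/1 are assumptions; the example makes no claim about whether TCP resets sent by the sensor are accepted on the capture port, which the answer says is untested.

```cisco
! Match all IP traffic on the VLANs the sensor should see (assumed ACL name).
ip access-list extended IDS-ALL
 permit ip any any
!
! VACL: forward the traffic as usual and also copy it to the capture port(s).
vlan access-map IDS-CAPTURE 10
 match ip address IDS-ALL
 action forward capture
!
! Apply the map to the VLANs of interest (VLAN numbers assumed).
vlan filter IDS-CAPTURE vlan-list 10,20,30
!
! Port connected to the sensor's monitoring interface (slot/port assumed).
! Only the VLANs listed under "capture allowed vlan" are copied to this port.
interface GigabitEthernet3/1
 description IDS sensor monitoring interface
 switchport
 switchport capture
 switchport capture allowed vlan 10,20,30
!
! Checks
! show vlan access-map IDS-CAPTURE
! show vlan filter
```

    Compared with a monitor (SPAN) session, the VACL approach lets you narrow what the sensor receives by tightening the IDS-ALL ACL (for example to a few servers' addresses), which matters when one sensor has to watch several busy VLANs.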
