EzVPN in 7606S with SPA-IPSEC-2G

Hello...

PLS, I need help.

I am trying to set up a 7606-S router with SPA-IPSEC-2G for EzVPN, but I have no idea how.

I read some examples in the 7606 documentation centre, but with the current configuration in our router I do not know how to do it.

The router has the SPA installed in slot 3, interfaces G3/0/0 and G3/0/1. Interface G2/0/0 is connected to our provider, and we are connected directly to the network interfaces. That is to say: no VLANs, no trunks; ports configured as IP ports directly connected to the network.

Where can I find an example of EzVPN configuration?

Does anyone have an idea how to do a simple config?

Thanks in advance...

Here is the complete configuration guide for the 7600 Series router SPA IPsec module:

http://www.Cisco.com/univercd/CC/TD/doc/product/core/cis7600/76sipspa/sipspasw/76vpnspa/76cfvpn1.htm

There are 2 modes with the SPA-IPSec module:

(1) crypto-connect mode

(2) VRF mode

This will determine how the interfaces are connected, and once you have the above configured, the EzVPN configuration is identical to a normal router config.

I hope this helps.

Post edited by: Jennifer Halim

Similar Questions

  • help with SPA 3102 (graphical question)

    Hi guys, here is my situation (I drew it so it would be easier for future reference):

    I want to pick up phone A and dial 101 for Ext 101, 102 for Ext 102 and so on.
    also, I want to put routed my call for location 2 location 1 for example transferring calls to 104.

    any help would be really appreciated even a starting point as for example the configuration of spa to route my call not NAT, so it can connect to the other.

    castro69 wrote:
    also, I want to put routed my call for location 2 location 1 for example transferring calls to 104.
    any help would be really appreciated even a starting point as for example the configuration of spa to route my call not NAT, so it can connect to the other.

    I guess that's an analog PBX, otherwise you wouldn't need the SPA3102 through the internet.

    For communications between the SPA3102, I would use direct ip call, using the external ip address and the sip port numbers.  Think that the SPA3102 is two separate cards inside the box where treat you everyone with its sip port number added to the external ip address common.

    I would setup port sip distinctive numbers on each of the baths to keep things straight.  You have a number of separate port for tabs of line 1 and line PSTN.  You will need to send these to the SPA3102 adapter port numbers in their respective routers or firewall of the router will reject incoming packets on the internet. I would also convey the port range rtp for voice, flow packs.
    On each tab of the line 1 and RTC, you define NAT Mapping Enable: YES, not record, make call without Reg Yes, years call without Reg No. I put your external ip address on the Sip tab under EXT IP.  This will tell the SPA3102 to use this address in the sip signaling. I assume you are using static external ip addresses.   On each tab of the line 1 you would activate IP Dial Yes.

    The analog PBX is connected to the FXO port on one of the Spa.  You should check the voltage level hung up and won and then set the line parameter usage on the RTC of the SPA line tab to halfway between the two readings.  You can read the levels of tension on the PSTN line tab.  Calls to the PBX of the PSTN line tab will go through the voip to PSTN gateway.  I set up the catwalk with http authentication and configure a user name and password.

    Details are starting to become quite complicated.  I'd get running through steps.  Get a job step before moving on to the next step.

    The 1st step would be to get A phone call/receive calls to a PBX.  You can configure the line 1 for FXS phone attached A to use port location PSTN 2 as the proxy using http authentication, and you can then dial the extensions you want to call.  Location 1 SPA3102 will send a guest of the sip Protocol to the tab location 2 SPA3102 from pstn line and the SPA3102 will dial the number on the FXO port to the PBX.

    For calls coming from the other direction of a PBX to slot 2 SPA3102 the only place where you can connect a voip call is in the SPA3102 numbering plan.  If you want to call only phone that is easy, install you just dialers-messengers automatic telephone in the pstn-to-voip dial plan.

    I'm not clear about what you want to do with phone B I take is Extension 104.

    I like your designs.  Can save a lot of words.

  • EZVPN connection fails with the error "Split tunnel higher than max attributes...."

    Hello

    We have an ASA 5520 acting as the VPN server and a Cisco 1941 router as the EZVPN client. For the last few days the client has not been able to establish the VPN connection. The 1941 router continuously generates the log messages below.

    ---------------

    001569: Jul 22 ABC 12:19:05.883: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN (VPNGROUP) Split tunnel attributes (51) greater than max allowed split attributes (50)

    001574: Jul 22 ABC 12:19:07.835: %CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = vpn_user group = VPNGROUP Client_public_addr = Server_public_addr =

    004943: Jul 22 ABC 11:32:42.247: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the table fragment has reached its maximum 16

    ---------------

    Looking forward to help and suggestions from the experts.

    Thank you

    Israr Ahmad

    Yes, your split tunnel access-list is too big, and it has reached the maximum number of lines.

    Try to reduce the number of ACL entries in your split tunnel ACL, maybe by combining the subnets if possible.
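The subnet-combining step suggested in the answer above, as an added example that is not part of the original thread: it merges only adjacent or overlapping entries, so the set of networks sent through the tunnel does not grow. The ACL name `VPNGROUP_SPLIT` and the 51 sample entries are constructed; the limit of 50 is the one quoted in the log message.

```python
import ipaddress

# Limit quoted in the %CRYPTO-4-EZVPN_SA_LIMIT message in the question.
MAX_SPLIT_ATTRIBUTES = 50
ACL_NAME = "VPNGROUP_SPLIT"  # hypothetical ACL name, not from the thread


def sample_acl():
    """Constructed split-tunnel ACL with 51 entries (not from the post)."""
    lines = [
        f"access-list {ACL_NAME} standard permit 10.20.{i}.0 255.255.255.0"
        for i in range(48)
    ]
    lines += [
        f"access-list {ACL_NAME} standard permit 192.168.10.0 255.255.255.0",
        f"access-list {ACL_NAME} standard permit 192.168.11.0 255.255.255.0",
        f"access-list {ACL_NAME} standard permit host 172.16.5.9",
    ]
    return "\n".join(lines)


def parse_standard_acl(text, name=ACL_NAME):
    """Return the networks permitted by the ASA standard ACL `name`."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", name, "standard", "permit"] or len(tok) < 6:
            continue  # remarks, deny lines, other ACLs, 'any'
        if tok[4] == "host":
            nets.append(ipaddress.ip_network(tok[5] + "/32"))
        else:
            # "address mask" form; strict=False tolerates set host bits
            nets.append(ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False))
    return nets


def summarise(nets):
    """Merge adjacent/overlapping networks. collapse_addresses never adds
    address space, so no extra destinations end up in the tunnel."""
    return list(ipaddress.collapse_addresses(nets))


def render(nets, name=ACL_NAME):
    """Turn networks back into ASA standard ACL lines."""
    out = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            out.append(f"access-list {name} standard permit host {n.network_address}")
        else:
            out.append(
                f"access-list {name} standard permit {n.network_address} {n.netmask}"
            )
    return out


def report(text, name=ACL_NAME):
    """Entry counts before and after, and whether the result fits the limit."""
    before = parse_standard_acl(text, name)
    after = summarise(before)
    return {
        "before": len(before),
        "after": len(after),
        "fits": len(after) <= MAX_SPLIT_ATTRIBUTES,
        "acl": render(after, name),
    }


if __name__ == "__main__":
    r = report(sample_acl())
    print(f"{r['before']} entries -> {r['after']} entries, fits={r['fits']}")
    print("\n".join(r["acl"]))
```

If the merged list is still over the limit, the remaining choice is a wider supernet, which tunnels address space that was not in the original ACL and should be reviewed as a policy change.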

  • having problems connecting to some websites with spa3102

    Hello

    I have problems connecting to some websites with spa 3102.

    The error message I get is as follows.

    The connection was reset

    The connection to the server was reset while the page is loading.

    * The site may be temporarily unavailable or too busy. Try again in a few
    moments.

    * If you are unable to load any pages, check your computer's network
    connection.

    * If your computer or network is protected by a firewall or proxy, make sure that
    that Firefox is permitted to access the Web.

    When I connect to my ISP modem directly, I'm able to connect to these Web sites.

    Any ideas?

    I already had the latest firmware (software Version: 5.1.10 (GW))

    But I think the problem is now resolved. Sites that I couldn't visit were my suppliers Web hosting and my own domain. Previously, I had activated attacking and that my hoster somehow registered my mac address.

    Here are the settings that I had to change the spa3102.

    MAC Clone settings
    The Service Enable MAC Clone: Yes cloned MAC address: xxxxxxxxxxxx

    thx for your help.

  • SPA 2102 back 10 MB support

    Hello

    I have 10 MB ADSL. When I connect the WRTP54G and test the speed with http://speedtest.vonage.com, the download speed is always about 9980 kb/s and the upload is 988 Kbps. But when I connect the SPA 2102, I always get a download speed of 6760 to 7010 Kbps, and the upload is still 988 Kbps. If I disconnect the SPA 2102 and connect the WRTP54G, the download speed is back to 9980 Kbps and the upload is 988 Kbps.

    What is the problem with SPA 2102?

    Thank you

    Thanks for your reply

    But when I put the SPA2102 behind the sound quality is not the same when one computer that downloads why I buy the SPA2102 be before the router.

    By the way, my wireless router is Linksys WRT54GX Firmware Version: 1.02.15 

    The WRTP is also a phone adapter, but the problem with this one is that it keeps dropping off the internet; that's why I decided to replace it with the SPA2102.

    Thank you

  • Cisco ezvpn ASAs cannot ping each other inside interfaces

    I have an EzVPN setup in place with a 5506 (location B) client-side and a 5520 (location A) server-side. I have successfully connected the VPN, and traffic flows. My problem is that I can't SSH into location B. Investigating this further, I cannot ping the inside interface of the opposing ASA, or the machines inside each ASA.

    I found the following links that describes a scenario similar to mine, but nothing on one of them helped me.
    http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
    https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
    https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping

    I attached sanitized versions of these two configs. Any help is appreciated.

    Hi Adam,

    On site B I am not able to see "management-access inside". Please try to configure the same. It could solve the problem.

    Also, on the ASA NAT statement, can you please try adding the keywords 'no-proxy-arp route-lookup'?

    Something like:

    nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
    as I have noted problems with access to the inside interface via the VPN when those keywords are not applied. If I remember correctly, ASA version 8.6.x had a bug regarding the same.

    Regards,
    Véronique

  • SPA 112 Port Sip does not change

    Good day, there is a problem with SPA 112. I want to use a different SIP port, such as 23405. I changed it in the web graphical interface under SIP PORT and it is applied, but not really: the SPA 112 continues to connect on port 5060. Is there any resolution to this problem? Version is 1.4.0.

    SPA devices are supported in the SMB community; you might want to post this there.

  • IPSec tunnels does not work

    I have 2 Cat6: one with an IPsec SPA card, while the other does not have one.

    I tried setting up an IPsec tunnel between them, but somehow can't bring up the tunnel. Can someone help me look at the setup?

    A (with SPA):

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set testT1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile P1
     set transform-set testT1
    !
    crypto call admission limit ike sa 3000
    !
    crypto call admission limit ike in-negotiation-sa 115
    !
    interface Tunnel962
     ip unnumbered Loopback962
     tunnel source GigabitEthernet2/37.962
     tunnel destination 172.16.16.6
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile P1

    interface GigabitEthernet2/37.962
     encapsulation dot1Q 962
     ip address 172.16.16.5 255.255.255.252

    interface Loopback962
     ip address 1.1.4.200 255.255.255.255

    ip route 2.2.4.200 255.255.255.255 Tunnel962

    B (without SPA):

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile P1
     set transform-set T1

    interface Tunnel200
     ip unnumbered Loopback200
     tunnel source GigabitEthernet2/1.1
     tunnel destination 172.16.16.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile T1

    interface Loopback200
     ip address 2.2.4.200 255.255.255.255

    interface GigabitEthernet2/1.1
     encapsulation dot1Q 962
     ip address 172.16.16.6 255.255.255.252

    ip route 1.1.4.200 255.255.255.255 Tunnel200

    I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just does not come up. When I turned on 'debug cry ipsec' and 'debug cry isa', nothing comes out; when I turn on 'cry of debugging sciences', I got:

    "00:25:17: crypto_engine_select_crypto_engine: can't handle more."

    Hello

    You need an IPsec SPA card on chassis B to do IPsec encryption. Please see the URL below for more details.

    Without a SPA-IPSEC-2G or IPsec VPN Services Module for acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in software only for administrative connections to Catalyst 6500 series switches and Cisco 7600 Series routers.

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst6500/IOS/12.2SXF/native/release/notes/OL_4164.html

    Kind regards

    Arul

    * Rate pls if it helps *.

  • Lost communication in VPN tunnel after clear crypto session

    Hello!

    EzVPN with DVTI.

    Everything works (there is communication with the remote local networks, I can ping) until I type:

    clear crypto sa

    After this command, the tunnel is restarted, the tunnel is UP, but the communication does not come back (I can't ping inside).

    On both client and server, I have

    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic

    What code is the EzVPN server with DVTI running? You may be hitting this bug.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth39861

    Try to reload the zone and see if the tunnel comes back up, then issue the clear command again and see if the IPP disappears.

  • IPsec Security Association keep it up

    Hello community,

    Customer has about 50 remote 871s (home) with IP phones.

    Main site has an ASA 5510 sheltering the CUCM.

    Problem is...

    When user1 calls user2 there is no audio (since there is no IPsec security association built between the remote users).

    The fact that user1 called user2 built the IPsec SA between ROUTER1 and the ASA, but since there is no IPsec security association for the users between ROUTER2 and the ASA, audio fails.

    If user2 calls user1 now, then the call is successful, because the SAs are built:

    IPsec security association between ROUTER1 and ASA for the traffic of user1 and user2

    IPsec security association between ROUTER2 and ASA for the traffic of user1 and user2

    So, the problem is that both parties must initiate traffic to make this work.

    What I did to solve the problem is to configure IP SLA on the routers to send a PING packet every 10 minutes to their peers (thus keeping the SAs between remote sites up all the time).

    IP SLA works, but I'm looking for a better way to solve the problem than having to manually generate the traffic (DMVPN or running a routing protocol through the tunnel does not work with the ASA).

    I guess increasing the IPsec security association lifetime is another option.

    Looking to get recommendations, thanks!

    Federico.

    Hi Federico,

    Have you considered EzVPN/Easy VPN, with the ASA as EzVPN server and the routers/ASA5505 as EzVPN clients? This would create the tunnel as soon as it is configured.

    In addition, apart from increasing the SA lifetime (which basically relates to phase 2 rekeying), you can configure vpn-idle-timeout to be 'none' in the group-policy on the ASA.

    Any thoughts?

    Kind regards

    Praveen

  • You can import a file html in Board reflow?

    Hi, I need to make a retrospective corrections to a spa of html with the edge... code, I built it would be great if you could open a "file" not only a project of reflow and then save as a new project...

    I have some problems with spa html that I wrote in the manual before css media queries do not work in chrome and good reflow would be a quick fix option...

    HI -.

    Thank you for using reflow.

    You can import from a Photoshop file, but unfortunately, you cannot import a file existing in the reflow html.

    VIC

  • Problem with Installation 900 SPA

    Hi all
    I am about to install a new VOIP system in our offices.  We are only a small office, but reasonably busy and I only need three to five extensions.  I already have the material and I'm reasonably confident (famous last words!) by installing the system with a SIP line and connected to a normal telephone line for the downturn.  I'm NOT sure about a field.  Prime material

    SPA9000
    SPA3102
    962/942 SPA phones

    OK now my desktop system consists of a server with SBS2003 with NIC TWO one for LAN and WAN cards.  Workstations and other elements are connected by ethernet to a D Link switch which is connected to the NIC1 and the NIC 2 connects to a telephone line Draytek router/ADSL broadband.  Internet access is of course provided to workstations using DHCP.  Everything works well at the present time.

    Now what I do not understand is the connectivity of the SPA 9000 and the SPA3102, which has an FXO port for the telephone line.  As I have only one telephone line, how do I connect that line to the router AND the SPA3102?

    I hope that explains my question

    Thanks for any help

    You will connect the WAN port on the SPA9000 to the switch and then together "Network Interface Proxy" WAN under the label to join automatically, in which case your SBS2003 has no problem handling of multicast SIP, IP of SPA phones. You must manually register the SPA3102 to the SPA9000, you set a proxy which is the IP address of the SPA9000, you can verify that proxy address by clicking on one of the IP phones that automatically, then you put a User ID user defined. You can test if it works by calling locally and User ID on one of the IP phones.

  • SPA 3201 - problem with incoming calls

    Hello

    I installed a new SPA 3102 connected to a mini Server asterisk; catches of phone line to connect to the existing line of the Earth and the phone.
    The unit has current firmware, and the one and only ethernet cable taken in the WAN port - these two steps make a working direction. I can dial a number on the phone, the call goes through the asterisk and goes out to the PSTN.
    The other way, however, does not work: I get syslog entries that the call is detected, but the device doesn't send what anyone on the server (as checked with wireshark)
    The dial plan is
    (S0<:1234>)
    but I also tried
    (S0<>[email protected] / * />)
    and some variations more

    This is syslog entries:

    FXO:start CNDD
    Number of the caller analysis = callingnumber
    -Caller ID:
    -Name = (null)
    -Number distance = callingnumber
    -Dialable number = (null)
    -No reason number = (null)
    FXO:CNDD = name, number is callingnumber
    FXO:stop CNDD
    Phone = FXO:CNDD name = callingnumber
    Your RTC AUD:Stop
    FXO: on the hook
    Your RTC AUD:Stop
    the next sequence is repeated several times, probably as long as the line is actually ringing
    FXO:start CNDD
    Your RTC AUD:Stop
    FXO: on the hook
    Your RTC AUD:Stop
    FXO:stop CNDD

    Where would I look next?

    I found a tip in an ongoing discussion, and in fact this has solved the problem: "PSTN ring timeout" must be longer than the time to ring + break from the ring, and "Time of response to PSTN" must be short enough

    Unfortunately, if incomplete description of configuration. There are so many dial plans to set, but it has not specified that have configured it.

    Please read before RTC call the SPA3102 to VOIP. I hope this will help you.

  • Cisco SPA with problem of DHCP Options 66

    Dear all,
    I have a problem with auto-deployment of my Cisco SPA phone.
    If I manually enter the configuration page and paste "[- pwd - password user uid] http:///dms/def/spa$PSN.cfg" in the profile rule, everything works perfectly.
    However, we would like to do zero touch provisioning, so I added "[- pwd - password user uid] http:///dms/def/spa$PSN.cfg" to DHCP Option 66. The SPA phone seems unable to get the Option 66 parameter. It shows "/spa$PSN.cfg" in the profile rule.
    I'm sure that the DHCP server works perfectly.
    Can anyone help on this?

    Kind regards

    Desmond

    You cannot use a custom password during initial (zero touch) deployment. DHCP can be used to deliver a key to the device in this way.

    Ok. What are the options you have?

    You may use a configuration file compiled with SPC using the -target option. It encrypts the file using a password derived from each device's MAC, so you do not need to give a password to the device; the device can calculate the required password from its MAC. It provides just a basic level of security: an informed user, like me, knows the algorithm used for password generation, so they can calculate the password and decrypt the file.

    You can use HTTPS with mutual certificate authentication to deliver the configuration in XML or SPC form. All phones have a unique client certificate, so you can be sure that the request was issued by the device. It offers a high level of security.

    There are also a few other possibilities, but you disclosed no information about the goal you want to hit, so I can't list them.

    Just note that DHCP will answer anyone; in addition, the answer may be broadcast (therefore handed to anyone, even without a prior request). If you deliver critical data via DHCP, you can consider it publicly available. The resulting security is no security.

  • EzVPN between Cisco ASA 5505 (with NEM mode) and Cisco 881 Router

    Hi friends,

    I configured the Cisco ASA 5505 and the Cisco 881 router with DMVPN. 3 offices work very well but one office keeps failing. I did the same configuration for all facilities but this router does not work. Any ideas?

    Please find below the output of the Cisco 881 router:

    YF2_Tbilisi_router #.
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
    * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
    * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
    * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
    * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
    * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
    * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
    * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:31:47.805 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
    * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
    * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
    * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
    * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
    * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
    * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
    * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
    * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:32:48.913 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

    There is no DMVPN on the ASA. Whatever you have configured is either not compatible with the ASA or something other than DMVPN. At least the debug shows that there is some EzVPN involved.

    From the debug, it seems that there is no communication on UDP/500 possible between the devices. Maybe something is blocking it?
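The reasoning in the answer above (phase 1 packets go out, nothing comes back, the SA dies by retransmission) can be checked mechanically; this is an added example, not part of the original thread. The log lines are constructed in the usual IOS `debug crypto isakmp` wording rather than copied from the post, and the second peer 3.3.3.3 is invented for contrast.

```python
import re
from collections import defaultdict

SENT = re.compile(r"sending packet to ([\d.]+) my_port (\d+) peer_port (\d+)")
RECV = re.compile(r"received packet from ([\d.]+) dport (\d+) sport (\d+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEAD = re.compile(r'"Death by retransmission P1".*\(peer ([\d.]+)\)')


def sample_log():
    """Constructed debug output: 1.1.1.1 never answers, 3.3.3.3 does."""
    out = [
        "*Aug  4 09:31:47.809: ISAKMP:(0): beginning Aggressive Mode exchange",
        "*Aug  4 09:31:47.809: ISAKMP:(0): sending packet to 1.1.1.1 "
        "my_port 500 peer_port 500 (I) AG_INIT_EXCH",
    ]
    for n in range(1, 6):  # five retransmissions, ten seconds apart
        ts = f"*Aug  4 09:3{1 + (47 + 10 * n) // 60}:{(47 + 10 * n) % 60:02d}.809"
        out += [
            f"{ts}: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...",
            f"{ts}: ISAKMP (0): incrementing error counter on sa, "
            f"attempt {n} of 5: retransmit phase 1",
            f"{ts}: ISAKMP:(0): sending packet to 1.1.1.1 "
            "my_port 500 peer_port 500 (I) AG_INIT_EXCH",
        ]
    out += [
        '*Aug  4 09:32:47.809: ISAKMP:(0):deleting SA reason "Death by '
        'retransmission P1" state (I) AG_INIT_EXCH (peer 1.1.1.1)',
        "*Aug  4 09:33:00.100: ISAKMP:(0): sending packet to 3.3.3.3 "
        "my_port 500 peer_port 500 (I) AG_INIT_EXCH",
        "*Aug  4 09:33:00.180: ISAKMP (0): received packet from 3.3.3.3 "
        "dport 500 sport 500 Global (I) AG_INIT_EXCH",
    ]
    return "\n".join(out)


def analyse(log_text):
    """Per-peer counters of sent/received IKE packets and phase 1 deaths."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0,
                                 "max_attempt": 0, "p1_deaths": 0})
    current = None  # retransmit lines carry no peer; use the last one sent to
    for line in log_text.splitlines():
        if m := SENT.search(line):
            current = m.group(1)
            stats[current]["sent"] += 1
        elif m := RECV.search(line):
            stats[m.group(1)]["received"] += 1
        elif (m := ATTEMPT.search(line)) and current:
            s = stats[current]
            s["max_attempt"] = max(s["max_attempt"], int(m.group(1)))
        elif m := DEAD.search(line):
            stats[m.group(1)]["p1_deaths"] += 1
    return dict(stats)


def verdict(s):
    """Classify one peer's counters."""
    if s["p1_deaths"] and s["received"] == 0:
        # Nothing ever came back: filtering on UDP/500, wrong peer address,
        # or no IKE listener on the far side.
        return "no-reply"
    if s["p1_deaths"]:
        return "stalled-after-reply"  # peer answers, negotiation fails later
    return "ok"


if __name__ == "__main__":
    for peer, s in analyse(sample_log()).items():
        print(peer, s, verdict(s))
```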
