GRE tunnels will not come up on IPsec/GRE VPN
Hi all
We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPsec/GRE VPN tunnels. We use a basic template for creating the tunnels, so there is very little chance of a bad configuration on any one router. Remote sites use Cisco 831s, central sites use Cisco 2821s. There is one site where the tunnels just WILL NOT come up.
The routers are able to ping their public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping. There is no NATing involved; both routers access the Internet directly. The assorted show commands seem to indicate that the SAs are properly built, but from the logs it seems that the last part just doesn't finish, and the GRE tunnels just don't come up.
From the attached log file, it seems that both the IPsec and ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 completes @ 00:25:15.
00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:10:HW:2):Node 1891573546, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:11:HW:2):Node -1931380074, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50
I don't have the remote router log file, and it is very long, so I attached it. Before I captured the log file, I enabled IPsec and ISAKMP debugging and immediately cleared the SAs.
Assorted useful details and the corresponding show command output:
Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
There are 2 IPsec/GRE tunnel connections:
Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)
Site-382-831#sho ip int br
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet1    unassigned      YES unset  down     down
FastEthernet2    unassigned      YES unset  up       up
FastEthernet3    unassigned      YES unset  up       up
FastEthernet4    unassigned      YES unset  up       up
Ethernet0        10.3.82.10      YES NVRAM  up       up
Ethernet1        74.WW.XX.35     YES NVRAM  up       up
Ethernet2        172.16.1.10     YES NVRAM  up       up
Tunnel101        1.3.82.46       YES NVRAM  up       down     <====
Tunnel201        1.3.82.62       YES NVRAM  up       down     <====
NVI0             unassigned      NO  unset  up       up
Site-382-831#
Site-382-831#sho run int tunnel101
Building configuration...
Current configuration : 277 bytes
!
interface Tunnel101
 description % connected to the 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
end
Site-382-831#
Site-382-831#show crypto isakmp sa
dst             src             state      conn-id slot status
208.XX.YY.11    74.WW.XX.35     QM_IDLE         11    0 ACTIVE
208.YY.ZZ.11    74.WW.XX.35     QM_IDLE         10    0 ACTIVE
Site-382-831#
Site-382-831#
Site-382-831#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  11:2(hardware)
10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  10:2(hardware)
Site-382-831#
Site-382-831#
Site-382-831#show crypto ipsec sa
interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0
     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0x45047D1D(1157922077)
     inbound esp sas:
      spi: 0x15B97AEA(364477162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486831/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x45047D1D(1157922077)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486744/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0
     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0xE82A86BC(3895101116)
     inbound esp sas:
      spi: 0x539697CA(1402378186)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432595/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE82A86BC(3895101116)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432508/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
Site-382-831#
Site-382-831#
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Site-382-831#
Site-382-831#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Site-382-831#
Site-382-831#show crypto map
Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
        Description: to the 2nd KC BGP 2821 - PRI-B
        Peer = 208.YY.ZZ.11
        Extended IP access list PRI-B
            access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
        Current peer: 208.YY.ZZ.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
        Description: 2nd Dallas BGP 2821 - SEC-B
        Peer = 208.XX.YY.11
        Extended IP access list SEC-B
            access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
        Current peer: 208.XX.YY.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
        Interfaces using crypto map IPVPN_MAP:
                Ethernet1
Site-382-831#
The tunnel configuration between KC and the remote site is:
Remote c831 - KC
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
!
crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
 mode transport
!
crypto map IPVPN_MAP 101 ipsec-isakmp
 description to the 2nd KC BGP 2821 - PRI-B
 set peer 208.YY.ZZ.11
 set transform-set IPVPN
 match address PRI-B
!
interface Tunnel101
 description % connected to the 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
!
interface Ethernet0
 description private network
 ip address 10.3.82.10 255.255.255.0
 ip mtu 1500
 no shutdown
!
interface Ethernet1
 ip address 74.WW.XX.35 255.255.255.248
 ip mtu 1500
 duplex auto
 ip virtual-reassembly
 crypto map IPVPN_MAP
 no shutdown
!
ip access-list extended PRI-B
 permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
!
KC-2821
crypto isakmp key PRI-B-382 address 74.WW.XX.35
!
ip access-list extended PRI-B-382
 permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
!
crypto map IPVPN_MAP 382 ipsec-isakmp
 description % connected to the 2nd KC BGP 2821
 set peer 74.WW.XX.35
 set transform-set IPVPN
 match address PRI-B-382
!
interface Tunnel382
 description %.
 ip address 1.3.82.45 255.255.255.252
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip mtu 1400
 delay 40000
 tunnel source 208.YY.ZZ.11
 tunnel destination 74.WW.XX.35
!
end
Any help would be much appreciated!
Mark
Hello
In the logs on Site-382-831, I only see encrypts but no decrypts. Could you check the corresponding entry on the peer and see if it has any issues sending return traffic?
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Kind regards
Averroès.
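The check suggested in the reply above, as an added example (not code from the thread): it parses two `show crypto ipsec sa` captures taken some time apart and labels each peer by how its encaps/decaps counters moved. The sample text, the documentation-range addresses, the second peer and the names `parse_ipsec_sa`, `classify` and `min_delta` are constructed for illustration; only the first peer's counter values mirror the ones quoted in the thread.

```python
import re

# Constructed sample (not the poster's capture): two peers in the IOS
# "show crypto ipsec sa" layout, using documentation-range addresses.
TEMPLATE = """\
interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 203.0.113.35

   local  ident (addr/mask/prot/port): (203.0.113.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.11/255.255.255.255/47/0)
   current_peer 198.51.100.11 port 500
    #pkts encaps: {a_enc}, #pkts encrypt: {a_enc}, #pkts digest: {a_enc}
    #pkts decaps: {a_dec}, #pkts decrypt: {a_dec}, #pkts verify: {a_dec}
    #send errors 21, #recv errors 0

   local  ident (addr/mask/prot/port): (203.0.113.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.75/255.255.255.255/47/0)
   current_peer 198.51.100.75 port 500
    #pkts encaps: {b_enc}, #pkts encrypt: {b_enc}, #pkts digest: {b_enc}
    #pkts decaps: {b_dec}, #pkts decrypt: {b_dec}, #pkts verify: {b_dec}
    #send errors 0, #recv errors 0
"""
SNAPSHOT_1 = TEMPLATE.format(a_enc=2333, a_dec=0, b_enc=5120, b_dec=4988)
SNAPSHOT_2 = TEMPLATE.format(a_enc=2397, a_dec=0, b_enc=5190, b_dec=5061)

IDENT_RE = re.compile(r"ident \(addr/mask/prot/port\): \([^/]+/[^/]+/(\d+)/\d+\)")
PEER_RE = re.compile(r"current_peer\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Map each current_peer to its IP protocol number and packet counters.

    Simplification: one flow per peer; a later block for the same peer
    replaces the earlier one.
    """
    flows, proto, cur = {}, None, None
    for line in text.splitlines():
        ident = IDENT_RE.search(line)
        peer = PEER_RE.search(line)
        if ident:
            proto = int(ident.group(1))      # 47 = GRE, as in the thread
        elif peer:
            cur = flows[peer.group(1)] = {
                "proto": proto, "encaps": 0, "decaps": 0,
                "send_errors": 0, "recv_errors": 0,
            }
        elif cur is not None:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
            errs = ERR_RE.search(line)
            if errs:
                cur["send_errors"], cur["recv_errors"] = map(int, errs.groups())
    return flows


def classify(before, after, min_delta=10):
    """Label each peer by how its counters moved between two snapshots."""
    verdicts = {}
    for peer, new in after.items():
        old = before.get(peer, {"encaps": 0, "decaps": 0})
        sent = new["encaps"] - old["encaps"]
        rcvd = new["decaps"] - old["decaps"]
        if sent < 0 or rcvd < 0:
            verdicts[peer] = "counters-reset"   # SAs cleared between captures
        elif sent == 0 and rcvd == 0:
            verdicts[peer] = "idle"
        elif rcvd == 0 and sent >= min_delta:
            # Local side keeps encrypting, nothing is decrypted: return
            # traffic is not arriving, so check the far end and the path.
            verdicts[peer] = "outbound-only"
        elif sent == 0 and rcvd >= min_delta:
            verdicts[peer] = "inbound-only"
        elif sent > 0 and rcvd > 0:
            verdicts[peer] = "bidirectional"
        else:
            verdicts[peer] = "inconclusive"     # too few packets to judge
    return verdicts


if __name__ == "__main__":
    first = parse_ipsec_sa(SNAPSHOT_1)
    second = parse_ipsec_sa(SNAPSHOT_2)
    for peer, verdict in classify(first, second).items():
        print(f"{peer}: {verdict} (send errors: {second[peer]['send_errors']})")
```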
Tags: Cisco Security
Similar Questions
-
Static L2L Tunnel - will not come up
Hi all
I currently have a very big problem with a site that I can't get to at the moment.
We have one HUB ASA5505 SEC+ and a few other ASAs connected via L2L VPN. We have 1 active static L2L, 1 active dynamic L2L, and I am currently trying to add a second static L2L tunnel.
I checked that each WAN interface can ping the other, and both devices have full internet connectivity. There is no double NAT or content filtering. I noticed that my Cisco remote access VPN client will not properly connect through the ASA despite full internet connectivity, but when I connected directly to a modem, I was able to connect properly. So apparently the ISP isn't blocking IPsec traffic as far as I KNOW.
Static2 currently uses a temporary license from TAC since our license is still pending arrival, but show version shows that all VPN/3DES features are enabled.
Here are the configs:
hostname ASA5505-HUB
domain-name xxxxxxx.local
enable password xxxxxxxxxxx
names
name 192.168.9.50 xxxxxxxxx
name 192.168.9.51 xxxxxxxxx description xxxxxxxxxx
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxx 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.9.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxxxxxxxxx
 name-server xxxxxxxxxxxxxxx
 domain-name xxxxxxxxxxxx.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 extended permit icmp any any
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_static1 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list to_static2 extended permit ip 192.168.0.0 255.255.0.0 192.168.16.0 255.255.255.0    <--- this is the problem
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RA-pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 75.146.188.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address to_static1
crypto map outside_map 10 set peer xxxxxxxxxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address to_static2
crypto map outside_map 11 set peer xxxxxxxxxxxxx    <--- problem
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.101-192.168.9.199 inside
dhcpd dns 192.168.9.2 xxxxxxxxxxx interface inside
dhcpd domain xxxxxxxxx.local interface inside
dhcpd option 66 ip xxxxxxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect sip default_sip
 parameters
  max-forwards-validation action drop log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect rtsp
  inspect sip default_sip
!
service-policy global_policy global
group-policy xxxxx-RA internal
group-policy xxxxx-RA attributes
 dns-server value 192.168.9.2 xxxxxxxxxxxxx
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value xxxxxxxxx.local
 nem enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group xxxxx-RA type remote-access
tunnel-group xxxxxx-RA general-attributes
 address-pool RA-pool
 default-group-policy xxxxx-RA
tunnel-group xxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group STATIC2_WANIP type ipsec-l2l    <--- problem
tunnel-group STATIC2_WANIP ipsec-attributes
 pre-shared-key *
tunnel-group STATIC1_WANIP type ipsec-l2l
tunnel-group STATIC1_WANIP ipsec-attributes
 pre-shared-key *
prompt hostname context
and...
hostname ASA5505-STATIC2
domain-name xxxxxxxx.local
enable password XXXXXX
passwd xxxxxxxxxxx
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport trunk allowed vlan 1-2
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address xxxxxxxxxxx 255.255.254.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxxxxxxxxx
 name-server xxxxxxxxxx
 domain-name xxxxxxxxxx.local
access-list to_hq extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
mtu dmz 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cmap1 10 match address to_hq
crypto map cmap1 10 set peer xxxxxxxxxxxxxx
crypto map cmap1 10 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.9.2 xxxxxxxxxxxx
!
dhcpd address 10.10.0.100-10.10.0.199 dmz
dhcpd lease 10800 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.16.101-192.168.16.131 inside
dhcpd lease 10800 interface inside
dhcpd domain xxxxxxxxxx.local interface inside
dhcpd option 66 ip 192.168.9.50 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group HUB_WANIP type ipsec-l2l
tunnel-group HUB_WANIP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Any help is appreciated
Hello
It seems to me that the ASA named STATIC2-ASA5505 lacks some essential VPN-related configuration.
The crypto map is not attached to any interface
Configure this
crypto map cmap1 interface outside
ISAKMP is not enabled on any interface
Configure this
crypto isakmp enable outside
Hope this helps
-Jouni
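The two omissions named in the answer above can be checked mechanically before a change goes out. This is an added example, not code from the thread: a small audit of ASA 8.x style configuration text for static L2L crypto maps, where the sample excerpts, the documentation-range peer addresses and the function name `audit_l2l` are constructed for illustration.

```python
import re

# Constructed excerpts in ASA 8.x syntax, modelled on the two configs in the
# thread; peer addresses are documentation-range placeholders.
SPOKE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map cmap1 10 match address to_hq
crypto map cmap1 10 set peer 192.0.2.1
crypto map cmap1 10 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
tunnel-group 192.0.2.1 type ipsec-l2l
"""
HUB_CONFIG = """\
crypto map outside_map 11 match address to_static2
crypto map outside_map 11 set peer 192.0.2.2
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
"""

ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set)\b", re.M)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
IKE_RE = re.compile(r"^crypto isakmp enable (\S+)", re.M)
REQUIRED = ("match address", "set peer", "set transform-set")


def audit_l2l(config):
    """Return findings about how static crypto map entries are wired up."""
    entries = {}
    for name, seq, kind in ENTRY_RE.findall(config):
        entries.setdefault((name, int(seq)), set()).add(kind)
    if not entries:
        return []                      # no static L2L entries to audit

    bound = dict(BIND_RE.findall(config))       # map name -> interface
    ike_ifaces = set(IKE_RE.findall(config))    # interfaces with ISAKMP on
    findings = []

    # Each sequence number needs a proxy ACL, a peer and a transform set.
    for (name, seq), kinds in sorted(entries.items()):
        for kind in REQUIRED:
            if kind not in kinds:
                findings.append(f"crypto map {name} {seq}: missing '{kind}'")

    # A map that is never applied to an interface does nothing.
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            findings.append(f"crypto map {name}: not applied to any interface")

    # Without ISAKMP on the interface carrying the map, phase 1 cannot
    # start there.
    if not ike_ifaces:
        findings.append("ISAKMP is not enabled on any interface")
    else:
        for name, iface in sorted(bound.items()):
            if iface not in ike_ifaces:
                findings.append(
                    f"crypto map {name}: ISAKMP not enabled on interface {iface}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("spoke", SPOKE_CONFIG), ("hub", HUB_CONFIG)):
        print(label, audit_l2l(cfg) or "ok")
```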
-
Site to Site VPN tunnel does not come up between 2 routers
Dear all,
I have 2 branch routers which are configured for site-to-site VPN, but the tunnel does not come up!
I ran debug and I enclose herewith the output for your kind review and recommendation. I also enclose here the configs of the 2 branch routers.
Any idea why the site-to-site VPN is not coming up?
Kind regards
Haitham
You guessed it!
Just because you have re-used the same crypto map for LAN-to-LAN and VPN-client traffic.
This is from the DOC CD
no-xauth
(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).
-
MY IPAD WILL NOT COME BECAUSE I MADE THE UPDATE YESTERDAY?
If you are sure that the device is charged, then press and hold the Home and Sleep/Wake buttons until you see the Apple logo, and then release. It could take up to 30 seconds.
-
Internet Explorer will not come up. My router says 54 Mbps Excellent, but I can't get on the internet. A Diagnose the problem button appears. When I run it, it says that my router is not working. I have wifi and my friend has the router and its connection is good. I also have a propellant that works great too.
Can you get far enough in IE to access the Tools Menu? If so try clicking Tools | Internet Options | Advanced and clicking the reset button.
-B-
http://www.officeforlawyers.com | http://www.OneNote-tips.com
Author: Guide to counsel for Microsoft Outlook -
I updated Adobe and now Windows Vista will not come up!
I was doing something that requires Adobe 9 or higher, so I updated to 10. Now my main screen will not come up. I can't do any of the troubleshooting suggestions because I can't get to my computer at all. I validated and it says windows Pascal more send activationsetc. and I can't update because I can't.
Try to start in safe mode (press F8 immediately and repeatedly after Power Up Self Test and before Windows starts) and uninstall Adobe Reader X. Then try to restart normally.
-
Color Laserjet CP5525 will not come to Ready
The printer will not come to Ready and the error log has 49.2F. E3. From what I could find, this is a firmware error. But how do I update the firmware if the printer will not come to Ready?
It ended up being the firmware. I had to replace the formatter because I couldn't get a Ready status to update the firmware. Printer works fine. Thank you
-
My Dell is power saving mode and will not come out
My Dell is power saving mode and will not come out? Any suggestions? I can't get anything else than a screen that says it is in power save mode and press a key or move the mouse. No one who does nothing. Don't disconnect.
Hi Ma32206,
Dell monitors will automatically enter power-saving mode after a predetermined amount of time when the computer is idle. The Dell monitor will go completely black, rather than display a screen saver. This allows your monitor to essentially turn off until it is needed again.
A. Press any key on the keyboard or move the mouse. Either will automatically turn off the power-saving mode. Alternatively, you can press the power button on your Dell computer tower or laptop.
B. Press a button a second time if the monitor goes from power-saving mode to standby mode. Standby mode allows the screen saver to appear.
Bindu R - Microsoft technical support.
Visit our Microsoft answers feedback Forum and let us know what you think. -
Windows Security will not come up
lost all my programs, firewall windows, I click on the setting change a white screen rises then real quick stop... click on Security Center, c:\windows]system32\run1132.exe comes up and said parameter is in good... lost my windows live sign on... my norton will not come up... i think I may have been hacked into
It seems that your system has been infected:
Perform a Malwarebytes scan:
http://www.Malwarebytes.org/ recommended
then perform a scan using
a-squared Emergency USB Stick files http://www.emsisoft.com/en/software/download/
After that, make sure that your system is free of viruses:
http://www.Avira.com/en/download/index.php
If you can not install anti virus Software, then try to scan online
http://housecall.trendmicro.com/UK/
and spyware:
http://www.systweak.com/AntiSpyware/
http://www.SurfRight.nl/en/downloads/ recommended
-
1130ag WLAN AP interface will not come up?
Hi all
For the first time, I installed a 1130ag and I can't bring up the wireless/radio interface?
I have connected to it via http at the moment and have tried to enable the radio via the GUI, but it does not come up? (It normally comes up this way with the 1200s)
Can anyone suggest anything?
Thank you very much
Nathan.
UK.
Have you defined an SSID? If you have not, the radio will not come up.
-
Windows Media Player will not come
Windows Media Player will not come
In the Search box, type or copy and paste the following command and press the Enter key.
"%programfiles%\Windows media player\wmplayer.exe".
If the above doesn't help, try a system restore - select any restore point when it did not have this problem.
-
Dell 1230c do not - print jobs go to the queue printing but will not come to buffer
Dell 1230c do not - print jobs go to the queue printing but will not come to buffer
Hey Joe,
Try duration to remove print jobs to remove Job feel stuck in the queue, and then restart your computer.
Also refer to:
Cancel printing
Maybe you have that impression break.
View, pause, or cancel printing
You can also see the troubleshooting steps in Dell for Dell printers.
Please post back with the State of the question.
-
Variables will not come through mailer
I have a php mailer on my site mortgagemaestro.net and variables will not come through when I send the form to any computer but mine. I just get a blank form in my email.
Here are the two codes
Thanks for any help
stop();
var b1Load:LoadVars = new LoadVars();
var receiveLoad:LoadVars = new LoadVars();
this.b1.onRelease = function() {
    // Require e-mail, name and home phone before submitting
    if (theEmail.text == null || theEmail.text == "" || theName.text == null || theName.text == "" || homePhone.text == null || homePhone.text == "") {
        gotoAndStop("error");
    } else {
        b1Load.theName = theName.text;
        b1Load.homePhone = homePhone.text;
        b1Load.workPhone = workPhone.text;
        b1Load.theEmail = theEmail.text;
        b1Load.theAddress = theAddress.text;
        b1Load.theCity = theCity.text;
        b1Load.theState = theState.text;
        b1Load.theZip = theZip.text;
        b1Load.theCall = theCall.text;
        b1Load.sendAndLoad("http://www.mortgagemaestro.net/lib/phpmailer/email.php", receiveLoad);
        getURL("http://l-h1.com/richard_white_lending/destpage/thankyou.php", "_self");
    }
};
<?php
require("class.phpmailer.php");
$mail = new PHPMailer();
$mail->IsSMTP(); // send via SMTP
$mail->Host = "mail.mortgagemaestro.net"; // SMTP servers
$mail->SMTPAuth = true; // enable SMTP authentication
$mail->Username = "[email protected]"; // SMTP username
$mail->Password = "32bf1a3"; // SMTP password
$mail->From = "[email protected]";
$mail->FromName = "drive";
$mail->AddAddress("[email protected]");
$mail->Subject = "Mortgage Maestro lead";
$mail->Body = "Name: ";
$mail->Body .= $_POST['theName'];
$mail->Body .= "\nEmail: ";
$mail->Body .= $_POST['theEmail'];
$mail->Body .= "\nHomePhone: ";
$mail->Body .= $_POST['homePhone'];
$mail->Body .= "\nWorkPhone: ";
$mail->Body .= $_POST['workPhone'];
$mail->Body .= "\nAddress: ";
$mail->Body .= $_POST['theAddress'];
$mail->Body .= "\nCity: ";
$mail->Body .= $_POST['theCity'];
$mail->Body .= "\nState: ";
$mail->Body .= $_POST['theState'];
$mail->Body .= "\nZip: ";
$mail->Body .= $_POST['theZip'];
$mail->Body .= "\nCall: ";
$mail->Body .= $_POST['theCall'];
if (!$mail->Send())
{
    echo "Message was not sent <p>";
    echo "Mailer Error: " . $mail->ErrorInfo;
    exit;
}
echo "Message has been sent";
?>
OK, here it is in case anyone ever has this problem. I changed all the instance names, such as theCall and theName, to variables. To do this, change it in the field titled Var: in the lower right corner of the Properties panel. I also changed the form to the POST method and made my form a movie clip called sendWork.
Well, here are the scripts.
I'm still having a problem with my if statements. They stopped working after I changed everything to variables. It would still send me to the error screen that I put in place even when I had all of the information entered. I know it's because they are implemented by using the instance names (see the script above), but when I say that everything will work smooth, if all goes well
stop();
this.b1.onRelease = function() {
    sendWork.loadVariables("email.php", "POST");
    getURL("http://l-h1.com/richard_white_lending/destpage/thankyou.php", "_self");
};
<?php
require("class.phpmailer.php");
$mail = new PHPMailer();
$mail->IsSMTP(); // send via SMTP
$mail->Host = "mail.mortgagemaestro.net"; // SMTP servers
$mail->SMTPAuth = true; // enable SMTP authentication
$mail->Username = "[email protected]"; // SMTP username
$mail->Password = "32bf1a3"; // SMTP password
$mail->From = "[email protected]";
$mail->FromName = "drive";
$mail->AddAddress("[email protected]");
$mail->Subject = "Mortgage Maestro lead";
$mail->Body = "Name: ";
$mail->Body .= $_POST['theName'];
$mail->Body .= "\nEmail: ";
$mail->Body .= $_POST['theEmail'];
$mail->Body .= "\nHomePhone: ";
$mail->Body .= $_POST['homePhone'];
$mail->Body .= $_POST['homePhone02'];
$mail->Body .= $_POST['homePhone03'];
$mail->Body .= "\nWorkPhone: ";
$mail->Body .= $_POST['workPhone'];
$mail->Body .= $_POST['workPhone02'];
$mail->Body .= $_POST['workPhone03'];
$mail->Body .= "\nAddress: ";
$mail->Body .= $_POST['theAddress'];
$mail->Body .= "\nCity: ";
$mail->Body .= $_POST['theCity'];
$mail->Body .= "\nState: ";
$mail->Body .= $_POST['theState'];
$mail->Body .= "\nZip: ";
$mail->Body .= $_POST['theZip'];
$mail->Body .= "\nCall: ";
$mail->Body .= $_POST['theCall'];
if (!$mail->Send())
{
    echo "Message has not been sent.";
    echo "Mailer Error: " . $mail->ErrorInfo;
    exit;
}
-
IPSec tunnel does not come up between two ASA-5540s.
I've included the relevant configuration lines of the two ASA-5540s that I'm trying to set up a LAN-to-LAN tunnel between. The first few lines show the messages that are generated when I try to ping another host on each side.
Did I miss something that will prevent the tunnel from coming up?
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10.1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10.1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10.1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10.1.147, Removing peer from peer table failed, no match!
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10.1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10.1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.1.147 local Proxy Address 10.10.1.135, remote Proxy Address 10.10.1.155, Crypto map (outside_map0)
ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10.1.135 GHC_Laptop description to test the VPN
name 10.10.1.155 SunMed_pc description to test the VPN
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.129 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10.1.152 255.255.255.248 10.10.1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10.1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.147 type ipsec-l2l
tunnel-group 10.10.1.147 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-A#
----------------------------------------------------------
ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10.1.135 GHC_laptop
name 10.10.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 10.10.1.145 type ipsec-l2l
tunnel-group 10.10.1.145 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-B#
On the ASA ROC-ASA5540-B, you have "isakmp enable inside"; it should be "isakmp enable outside".
Please reconfigure the ASA and let me know how it goes.
Kind regards
Arul
* Please note the useful messages *.
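The reply above comes down to one rule: ISAKMP has to be enabled on the interface that carries the crypto map. The following Python check is an added example, not part of the original thread; its two inputs are constructed from the tunnel-relevant lines of the configs posted above, and `parse`, `audit` and `audit_pair` are hypothetical helper names.

```python
import re

# Constructed input: tunnel-relevant lines of the two posted configs, in ASA syntax.
ASA_A = """\
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.145 255.255.255.248
crypto map outside_map0 2 set peer 10.10.1.147
crypto map outside_map0 interface outside
crypto isakmp enable outside
"""
ASA_B = """\
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10.1.147 255.255.255.248
crypto map outside_map2 1 set peer 10.10.1.145
crypto map outside_map2 interface outside
crypto isakmp enable inside
"""

def parse(cfg):
    """Pull the facts an L2L tunnel depends on out of one running-config."""
    find = lambda rx: re.findall(rx, cfg, re.M)
    return {
        "addr": dict(find(r"^ nameif (\S+)\n(?: .*\n)*? ip address (\S+)")),
        "map_if": set(find(r"^crypto map \S+ interface (\S+)")),
        "ike_if": set(find(r"^crypto isakmp enable (\S+)")),
        "peer": set(find(r"^crypto map \S+ \d+ set peer (\S+)")),
    }

def audit(name, local, remote):
    """Findings for one ASA, checked against the other side's config."""
    out = [f"{name}: crypto map on '{i}' but ISAKMP not enabled there"
           for i in sorted(local["map_if"] - local["ike_if"])]
    out += [f"{name}: ISAKMP enabled on '{i}', which has no crypto map"
            for i in sorted(local["ike_if"] - local["map_if"])]
    remote_ends = {remote["addr"].get(i) for i in remote["map_if"]}
    out += [f"{name}: peer {p} is not the remote crypto-map interface address"
            for p in sorted(local["peer"] - remote_ends)]
    return out

def audit_pair(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return audit("A", a, b) + audit("B", b, a)

if __name__ == "__main__":
    print("\n".join(audit_pair(ASA_A, ASA_B)) or "no findings")
```

Run against the two samples, it reports both findings on side B and none on side A, which matches the Phase 1 retransmits seen from the initiator.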
-
I have two monitors and Firefox will not come up on the screen.
When I try to open Firefox it will not load on either screen. It looks like it's trying to go to the secondary screen, but is not visible. The OS is Windows 7 Home Premium Service Pack 1. Firefox version 37.0.1
Thanks for your help.
Jerry
Do you get a sticker or other indication on the Windows task bar that there is a Firefox window "somewhere", but it is not visible anywhere?
If there is a tile (or a window title above the Firefox button in the task bar):
The Firefox window sometimes opens off screen. If you have a multiple monitor configuration, make sure that both monitors are on. Other users have reported that sometimes Firefox acts strangely while the second monitor is turned off. You mentioned that both monitors are on in your case.
In all other cases: you can often force the Firefox window to be displayed on the screen by double clicking on the thumbnail image just above the taskbar and choosing expand. Does it work?
A possible cause for this is that the file that stores the window positions and sizes is corrupt.
Method #1: If you can get a zoomed window:
Open the current Firefox settings folder (AKA Firefox profile) using one of:
- "3-bar" menu button > "?" button > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter
In the first table of the page, click on the "view file" button. This should launch a new window that lists the various files and folders in Windows Explorer.
Leave this window open, switch back to Firefox and exit, either:
- "3-bar" menu button > "power" button
- (menu bar) File > Exit
Pause while Firefox finishes its cleanup, then rename xulstore.json to something like xulstore.old. If you see a file named localstore.rdf, rename this to localstore.old as well.
Launch Firefox back up again. Do windows appear normally again?
Method #2: If you cannot get a Firefox window at all:
Close Firefox by right clicking the icon in the taskbar > close all windows.
Using the Run dialog box (Windows key + R) or the search in the Start menu (or, in Windows 8, maybe the Charms bar search?), type or paste the following and press Enter to drill down to the profiles folder:
%APPDATA%\Mozilla\Firefox\Profiles
Here you may see one folder, in which case double-click it, or more than one, in which case double-click the one that looks like the most recently updated.
Scroll down and rename xulstore.json to something like xulstore.old. If you see a file named localstore.rdf, rename this to localstore.old as well.
Launch Firefox back up again. Do windows appear normally again?