IPsec packets are not encrypted
Hello (and Happy Thanksgiving in the USA),
We recently replaced our ASA and re-applied the saved configuration to the new device. There is a site-to-site VPN that works and a remote-access VPN client that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients. I compared the config of the new ASA to that of the old ASA and I can't find any differences (but the remote client VPN was working on the old ASA). Remote clients connect and a tunnel is created, but they are unable to pass traffic. Systems on the network behind the ASA are able to access the internet.
Output of show crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN):

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: xx.168.155.98
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: xx.211.206.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Output of show crypto ipsec sa (site-to-site VPN info removed). Packets are being decrypted but not encrypted.

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 7E0BF9B9
      current inbound spi : 41B75CCD

    inbound esp sas:
      spi: 0x41B75CCD (1102535885)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28776
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xC06BF0DD (3228299485)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFF80001
    outbound esp sas:
      spi: 0x7E0BF9B9 (2114714041)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xCBF945AC (3422111148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28772
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA config:

: Saved
: Written by me at 19:56:37.957 PST Tue Nov 26 2013
!
ASA Version 8.2(4)
!
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox gateway
name 172.16.10.0 iscsi-network description iscsi network
name 192.168.1.0 legacy-network description legacy network
name 10.20.50.0 management-network description management network
name 10.20.10.0 server-network description server network
name 10.20.20.0 user-network description user network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private mitel 3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public mitel 3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-gateway description private-gateway
name 192.168.1.96 private-remote-support description private-remote-support
!
interface Ethernet0/0
 nameif public
 security-level 0
 ip address public-ip 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif private
 security-level 100
 ip address private-gateway 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name mills.int
object-group service ftp
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
 group-object ftp
 service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 40
 port-object eq ssh
object-group service web-server
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq smtp
 group-object web-server
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq ssh
 group-object web-server
object-group service kaseya
 service-object tcp eq 4242
 service-object tcp eq 5721
 service-object tcp eq 8080
 service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
 group-object kaseya
 group-object web-server
object-group service DM_INLINE_SERVICE_5
 service-object gre
 service-object tcp eq pptp
object-group service VPN
 service-object gre
 service-object esp
 service-object ah
 service-object tcp eq pptp
 service-object udp eq 4500
 service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
 network-object 10.20.1.0 255.255.255.0
 network-object server-network 255.255.255.0
 network-object user-network 255.255.255.0
 network-object management-network 255.255.255.0
 network-object legacy-network 255.255.255.0
object-group service InterTel5000
 service-object tcp range 3998 3999
 service-object tcp range 6800 6802
 service-object udp eq 20001
 service-object udp range 5004 5007
 service-object udp range 50098 50508
 service-object udp range 6604 7039
 service-object udp eq bootpc
 service-object udp eq tftp
 service-object tcp eq 4000
 service-object tcp eq 44000
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq 5566
 service-object udp eq 5567
 service-object udp range 6004 6603
 service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq 2001
 service-object tcp eq 2004
 service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq https
 service-object tcp eq ssh
object-group service RevProxy tcp
 description RevProxy
 port-object eq 5500
object-group service XenDesktop tcp
 description Xen
 port-object eq 8080
 port-object eq 2514
 port-object eq 2598
 port-object eq 27000
 port-object eq 7279
 port-object eq 8000
 port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list error-events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Admin-Control
  map-name  comment Privilege-Level
ldap attribute-map Allow-Dialin
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map Mills-VPN_Users
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map Network-Admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf FALSE NOACCESS
  map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
 nt-auth-domain-controller auth-ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
 server-port 389
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Network-Admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya community ***** version 2c
snmp-server location Mills - San Diego
snmp-server contact Mills Helpdesk
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
 enable public
 svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
 wins-server value 10.20.10.1
 dns-server value 10.20.10.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Users_SplitTunnelAcl
 default-domain value mills.int
 address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
 vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
 address-pool VPN_Users
 authentication-server-group Mills_NetAdmin
 default-group-policy IPSecUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
 default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
 pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
 default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
 pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
 default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazed from looking at it for too long. Does something seem wrong? Maybe I missed a command that would not appear in the config?
Thanks in advance to those who take a look.
We see that the echo request is sent but there is no echo reply. This seems to be a routing problem between the ASA and the host you are trying to ping. You can check the routing so that traffic to the 10.20.1.0 network is routed to the ASA. If there is no other routing device, make sure that the default gateway is correct on the host you are trying to reach.
If you are trying to ping a Windows machine, make sure that the Windows firewall is disabled or allows ICMP.
--
Please do not forget to rate and mark correct answers.
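The counters in the post tell the story on their own: #pkts decaps climbs while #pkts encaps stays at 0, so the client's packets are decrypted and forwarded, but nothing ever comes back to the crypto map. On an ASA 8.2 that is almost always a return-path problem, and the two things to verify first are that the pool addresses are exempt from NAT (the nat 0 access-list) and that, when the pool is carved out of the inside interface's own subnet as it is here (10.20.1.100-110 inside 10.20.1.0/24), the ASA is allowed to proxy-ARP for those addresses on that interface, since inside hosts ARP for a client address directly and a 'sysopt noproxyarp' on that interface leaves that ARP unanswered. The script below is an added example, not code from the thread or from Cisco; it parses constructed samples modelled on the posted show output and config, with the public addresses replaced by documentation ranges (203.0.113.98 for public-ip, 198.51.100.48 for the client) and the 'name' aliases resolved to addresses, and reports one-way SAs and those two config conditions.

```python
"""Triage for a remote-access IPsec SA that decrypts but never encrypts (ASA 8.2 syntax).

Added example, not code from the original thread. The samples are constructed from the
show output and config posted above, with public addresses replaced by documentation ranges.
"""
import ipaddress
import re

# Constructed sample, abridged from the 'show crypto ipsec sa' output in the post.
SAMPLE_IPSEC_SA = """\
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.98

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: 198.51.100.48, username: me
      dynamic allocated peer ip: 10.20.1.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

# Constructed sample of the config lines that decide where return traffic goes.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif private
 security-level 100
 ip address 10.20.1.1 255.255.255.0
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 192.168.2.0 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
nat (private) 0 access-list private_nat0_outbound
sysopt noproxyarp private
"""

IP = r"\d+\.\d+\.\d+\.\d+"


def parse_ipsec_sas(text):
    """One dict per 'Crypto map tag' block: peer, assigned address, encaps/decaps counters."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        peer = re.search(r"current_peer: (%s)" % IP, block)
        if not peer:
            continue
        assigned = re.search(r"dynamic allocated peer ip: (%s)" % IP, block)
        encaps = re.search(r"#pkts encaps: (\d+)", block)
        decaps = re.search(r"#pkts decaps: (\d+)", block)
        sas.append({
            "peer": peer.group(1),
            "assigned_ip": assigned.group(1) if assigned else None,
            "encaps": int(encaps.group(1)) if encaps else 0,
            "decaps": int(decaps.group(1)) if decaps else 0,
        })
    return sas


def one_way_sas(sas):
    """SAs that receive packets but send none: the client talks, the ASA never answers."""
    return [sa for sa in sas if sa["decaps"] > 0 and sa["encaps"] == 0]


def parse_config(text):
    """Extract the pool, interface subnets, nat 0 exemption destinations and noproxyarp interfaces."""
    cfg = {"pool": None, "interfaces": {}, "nat0_dst": [], "noproxyarp": set()}
    acls, nameif, nat0_acl = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (%s) (%s)" % (IP, IP), line)) and nameif:
            cfg["interfaces"][nameif] = ipaddress.ip_network("%s/%s" % m.groups(), strict=False)
        elif m := re.match(r"ip local pool \S+ (%s)-(%s)" % (IP, IP), line):
            cfg["pool"] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif m := re.match(r"access-list (\S+) extended permit ip .* (%s) (%s)$" % (IP, IP), line):
            # destination network of a permit rule, keyed by ACL name
            acls.setdefault(m.group(1), []).append(
                ipaddress.ip_network("%s/%s" % (m.group(2), m.group(3)), strict=False))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acl = m.group(1)
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            cfg["noproxyarp"].add(m.group(1))
    cfg["nat0_dst"] = acls.get(nat0_acl, [])
    return cfg


def check_pool(text):
    """Reasons inside hosts' replies to pool addresses might never reach the crypto map."""
    cfg = parse_config(text)
    if cfg["pool"] is None:
        return ["no 'ip local pool' found"]
    first, last = cfg["pool"]
    hosts = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    findings = []
    # 1. Every pool address must be matched by the nat 0 ACL, otherwise replies are
    #    translated towards the public side instead of being handed to the crypto map.
    missing = [str(h) for h in hosts if not any(h in net for net in cfg["nat0_dst"])]
    if missing:
        findings.append("pool addresses not exempt from NAT: " + ", ".join(missing))
    # 2. A pool inside an interface's own subnet needs the ASA to proxy-ARP for it there;
    #    'sysopt noproxyarp' on that interface leaves inside hosts' ARP requests unanswered.
    for name, net in cfg["interfaces"].items():
        if (first in net or last in net) and name in cfg["noproxyarp"]:
            findings.append("pool %s-%s lies inside %s (%s) but 'sysopt noproxyarp %s' is set"
                            % (first, last, name, net, name))
    return findings


if __name__ == "__main__":
    for sa in one_way_sas(parse_ipsec_sas(SAMPLE_IPSEC_SA)):
        print("one-way SA: peer %(peer)s as %(assigned_ip)s, decaps=%(decaps)d encaps=%(encaps)d" % sa)
    for finding in check_pool(SAMPLE_CONFIG):
        print("config:", finding)
```

Run against the real `show crypto ipsec sa` and `show running-config` text (with the `name` aliases expanded) the same two functions apply unchanged; on the sample the NAT exemption check passes because 10.20.1.96/28 covers the whole pool, and the only finding is the proxy-ARP one, which is exactly the condition a packet capture on the inside interface would show as unanswered ARP requests for the client address.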
Tags: Cisco Security
Similar Questions
-
How do I configure Thunderbird to send messages unencrypted unless I want them encrypted?
I have Thunderbird set up with Gmail, Enigmail and gpg4win 2.2.3 on a Windows 7 64-bit operating system. I went through the Enigmail setup wizard and unchecked 'encrypt by default', but it still sends encrypted e-mail. What am I not doing?
Thanks for the help.
Dave
Yes, I chose the convenient encryption settings. In fact, I tried both, just to be sure, but thank you. You're in the right area and I found a way, but I'm not sure it's the best way, so if someone knows a better way please let me know. In Thunderbird, click Tools, click Account Settings, click OpenPGP Security, then uncheck "Encrypt messages by default", clear "Sign messages by default" and then restart Thunderbird. I don't know if it's the best and fastest way, but it sends the message unencrypted, until someone tells us an easier way. I think the key is that you do all of this through the Thunderbird Tools tab and there is no need to touch the settings in Enigmail or gpg4win. Thank you.
Dave -
Encryption and www pictures work in IE.
You no longer see the favicon for the site in the address bar, but you now see an icon that indicates what type of connection you have.
With a normal unencrypted HTTP connection, you see:
- This website does not supply identity information.
- Your connection to this website is not encrypted.
Only an encrypted HTTPS connection can provide additional information.
The change was made for security reasons, to prevent websites from spoofing the favicon as a padlock icon. See the Site Identity Button:
-
Hello!
At the end of my second day of trial and error, I put this question on the table:
I use the ArrayToChannels function to store ADO recordsets as channels. What is strange is that for the first recordset it works, but for the next time through the loop it always fails with the error message 'cannot be added because the channels of the target are not all the same length'.
I confirmed that:
the RowData sizes and the ChannelNames are equal,
both pass the IsArray = True test,
I changed the order of the ChannelNames,
I have reconnected/disconnected from the oConnection every time, nothing has changed.
Apparently I'm missing something, but it is driving me crazy not knowing what! If anyone can share their opinion I will appreciate it so much. Here is my code:

' Tables to import, one DIAdem channel group per table
oTables = Array("WellStates", "ChokeData", "WellParameters", "FlowData", "PumpData", "SensorsData", "ModelCalculatedData")
Call OpenSQLConnection
Set oRecordset = CreateObject("ADODB.Recordset")
Call SelectWell          ' sets WellID; defined elsewhere in the script
Call GetWellStateIDs
Data.Root.Clear
For j = 0 To UBound(oTables, 1)
  sSQLString = "select * from [" & oTables(j) & "] where [WellStateID] between " & WellStateIDFirst & " and " & WellStateIDLast
  oRecordset.Open sSQLString, oConnection
  ' Channel names come from the recordset's field names
  ReDim oFieldNames(oRecordset.Fields.Count - 1)
  For i = 0 To oRecordset.Fields.Count - 1
    oFieldNames(i) = oRecordset.Fields.Item(i).Name
  Next
  ' GetRows(Rows, Start, Fields): all rows from the first, restricted to the listed fields
  oArray = oRecordset.GetRows(-1, 0, oFieldNames)
  Set oGroup = Data.Root.ChannelGroups.Add(oTables(j))
  ArrayToChannels oArray, oFieldNames
  oRecordset.Close
Next
' Close the connection once, after the loop; closing it inside the loop leaves
' nothing to open the next recordset against.
oConnection.Close

Sub GetWellStateIDs
  sSQLString = "select * from [WellStates] where [wellid] = " & WellID
  oRecordset.Open sSQLString, oConnection
  oArray = oRecordset.GetRows()
  WellStateIDFirst = oArray(0, 0)
  WellStateIDLast = oArray(0, UBound(oArray, 2))
  oRecordset.Close
End Sub

Sub OpenSQLConnection
  Set WshNetwork = CreateObject("WScript.Network")
  oComputerName = WshNetwork.ComputerName
  oDB = "MX2.Player.DB"
  Set oConnection = CreateObject("ADODB.Connection")
  ' Integrated (SSPI) auth to the local named instance; note that
  ' "Use Encryption for Data=False" leaves the SQL session in the clear on the wire.
  oProvider = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=True;Data Source="
  oProvider = oProvider & oComputerName & "\MX;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Workstation ID="
  oProvider = oProvider & oComputerName & ";Use Encryption for Data=False;Tag with column collation when possible=False;Initial Catalog="
  oProvider = oProvider & oDB
  oConnection.ConnectionString = oProvider
  oConnection.Open
End Sub

Another clue: if you install the Microsoft Windows Script Debugger, you are able to use the debugger from DIAdem.
It would potentially have shown that the command does not work as expected.
Sorry for the inconvenience.
Andreas
-
IPsec VPN feature is not present on a CISCO891-K9 router
I want to configure IPsec over a GRE tunnel on a CISCO891-K9 router. The GRE tunnel works well, but I cannot configure IPsec. I found that the crypto isakmp and crypto ipsec commands are not there. The show version of the CISCO891-K9 is:

EFLWH-1#sh ver
Cisco IOS Software, C890 Software (C890-UNIVERSALK9_NPE-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled 07-Nov-12 23:11 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)

EFLWH-1 uptime is 2 days, 19 hours, 24 minutes
System returned to ROM by power-on
System image file is "flash:c890-universalk9_npe-mz.152-4.M2.bin"
Last reload type: Normal Reload
Last reload reason: power-on

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

Cisco 891 (MPC8300) processor (revision 1.0) with 498688K/25600K bytes of memory.
Processor board ID FGL170926DF

9 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
256K bytes of non-volatile configuration memory.
247464K bytes of ATA CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO891-K9           FGL170926DF

License Information for 'c890'
    License Level: advipservices_npe   Type: Permanent
    Next reboot license Level: advipservices_npe

Configuration register is 0x2102

Yes, it should work then.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Random IPsec tunnel packet drops
Hi experts,
I am trying to troubleshoot random packet loss on an IPsec tunnel between two VTIs. For more than a month we did not see any issue, and as of today we have 30% packet loss through the IPsec tunnel.
After analysis, I have concluded that the packet loss is somewhere on the path from the uc520 to the 2921. The packet count looks correct on the physical output interface of the uc520, but the packet count on the ingress interface of the 2921 is low.
Pings outside of the tunnel along the same path are very good.
I also deleted the tunnels at both ends, and after they came back up the issue was still present.
Any pointers on where to look for the lost packets?
RR-hq-2921#ping 10.1.13.1 source g0/1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
..!!.!!!!!!!!!!!.!!!!!!!!.!!!!
Topology:
[uc520] == HAVE == {{{cloud}}} == MODEM == [2921]
Test:
2921#clear counters g0/0
Clear "show interface" counters on this interface [confirm]
%CLEAR-5-COUNTERS: Clear counter on interface GigabitEthernet0/0
Run on the uc520: ping ... source ... timeout 0 repeat 4000
This should quickly raise the packet count on the far side by 4000 packets, as it did on the uc520 output interface.
2921#sh int g0/0 | i packets input
3348 packets input, 607812 bytes, 0 no buffer   (missing ~650)
2921#sh int g0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is XXXXXXXX
Description: Outside - WAN port
Internet address is XXX.XXX.XXX.XXX/YY
MTU 1500 bytes, BW 35000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:00:42
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 75000 bits/sec, 51 packets/sec
30 second output rate 77000 bits/sec, 52 packets/sec
3456 packets input, 619794 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
3454 packets output, 632194 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Good info.
Now, did you ask your ISP if they made any changes recently?
I think your suspicion is correct: if the packet counts do not match, then probably something in the environment has changed, since it worked before with the same configuration and IOS versions.
HTH.
-
Problem with VPN: router does not encrypt but decrypts
Hello, I have a problem with my IPsec tunnel. One of the routers (Cisco 861) is not encrypting the packets but does decrypt those coming in from the remote peer (RV042). In the access list for the WAN interface I deny traffic between the subnets, and in the VPN access list I permit the traffic. Could someone give me some help or advice? Thank you.
Hello
The problem is with access-list 102. This is your NAT access list. You see that you permit 172.16.2.0 to everything before you deny, so all traffic is translated to your public IP address before it tries to go through the VPN. You always want to DENY traffic before any permit in an access list, because they are processed top-down on the first match.
Try the following commands:
no ip nat inside source list 102 interface FastEthernet4 overload
no access-list 102
access-list 102 deny ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
access-list 102 permit ip 172.26.2.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet4 overload
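As an added example (not part of the thread, and not Cisco's code), the Python below evaluates a NAT access list with IOS first-match and wildcard-mask semantics against the two orderings the reply discusses. The ACL text and the test addresses are constructed from the subnets in the reply; the IOS behaviour it models is "first matching entry wins, implicit deny at the end", where a permit in a NAT ACL means the flow is translated and a deny means it is exempt.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" (flow is NATed) or "deny" (flow is exempt from NAT)
    src: str         # network address
    src_wild: str    # IOS wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask comparison: only bits that are 0 in the mask are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens: list[str]) -> tuple[str, str, list[str]]:
    """Consume one address spec ('any', 'host X', or 'NET WILD') from the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str) -> list[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping the order written."""
    entries: list[AclEntry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        src, src_wild, rest = _take_addr(parts[4:])   # parts[3] is the protocol ('ip')
        dst, dst_wild, _ = _take_addr(rest)
        entries.append(AclEntry(parts[2], src, src_wild, dst, dst_wild))
    return entries


def nat_decision(acl: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end means 'no NAT'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


# Constructed ACLs using the subnets from the reply above: the broken order
# (permit before deny) and the corrected order (deny the VPN subnet first).
BROKEN_ACL = """
access-list 102 permit ip 172.26.2.0 0.0.0.255 any
access-list 102 deny ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
"""
FIXED_ACL = """
access-list 102 deny ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
access-list 102 permit ip 172.26.2.0 0.0.0.255 any
"""


def compare(src: str, dst: str) -> dict[str, str]:
    """NAT decision for one flow under both orderings."""
    return {
        "broken": nat_decision(parse_acl(BROKEN_ACL), src, dst),
        "fixed": nat_decision(parse_acl(FIXED_ACL), src, dst),
    }


if __name__ == "__main__":
    # VPN-bound flow: translated (and so never matched by the crypto ACL) under the broken order
    print("to VPN peer subnet:", compare("172.26.2.10", "172.26.3.20"))
    # Internet-bound flow: translated under both orders, as intended
    print("to the Internet:   ", compare("172.26.2.10", "198.51.100.7"))
```

Run it and the VPN-bound flow comes out as "translate" under the original order and "exempt" under the corrected one, while Internet-bound traffic is translated under both. The same first-match rule applies to the crypto ACL, so after applying the fix it is worth confirming with show ip nat translations that no entry exists for a 172.26.3.0 destination.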
-
DMVPN questions - IPsec packets
Hi all
Currently I am configuring DMVPN for the first time. I followed the Cisco configuration guide and Googled a few other threads, but I seem to have hit a brick wall.
The setup is in a lab environment, so I can post as much information as required, but here are the important bits:
I have 3 Cisco 2821 routers running IOS 12.4(15) with a layer 3 switch in the middle connecting the 'WAN' ports together. Routing works fine; I can ping each router from the other routers.
Excerpts from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 10000
ip address 172.17.100.1 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 450
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description HQ WAN
ip address 1.1.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
And here's the config on the first spoke router:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 3000
ip address 172.17.100.10 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map 172.17.100.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 101
ip nhrp holdtime 450
ip nhrp nhs 172.17.100.1
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description Site 1 WAN
ip address 11.11.11.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
If I shut/no shut the Tunnel0 interface on spoke 1, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
Here's the output from the spoke router:
RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
Source addr: 11.11.11.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 172.17.100.1 E
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32
Interface: Tunnel0
Session: [0x48E31B98]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
All these commands show as empty when I run them on the hub router.
Any help appreciated.
Thank you
It is not negotiating because you do not have an IKE key configured. You need:
crypto isakmp policy 1
 encr (whatever)
 authentication pre-share
 group (whatever)
crypto isakmp key 0 somesecret address 0.0.0.0 0.0.0.0
Hub and spokes must match.
Your IPsec transform-set should also have "mode transport".
Sent from Cisco Technical Support iPad App
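To turn the counter reading from this thread (and from the "does not encrypt but decrypts" thread above) into a repeatable check, here is an added Python example, not code from the thread or from Cisco: it parses show crypto ipsec sa output and classifies each SA from its counters. The sample output is constructed to match the field names shown above; the peer addresses, interface names and SPI values in it are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the field names IOS prints in 'show crypto ipsec sa'.
# First block: an SA that never came up (no outbound SPI, send errors).
# Second block: a one-way tunnel (peer's traffic decrypts, nothing is encrypted).
# Third block: a healthy SA.
SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
   local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 46, #recv errors 0
     current outbound spi: 0x0(0)

interface: FastEthernet4
    Crypto map tag: VPN, local addr 198.51.100.10
   local  ident (addr/mask/prot/port): (172.26.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.26.3.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)

interface: GigabitEthernet0/0
    Crypto map tag: VPN, local addr 198.51.100.11
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.9 port 500
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 0, #recv errors 0
     current outbound spi: 0x5F6E7D8C(1601076620)
"""


@dataclass
class SaCounters:
    local: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: str


_FIELDS = {
    "local": r"local addr (\S+)",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}


def parse_show_crypto_ipsec_sa(text: str) -> list[SaCounters]:
    """Split the output into per-SA chunks (one per 'interface:' header) and pull the counters."""
    sas: list[SaCounters] = []
    for chunk in re.split(r"(?m)^interface: ", text)[1:]:
        found = {name: re.search(pat, chunk) for name, pat in _FIELDS.items()}
        if not all(found.values()):
            continue  # truncated or unexpected block: skip rather than guess
        v = {name: m.group(1) for name, m in found.items()}
        sas.append(SaCounters(v["local"], v["peer"], int(v["encaps"]),
                              int(v["decaps"]), int(v["send_errors"]), v["outbound_spi"]))
    return sas


def classify(sa: SaCounters) -> str:
    """Name the failure mode the counters point at."""
    if sa.outbound_spi == "0x0" and sa.encaps == 0 and sa.decaps == 0:
        # No SA negotiated at all: look at IKE (policy/key mismatch), not at the data path.
        return "no-sa"
    if sa.decaps > 0 and sa.encaps == 0:
        # Peer's traffic arrives and decrypts, but nothing local is selected for encryption:
        # typically NAT or crypto ACL ordering, or routing that bypasses the crypto map.
        return "one-way-inbound"
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way-outbound"
    return "ok"


def audit(text: str) -> dict[str, str]:
    """Map each peer address to its classification."""
    return {sa.peer: classify(sa) for sa in parse_show_crypto_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, verdict in audit(SAMPLE).items():
        print(f"{peer:16} {verdict}")
```

A "no-sa" verdict with send errors, as on the spoke output above, means packets reached the crypto map but no SA existed to protect them, which is what a missing ISAKMP policy and key produce; "one-way-inbound" is the signature of a NAT or ACL problem rather than an IKE one. The script deliberately skips blocks missing any field instead of guessing, since partial show output is common when pasted from a terminal.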
-
Some Windows features are not available.
I have an IdeaPad p580 and I noticed that a few basic Windows features are not available. I use Windows 7 Home Premium SP1 and everything else is as it came out of the box. I assume these are basic Windows features because I learned about them in an intro to Windows operating system class.
When I try to run secpol.msc from the start menu, Windows cannot find it, and also when I try to encrypt a file or folder this option is grayed out. I think Veriface is the culprit for the encrypt function, or some other preinstalled software is playing with things.
Any idea what could be the cause? Is my book misleading me, or am I going about this the wrong way?
Hi Kholt,
Some features are not available in Windows 7 Home Premium...
http://www.SevenForums.com/network-sharing/202099-secpol-MSC-network-security-workaround.html
http://Windows.Microsoft.com/en-us/Windows7/encrypt-or-decrypt-a-folder-or-file
http://en.Wikipedia.org/wiki/BitLocker_Drive_Encryption
Zehn
-
Files are being encrypted automatically.
A lot of Word documents and the C++ programs my son is creating are being encrypted automatically. When the document is opened, it says the user does not have access privileges. When I try to uncheck the encryption property, I get an access denied message. I'm doing this as an administrator.
Where the devil do I go to stop this?
How do I fix the access denied message?
How do I permanently change the user permissions so that all users have full permissions on the created documents?
These files are encrypted by the Encrypting File System (EFS). This indicates that you have XP Pro and not XP Home. When it comes to EFS, administrators have little or no power to decrypt these files. Even if you are an administrator, you will not be able to access these files.
The only way you can access the encrypted files is to create an "EFS Recovery Agent". You can then use the recovery agent to access any file encrypted after the agent has been installed. You will find that only files encrypted after the recovery agent is in place can be read. Files created before then will not be available.
"How to add an EFS recovery agent in Windows XP Professional"
http://support.Microsoft.com/kb/887414
"How to remove encryption from a file or a folder in Windows XP"
http://support.Microsoft.com/kb/308993
... and of course, required reading for everyone using EFS:
"Best practices for the Encrypting File System"
http://support.Microsoft.com/kb/223316
You can also disable EFS. You can do this with Group Policy in a domain environment, but at home a registry value can be changed. Use with caution. If you do not understand what follows or how to change the registry, do not do it.
"Note: Group Policy sets a registry key which is checked by EFS during user operations. The key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
In the case of local computers that are not members of a domain, local policy is not available for disabling EFS.
However, a different registry key can be set to disable EFS. If the key is set to a DWORD value of 0x01, EFS will be disabled.
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration"
Found in:
"Encrypting File System in Windows XP and Windows Server 2003"
http://TechNet.Microsoft.com/en-us/library/bb457065.aspx
If it's any consolation, EFS is known as the "delayed Recycle Bin", because if a user does not back up the certificate (as most do not), any Windows crash requiring a reinstall of Windows will permanently remove everyone's access to those files.
I hope this helps.
JW -
SX80 with TC7.3.4 not allowing encryption to be enabled
I have a client with an SX80 that has been sitting in a box for a while and is only being installed now. It has TC7.3.4 software. You cannot enable encryption mode for calls on this device: Best Effort and On are not available, only Off. It seems to me that the wrong (non-crypto) software load must be on this codec, but I wonder if there are other things that could cause this. I thought non-crypto loads had gone away and this wasn't possible, but I might be overlooking something else that could cause this problem. It has the default Cisco cert installed on it out of the box.
The SX80 must have the Encryption option key installed to encrypt calls. It will be in the format C 1 000-1-XXXXXXXX
Check on the Cisco Licensing Portal to see if the key for your device has been installed; otherwise you will get a.
Wayne
--
Remember to rate helpful responses and mark your question as answered as appropriate.
FWSM syslogs are not displayed in the CSM 4.1 Event Viewer
I have the CSM 4.1 Event Viewer and it should now support FWSM syslogs. The FWSM context now appears as a monitored device in the Event Viewer and I can see that the system receives the syslogs (packet capture on the server).
But they are not displayed? Why?
Rgds.
Which version is the FWSM running?
You can use the Event Viewer with FWSM running software versions 3.1.17+, 3.2.17+, 4.0.10+ and 4.1.1+ only.
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate helpful posts.
-
Hello
I am a CCNP but a VoIP beginner; I just took a new job, so this is my first VoIP LAN.
I upgraded my LAN using WS-C3560X switches. I'm upgrading 60 Tandberg E20 video phones from TE2.1.0 to TE4.1.0 because the E20s are not finding the voice VLAN.
I use an Avaya S8800 server running CM 5.2.1 with Avaya 9640D01A-1009 phones and Tandberg E20 video phones.
I am trying to decide which software to use: with encryption or without encryption.
Cisco E20 software:
s52100te4_1_1.pkg - AES encryption
s52101tenc4_1_1.pkg - no encryption
Q1. What is being encrypted? Voice traffic is the obvious answer to this, no?
Q2. Which device is at the other end of the encryption? CM or telephone?
Q3. Since calls will go outside my Avaya CM (i.e. calls to the outside world), is encryption important?
Thank you for your time and effort.
Scott
Hello.
s52100te4_1_1.pkg with AES encryption is for countries where AES encryption is allowed.
s52101tenc4_1_1.pkg without encryption is for countries where VoIP encryption is not allowed by law.
You only have a release key for one of them, so there is really no choice.
You can choose to disable encryption on the TE4 version (so it will have the same functionality as the TENC4), but you cannot enable encryption on the TENC4.
TE4 encryption is disabled by default anyway; the different software versions are there just for the legal question.
Q1: Call setup and the RTP stream can be configured to be encrypted on TE4.
Q2: The endpoint or an interop device.
Q3: It depends on whether your Avaya CM supports encryption or not.
Thank you
Marius
-
Inter-ESXi-host IPv6 multicast traffic is not seen by the destination VM
Hello
Warning: I do not have in-depth knowledge of VMware, so please excuse the bad wording, misconceptions and ignorance in the post below.
The current topology is:
Each ESXi 4.1 Update 3 host (DL380 G8) is connected to both layer 2 switches.
On each host, the vSwitch has two NICs configured active/active, with the default NIC teaming policy (route based on the originating virtual port ID).
Everything else is default.
The switches are connected by a trunk link (not bundled).
I have two Windows Server 2008 R2 VMs in the same subnet and have IPv6 enabled on them (by default).
When the two virtual machines are on the same physical host, ping -6 destination_ipv6_address works (I just use the link-local address).
When the two virtual machines are on different hosts, ping fails with "destination unreachable", which usually means the neighbor discovery process fails (similar to ARP in IPv4, where the source VM cannot get the MAC address of the destination virtual machine).
When the two virtual machines are on the same physical host, the packet capture shows that the Neighbor Solicitation message is sent to an IPv6 multicast address.
When they are not on the same physical host, a packet capture on the VM shows that the destination virtual machine never gets the IPv6 multicast packets.
I then connected two DL380 G8s in a similar way to the switches and installed Windows Server 2008 R2 directly on them without virtualization, and ping -6 works perfectly.
My questions are:
- Have I missed a configuration somewhere to allow IPv6 multicast to work? Or even to remove any 'logic' and simply treat it as broadcast?
On network switches you can do this by disabling IGMP snooping, which then treats multicast as broadcast packets.
But I can't find a similar setting under ESXi anywhere.
- I saw an option "Enable IPv6" on ESXi, but I guess it's only relevant if the host itself participates in IPv6 and therefore not applicable to my case?
The only similar question I found in my research is at the link below, which suggests hardcoding the neighbor table on the virtual machines, which is not ideal.
I can confirm however that hardcoding the neighbor table on the two virtual machines works. This problem seems to be about how ESXi vSwitches handle IPv6 multicast traffic.
Ideas and points of view are very much appreciated.
Ed
I don't know if this will really solve your problem, but it is worth trying to update the NIC firmware and driver.
Looks like it's an HP NC331FLR NIC (the default 4-port NIC on Gen8 DL servers, with the BCM5719 chip).
There are no binary updates that you can run from 4.1, but you can update all the firmware components with the current HP Service Pack for ProLiant image:
Or boot the server into a live Linux of your choice and use the Linux binary update:
http://www.HP.com/swpublishing/MTX-ec0e18db6a8e4d978b57aa95d1
These will update the NC331FLR to Boot Code version 1.37/NCSI 1.2.37.
Then update the tg3 driver in ESXi with this offline bundle, 3.129d.v40.1:
You need the offline bundle file (BCM-tg3-3.129d.v40.1-offline_bundle-1033618.zip) from this package. You can import it into vCenter Update Manager for easier deployment or (probably) install it from the ESXi shell with esxupdate --bundle=/tmp/BCM-tg3-3.129d.v40.1-offline_bundle-1033618.zip
I'm a little rusty on the ESXi 4.1 CLI, however; you may need to use the vihostupdate utility or Install-VMHostPatch with PowerCLI remotely:
-
Logs are not shipped to the DR database, help please
Hello
I have created a physical standby database at the local site, and Data Guard works.
But the standby database cannot receive the logs when the standby database is installed remotely and I change the IP, /etc/hosts, listener.ora and tnsnames.ora.
It seems to be a network problem for the remote standby, because log shipping works to the database at the local site.
Help, please.
Messages below.
AIX 5300-12-04-1119 + Oracle 11.2.0.2
######## Primary database alert log ########
******************************************************************
LGWR: Setting 'active' archival for destination LOG_ARCHIVE_DEST_2
******************************************************************
Wed Sep 09 18:40:13 2013
WARN: ARC1: Terminating pid 2916466 hung on an IO operation
WARN: ARC1: Terminating pid 3350692 hung on an IO operation
krsv_proc_kill: Killing 1 processes (Process by index)
Wed Sep 09 18:40:24 2013
krsv_proc_kill: Killing 1 processes (Process by index)
ARC1: Error 16198 due to hung I/O operation to LOG_ARCHIVE_DEST_2
ARC1: Detected ARCH process failure
ARC1: Detected ARCH process failure
ARC1: STARTING ARCH PROCESSES
Wed Sep 09 18:40:27 2013
ARC2 started with pid=20, OS id=2916468
ARC2: Archival started
WARN: ARC2: Terminating pid 585944 hung on an IO operation
Wed Sep 09 18:40:27 2013
ARC3 started with pid=22, OS id=3383458
ARC3: Archival started
ARC1: STARTING ARCH PROCESSES COMPLETE
Reclaiming FAL entry from dead process [pid 2916466]
krsv_proc_kill: Killing 1 processes (Process by index)
WARN: ARC3: Terminating pid 585944 hung on an IO operation
krsv_proc_kill: Killing 1 processes (Process by index)
ARC2: Detected ARCH process failure
ARC2: STARTING ARCH PROCESSES
Wed Sep 09 18:40:34 2013
ARC0 started with pid=19, OS id=3854466
ARC3: Becoming the heartbeat ARCH
ARC0: Archival started
ARC2: STARTING ARCH PROCESSES COMPLETE
Reclaiming FAL entry from dead process [pid 3350692]
Reclaiming FAL entry from dead process [pid 585944]
Wed Sep 09 18:45:28 2013
WARN: ARC1: Terminating pid 3854466 hung on an IO operation
WARN: ARC1: Terminating pid 2916468 hung on an IO operation
WARN: ARC1: Terminating pid 3383458 hung on an IO operation
Wed Sep 09 18:45:42 2013
WARN: ARC1: Terminating pid 3858682 hung on an IO operation
krsv_proc_kill: Killing 1 processes (Process by index)
krsv_proc_kill: Killing 1 processes (Process by index)
krsv_proc_kill: Killing 1 processes (Process by index)
Wed Sep 09 18:45:53 2013
krsv_proc_kill: Killing 1 processes (Process by index)
ARC1: Detected ARCH process failure
ARC1: Detected ARCH process failure
ARC1: Detected ARCH process failure
ARC1: STARTING ARCH PROCESSES
Wed Sep 09 18:45:55 2013
ARC0 started with pid=19, OS id=3858686
Wed Sep 09 18:45:55 2013
ARC2 started with pid=20, OS id=3383460
ARC0: Archival started
Wed Sep 09 18:45:55 2013
ARC3 started with pid=22, OS id=585962
ARC2: Archival started
ARC2: Becoming the heartbeat ARCH
Reclaiming FAL entry from dead process [pid 3383458]
ARC3: Archival started
ARC1: STARTING ARCH PROCESSES COMPLETE
Reclaiming FAL entry from dead process [pid 2916468]
Wed Sep 09 18:46:57 2013
Reclaiming FAL entry from dead process [pid 3854466]
Wed Sep 09 18:46:59 2013
NSA2 started with pid=47, OS id=2838532
Wed Sep 09 18:47:02 2013
Thread 1 advanced to log sequence 4883 (LGWR switch)
  Current log# 2 seq# 4883 mem# 0: /u2/oracle/oradata/plmdb/redo02.log
Wed Sep 09 18:47:02 2013
Archived Log entry 4860 added for thread 1 sequence 4882 ID 0x5c432f01 dest 1:
######## Standby database alert log ########
krsv_proc_kill: Killing 1 processes (RFS slaves by thread/sequence)
RFS[66]: Assigned to RFS process 700480
RFS[66]: Opened log for thread 1 sequence 4872 dbid 1547947009 branch 757523841
Wed Sep 09 18:46:59 2013
Primary database is in MAXIMUM PERFORMANCE mode
RFS[67]: Assigned to RFS process 463046
RFS[67]: No standby redo logfiles available for thread 1
RFS[67]: Opened log for thread 1 sequence 4883 dbid 1547947009 branch 757523841
Wed Sep 09 18:51:03 2013
RFS[64]: Possible network disconnect with primary database
Wed Sep 09 18:51:15 2013
krsv_proc_kill: Killing 1 processes (RFS slaves by thread/sequence)
Wed Sep 09 18:51:16 2013
krsv_proc_kill: Killing 1 processes (RFS slaves by thread/sequence)
Wed Sep 09 18:51:16 2013
RFS[68]: Assigned to RFS process 626724
RFS[68]: Opened log for thread 1 sequence 4867 dbid 1547947009 branch 757523841
RFS[69]: Assigned to RFS process 684156
RFS[69]: Opened log for thread 1 sequence 4866 dbid 1547947009 branch 757523841
RFS[70]: Assigned to RFS process 483332
RFS[70]: Opened log for thread 1 sequence 4872 dbid 1547947009 branch 757523841
######## Primary database: archive log report ########
FACILITY                 SEVERITY      MESSAGE_NUM ERROR_CODE CAL TO_CHAR(TIMESTAMP,'DD-MON-YYY MESSAGE
------------------------ ------------- ----------- ---------- --- ----------------------------- ------------------------------------------------------------
Log Transport Services   Error         41532       16198      YES 09-OCT-2013 17:41:22          WARN: ARC1: Terminating pid 3600618 hung on an IO operation
Log Transport Services   Error         41533       16198      YES 09-OCT-2013 17:41:27          WARN: ARC1: Terminating pid 4071430 hung on an IO operation
Log Transport Services   Error         41536       16198      YES 09-OCT-2013 17:41:36          ARC1: Error 16198 due to hung I/O operation to LOG_ARCHIVE_DEST_2
Log Transport Services   Error         41540       16198      YES 09-OCT-2013 17:41:36          WARN: ARC2: Terminating pid 3960900 hung on an IO operation
Log Transport Services   Error         41543       16198      YES 09-OCT-2013 17:41:41          WARN: ARC3: Terminating pid 3960900 hung on an IO operation
Log Transport Services   Error         41548       16198      YES 09-OCT-2013 17:46:37          WARN: ARC1: Terminating pid 3797106 hung on an IO operation
Log Transport Services   Error         41549       16198      YES 09-OCT-2013 17:46:42          WARN: ARC1: Terminating pid 3600622 hung on an IO operation
Log Transport Services   Error         41550       16198      YES 09-OCT-2013 17:46:46          WARN: ARC1: Terminating pid 4071432 hung on an IO operation
Log Transport Services   Error         41551       16198      YES 09-OCT-2013 17:46:51          WARN: ARC1: Terminating pid 4001810 hung on an IO operation
Logs are not shipped to the physical standby database [ID 1130523.1]
Please work with your network administrator to make sure that the following firewall features are disabled:
- SQLNet fixup protocol
- Deep Packet Inspection (DPI)
- SQLNet packet inspection
- SQL Fixup
- SQL ALG (Juniper firewall)
Disable SQL ALG.