IPSec tunnel do not come between two ASA - 5540 s.

Similar Questions

• Site to Site VPN tunnel is not come between 2 routers

  Dear all,

  I have 2 routers for branch which is configured for VPN site-to-site, but the tunnel does not come!

  I ran debug and I enclose herwith output for your kind review and recommendation. I also enclose here the 2 routers configs branch.

  Any idea on why the Site to site VPN is not coming?

  Kind regards

  Haitham

  You guessed it!

  Just because you have re-used the same card encryption for LAN to LAN and vpn-client traffic.

  This from the DOC CD

  No.-xauth

  (Optional) Use this keyword if the router to router IP Security (IPSec) is on the same card encryption as a virtual private network (VPN) - client - to-Cisco-IOS IPSec. This keyword prevents the router causing the peer for the information of extended authentication (Xauth) (username and password).

• IPSec Tunnel permanent between two ASA

  Hello

  I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.

  What should I do?

  Thanks for any help

  Yves

  Disables keepalive IKE processing, which is enabled by default.

  (config) #tunnel - 10.165.205.222 group ipsec-attributes

  KeepAlive (ipsec-tunnel-config) #isakmp disable

  Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - idle - timeout no

  attributes of hostname (config) #-Group Policy DfltGrpPolicy
  hostname (Group Policy-config) #vpn - session - timeout no

  Thank you

  Ajay

• Easy VPN between two ASA 9.5 - Split tunnel does not

  Hi guys,.

  We have set up a site to site vpn using easy configuration vpn between ver 9.5 race (1) two ASA. The tunnels are up and ping is reached between sites. I also configured split tunnel for internet traffic under the overall strategy of the ASA easy vpn server. But for some unknown reason all the customer same internet traffic is sent to the primary site. I have configured NAT to relieve on the side of server and client-side. Please advise if no limitation so that the installation program.

  Thank you and best regards,

  Arjun T P

  I have the same question and open a support case.

  It's a bug in the software 9.5.1. See the bug: CSCuw22886

• ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

  Hello

  I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

  1 Configure ASA-1 (host name, vlan 1 and vlan 2).

  2. configure a static route

  3. create object network (local and remote)

  4. create the access list

  5. create ikev1 crypto

  6. create tunnel-group

  7 Configure nat

  and I repeat the steps above with the ASA but another change IP.

  Are to correct the above steps?

  Why can I not create an IPSEC VPN between devices?.

  No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

• ASA 8.6 - l2l IPsec tunnel established - not possible to ping

  Hello world

  I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).

  The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.

  I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).

  The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

  Here is the output of "show run":

  ---------------------------------------------------------------------------------------------------------------------------------------------

  ASA 1.0000 Version 2

  !

  ciscoasa hostname

  activate oBGOJTSctBcCGoTh encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  address IP X.X.X.X 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface GigabitEthernet0/2

  nameif DMZ

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  passive FTP mode

  internal subnet object-

  192.168.0.0 subnet 255.255.255.0

  object Web Server external network-ip

  host Y.Y.Y.Y

  Network Web server object

  Home 192.168.2.100

  network vpn-local object - 192.168.2.0

  Subnet 192.168.2.0 255.255.255.0

  network vpn-remote object - 192.168.3.0

  subnet 192.168.3.0 255.255.255.0

  outside_acl list extended access permit tcp any object Web server

  outside_acl list extended access permit tcp any object webserver eq www

  access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0

  dmz_acl access list extended icmp permitted an echo

  pager lines 24

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 DMZ

  management of MTU 1500

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0

  !

  internal subnet object-

  NAT dynamic interface (indoor, outdoor)

  Network Web server object

  NAT (DMZ, outside) Web-external-ip static tcp www www Server service

  Access-Group global dmz_acl

  Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac

  Crypto ipsec ikev2 proposal ipsec 3des-GNAT

  Esp 3des encryption protocol

  Esp integrity md5 Protocol

  Crypto dynamic-map dynMidgeMap 1 match l2l-address list

  Crypto dynamic-map dynMidgeMap 1 set pfs

  Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set

  Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT

  Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800

  Crypto dynamic-map dynMidgeMap 1 the value reverse-road

  midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap

  midgeMap interface card crypto outside

  ISAKMP crypto identity hostname

  IKEv2 crypto policy 1

  3des encryption

  the md5 integrity

  Group 2

  FRP md5

  second life 86400

  Crypto ikev2 allow outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal midgeTrialPol group policy

  attributes of the strategy of group midgeTrialPol

  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

  enable IPSec-udp

  tunnel-group midgeVpn type ipsec-l2l

  tunnel-group midgeVpn General-attributes

  Group Policy - by default-midgeTrialPol

  midgeVpn group of tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  remote control-IKEv2 pre-shared-key authentication *.

  pre-shared-key authentication local IKEv2 *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606

  : end

  ------------------------------------------------------------------------------------------------------------------------------

  X.X.X.X - ASA public IP

  Y.Y.Y.Y - a web server

  Z.Z.Z.Z - default gateway

  -------------------------------------------------------------------------------------------------------------------------------

  ASA PING:

  ciscoasa # ping DMZ 192.168.3.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:

  ?????

  Success rate is 0% (0/5)

  PING from router (debug on CISCO):

  NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40

  Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40

  -------------------------------------------------------------------------------------------------------------------------------

  ciscoasa # show the road outside

  Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

  i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

  * - candidate by default, U - static route by user, o - ODR

  P periodical downloaded static route

  Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

  C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the

  S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors

  S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors

  -------------------------------------------------------------------------------------------------------------------------------

  Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...

  Please, if you have an idea, let me know! Thank you very much!

  Hello

  I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.

  "The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "

  You ACL: access-list extended dmz_acl to any any icmp echo

  For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.

  Then to initiate router, the ASA Launches echo-reply being blocked again.

  Try to add permit-response to echo as well.

  In addition, you can use both "inspect icmp" in world politics than the ACL.

  If none does not work, you can run another t-shoot with control packet - trace on SAA.

  THX

  MS

• IPSec tunnels does not work

  I have 2 Cat6, with IPsec SPA card, while the other did not.

  I tried setting IPsec tunnel between them, but somehow can't bring up the tunnel, can someone help me to watch set it up?

  A (with SPA):

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 5

  ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 10

  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac testT1

  !

  Crypto ipsec profile P1

  Set transform-set testT1

  !

  Crypto call admission limit ike his 3000

  !

  Crypto call admission limit ike in-negotiation-sa 115

  !

  interface Tunnel962

  Loopback962 IP unnumbered

  tunnel GigabitEthernet2/37.962 source

  tunnel destination 172.16.16.6

  ipv4 ipsec tunnel mode

  Profile of tunnel P1 ipsec protection

  interface GigabitEthernet2/37.962

  encapsulation dot1Q 962

  IP 172.16.16.5 255.255.255.252

  interface Loopback962

  1.1.4.200 the IP 255.255.255.255

  IP route 2.2.4.200 255.255.255.255 Tunnel962

  B (wuthout SPA):

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 5

  ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

  !

  !

  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac T1

  !

  Crypto ipsec profile P1

  game of transformation-T1

  interface Tunnel200

  Loopback200 IP unnumbered

  tunnel GigabitEthernet2/1.1 source

  tunnel destination 172.16.16.5

  ipv4 ipsec tunnel mode

  Profile of tunnel T1 ipsec protection

  interface Loopback200

  2.2.4.200 the IP 255.255.255.255

  interface GigabitEthernet2/1.1

  encapsulation dot1Q 962

  IP 172.16.16.6 255.255.255.252

  IP route 1.1.4.200 255.255.255.255 Tunnel200

  I can ping from 172.16.16.6 to 172.16.16.5, but the tunnel just can not upwards. When I turned on "debugging ipsec cry ' and ' debug cry isa", nothing comes out, when I trun on 'cry of debugging sciences', I got:

  "00:25:17: crypto_engine_select_crypto_engine: can't handle more."

  Hello

  You need a map of IPSEC SPA on chassis B do IPSEC encryption. Please see the below URL for more details.

  Without a SPA-IPSEC - 2G or IPsec VPN Services Module of acceleration, the IPsec network security feature (configured with the crypto ipsec command) is supported in the software only for administrative for Catalyst 6500 series switches and routers for the Cisco 7600 Series connections.

  http://www.Cisco.com/en/us/docs/switches/LAN/catalyst6500/IOS/12.2SXF/native/release/notes/OL_4164.html

  Kind regards

  Arul

  * Rate pls if it helps *.

• IPSEC tunnels does not connect

  Out of sudden IPSEC tunnel on remote site 202.68.211.20 is not plug in. Previously is OK. There is no change in config.

  IKE Phase 1 even not connect.

  I'm debugging, but I don't know what could be the error.

  -----------------------------------------------------------------------------

  = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = PuTTY connect 2016.05.12 15:19:36 = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ = ~ =.
  12 May 12:06:50 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:06:53 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd84aff40) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce ending: flags 0 x 01000022, refcnt 0, tuncnt 0
  12 May 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
  12 May 12:06:59 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
  12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
  12 May 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
  12 May 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:03 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:09 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, case of mistaken IKE MM Initiator WSF (struct & 0xd8457958) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 ending: flags 0 x 01000022, refcnt 0, tuncnt 0
  12 May 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending clear/delete with the message of reason
  12 May 12:07:37 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, initiator of IKE: New Phase 1, Intf internal, IKE Peer 202.68.211.20 address proxy local 10.215.20.0 address remote Proxy 10.210.0.0, Card Crypto (VPN_map)
  12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, build the payloads of ISAKMP security
  12 May 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, construction of Fragmentation VID + load useful functionality
  12 May 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:40 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  12 May 12:07:46 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
  12 May 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
  12 May 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 112
  q

  Hello

  It seems that the tunnel is blocked to MSG_2.

  You can check if the UDP 500 traffic is not blocked between peers?

  Please check with your provider.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• IPSec tunnel does not work

  Hi all

  We have an IPSec tunnel that does not work. I think that Phase 2 is not established but I don't know why.

  Add the output and the newspaper.

  Thanks for your help

  ASA-VPN-PRI/act/pri # sh crypto isakmp his
  !
  13 peer IKE: 91.209.243.5
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  !

  ASA-VPN-PRI/act/pri # sh crypto isakmp his | include the 91.209.243.5
  12 peer IKE: 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  ASA-VPN-PRI/act/pri # sh crypto ipsec his | include the 91.209.243.5
  ASA-VPN-PRI/act/pri #.

  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = c516994b) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:48 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:48 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6c)
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:48 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:48 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 29bf4142) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b72ddf0a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:43 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:43 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6b)
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:43 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:43 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = ae5305df) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = b796798d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:38 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:38 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d6a)
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:38 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:38 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 98241c 63) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = e233621d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:33 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:33 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d69)
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:33 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:33 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = 36ecdf6a) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = cb1b978d) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: is.40:28 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: is.40:28 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d68)
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: is.40:28 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: is.40:28 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = f25bcdb5) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE SEND Message (msgid = 32bca075) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, build payloads of hash qm
  7. December 17, 2014 | 15: 40:23 | 715046 | Group = 91.209.243.5, IP = 91.209.243.5, payload of empty hash construction
  7. December 17, 2014 | 15: 40:23 | 715036 | Group = 91.209.243.5, IP = 91.209.243.5, sending persistent type DPD R-U-HERE-ACK (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715075 | Group = 91.209.243.5, IP = 91.209.243.5, received persistent type DPD R-U-LÀ (seq number 0x7d67)
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, processing notify payload
  7. December 17, 2014 | 15: 40:23 | 715047 | Group = 91.209.243.5, IP = 91.209.243.5, payload of hash of treatment
  7. December 17, 2014 | 15: 40:23 | 713236 | IP = 91.209.243.5, IKE_DECODE RECEIPT Message (msgid = a3f0e3f9) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Please repeat the debug with "debug crypto isakmp 100". And compare the config of the Phase 2 on both sides:

  1. Is what ACL crypto exactly in the opposite direction on both sides?
  2. Your transformation sets include exactly the same algorithms?

• site-to-site between two ASA firewall

  Hello

  I have two ASA and I have set up the two ASA til S2S. ASA1 is in HQ and ASA2 is in Office of Brunch. HQ ASA has multi S2S connection and Brunch ASA has only S2S to Headquarters. The Senario is I want to send all traffic (both Internet and LAN in the ASA HQ) ASA2 throug the tunnel. The problem is that when the tunnel is up and there is ASA2 connevtivity (brunch office) for the network local behinde ASA1 (HQ), but the client behinde ASA2 has no conectivity when they try to go to the Internet. Tanks a lot in advance for any help!

  ASA HQ extern ip 192.x.y.z/24, LAN 10.70.0.0/16

  Brunch of the ASA Office a extern ip 168.x.y.z/24, LAN 10.79.1.0/24

  This should help you:

  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0

  access extensive list ip 10.79.1.0 inside_nat0_outbound allow 255.255.255.0 255.255.255.0 x.x.x.x
  access extensive list ip 10.79.1.0 outside_1_cryptomap allow 255.255.255.0 255.255.255.0 x.x.x.x

  x.x.x.x = subnet HQ, in the ASA HQ you need of the opposite ACL:

  permit inside_nat0_outbound to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0
  permit outside_1_cryptomap to access extended list ip x.x.x.x 255.255.255.0 10.79.1.0 255.255.255.0

  This way to the internet traffic will be coordinated because it turns off and traffic to the VPN will be
  not be translated as she goes down the tunnel

• IPSec tunnels do not work

  Hello

  I practice a bit with 2 CISCO 2811 routers and 2621. I did the basic configuration for an IPSec connection, but the tunnel seems not to lead. Also, I can ping the external interface of the other router, but I cannot ping inside network behind each of them. Any ideas? The external interface are connected via a cable UTP croosover. Here's the sh run of each:

  2621 router:

  !

  version 12.2

  horodateurs service debug uptime

  Log service timestamps uptime

  encryption password service

  !

  hostname RPrueba2

  !

  logging buffered 51200 warnings

  enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70

  !

  username supervisor privilege 15 password 7 07062F49420C1A110513

  voice-card 1

  !

  IP subnet zero

  !

  !

  !

  !

  crypto ISAKMP policy 1

  md5 hash

  preshared authentication

  ISAKMP crypto keys Inelectra address 20.20.20.21

  !

  !

  Crypto ipsec transform-set base esp - esp-md5-hmac

  !

  Armadillo 1 ipsec-isakmp crypto map

  defined by peer 20.20.20.21

  security-association value seconds of life 4000

  Set transform-set basic

  PFS Group1 Set

  match address 101

  !

  call the rsvp-sync

  !

  !

  !

  !

  !

  !

  controller E1 1/0

  !

  !

  !

  interface FastEthernet0/0

  IP 192.168.250.1 255.255.255.0

  automatic duplex

  automatic speed

  !

  interface Serial0/0

  no ip address

  Shutdown

  !

  interface FastEthernet0/1

  IP 20.20.20.1 255.255.255.0

  automatic duplex

  automatic speed

  Armadillo card crypto

  !

  interface Serial0/1

  no ip address

  Shutdown

  !

  interface Serial0/2

  no ip address

  Shutdown

  !

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 20.20.20.21

  IP http server

  !

  !

  !

  !

  !

  !

  !

  !

  !

  access-list 101 permit ip 192.168.250.0 0.0.0.255 any

  access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255

  !

  !

  Dial-peer cor custom

  !

  !

  !

  !

  !

  Line con 0

  password 7 020F0A5E07030C355E4F

  opening of session

  line to 0

  line vty 0 4

  privilege level 15

  password 7 12100B121E0E0F10382A

  opening of session

  transport input telnet ssh

  !

  end

  2811 router:

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  hostname RPrueba

  !

  boot-start-marker

  boot-end-marker

  !

  logging buffered 51200 warnings

  enable secret 5 $1$ oNw1$ SQaqP.FazBuaiVZ3MHte70

  !

  No aaa new-model

  !

  resources policy

  !

  iomem 15 memory size

  No network-clock-participate wic 1

  IP subnet zero

  !

  !

  IP cef

  !

  !

  !

  !

  voice-card 0

  No dspfarm

  !

  username supervisor privilege 15 password 7 07062F49420C1A110513

  !

  !

  controller E1 1/0/0

  !

  !

  crypto ISAKMP policy 1

  md5 hash

  preshared authentication

  ISAKMP crypto keys Inelectra address 20.20.20.1

  !

  !

  Crypto ipsec transform-set Ineset ah-md5-hmac esp - a

  Crypto ipsec transform-set base esp - esp-md5-hmac

  !

  Armadillo 1 ipsec-isakmp crypto map

  defined by peer 20.20.20.1

  security-association value seconds of life 4000

  Set transform-set basic

  PFS Group1 Set

  match address 102

  !

  !

  !

  !

  interface FastEthernet0/0

  IP 192.168.240.1 255.255.255.0

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/1

  IP 20.20.20.21 255.255.255.0

  automatic duplex

  automatic speed

  Armadillo card crypto

  !

  interface Serial0/0/0

  no ip address

  Shutdown

  no fair queue

  2000000 clock frequency

  !

  interface Serial0/0/1

  no ip address

  Shutdown

  2000000 clock frequency

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 20.20.20.1

  !

  !

  IP http server

  no ip http secure server

  !

  access-list 101 permit ip 192.168.240.0 0.0.0.255 any

  access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255

  !

  control plan

  !

  Line con 0

  password 7 020F0A5E07030C355E4F

  opening of session

  line to 0

  line vty 0 4

  privilege level 15

  password 7 12100B121E0E0F10382A

  opening of session

  transport input telnet ssh

  !

  Scheduler allocate 20000 1000

  !

  end

  I also tried the isakmp crypto see the its and there is nothing on the table. Thanks for any help.

  Gustavo

  Under card crypto router armadilloin 2621 =

  Use the ACL 102 crypto instead of 101.

  match address 102

  And then disable the isakmp its ipsec and its

  then try to ping.

• GRE tunnels will not come on VPN IPsec/GRE

  Hi all

  We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

  Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

  The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

  00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
     
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
  00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

  I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

  Assorted useful details and matching orders of show results:

  Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

  There are 2 connections of IPSEC/GRE tunnel:

  Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
  Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

  Site-382-831 #sho ip int br
  Interface IP-Address OK? Method State Protocol
  FastEthernet1 unassigned YES unset down down
  FastEthernet2 unassigned YES unset upward, upward
  FastEthernet3 unassigned YES unset upward, upward
  FastEthernet4 unassigned YES unset upward, upward
  Ethernet0 10.3.82.10 YES NVRAM up up
  Ethernet1 74.WW. XX.35 YES NVRAM up up
  Ethernet2 172.16.1.10 YES NVRAM up up
  Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
  Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
  NVI0 unassigned don't unset upward upwards

  Site-382-831 #.
  Site-382-831 #sho run int tunnel101
  Building configuration...

  Current configuration: 277 bytes
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  KeepAlive 3 3
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  end

  Site-382-831 #.

  Site-382-831 #show isakmp crypto his
  status of DST CBC State conn-id slot
  208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
  208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show detail of the crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  X - IKE extended authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 11:2 (hardware)
  74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 10:2 (hardware)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his

  Interface: Ethernet1
  Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
  current_peer 208.YY. ZZ.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0x45047D1D (1157922077)

  SAS of the esp on arrival:
  SPI: 0x15B97AEA (364477162)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486831/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x45047D1D (1157922077)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486744/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
  current_peer 208.XX. YY.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0xE82A86BC (3895101116)

  SAS of the esp on arrival:
  SPI: 0x539697CA (1402378186)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432595/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xE82A86BC (3895101116)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432508/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto isakmp policy

  World IKE policy
  Priority protection Suite 10
  encryption algorithm: three key triple a
  hash algorithm: Secure Hash Standard
  authentication method: pre-shared Key
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Default protection suite
  encryption algorithm: - Data Encryption STANDARD (56-bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Site-382-831 #.

  Site-382-831 #show crypto card
  "IPVPN_MAP" 101-isakmp ipsec crypto map
  Description: at the 2nd KC BGP 2821 - PRI - B
  Peer = 208.YY. ZZ.11
  Extend the PRI - B IP access list
  access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
  Current counterpart: 208.YY. ZZ.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }

  "IPVPN_MAP" 201-isakmp ipsec crypto map
  Description: 2nd Dallas BGP 2821 - s-B
  Peer = 208.XX. YY.11
  Expand the list of IP SEC-B access
  s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
  Current counterpart: 208.XX. YY.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }
  Interfaces using crypto card IPVPN_MAP:
  Ethernet1
  Site-382-831 #.

  Tunnel between KC & the remote site configuration is:

  Distance c831 - KC

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  !
  PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
  transport mode
  !
  IPVPN_MAP 101 ipsec-isakmp crypto map
  Description of 2nd KC BGP 2821 - PRI - B
  set of peer 208.YY. ZZ.11
  game of transformation-IPVPN
  match address PRI - B
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  !
  interface Ethernet0
  private network Description
  IP 10.3.82.10 255.255.255.0
  IP mtu 1500
  no downtime
  !
  interface Ethernet1
  IP 74.WW. XX.35 255.255.255.248
  IP mtu 1500
  automatic duplex
  IP virtual-reassembly
  card crypto IPVPN_MAP
  no downtime
  !
  PRI - B extended IP access list
  allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
  !

  KC-2821 *.

  PRI-B-382 address 74.WW isakmp encryption key. XX.35
  !
  PRI-B-382 extended IP access list
  allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
  !
  IPVPN_MAP 382 ipsec-isakmp crypto map
  Description % connected to the 2nd KC BGP 2821
  set of peer 74.WW. XX.35
  game of transformation-IPVPN
  match address PRI-B-382
  !
  interface Tunnel382
  Description %.
  IP 1.3.82.45 255.255.255.252
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  IP 1400 MTU
  delay of 40000
  tunnel of 208.YY origin. ZZ.11
  destination of the 74.WW tunnel. XX.35
  !
  end

  Any help would be much appreciated!

  Mark

  Hello

  logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Kind regards

  Averroès.

• IPSec Tunnel site to Site between ASA (static IP) to the firewall Microtick (dynamic IP) cannot telnet routeros and open https

  I purchased Mikrotik hardware devices and want to use routeros seat firewall cisco asa establish VPN. Aims to establish that a branch may be two IPSEC VPN access devices at the headquarters of the server via the public network.

  But now, I'm having some trouble, so I have cisco asa branches and headquarters to establish successful ipsec vpn.
  (1) branch routeros WAN port using a private IP address and is a member of the asa above outdoor sound created vpn ipsec, vpn successfully established internal servers and I ping the switch at the headquarters of the branch. However, there is a problem, I go through routeros visit that the headquarters of the https server pages can not be opened, telnet internal switches can telnet to the top, but were unable to penetrate into the character.
  (2) in addition, I left the branch routeros on a public IP address WAN port and asa VPN IPSEC created seat, said problems above are not, the server can also be accessed, telnet switch can also enter text and control.
  At the present time, I have encountered this problem of interface not CAN not because I need to create of very, very many industries and the need to establish headquarters communications branch offices so I have to use private IP addresses to access the Wan, unable to do wan are public IP address and headquarters to establish IPSEC VPN.

  now, I can't telnet asa inside the cisco router and open the web inside https, I can't solve the problems.

  now, registrants of asa:

  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  IP 49.239.3.10 255.255.255.0
  !
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  IP 172.17.0.111 255.255.255.0

  network of the object inside
  172.17.1.0 subnet 255.255.255.0
  network outsidevpn object
  Subnet 192.168.0.0 255.255.0.0

  QQQ

  NAT (inside, outside) static source inside inside destination static outsidevpn outsidevpn non-proxy-arp-search to itinerary

  Route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
  Route inside 172.17.1.0 255.255.255.0 172.17.0.5 1

  Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 cisco
  Crypto ipsec pmtu aging infinite - the security association
  Crypto dynamic-map cisco 1000 set pfs
  Crypto dynamic-map cisco 1000 set transform-set cisco ikev1
  Crypto dynamic-map cisco 1000 value reverse-road
  Cisco-cisco ipsec isakmp dynamic 1000 card crypto
  cisco interface card crypto outside
  trustpool crypto ca policy
  Crypto isakmp nat-traversal 60
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400

  IPSec-attributes tunnel-group DefaultL2LGroup
  IKEv1 pre-shared-key *.

  Hello

  Could you share the output of the counterpart of its IPSec cry see the 49.239.3.10 of the other device?

  Kind regards

  Aditya

• Site to Site VPN tunnel between two ASA

  I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

  Thank you

  Carlos

  Hello

  First, I would like to say that I don't personally use ASDM for the configuration.

  But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

  I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

  If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

  -Jouni

• Pinging or TFTPing between two ASA

  I soon two of ASA, to have several more in the area of connection of networks together.  My main ASA has built a site between itself and other ASA (hand ASA5520 / other ASA5505).

  I can SSH or telnet to 5505, even to its internal IP address, but my current problem is the network I cannot ping other devices of the 5505, which is contained within our network.  I try to update the ASA using TFTP, but this does not work as well.  I know this has something to do with icmp, but I think I'm missing something.

  When I try to do a traceroute on an internal ip, it fails.

  911PSAP-5505 # traceroute 192.255.255.13

  Type to abort escape sequence.
  The route to 192.255.255.13

  1 68.213.181.241 0 ms 0 ms 0 ms
  2 68.216.208.95 20 ms 10 ms 10 ms
  3 68.152.198.81 10 ms 10 ms 10 ms
  4 12.81.24.108 10 ms 10 ms 10 ms
  5   *  *  *
  6   *  *  *
  7   *  *  *
  8   *  *  *
  9   *  *  *
  10  *  *  *
  11  *  *  *
  12  *  *  *
  13  *  *  *
  14  *  *  *
  15  *  *  *
  16  *  *  *
  17  *  *  *
  18  *  *  *
  19  *  *  *
  20  *  *  *
  21  *  *  *
  22  *  *  *
  23  *  *  *
  24  *  *  *
  25  *  *  *
  26  *  *  *
  27  *  *  *
  28  *  *  *
  29  *  *  *
  30  *  *  *

  The tftp command is to specify where the file will be recovered from the tftp server. ASA can act as a TFTP server.

  Are you trying to ping devices in the same subnet as your ASA interface? You can check the settings of firewall device itself where sometimes it is not allow ping inbound, to disable the Firewall setting may solve your problem of ping test. If you try to ping from a network device, such as a switch or a router of the ASA, you might have more luck.