Issue of ASA L2TP VPN error QM WSF
Hello guys
Facing the issue with new support for .do L2tp connection on this you can
L2TP is terminiated on ASA and ASA before there is a router where ASA outside interface is coordinated to the public IP address
Here is the config and the logs.earlier of debugging that she was unknown to the Group and now tunnel is not eslablshitng to my machine via l2tp
ASA 5,0000 Version 59
access-list acl - scope ip allowed any one
acl_outside list extended access permitted ip object-group HQ ABC object-group
acl_outside list extended access permit tcp any host 10.10.20.10 eq 5269
inside_nat0 list extended access permitted ip object-group ABC object-group HQ
inside_nat0 list of allowed ip extended access all 10.1.252.0 255.255.255.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
IP local pool vpngroup 10.1.252.1 - 10.1.252.253 mask 255.255.255.0
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0
NAT (inside) 1 0.0.0.0 0.0.0.0
Crypto ipsec transform-set esp-3des esp-sha-hmac trans
Crypto-map Dynamics dyno 10 transform-set ESP-3DES-MD5-TRANS trans
card crypto 65535-isakmp ipsec vpn Dynamics dyno
vpn outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
Crypto isakmp nat-traversal 3600
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 10.1.16.11 DNS server 10.1.16.13
VPN-idle-timeout no
VPN-session-timeout no
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
by default-field valuexyz.com
Split-dns value xyz.com
enable dhcp Intercept 255.255.0.0
the authentication of the user activation
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
password cisco KCtylQW4545gfddN6mbi93ijmA user name is nt encrypted
attributes username cisco
Protocol-tunnel-VPN l2tp ipsec
type of remote access service
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared key *.
attributes global-tunnel-group DefaultRAGroup
vpngroup address pool
Group Policy - by default-DefaultRAGroup
management of the password password-expire-to-days 30
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
===========================
Debug logs:
EQ-INTFW01 # Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) +.
SELLER (13) of the SELLER (13) of the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) ++ NONE (0) overall length: 38
4
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Oakley proposal is acceptable
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT - Traversal RFC VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT-Traversal worm 02 VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received Fragmentation VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
OUP 2
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA proposal # 1, transform # 5 acceptable entry Matches overall IKE #.
1
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build the payloads of ISAKMP security
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing the payload of NAT-Traversal VID worm RFC
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, construction of Fragmentation VID + load useful functionality
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13)
NONE (0) + SELLER (13) overall length: 124
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10)
NAT - D (20) + NAT - D (20), NONE (0) overall length: 260
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing ISA_KE
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads of Cisco Unity VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing payload V6 VID xauth
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send IOS VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilit)
IES: 20000001)
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating keys for answering machine...
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10) +.
SELLER of the SELLER the SELLER (13) (13) (13) of the SELLER (13) + NAT - D (20) + NAT - D (20) ++ (0) NONE total length: 304
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8) +.
NONE (0) overall length: 64
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, status of automatic NAT detection: remote endpoint IS be
Hind a NAT device this end is behind a NAT device
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload ID
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building dpd vid payload
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, ID (5) + HASH (8) + V
ENDOR (13) + (0) NONE total length: 84
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 1 COMPLETED
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, for this connection Keep-alive type: None
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Keep-alives configured on, but the peer does not support persistent (type = None)
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P1: 21600 seconds.
Apr 04 14:59:36 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000001
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
10.1.100.79, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
85.78.161.254, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its not found old addr
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M
global security association entry IPSec matches # 10
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
01
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 1) with payloads: HDR, HASH (8), HIS (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0x321170a2, SPI = out = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000001)
Apr 04 14:59:36 [IKEv1]: rules of classification IKEQM_Active() Add L2TP: ip <195.229.90.21>mask <0xFFFFFFFF>port<4500>
Apr 04 14:59:38 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000002
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M4500>0xFFFFFFFF>195.229.90.21>
global security association entry IPSec matches # 10
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, the delete unit Active process event generate a new key for outdoors
peer 195.229.90.21.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
02
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 2) with payloads: HDR, HASH (8), SA (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = b0e14739) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Received delete to resultants to reappear homologous IKE: 195,22
9.90.21, reappear addr: cd4874a0, msgid: 0x00000001
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec: ignoring delete for a sentry (rekeyed m
SGID = 1)
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0xc9c523ea, SPI = out = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000002)
Apr 04 14:59:39 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:39 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd51dbb8, mess id 0x3)!
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
DBB8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:41 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:41 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:44 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:44 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:48 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:48 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, encrypted packet received with any HIS correspondent, drop
EQ-INTFW01 # IPSEC: deleted leaving encrypt rule, SPI 0x243066CC
Rule ID: 0xCD487C20
IPSEC: Remove permitted outbound rule, SPI 0x243066CC
Rule ID: 0xCD51D3E8
IPSEC: Circumscribed outgoing VPN, SPI 0x243066CC context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x44001D8E
Rule ID: 0xCD51DC68
IPSEC: Deleted the allowed inbound rule, SPI 0x44001D8E
Rule ID: 0xCD51DE08
IPSEC: Remove workflow rule entrants tunnel, SPI 0x44001D8E
Rule ID: 0xCD51CCF8
IPSEC: Circumscribed incoming VPN, SPI 0x44001D8E context
VPN handle: 0 x 00035734
IPSEC: Deleted leaving encrypt rule, SPI 0x9EF2CA7A
Rule ID: 0xCD3CD1E8
IPSEC: Remove permitted outbound rule, SPI 0x9EF2CA7A
Rule ID: 0xCD51AE20
IPSEC: Removed outbound VPN, SPI 0x9EF2CA7A context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x866D812A
Rule ID: 0xCD487FD0
IPSEC: Deleted the allowed inbound rule, SPI 0x866D812A
Rule ID: 0xCCB3D7D0
IPSEC: Remove workflow rule entrants tunnel, SPI 0x866D812A
Rule ID: 0xCD48B110
IPSEC: Deleted incoming VPN, SPI 0x866D812A context
VPN handle: 0 x 00035734
IPSEC: HIS embryonic new created @ 0xCCB9C1F8.
RCS: 0XCD489170,
Direction: inbound
SPI: 0XADBC899B
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD17B2B8.
RCS: 0XCD4896C8,
Direction: outgoing
SPI: 0XD69313B6
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xD69313B6
IPSEC: Creating outgoing VPN context, SPI 0xD69313B6
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x00000000
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: New rule to permit outgoing, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: Completed the update of IBSA host, SPI 0xADBC899B
IPSEC: Create context incoming VPN, SPI 0xADBC899B
Flags: 0 x 00000226
SA: 0XCCB9C1F8
SPI: 0XADBC899B
MTU: 0 bytes
VCID: 0X00000000
Peer: 0x00037A0C
CBS: 0 X 01088849
Channel: 0xC929B4C0
IPSEC: Completed incoming VPN, SPI 0xADBC899B context
Handle VPN: 0x0003864C
IPSEC: updated outgoing VPN 0x00037A0C, SPI 0xD69313B6 context
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x0003864C
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: Internal filled rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: New entrants flow tunnel, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0xADBC899B
Rule ID: 0xC92B0518
IPSEC: New rule to decrypt incoming, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0xADBC899B
Rule ID: 0xCD3CD1A8
IPSEC: New rule incoming authorization, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0xADBC899B
Rule ID: 0xCD03D6F0
IPSEC: HIS embryonic new created @ 0xCD51AC70.
RCS: 0XCD51ABC0,
Direction: inbound
SPI: 0X89796CE7
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD488538.
RCS: 0XCD488D48,
Direction: outgoing
SPI: 0XEF66E002
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xEF66E002
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: New rule to permit outgoing, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: Completed the update of IBSA host, SPI 0x89796CE7
IPSEC: Completed incoming VPN, SPI 0x89796CE7 context
Handle VPN: 0x0003864C
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: Filled internal SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: New entrants flow tunnel, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0x89796CE7
Rule ID: 0xCD51C6F0
IPSEC: New rule to decrypt incoming, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0x89796CE7
Rule ID: 0xCD487CC8
IPSEC: New rule incoming authorization, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0x89796CE7
Rule ID: 0xCD487E68
EQ-INTFW01 #.
--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local 04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40)
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, encrypted packet received with any HIS correspondent, drop
!
I'm glad that the problem is solved!
Please mark the thread as answered in favour of other members of the community.
Kind regards
Dinesh Moudgil
Tags: Cisco Security
Similar Questions
-
Issue of ASA 5505 VPN licenses
I have three places that I want to connect via vpn site-to-site deployed on three ASA 5505. How is the term 'Peers' in the text of license, affecting my script? Each peer ASA in a solution from site to site, or each transmission of user data in the established tunnel also counted?
Users, passing through the tunnel of site to another are not counted. Only the peers themselves.
-
Microsoft L2TP VPN to ASA 5520
I am trying to configure an L2TP VPN connection on an XP laptop. On the SAA, I use the DefaultRAGroup and the DfltGrpPolicy. I put DefaultRAGroup to use a pre-shared key, and set the authentication of users on ACS_Radius. Our ACS server is associated with AD. Anyone know if I can use ACS to authenticate this user type or do I have to create local accounts on the SAA?
When I try to connect from the laptop, I get error 789. On the ASA, I see this:
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, error QM WSF (P2 struct & 0xcddc7d28, mess id 0x46986b08).
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, peer of withdrawal of correlator table failed, no match!
Group = DefaultRAGroup, username =, IP = 63.xxx.xxx.xxx, disconnected Session. Session type: IKE, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch
On the one hand, it seems that the laptop is not sending the username and password. I've tried a lot of different combos on the side of microsoft MSCHAP and MSCHAPv2, both of them or all of them individually and matched this setting on the SAA. No matter what, I get the same error. Anyone have any ideas?
Yes... I have never trusted guys for the configuration, I got the following errors:
1 L2TP requires a mode of transport must be of the type of IPSEC traffic used, your config seems to refer to the one, yet it is not defined:
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set
Transit mode TRANS_ESP_3DES_SHA<-(needed>-(needed>
2. the present set of transformation is not attached to dynamic cryptography so not used:
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
It should look like:
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
Finally, it is just to clear up, make sure that your server ACS_Radius is indeed enabled for authentication MS-CHAPv2 of ASA and the l2tp client, otherwise it will fail always.
-
Site to Site and together on ASA 5505 VPN remote access
Hello
I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.
After you add the new configuration lines, I received the following message when I debug:
04 Nov 07:06:06 [IKEv1]: group =
, IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0). 04 Nov 07:04:36 [IKEv1]: group =
, IP = , peer of drop table Correlator has failed, no match! Someone knows what's the problem? And what to change in the config?
Thanks in advance,
Ruben
Hello
If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"
Federico.
-
Layman to ASA 5505 vpn of the native vpn client internet, tcp 1723
Hi all
I am setting up this asa for connect users at home to my network using vpn clients from microsoft to the native address with windows xp on the internet.
This asa have, on the outside interface an ip public Internet and inside Board have set up in the network of 192.168.0.x and I want to access this network of internet users using native vpn clients.
I tested with a pc connected directly to the external interface and works well, but when I connect this interface to the internet and tried to connect to the vpn user I can see it in the newspapers and unable to connect with error 800.
Request TCP and eliminated from "public_ip_client/61648" outdoors: publicip_outside_interface / 1723 "
Can help me please?, very thanks in advance!
(running configuration)
: Saved
:
ASA Version 8.4 (3)
!
ciscoasa hostname
activate the password * encrypted
passwd * encrypted
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address publicinternetaddress 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network gatewayono object
Home gatewayofinternetprovideraccess
Description salida gateway ono
service remotointerno object
service destination tcp 3389 eq
Remote description
network pb_clienteing_2 object
host 192.168.0.15
Description Pebble client food bowl 2
service remotoexternopebble object
Service tcp destination eq 5353
Description remotoexterno
network actusmon object
Home 192.168.0.174
Description web news monitor
the Web object service
Service tcp destination eq www
Description 80
irdeto network object
Home 192.168.0.31
Irdeto description
network nmx_mc_p object
host 192.168.0.60
Main description of NMX multichannel
network nmx_mc_r object
Home 192.168.0.61
Description NMX multichannel reserva
network tarsys object
host 192.168.0.10
Tarsys description
network nmx_teuve object
host 192.168.0.30
Nmx cabecera teuve description
tektronix network object
host 192.168.0.20
Tektronix vnc description
vnc service object
destination eq 5900 tcp service
Description access vnc
service exvncnmxmcr object
Service tcp destination EQ. 5757
Access vnc external nmx mc figurative description
service exvncirdeto object
Service tcp destination eq 6531
Description access vnc external irdeto
service exvncnmxmcp object
Service tcp destination eq 5656
service exvnctektronix object
Service tcp destination eq 6565
service exvncnmxteuve object
Service tcp destination eq 6530
ssh service object
tcp destination eq ssh service
service sshtedialexterno object
Service tcp destination eq 5454
puertosabiertos tcp service object-group
Remotedesktop description
EQ port 3389 object
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
the DM_INLINE_NETWORK_1 object-group network
network-object object irdeto
network-object object nmx_mc_p
network-object object nmx_mc_r
network-object object nmx_teuve
tektronix network-object
object-group service udp vpn
EQ port 1723 object
DM_INLINE_TCP_1 tcp service object-group
EQ object of the https port
EQ pptp Port object
the DM_INLINE_NETWORK_2 object-group network
network-object object actusmon
network-object object tarsys
inside_access_in remotointerno permitted object extended access list a whole
inside_access_in list extended access allowed object ssh a whole
inside_access_in list extended access allowed object-group TCPUDP any any eq www
inside_access_in list extended access permit icmp any one
inside_access_in list extended access allowed object vnc a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access allowed object remotointerno any object pb_clienteing_2
outside_access_in list extended access allowed object-group TCPUDP any object actusmon eq www
access-list outside_access_in note Acceso tedial ssh
outside_access_in list extended access permit tcp any object tarsys eq ssh
outside_access_in list extended access allowed object vnc any object-group DM_INLINE_NETWORK_1
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access deny icmp a whole
access-list standard corporate allowed 192.168.0.0 255.255.255.0
Split-Tunnel-ACL access-list allowed standard 192.168.0.0 255.255.255.0
pager lines 24
Enable logging
monitor debug logging
logging of debug asdm
Debugging trace record
Within 1500 MTU
Outside 1500 MTU
IP local pool 192.168.0.100 - 192.168.0.110 mask 255.255.255.0 clientesvpn
IP local pool clientesvpn2 192.168.1.120 - 192.168.1.130 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT (exterior, Interior) static source any service of actusmon of interface static destination Web one-way Web interface
NAT (exterior, Interior) static source to any destination interface interface static tarsys one-way sshtedialexterno ssh service
NAT (exterior, Interior) static source any destination interface interface static one-way pb_clienteing_2 service remotoexternopebble remotointerno
NAT (exterior, Interior) static source any destination interface interface static irdeto one-way exvncirdeto vnc service
NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxmcp service nmx_mc_p
NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxmcr service nmx_mc_r
NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxteuve service nmx_teuve
NAT (exterior, Interior) static source any destination interface interface static tektronix one-way exvnctektronix vnc service
NAT (all, outside) interface dynamic source DM_INLINE_NETWORK_2
inside_access_in access to the interface inside group
Access-group outside_access_in in interface out by-user-override
Route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
EOU allow none
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
No vpn sysopt connection permit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 clientewindowsxp
IKEv1 crypto ipsec transform-set clientewindowsxp transport mode
Crypto ipsec transform-set ikev1 L2TP-IKE1-Transform-Set esp - aes esp-sha-hmac
Crypto ipsec ikev1 transit mode L2TP-IKE1-Transform-Set transform-set
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set clientewindowsxp ikev1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1jeu ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Crypto-map dynamic L2TP - map 10 set transform-set L2TP-IKE1-Transform-Set ikev1
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Crypto map L2TP - VPN - dynamic 20-isakmp ipsec L2TP-map map
L2TP-VPN-card interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
trustpoint to ikev2 crypto Ingeniería remote access
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet 192.168.0.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd dns 8.8.8.8
dhcpd outside auto_config
!
dhcpd address 192.168.0.5 - 192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd allow inside
!
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
SSL-trust Ingeniería out point
WebVPN
tunnel-group-list activate
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
WINS server no
Server 192.168.0.1 DNS value
Protocol-tunnel-VPN l2tp ipsec
by default no
attributes of Group Policy DfltGrpPolicy
value of server DNS 8.8.8.8
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
internal engineering group policy
attributes of Ingeniería group policy
Protocol-tunnel-VPN l2tp ipsec
by default no
L2TP-policy group policy interns
attributes of L2TP-policy-group policy
value of server DNS 8.8.8.8
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value Split-Tunnel-ACL
Intercept-dhcp enable
username, password Ingeniería 4fD/5xY/6BwlkjGqMZbnKw is encrypted nt privilege 0
Ingeniería username attributes
VPN-group-policy Ingeniería
password rjuve SjBNOLNgSkUi5KWk/TUsTQ user name is nt encrypted
attributes global-tunnel-group DefaultRAGroup
address clientesvpn pool
address clientesvpn2 pool
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
Group Policy - by default-L2TP-policy
authorization required
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
!
class-map inspection_default
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
!
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end
don't allow no asdm history
I ramon I guess that service policy is not applied in the firewall. So it does not not trust other than the same audience segment.
Apply like this.
global_policy global service policy.
because according to the configs old, I see that the policy has not been applied. Please let me know the results.
Please rate if the given info can help.
-
Problem with ASA 5505 VPN remote access
After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?
Here is the cfg running of the ASA
----------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4 (1)
!
hostname NCHCO
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxx encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
network of the NCHCO object
Subnet 192.168.2.0 255.255.255.0
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
network object obj - 192.168.2.64
subnet 192.168.2.64 255.255.255.224
network object obj - 0.0.0.0
subnet 0.0.0.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the Web server object network
the FINX object network
Home 192.168.2.11
rdp service object
source between 1-65535 destination eq 3389 tcp service
Rdp description
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0
inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224
outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
LAN_Access list standard access allowed 192.168.2.0 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
outside_access_in list extended access permit tcp any object FINX eq 3389
outside_access_in_1 list extended access allowed object rdp any object FINX
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0
NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64
NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the FINX object network
NAT (inside, outside) interface static service tcp 3389 3389
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http *. **. ***. 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform
IKEv1 crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHCO group policy
NCHCO group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1
value by default-field NCHCO.local
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username NCHvpn99 password dhn. JzttvRmMbHsP encrypted
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
IKEv1 pre-shared-key *.
type tunnel-group NCHCO remote access
attributes global-tunnel-group NCHCO
address pool VPN_Pool
Group Policy - by default-NCHCO
IPSec-attributes tunnel-group NCHCO
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
ASDM image disk0: / asdm - 649.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
---------------------------------------------------------------------------------------------------------------
And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:
---------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7601 Service Pack 1
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026
Try to find a certificate using hash Serial.
2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027
Found a certificate using hash Serial.
3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011
RELOADED successfully certificates in all certificate stores.
4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002
Start the login process
5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is NOT behind a NAT device
21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F
SPLIT_NET #1
= 192.168.2.0 subnet
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local
46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710
47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11
49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now
57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">
59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify is set to 28800 seconds
60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***
61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059
IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)
62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025
OUTGOING ESP SPI support: 0xAAAF4C1C
63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026
Charges INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001
Launch VAInst64 for controlling IPSec virtual card
66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034
The virtual card has been activated:
IP=192.168.2.70/255.255.255.0
DNS = 192.168.2.1, 8.8.8.8
WINS = 0.0.0.0 0.0.0.0
Domain = NCHCO.local
Split = DNS names
67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038
Were saved successfully road to file changes.
69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036
The routing table has been updated for the virtual card
71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A
A secure connection established
72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001
Did not find the smart card to watch for removal
75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0x1c4cafaa in the list of keys
78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0xc5bfbe3e in the list of keys
80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F
Assigned WILL interface private addr 192.168.2.70
81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037
Configure the public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046
Define indicator tunnel set up in the registry to 1.
83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205276
85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276
88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019
Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205277
91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277
94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205278
96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278
---------------------------------------------------------------------------------------------------------------
Any help would be appreciated, thanks!
try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.
-
Cisco ASA 5510 VPN Site to Site with Sonicwall
I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA
Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you
Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall
NAT (inside) 0 access-list sheep
..
IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0
access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0
..
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set counterpart x.x.x.x
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
..
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
..
internal SiteToSitePolicy group strategy
attributes of Group Policy SiteToSitePolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
Split-tunnel-network-list no
..
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x General attributes
Group Policy - by default-SiteToSitePolicy
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
..
Added some excerpts from the configuration file
Hello Manjitriat,
Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.
Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.
Now the packet tracer must be something like this:
entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80
Please provide us with the result of the following instructions after you run the packet tracer.
See the crypto Isakamp SA
See the crypto Ipsec SA
Kind regards
Julio
-
Cannot open an L2TP VPN tunnel behind a router 806.
This is the scenario:
My ISP provider provides pppoE.
When I connect a PC directly to the ADSL modem, I can open my L2TP VPN and VPN works fine and I am able to navigate.
When I connect the PC behind 806, I get a private pool in 806 IP and I am able to navigate, but PC, I open my VPN L2TP software utility (same as before) and cannot open the VPN.
Could you please tell me what config I shoul put in router to open the tunnel of 806 instead of op VPN software utility? The difference is that now 806 global IP gets rather od PC.
So I know now tunnel should be open from the router, but I Don t know what I have lines shlould Add.
Help, please!
I thinkl you want is VPN passthrough, the answer to that is the version of the IOS, I think IOS version 12.2 and allows VPN Passthru especially. There is no other configuration required just to 12.2 or above
-
Disable ipsec for l2tp vpn connection?
Hello
How can I disable ipsec for l2tp vpn connection? I use a linux vpn that offers only l2tp. I remember doing this with winxp in regedit.
[HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RasMan/settings] "ProhibitIpSec" = DWORD: 00000001
How is it possible in win7?
Thank you.
Thank you for visiting the Microsoft answers community site. The question you have posted is related to Linux and would be better suited to the community network. Please visit the link below to find a community that will provide the support you want.
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads
-
ASA 5505 VPN sessions maximum 25?
Hello friend´s
The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:
Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?
Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?
I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?
Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.
Kind regards!
Hi Alex,
The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.
To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.
Find the official documentation for the ASA5505 on the following link:
Rate if helps.
-Randy-
-
Hello
I would like to configure the ASA for vpn only. By default, ASA allows traffic from the interface of high security to low security interface. I want to stop it. Is it possible to do without resorting to access lists.
Thank you
John
Define interfaces for the same level of security and make sure that you do not have same-security-traffic permits inter-interface enabled.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807fc191.shtml
Hope that helps.
-
DHCP relay for users (ASA) SSL VPN
I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:
dhcprelay Server 10.100.2.101 on the inside
dhcprelay activate vpn
dhcprelay setroute vpn
and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.
You try to assign the IP address to the SSL vpn client using the DHCP server?
If so, you don't need these commands contained in your message.
Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.
Here is an example of Ipsec client. Setup must be the same.
-
VPN with ASA 5500 VPN with PIX 515E vs
I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.
Craig
According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.
On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.
HTH
Rick
-
Community support,
I want to run this question by you guys to avoid the sales of our partner CISCO and similar pitch more to the best solution that would give us what we want.
We currently have a VPN from CISCO 3020 hub to terminate the Lan-to-Lan tunnels and have our mobile workers to connect through the client VPN CISCO (300 users-employees and contractors).
Given that this device is coming to an end of LIFE this year, we bought a CISCO 5520 (here is the current licenses in this topic)
Licensing seems quite complicated, so here's my question:
-What VPN do you recommend for our users and entrepreneurs? I understand that the CISCO VPN client does not work with ASA 5500 Series devices
Is there a license needed to deploy a VPN solution for our remote users(employees/contractors)?
Thank you
John
The devices allowed for this platform:
The maximum physical Interfaces: unlimited perpetual
VLAN maximum: 150 perpetual
Guests of the Interior: perpetual unlimited
Failover: Active/active perpetual
VPN - A: enabled perpetual
VPN-3DES-AES: activated perpetual
Security contexts: 2 perpetual
GTP/GPRS: Disabled perpetual
AnyConnect Premium peers: 2 perpetual
AnyConnect Essentials: Disabled perpetual
Counterparts in other VPNS: 750 perpetual
Total VPN counterparts: 750 perpetual
Shared license: disabled perpetual
AnyConnect for Mobile: disabled perpetual
AnyConnect Cisco VPN phone: disabled perpetual
Assessment of Advanced endpoint: disabled perpetual
Proxy UC phone sessions: 2 perpetual
Proxy total UC sessions: 2 perpetual
Botnet traffic filter: disabled perpetual
Intercompany Media Engine: Disabled perpetualThis platform includes an ASA 5520 VPN Plus license.
Your understanding that the Cisco VPN client does not work with ASA is wrong. Maybe it's the version of Cisco VPN client that you use currently does not work with ASA. But these (and so not very new indeed) versions of VPN client work with the ASA. I installed for several clients who use the traditional IPSec VPN client with ASA ASAs and they work well.
You are right that the granting of licenses for the SAA is complicated. Your tunnels IPSec VPN site-to-site will work on the SAA and pose much challenge in terms of licenses. But there are problems and alternative solutions to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a Hugh difference between them. It is not special license that applies to the traditional IPSec client and they are just against your license for peers Total VPN (for which you have 750 in your license). For the AnyConect there is a condition of licence. There is a premium for AnyConnect license and there are licensed AnyConnect Essentials. The Essentials license price is much lower than the premium license, but Essentials does not all the features that made the premium.
In the immediate future, that it would sound like an easy question to answer, use the traditional IPSec VPN client for which theere is not a special permit and it is what you are used to. However Cisco has announced the dates of end of sale and end of Support for the traditional VPN client. If at some point you will need to use the AnyConnect client. I would say that if you make the change of the ASA that it might be a good choice to also adopt the AnyConnect client.
HTH
Rick
-
ASA 5520 - VPN users have no internet.
Hello
We just migrated a Pix 515 and an ASA 5520 VPN concentrator. The firewall part works fine, but we have some problem with our remote VPN.
Everything inside network is accessible when you use VPN remote but there is no access to our perimeter network or the internet. I don't know there's only something simple you need that I'm missing, and hoping someone can shed some light on what is needed to allow the VPN tunnel back outdoors and in our DMZ.
The ASA is running 8.2 (2) 9 and ASDM 6.2 (1).
See you soon,.
Rob
From the 172.16.68.0/24 you can PING 10.10.10.1 correct?
The 10.10.10.0/24 you can PING 172.16.68.1 correct?
I'm having a hard time find now how this tunnel is up since you have PFS
activated on the SAA, but not on the PIX.Federico.
Maybe you are looking for
-
Share albums not updated on all devices
Using MacBook Air with OS X Yosemite version 10.10.5 & iPhone 6s. Have several photo albums shared on iCloud, created using Photos on the laptop. Recently, photos added by me on my laptop do not appear in the album shared on this same device, but d
-
Write the table of data (with a fixed size)
Hi fellow users of LabView,. My problem is very basic, I'm sorry about that, I'm just a beginner I get continuous data of a function and I want to write them in a table with a fixed size. The fixed size is because I want to get the max/min of the lat
-
amclient... error XML damaged when installing BufferZone Pro
I install BufferZone Pro and get this message settings in file amclient.xml is corrupt BufferZone is trying to load the default settings. How can I solve this problem?
-
get an error when the computer shuts down say reinstall Extender player. ? What is it. Thank you
-
broadbandToGo I bought a Virgin broadbandtogo stick and installed on my computer... When I go to connect, he displays an error and says impossible to update files in directory... I can get online with wifi but not the stick... Y at - it an update I h