ASA issue
I have users that connect to the ASA via the Cisco VPN client. They log in but can't access anything on the network. They cannot ping any devices or the gateway to get out. I have other users who do not see this problem. They all run the same version of the client, so I made sure that it wasn't a problem with an older client. The system is configured to hand out just 5 different IPs at the moment, as the user pool is really small since we are still in test mode. Any details on this issue would be helpful. Let me know if I did not explain the question very well.
Mark Gibson
ISAKMP NAT traversal.
Some people are probably connecting from behind a PAT device and some people aren't.
Tags: Cisco Security
Similar Questions
ASA L2TP VPN issue: QM FSM error
Hello guys
Facing an issue with a new L2TP connection setup; can you help with this?
L2TP is terminated on the ASA, and in front of the ASA there is a router where the ASA outside interface is NATed to the public IP address.
Here is the config and the debug logs. Earlier the debugs showed that the group was unknown; now the tunnel is not establishing to my machine via L2TP.
ASA 5,0000 Version 59
access-list acl_outside extended permit ip any any
access-list acl_outside extended permit ip object-group HQ object-group ABC
access-list acl_outside extended permit tcp any host 10.10.20.10 eq 5269
access-list inside_nat0 extended permit ip object-group ABC object-group HQ
access-list inside_nat0 extended permit ip any 10.1.252.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
ip local pool vpngroup 10.1.252.1-10.1.252.253 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto dynamic-map dyno 10 set transform-set ESP-3DES-MD5-TRANS trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 3600
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.1.16.11 10.1.16.13
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xyz.com
 split-dns value xyz.com
 intercept-dhcp 255.255.0.0 enable
 user-authentication enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username cisco password KCtylQW4545gfddN6mbi93ijmA nt-encrypted
username cisco attributes
 vpn-tunnel-protocol l2tp-ipsec
 service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool vpngroup
 default-group-policy DefaultRAGroup
 password-management password-expire-in-days 30
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
===========================
Debug logs:
EQ-INTFW01# Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing SA payload
Apr 04 14:59:36 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 04 14:59:36 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Oakley proposal is acceptable
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Received NAT-Traversal RFC VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Received NAT-Traversal ver 02 VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Received Fragmentation VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing IKE SA payload
Apr 04 14:59:36 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 04 14:59:36 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing ISAKMP SA payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing NAT-Traversal VID ver RFC payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing Fragmentation VID + extended capabilities payload
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing ISA_KE payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing NAT-Discovery payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, computing NAT Discovery hash
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing NAT-Discovery payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, computing NAT Discovery hash
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing Cisco Unity VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing xauth V6 VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send IOS VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing VID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing NAT-Discovery payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, computing NAT Discovery hash
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing NAT-Discovery payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, computing NAT Discovery hash
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating keys for Responder...
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:36 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Computing hash for ISAKMP
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end IS behind a NAT device
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing ID payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Computing hash for ISAKMP
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing dpd vid payload
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 1 COMPLETED
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Keep-alive type for this connection: None
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Keep-alives configured on but peer does not support keep-alives (type = None)
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Starting P1 rekey timer: 21600 seconds.
Apr 04 14:59:36 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000001
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:36 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 10.1.100.79, Protocol 17, Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:36 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 185.78.161.254, Protocol 17, Port 1701
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed old sa not found by addr
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Static Crypto Map check, map dyno, seq = 10 is a successful match
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Remote Peer configured for crypto map: dyno
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing IPSec SA payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA Proposal # 2, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: requesting SPI!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI from key engine: SPI = 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, oakley constucting quick mode
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing blank hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing IPSec SA payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing IPSec nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing proxy ID
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Transmitting Proxy Id:
  Remote host: 195.229.90.21  Protocol 17  Port 0
  Local host:  10.10.20.2  Protocol 17  Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing NAT Original Address payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing NAT Original Address payload
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Sending NAT-Traversal NAT Original Address payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing qm hash payload
Apr 04 14:59:36 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: msg id = 00000001
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 184
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC SAs
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating Quick Mode Key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule look up for crypto map dyno 10 matching ACL Unknown: returned cs_id=ccf1ac00; rule=00000000
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating Quick Mode Key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule look up for crypto map dyno 10 matching ACL Unknown: returned cs_id=ccf1ac00; rule=00000000
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Security negotiation complete for User ()  Responder, Inbound SPI = 0x321170a2, Outbound SPI = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a KEY_ADD msg for SA: SPI = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Pitcher: received KEY_UPDATE, spi 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Starting P2 rekey timer: 3060 seconds.
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid=00000001)
Apr 04 14:59:36 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <195.229.90.21> mask <0xFFFFFFFF> port <4500>
Apr 04 14:59:38 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000002
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Static Crypto Map check, map dyno, seq = 10 is a successful match
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Remote Peer configured for crypto map: dyno
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing IPSec SA payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA Proposal # 2, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: requesting SPI!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a rekey event for remote peer 195.229.90.21.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI from key engine: SPI = 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, oakley constucting quick mode
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing blank hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing IPSec SA payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing IPSec nonce payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing proxy ID
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Transmitting Proxy Id:
  Remote host: 195.229.90.21  Protocol 17  Port 0
  Local host:  10.10.20.2  Protocol 17  Port 1701
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing NAT Original Address payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing NAT Original Address payload
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Sending NAT-Traversal NAT Original Address payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing qm hash payload
Apr 04 14:59:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: msg id = 00000002
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SENDING Message (msgid=2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 184
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=2) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=b0e14739) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing delete
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Received delete for rekeyed centry IKE peer: 195.229.90.21, centry addr: cd4874a0, msgid: 0x00000001
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec: ignoring delete for a centry (rekeyed msgid = 1)
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC SAs
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating Quick Mode Key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule look up for crypto map dyno 10 matching ACL Unknown: returned cs_id=ccf1ac00; rule=00000000
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating Quick Mode Key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule look up for crypto map dyno 10 matching ACL Unknown: returned cs_id=ccf1ac00; rule=00000000
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Security negotiation complete for User ()  Responder, Inbound SPI = 0xc9c523ea, Outbound SPI = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a KEY_ADD msg for SA: SPI = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Pitcher: received KEY_UPDATE, spi 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Starting P2 rekey timer: 3060 seconds.
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid=00000002)
Apr 04 14:59:39 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000003
Apr 04 14:59:39 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:39 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:39 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already been rekeyed
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM FSM error (P2 struct &0xcd51dbb8, mess id 0x3)!
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE QM Responder FSM error history (struct &0xcd51dbb8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending delete/delete with reason message
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Removing peer from correlator table failed, no match!
Apr 04 14:59:41 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000003
Apr 04 14:59:41 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:41 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:41 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already been rekeyed
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM FSM error (P2 struct &0xcd5159c8, mess id 0x3)!
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE QM Responder FSM error history (struct &0xcd5159c8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending delete/delete with reason message
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Removing peer from correlator table failed, no match!
Apr 04 14:59:44 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000003
Apr 04 14:59:44 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:44 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:44 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already been rekeyed
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM FSM error (P2 struct &0xcd5159c8, mess id 0x3)!
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE QM Responder FSM error history (struct &0xcd5159c8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending delete/delete with reason message
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Removing peer from correlator table failed, no match!
Apr 04 14:59:48 [IKEv1 DECODE]: IP = 195.229.90.21, IKE Responder starting QM: msg id = 00000003
Apr 04 14:59:48 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing SA payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing nonce payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:48 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 10.1.100.79
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received remote Proxy Host data in ID Payload:  Address 195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing ID payload
Apr 04 14:59:48 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR ID received 185.78.161.254
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Received local Proxy Host data in ID Payload:  Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec session detected.
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing NAT Original Address payload
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already been rekeyed
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM FSM error (P2 struct &0xcd5159c8, mess id 0x3)!
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE QM Responder FSM error history (struct &0xcd5159c8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending delete/delete with reason message
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Removing peer from correlator table failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
Apr 04 15:00:11 [IKEv1]: IP = 195.229.90.21, Received encrypted packet with no matching SA, dropping!
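The IKEv1 debug above is easier to reason about once it is reduced, per peer, to the Phase 2 facts that matter: which proxy identities were proposed, whether NAT-OA payloads appeared (the client sits behind NAT), and how many Quick Mode FSM errors occurred before the teardown. The Python triage script below is an added example and not part of the thread; its sample lines are constructed in the posted message format with a documentation-range peer address, and the names `triage`, `verdict` and `PeerSummary` are chosen here.

```python
"""Reduce a Cisco ASA 'debug crypto isakmp' capture to per-peer Phase 2 facts."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the posted debug (not the real capture);
# 198.51.100.21 is a documentation-range address standing in for the peer.
SAMPLE_LOG = """\
Apr 04 14:59:48 [IKEv1]: IP = 198.51.100.21, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 198.51.100.21, processing hash payload
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, Received remote Proxy Host data in ID Payload: Address 198.51.100.21, Protocol 17, Port 0
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, Received local Proxy Host data in ID Payload: Address 10.10.20.2, Protocol 17, Port 1701
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, L2TP/IPSec session detected.
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, QM FSM error (P2 struct &0xcd5159c8, mess id 0x3)!
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, QM FSM error (P2 struct &0xcd515f40, mess id 0x3)!
Apr 04 15:00:08 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x321170a2
Apr 04 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 198.51.100.21, Session is being torn down. Reason: User Requested
"""

PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
PAYLOADS_RE = re.compile(r"with payloads : (.+?) total length")
PROXY_RE = re.compile(
    r"Received (remote|local) Proxy Host data in ID Payload: "
    r"Address (\S+), Protocol (\d+), Port (\d+)")
TEARDOWN_RE = re.compile(r"Session is being torn down\. Reason: (.+)$")


@dataclass
class PeerSummary:
    payload_sets: list = field(default_factory=list)  # payload lists of RECEIVED messages
    proxies: dict = field(default_factory=dict)        # 'remote'/'local' -> (addr, proto, port)
    l2tp: bool = False                                 # ASA flagged an L2TP/IPsec session
    nat_oa: bool = False                               # NAT-OA payload seen => peer behind NAT
    qm_fsm_errors: int = 0                             # Quick Mode state-machine failures
    teardown_reasons: list = field(default_factory=list)


def triage(log_text: str) -> dict:
    """Group debug lines by peer IP and extract the Phase 2 facts from each."""
    peers: dict = {}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue  # lines with no peer (e.g. 'pitcher:' key-delete lines) are skipped
        s = peers.setdefault(m.group(1), PeerSummary())
        pm = PAYLOADS_RE.search(line)
        if pm:
            payloads = [p.strip() for p in pm.group(1).split("+")]
            s.payload_sets.append(payloads)
            if any(p.startswith("NAT-OA") for p in payloads):
                s.nat_oa = True
        xm = PROXY_RE.search(line)
        if xm:
            side, addr, proto, port = xm.groups()
            s.proxies[side] = (addr, int(proto), int(port))
        if "L2TP/IPSec session detected" in line:
            s.l2tp = True
        if "QM FSM error" in line:
            s.qm_fsm_errors += 1
        tm = TEARDOWN_RE.search(line)
        if tm:
            s.teardown_reasons.append(tm.group(1).strip())
    return peers


def verdict(s: PeerSummary) -> str:
    """One-line reading of a peer summary in the terms used in the thread."""
    if s.qm_fsm_errors == 0:
        return "phase 2 completed without FSM errors"
    parts = [f"{s.qm_fsm_errors} Quick Mode FSM error(s)"]
    local = s.proxies.get("local")
    if s.l2tp and local and local[1] == 17 and local[2] == 1701:
        parts.append("L2TP/IPsec proxy IDs (UDP/1701) proposed")
    if s.nat_oa:
        parts.append("peer is behind NAT (NAT-OA present): confirm NAT-T is enabled")
    return "; ".join(parts)


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, "->", verdict(summary))
```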
I'm glad that the problem is solved!
Please mark the thread as answered for the benefit of other community members.
Kind regards,
Dinesh Moudgil
-
Issue of ASA 5505 VPN licenses
I have three sites that I want to connect via site-to-site VPN, deployed on three ASA 5505s. How does the term 'Peers' in the license text affect my scenario? Is each peer ASA in a site-to-site solution counted, or is each user data transmission through the established tunnel counted as well?
Users passing through the site-to-site tunnel are not counted. Only the peers themselves.
-
Issue of ASA vpn site to site isakmp
Hello
I have been asked to configure a new site-to-site VPN on an ASA. For that VPN, should I put:
crypto isakmp identity address
crypto isakmp enable outside
My current crypto isakmp identity configuration is auto, and crypto isakmp is not enabled on any interface. I have VPNs with IKE enabled on the outside interface. My question is: why should I enable isakmp on the outside interface, and above all, can it disturb the IKE VPNs that are already in place?
Moreover, neither the group-policy nor the tunnel-group that I was asked to set up has any mention of IKE. I have never seen this kind of VPN configuration before; something new.
Thank you
Hi, Giuseppe.
The command crypto isakmp enable outside has changed to crypto ikev1 enable outside in the newer ASA versions, and you do not need to enable it.
There is also no need to configure crypto isakmp identity address, since it is set to auto.
This command indicates that the tunnel will be negotiated on the basis of the IP address, but since it is set to auto it will do this on its own, so you do not need to specify the command.
Yes, you can create a new group policy and tunnel group for this new tunnel, and there should be no impact on the other working tunnels.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Dear all,
I have deployed an ASA 5510 in my network.
I configured 3 interfaces: DMZ, inside and outside.
From the ASA, I can access the inside, the DMZ and the outside (Internet).
Inside users can communicate with the servers in the DMZ.
Inside users go to the Internet via the outside interface.
DMZ servers can go to the Internet via the outside interface.
The DMZ servers cannot ping the inside network.
I've been using IPsec VPN on my router;
clients connect to the router using the Cisco VPN Client software.
NOW, when I introduced the ASA into the network, VPN clients are unable to communicate with the servers in the DMZ.
security level 0 for outside
DMZ 50
100 for the inside
NAT is disabled with the no nat-control command.
Do I need to turn NAT ON, and must some ACL be put in place...
Please advise me which ACL I should implement, on which interface and in which direction.
Which NAT statement should I include?
I want to access my network via VPN...
Help, please
Kind regards
Junaid
ICMP pings are not stateful. The firewall needs special treatment to dynamically allow the ping replies back in; this is done through "ICMP inspection". ICMP inspection is disabled by default. You can activate the inspection or use an ACL to allow ICMP traffic. Here is a useful link:
Please rate if useful.
Regards
Farrukh
-
I'm having a problem on a new ASA. I am able to connect to the client's network using the Cisco VPN client, but I'm not able to ping or access anything on the client network. What needs to be done to solve this problem?
Is there a route on the client's router pointing back to the firewall for the IP range you get when you VPN in?
Thank you
Chris
Try adding this to the ASA... it is disabled by default:
ISAKMP nat-traversal
-
Hello
I have a question about NAT and routing on the ASA. I'm relatively new to the ASA and don't know if this works or not. I have a pool of public IPs (209.x.x.x/28) that my ISP routes to the outside interface of my ASA. The IP address assigned to the outside of the ASA is 206.x.x.2/24 with a default GW of 206.x.x.1. I intend to use NAT to let my web/mail servers on the DMZ (192.168.x.x) use 209.x.x.x addresses. However, I don't know how to make this work, since I'm not ARPing on any interface for the 209.x.x.x addresses; they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a NAT translation (on the outside interface?) from the 209.x.x.x addresses to the 192.168.x.x addresses and the ASA will figure it out?
Thanks for the help.
Todd
The ASA will figure it out; it will answer ARP queries for everything it has set up in a "static" command. As long as the ISP routes 209.x.x.x directly to the ASA address, it should all work fine.
You just need to add lines like the following:
static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255
for each of your internal servers in the DMZ. Then an access-list to allow only HTTP/SMTP/etc. through to these 209.x.x.x addresses:
access-list inbound permit tcp any host 209.x.x.x eq smtp
access-list inbound permit tcp any host 209.y.y.y eq http
access-group inbound in interface outside
-
AnyConnect version issue on ASA - keeps trying to downgrade
I am trying to test, and then update, our corporate AnyConnect client from version 2.4.0202 to version 2.5.2019. My current production clients use 2.4.0202 and everything works as expected. I have a test machine on which I installed 2.5.2019 (with SBL/GINA, if that matters). I uploaded the 2.5.2019 pkg to my ASA but left it as a lower-priority image so as not to update the production clients.
Now, whenever I try to connect using my 2.5 test client, it tries to downgrade me back to 2.4. Surely there must be a way to test multiple versions of the AnyConnect client. They can't expect me to just push the new client directly into production. Any help?
Other information that might be relevant:
AnyConnect using SSL
ASA version 8.0 (4)
ASDM version 6.1 (5)
Thanks in advance!
I think I had the same problem. On the machine that you installed 2.5 on, make sure that there is a
VPNManifest.dat file in C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client. I found that when this was completely missing, it tried to downgrade. I think you can copy the VPNManifest.dat from any machine that had 2.4 installed, but one with 2.5 is better. I don't know why it doesn't get created in all cases.
-
Issue of ASA 5540 and secure desktop Configuration
Hey guys, I have set up and tested AnyConnect VPN and Cisco Secure Desktop successfully.
Here's my question: is it possible to set up two groups of VPN users, one using Secure Desktop and one not? Example groups below:
Group 1: Corporate laptops that are not standard AnyConnect VPN Secure Desktop clients.
Group 2: Contractor and personal computers that cannot use Cisco Secure Desktop via AnyConnect VPN.
Thanks for you help guys!
It is now possible as of 8.2.1. You can disable CSD on a per-connection-profile basis, provided you use Group URL.
-
Hello.
I have a question about a connection between an asa5505-sec-bun-k9 (which acts as Easy VPN client) and an Easy VPN server.
The connection to the Easy VPN server is OK, but I can't connect to the Internet or create VPN connections to my ASA5505 when I have activated the feature.
Is this normal behaviour with the Easy VPN client active?
Cool
Please rate if useful.
-
Routing issue of Cisco VPN Client ASA
Hi, I use a Barracuda NG as firewall and I would like to use a Cisco ASA 5505 for VPN client connections. But I have the problem that I can't get a connection from the VPN-connected PC to the internal network. I can, however, reach the VPN-connected PC from the inside. Here is a diagram of my network:
Here is the IP configuration and the routing table of the Barracuda firewall:
I have a route on the Barracuda NG to the 10.10.10.0/24 VPN client network via eth0.
From the 192.168.1.0/24 LAN I can ping the client with VPN client address 10.10.10.11, as it should be. But I can't ping or access network resources in the local network from the AnyConnect client's PC that is connected through the VPN.
Here is the config Cisco ASA:
: Saved
:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)
!
hostname leela
names
ip local pool VPN-Pool 10.10.10.10-10.10.10.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.0.250 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN-Pool
 subnet 10.10.10.0 255.255.255.0
 description VPN-Pool
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object VPN-Pool any
access-list dmz_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group global_access global
route dmz 0.0.0.0 0.0.0.0 172.16.0.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LDAP_SRV_GRP LOCAL
aaa authentication http console LDAP_SRV_GRP LOCAL
aaa authentication ssh console LDAP_SRV_GRP LOCAL
aaa authentication serial console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
snmp-server location Vienna
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=leela
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.254-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server 192.168.1.10 source inside
ssl trust-point ASDM_TrustPoint0 dmz
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable dmz
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 4
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 default-domain value
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.1.10
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
group-policy portal internal
group-policy portal attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
username
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP_SRV_GRP
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy portal
tunnel-group Portal webvpn-attributes
 group-alias portal enable
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
no asdm history enable
Can someone please help me solve this problem?
When I tried to troubleshoot this, which interface should I choose in Packet Tracer?
The inside interface or the DMZ interface? With inside, it says it will not work with the DMZ, but the error did not help me.
Does anyone here know why it does not work?
Hello
The inside LAN is directly connected to the firewall, right? For the VPN, then, I don't think you need to have the tunneled route... can you try to remove the tunneled route and check.
The static route entry to reach 10.10.10.11, as displayed, is correct...
The tunneled route also comes with an administrative distance of 255. I've never used that in my scenarios... let's see...
Regards
Knockaert
-
8.4 ASA using NAT VPN issue.
Hello
I'm working on a customer site and they have a problem with one of their VPNs (we have others that work well), but it is a major issue and I think it's because we use manual NAT and object NAT on the same server for different things.
Traffic between inside and outside:
It works with a specific manual NAT rule with the 10.10.10.10 server object as source
Inside
SRC -> DST
10.10.10.10 -> 1.1.2.10 | 1.1.1.10 -> 1.1.2.10 (SNAT)
= VPN = -> 1.1.2.10 1.1.1.10 | 1.1.1.10 -> 1.1.2.10 <3rd party fw>
It works with a specific object NAT on the 10.10.10.10 server object
Remote
SRC -> DST
1.1.1.10 -> 1.1.2.10 | 1.1.1.10 -> 1.1.2.10 <3rd party fw> = VPN = -> 1.1.2.10 1.1.1.10
1.1.1.10 -> DNAT 10.10.10.10
If we have both the manual NAT and the object NAT, it does not work anyway.
So the question is (as I am new to ASA code 8.3): should we not mix the 2 types of NAT, and look at configuring it all with either manual NAT or object NAT?
With the object NAT taken out it does not work, as it is caught by the catch-all inside-to-outside NAT:
nat (inside,outside) source dynamic any interface (this NATs to 1.1.1.1, which then does not match the crypto map for the VPN)
and I tried a no-NAT above that, but that does not work either.
Clutching at straws comes to mind; I will try configuring a different config. Any pointers in the right direction would be great.
Kind regards
Z
Hello
I'm not sure I understand the setup even with the explanation. Every NAT configuration I have done for VPN used Section 1 Manual/Twice NAT.
You have configured the default PAT rule as a Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual/Twice NAT
- Section 2: Object NAT
- Section 3: Manual/Twice NAT (moved to Section 3 with the "after-auto" setting)
- The Sections are gone through from 1 to 2 to 3 in order to find a match.
You should also notice that Section 1 and Section 3 NAT have "line numbers", similar to the ACL parameter type. So if you have an existing default PAT rule configured in Section 1 and just add another Section 1 NAT rule without a line/order number (VPN NAT), then it will just fall under the existing rule, making the new rule useless.
I would advise against using the default PAT rule as a Section 1 NAT rule. Ultimately, this means that you have to constantly watch and edit its configuration when you try to configure more specific rules.
As a general rule, the above default PAT configured in Section 3 would be the following
nat (inside,outside) after-auto source dynamic any interface
This would mean that you need to remove the old one. Naturally, that change would temporarily tear down all the current connections between "inside" and "outside" while you change the NAT rule format.
If after this you configure a Twice NAT for the VPN (without the "after-auto" setting), it will be a Section 1 rule while the default PAT will be in Section 3. Of course, Section 1 will be matched first.
I'm not quite sure I have understood your setup from the above.
Are you only doing source NAT?
I guess the configuration you do is something like this?
object network LAN-REAL
 subnet 10.10.10.0 255.255.255.0
object network LAN-MAPPED
 subnet 1.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 1.1.2.0 255.255.255.0
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN
If the 1.1.1.0/24 network is supposed to be the one directly connected to your "outside" interface, the format may need to be something else.
-Jouni
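To make the section ordering in the reply above concrete, here is an added Python model (not Cisco code, and not part of this thread) of the ASA 8.3+ NAT lookup: the rule names, addresses and the two rule sets are constructed for illustration, and the model deliberately ignores interface pairs, proxy ARP and route lookup.

```python
"""Model of the ASA 8.3+ NAT lookup: Section 1 -> 2 -> 3, first match wins.

Constructed illustration for the thread above; it is NOT Cisco code and it
ignores interface pairs, proxy ARP and route lookup that the real ASA applies.
"""
import ipaddress
from dataclasses import dataclass


def _in(ip: str, net: str) -> bool:
    """True when ip falls inside net ("any" matches everything)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass
class NatRule:
    section: int   # 1 = manual/twice NAT, 2 = object NAT, 3 = manual NAT after-auto
    line: int      # order within the section (the "line number" Jouni mentions)
    src: str       # real source network, e.g. "10.10.10.0/24", or "any"
    dst: str       # real destination network, or "any" for a source-only rule
    action: str    # constructed label for the translation this rule performs

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(src_ip, self.src) and _in(dst_ip, self.dst)


def lookup(rules, src_ip, dst_ip):
    """Return the first matching rule walking Section 1, then 2, then 3."""
    for rule in sorted(rules, key=lambda r: (r.section, r.line)):
        if rule.matches(src_ip, dst_ip):
            return rule
    return None


def translate(rules, src_ip, dst_ip) -> str:
    hit = lookup(rules, src_ip, dst_ip)
    return hit.action if hit else "no NAT (8.3+ passes unmatched traffic untranslated)"


# Constructed rules mirroring the thread: a catch-all PAT plus a VPN twice NAT.
VPN_TWICE_NAT = NatRule(1, 2, "10.10.10.0/24", "1.1.2.0/24", "static 10.10.10.0 -> 1.1.1.0")
# Broken ordering: the catch-all PAT sits first in Section 1 and shadows the VPN rule.
BROKEN = [NatRule(1, 1, "any", "any", "PAT to outside interface"), VPN_TWICE_NAT]
# Fixed ordering: "nat (inside,outside) after-auto ..." moves the PAT to Section 3.
FIXED = [NatRule(3, 1, "any", "any", "PAT to outside interface"), VPN_TWICE_NAT]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: VPN flow -> {translate(rules, '10.10.10.10', '1.1.2.10')}")
        print(f"{name}: web flow -> {translate(rules, '10.10.10.10', '8.8.8.8')}")
```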
-
2504 power issues - is this the same brick used on an ASA?
I have a 2504 that does not light up. No LEDs on the front. It seems to be getting power from the brick.
Quick question - can I use an ASA 5505 power supply on these too? They also have a 48V power supply and the plug is the same. I just don't know if the + and - are on the same pins, and I have no meter around.
The answer is 'yes' but I won't be held responsible if something were to happen.
-
Issue of NAT for ASA running 8.4 (5)
We have a client who is about to hang an ASA off the DMZ of our firewall, which is running 8.4(5). This firewall is currently on another part of our network, and the NAT will change considerably. Now everything behind the client firewall must be NATed to outside as the same IP it has internally, for example like the old "static (inside,outside) 172.16.16.0 172.16.16.0 netmask 255.255.255.0" command.
When I look at the Cisco document on NAT (migration)
( http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp96828), I do not see all the conversions between the two. This is not a "nat 0" because users need access to certain hosts inside our customer's firewall.
Can someone please point me in the right direction? Thank you
Hello
Let's assume that the following is true
- The new ASA has "inside" and "outside" networks/interfaces only
- The new ASA should do NO NAT from "inside" to "outside" in any traffic situation (your firewall handles this?)
Then you can simply have the ASA with absolutely no NAT configuration. With the new software releases 8.3 and above, the ASA automatically passes all traffic through un-NATed. We use it at one customer and it works very well.
Please let me know if the above is the case, or if I have missed something
-Jouni
-
Hello
I'm new to Cisco licenses... I have a Cisco ASA 5505 in house with a Base license limited to 10 hosts. More information below.
I bought the "L-ASA5505-10-UL=" upgrade to remove the host limit and I got the certificate with the PAK. But when I go to the Cisco licensing website to get the activation key with this PAK, I get the error message below.
Unfortunately I don't have a support contract, so I cannot open a Service Request as suggested.
Any help on what to do?
Error message:
Bad SKU(s) 'L-ASA5505-10-UL=' for 'ASA5505-BUN-K9': device contains the following licenses "K9-BA-ASA5500".
Serial number = JMX1526Zxxx
We're sorry, but the serial number provided is not the same platform type as the serial number that failed. The upgrade requested is not permitted.
If you want assistance in solving this problem, please open a Service Request using the TAC Service Request tool.
> show version
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has a Base license.
Cheers,
Henri
Is that an automatic response, or did a person actually answer? A licensing rep should respond to your e-mail. They would be able to rehost the license for you.