L2TP configuration on ASA 8.4

Hello world

I have an ASA running 8.4.

Recently I set up an L2TP VPN connection, but I am facing a lot of questions.

Actually, I am not able to connect any Windows client (Windows 7 and 8).

Below is my setup and the debugging I did.

Any help would be appreciated; thank you in advance.

MY L2TP SETUP
~~~~~~~~~~~~~~~~~~~~~~

2. Configure the ISAKMP policy
-----------------------------

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

3. Configure an address pool
--------------------------------

ip local pool L2TP_POOL-WHO 10.30.255.1-10.30.255.6 mask 255.255.255.248

4. Configure the authentication method
--------------------------------------
Locally on the ASA
------------------

username l2tp password SGC mschap privilege 0
username l2tp attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol l2tp-ipsec

4. Define the group policy
------------------------
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 address-pools value L2TP_POOL-WHO
 vpn-tunnel-protocol l2tp-ipsec

5. Set up the tunnel group
------------------------

tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL-OMS
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2

6. IPsec settings
------------------------------
crypto ipsec ikev1 transform-set RIGHT esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set RIGHT mode transport

7. Dynamic crypto map configuration
---------------------------------

crypto dynamic-map dynmap 1 set ikev1 transform-set RIGHT

8. Create a crypto map entry and associate the dynamic map with it
------------------------------------------------------------

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Bind the crypto map to the interface
-----------------------------------

crypto map mymap interface outside

10. Enable ISAKMP on the interface
------------------------------

crypto isakmp enable outside

******************
Debug crypto ikev1
******************
FWASA-VICT1 (config) # 01 August at 20:54:25 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:25 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:30 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:30 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:34 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:34 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:43 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August-20:54:43 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!

*****************************
debug crypto isakmp 7
debug crypto ipsec 7
*****************************

FWASA-VICT1 (config) # 01 August at 20:35 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR SA (1) the seller (13) of the SELLER (13) + seller (13) + seller (13) + seller (13) + seller (13) ++ SELLER (13) + (0) NONE total length: 384
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, SA payload processing
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, Oakley proposal is acceptable
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received NAT - Traversal RFC VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received NAT-Traversal worm 02 VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received Fragmentation VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, IKE SA payload processing
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, IKE SA proposal # 1, transform # 5 entry IKE acceptable Matches # 3 overall
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, build the payloads of ISAKMP security
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, constructing the payload of NAT-Traversal VID worm RFC
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, construction of Fragmentation VID + load useful functionality
01 August 20:35 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 124
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + NAT - D (20), NAT - D (20) & NONE (0) overall length: 260
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, processing ke payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing ISA_KE
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, nonce payload processing
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload NAT-discovery of treatment
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload NAT-discovery of treatment
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, building ke payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, building nonce payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, build payloads of Cisco Unity VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, constructing payload V6 VID xauth
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, Send IOS VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilities: 20000001)
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, build payloads VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT-discovery payload construction
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT-discovery payload construction
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, connection landed on tunnel_group DefaultRAGroup
01 August at 20:35:01 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, Generating keys for answering machine...
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) + (10) NUNCIO seller (13) + the seller (13) + the seller (13) + the seller (13) NAT - D (20) + NAT - D (20) & NONE (0) total length: 304
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8) + (0) NONE total length: 64
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, calculation of hash for ISAKMP
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is behind a NAT device
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, connection landed on tunnel_group DefaultRAGroup
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload ID
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, build payloads of hash
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, calculation of hash for ISAKMP
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, building dpd vid payload
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8), SELLER (13) + (0) NONE total length: 84
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, type Keep-alive for this connection: None
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, Keep-alives configured on, but the peer does not support persistent (type = None)
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, timer to generate a new key to start P1: 21600 seconds.
01 August at 20:35:03 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 192.168.5.122, Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 41.63.166.15, Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, QM IsRekeyed its not found old addr
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, remote peer IKE configured crypto card: dynmap
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing IPSec SA
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, IPSec SA proposal # 1, turn # 1 entry overall SA IPSec acceptable matches # 1
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, IKE: asking SPI!
IPSEC: HIS embryonic new created @ 0xb2b4ef98.
RCS: 0XB1BBEC58,
Direction: inbound
SPI: 0X8DFBC25E
Session ID: 0 x 01236000
VPIF num: 0x00000002
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, IKE got SPI engine key: SPI = 0x8dfbc25e
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, quick mode of oakley constucting
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, empty building hash payload
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, building the IPSec Security Association Management
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of support useful Nuncio IPSec
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, constructing the ID of the proxy
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, transmission Proxy Id:
Remote host: 197.217.68.99 Protocol Port 17 0
Local host: 10.30.21.2 Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload NAT Original address
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload NAT Original address
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address sending NAT-Traversal
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, build payloads of hash qm
01 August at 20:35:03 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 1) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + NONE (0) overall length: 188
01 August at 20:35:04 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 197.217.68.99, Protocol 17, Port 0
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 10.30.21.2, Protocol 17 Port 1701
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:04 [IKEv1] IP = 197.217.68.99, rejecting new IPSec security association negotiation for peer 197.217.68.99. A negotiation was underway for local 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255 Proxy
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb1fe13a8, mess id 0 x 2)!
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, case of mistaken IKE responder QM WSF (struct & 0xb1fe13a8) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, sending clear/delete with the message of reason
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!

01 August at 20:35:05 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 197.217.68.99, Protocol 17, Port 0
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 10.30.21.2, Protocol 17 Port 1701
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:05 [IKEv1] IP = 197.217.68.99, rejecting new IPSec security association negotiation for peer 197.217.68.99. A negotiation was underway for local 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255 Proxy
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 2)!
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, case of mistaken IKE responder QM WSF (struct & 0xb074f010) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, sending clear/delete with the message of reason
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!

Hi man,

As you can see in the output:
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED

Phase 1 is done, and the QM FSM error indicates an issue with the transform set or the crypto access list.
Please try using esp-3des and esp-sha-hmac together in the transform set and let us know how it goes.

You could also try PAP authentication.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.
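An added triage script, not from the thread, that applies the diagnosis above to captured debug lines: a QM FSM error after PHASE 1 COMPLETED is classified as a phase 2 (transform set / crypto map) problem, and an L2TP tunnel deleted right after creation as an L2TP-layer problem, as in the similar thread below. The sample lines are constructed in the ASA's own wording (the quoted output above is a translation; its "QM WSF" is the ASA's "QM FSM error").

```python
import re

# ASA messages the replies in this thread key on.  The quoted debug output
# above is a machine translation; the ASA's real wording is used here.
PATTERNS = {
    "p1_mismatch": re.compile(r"Phase 1 failure:\s+Mismatched attribute types"),
    "p1_reject":   re.compile(r"All IKE SA proposals found unacceptable"),
    "p1_accept":   re.compile(r"Oakley proposal is acceptable"),
    "p1_done":     re.compile(r"PHASE 1 COMPLETED"),
    "qm_error":    re.compile(r"QM FSM error|Reason: Phase 2 Mismatch"),
    "p2_done":     re.compile(r"PHASE 2 COMPLETED"),
    "l2tp_up":     re.compile(r"L2TP Tunnel created"),
    "l2tp_down":   re.compile(r"L2TP Tunnel deleted"),
}

HINTS = {
    "phase1": "no ikev1 policy matched the client's proposals: compare encryption, "
              "hash and DH group in 'crypto ikev1 policy' with what the client offers",
    "phase2": "phase 2 rejected after a good phase 1: check the ikev1 transform set "
              "(cipher/hash), that it has 'mode transport', and that the dynamic "
              "crypto map actually references it",
    "l2tp": "IPsec came up but the L2TP tunnel was torn down at once: check the "
            "tunnel-group ppp-attributes (ms-chap-v2) and 'crypto isakmp nat-traversal'",
    "ok": "IPsec and L2TP both came up",
    "unknown": "no decisive message seen; collect 'debug crypto ikev1 127' for one attempt",
}


def count_events(lines):
    """Count each known message in the captured lines of one connection attempt."""
    counts = {name: 0 for name in PATTERNS}
    for line in lines:
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
    return counts


def triage(lines):
    """Classify where an L2TP/IPsec attempt failed: returns (stage, hint, counts).

    'Mismatched attribute types' lines are benign when a later proposal is
    accepted: Windows offers several IKE transforms and the ASA logs every one
    it rejects before it finds the match, which is what the output above shows.
    """
    c = count_events(lines)
    if c["l2tp_up"] and not c["l2tp_down"]:
        stage = "ok"
    elif c["l2tp_up"] and c["l2tp_down"]:
        stage = "l2tp"
    elif c["p1_done"] and c["qm_error"] and not c["p2_done"]:
        stage = "phase2"
    elif not c["p1_done"] and (c["p1_reject"] or (c["p1_mismatch"] and not c["p1_accept"])):
        stage = "phase1"
    else:
        stage = "unknown"
    return stage, HINTS[stage], c


# Constructed sample in the shape of the original poster's output (phase 1 done, then QM FSM error).
SAMPLE_PHASE2 = [
    "[IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "[IKEv1 DEBUG]: IP = 203.0.113.10, Oakley proposal is acceptable",
    "[IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, PHASE 1 COMPLETED",
    "[IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, QM FSM error (P2 struct &0xb074f010, mess id 0x2)!",
    "[IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, Removing peer from correlator table failed, no match!",
]

# Constructed sample in the shape of the 'Windows L2TP/IPSec to ASA' thread (tunnel created, then deleted).
SAMPLE_L2TP = [
    "%ASA-5-713120: Group = DefaultRAGroup, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=00000001)",
    "%ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 203.0.113.10, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is user1",
    "%ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 203.0.113.10",
    "%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 203.0.113.10, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated",
]

if __name__ == "__main__":
    for name, sample in (("phase2 sample", SAMPLE_PHASE2), ("l2tp sample", SAMPLE_L2TP)):
        stage, hint, _ = triage(sample)
        print(f"{name}: {stage} - {hint}")
```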

Tags: Cisco Security

Similar Questions

  • Windows L2TP/IPSec to ASA

    Hello

    I configured Windows L2TP/IPsec connections on the ASA. Phases 1 and 2 are successful and the tunnel is created, but it is deleted immediately afterwards. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (I cannot use any non-default group, a limitation of Windows). Here is my config:

    group-policy DfltGrpPolicy attributes
     wins-server value 10.1.1.1
     dns-server value 10.1.1.1
     vpn-idle-timeout 300
     vpn-tunnel-protocol ipsec l2tp-ipsec svc webvpn
     user-authentication enable
     nem enable
     nac-settings value DfltGrpPolicy-nac-framework-create
     webvpn
      svc keepalive none
      svc dpd-interval client none
      svc dpd-interval gateway none
      customization value DfltCustomization

    tunnel-group DefaultRAGroup general-attributes
     address-pool asa-admins
     authentication-server-group CSACS
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
     isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap
     authentication ms-chap-v2
     authentication eap-proxy

    crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    And here are some logs:

    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA proposal # 1, turn # 1 entry overall SA IPSec acceptable matches # 10

    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/4500
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: outgoing remote access to ITS (SPI = 0xAEA59455) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a msg KEY_ADD for SA: SPI = 0xaea59455
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: incoming remote access to ITS (SPI = 0x9D3B8BDE) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, pitcher: received KEY_UPDATE, spi 0x9d3b8bde
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, timer to generate a new key to start P2: 3060 seconds.
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % 713120-5-ASA: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid = 00000001)
    17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193>mask <0xFFFFFFFF>port<4204>
    17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/1701
    17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-6-302016: connection UDP disassembly 56281479 for outside:193.193.193.193/4204 of identity: outside-interface/1701 duration 0:01:07 431 bytes
    17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-302015: built connection UDP incoming 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to the identity: outside-interface/1701 (outside-interface/1701)
    17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603106: L2TP Tunnel created, tunnel_id 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id 1, client_dynamic_ip is 0.0.0.0 username is user1
    17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50 remote_peer_ip = 193.193.193.193

    17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-4-113019: Group = DefaultRAGroup, username =, IP = 193.193.193.193, disconnected Session. Session type: IPsecOverNatT, duration: 0 h: 00 m: 03 s, xmt bytes: 795 bytes RRs: 1204, reason: L2TP initiated

    What's wrong?

    Thanx

    Please go ahead and enable the following command:

    crypto isakmp nat-traversal

    Try again.

  • ASA5505: Configure the ASA for IPSec and SSL VPN?

    Hello-

    I currently have my 5505 set up for SSL AnyConnect VPN connections. Is it possible to also set up the 5505 for IPsec VPN connections?

    So basically my ASA would be able to run SSL and IPsec VPN tunnels at the same time.

    Thank you!

    Kim,

    Yes, you can configure your ASA to support AnyConnect VPN and IPsec connections at the same time. In short, for the IPsec configuration you should configure at least an ISAKMP policy, an IPsec transform set, a crypto map, a tunnel group and the associated group policy.

    Matt

  • Configuring a Cisco ASA to pull AD user accounts

    I am trying to configure my Cisco ASA to authenticate against my AD instead of local accounts. I followed the instructions at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml and when I test the server in the AAA server group (which is my Windows AD server), I get a successful connection. However, when I connect to the SSL site for my Cisco VPN, it still does not accept Active Directory accounts, only local ones. Is there somewhere else I need to tie in the AAA server group? What should I do?

    Hi Neal,

    Great to hear that, 5 points for the answer, now please mark it as answered so future users can learn from this problem and the answer.

    Kind regards

  • Does intercept-dhcp work for L2TP over IPsec tunnels on the ASA?

    Hello

    Is there anyone in the world running an L2TP over IPsec tunnel on a Cisco ASA for native Windows clients with a fully functional split-tunnel configuration?

    I created an L2TP over IPsec tunnel on an ASA 5520 running software version 9.1(6). My configuration is:

    ip local pool VPN_Users 172.23.32.1-172.23.33.255 mask 255.255.252.0

    access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0

    crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN10 mode transport
    crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN7 mode transport
    crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
    crypto dynamic-map DYNMAP 10 set reverse-route
    crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
    crypto map CMAP interface ipsec

    crypto isakmp nat-traversal 29
    crypto isakmp disconnect-notify
    crypto ikev1 enable ipsec
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    exit
    crypto ikev1 policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    exit

    group-policy EIK_USERS_RA internal
    group-policy EIK_USERS_RA attributes
     dns-server value 12.34.56.7 12.34.56.8
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol ikev1 l2tp-ipsec
     password-storage disable
     ip-comp enable
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ROUTING_SPLIT
     default-domain value ad.NYME.Hu
     intercept-dhcp enable
     user-authentication enable
     address-pools value VPN_Users
    exit

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group challenger
     accounting-server-group challenger
     default-group-policy EIK_USERS_RA
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     no authentication ms-chap-v1
     authentication ms-chap-v2
    exit

    Now, native Windows clients can connect using this tunnel group:

    our-asa# show vpn-sessiondb remote

    Session type: IKEv1 IPsec

    User name: w10vpn Index: 1
    Assigned IP: 172.23.32.2 public IP address: 12.34.56.9
    Protocol: IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
    License: Another VPN
    Encryption: IKEv1: (1) 3DES IPsecOverNatT: (1) L2TPOverIPsecOverNatT AES256: (1) no
    Hash: IKEv1: (1) IPsecOverNatT SHA1: (1) L2TPOverIPsecOverNatT SHA1: (1) no
    TX Bytes: 1233 bytes Rx: 10698
    Group Policy: Group EIK_USERS_RA Tunnel: DefaultRAGroup
    Connect time: 15:12:29 UTC Friday, April 8, 2016
    Duration: 0: 00: 01:00
    Inactivity: 0 h: 00 m: 00s
    Result of the NAC: unknown
    Map VLANS: VLAN n/a: no

    However, real communication over the tunnel only takes place if I enable 'Use default gateway on remote network'. If I disable this option in the IPv4 properties of the VPN virtual interface in Control Panel, as described in the 'Split Tunnel Configuration' section of this document, then Windows sends all packets through the tunnel, because it fails to pull the routing table from the ASA. Split routing works perfectly when using the legacy Cisco VPN Client with the same group policy, but does not work with L2TP over IPsec.

    As far as I can see, the 'intercept-dhcp' option is somehow ineffective. I even managed to capture packets on the PPP virtual interface of a Windows XP machine, and I saw that Windows sends its DHCP INFORM requests, but the ASA does not answer them. My question is: why?

    - Did I make a mistake in the above configuration?

    - Could there be an option somewhere else in my running config that defeats intercept-dhcp?

    - Or is there a software bug in my ASA firmware version? (BTW, I tried several different software versions without success.)

    Hi, I have the same problem you have, but I was lucky enough to be able to install version 9.2(4), on which this feature works very well. I suspect that it is a bug, but I need to dig a little deeper. If I find something interesting I'll share it here.

  • Microsoft L2TP VPN to ASA 5520

    I am trying to configure an L2TP VPN connection on an XP laptop. On the ASA, I use the DefaultRAGroup and the DfltGrpPolicy. I set DefaultRAGroup to use a pre-shared key, and set user authentication to ACS_Radius. Our ACS server is tied to AD. Does anyone know if I can use ACS to authenticate this type of user, or do I have to create local accounts on the ASA?

    When I try to connect from the laptop, I get error 789. On the ASA, I see this:

    Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED

    Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, QM FSM error (P2 struct &0xcddc7d28, mess id 0x46986b08)!

    Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, Removing peer from correlator table failed, no match!

    Group = DefaultRAGroup, Username = , IP = 63.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

    On the face of it, it seems that the laptop is not sending the username and password. I've tried many different combinations on the Microsoft side (MSCHAP and MSCHAPv2, both together or each individually) and matched this setting on the ASA. No matter what, I get the same error. Does anyone have any ideas?

    Yes... I had a look at your configuration and found the following errors:

    1. L2TP requires a transport-mode transform set for the IPsec traffic; your config seems to refer to one, yet it is not defined:

    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac

    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport    <- (needed)

    2. The transform set is not attached to the dynamic crypto map, so it is not used:

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    It should look like:

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA

    Finally, just to clear things up, make sure that your ACS_Radius server is indeed enabled for MS-CHAPv2 authentication from the ASA and the L2TP client, otherwise it will always fail.
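    The two checks in the answer above (a transport-mode transform set that exists, and that is actually listed on the dynamic crypto map bound to the outside interface) can be verified mechanically against a saved `show running-config`. This is an added example, not code from the thread or from Cisco; the config excerpts are constructed from the names used above, and the patterns accept both the pre-8.4 syntax and the 8.4 `ikev1` keyword form.

```python
from __future__ import annotations
import re

# Constructed config excerpts modelled on the answer above: in the broken
# one the transport-mode line is missing and the dynamic map does not list
# the set; the fixed one adds both (names are the thread's own).
BROKEN_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""
FIXED_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

# The patterns accept both the pre-8.4 syntax and the 8.4 "ikev1" keyword.
RE_TS_DEF = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) esp-\S+.*$")
RE_TS_MODE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) mode transport$")
RE_DYN_SET = re.compile(r"^crypto dynamic-map (\S+) \d+ set (?:ikev1 )?transform-set (.+)$")
RE_MAP_DYN = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
RE_MAP_IF = re.compile(r"^crypto map (\S+) interface \S+$")


def check_l2tp_transform_set(config: str, ts_name: str) -> list[str]:
    """Return the problems found for transform set ts_name (empty list = OK:
    defined, transport mode, and reachable via interface -> crypto map ->
    dynamic map -> transform-set list, which L2TP/IPsec clients need)."""
    defined, transport = set(), set()
    dyn_sets: dict[str, set[str]] = {}    # dynamic map -> transform sets
    dyn_of_map: dict[str, set[str]] = {}  # crypto map -> dynamic maps
    bound_maps: set[str] = set()          # crypto maps applied to an interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_TS_MODE.match(line):
            transport.add(m.group(1))
        elif m := RE_TS_DEF.match(line):
            defined.add(m.group(1))
        elif m := RE_DYN_SET.match(line):
            dyn_sets.setdefault(m.group(1), set()).update(m.group(2).split())
        elif m := RE_MAP_DYN.match(line):
            dyn_of_map.setdefault(m.group(1), set()).add(m.group(2))
        elif m := RE_MAP_IF.match(line):
            bound_maps.add(m.group(1))

    problems = []
    if ts_name not in defined:
        problems.append(f"{ts_name} is not defined")
    if ts_name not in transport:
        problems.append(f"{ts_name} is not in transport mode (L2TP/IPsec requires it)")
    reachable = {ts for cmap in bound_maps
                 for dyn in dyn_of_map.get(cmap, ())
                 for ts in dyn_sets.get(dyn, ())}
    if ts_name not in reachable:
        problems.append(f"{ts_name} is not listed in a dynamic map attached to an active crypto map")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_l2tp_transform_set(cfg, "TRANS_ESP_3DES_SHA") or "OK")
```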

  • Chromebook L2TP/IPsec to ASA 5510

    Hello

    I am having trouble getting a Chromebook to establish a remote access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5).

    Running debug crypto isakmp 5, I see the following logs (IPs changed...)

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device  This end is NOT behind a NAT device

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 17, Port 1701

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 17, Port 1701

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!

    1.1.1.1 = Chromebook's NAT (public) address

    2.2.2.2 = ASA 5510 acting as the remote access termination point

    3.3.3.3 = Chromebook's private address

    I noticed that the Chromebook's private address shows up as the remote proxy ID, but later the ASA looks for the Chromebook's NAT address. Not sure if this is the cause, or how to fix it if it is.

    Can someone advise please

    Thank you

    Ryan

    7.2 is old code. You could re-test with 9.0.x or 9.1.x.

    https://support.Google.com/Chromebook/answer/1282338?hl=en

  • L2TP over IPsec on ASA

    Hello

    I tried to set up an L2TP connection on an ASA 5505.

    Phase 1 and Phase 2 complete, but the Windows client does not work.

    This is the configuration:

    crypto ipsec transform-set L2TP-TS-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set L2TP-TS-SHA mode transport

    crypto dynamic-map VPNCLIENT 65535 set transform-set L2TP-TS-SHA

    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.1.2 192.168.1.14
     vpn-tunnel-protocol ipsec l2tp-ipsec
     address-pools value VPNClient-pool

    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNClient-pool
     default-group-policy DefaultRAGroup
     password-management
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2

    Log:

    Dec 13 17:48:08 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, PHASE 2 COMPLETED (msgid=00000002)
    Dec 13 17:48:08 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <195.234.233.126> mask <0xFFFFFFFF> port <15334>
    Dec 13 17:48:11 [IKEv1 DECODE]: IP = 195.234.233.126, IKE Responder starting QM: msg id = 00000003
    Dec 13 17:48:11 [IKEv1]: IP = 195.234.233.126, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing hash payload
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing SA payload
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing nonce payload
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing ID payload
    Dec 13 17:48:11 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR ID received
    192.168.236.25
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received remote Proxy Host data in ID Payload:  Address 195.234.233.126, Protocol 17, Port 0
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing ID payload
    Dec 13 17:48:11 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR ID received
    94.88.180.84
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received local Proxy Host data in ID Payload:  Address 172.16.34.1, Protocol 17, Port 1701
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, L2TP/IPSec session detected.
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing NAT Original Address payload
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM IsRekeyed: already rekeyed
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM FSM error (P2 struct &0xd7f0b8d0, mess id 0x3)!
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, IKE QM Responder FSM error history (struct &0xd7f0b8d0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    Dec 13 17:48:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, sending delete/delete with reason message
    Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Removing peer from correlator table failed, no match!
    Dec 13 17:48:12 [IKEv1 DECODE]: IP = 195.234.233.126, IKE Responder starting QM: msg id = 00000003
    Dec 13 17:48:12 [IKEv1]: IP = 195.234.233.126, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing hash payload
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing SA payload
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing nonce payload
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing ID payload
    Dec 13 17:48:12 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR ID received
    192.168.236.25

    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received remote Proxy Host data in ID Payload:  Address 195.234.233.126, Protocol 17, Port 0
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing ID payload
    Dec 13 17:48:12 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 195.234.233.126, ID_IPV4_ADDR ID received
    94.88.180.84
    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received local Proxy Host data in ID Payload:  Address 172.16.34.1, Protocol 17, Port 1701
    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, L2TP/IPSec session detected.
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, processing NAT Original Address payload
    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM IsRekeyed: already rekeyed
    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM FSM error (P2 struct &0xd8b55468, mess id 0x3)!
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, IKE QM Responder FSM error history (struct &0xd8b55468)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
    Dec 13 17:48:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.234.233.126, sending delete/delete with reason message
    Dec 13 17:48:12 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Removing peer from correlator table failed, no match!

    Can someone help me please?

    Is the ASA behind a NAT device? Also, what version of the ASA software are you running?

    Also, make sure that the settings on the client are right according to this doc:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml
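    The Chromebook thread and the ASA 5505 thread above show the same Phase 2 failure pattern (Phase 1 completes, the L2TP/IPsec session is detected, then a QM FSM error and the correlator-table message), and the first thing the replies ask about is NAT and software version. As an added example, not code from either thread or from Cisco, the triage below groups `debug crypto isakmp` lines by peer, records the proxy IDs and milestones, and produces a verdict with hints; the sample capture is constructed from the messages above using the ASA's own English wording, since the excerpts on this page are machine-translated.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample capture. The lines follow the messages in the debug
# excerpts above but use the ASA's own English wording; addresses are the
# placeholders the two threads use.
SAMPLE_LOG = """\
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
Dec 13 17:48:08 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, PHASE 1 COMPLETED
Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received remote Proxy Host data in ID Payload:  Address 195.234.233.126, Protocol 17, Port 0
Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, Received local Proxy Host data in ID Payload:  Address 172.16.34.1, Protocol 17, Port 1701
Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, L2TP/IPSec session detected.
Dec 13 17:48:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.234.233.126, QM FSM error (P2 struct &0xd7f0b8d0, mess id 0x3)!
"""

RE_PEER = re.compile(r"\bIP = ([\d.]+)")
RE_PROXY = re.compile(
    r"Received (remote|local) Proxy Host data in ID Payload:\s+"
    r"Address ([\d.]+), Protocol (\d+), Port (\d+)")


def triage_ikev1_debug(log: str) -> dict[str, dict]:
    """Group IKEv1 debug lines by peer IP, note the Phase 1/2 milestones and
    proxy IDs, and attach a verdict plus hints about what to check next."""
    peers: dict[str, dict] = {}
    for line in log.splitlines():
        m = RE_PEER.search(line)
        if not m:
            continue
        p = peers.setdefault(m.group(1), {
            "phase1": False, "l2tp": False, "proposal_rejected": False,
            "qm_error": False, "proxy": {}})
        p["phase1"] |= "PHASE 1 COMPLETED" in line
        p["l2tp"] |= "L2TP/IPSec session detected" in line
        p["proposal_rejected"] |= "All IPSec SA proposals found unacceptable" in line
        p["qm_error"] |= "QM FSM error" in line
        if pm := RE_PROXY.search(line):
            p["proxy"][pm.group(1)] = {"addr": pm.group(2), "port": int(pm.group(4))}
    for p in peers.values():
        p["verdict"], p["hints"] = _assess(p)
    return peers


def _assess(p: dict) -> tuple[str, list[str]]:
    hints = []
    local, remote = p["proxy"].get("local"), p["proxy"].get("remote")
    if local and ipaddress.ip_address(local["addr"]).is_private:
        hints.append("local proxy ID is a private address: is the ASA behind NAT?")
    if remote and remote["port"] != 1701:
        hints.append(f"remote proxy port is {remote['port']}, not 1701")
    if not p["phase1"]:
        return "phase1-incomplete", hints
    if p["proposal_rejected"] and p["l2tp"]:
        hints.append("check for a transport-mode transform set on the dynamic map")
        return "phase2-proposal-mismatch", hints
    if p["qm_error"]:
        return "phase2-failed", hints
    return "no-phase2-error-seen", hints
```

    Run it over a real capture with `triage_ikev1_debug(open("debug.txt").read())`; the verdict for the Chromebook-style peer is the proposal mismatch, and the 5505-style peer gets the NAT and port hints.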

  • Saving the configuration on ASA 5505

    Hi all, I have this problem: I save the configuration on the ASA 5505 using wr mem or using copy run start, but when I unplug the power cord and plug it back in, the ASA comes up with its factory default configuration... so what I do is a copy start run to get the active configuration back...

    Why is that? Even though I saved the config to flash... Greetings!

    Your configuration register is wrong:

    Please follow this document:

    http://www.Cisco.com/en/us/docs/security/ASA/asa71/configuration/guide/trouble.html#wp1062992

    You must set it to the default value 0x1

    ___

    HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".

  • FIPS: can an ASA be configured, in accordance with FIPS, to reject all non-FIPS AnyConnect connections?

    Hi, shouldn't a FIPS-compliant ASA automagically refuse any AnyConnect connection if the AnyConnect client is not FIPS compliant?

    Any help, ideas or thoughts are appreciated, because I can't seem to find anything about this.

    Kind regards

    Paul.

    Hi Paul,

    By default, the ASA specifies the non-FIPS-compliant RC4-SHA1 cipher for the connection. To comply with FIPS, you must make sure that a FIPS-compatible cipher is the first one specified in the SSL encryption list. Otherwise, the DTLS connection fails. In addition, we recommend removing all non-FIPS ciphers from the list, to make sure the connection failure does not occur.

    In ASDM, go to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL cipher types. In the Encryption area, move a FIPS-compatible cipher to the first position in the list.

    If you use the CLI, use the ssl encryption command from global configuration mode to order the list.

    Kind regards

    NGO

  • SNMP configuration on ASA 5520

    I was wondering if someone could provide me with a basic configuration, or a link to the basic configuration, for SNMP monitoring on an ASA 5520.

    Thank you

    Chris

    snmp-server host inside 192.168.1.185 community XXXXX

    ^ - configures only host 192.168.1.185 to be able to get SNMP data

    snmp-server community xxxxx

    ^ - open to everyone, if you want that

    snmp-server location individuals

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    snmp-server enable traps syslog

    snmp-server enable traps ipsec start stop

    snmp-server enable traps entity config-change fru-insert fru-remove

    snmp-server enable traps remote-access session-threshold-exceeded

    This should be most of what you need

  • Configure Cisco ASA as a VPN client

    I did some research and the answers said it was supposed to be possible, but there was no info on how to do it. I wonder if it is possible to configure a Cisco ASA 5505/10/20 to be a client of an existing (in this case) Cisco VPN. The reasons why are complicated (and irrelevant IMO), but basically I need to be able to put a small network on this VPN rather than individual computers.

    The VPN is a basic IPsec over UDP Cisco VPN to an ASA 5505.

    So, how do I set up another ASA to connect to it as if it were a client?

    Hello

    Here is a document from Cisco on configuring the ASA Easy VPN Server and Client

    Although in this case they use a PIX firewall as the client.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

    Here's another site with instructions related to this setup

    http://www.petenetlive.com/kb/article/0000337.htm

    I imagine the Cisco ASA Configuration Guide documents on Cisco's site will also give instructions on how to configure it.

    -Jouni

  • IPsec tunnel problem: works without configuration on the ASA

    Hello

    I have a problem with an ASA running version 8.4.3.

    I have a tunnel to a remote site that comes up if I do not configure the tunnel, and if I do configure it, it does not come up.

    Has anyone seen that before? With version 8.2 we had no worries, but since the migration we have had this problem.

    With the tunnel configured we get this error:

    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!

    [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

    Thanks for your response

    I have never seen this as the result of a simple ASA upgrade, but in general there are a number of things that could cause this problem. Generally it is an unidentified peer, or a peer without a valid crypto map, trying to establish a site-to-site VPN that generates the message above.

    Please take a look at this troubleshooting guide.

    If it does not help, please post your configuration.

  • Can I configure an ASA 5510 to accept frames?

    I am replacing an old router which is the endpoint of a Frame Relay connection. Can I use an ASA? If so, what are the interface commands and the DLCI encapsulation?

    No, an ASA cannot terminate Frame Relay. That has to be done on an upstream router.

  • Configure the ASA 5505 at a remote site using ASDM

    I would like to be able to administer the ASA 5505 from another site, which is connected via an IPsec site-to-site LAN-to-LAN tunnel.

    How do I enable this?

    Hello

    You can remotely administer an ASA using its public IP address (over the Internet), or through the tunnel using its private IP address.

    You can reach the private IP address by activating the command:

    management-access inside

    You can then access the ASA on its private IP address via CLI or GUI.

    Federico.
