Life of the ISAKMP Security Association

Hello

I'd like to know the process of SA expiration and renewal: will it cause the VPN to go down?

And how long can a pre-shared key be used for?

Thank you in advance!

Before the SA expires, a new SA is negotiated and installed, so by the time the old SA has expired the new SA is already in place; this happens automatically. So to answer your question: rekeying the SA won't bring the VPN tunnel down.

The Phase 2 SA lifetime can be configured up to a maximum of 214783647 seconds (the default is 28800 seconds).

Hope that answers your question.

Tags: Cisco Security

Similar Questions

  • Question about the IPSec Security Association lifetime

    Hi all

    I'm confused about lifetimes. One book says you should keep the lifetimes of the two peers exactly the same, otherwise you cannot establish the tunnel. But another book says you can use different lifetimes (time interval or byte count) and the two peers will choose the lower one.

    Please help me. Thanks in advance.

    Banlan

    There are two lifetimes involved with IPSec: the Phase 1 (ISAKMP) and Phase 2 (IPSec) connections.

    With the Phase 1 tunnel, if the initiator has a longer lifetime than the responder, the responder does not accept the connection, so it is certainly preferable to keep your Phase 1 lifetimes the same.

    For Phase 2, the lifetime will be negotiated to the lower of the two values regardless of who initiates, so it is not critical. It is always advisable to keep the lifetimes the same, since you can run into negotiation issues with devices from different vendors.

  • DMVPN Question ISAKMP Security Association

    Hi all

    I have implemented a basic full-mesh DMVPN, similar to the config used in the Packet Life tutorial:

    http://packetlife.net/blog/2008/Jul/23/dynamic-multipoint-VPN-DMVPN/

    I have a hub and two spokes. Everything seems to be functioning OK. I've included the tunnel config below.

    My question is: when I do a show crypto isakmp sa, for example on spoke 2, I have three ISAKMP SAs with three different src addresses...

    How is that possible when I only have tunnels to two other devices, the hub and spoke 1? And why does a foreign source address appear as an ISAKMP security association on this router?

    dst             src             state          conn-id slot status
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE

    A similar result on the hub

    dst             src             state          conn-id slot status
    172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
    172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
    172.16.1.2      172.16.3.2      QM_IDLE              3    0 ACTIVE

    Spoke 1 still has only 2:

    172.16.1.2      172.16.3.2      QM_IDLE              1    0 ACTIVE
    172.16.2.2      172.16.3.2      QM_IDLE              2    0 ACTIVE

    Crypto config for all:

    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key P4ssw0rd address 172.16.0.0 255.255.0.0
    !
    crypto ipsec transform-set MyTransformSet esp-aes esp-sha-hmac
    !
    crypto ipsec profile MyProfile
     set transform-set MyTransformSet
    !
    interface Tunnel0
     tunnel protection ipsec profile MyProfile

    Hub Tunnel Config

    interface Tunnel0
     ip address 10.0.100.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source fa0/0
     tunnel mode gre multipoint

    Spoke 1 Tunnel Config

    !
    interface FastEthernet0/0
     ip address 172.16.3.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    Spoke 2 Tunnel Config

    !
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Tunnel0
     ip address 10.0.100.3 255.255.255.0
     no ip redirects
     ip nhrp map 10.0.100.1 172.16.1.2
     ip nhrp map multicast 172.16.1.2
     ip nhrp network-id 1
     ip nhrp nhs 10.0.100.1
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile MyProfile

    The src and dst IP addresses indicate who was the initiator and who was the responder. They do not represent flow information (in the traditional sense of the term).

    You can get duplicate IKE sessions in two scenarios; these are the most common:

    (1) Negotiation started at both ends "simultaneously".

    (2) IKE renegotiation.

    What is strange to me is that you seem to have a session initiated by the hub and responded to by the spoke.

    What I would do is add:

    - ip nhrp server-only (on the hub; it is not provided on the ASR)

    - DPD (on all devices).

    This ensures that the hub does not initiate anything in NHRP and that useless/dead sessions are eventually torn down.
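    As an added example (not code from the thread), a script that parses show crypto isakmp sa output, reports peer pairs that hold more than one SA (the duplicate-session case above) and lists SAs the hub initiated; the sample table is spoke 2's output quoted above with the IOS column header restored, and the hub/spoke addresses are taken from that config.

```python
"""Sanity checks over 'show crypto isakmp sa' output from a DMVPN router.

In each row, dst/src record who responded and who initiated that IKE
session, not traffic direction. Two things the thread calls out: duplicate
sessions between the same pair of peers (simultaneous initiation, or a rekey
that left the old SA behind) and sessions initiated by the hub, which a
spoke-initiated DMVPN design should not produce.
"""
import re
from collections import Counter

# Constructed sample: the spoke-2 table quoted in the thread. Hub is
# 172.16.1.2, spoke 1 is 172.16.3.2, spoke 2 (this router) is 172.16.2.2.
HUB_IP = "172.16.1.2"
LOCAL_IP = "172.16.2.2"
KNOWN_PEERS = {"172.16.1.2", "172.16.3.2"}
SPOKE2_OUTPUT = """\
dst             src             state          conn-id slot status
172.16.1.2      172.16.2.2      QM_IDLE              1    0 ACTIVE
172.16.2.2      172.16.3.2      QM_IDLE              3    0 ACTIVE
172.16.2.2      172.16.1.2      QM_IDLE              2    0 ACTIVE
"""

ROW_RE = re.compile(
    r"^\s*(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sa = m.groupdict()
            sa["conn_id"] = int(sa["conn_id"])
            sa["slot"] = int(sa["slot"])
            sas.append(sa)
    return sas


def duplicate_sessions(sas):
    """Unordered peer pairs that have more than one ISAKMP SA, with the count."""
    counts = Counter(frozenset((sa["dst"], sa["src"])) for sa in sas)
    return {tuple(sorted(pair)): n for pair, n in counts.items() if n > 1}


def hub_initiated(sas, hub_ip):
    """SAs in which the hub is the src, i.e. the hub was the IKE initiator."""
    return [sa for sa in sas if sa["src"] == hub_ip]


def unexpected_peers(sas, local_ip, known_peers):
    """SAs whose remote side is not a peer this router should be talking to."""
    found = []
    for sa in sas:
        remote = sa["src"] if sa["dst"] == local_ip else sa["dst"]
        if remote not in known_peers:
            found.append(sa)
    return found


if __name__ == "__main__":
    sas = parse_isakmp_sa(SPOKE2_OUTPUT)
    for pair, n in duplicate_sessions(sas).items():
        print("duplicate sessions between %s and %s: %d" % (pair[0], pair[1], n))
    for sa in hub_initiated(sas, HUB_IP):
        print("hub-initiated session conn-id %d towards %s" % (sa["conn_id"], sa["dst"]))
    for sa in unexpected_peers(sas, LOCAL_IP, KNOWN_PEERS):
        print("unexpected peer in conn-id %d: %s/%s" % (sa["conn_id"], sa["dst"], sa["src"]))
```

    Run against spoke 2's table it reports two SAs between the hub and spoke 2, one of which (conn-id 2) the hub initiated, which is exactly the oddity the reply points at.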

  • Changing the IPSEC Security Association lifetime

    Hello

    If I use the crypto ipsec security-association lifetime command, does that not apply to all clients? I'm trying to change it only for one IPSEC security association and I don't want to interrupt any existing VPN client.

    Is it possible to set it for one client?

    Thank you!

    Lisa G

    You can change it in the crypto map configuration for each individual connection. Since you don't specify what your VPN terminates on, however, I can't give you a specific example.

    The command you gave is global, and there is already a default lifetime for it. 'Local' lifetimes on individual crypto maps override this value.

    Also, if two peers differ in their lifetimes during negotiation, they are "supposed to" choose the smallest value, but may still not connect.

  • Missing Captain Obvious - Site to site IPSEC, no ISAKMP security association

    So I'm trying to set up a site-to-site IPsec tunnel and I fell at the first hurdle. I have checked my config so many times and I can't see a problem.
    Both routers can ping each other, so connectivity is there.
    Both routers have static routes to the other router's local IP range pointing out of the WAN interface.
    Both routers have an ACL (155) for the traffic to the other router and it is associated with the crypto map.
    Both routers have the map on the external interface.
    However, no SA ever gets set up. Debugging on both shows nothing, and show crypto isakmp sa shows nothing.
    Please help save my sanity!
    Router 1
    Current configuration : 4652 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    no logging buffered
    !
    aaa new-model
    !
    aaa authentication login TERMINAL-LINES local
    !
    aaa session-id common
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    ip dhcp excluded-address 192.168.30.1 192.168.30.100
    ip dhcp excluded-address 192.168.31.1 192.168.31.100
    ip dhcp excluded-address 192.168.32.1 192.168.32.100
    !
    ip dhcp pool DynamicPool
       network 192.168.30.0 255.255.255.0
       dns-server 192.168.30.1 8.8.8.8 208.67.222.222
       default-router 192.168.30.1
       lease 0 0 15
    !
    ip dhcp pool Tony-PC
       host 192.168.30.10 255.255.255.0
       client-identifier 0100.1e8c.6d85.3e
       lease infinite
    !
    ip dhcp pool VisitorPool
       network 192.168.31.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4 208.67.222.222
       default-router 192.168.31.1
       lease 0 0 15
    !
    ip dhcp pool GuestPool
       network 192.168.32.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4 208.67.222.222
       default-router 192.168.32.1
       lease 0 0 15
    !
    !
    ip host switch 192.168.30.5
    ip host router 192.168.30.1
    ip host unifi 212.250.84.221
    ip host tony-pc 192.168.30.10
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    voice-card 0
    !
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key H8sh8Js7dn2jJ address *ROUTER2-IP*
    !
    crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
    !
    crypto map C33-MH-MAP 1 ipsec-isakmp
     set peer *ROUTER2-IP*
     set transform-set C33-MH-SET
     match address 155
    !
    ip ssh port 8083 rotary 1
    !
    interface GigabitEthernet0/0
     ip address *ROUTER1-IP* 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map C33-MH-MAP
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
     no mop enabled
    !
    interface GigabitEthernet1/0
     ip address 192.168.30.1 255.255.255.0
     ip access-group native in
     ip nat inside
     ip virtual-reassembly
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 40
     ip address 192.168.31.1 255.255.255.0
     ip access-group visitor in
     ip nat inside
     ip virtual-reassembly
    !
    interface GigabitEthernet1/0.2
     encapsulation dot1Q 50
     ip address 192.168.32.1 255.255.255.0
     ip access-group guest in
     ip nat inside
     ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 217.137.232.209
    ip route 192.168.20.0 255.255.255.0 GigabitEthernet0/0
    no ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
    ip nat inside source static udp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
    !
    ip access-list extended guest
     deny   ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
     deny   ip 192.168.32.0 0.0.0.255 192.168.31.0 0.0.0.255
     permit ip any any
    ip access-list extended management
     permit ip 192.168.30.0 0.0.0.255 any
     permit ip 192.168.20.0 0.0.0.255 any
     permit ip 212.250.84.0 0.0.0.255 any
     permit ip 194.62.232.0 0.0.0.255 any
    ip access-list extended native
     deny   ip 192.168.30.0 0.0.0.255 192.168.31.0 0.0.0.255
     deny   ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
     permit ip any any
    ip access-list extended visitor
     deny   ip 192.168.31.0 0.0.0.255 192.168.30.0 0.0.0.255
     deny   ip 192.168.31.0 0.0.0.255 192.168.32.0 0.0.0.255
     permit ip any any
    !
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny   ip any 192.168.0.0 0.0.255.255
    access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
    dialer-list 1 protocol ip permit
    !
    control-plane
    !
    ccm-manager fax protocol cisco
    !
    mgcp fax t38 ecm
    !
    line con 0
    line aux 0
    line 66
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     access-class management in
     login authentication TERMINAL-LINES
     transport input all
    line vty 5 10
     access-class management in
     login authentication TERMINAL-LINES
     rotary 1
     transport input all
    !
    scheduler allocate 20000 1000
    end
    
    
    Router 2
    
    
    Current configuration : 6059 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa session-id common
    !
    no ip cef
    ip dhcp use vrf connected
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.20.1 192.168.20.100
    !
    ip dhcp pool DynamicPool
       network 192.168.20.0 255.255.255.0
       dns-server 192.168.20.1 8.8.8.8 208.67.222.222
       default-router 192.168.20.1
       lease 0 0 15
    !
    ip dhcp pool HTPC
       host 192.168.20.10 255.255.255.0
       client-identifier 011c.6f65.43fb.ca
       lease infinite
    !
    ip dhcp pool Wifi1
       host 192.168.20.20 255.255.255.0
       client-identifier 0104.18d6.8656.d6
       lease infinite
    !
    ip dhcp pool Wifi2
       host 192.168.20.21 255.255.255.0
       client-identifier 0104.18d6.6e44.00
       lease infinite
    !
    ip dhcp pool Wifi3
       host 192.168.20.22 255.255.255.0
       client-identifier 0144.d9e7.7471.00
       lease infinite
    !
    ip dhcp pool LivingRoomCC
       host 192.168.20.30 255.255.255.0
       client-identifier 016c.adf8.9eed.44
    !
    ip dhcp pool MillHouseCC
       host 192.168.20.31 255.255.255.0
       client-identifier 016c.adf8.ad31.50
    !
    ip dhcp pool Deskphone
       host 192.168.20.40 255.255.255.0
       client-identifier 0170.8105.b355.b0
       lease 5
    !
    ip dhcp pool DiningSureSignal
       host 192.168.20.41 255.255.255.0
       client-identifier 01b0.46fc.5f25.24
       lease 5
    !
    ip dhcp pool HallSureSignal
       host 192.168.20.42 255.255.255.0
       client-identifier 01b0.46fc.575e.47
       lease 5
    !
    ip dhcp pool HomeLaptop
       host 192.168.20.50 255.255.255.0
       client-identifier 0100.16ea.80a6.7e
       lease 0 1
    !
    ip dhcp pool Z2
       host 192.168.20.60 255.255.255.0
       client-identifier 0130.a8db.8ae5.3f
       lease 0 1
    !
    ip dhcp pool iPhone5
       host 192.168.20.61 255.255.255.0
       client-identifier 01d0.a637.01b6.38
       lease 0 1
    !
    ip dhcp pool Vera3
       host 192.168.20.11 255.255.255.0
       lease infinite
    !
    ip dhcp pool VeraEdge
       host 192.168.20.12 255.255.255.0
       client-identifier 0194.4a0c.0d82.3c
       lease infinite
    !
    ip dhcp pool Wifi4
       host 192.168.20.23 255.255.255.0
       client-identifier 0144.d9e7.7458.8c
       lease infinite
    !
    ip host htpc 192.168.20.10
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    voice-card 0
     no dspfarm
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key H8sh8Js7dn2jJ address *ROUTER1-IP*
    !
    crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
    !
    crypto map C33-MH-MAP 1 ipsec-isakmp
     set peer *ROUTER1-IP*
     set transform-set C33-MH-SET
     match address 155
    !
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
     no mop enabled
    !
    interface GigabitEthernet0/1
     no ip address
     ip nat inside
     ip virtual-reassembly
     shutdown
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/1/0
     switchport trunk native vlan 10
    !
    interface FastEthernet0/1/1
    !
    interface FastEthernet0/1/2
    !
    interface FastEthernet0/1/3
    !
    interface Serial0/0/0
     no ip address
     shutdown
     clock rate 2000000
    !
    interface GigabitEthernet1/0
     ip address 192.168.20.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface GigabitEthernet1/0.21
     encapsulation dot1Q 21
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan1
     no ip address
    !
    interface Dialer1
     mtu 1480
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname 10518-DMIL-LN50QY
     ppp chap password 0 111MIL
     ppp pap sent-username 10518-DMIL-LN50QY password 0 111MIL
     crypto map C33-MH-MAP
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1 10.20.0.1
    ip route 8.8.0.0 255.255.255.0 10.20.0.1 5 name g-dns
    ip route 8.8.0.0 255.255.255.0 192.168.1.1 10 name g-dns
    ip route 8.8.4.0 255.255.255.0 192.168.1.1 name ML3G
    ip route 104.238.169.0 255.255.255.0 192.168.1.1 name uk-london.privateinternetaccess.com
    ip route 192.168.30.0 255.255.255.0 Dialer1
    !
    ip dns server
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer1 overload
    ip nat inside source static tcp 192.168.20.27 80 interface Dialer1 90
    ip nat inside source static tcp 192.168.20.10 8443 interface Dialer1 8443
    ip nat inside source static tcp 192.168.20.10 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.20.10 8081 interface Dialer1 8081
    ip nat inside source static tcp 192.168.20.10 8080 interface Dialer1 8080
    ip nat inside source static tcp 192.168.20.10 8880 interface Dialer1 8880
    ip nat inside source static tcp 192.168.20.10 8843 interface Dialer1 8843
    !
    ip access-list extended STOP_PING
     deny   icmp any any
     permit ip any any
    ip access-list extended management
     permit ip 192.168.30.0 0.0.0.255 any
     permit ip 192.168.20.0 0.0.0.255 any
     permit ip 194.62.232.0 0.0.0.255 any
    !
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny   ip any 192.168.0.0 0.0.255.255
    access-list 155 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
    dialer-list 1 protocol ip permit
    !
    control-plane
    !
    mgcp behavior g729-variants static-pt
    !
    line con 0
    line aux 0
    line 66
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     access-class management in
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end
    

    Save your sanity; it's a big :-) but...

    You must change your NAT ACLs, i.e. they should read:

    Router 1:

    access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any

    Router 2:

    access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any

    Jon
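    An added check for the NAT-before-crypto ordering mistake Jon points out (example code, not from the thread): it parses the numbered IOS extended ACLs quoted above (ip entries only, in the any / host / wildcard forms) and reports crypto ACL entries that the NAT ACL would translate before the crypto map sees them. The before/after inputs are router 1's ACLs 100 and 155 as posted and as corrected.

```python
"""Check that an IOS NAT ACL excludes a site-to-site VPN's interesting traffic.

With 'permit ip 192.168.0.0 0.0.255.255 any' as the NAT ACL, LAN-to-remote-LAN
packets are translated before the crypto map sees them, so crypto ACL 155
never matches and no SA is built. A deny for the VPN traffic has to precede
the NAT permit. Entry matching uses wildcard-mask bit arithmetic.
"""
import ipaddress
import re

# Constructed samples: router 1's ACLs as posted, and with Jon's corrected ACL 100.
ROUTER1_BEFORE = """\
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
ROUTER1_AFTER = """\
access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
"""

ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)
ALL_ONES = 0xFFFFFFFF


def _addr_wild(spec):
    """'any', 'host A' or 'A WILDCARD' -> (address, wildcard) as 32-bit ints."""
    parts = spec.split()
    if parts[0] == "any":
        return 0, ALL_ONES
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return (int(ipaddress.IPv4Address(parts[0])),
            int(ipaddress.IPv4Address(parts[1])))


def parse_acl(text, number):
    """Ordered entries of numbered ACL `number`; all other lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and int(m["num"]) == number:
            aces.append({"action": m["action"], "line": line.strip(),
                         "src": _addr_wild(m["src"]), "dst": _addr_wild(m["dst"])})
    return aces


def _overlaps(a, b):
    """Two (addr, wildcard) specs share an address iff they agree on every
    bit that is fixed (wildcard bit 0) in both of them."""
    (a1, w1), (a2, w2) = a, b
    return ((a1 ^ a2) & ~(w1 | w2) & ALL_ONES) == 0


def _contains(outer, inner):
    """`outer` covers all of `inner`: every bit outer fixes is also fixed in
    inner, with the same value."""
    (ao, wo), (ai, wi) = outer, inner
    fixed = ~wo & ALL_ONES
    return (wi & fixed) == 0 and ((ao ^ ai) & fixed) == 0


def nat_leaks(nat_acl, crypto_acl):
    """Crypto 'permit' entries (as ACL text) that the NAT ACL would translate.

    The first NAT entry overlapping a crypto entry decides: a permit is a leak,
    and a deny that does not cover the whole crypto entry is reported too,
    since part of the VPN traffic would fall through to later entries.
    """
    leaks = []
    for c in crypto_acl:
        if c["action"] != "permit":
            continue
        for n in nat_acl:
            if _overlaps(n["src"], c["src"]) and _overlaps(n["dst"], c["dst"]):
                covered = _contains(n["src"], c["src"]) and _contains(n["dst"], c["dst"])
                if n["action"] == "permit" or not covered:
                    leaks.append(c["line"])
                break
    return leaks


def check_router(config_text, nat_acl_number=100, crypto_acl_number=155):
    """Leaks for one router's config text, using the thread's ACL numbers."""
    return nat_leaks(parse_acl(config_text, nat_acl_number),
                     parse_acl(config_text, crypto_acl_number))


if __name__ == "__main__":
    print("before:", check_router(ROUTER1_BEFORE))  # the posted config leaks
    print("after: ", check_router(ROUTER1_AFTER))   # Jon's ordering is clean
```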

  • ASA 5520 to 5510 VPN is not creating the IPSEC Security Association

    I have an L2L IPsec tunnel built between a 5520 and a 5510. I'm sure I configured everything I need to, but when I do a show crypto ipsec sa there is nothing. I don't know whether the in-between firewalls are open to allow the connections as well. Also, whenever I set up part of the crypto map with a command such as: crypto map outside_map 10 set peer 6.7.0.13, it comes back with this error

    [IKEv1]: ignoring msg SA brand with the specified coordinates dead.

    Any ideas?

    Hello

    Could you please paste the output of the command "show run crypto" from both ASAs. Also, what do you see when you run "show cry isa sa"?

    Also, if your crypto ACL for the tunnel has something like this: "access-list ACL extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp",

    change the ACL to ip, i.e. "access-list ACL extended permit ip host 192.168.11.11 host 10.1.100.105". Let me know if that helps.

    Thank you

    Delvallée

  • Clearing ISAKMP and IPSec Security Associations in PIX

    Hello

    How do you clear the ISAKMP and IPSec security associations on a PIX? (As you do in IOS using the 'clear crypto ...' commands.)

    Thank you ------ Naman

    From config mode, type:

    clear ipsec sa

    clear isakmp sa

    I hope this helps.

    Cody Rowland

    Infrastructure engineer

  • Phase 2 question [all IPSec security association proposals considered unacceptable!]

     
    Hello

    I'm having trouble configuring an IPsec L2L tunnel between my 1921 and an ASA.
    I have to use aggressive mode as the 1921 does not have a fixed IP.

    Phase 1 of IKE is fine, but then I get the following message:

    5 Apr 01 2014 11:00:14 713119 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, PHASE 1 COMPLETED
    5 Apr 01 2014 11:00:14 713904 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, All IPSec SA proposals found unacceptable!

    and the tunnel does not come up.

    So I guess the identified networks are fine, and I suspect the transform set defined is not right.
     
    ASA:

    # Crypto map #
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address OUTSIDE_cryptomap_65535.130
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set security-association lifetime seconds 86400

    # Identification of the traffic #
    access-list Outside_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
     
     
    And on the 1921:
     
     
    crypto keyring LOCAL
      pre-shared-key address XXX.XXX.XXX.XXX key mykey
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp identity hostname
    crypto isakmp profile AGGRESSIVE-ASA
       keyring LOCAL
       match identity address XXX.XXX.XXX.XXX 255.255.255.255
       initiate mode aggressive
    !
    !
    crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
     mode tunnel
    !
    !
    !
    crypto map gsm2 isakmp-profile AGGRESSIVE-ASA
    crypto map gsm2 20 ipsec-isakmp
     set peer XXX.XXX.XXX.XXX
     set transform-set gsm
     match address 103
    !

    access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
     
     
     
    I have tried different combinations on the 1921 but no luck. What am I missing?
    Could anyone help with the transform-set command on the 1921? It's a little different than on the ASA.
    Can anyone help?
     
    Best regards

    You don't show us the configuration (if there is one) of the ASA's Phase 2 transform-set.

    There should be one matching your 1921, something like in this example:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  • IPsec Security Association keepalive

    Hello community,

    The customer has about 50 remote 871s (home) with IP phones.

    The main site has an ASA 5510 hosting the CUCM.

    The problem is...

    When user1 calls user2 there is no audio (since there is no IPsec security association built between the remote users).

    The fact that user1 called user2 built an IPsec SA between ROUTER1 and the ASA, but since there is no IPsec security association between ROUTER2 and the ASA for the users' traffic, audio fails.

    If user2 now calls user1, the call is successful, because the SAs are built:

    IPsec security association between ROUTER1 and the ASA for the user1/user2 traffic

    IPsec security association between ROUTER2 and the ASA for the user1/user2 traffic

    So the problem is that both parties must originate traffic to make this work.

    What I did to solve the problem is configure IP SLA on the routers to send a PING packet every 10 minutes to their home peers (thus keeping the SAs between the remote sites up all the time).

    IP SLA works, but I'm looking for a better way to solve the problem of having to manually trigger the traffic (DMVPN or running a routing protocol does not work with the ASA through the tunnel).

    I guess increasing the IPsec Security Association lifetime is another option.

    Looking to get recommendations, thanks!

    Federico.

    Hi Federico,

    Have you considered EzVPN/Easy VPN, with the ASA configured as the EzVPN server and the clients (routers/ASA5505) as EzVPN clients? This would bring the tunnel up as soon as it is configured.

    In addition, apart from increasing the SA lifetime (which is basically the Phase 2 rekey interval), you can configure vpn-idle-timeout to 'none' in the group-policy on the ASA.

    Any thoughts?

    Kind regards

    Praveen

  • ProDesk 600 G1 BIOS configuration of the TPM secure through the BIOS Configuration utility

    We have a range of HP desktop and laptop computers in our environment. The devices are all running Windows 7 64-bit and should have BitLocker enabled, but we found that some were not encrypted. So I am trying to set up a remote BIOS and BitLocker configuration activation script that we can push out via SCCM and then embed in a task sequence image for new machines.

    I use the HP BIOS Configuration Utility to check that a BIOS password is set and then activate the TPM chip. I took a BIOS config output from each of our models and created a settings file that has all of the TPM-related parameters for all models.

    At the moment I run the BIOS Configuration Utility manually for testing. On all the models I tried it works very well, except for the ProDesk 600 G1 SFF.

    When I run the utility on the ProDesk 600 G1 SFF, it says that it has successfully updated the settings, and when I check the BIOS, the Embedded Security device has been unhidden and TPM management has been given to the operating system (two settings I change), but the TPM itself remains hidden.

    This is the output of the BIOS Configuration Utility (it is version 2.60.13.1, which uses plaintext passwords. I also tried the later version 3.0.13.1 that uses password files, with the same result):

    C:\> BiosConfigUtility64.exe /cspwd:"password" /set:"TPM_Config.REPSET"
    <BIOSCONFIG Version="2.60.13.1" Computername="HP600G1" Date="24/07/2014" Time="13:01:37" UTC="1">
      <SETTING changeStatus="pass" name="Embedded Security Device" reason="" returnCode="0">
        <OLDVALUE><![CDATA[Device hidden]]></OLDVALUE>
        <NEWVALUE><![CDATA[Device available]]></NEWVALUE>
      </SETTING>
      <SETTING changeStatus="pass" name="Activate Embedded Security On Next Boot" reason="" returnCode="0">
        <OLDVALUE><![CDATA[Disable]]></OLDVALUE>
        <NEWVALUE><![CDATA[Enable]]></NEWVALUE>
      </SETTING>
      <SETTING changeStatus="pass" name="OS Management of Embedded Security Device" reason="" returnCode="0">
        <OLDVALUE><![CDATA[Disable]]></OLDVALUE>
        <NEWVALUE><![CDATA[Enable]]></NEWVALUE>
      </SETTING>
      <SUCCESS msg="Successfully set BIOS config." />
      <Information msg="BCU return value" real="0" translated="0" />
    </BIOSCONFIG>
    C:\>

    And after a reboot (which should activate the TPM), the BIOS shows the Embedded Security Device as disabled (see attachment for the image).

    I have tried everything I can think of to get this to activate, including:

    • Different versions of the BIOS configuration utility

    • Removing the BIOS password and applying the settings in the same order

    • Different passwords

    • Rebooting and allowing the machine to boot completely into Windows before checking whether the setting took effect

    I also tried adding the utility and the commands to an SCCM package and running it both directly and as part of a task sequence to see if that makes a difference, but nothing I've done has activated the TPM module.

    I know that the TPM module works, as you can turn it on manually and then BitLocker can be applied to the machine, but with thousands of devices in our environment I need to get this working without the need for manual intervention.

    Has anyone else had this problem and found a solution? Or has someone managed to activate the TPM on the ProDesk 600 G1 SFF using the BIOS Configuration Utility? Any ideas / suggestions would be very much appreciated!

    P.S. This thread was moved from Business PCs - Compaq, Elite, Pro to HP PC Client Management. - HP Forum moderator

    This problem has now been resolved by HP.

    They provided a replacement motherboard for the test machine I was using, which solved this problem. I don't know what kind of motherboard failure could prevent activation of the TPM chip via the script but not through the BIOS menu, but as a replacement solved the problem, it must have been a hardware failure.

  • I'm having a problem with the update of the last security update. What can I do?

    Remember - this is a public forum, so never post private information such as e-mail addresses or telephone numbers!

    Ideas: problem getting my PC to download the latest security update

    • Problems with programs
    • Error messages
    • Recent changes to your computer
    • What you have already tried to solve the problem

    Floyd,

    It helps those answering questions if you provide:

    What version of Windows (32-bit or 64-bit) and service pack level.

    What browser you use (exact version).

    What antivirus application or security suite is installed, and is your subscription current?

    What third-party firewall.

    What anti-malware software is installed.

    What updates are you trying to install?
    What error do you get when trying to install the updates?

    In addition to the information required:

    How to view the Windows Update log

    Click Start, and then click Run.

    In the Open box, type %windir%\windowsupdate.log

    and then click OK.

    Scroll down to the last entries to find the error codes associated with the last download/install attempt.

    Start at the bottom and work your way up to a section that indicates an ERROR, WARNING or FATAL.

    If appropriate, copy and paste the error codes into this thread so that someone may be able to help you.

    Alternatively, you can search the forum for the error code and other suggestions.

    Also check the Windows folder for a file called KB*.log (* = the update number, e.g. KB896688) and post the contents for the update that failed.

    This may provide clues as to why the update failed.

    How to read the windowsupdate.log file:

    http://support.Microsoft.com/?kbid=902093

  • HP Stream 13.3: master password for the software security device

    I recently bought my HP laptop and I thought it would be a good idea to use a password, so I created one, and for the life of me I cannot remember what it is. I used Google to see what I could do. It told me that I could restore the computer to factory settings, keep my files and clear the password. I tried that, and when I logged on today it again asked me for the password in a box that says: Please enter the master password for the software security device. I have tried everything; how can I get rid of this or reset it so that I can pick one and write it down? It won't let me log in to my school's website because even if I click Cancel it tells me I can't get in because it cannot determine my credentials. Yes, even though I entered my password for my school site, which doesn't matter because I do not know the master password! Please help as soon as you can!

    PiTT

    E-mail: [email protected]

    See the support document here:

    https://support.Mozilla.org/en-us/KB/reset-your-master-password-if-you-forgot-it

  • iOS 10 effect on battery life for the iPhone 6s

    I bought a 64GB iPhone 6s one month before the release of iOS 10. I have noticed a huge difference in battery life since upgrading to iOS 10, and the iPhone has the latest version (iOS 10.0.2). I have disabled some features I found online, such as raise to wake, and reduced others to save battery life, but I'm still not satisfied with the result. Can someone please guide me on what I can do? Or can it be reviewed and fixed in the next software update?

    I had this problem too. I went into Settings > Battery, checked my battery usage and fixed the applications with background activity that were draining it. But it's still pretty bad. I had to leave my phone in low power mode just to prevent it from dropping to like 60% after only being on for 3 hours.

  • How to reset the iCloud security code

    Can you reset the iCloud Security Code before one has entered it incorrectly too many times?

    (I am signed in to iCloud on my MacBook and want to sign in on my iPad, but am unsure of the security code to use, so I want to reset it on the MacBook.)

    The Apple Help topic "If you enter your iCloud Security Code wrong too many times..." says:

    On a Mac using OS X Yosemite or later:

    Choose the Apple menu > System Preferences, and then click iCloud.

    Click Options next to Keychain.

    Click Change Security Code, and enter a new iCloud Security Code.

    My prefs do not show "Options" beside Keychain. (Keychain is enabled.)

    Do I have to go through the process of entering it incorrectly too many times on the iPad before "Options" will appear on the Mac?

    There is no way to reset the iCloud security code, as it is held on Apple's servers. What specific problems do you encounter when you try to sign in on your iPad?

  • Unable to parse your feed. Invalid XML: error on line 190: attribute name "disabled" associated with element type "button" must be followed by the "=" character.

    Hello, I am trying to upload an episode of my podcast in Podcast Connect and get this error:

    Unable to parse your feed. Invalid XML: error on line 190: attribute name "disabled" associated with element type "button" must be followed by the "=" character.

    My feed is validated? http://beprovidedhealthradio.libsyn.com/RSS

    It worked for my first episode. I don't know why it doesn't work for the second episode. I also use Libsyn, if that helps.

    Your show is already in iTunes.

    https://iTunes.Apple.com/podcast/id1151562400?MT=2&ls=1

    And everything seems fine with it and your feed.  You ONLY SUBMIT YOUR FEED ONCE.

    That's it - better to stay out of your Podcast Connect account - only bad things happen from going in there and playing with things.  Once again, your show is fine and is in iTunes, and your feed is good.

    Both episodes show when you subscribe - and your most recent episode will appear on the iTunes Store page within 24 hours of when you posted it.

    Rob W

    https://iTunes.Apple.com/us/podcast/beprovided-health-radio/id1151562400?MT=2
