Migration of VPN3000 to ASA - Sets of transformation
I'm working on the conversion of a number of tunnels L2L over our an ASA VPN concentrator. A question I've met (so far) is the transfer of the transform sets.
I have a number of tunnels on the concentrator using ESP, MD5, HMAC-160. However, ASA, authentication methods only can I use are esp-md5-hmac (which is hmac-128) and esp-sha-hmac (which is hmac-160).
I'm trying to make this as transparent as possible, especially for the client at the other end (we do not maintain the peers). I have no choice to change the authentication method for the latter?
Thought I'd ask.
Thank you.
Jason
Jason,
I have access to a hub at the time and under Configuration . Management strategies | Traffic management | Security associations
for the authentication options, I see only:
ESP, MD5, HMAC-128 or
ESP/HMAC/SHA-160
Federico.
Tags: Cisco Security
Similar Questions
-
I can't download the trail. It is said that migration is not necessary by setting. Stop smoking in the library.
I deleted all the files on the error in the file "Adobe", and I downloaded it again. It worked this time. Thank you.
-
Why is - that someone would use Authentication Header in a set of transformation?
I came on a setup that uses an IPSEC transform-set of esp-3des ah-sha-hmac. It is a Cisco router, and it runs inside a MPLS tunnel. Because ESP does everything what AH, is there no good reason to use AH?
I would like to change it because I haven't read fully the framework.
It's a little strange to see, but not out of the question. ESP has largely supplanted AH because authentication and integrity, and encryption can be treated in a protocol. AH is still valid in this scenario, but simply do everything with ESP now.
-
Migrate certificates on Cisco ASA
Hello
I'm migrating an ASA5520 to an ASA5525-x. I'm just going through the configs and copy the bias.
How can I migrate on certificates?
Thank you
If it's a public certificate signed PKI, not easily. You must have the private key of the server (ASA) for use on an another ASA. Unless you checked exportable at creation time, it is not exportable by default.
You could inform you as to whether the issuer will be re-edited if you submit a new CSR.
-
VPN peers on old ASA, reverse routing as we migrate to the new ASA and new Internet
Hello
I'm migrating my old Internet/VPN connection. How can I ensure that even existing VPN are addressed to my old/curreent ASA
While my default gateway must get out of my new internet link
Very vague question, given the lack of topology ;/
In general redistribute you your range of IP addresses downstream pool to the nucleus.
-
Migration licenses VPN between ASAs
I have a X 5515 ASA firewall with VPN client licenses. I also have a spare ASA 5510 with a 25 ASA 5500 VPN SSL user license.
Simple question: can I migrate licenses off the 5510 on 5515 x?
Thanks for the ideas
Jim
Hello Jim,
No, it is not possible.
Please contact [email protected] / * / for more details.
HTH.
-
VPN from Site to Site ASA setting not
Hi all...
I have two firewalls ASA 5505, headquarters of one and the other in a warehouse at a distance. I want to create an IPsec tunnel so that our warehouse distance can use some applications that have a component of database hosted at Headquarters.
I think I created links correctly (in reverse the settings on the two ASAs and crippled the IP addresses were required, quadruple checked the IKE keys, etc.) but my tunnel does not put in place.
At this point, I think what Miss me is probably obvious and manifest right at me. Anyone would be able to help? I can provide show run on devices and other log files, as requested.
Concerning
Rob
Hello
Try changing your peer IP card crypto HQ. It's different on what is configured on the ASA remote outside intellectual property.
-
Many sub-strategies and transform sets for peer 1 tunnel?
Recently acquired a heavy ASA company, with network administrators. They seem to stand for some things to ASA I don't understand quite below.
This is one site talked, and there's only 1 tunnel on this subject on the hub. This tunnel appealed to the transformation of named sets ""ESP-3DES-SHA "&"ESP-3DES-MD5." " That said, why have they configured transform sets for AES 256, AES 192, AES and if they ask only 3DES transformation sets in the card encryption? The sub-strategies down from the extract of seem to have something to do with it, but if that were the case, wouldn't you call all transformation configured in the encryption card sets to perform fully all sub-strategies set in this config, because each set of sub-policy puts the encryption to a different type / method?
Excerpt from the configuration:
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transitcard crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set of peer XX.XXX.XXX. XX
card crypto outside_map 1 set ikev1 transform-set ESP-3DES-MD5 SHA-ESP-3DESoutside_map interface card crypto outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400Only the transform-set called card encryption will be used. Policies will be judged by priority until a correspondent of the hub is found. Ideally, it would be first.
You're right for the use case you describe only a single defined and political transformation is necessary. Multiples are often the legacy of the settings by default and, sometimes, an attempt to standardize with each set of transformation and the policy on the ASAs so that no matter where they end up connect to the necessary building blocks are in the config. However, it causes a lot of unused lines.
-
"the apprentice" crypto transform-set issues
Greetings - I was sort of a backup person or I guess as "Apprentice" to our network administrator who has recently retired. Same story, guess who is responsible now to figure it all out.
We have a pair of 5510 in the main office, the second is a "fail-over" the death of number 1.
Our remote offices have 5505 s (system image file is disk0: / asa844-1 - k8.bin) which connect here on LAN-to-LAN via the Internet connection provided to this office by various Internet service providers. Mostly good, some "tunnels" or connections remain for days, or even weeks or sometimes months without any problem.
But we have some offices of disorder where each connection fall fairly regularly or in one case, they often lose the ability to connect to the connector of the computer central address here. We have different subnets in our offices, the mainframe and email are provided by the State, or IT Enterprise/ITE Central. Some of our 'networks' uses public addresses, some private.
Each remote office has its own network. The numbering is based on number of office accountant, not that it's really important.
Thus each remote office will have a private 10.252.xxx.xxx plan where the first xxx film series is the office number and the last series of xxx is the range assign us, normally broke up with a 27 (255.255.255.224) mask.
This established, a typical office will be 10.252.24.1 - 30 (10.252.24.0 network)
I was thrown in the fire and said to our offices in problem to understand. In trying to figure out why things are what they are, I find things which surprise me. Can't put my finger on it, but it just doesn't feel good.
A topic at a time - I find Cisco documentation that says you can assign a MAXIMUM of 6 transform sets to all that.
HOWEVER, I find more than 6 in the list, 11 actually. I can't understand why so many and what the heck we even need more than 1 or 2 for anyway. I think it's here because updates to the os on the means of years that things seemed simply by the process of update and I think also that some has been everything simply because things have been tried - to throw in and see if it helps. I hate this.
I want these cleaned and only the code that is required to be left - and in a way I can understand. And if that helps with our connection issues, great, but if not at least things will be easier to sort through and understand.
This is the area in question for the purposes of this post-
Looking at the small part of our config in a typical remote office ASA5505 I'll post below - which belongs or is necessary, and what is foreign and may or must be destroyed or deleted.
Why 11 lines of transform-set?
Spoke 6 max? (this quote) > after a set of transformation configuration, you assign it to a card encryption. You can assign up to six sets of the transform to a card encryption.----------------------------------------------------------------------
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac (why this?)
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac.
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac.
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac.
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac.
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac.
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac.
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac.
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac.
Crypto ipsec ikev1 transform-set ESP-DES-MD5 esp - esp-md5-hmac (10 of them besides the next)
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 vpnivrs (kind of sense-vpnivrs is the 'name' and serves...?)
ivrsmap card crypto 10 corresponds to the address DESENLOG
crypto ivrsmap 10 card game 209.111.111.666 peers (changed to protect the real address)
ivrsmap 10 set transform-set vpnivrs ikev1 crypto card
ivrsmap interface card crypto outside
Crypto isakmp nat-traversal 30
Crypto ikev1 allow outside
IKEv1 crypto policy 10 (why two of these lines of 'political'?)
preshared authentication
3des encryption
md5 hash
Group 2
lifetime 28800
IKEv1 crypto policy 65535 (see above - this is number 2 - why two? in what do this?)
preshared authentication
3des encryption
sha hash
Group 2
life 86400
--------------------------------------------------------Some quick stats or tests.
VRAMSASA1 # show crypto ikev1 his
IKEv1 SAs:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 209.111.111.666
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEI can provide any additional information can help.
I have already corrected some problems by turning the NAT - T on offices provided Internet via a DSL modem, that the modem is apparently a NAT - external interfaces on the 5505 device s with DSL have 192.168 addresses and the MODEM has the Internet address where the provided cable modem sites have a direct public address on the external interface. Something bothered me on these sites - and I was able to understand what and why. This example configuration above mind right now - but I don't know why.Just an another public employee trying to make it work properly, having to learn the hard way now...
I apologize if this isn't the correct area to post.
Thank you.You are welcome.
Regarding your questions Suites A and B - two Yes.
DO first - make a backup of your configuration. It is a good idea during changes of any kind. If you have doubts, backs up front and backup after. Do a comparison aside to check your work. (I use ExamDiff make comparison of less prone to human error long text files.)
When you have preshared keys (which appear as hashes when you perform a simple "show run"), you must use the following (when recording the output of your senior year):
term pager 0more system:running-configThe first line will make all output scroll by at the time and the second will print configuration with pre-shared plaintext keys.
-
Is it possible on board animate through code to set a value of transformation of timeline?
Is it possible on board animate through code to set a value of transformation of timeline? If this isn't the case, it would be a great feature. For example, I have a symbol that I'm animated to look like, it's jump using the timeline. I would like to use the code to turn a bit randomly the symbol at the height of the jump before she comes back down. I tried sym.$("element").css ({"transform":"rotate("+randNum"deg)"});}) in a trigger on the timeline, but it seems that my code gets overridden by the transformations of chronology of Edge.
It would be cool to have a user interface to say choice a value in a range for this keyframe. Or if there is a way to do it through code that had to be cool.
If I understand correctly, you want to do animation of the jump to animate and change rotation according to your logic.
You should take this approach.
1. Add a handler for "Timeline.update".
2. in the Manager to obtain the current transformation
3 merge your rotation with the current transformation
4. set the transformation merged as a symbol. $("element") .css ({"transform":...})
You will find this useful
-
Hi all
I read the http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and following the steps to create a remote access VPN. At the end of this post is delivered to the FW config.
I test the connection on a Cisco VPN Client for Windows Remote with plans on the migration of the profile to my Linux laptop. What I see is an error message when you run 'debug cryptop isa 129' of
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryWhat seems strange to me, is that I have a group policy and a configured connection IPSec 'RemoteHome' profile, but it is not referenced in the debug output. I searched through my config for DefaultRAGroup, but nothing helped. However I found it in the ASDM under IPSec connection profiles.
I configured the FW to use LOCAL authentication and have configured the VPN Client with the right user name and password.
So, basically, I'm at a loss on how to correct my mistake. Any help much appreciated.
After the config FW is the power output of debug crypto isa 129.
See you soon,.
Conor
RemoteHome_splitTunnelAcl list standard access allowed host 10.2.2.2
RemoteHome_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.0.0
RemoteHome_splitTunnelAcl standard access list allow 10.3.3.0 255.255.255.0
RemoteHome_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
access-list 1 permit line INSIDE_nat0_outbound extended ip host 10.2.2.2 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 2 extended ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
permit for access list 3 INSIDE_nat0_outbound line scope ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 4 extended ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
local pool VPN_REMOTE_POOL 192.168.2.90 - 192.168.2.99 255.255.255.0 IP mask
internal RemoteHome group strategy
Group Policy attributes RemoteHome
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RemoteHome_splitTunnelAcl
value of DNS server *.
cunningtek.com value by default-field
tunnel-group RemoteHome type remote access
attributes global-tunnel-group RemoteHome
Group Policy - by default-RemoteHome
address VPN_REMOTE_POOL pool
IPSec-attributes tunnel-group RemoteHome
pre-shared key *.
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
NAT (INSIDE) 0 access-list INSIDE_nat0_outbound tcp udp 0 0 0Firewall # Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) the SELLER (13) + the SELLER (13) + SOLD
OR (13) of the SELLER (13) + the SELLER (13) + (0) NONE total length: 849
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ISA_KE
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, nonce payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received xauth V6 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, DPD received VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received Fragmentation VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received NAT-Traversal worm 02 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, the customer has received Cisco Unity VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, message received ISAKMP Aggressive Mode 1 with the name of Group of unknown tunnel "conor".
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA proposal # 1, transform # 5 entry overall IKE acceptable matches # 1
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build the payloads of ISAKMP security
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building nonce payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for answering machine...
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of payload ID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of hash
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, calculation of hash for ISAKMP
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of Cisco Unity VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing payload V6 VID xauth
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing the payload of the NAT-Traversal VID ver 02
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of Fragmentation VID + load useful functionality
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) + HASH (8) the SELLER (13) + the SELLER (13) + SOLD
OR (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + (0) NONE total length: 424
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, case of mistaken IKE AM Responder WSF (struct & 0xd8d3bed8), : AM_DONE, EV_ERROR--> AM_SND_MSG2, EV_
SND_MSG--> AM_SND_MSG2, EV_START_TMR--> AM_BLD_MSG2, EV_BLD_MSG2_TRL--> AM_BLD_MSG2, EV_SKEYID_OK--> AM_BLD_MSG2, NullEvent--> AM_BLD_MSG2, EV_GEN_SKEYID--> AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 ending: 0x0104c001, refcnt flags 0, tuncnt 0
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending clear/delete with the message of reason
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryI think this is the beginning of your question.
Message received ISAKMP aggressive Mode 1 with the name of the unknown group tunnel "conor".
In the vpn client, you must enter the name of the group, RemoteHome and pre shared key, NOT your username. You will be asked your username after login.
As the name conor group does not exist, it is failing in the DefaultRAGroup
-
Issue of ASA L2TP VPN error QM WSF
Hello guys
Facing the issue with new support for .do L2tp connection on this you can
L2TP is terminiated on ASA and ASA before there is a router where ASA outside interface is coordinated to the public IP address
Here is the config and the logs.earlier of debugging that she was unknown to the Group and now tunnel is not eslablshitng to my machine via l2tp
ASA 5,0000 Version 59
access-list acl - scope ip allowed any one
acl_outside list extended access permitted ip object-group HQ ABC object-group
acl_outside list extended access permit tcp any host 10.10.20.10 eq 5269
inside_nat0 list extended access permitted ip object-group ABC object-group HQ
inside_nat0 list of allowed ip extended access all 10.1.252.0 255.255.255.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0IP local pool vpngroup 10.1.252.1 - 10.1.252.253 mask 255.255.255.0
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0
NAT (inside) 1 0.0.0.0 0.0.0.0Crypto ipsec transform-set esp-3des esp-sha-hmac trans
Crypto-map Dynamics dyno 10 transform-set ESP-3DES-MD5-TRANS trans
card crypto 65535-isakmp ipsec vpn Dynamics dyno
vpn outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
Crypto isakmp nat-traversal 3600internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 10.1.16.11 DNS server 10.1.16.13
VPN-idle-timeout no
VPN-session-timeout no
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
by default-field valuexyz.com
Split-dns value xyz.com
enable dhcp Intercept 255.255.0.0
the authentication of the user activation
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsecpassword cisco KCtylQW4545gfddN6mbi93ijmA user name is nt encrypted
attributes username cisco
Protocol-tunnel-VPN l2tp ipsec
type of remote access service
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared key *.
attributes global-tunnel-group DefaultRAGroup
vpngroup address pool
Group Policy - by default-DefaultRAGroup
management of the password password-expire-to-days 30
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication===========================
Debug logs:
EQ-INTFW01 # Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) +.
SELLER (13) of the SELLER (13) of the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) ++ NONE (0) overall length: 38
4
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Oakley proposal is acceptable
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT - Traversal RFC VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received NAT-Traversal worm 02 VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, received Fragmentation VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA payload processing
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
our p
Apr 04 14:59:36 [IKEv1]: failure of Phase 1: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg would have: Gr
OUP 2
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, IKE SA proposal # 1, transform # 5 acceptable entry Matches overall IKE #.
1
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build the payloads of ISAKMP security
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing the payload of NAT-Traversal VID worm RFC
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, construction of Fragmentation VID + load useful functionality
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13)
NONE (0) + SELLER (13) overall length: 124
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10)
NAT - D (20) + NAT - D (20), NONE (0) overall length: 260
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, processing ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload processing ISA_KE
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, payload NAT-discovery of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building ke payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, building nonce payload
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads of Cisco Unity VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, constructing payload V6 VID xauth
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send IOS VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilit)
IES: 20000001)
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, build payloads VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, NAT-discovery payload construction
Apr 04 14:59:36 [IKEv1 DEBUG]: IP = 195.229.90.21, calculation of hash discovered NAT
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Generating keys for answering machine...
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4), NUNCIO (10) +.
SELLER of the SELLER the SELLER (13) (13) (13) of the SELLER (13) + NAT - D (20) + NAT - D (20) ++ (0) NONE total length: 304
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8) +.
NONE (0) overall length: 64
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, status of automatic NAT detection: remote endpoint IS be
Hind a NAT device this end is behind a NAT device
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, connection landed on tunnel_group DefaultRAGroup
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload ID
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, calculation of hash for ISAKMP
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building dpd vid payload
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, ID (5) + HASH (8) + V
ENDOR (13) + (0) NONE total length: 84
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 1 COMPLETED
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, for this connection Keep-alive type: None
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, Keep-alives configured on, but the peer does not support persistent (type = None)
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P1: 21600 seconds.
Apr 04 14:59:36 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000001
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
10.1.100.79, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
85.78.161.254, Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its not found old addr
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M
global security association entry IPSec matches # 10
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:36 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
01
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 1) with payloads: HDR, HASH (8), HIS (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:36 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0x321170a2, SPI = out = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x8349be0f
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0x321170a2
Apr 04 14:59:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:36 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000001)
Apr 04 14:59:36 [IKEv1]: rules of classification IKEQM_Active() Add L2TP: ip <195.229.90.21>mask <0xFFFFFFFF>port<4500>
Apr 04 14:59:38 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000002
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, static check card Crypto, card dyno, seq = 10 is a success
FUL game
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Selecting one-encapsulated-Tunnel UDP and UDP - en
pre-measured-Transport modes defined by NAT-Traversal
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, remote peer IKE configured crypto card: dyno
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, ITS processing IPSec payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IPSec SA proposal # 2, transform # 1 acceptable M
global security association entry IPSec matches # 10
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE: asking SPI!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, the delete unit Active process event generate a new key for outdoors
peer 195.229.90.21.Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got SPI engine key: SPI = 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, quick mode of oakley constucting
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building the IPSec Security Association Management
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of support useful Nuncio IPSec
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the ID of the proxy
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, transmission Proxy Id:
Remote host: 195.229.90.21 Protocol Port 17 0
Local host: 10.10.20.2 Protocol 17 Port 1701
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, construction of payload NAT Original address
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address sending NAT-Traversal
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
Apr 04 14:59:38 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Responder sending 2nd QM pkt: id msg = 000000
02
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 2) with payloads: HDR, HASH (8), SA (1) + N
A TIMES (10) + ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21) + (0) NONE total length: 184
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR + HASH (8) + NO (0)
total length: 52
Apr 04 14:59:38 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = b0e14739) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE Received delete to resultants to reappear homologous IKE: 195,22
9.90.21, reappear addr: cd4874a0, msgid: 0x00000001
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, L2TP/IPSec: ignoring delete for a sentry (rekeyed m
SGID = 1)
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, loading all IPSEC security associations
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, generate Quick Mode key!
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, NP encrypt rule looking for dyno carpet 10 crypto card
Ching unknown ACL: returned cs_id = ccf1ac00; rule = 00000000
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, security full negotiation for user (Responder), in
related SPI, 0xc9c523ea, SPI = out = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE got a msg KEY_ADD for SA: SPI = 0x619b7d3a
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, pitcher: received KEY_UPDATE, spi 0xc9c523ea
Apr 04 14:59:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, timer to generate a new key to start P2: 3060 seconds.
Apr 04 14:59:38 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, PHASE 2 COMPLETED (msgid = 00000002)
Apr 04 14:59:39 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:39 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:39 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd51dbb8, mess id 0x3)!
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
DBB8), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:39 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:41 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:41 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:41 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:41 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:41 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:44 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:44 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:44 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:44 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:44 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:48 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:48 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:48 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd5159c8, mess id 0x3)!
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
59 c 8), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, encrypted packet received with any HIS correspondent, dropEQ-INTFW01 # IPSEC: deleted leaving encrypt rule, SPI 0x243066CC
Rule ID: 0xCD487C20
IPSEC: Remove permitted outbound rule, SPI 0x243066CC
Rule ID: 0xCD51D3E8
IPSEC: Circumscribed outgoing VPN, SPI 0x243066CC context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x44001D8E
Rule ID: 0xCD51DC68
IPSEC: Deleted the allowed inbound rule, SPI 0x44001D8E
Rule ID: 0xCD51DE08
IPSEC: Remove workflow rule entrants tunnel, SPI 0x44001D8E
Rule ID: 0xCD51CCF8
IPSEC: Circumscribed incoming VPN, SPI 0x44001D8E context
VPN handle: 0 x 00035734
IPSEC: Deleted leaving encrypt rule, SPI 0x9EF2CA7A
Rule ID: 0xCD3CD1E8
IPSEC: Remove permitted outbound rule, SPI 0x9EF2CA7A
Rule ID: 0xCD51AE20
IPSEC: Removed outbound VPN, SPI 0x9EF2CA7A context
Handle VPN: 0x00033D94
IPSEC: Deleted the inbound rule decrypt, SPI 0x866D812A
Rule ID: 0xCD487FD0
IPSEC: Deleted the allowed inbound rule, SPI 0x866D812A
Rule ID: 0xCCB3D7D0
IPSEC: Remove workflow rule entrants tunnel, SPI 0x866D812A
Rule ID: 0xCD48B110
IPSEC: Deleted incoming VPN, SPI 0x866D812A context
VPN handle: 0 x 00035734
IPSEC: HIS embryonic new created @ 0xCCB9C1F8.
RCS: 0XCD489170,
Direction: inbound
SPI: 0XADBC899B
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD17B2B8.
RCS: 0XCD4896C8,
Direction: outgoing
SPI: 0XD69313B6
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xD69313B6
IPSEC: Creating outgoing VPN context, SPI 0xD69313B6
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x00000000
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: New rule to permit outgoing, SPI 0xD69313B6
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: Completed the update of IBSA host, SPI 0xADBC899B
IPSEC: Create context incoming VPN, SPI 0xADBC899B
Flags: 0 x 00000226
SA: 0XCCB9C1F8
SPI: 0XADBC899B
MTU: 0 bytes
VCID: 0X00000000
Peer: 0x00037A0C
CBS: 0 X 01088849
Channel: 0xC929B4C0
IPSEC: Completed incoming VPN, SPI 0xADBC899B context
Handle VPN: 0x0003864C
IPSEC: updated outgoing VPN 0x00037A0C, SPI 0xD69313B6 context
Flags: 0 x 00000225
SA: 0XCD17B2B8
SPI: 0XD69313B6
MTU: 1500 bytes
VCID: 0X00000000
Peer: 0x0003864C
CBS: 0X010926E1
Channel: 0xC929B4C0
IPSEC: Finished outgoing VPN, SPI 0xD69313B6 context
Handle VPN: 0x00037A0C
IPSEC: Internal filled rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD489970
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xD69313B6
Rule ID: 0xCD4899F8
IPSEC: New entrants flow tunnel, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0xADBC899B
Rule ID: 0xC92B0518
IPSEC: New rule to decrypt incoming, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0xADBC899B
Rule ID: 0xCD3CD1A8
IPSEC: New rule incoming authorization, SPI 0xADBC899B
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0xADBC899B
Rule ID: 0xCD03D6F0
IPSEC: HIS embryonic new created @ 0xCD51AC70.
RCS: 0XCD51ABC0,
Direction: inbound
SPI: 0X89796CE7
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: HIS embryonic new created @ 0xCD488538.
RCS: 0XCD488D48,
Direction: outgoing
SPI: 0XEF66E002
Session ID: 0x0000E000
VPIF num: 0x00000001
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
IPSEC: Completed the update of NDONGO host, SPI 0xEF66E002
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: New outbound encrypt rule, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 1701
Bass: 1701
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished out encrypt rule, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: New rule to permit outgoing, SPI 0xEF66E002
ADR SRC: 10.10.20.2
SRC mask: 255.255.255.255
ADR DST: 195.229.90.21
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished allowed outbound rule, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: Completed the update of IBSA host, SPI 0x89796CE7
IPSEC: Completed incoming VPN, SPI 0x89796CE7 context
Handle VPN: 0x0003864C
IPSEC: Finished outgoing VPN, SPI 0xEF66E002 context
Handle VPN: 0x00037A0C
IPSEC: Filled internal SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD488948
IPSEC: External filled SPD rule of outgoing traffic, SPI 0xEF66E002
Rule ID: 0xCD51BEE0
IPSEC: New entrants flow tunnel, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
High: 0
Low: 0
OP: ignore
Ports of DST
Superior: 1701
Bass: 1701
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Incoming Tunnel filled with flow, SPI 0x89796CE7
Rule ID: 0xCD51C6F0
IPSEC: New rule to decrypt incoming, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Completed inbound rule decrypt, SPI 0x89796CE7
Rule ID: 0xCD487CC8
IPSEC: New rule incoming authorization, SPI 0x89796CE7
ADR SRC: 195.229.90.21
SRC mask: 255.255.255.255
ADR DST: 10.10.20.2
DST mask: 255.255.255.255
Ports of CBC
Superior: 4500
Bass: 4500
OP: equality
Ports of DST
Superior: 4500
Bass: 4500
OP: equality
Protocol: 17
Use the Protocol: true
SPI: 0X00000000
Use the SPI: false
IPSEC: Finished entering permitted rule, SPI 0x89796CE7
Rule ID: 0xCD487E68EQ-INTFW01 #.
--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:48 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:48 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
Apr 04 14:59:57 [IKEv1 DECODER]: IP = 195.229.90.21, IKE Responder starting QM: id msg = 00000003
Apr 04 14:59:57 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = 3) with payloads: HDR + HASH (8) + HER (1) +.
ID (5) + ID (5) + NAT - OA (21) + NAT - OA (21), NUNCIO (10) + (0) NONE total length: 324
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, SA payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, nonce payload processing
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
10.1.100.79
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID remote Proxy Host: address
195.229.90.21, Protocol 17, Port 0
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload processing ID
Apr 04 14:59:57 [IKEv1 DECODER]: Group = DefaultRAGroup, IP = 195.229.90.21, ID_IPV4_ADDR received ID
185.78.161.254
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, data received in payload ID local Proxy Host: address 1
0.10.20.2, Protocol 17 Port 1701
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, detected L2TP/IPSec session.
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, payload NAT Original address of treatment
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, QM IsRekeyed its already be regenerated
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, error QM WSF (P2 struct & 0xcd515f40, mess id 0x3)!
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, case of mistaken IKE responder QM WSF (struct & 0xcd51
5f40), : QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MS
G--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
Apr 04 14:59:57 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
Apr 04 14:59:57 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, peer table correlator Removing failed, no match!
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, building IPSec delete payload
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:08 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = 64ea9549) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 68
04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives an event would have expired for re
Mote 195.229.90.21 counterpart.04 Apr 15:00:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:08 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0x321170a2
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE RECEIPT Message (msgid = d28ee0e6) with payloads: HDR + HASH (8), OF
LETE (12) + (0) NONE total length: 68
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, processing hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, removal of treatment
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, completed for peer Connection. Reason: Put an end to Peer
Remote proxy 195.229.90.21 Proxy Local 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, Active unit receives a delete for remote wet event
r 195.229.90.21.04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE, removing SA: Remote Proxy 195.229.90.21, Local
Proxy 10.10.20.2
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 RRs would end: MM_ACTIV of State
E flags 0 x 00000042, refcnt 1, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, IKE SA MM:a32eab27 ending: flags 0 x 01000002,
refcnt 0, tuncnt 0
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, sending clear/delete with the message of reason
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, empty building hash payload
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, constructing the payload to delete IKE
04 Apr 15:00:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 195.229.90.21, build payloads of hash qm
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, IKE_DECODE SEND Message (msgid = e5c290b6) with payloads: HDR + HASH (8) + delete
SUMMER (12) + (0) NONE total length: 80
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1 DEBUG]: pitcher: received the keys delete msg, spi 0xc9c523ea
04 Apr 15:00:11 [IKEv1]: Group = DefaultRAGroup, IP = 195.229.90.21, Session is be demolished. Reason: The user has requested
04 Apr 15:00:11 [IKEv1]: ignoring msg SA brand with Iddm 36864 dead because ITS removal
04 Apr 15:00:11 [IKEv1]: IP = 195.229.90.21, encrypted packet received with any HIS correspondent, drop!
I'm glad that the problem is solved!
Please mark the thread as answered in favour of other members of the community.Kind regards
Dinesh Moudgil -
Hello world
I have a 8.4 ASA
Recently, I have setup a "L2tp Vpn" connection, but I m facing a lot of question
actually I m not able to connect any of windows client (windows 7 & 8)
below is my setup and debugging I did
Any help would be appreciated, thank you in advance
MY SETUP L2TP
~~~~~~~~~~~~~~~~~~~~~~2 Configure ISAKMP policy
-----------------------------IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 864003 configure an address pool
--------------------------------mask IP local pool L2TP_POOL-WHO 10.30.255.1 - 10.30.255.6 255.255.255.248
4. configure the authentication method
--------------------------------------
Locally on ASA
------------------username privilege the mschap password l2tp SGC 0
attrib l2tp username
VPN-group-policy DefaultRAGroup
Protocol-tunnel-VPN l2tp ipsec4. define group policy
------------------------
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
the address value L2TP_POOL-WHO pools
Protocol-tunnel-VPN l2tp ipsec5 set the tunnel group
------------------------attributes global-tunnel-group DefaultRAGroup
address-pool L2TP_POOL-OMS
Group Policy - by default-DefaultRAGroupIPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
ms-chap-v2 authentication6. ipsec settings
------------------------------
Crypto ipsec transform-set RIGHT ikev1 aes - esp esp-sha-hmac
IKEv1 crypto ipsec transform-set RIGHT transit mode7. dynamic crypto map configuration
---------------------------------
Crypto-map dynamic dynmap 1 set transform-set RIGHT ikev18. create a map entry and associated crypto dynamic with her map
------------------------------------------------------------map mymap 65535-isakmp ipsec crypto dynamic dynmap
9. connect the crypto in interface map
-----------------------------------mymap outside crypto map interface
10 enable isakmp on interface
------------------------------crypto ISAKMP allow outside
******************
Debug crypto ikev1
******************
FWASA-VICT1 (config) # 01 August at 20:54:25 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:25 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:30 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:30 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:34 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August at 20:54:34 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:54:43 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 4)!
01 August-20:54:43 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!*****************************
Debugging debug crypto isakmp 7
Debug crypto ipsec 7
*****************************FWASA-VICT1 (config) # 01 August at 20:35 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR SA (1) the seller (13) of the SELLER (13) + seller (13) + seller (13) + seller (13) + seller (13) ++ SELLER (13) + (0) NONE total length: 384
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, SA payload processing
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, Oakley proposal is acceptable
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received NAT - Traversal RFC VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received NAT-Traversal worm 02 VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, received Fragmentation VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing VID
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, IKE SA payload processing
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1] Phase 1 failure: incompatible types of attributes of class Group Description: RRs would be: unknown Cfg would: Group 2
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, IKE SA proposal # 1, transform # 5 entry IKE acceptable Matches # 3 overall
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, build the payloads of ISAKMP security
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, constructing the payload of NAT-Traversal VID worm RFC
01 August 20:35 [IKEv1 DEBUG] IP = 197.217.68.99, construction of Fragmentation VID + load useful functionality
01 August 20:35 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR, HIS (1), SELLER (13) of the SELLER (13) + (0) NONE total length: 124
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + NAT - D (20), NAT - D (20) & NONE (0) overall length: 260
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, processing ke payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload processing ISA_KE
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, nonce payload processing
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload NAT-discovery of treatment
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, payload NAT-discovery of treatment
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, building ke payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, building nonce payload
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, build payloads of Cisco Unity VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, constructing payload V6 VID xauth
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, Send IOS VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilities: 20000001)
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, build payloads VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT-discovery payload construction
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT-discovery payload construction
01 August at 20:35:01 [IKEv1 DEBUG] IP = 197.217.68.99, NAT discovery hash calculation
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, connection landed on tunnel_group DefaultRAGroup
01 August at 20:35:01 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, Generating keys for answering machine...
01 August at 20:35:01 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) + (10) NUNCIO seller (13) + the seller (13) + the seller (13) + the seller (13) NAT - D (20) + NAT - D (20) & NONE (0) total length: 304
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8) + (0) NONE total length: 64
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, calculation of hash for ISAKMP
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is behind a NAT device
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, connection landed on tunnel_group DefaultRAGroup
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload ID
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, build payloads of hash
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, calculation of hash for ISAKMP
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, building dpd vid payload
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + ID (5) + HASH (8), SELLER (13) + (0) NONE total length: 84
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, type Keep-alive for this connection: None
01 August at 20:35:02 [IKEv1] IP = 197.217.68.99, Keep-alives configured on, but the peer does not support persistent (type = None)
01 August at 20:35:02 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, timer to generate a new key to start P1: 21600 seconds.
01 August at 20:35:03 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 1) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 192.168.5.122, Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 41.63.166.15, Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, QM IsRekeyed its not found old addr
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, remote peer IKE configured crypto card: dynmap
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing IPSec SA
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, IPSec SA proposal # 1, turn # 1 entry overall SA IPSec acceptable matches # 1
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, IKE: asking SPI!
IPSEC: HIS embryonic new created @ 0xb2b4ef98.
RCS: 0XB1BBEC58,
Direction: inbound
SPI: 0X8DFBC25E
Session ID: 0 x 01236000
VPIF num: 0x00000002
Tunnel type: ra
Protocol: esp
Life expectancy: 240 seconds
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, IKE got SPI engine key: SPI = 0x8dfbc25e
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, quick mode of oakley constucting
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, empty building hash payload
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, building the IPSec Security Association Management
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of support useful Nuncio IPSec
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, constructing the ID of the proxy
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, transmission Proxy Id:
Remote host: 197.217.68.99 Protocol Port 17 0
Local host: 10.30.21.2 Protocol 17 Port 1701
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload NAT Original address
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, construction of payload NAT Original address
01 August at 20:35:03 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address sending NAT-Traversal
01 August at 20:35:03 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, build payloads of hash qm
01 August at 20:35:03 [IKEv1] IP = 197.217.68.99, IKE_DECODE SEND Message (msgid = 1) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + NONE (0) overall length: 188
01 August at 20:35:04 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 197.217.68.99, Protocol 17, Port 0
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 10.30.21.2, Protocol 17 Port 1701
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:04 [IKEv1] IP = 197.217.68.99, rejecting new IPSec security association negotiation for peer 197.217.68.99. A negotiation was underway for local 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255 Proxy
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb1fe13a8, mess id 0 x 2)!
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, case of mistaken IKE responder QM WSF (struct & 0xb1fe13a8), : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
01 August at 20:35:04 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, sending clear/delete with the message of reason
01 August at 20:35:04 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!
01 August at 20:35:05 [IKEv1] IP = 197.217.68.99, IKE_DECODE RECEIPT Message (msgid = 2) with payloads: HDR HASH (8) HIS (1) + (10) NUNCIO + ID (5) + ID (5) + NAT - OA (21) ++ NAT - OA (21) + (0) NONE total length: 324
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, SA payload processing
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, nonce payload processing
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID remote Proxy Host: address 197.217.68.99, Protocol 17, Port 0
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload processing ID
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, data received in payload ID local Proxy Host: address 10.30.21.2, Protocol 17 Port 1701
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, detected L2TP/IPSec session.
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, payload NAT Original address of treatment
01 August at 20:35:05 [IKEv1] IP = 197.217.68.99, rejecting new IPSec security association negotiation for peer 197.217.68.99. A negotiation was underway for local 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255 Proxy
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, error QM WSF (P2 struct & 0xb074f010, mess id 0 x 2)!
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, case of mistaken IKE responder QM WSF (struct & 0xb074f010), : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH--> QM_BLD_MSG2, EV_VALIDATE_MSG
01 August at 20:35:05 [IKEv1 DEBUG] group = DefaultRAGroup, IP = 197.217.68.99, sending clear/delete with the message of reason
01 August at 20:35:05 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, peer table correlator Removing failed, no match!Hi man,
As you can see in the output: -.
01 August at 20:35:02 [IKEv1] group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETEDPhase 1 is done and QM WSF error indicates the issue with transform-set or crypto-access list.
Please try to use ESP-3DES and HMAC-SHA-ESP to turn together and tell us how it rates.You could try as well as authentication using PAP.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
L2l with certificates between 2 ASAs
Hi all
I want to set up a VPN L2L/Site-to-site tunnel, which authenticates by using certificates.
In fact I am following this guide-> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
I configured the tunnel group on both ends, with the trustpoint configured, authenticated and accepted specified.
I correspondent isakmp policies at both ends, and of course my cryptographic cards contains 3 identical lines - set peer match access-list and transformation-a set cryptomap. Next to those, there are 2 identical lines for life. I haven't specified the trustpoint in encryption card while it is not indicated in the top link (guide) to do, even if I tried, without different result. Debugs him happens exactly the same each time:
Debug the cry isa 10: (on the remote end)
TEST-ASA-RA # debug cry isa 10
TEST-ASA-RA # Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 208
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, SA payload processing
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Oakley proposal is acceptable
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received NAT-Traversal worm 02 VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, worm received 03 NAT-Traversal, VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received NAT - Traversal RFC VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received Fragmentation VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: true
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE SA payload processing
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build the payloads of ISAKMP security
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, construction of Fragmentation VID + load useful functionality
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + CERT_REQ (7) + CERT_REQ (7) seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 374
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, processing ke payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing ISA_KE
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, nonce payload processing
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment certificate request payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment certificate request payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, the customer has received Cisco Unity VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received xauth V6 VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment VPN3000 / ASA payload IOS Vendor ID theft (version: 1.0.0 capabilities: 20000001)
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building ke payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building nonce payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, building certreq payload
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build payloads of Cisco Unity VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, constructing payload V6 VID xauth
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Send IOS VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, ASA usurpation IOS Vendor ID payload construction (version: 1.0.0 capabilities: 20000001)
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, build payloads VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, Generating keys for answering machine...
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) NUNCIO (10) + CERT_REQ (7) seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 298
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, RRs would fragment a new set of fragmentation. Removal of fragments of old.
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, assembled with success an encrypted pkt of RRs would be fragments!
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + ID (5) + GIS (9) + IOS KEEPALIVE (128) + CERT (6), SELLER (13) + (0) NONE total length: 1987
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing ID
Jul 07 11:36:18 [IKEv1 DECODER]: IP = 80.62.240.136, ID_IPV4_ADDR received ID
80.62.240.136
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing cert
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, treatment of RSA signature
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, calculation of hash for ISAKMP
Jul 07 11:36:18 [IKEv1 DECODER]: Dump of Signature received, len 256:
0000: 8D97FE83 CDA9CEB2 A5D7F63F 0FAA76A4...? ... c.
0010: 21F229A8 2A714C2D 12F16ABF 08E44664!.). *... qL j... FD
0020: 0D95A510 0AFFA63B 815CCBB0 B7C708CF...; \......
0030: 31246316 0E93E084 59395461 118C 9251 $1 c... Y9Ta... Q
0040: 823A36CB 55F2F59C 3342326D 251F8B7A. : 6.U... 3B2m %... z
0050: B9C9F916 C403A4D1 59DA3AA8 932312C 0... Y.:.. #..
0060: 88476460 E9C9A07C 5671C18D A9202382. GD'... | DV... #.
0070: 441F47AF 74E407B1 DB06B929 406E993D D.G.t...) @n. =
0080: A7C149FA 1677D1A2 E3105356 4E205E45... I have... w... SVN ^ E
0090: 06D2CB2A B6BF638E 0910283C 7FF6BAE2... *... c... (<>
00 to 0: 3F97ADF5 19B 78872 69C0346B 7EF89FAE?... ri.4k... ~
00B 0: 456E26CF 52CC296B 11F6AE68 2498024C en &. R) k...h$... L
00C 0: 74658112 you 16121A 68 h
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, IOS treatment keep alive payload: proposal = 32767/32767 sec.
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, payload processing VID
Jul 07 11:36:18 [IKEv1 DEBUG]: IP = 80.62.240.136, DPD received VID
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, trying to find the group via IKE ID...
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, connection landed on tunnel_group 80.62.240.136
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, ID type homologous 1 received (IPV4_ADDR)
Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, identity of IKE for peer name incompatibility Cert subject Alt
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, case of mistaken IKE MM Responder WSF (struct & 0xd3dcecf0)
, : MM_DONE, EV_ERROR--> EV_COMPARE_IDS--> MM_BLD_MSG6, MM_BLD_MSG6, NullEvent--> MM_BLD_MSG6, EV_VALIDATE_CERT--> MM_BLD_MSG6, EV_UPDATE_CERT--> MM_BLD_MSG6, EV_TEST_CERT--> MM_BLD_MSG6, EV_CHECK_NAT_T, EV_CERT_OK--> MM_BLD_MSG6 Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, IKE SA MM:1e531705 ending: 0x0100c002, refcnt flags 0, tuncnt 0
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, sending clear/delete with the message of reason
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, payload of empty hash construction
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, constructing the payload to delete IKE
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, build payloads of hash qm
Jul 07 11:36:18 [IKEv1]: IP = 80.62.240.136, IKE_DECODE SEND Message (msgid = 5a228b67) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, Removing peer to peer table does not, no match!
Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, error: cannot delete PeerTblEntry
Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)
Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68
Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)
Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68
Jul 07 11:36:26 [IKEv1]: IP = 80.62.240.136, invalid header, lack of payload SA! (next payload = 132)
Jul 07 11:36:26 [IKEv1]: IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68
Then, it waits a bit and start over. No matter if I am trying to establish the tunnel network or remote endpoint - there is no difference in the result.
I made a line of debug output "BOLD" - I don't the have not seen this before, don't think that devices Cisco used this alternative area? Thought it was Microsoft?
1 thing is a reference to the certificates - I use my won Microsoft PKI based on 2003 servers. I have 1 Root CA and 2 subordinates. The root CA is stopped. During the construction of my trustpoints, I start to do my request, give it to one of subordinates, gets my identity certificate and save it on my computer. Then check the chain, which looks always good - RootCA-> SubordinateCA-> ClientCert. Then I extracted the subordinate cert, to authenticate my trustpoint and finally I import the certificate of identity. No complaints, it of all good - and actually working like a charm for my EZVPN configurations.
So I do not think the problem it's with the certificates, although the release said that there is an incompatibility with the other name in question.
The debugging online after this statement, I understand not quite - maybe someone can help me with this? Because right after this line, he begins to destroy the tunnel.
I can provide from configs if necessary, but really, it corresponds to the configuration contained in the guide.
/ Peter
Can you check the "crypto isakmp identity" command on both sides? He looks like a side sends the IP, when it expected the certificate DN is the name so it can match the value in the cert.
Jul 07 11:36:18 [IKEv1 DEBUG]: Group = 80.62.240.136, IP = 80.62.240.136, ID type homologous 1 received (IPV4_ADDR)
Jul 07 11:36:18 [IKEv1]: Group = 80.62.240.136, IP = 80.62.240.136, identity of IKE for peer name incompatibility Cert subject Alt
-Jason
-
Hello all, I have problem with an IPSec tunnel and always looking what is exatly the problem. Have 2 ASA AAA. AA. AAA. A and BBB. BB. BBB. B where BBB. BB. BBB. B has 2 interfaces LAN is another DSL modem. When there is no problem with LAN tunnel is ACTIVE, but when I ALS rocking a few errors on the tunnel:
IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop
IP = AAA. AA. AAA. A, package in double Phase 1 detected. Retransmit the last packet.
SH isakmp sa is:
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: AAA. AA. AAA. A
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG4
If the router is waiting for ack but not expected and there is no package.
At both ends, I deleted:
cry clear isa
cry clear ipsec
I checked the peer addresses are correct, what is bodering me, it's the missing package. I think that this packet is sent to the other interface which is down and so the other ASA cannot get the negotiation.
I will be grateful if anyone can help, I'll debug and sniff for that.
Here are the configs and small on isakmp debug information
Router AAA. AA. AAA. A config:
outside_cryptomap_60 list of allowed ip extended access object-US-VPN VPN - US group object
Route outside 0.0.0.0 0.0.0.0 XXX. XX. XX.1 1
Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 60 match address outside_cryptomap_60
game card crypto outside_map 60 peers BBB. BBB. BB. B CC. CCC. C.CCC
card crypto outside_map 60 value transform-set ESP-AES-SHA
life safety association set card crypto outside_map 60 28800 seconds
card crypto outside_map 60 set security-association life kilobytes 4608000
outside_map interface card crypto outside
ISAKMP allows outside
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 sha hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
tunnel-group BBB. BBB. BB. B type ipsec-l2l
tunnel-group BBB. BBB. BB. B ipsec-attributes
pre-shared-key *.
ASA BBB. BB. BBB. B:
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_cryptomap_1
card crypto outside_map 1 set of AAA peers. AA. AAA. A
card crypto outside_map 1 the value transform-set ESP-SHA-3DES ESP-AES-SHA
outside_map interface card crypto outside
card crypto outside_map interface outsideadsl
crypto ISAKMP allow inside
crypto ISAKMP allow outside
ISAKMP crypto enable outsideadsl
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
ISAKMP crypto am - disable
debugging isakmp 127
28 Dec 11:58:01 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE initiator: New Phase 1, Intf inside, IKE Peer AAA. AA. AAA. A local Proxy 192.168.0.0, address remote Proxy 192.167.0.0, Card Crypto (outside_map)
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 02 NAT-Traversal vid construction
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Payload has, worm 03 NAT-Traversal vid construction
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality
28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + SA (1) the SELLER (13) + the SELLER (13), SELLER (13) + (0) NONE total length: 148
28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction ke payload
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction nonce payload
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building Cisco Unity VID payload
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Xauth V6 VID payload construction
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, Send IOS VID
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A payload the IOS Vendor ID theft construction ASA (version: 1.0.0 capabilities: 20000001)
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Construction VIDEO payload
28 Dec 11:58:01 [IKEv1 DEBUG]: IP = AAA. AA. AAA. One, send Altiga/Cisco VPN3000/Cisco ASA GW VID
28 Dec 11:58:01 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + KE (4) + (10) NUNCIO seller (13) + the seller (13) + the seller (13) + the seller (13) + (0) NONE total length: 256
28 Dec 11:58:07 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
28 Dec 11:58:07 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. ITS payload processing
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Oakley proposal is acceptable
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. VID payload processing
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, received Fragmentation VID
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE Peer included IKE fragmentation capability flags: Main Mode: Mode aggressive True: True
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Treatment IKE payload
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 2
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. Building ITS ISAKMP payload
28 Dec 11:58:09 [IKEv1 DEBUG]: IP = AAA. AA. AAA. A, building Fragmentation VID + load useful functionality
28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108
28 Dec 11:58:09 [IKEv1]: IP = AAA. AA. AAA. A Message from FORWARDING IKE_DECODE (msgid = 0) with payloads: HDR + KE (4) + NUNCIO (10) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) + (0) NONE total length: 256
28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68
28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One Message RECEIVED from IKE_DECODE (msgid = 0) with payloads: HDR + NOTIFY (11) + NONE (0) overall length: 68
28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. One, received an INVALID_COOKIE unencrypted notify message, drop
28 Dec 11:58:10 [IKEv1]: IP = AAA. AA. AAA. A, exchanging information processing failed
No degDec 28 11:58:12 [IKEv1 DEBUG]: pitcher: a message key acquisition, spi 0 x 0
28 Dec 11:58:12 [IKEv1]: IP = AAA. AA. AAA. A Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
Don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' ASA A.
If there is still a problem, download him debugs on both sides at the same time please.
Also, what version of the software the ASA work, and how you simulate the failure on the main interface of B? Is it possible that in your test one can always happen to B through its main interface?
HTH
Herbert
Maybe you are looking for
-
Skype sends more of his keyboard DTMF tones
Yesterday, I noticed that I could access is no longer my daily teleconference as the remote system did not accept the access code I'm punching in Skype keyboard. Today, I tried to access a menu system (coincidentally, for the MS customer service). I
-
HP laserjet 3030 all-in-one prints only odd characters now that it is connected to parallel cable.
I have a printer HP laserjet 3030 all-in-one that has worked very well, but the connector broken so I bought a USB2.00 for parallel printer cable pre-mounted to my laptop (I use windows 7) It only prints the weird characters! Help, please. I change s
-
All of a sudden, I have several problems with my computer. I can't not computer to recognize a flash drive. Printer works in the same usb port. I used Device Manager, checked the drivers, made every difficulty that MS has to offer, each difficulty
-
Hello experts! It s what an object is used, but the doesn´t works for me. Let me show you the problem: I have a request that I have configured the icon overview on the properties of the eclipse, I m use 4,612 to blackberry OS and my application, but
-
[Envy dv6t Quad Edition laptop] Can I change my graphics card?
Laptop: HP dv6t Quad Edition Envy Proccessor: Intel 3rd gen i7 RAM: 16 GB Operating system: Windows 8 64-bit The current graphics card I have in my laptop is the Nvidia Geforce GT M 635. I was just wondering, it would be possible for me to change the