Problems with site-to-site vpn

Hello everyone

I was recently assigned the task of configuring a site-to-site VPN and this is my first time doing it. I'm trying to set up a VPN with a PIX 501 for a small site. I managed to get as far as what's below, but I'm stuck now and don't know what the problem could be. Here's the debug output.

Any help on what the potential problem could be is greatly appreciated.

-AK

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=3276/2 sec.

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 413131006:189fe0feIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3e9451fa(1049907706) for SA
        from 208.249.117.203 to 70.91.20.245 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:208.249.117.203/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3425658127, spi size = 16
ISAKMP (0): deleting SA: src 70.91.20.245 dst 208.249.117.203
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xac149c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:208.249.117.203/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 208.249.117.203
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 70.91.20.245, remote= 208.249.117.203,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)

Hello

From the logs, I see you are using a VPN 3000 Concentrator as the remote VPN endpoint. Now, the following section of the debugs is also interesting:

  (identity) local= 70.91.20.245, remote= 208.249.117.203,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)

- It looks like the interesting traffic on the PIX and on the concentrator are not mirror images of each other, and so it does not work. Can you please paste the PIX crypto access lists here so that I can analyze the entries.

- Also, please make sure that you have followed all the steps of the VPN configuration according to the following links:

If your PIX is running version 7.x or later: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Once you have checked the config on the PIX and the concentrator, please provide me with the output of "sh cry isa sa" and "sh cry ipsec sa" from the PIX. With that output we can continue to troubleshoot if there are more questions.

Let me know if this helps,

Cheers,

Christian V
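To make the "mirror image" check concrete, here is an added example, not code from this thread or from Cisco: a small Python script that parses crypto ACL "permit ip" lines from both peers, reports entries that have no mirrored counterpart on the other side, and pulls the local_proxy/remote_proxy pair out of the debug output to show which ACL entry the PIX actually negotiated. The ACL lines and the debug snippet are constructed samples; since the concentrator keeps network lists rather than an ACL, its side is written as the equivalent ACL. The parser also accepts IOS wildcard masks, which goes beyond the PIX case in this thread (that is the /16 versus /24 situation from the similar question further down the page).

```python
"""Mirror check for IPsec crypto ACLs plus proxy identities from PIX debug output.

Added example for this thread, not code from the original post or from Cisco.
The ACL lines and the debug snippet below are constructed samples; the
concentrator side is written as the ACL equivalent of its network lists.
"""
import ipaddress
import re

# Constructed PIX 6.x crypto ACL (netmask syntax). 'any' on the local side is
# what produces local_proxy= 0.0.0.0/0.0.0.0 in the debug.
PIX_ACL = "access-list vpn permit ip any 206.200.22.0 255.255.255.0\n"

# Constructed hub side: the concentrator's local/remote networks as an ACL.
HUB_ACL = (
    "access-list vpn permit ip 206.200.22.0 255.255.255.0 "
    "192.168.10.0 255.255.255.0\n"
)

# Constructed proxy-identity lines in the form 'debug crypto ipsec' prints them.
DEBUG_SNIPPET = """
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
"""

PROXY_RE = re.compile(r"(local|remote)_proxy\s*=\s*([\d.]+)/([\d.]+)/")


def network_from_mask(addr, mask, style="netmask"):
    """Build a network from an address and a PIX netmask or an IOS wildcard mask."""
    mask_int = int(ipaddress.IPv4Address(mask))
    if style == "wildcard":
        mask_int = ~mask_int & 0xFFFFFFFF  # invert the wildcard into a netmask
    netmask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.ip_network((addr, netmask), strict=False)


def _operand(tokens, i, style):
    """Parse one ACL address operand ('any', 'host A' or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return network_from_mask(tokens[i], tokens[i + 1], style), i + 2


def parse_acl(text, style="netmask"):
    """Return the set of (src_network, dst_network) pairs from 'permit ip' lines.

    Deny lines, blanks and unrelated lines are skipped. style is 'netmask' for
    PIX/ASA access-lists and 'wildcard' for IOS access-lists.
    """
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 1
        if i >= len(tokens) or tokens[i] != "ip":
            continue  # only plain 'permit ip' entries matter for a crypto ACL
        src, i = _operand(tokens, i + 1, style)
        dst, _ = _operand(tokens, i, style)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(side_a, side_b):
    """Entries on each side whose reversed (dst, src) pair is missing on the other."""
    only_a = sorted(side_a - {(d, s) for s, d in side_b}, key=str)
    only_b = sorted(side_b - {(d, s) for s, d in side_a}, key=str)
    return only_a, only_b


def proxies_from_debug(text):
    """Extract (local_network, remote_network) from PIX 'debug crypto ipsec' lines."""
    found = {}
    for side, addr, mask in PROXY_RE.findall(text):
        found[side] = network_from_mask(addr, mask, "netmask")
    return found.get("local"), found.get("remote")


def proxy_in_acl(acl_pairs, local_net, remote_net):
    """True when the negotiated proxy pair is exactly one of the crypto ACL entries."""
    return (local_net, remote_net) in acl_pairs


if __name__ == "__main__":
    pix, hub = parse_acl(PIX_ACL), parse_acl(HUB_ACL)
    only_pix, only_hub = mirror_mismatches(pix, hub)
    print("PIX entries with no mirror on the hub:", [(str(s), str(d)) for s, d in only_pix])
    print("hub entries with no mirror on the PIX:", [(str(s), str(d)) for s, d in only_hub])
    local, remote = proxies_from_debug(DEBUG_SNIPPET)
    print("negotiated proxies:", local, "->", remote,
          "| matches a PIX ACL entry:", proxy_in_acl(pix, local, remote))
    # IOS wildcard-mask form: branch uses /24 for a hub network that is really /16
    branch = parse_acl("permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255", "wildcard")
    hub_ios = parse_acl("permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255", "wildcard")
    print("branch/hub mismatches:", mirror_mismatches(branch, hub_ios))
```

Run it against the real access lists from both devices (pasted into PIX_ACL and HUB_ACL) and against the proxy lines from the debug: an entry listed under "no mirror" is the one to fix, and a negotiated proxy pair that matches the PIX ACL but not the hub side explains a Quick Mode that authenticates and is then deleted by the peer.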

Tags: Cisco Security

Similar Questions

  • Problem with Site-to-Site VPN. VPN tunnel is broken but can ping

    OK, so I am trying to understand why nothing appears when I do sh crypto isakmp sa or sh crypto ipsec sa. I did a basic site-to-site VPN configuration to another site and I can ping between both networks fine, no problem. So when I ping from one PC on the 172.16.0.0 network to the 192.168.0.0 network there is no problem at all because the pings are received fine. But when I do sh crypto isakmp sa, there's simply nothing and I can't for the life of me understand why. I looked at my sh run on both routers and all seems well, but I guess I could be overlooking something. I would really appreciate it if someone could help me diagnose this problem.

    I've attached my Packet Tracer file; the two routers use the binary password. I also have the sh run of the two routers attached.

    I don't have 172.16.0.0/24 on any of the routers, only 172.16.0.0/16, and I think that is the issue.

    In the crypto ACL you have on the branch router:

    !

    ip access-list extended S2S-VPN-TRAFFIC

     permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

    Shouldn't it be:

    !

    ip access-list extended S2S-VPN-TRAFFIC

     permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255

    and of course mirrored on the main router.

    If this isn't the case, you are saying that some pings between 192.168.0.x and 172.16.0.x are going OK. Can you please indicate exactly which one? I could see that you attached a Packet Tracer file, but I couldn't open it.

  • Problems with site-to-site vpn with of the asa 2

    I tried different ways to get this working, but failed. After 8 hours I literally have a bad headache and have to step away for a minute. I realize I need to ping between the tunnels mentioned, but still cannot. Can someone take a look and tell me where I have gone wrong? I'm trying to configure a site-to-site VPN between:

    ASA_A

    outside interface 5.179.17.66

    inside interface 10.1.1.1

    ASA_B

    outside interface 5.81.57.19

    inside interface 10.1.2.1

    First, why do you have two DGs on the box?

    route outside 0.0.0.0 0.0.0.0 5.179.121.65 1

    route outside 0.0.0.0 0.0.0.0 5.179.17.65 1

    Fix that on both ends, then it should work.

    Thank you

    Ajay

  • Problem with site Web page - coding errors - HELP

    Hello

    I'm having a problem with one of my pages which becomes corrupt every time I update the template. I get a repeat of the template on the page and the following text is highlighted in the code.

    Can you tell me what it's trying to tell me?

    Capture.JPG

    Here is what the page has to look like:

    Pic 1.JPG

    Here's what it becomes, it seems to duplicate the page and shift right:

    Pic 2.JPG

    Looking at the code for the linked page once again, I see that the problem is not with the template, it is with the code in an editable region of the child page. So, on this page, change

    http://www.Macromedia.com/schemes/data/string/">

    on this subject.

    and save the page.

    In the template, change

    menuside

    on this subject.


    menuside

    and save it, allowing the change to propagate.

    Having done this, does your child page behave correctly now?

    In addition, you can fix this in the child pages and in the template -

    [email protected]"> contact" > mailto:clu [email protected]"> contact form '"»

    probably should be -

    [email protected]"> contact form.

  • ProBook 650 1: Problems with W10 upgrade - Client VPN in my notebook?

    Hello

    I upgraded my laptop to Windows 10 but, like many people, I encountered some problems with the Broadcom 802.11 Wi-Fi adapter. I read a lot of discussion about it and yesterday I decided to roll back to Windows 7 in order to do a clean upgrade from ISO and uninstall the VPN. I read that the Cisco VPN Client is the problem when upgrading to W10... but I'm not sure I have the Cisco client on my notebook.
    Can you help me find out which VPN software I have on my notebook?
    I ran Microsoft Fixit and found out that I have:
    Cisco PEAP
    Cisco LEAP
    Cisco EAP-FAST

    Is this VPN software? Or not?

    After updating the Broadcom driver on Windows 10, Wi-Fi worked well, but I still had an error message 'Broadcom 802.11 Wi-Fi network adapter doesn't work' whenever I turned on the laptop.
    In addition, it was impossible on W10 to open the Broadcom Wireless Utility (Control Panel) software; I always got an error message.

    Should I uninstall the Cisco software?

    Regards,

    Marco

    "Hi @Kreiskybill,

    I'm sorry, that was meant to be an internal memo that I'm not trained on commercial products and I was hoping one of my colleagues would help, but I'll try my best to help you.

    For your wireless problem, there are several troubleshooting documents available on the product support page for your ProBook (http://ow.ly/ADK7301hCLl) that might be useful. Also, here is the HP consumer PC document 'Troubleshooting wireless network and Internet (Windows 10)' (http://ow.ly/pIm0301hEIN) for reference.

    With regard to the Cisco programs you listed, @SpiritX on the Microsoft Forums (http://ow.ly/DAhQ301hCFt) answers your question about those Cisco programs well. I know that you are not running Windows Vista, but the answer is still valid for you.

    If this helps and you want to thank me, please click the 'Thumbs Up' icon to say thank you. If you think that I helped solve your problem, please click the 'Accept as Solution' button. This will allow other users to find what worked for you. »

  • Problem with site settings

    I'm new to Dreamweaver CS4 and have the following question. For some reason, when I try to create a root folder for the web site, I am unable to create the path to an already created site folder. The only way I can accomplish this is to type the name of the folder after the root directory, such as "C:\mysite\"; when I click on the folder icon and navigate to my site's folder and click 'Open' and then click 'Select' to make the connection, I end up with 'C:------' in the Dreamweaver site setting page. Any help on this is welcome.

    Are you running Win7? If so, this is a known issue. Not sure if there is a fix for this bug. In the meantime, you can navigate to a deeper level to select your site's folder, or just enter it manually.

  • Problems with site. Help?

    I'm trying to start another site, after already having one, and I can't seem to get through. I tried literally everything I can possibly think of, but I am still confused about how to get this site onto the remote server. Any help?

    This may help: How to upload your Web Site using Dreamweaver tutorial

  • Problem with Site - domain will not work without "www."

    When you visit the web site without the www prefix, you are taken to a "site in development" page that tells me the webmaster has not added a web site on the server.

    However, if you put the www prefix it loads immediately. I just published the site online and I pointed my GoDaddy nameservers to iPage. Any ideas on why this is happening?


    http://mtbamg.com/

    http://www.mtbamg.com/

    Hello

    Just checked the links on my machine and it works without www.

    In my view, clearing the browser cookies will fix it on your machine.

    Kind regards

    Vivek

  • Vista problem with site management?

    Since I moved Dreamweaver 8 to my new Vista computer, it does not remember the FTP login and password in Manage Sites. I need to change the site every time I open Dreamweaver. Is it because of Vista? Have others had this experience?

    Does this Technote apply to you?
    http://www.Adobe.com/cfusion/knowledgebase/index.cfm?id=785362aa

    --
    Murray - ICQ 71997575
    Adobe Community Expert
    (If you * MUST * write me, don't don't LAUGH when you do!)
    ==================
    http://www.dreamweavermx-templates.com - template Triage!
    http://www.projectseven.com/go - DW FAQs, tutorials & resources
    http://www.dwfaq.com - DW FAQs, tutorials & resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================

    "craigtb" wrote in message
    news:f00c58$DMS$1@forums.macromedia.com...
    > I installed the patch but when I run the Dreamweaver application, it still says that it is
    > 8.0.
    > I have reinstalled several times - each time it said that it installed
    > successfully
    > - but the version number in everything does not update. Reset
    > has
    > no effect either.
    >

  • Problems with remote access IPSec VPN

    Dear Experts,

    Kindly help me with this remote access VPN problem.

    I have configured remote access IPsec VPN using the wizard. The remote client connects to the head office fine, gets the defined IP address, sends packets and bytes, BUT does not receive any bytes or decrypted packets. On the contrary, the discarded packets counter keeps rising.

    What could possibly be responsible, or what other configuration do I need to do on the ASA for the connection to be fully functional?

    It may help to say that AnyConnect VPN is configured on the same outside interface of the ASA, and it is still functional. What is the reason?

    AnyConnect VPN is used by staff for remote access.

    Kindly help.

    Thank you.

    Hello

    So if I understand correctly, you have one interface for LAN and one for WAN, and naturally the destination networks you want to reach via the VPN Client connection are all located behind the LAN interface.

    In this case the NAT0 configuration with your recent software could look like this

    object-group network LAN-NETWORKS-VPN

     network-object

     network-object

     network-object

    object network VPN-POOL

     subnet

    nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL

    Naturally, the naming of interfaces and objects might be different. In this case it's just meant to illustrate the purpose of the object or interface.

    Naturally I'm not sure if the NAT0 configuration is the problem, since I can't really say anything for sure when I can't see the configuration.

    As for the other question,

    I have not implemented an ASA to use 2 WAN interfaces in production environments, since in that case we usually have separate platforms for both, or we may be hosting/providing the service for them.

    I imagine that there are ways to do it, but the main problem is the routing. Essentially, we know that VPN Client connections can come from virtually any public source IP address, and in this case we would need the default route pointing to the VPN interface, since it's not really convenient to set up separate routes for the IP addresses where the VPN Client connections would come from.

    So if we consider that the default route should be on the INTERNET link of the ASA, we run into the problem that we cannot have 2 default routes active on the same device at the same time.

    Naturally, with your software level, you would be able to use NAT to get the result you want.

    In short, the requirements would be the following

    • The VPN interface has the default route; the INTERNET interface has a lower-priority default route
    • NAT0 configuration between the LAN and VPN interfaces to make sure that this traffic is passed between these interfaces without NAT
    • A special NAT configuration between the LAN and INTERNET interfaces which would essentially forward all traffic to the INTERNET interface (except for the VPN traffic that we have handled in the previous step)

    The above would essentially allow the VPN interface to have the default route, which would mean that no matter what the VPN Client source IP address is, it should be able to communicate with the ASA.

    The NAT0 configuration would be there to force the ASA to pass this traffic between the LAN and VPN (pools) for VPN traffic.

    The special NAT configuration would then match traffic from the LAN to ANY destination address and send it to the INTERNET interface. Once this decision is made, the traffic would follow the lower-priority default route on this interface.

    I would say that this isn't really the ideal situation or configuration to use in a production environment. It potentially creates a complex NAT configuration that you use to manipulate the traffic instead of leaving the choice to the routing table in the first place.

    Of course there could be other options, but I would have to test this configuration before I can say anything more for sure.

    -Jouni

  • Problem with the Cisco ASA vpn redundancy?

    Hi all

    I have an ASA 5500 series firewall and need to set a different peer IP for the site-to-site VPN connection. In fact, my goal is that the ASA tries the first peer IP of the site-to-site tunnel, and when the ASA cannot reach this IP, it tries to reach another IP I set beforehand. I can configure this scenario on a Cisco router with this command:


    crypto map tohub 1 ipsec-isakmp
     set peer 10.1.1.1 default 
     set peer 10.2.2.2

    but I wonder what I can do on the ASA?

    Thank you.

    Best regards.

    Shane,

    You can configure multiple IP addresses under the same set peer entry on the ASA, but it does not work the same as on IOS with a preferred peer; it passes through the defined peers.

    Marcin

  • Cisco VPN problem with security update KB3057839 for Vista

    Has anyone had problems with any Cisco VPN connection working after installing security update KB3057839 for Vista? When this update is installed, the pop-up to enter the password and user ID does not come up, and I need to use the Task Manager to close the program. The first time I went back to the restore point to get my VPN to work; this time I tried to reinstall the VPN but that doesn't work anymore. I started to uninstall updates (had 7 of them), and when I got to KB3057839, the VPN began working again.

    Mike

    See this on the real issue:

    http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html

    It turns out that the logon dialog box is invisible, but it still accepts your password and logs you in!

  • Problem with VPN Site-to-Site between RV215W and ASA5510

    The RV215W is intended to connect a new branch via 3G, but it fails.

    But when connected to the internet via a cable modem, the VPN works.

    I have set it up with the full domain name and remote IP address.

    Please help me as soon as you can.

    Thanks a lot.

    Henriux2412.

    Dear Henry;

    Thank you for contacting the Small Business Support Community.

    I doubt that this site-to-site VPN is compatible with the 3G mobile broadband USB modem, but I would still suggest verifying that the Status field of the card shows your mobile card is connected (Status > Mobile Network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their Access Manager software ("NDIS Mode - connect manually" was selected and this option was changed to "Modem Mode - connect manually"), but if this is not your case then I suggest you check with your service provider about support for site-to-site VPN on the WAN configuration.

    Other than that, I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support it

    https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport

    Do not hesitate to contact me if there is anything I can help you with in the meantime.

    Kind regards

    Jeffrey Rodriguez S... : | :. : | :.
    Support Engineer Cisco client

    * Please rate the Post so other will know when an answer has been found.

  • problem with Ezvpn and VPN from Site to Site

    Hello

    I want to set up EzVPN and a site-to-site VPN, but the problem is that only the EasyVPN works; the site-to-site does not work at all

    I have set up 1 crypto map for the two VPNs with different tags

    I had excluded the traffic from being NATed, and when I remove the EzVPN the site-to-site works well

    crypto isakmp policy 100
     encr aes
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10000
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key 123456 address (deleted)

    crypto isakmp client configuration group easyvpn
     key easyvpn
     domain ezvpn
     pool easyvpn
     acl easyvpn
     save-password
     split-dns cme
     max-users 9
     netmask 255.255.255.0
    !

    crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac

    crypto dynamic-map easyvpn 10
     set transform-set dmvpn
     reverse-route
    !
    !
    crypto map easyvpn local-address Dialer1
    crypto map easyvpn client authentication list easyvpn
    crypto map easyvpn isakmp authorization list easyvpn
    crypto map easyvpn client configuration address respond
    crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
    crypto map easyvpn 1000 ipsec-isakmp
     set peer (deleted)
     set transform-set vpn
     match address site

    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname
     ppp chap password
     ppp pap sent-username
     crypto map easyvpn

    ip access-list extended DSL_ACCESSLIST
     deny ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
     deny ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
     permit ip 100.0.0.0 0.0.0.255 any
     deny ip any any
    ip access-list extended easyvpn
     permit ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
    ip access-list extended site
     permit ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255

    Best regards

    The crypto map sequence number of the static crypto map (site-to-site VPN) should have higher priority (i.e. the sequence number must be lower) than the EzVPN one (dynamic crypto map).

    In your case, you must configure it as follows:

    crypto map easyvpn 10 ipsec-isakmp
     set peer (deleted)
     set transform-set vpn
     match address site

    crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn

    Hope that solves this problem.

  • IPSEC VPN from Site to Site - NAT problem with address management

    Hi all

    I have two Cisco ASA 5505s doing an IPsec site-to-site VPN. All traffic inside each firewall goes through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at site B and launch ASDM or SSH, etc.

    The problem I have is that when I'm logged on to the ASA at site B, management traffic is given the outside address. I created this as interesting traffic to get it to go through the VPN, but I need to use the inside address of ASA B. Is any of the following possible:

    • Can I make the ASA at site B use the inside interface as its management address (I already have management access on the inside interface)
    • Can I NAT the outside interface address at site B before the management traffic goes through the VPN tunnel, so that it appears to come from site B's inside address
    • Can I NAT the VPN traffic as it appears at site A so that management traffic from site B has the right address.

    The problem is that my SCEP requests also come from this address, and I need the request to come from an internal address to reach my CA.

    Thanks for any help.

    Ian

    Thanks, I understand what you are trying to achieve now.

    However, I think I don't have good news for you. Unfortunately the SCEP request cannot be initiated from the ASA's inside interface, as there is no option to start the request from the inside interface. With other management features such as AAA and logging, you have an option to specify which interface the ASA should originate the request from, but SCEP doesn't have this option.

    Here's what you can configure under the crypto trustpoint, but unfortunately specifying the interface is not one of the options:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/C5.html#wp2262210
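For the crypto map ordering point made in the EzVPN thread above (the static site-to-site entry needs a lower sequence number than the dynamic EzVPN entry), here is an added Python linter, not code from that thread or from Cisco, that pulls the numbered crypto map entries out of a running config and flags any dynamic entry that sorts before a static entry in the same map. The BEFORE and AFTER configs are constructed from the thread, with 192.0.2.1 as a placeholder for the peer address the poster deleted.

```python
"""Flag crypto maps whose dynamic (EzVPN) entry sorts before a static entry.

Added example, not code from the original thread or from Cisco. The two configs
below are constructed from the EzVPN thread; 192.0.2.1 is a placeholder for the
peer address the poster deleted.
"""
import re

# Constructed: the poster's ordering, dynamic entry 100 before static entry 1000.
BEFORE = """\
crypto map easyvpn local-address Dialer1
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set vpn
 match address site
"""

# Constructed: the ordering recommended in the reply, static 10 before dynamic 150.
AFTER = """\
crypto map easyvpn local-address Dialer1
crypto map easyvpn 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set vpn
 match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
"""

# 'crypto map NAME SEQ ipsec-isakmp [dynamic DYNMAP]'. Other crypto map lines
# (local-address, client authentication, ...) carry no sequence number and are ignored.
ENTRY_RE = re.compile(
    r"^\s*crypto map\s+(?P<name>\S+)\s+(?P<seq>\d+)\s+ipsec-isakmp"
    r"(?:\s+dynamic\s+(?P<dyn>\S+))?\s*$"
)


def parse_crypto_map_entries(config):
    """Return [(map_name, sequence, dynamic_map_or_None), ...] in config order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), int(m.group("seq")), m.group("dyn")))
    return entries


def ordering_problems(entries):
    """Return (map_name, static_seq, dynamic_seq) for every static entry that is
    preceded by a dynamic entry with a lower sequence number in the same map.
    IOS evaluates crypto map entries in ascending sequence order, so the dynamic
    template would be tried before the site-to-site entry."""
    by_map = {}
    for name, seq, dyn in entries:
        by_map.setdefault(name, []).append((seq, dyn))
    problems = []
    for name, items in by_map.items():
        dynamic_seqs = [s for s, d in items if d is not None]
        static_seqs = [s for s, d in items if d is None]
        for st in static_seqs:
            for dy in dynamic_seqs:
                if dy < st:
                    problems.append((name, st, dy))
    return sorted(problems)


def lint(config):
    """Human-readable findings for one config text; an empty list means the order is fine."""
    return [
        f"crypto map {name}: dynamic entry seq {dy} precedes static entry seq {st}; "
        f"give the static entry a lower sequence number than the dynamic one"
        for name, st, dy in ordering_problems(parse_crypto_map_entries(config))
    ]


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, lint(cfg) or ["ok"])
```

Feed it the output of show running-config | include crypto map from an IOS router that mixes a dynamic crypto map with static site-to-site entries; any finding names the map and the two sequence numbers to swap.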
