QoS policy & policy-card entry on marking interface

Similar Questions

• Multiple Crypto cards on a single Interface of ASA

  Hello

  I work with a TAC support engineer, and while troubleshooting it suggests to assign two different cryptographic cards on a single interface.

  It is technically possible to have multiple Crypto maps on a single Interface ASA?

  PS: I know have several sequences in a single encryption card would work, but it is a case that I must address multiple Crypto maps on a single ASA.

  Hi Ali,

  The rule is by interface, a single card encryption is supported. You cannot assign more than one encryption on a single interface card.

  Documentation: -.
  "You can only assign a single encryption card defined on an interface. If multiple crypto map entries with the same name of card but a sequence number different, they are part of the same series and are applied to the interface. ASA first assesses the entry card crypto with sequence number low. »

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/ASA-command-reference/A-H/cmdref1/C6.html

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Multiple Crypto cards on simple external Interface

  Hi, I got the following encryption card configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  I'm now trying to set up a map of additional encryption - a static configuration to establish a tunnel with Windows Azure services. The configuration, they gave me is:

  Crypto map Azur-crypto-map 10 correspondence address azure-vpn-acl

  crypto azure-crypto-card card game 10 peers XXX.XXX.XXX.XXX (hidden)
  

  card crypto azure-crypto-map 10 set transform-set of Azur-ipsec-proposal-set

  Azur-crypto-card interface card crypto outside

  However, when I apply this configuration, my Cisco IPSec clients can connect is no longer. I think that my problem is that last line:

  Azur-crypto-card interface card crypto outside

  that blows away my original line:

  outside_map interface card crypto outside

  It seems that I'm stuck with just picking one of the maps to apply to the external interface. Is there a way to apply both of these cards to the external interface to allow the two IPSec tunnels to create? We lack ASA version 8.4 (7) 3.

  Hello

  You can use the same "crypto map"

  Just add

  card crypto outside_map 10 correspondence address azure-vpn-acl

  crypto outside_map 10 card game peers XXX.XXX.XXX.XXX (hidden)
  

  card crypto outside_map 10 set transform-set of Azur-ipsec-proposal-set

  Your dynamic VPN Clients will continue to work very well that their statements "crypto map" are in the order of precedence / low in "crypto map" configurations (65535) and VPN L2L is higher (10)

  And I want to say with the above is that, where a connection VPN L2L is formed from the remote end it will be naturally VPN L2L configurations you have with the number of configurations "crypto map" '10'. Then when a VPN Client connects it naturally will not match the specific configurations of the number "10" and will move to the next entry and the match (65535)

  If you happen to set up a new connection VPN L2L then you might give him the number "11" for example and it would still be fine.

  Hope this helps

  -Jouni

• Problem of QoS policy

  I have a Cisco 2651 router with a line of rental of 2 MB to the ISP. It seems that whenever my users begin to download stuff - ISO images, all of my interactive SSH sessions would be extremely slow.

  Therefore, I went through some of the QoS books and found that it was good for us to do priority queues.

  And what I did was to perform priority queues for incoming traffic on my series s0/0 interface which is connected to the ISP.

  However, even after this operation did not help to speed up my SSH sessions, while users are downloading, could someone help?

  ISP 215.23.21.0/24

  R---> my router---> our network

  Medium priority queues the best fact?

  Hello

  the problem with priority queues is that traffic no matter what you put in the high priority list gets kept first, and other, lower priority traffic could get faded out.

  Perhaps it would be best to configure based on weighted Fair Queuing priorities. You can define a class that corresponds to your SSH traffic and assign a certain percentage of bandwidth to this class. Here is an example:

  IP cef

  !

  class-map correspondence SSH

  ssh protocol game

  !

  Policy-map PRIORITIZE_SSH

  SSH class

  priority 500

  default class

  bandwidth 1000

  random detection

  !

  interface Serial0

  entry of service-policy PRIORITIZE_SSH

  Here you book 500 KB of bandwidth for your SSH traffic, other traffic gets 1000 KB of bandwidth. Bandwidth reserves come into force in the event of congestion.

  Maybe you can post what you have configured so far with PQ?

  Kind regards

  GP

• How to limit a vNic to use 5 GB/s. I can't find the good QOS policy to assign to a vNic

  Should a vNic to use the maximum of 5 GB/s...

  You don't really specify the line rate. Rate is the speed that would result in the available BW entry to be used.

  To answer the underlying question when you lower the rate, you specify burst and the value formatting.

  Formatting is discussed for example here:

  http://www.Cisco.com/en/us/Tech/tk543/tk545/technologies_q_and_a_item09186a00800cdfab.shtml#policing

  Example of

  bdsol-6248-06-A(nxos)# show run | section Gold
  policy-map type queuing org-root/ep-qos-Gold_QoS
  class type queuing class-default
  bandwidth percent 100
  shape 5000000 kbps 65000
  

  and when the use of line.

  bdsol-6248-06-A(nxos)# show run | section Platinium
  policy-map type queuing org-root/ep-qos-Platinium_5124
  class type queuing class-default
  bandwidth percent 100
  shape 10000000 kbps 5124
  

  Production of my USC in the laboratory.

  

  

• Better QoS policy for office video

  Hi all

  If this question is referring to the Movi time (I'll use this name for differentiation) and Jabber for Windows/Mac/iPad etc.

  Assuming NBAR is out of the question, so what means are at our disposal to ensure that the media in real time of these soft clients is found in a priority queue?

  I am aware that the VCS can apply DSCP Movi traffic tags when the media is routed through VCS, but what when the media takes the shortest path directly between customer Movi and the remote endpoint?  It is still referenced?

  What is Jabber?  These are configurable in CUCM?

  Best regards, Glen

  VCS does not mark traffic as the media does not pass through the VCS. All traces of Movi I took to direct call view all unmarked traffic DSCP 0 by default. The application is not marking traffic

• on my network card, a question mark appears that wasn't there. He appeared as a "switch" until I disabled "sharing network". He went away for a day and returned. This is a hack of nieghborhood?

  My mother is a modem from Qwest. I'm on a laptop with wireless on the same account. We were on a homegroup network. I found a question mark on its network card and a photograph camera, on mine with the name 'switch' and no other info on this subject between the computer and the modem peak. I called Qwest and they said they didn't know what it was. So I disabled all the sharing network. He went away. 2 days ago. Today, I checked again, he had again disappeared from the workstation but now it's back on mine, but it shows up as a question mark, as it did on the desktop. And also, there were a few weird anomilies appear on our computers. Do I have a virus or maybe a neighborhood hacker?

  If you use Microsoft Security Essentials, start here - https://support.microsoftsecurityessentials.com/ and select the link that says - I think my computer is infected. Options vary by region, but phone support leads you to the Microsoft answer service (http://www.answerdesk.com/) in the USA at this time. After an initial free consultation, will be charged a fee for assistance, based on the details of the case.

  If this is not the case, go to your provider AV.

  You can also try this web site - http://www.bleepingcomputer.com - contains details for most common infections, often immediately after that they started to appear in the wild, and instructions are provided for how to remove infections using their malware removal guides. They also have forums where you can seek assistance from people who specialize in the removal of malware.

  Here are other free programs that can help:

  Malwarebytes anti-malware free - http://www.malwarebytes.org/products/malwarebytes_free Please note, do not accept the trial version of MBAM Pro that it will conflict with MSE while the free version won't.

  SUPERAntiSpyware Free - http://www.superantispyware.com/downloadfile.html?productid=superantispywarefree

  TDSSKiller (free) - http://support.kaspersky.com/faq/?qid=208283363

  HitmanPro (free for 30 days) - http://www.surfright.nl/en/hitmanpro

• 2 cryptographic cards on the same interface

  Is it possible to apply two crypto is the interface even in a router? I have two cryptographic cards because I need to use two different authentication methods according to the VPN client that will connect.

  No, you can have a single encryption per interface card.

• The ASA can use 2 dynamic cryptographic cards on the external interface?

  We have an ASA which is currently used with dynamic VPN. I don't know the pre-shared key.  If I was going to try to create another card encryption. I did not want to bring another drop.  I know that the router does not allow.  It would replace the existing info.  I wasn't sure of the SAA.

  David,

  The pre shared key is defined in the specific tunnel-group, not in the crypto map.

  tunnel-group ipsec-attributes

  pre-shared key cisco

  However, by default:

  Dynamics of LAN-to-LAN tunnels using the 'DefaultL2LGroup '.
  

  L2TP/IPsec connections use the 'DefaultRAGroup '.
  

  In order to see the pre shared key in clear text: "more system: run".

  You can have a single card dynamic encryption card crypto, but you can have multiple entries / map instances of this dynamic, for example:

  Crypto-map dynamic dynamic_map 10 the value transform-set ESP-AES-256-SHA
  

  Crypto-map dynamic dynamic_map 20 the value transform-set ESP-AES-192-SHA
  

  
  

  map outside_map 65535-isakmp ipsec crypto dynamic dynamic_map

  More info:

  Dynamic IPsec Tunnel between a statically addressed ASA and dynamically addressed Cisco IOS router that uses the example of Configuration of CCP

  ASA/PIX: Allow the tunneling split for the VPN Clients on the example of Configuration of ASA

  
  

  Let me know if you have any other questions.

  Portu.

• network cards, teredo tunneling pseudo-interface. device cannot start (code 10)

  error code 10

  http://support.Microsoft.com/default.aspx/KB/943104

  Take a look at the KB and see if that fixes it.

• Cards and key marker legend

  Hi all

  I'm working on maps and I would like to know if it is possible to put a custom caption button or a custom bubble or if it is possible to hide the button of the legend inside the bubble.

  Kind regards.

  I've created a new issue in Jira requesting these new features:

  https://www.BlackBerry.com/jira/browse/BBTEN-1284

• control vNIC speed

  Hi all

  I want to know I could change speed in UCS with UCSM vnic and if I answer Yes, how can I change it?

  Thanks in advance

  Hi Amr

  Vnic speed you see in UCSM is given by the underlying hardware (adapter I/O, IOM,...).

  If you want to change it (for example to limit the bandwidth), you create a QoS policy and join with this interface.

  Walter.

• Question on ISAKMP POLICY < priority > GROUP?

  Good evening everyone,

  I have a few questions about affecting an isakmp group a 4th connection. I read that Im only allowed to use the Group 1,2,5 (on pix to pix firewall), but I've exhausted all 3 groups with my existing connection and Im currently adding another office off site to the network but can't understand how, need whether in 3des as well.

  These are my configs to the 3 existing work sites, how could I add the site 4th with 3des encryption?

  Crypto ipsec transform-set esp-3des esp-md5-hmac AAA

  Crypto ipsec transform-set esp-3des esp-md5-hmac BBB

  Crypto ipsec transform-set esp-3des esp-md5-hmac CCC

  vpn_remote 10 ipsec-isakmp crypto map

  vpn_remote crypto 10 card matches the address AAA

  card crypto vpn_remote 10 peers set www.xxx.yyy.zzz

  card crypto vpn_remote 10 transform-set AAA

  vpn_remote crypto 20 card matches the address BBB

  card crypto vpn_remote 20 peers set www.xxx.yyy.zzz

  vpn_remote crypto 20 card value transform-set BBB

  vpn_remote 30 ipsec-isakmp crypto map

  correspondence address 30 card crypto vpn_remote CCC

  card crypto vpn_remote 30 peers set www.xxx.yyy.zzz

  CCC vpn_remote 30 transform-set card crypto

  vpn_remote interface card crypto outside

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 md5 hash

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  political group 30 ISAKMP 5

  ISAKMP duration strategy of life 30 86400

  Thank you in advance, I hope someone can give me some input on this.

  CYM

  You need not to N isakmp policy to support associations N IKE. You can use one for all remote locations. You could live with isakmp policy 10 and use the Group Diffie-Hellman 1 2 or 5 (do not need all three). Just make sure that there are individual cryptographic cards for each site (unless your doing dynamic VPN).

  Also you do not need separate transform-sets because you use the same encryption methods in all three sets of transformation that you have defined.

  If you do not want to change the configs that above, all you have to do is to create a key isakmp, as well as a new instance of crypto 40 for the 4th remote site map.

• ASA 5500 looking for incomplete service policy

  I'm trying to update my device to 8.2 (2). These release notes, he mentions to make sure that you do not have the incomplete following lines:

  -Policy-map global_policy

  -comprehensive service-policy global_policy

  Here's a copy of my config. I want to just make sure I'm reading it correctly. I don't think I have incomplete service policies. I made the lines in question "BOLD". Thank you.

  !
  class-map type regex match - all DomainBlockList
  matches the regex domainlist1
  type of class-card inspect all match http BlockDomainsClass
  corresponds to the expression class regular request header host DomainBlockList
  class-map IPS_CLASS
  match any
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect http http_inspection_policy
  parameters
  class BlockDomainsClass
  Reset log
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  message-length maximum 2048
  policy-map global_policy - online question
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect h323 h225
  inspect the netbios
  inspect the rsh
  inspect the skinny
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the icmp
  inspect the ftp
  inspect the h323 ras
  inspect the http http_inspection_policy
  Policy-map IPS_POLICY
  class IPS_CLASS
  IPS inline help
  !
  line of service-policy global_policy global - in question
  IPS_POLICY service-policy to the outside interface
  context of prompt hostname
  Cryptochecksum:9678c3xd399320688fyyu741823
  : end
  asa5500 #.
  asa5500 #.

  Hello

  You have the default global_policy applied generally to service policy. (they are not incomplete).

  You can edit these policies or create policies and apply them in the world of politics of service or specific interfaces.

  You can find more information about the inspection on the SAA here:

  http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/inspect_overview.html

  Federico.

• IKE initiator unable to find the policy; Outside INTF, CBC: error

  I have a Cisco ASA 5505 having a tunnel at a remote office. I just put in place another identical to another tunnel and when I followed the VPN in ASDM I see that the VPN is active. But I can't ping through it. When I check the logs I see "IKE initiator unable to find the policy; Outside INTF, CBC:... "Nobody knows what might be the cause? Here is a copy of the configuration. Thank you.

  See the config of bdavpn1 #.
  : Saved
  : Written by admin in 17:54:11.823 HAA Monday, June 7, 2010
  !
  ASA Version 8.2 (2)
  !
  hostname bdavpn1
  domain.com domain name
  activate the encrypted password of OSaXLnYQKkAcBhYA
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  192.168.2.100 IP address 255.255.255.0 ensures 192.168.2.101
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 101.17.205.116 255.255.255.1018 Eve 101.17.205.117
  !
  interface Vlan3
  nameif dmz
  security-level 50
  IP 172.20.0.1 address 255.255.255.0 watch 172.20.0.3
  !
  interface Vlan4
  Failover LAN Interface Description
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  switchport access vlan 91
  !
  interface Ethernet0/3
  switchport access vlan 3
  !
  interface Ethernet0/4
  switchport access vlan 3
  !
  interface Ethernet0/5
  switchport access vlan 4
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone AST - 4
  clock to summer time recurring ADT
  DNS domain-lookup dmz
  DNS server-group DefaultDNS
  Server name 172.20.0.99
  domain.com domain name
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  object-group network Chicago-nets
  object-network 10.150.1.0 255.255.255.0
  object-network 10.150.55.0 255.255.255.0
  object-network 10.150.56.0 255.255.255.0
  object-network 10.150.57.0 255.255.255.0
  object-network 172.16.1.0 255.255.255.0
  object-network 192.168.26.0 255.255.255.0
  object-network 10.150.111.0 255.255.255.0
  the DM_INLINE_NETWORK_2 object-group network
  object-network 192.168.4.0 255.255.255.0
  object Group Chicago-nets
  the DM_INLINE_NETWORK_1 object-group network
  object-network 192.168.4.0 255.255.255.0
  object Group Chicago-nets
  the DM_INLINE_NETWORK_3 object-group network
  object-NET 172.20.0.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  the DM_INLINE_NETWORK_4 object-group network
  object-NET 172.20.0.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  outside_cryptomap to access extended list ip 192.168.2.0 allow 255.255.255.0 DM_INLINE_NETWORK_1 object-group
  inside_nat0_outbound to access extended list ip 192.168.2.0 allow 255.255.255.0 DM_INLINE_NETWORK_2 object-group
  inside_nat0_outbound to access extended list ip 192.168.2.0 allow 255.255.255.0 172.20.0.0 255.255.255.0
  inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_3 192.168.4.0 255.255.255.0
  inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
  Note to access list outside_to_dmz allow access to the citrix Server
  outside_to_dmz list extended access permit tcp any newspaper HTTPS host 101.17.205.123 eq
  dmz_to_inside allowed extended access list host 172.20.0.2 ip 192.168.2.0 255.255.255.0 connect
  Note to outside_access_in entering of Citrix access list
  outside_access_in list extended access permit tcp any host 101.17.205.123 eq https
  outside_2_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_4 192.168.4.0 255.255.255.0
  pager lines 101
  Enable logging
  timestamp of the record
  logging paused
  logging buffered information
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  MTU 1500 dmz
  IP verify reverse path to the outside interface
  failover
  primary failover lan unit
  failover failover lan interface Vlan4
  failover interface ip failover 172.16.30.1 255.255.255.252 watch 172.16.30.2
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 625.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  Global interface (dmz) 2
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  static (dmz, external) 101.17.205.123 172.20.0.2 netmask 255.255.255.255
  Access-group outside_access_in in interface outside
  Access-group dmz_to_inside in dmz interface
  Route outside 0.0.0.0 0.0.0.0 101.17.205.115 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA authentication enable LOCAL console
  AAA authentication http LOCAL console
  LOCAL AAA authentication serial console
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  LOCAL AAA authorization command
  Enable http server
  http 0.0.0.0 0.0.0.0 outdoors
  http 0.0.0.0 0.0.0.0 inside
  redirect http outside 80
  SNMP-server host inside 10.150.1.177 community survey * version 2 c
  SNMP-server host inside 10.150.2.38 community survey * version 2 c
  location of Server SNMP Hamilton, Bermuda
  SNMP Server contact René Bouchard
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Service resetoutside
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  inside
  redirect http outside 80
  SNMP-server host inside 10.150.1.177 community survey * version 2 c
  SNMP-server host inside 10.150.2.38 community survey * version 2 c
  location of Server SNMP Hamilton, Bermuda
  SNMP Server contact René Bouchard
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Service resetoutside
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto outside_map3 1 match address outside_cryptomap
  outside_map3 card crypto 1jeu peer 101.88.182.189
  outside_map3 card crypto 1jeu transform-set ESP-3DES-SHA
  card crypto game 2 outside_map3 address outside_2_cryptomap
  outside_map3 crypto map peer set 2 101.1.95.253
  card crypto outside_map3 2 the value transform-set ESP-3DES-SHA
  Crypto map outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map3 interface card crypto outside
  Crypto ca trustpoint bdavpn1
  Terminal registration
  domain name full bdavpn1.domain.bm
  name of the object CN = bdavpn1.domain.bm, OR = Ltd, O is domain, C = US, St is of_confusion, L is Hamilton,[email protected] / * /
  Configure CRL
  Crypto ca certificate card domainincCertificateMap 10
  name of the object attr cn eq sslvpn.domain.com
  Crypto ca certificate chain bdavpn1
  certificate ca 00
  30820267 308201d 0 a0030201 02020100 300 d 0609 2a 864886 f70d0101 04050030
  32310b 30 09060355 04061302 5553310 300 b 0603 d. 55040 has 13 41 53311430 04414c
  12060355 0403130b 63612e61 6c61732e 636f6d30 35303130 31303630 1e170d39
  3335 30313031 30363031 31395 has 30 32310 b 30 170d 3131395a 09060355 04061302
  300b 0603 55040 5553310d has 13 04414c 41 53311430 12060355 0403130b 63612e61
  06092a 86 4886f70d 01010105 0003818d 00308189 819f300d 636f6d30 6c61732e
  c19012ed 02818100 4cf67378 c9347162 2bcf6519 a3ab748f 1c9cae07 5c232c93
  8a 625638 68416412 and 55808768 412675bc 5906ba4a 3ffd1d101 303d0ea7 d559ccf8
  0d425ffc edf1cee8 337ca5c7 5f718f2d 081551f8 fc742b78 8866de9b c82310b0
  89975e30 7ea7f047 bf518ac3 aa2dfd7e f93b1016 7d5261ea 34f18fa7 748d52c8
  7595ecb3 02030100 01a3818c 30818930 1 d 060355 1d0e0416 0414c1ab b8651761
  fc3f12d1 b132322e be36ff6a cecb305a 0603551d 23045330 518014c 1 abb86517
  61fc3f12 d1b13232 2ebe36ff 6acecba1 36 has 43430 32310b 30 09060355 04061302
  300b 0603 55040 5553310d has 13 04414c 41 53311430 12060355 0403130b 63612e61
  6c61732e 636f6d82 0100300c 0603551d 13040530 030101ff 300 d 0609 2a 864886
  f70d0101 818100ad 04050003 1d558eab 05d50f7b b656e2c4 213a9ac3 1cecee73
  0251f931 0b47e84f f3c0847e b2168562 d27330b3 72c8023f b83aeb4a 2db8fbf7
  f4575c8e c56300aa 6d5b0fd3 092e7747 76 76286 26e81b3e 4ca35b71 792380b 9
  ca480932 c58a8ee6 2fa62a73 aa1d209d 68662c 59 0b8a71f1 c2db0cbb 5aefc8c5
  bedcbda7 caf46f0c b01def
  quit smoking
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  crypto ISAKMP ipsec-over-tcp port 10000
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet 0.0.0.0 0.0.0.0 outdoors
  Telnet timeout 120
  SSH enable ibou
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 60
  Console timeout 0
  management-access inside

  a basic threat threat detection
  threat detection statistics
  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
  prefer NTP server 192.168.2.116 source inside
  NTP server 192.168.2.117 source inside
  bdavpn1 point of trust SSL outdoors
  WebVPN
  allow outside
  enable SVC
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  LtdAdmin XRlF3jA1k3JEhNgr encrypted privilege 15 password username
  domainadmin encrypted E1zLpTPUtBADN9og privilege 15 password username
  tunnel-group sslvpn.domain.com type ipsec-l2l
  sslvpn.domain.com group of tunnel ipsec-attributes
  validation by the peer-id cert
  trust-point bdavpn1
  tunnel-group 101.88.182.189 type ipsec-l2l
  IPSec-attributes tunnel-group 101.88.182.189
  pre-shared-key *.
  tunnel-group 101.1.95.253 type ipsec-l2l
  IPSec-attributes tunnel-group 101.1.95.253
  pre-shared-key *.
  tunnel-Group-map enable rules
  Tunnel-Group-map domainincCertificateMap 10 sslvpn.domain.com
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 10101
  ID-randomization
  ID-incompatibility action log
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the icmp
  inspect the icmp error
  inspect the amp-ipsec
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:a23ada0366576d96bd5c343645521107

  Scott,

  When you check the status of the two tunnels of the CLI, check the following:

  HS cry isa--> of his watch as active or QM_IDLE

  HS cry ips his--> shows the packages encrypted/decrypted

  The second tunnel does not properly come upwards, should ensure that policies correspond to the two ends of the tunnel.

  If this second tunnel is started but does not traffic, we might have a problem NAT or routing.

  Federico.