Multiple "set peer" statements - failover behavior

Hi all

I would like to confirm the behavior of using multiple "set peer" statements under a single crypto map sequence for IPsec tunnel failover. In particular, what happens when a peer that was previously unavailable returns to service?

For example:

I have two sites; Site 1 and Site 2 each have two routers. All are connected by a routed cloud.

The routers at each site have the following crypto map configured:

Site 1 - Router A and Router B:

crypto map 10 ipsec-isakmp
 set peer RouterD
 set peer RouterC
 set transform-set 3desMd5
 match address 101

Site 2 - Router C and Router D:

crypto map 10 ipsec-isakmp
 set peer RouterA
 set peer RouterB
 set transform-set 3desMd5
 match address 101

HSRP is used on the LAN side between the two routers at each site, with Router A and Router C respectively preferred as the active device.

According to the Cisco documentation:

"You can specify multiple peers by repeating this command (set peer). The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list."

http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_s2.html#wp1046908

If Router A has an IPsec tunnel to Router D and Router D fails, a tunnel is built between Router A and Router C. When Router D comes back up, does traffic from Router A switch back to Router D?

What sequence of events would result in the tunnel not switching back once the primary router has recovered from a failure?

Thanks in advance.

OK, that explains the behavior. When Router D comes back, it becomes the HSRP primary again, so traffic originating at Site 2 will use Router D as its exit point and Router D will re-establish the IPsec session with Router A. It looks like a switch back to Router D, but that is only because Router D initiates the IPsec session to Router A once it returns.

HTH,

Lei Tian
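To make the two quoted rules concrete, here is a small Python model (added for this thread, not code from the thread or from Cisco) of Router A's crypto map entry with peers RouterD then RouterC. It replays the scenario above: D fails, D recovers without sending anything, and finally D (HSRP active again) initiates IKE to A; peer reachability is abstracted as a flag.

```python
"""Model of IOS crypto map peer selection with multiple `set peer` entries.

Added illustration for this thread, not code from the thread or from Cisco.
It encodes the two rules quoted from the command reference: packets for a
flow go to the peer the router last heard from for that flow, and if IKE
fails with one peer the next peer on the crypto map list is tried. Peer
reachability is an abstraction here; a real router learns it from the IKE
negotiation failing.
"""
from typing import Dict, List, Optional, Tuple


class CryptoMapEntry:
    """One `crypto map ... ipsec-isakmp` entry with its ordered `set peer` list."""

    def __init__(self, peers: List[str]) -> None:
        self.peers = peers                                   # configured order
        self.reachable: Dict[str, bool] = {p: True for p in peers}
        self.last_heard: Dict[str, str] = {}                # flow -> peer last heard from

    def heard_from(self, peer: str, flow: str) -> None:
        """Record traffic or an IKE negotiation request received from `peer` for `flow`."""
        self.reachable[peer] = True
        self.last_heard[flow] = peer

    def peer_for(self, flow: str) -> Optional[str]:
        """Pick the peer `flow` is sent to, trying the rest of the list if IKE fails."""
        order = list(self.peers)
        preferred = self.last_heard.get(flow)
        if preferred in order:                               # last-heard peer goes first
            order.remove(preferred)
            order.insert(0, preferred)
        for peer in order:
            if self.reachable[peer]:                         # IKE negotiation succeeds
                self.last_heard[flow] = peer                 # SA is up; the flow sticks here
                return peer
        return None                                          # every listed peer failed


def run_thread_scenario() -> List[Tuple[str, Optional[str]]]:
    """Router A's view: peers D then C; D fails, recovers quietly, then initiates."""
    router_a = CryptoMapEntry(["RouterD", "RouterC"])
    flow = "site1->site2"
    events: List[Tuple[str, Optional[str]]] = []

    events.append(("initial", router_a.peer_for(flow)))            # RouterD

    router_a.reachable["RouterD"] = False                           # RouterD fails
    events.append(("D down", router_a.peer_for(flow)))             # RouterC

    router_a.reachable["RouterD"] = True                            # RouterD recovers but stays silent
    events.append(("D back, silent", router_a.peer_for(flow)))     # still RouterC: no switchback

    router_a.heard_from("RouterD", flow)                            # D preempts HSRP and initiates IKE to A
    events.append(("D initiates", router_a.peer_for(flow)))        # RouterD again
    return events


if __name__ == "__main__":
    for step, peer in run_thread_scenario():
        print(f"{step:>15}: {peer}")
```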

Tags: Cisco Security

Similar Questions

  • Multiple CASE statements in a WHERE clause

    Hello

    I'm trying to create report filters using substitution variables in a CASE statement in a WHERE clause. I have multiple CASE statements running against the same column. I don't really know how to write it. Here's what I have so far, but I know I'm going in the wrong direction.

    where
        i.compute_zone =
            case
                when :P14_zone is not null then :P14_zone
                else i.compute_zone
            end
    AND
        i.compute_zone =
            case
                when :P14_zone_2 is not null then :P14_zone_2
                else :P14_zone
            end
    AND
        i.compute_zone =
            case
                when :P14_zone_3 is not null then :P14_zone_3
                else i.compute_zone
            end
    AND
        i.compute_zone =
            case
                when :P14_zone_4 is not null then :P14_zone_4
                else i.compute_zone
            end

    any suggestions?

    Thank you

    MICAH

    Hi, Micah,


    How to get the desired results from your data depends on your data and the desired results.  What do you want to do?  (I can't tell just by looking at code that doesn't do it.)  Post CREATE TABLE and INSERT statements for some sample data, a couple of sets of parameters (variables such as p14_zone), and the exact results you want for each set of parameters, given the same sample data.

    Check out the Forum FAQ: Re: 2. How do I ask a question on the forums?

    CASE expressions are generally not useful in a WHERE clause.  CASE expressions are a convenient way to do IF-THEN-ELSE logic in places where you can't do it otherwise (such as the SELECT clause), but WHERE clauses allow IF-THEN-ELSE logic anyway.

    Maybe you want something like

    WHERE COALESCE (:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4) IS NULL
    OR    i.compute_zone IN (:p14_zone, :p14_zone_2, :p14_zone_3, :p14_zone_4)

    This returns TRUE if all 4 parameters are NULL.  If 1 or more of them are not NULL, then it returns TRUE if i.compute_zone is equal to one of them.

  • SSE2 instruction set

    Does a Compaq Presario SR1300NX with an AMD Sempron 3000+ support SSE2 instructions?  If not, is it possible to add this feature?

    My research indicates that SSE2 was introduced in AMD processors in 2003.  I bought my computer in 2005 but I'm not sure it understands the SSE2 instruction set.  Is there a way to tell if this instruction set is supported on my computer?

    I opened up my case, but the AMD CPU seems to be fixed under a cooling fan.  How do I remove the fan so I can read what is written on the AMD chip?

    The reason for this question is that I have upgraded to Windows 7 and I wanted to put the new version of Word 2013 on the computer.  My research indicates that Word 2013 requires an x86 processor with the SSE2 instruction set.

    Thanks for the quick and accurate response.

  • Cannot install Silverlight, get error 1503, CPU does not support the SSE instruction set that Silverlight requires to run

    Original title: silverlight

    I tried to install Silverlight on my computer running Windows XP 32-bit with Service Pack 3. My problem is, it downloads and then when I try to install, it says that my CPU will not support Silverlight. I get the message 1503, CPU does not support the SSE instruction set that Silverlight requires to run.

    So here's my question... How can I fix it? And what is the problem? Any help would be appreciated... Is it an "I need a new operating system" problem or just a cranky computer problem?
    Thank you
    Lynn


    ========================================
    This means that your hardware is not up to the task.

    If you search the Silverlight forums for 1503
    you will find that you are not alone.

    Silverlight .NET forums
    http://forums.Silverlight.NET/search

    The following article explains what a CPU is.

    Central processing unit
    http://en.Wikipedia.org/wiki/Central_processing_unit

  • Multiple exit statements in a method - good or bad practice

    Hi Java fans,

    I happened to read this article: http://www.theserverside.com/tip/A-return-to-Good-Code on 'theserverside.com' about how having multiple exit statements in a method is bad programming practice.

    However, when you glance through the comments on the article, you will find people showing mixed reactions to this statement.

    I want to know what should be the right road to take when writing code.
    Is there a logic that must decide which method to follow?

    Thanking you in advance for your advice.

    Through a Google search I found the following links:
    http://StackOverflow.com/questions/2939162/is-it-bad-to-have-multiple-return-statements
    http://StackOverflow.com/questions/36707/should-a-function-have-only-one-return-statement

    Static code analyzers highlight multiple exit statements as a negative pointer!

    815233 wrote:
    A great example, I must say. Thanks a lot for this post, baftos. And also thank you all for your contributions to it. :-)

    And on this subject, an old chestnut that was given to me was: 'not more than 3 levels of conditional logic' (be they ifs, loops or something else).
    Like most of the others, it must be applied with thought; but it has served me quite well for 30 years.

    Winston

  • Setting up failover on an RV042 V3

    I have a new (about 4 months) RV042 V3 with 4.0.0.07 firmware that I am trying to use in failover mode.  I have a SOHO and I used to use a cable Internet connection.  It's pretty fast (15 megabits), but not super reliable.  I added DSL (3.3 Mb) which is five nines (supposedly) but not so fast.

    I have a Westell 7500 DSL modem located in the basement, where the telephone lines enter the building.  It gives me a link to the second-floor server room via a wireless router that connects to the RV042 WAN2.   The cable modem is in the server room and connects directly to the RV042 WAN1.  The cable works, but when it goes down, the DSL link comes up but does not pass Internet traffic.  The RV042 is configured as a bridge, and I set up port forwarding to get the cable to work and used similar firewall rules to route traffic if the router switched.  I suspect the problem is in the port forwarding (port 80) or the firewall rules (which are quite simple), because everything looks like it switches mode, but it just doesn't do anything on WAN2.

    Can anyone shed some light on this problem, which doesn't seem like it should be one?

    Thank you, Bob

    Hi Bob,

    Thank you for posting. If you plug a PC into R2, do you have access to the internet? What is the default gateway? Have you tried giving WAN2 a static IP and a gateway that points to R1?

  • SyncRep failover behavior

    Configuration: 1 x campus, 2 x server rooms, full direct fiber mesh between the iSCSI switches

    In each room, the customer has 2 x ESXi 5.5 hosts, 2 x iSCSI switches and 1 x PS6500

    The iSCSI network is a flat layer 2 network. The customer wants active SyncRep and the two server rooms to be active/active to get a good return on investment. In a DR scenario, for example server room A goes down, he wants the VMs to fail over to server room B using VMware HA.

    What exactly happens with SyncRep failover? I read the TR, which mentions NAA changes and that datastores must be rescanned, plus intervention in Group Manager.

    Can anyone elaborate any further on exactly what to expect and what actions should be taken?

    Thank you

    Hello

    The TR describes what would happen after a failure on the primary side.  That is a double-failed RAIDset.  Currently there is no automatic failover to the alternate pool.   You must fail over to the alternate pool from the GUI/CLI.  Then rescan in ESXi, and start your virtual machines.

    If you want to do it proactively, you can simply move to the alternate pool without any downtime.  It uses the required SCSI features "connection redirection" and "async logout".    When you move to the alternate pool, it will log out the existing connections, and when they immediately reconnect they will be redirected to the pool that is now the active SyncRep pool.

    Kind regards

  • Multiple data sets with SetFieldValues

    Here is a simplified version of what I'm trying to do.

    I have two drop-down menus. Each has 3 different options.

    • Dropdown 1 - Apple, Banana, Strawberry.
    • Dropdown 2 - Clock, Window, Door.

    I have a text field next to each dropdown.

    • Dropdown 1 - "colorfield" is the name of the corresponding text field
    • Dropdown 2 - "shapefield" is the name of the corresponding text field

    I want the text fields to fill in according to what is selected in the dropdown lists. I can get each to work separately, but when I add the script for both, only one continues to work.

    Here's what I have.

    Document JavaScript

    // Data Set 1
    var oneData = {
        "Apple":      { color: "red" },
        "Banana":     { color: "yellow" },
        "Strawberry": { color: "red" }
    };
    // Data Set 2
    var twoData = {
        "Clock":  { shape: "round" },
        "Window": { shape: "square" },
        "Door":   { shape: "rectangle" }
    };
    // Populate fields function 1
    function SetFieldValues(fruit) {
        this.getField("colorfield").value = oneData[fruit].color;
    }
    // Populate fields function 2
    function SetFieldValues(objects) {
        this.getField("shapefield").value = twoData[objects].shape;
    }

    Custom keystroke script on combo 1

    if (event.willCommit) {
        if (event.value == " ") this.resetForm(["colorfield"]);
        else SetFieldValues(event.value);
    }
    

    Custom keystroke script on combo 2

    if (event.willCommit) {
        if (event.value == " ") this.resetForm(["shapefield"]);
        else SetFieldValues(event.value);
    }
    

    Thank you!

    There is a reason you cannot use a name that already exists as a keyword: the computer program is not smart enough to figure out which one you mean. The same goes for function names. You have 2 functions with exactly the same name, but each runs a different block of code. The usual way a program resolves this dilemma is to use the last definition of the function. You must give your "SetFieldValues" functions unique names.

  • Multiple if statements in conditional actions?

    Hello

    I have a single button on a slide.  Each time the user clicks it, an additional text caption should appear.  My original idea was to hide all captions, create a variable to keep track of how many times the user has clicked the button, and when the button is clicked, check how many times it has been clicked and show the appropriate caption.  This approach would require multiple if statements because, depending on how many times the button has been clicked, a different caption would be shown.

    From my preliminary research, this was not possible in 2012.

    Does anyone have ideas?

    You cannot nest IFs, but you can achieve this with multiple decisions. You do not have to nest IFs to achieve this goal, although having a CASE function would make it easier (you can do that with JS). Here is a much simpler application with advanced actions:

    Blog post on Posterous? - ClickClick - Captivate blog

    Please look at the ClickClick example.

  • Why can't I put multiple CASE statements here?

    I currently have a CASE statement and a DECODE statement in the same query, and whenever I run it, it gives me the same error:

    FROM keyword not found where expected.

    The query I am running is:

    select ctn_nbr, plt_id, locn_brcd, ctrl_nbr, substr(ref_field_1,3,8),
           ship_via, user_id, mod_date_time, trunc(sched_dlvry_date), trkg_nbr as tracking_number,
           decode(stat_code,
                  '10', 'Not Selected',
                  '20', 'Printed',
                  '35', 'In Packaging',
                  '40', 'Package Complete',
                  '70', 'Loaded on Truck',
                  '90', 'Delivered/Billed',
                  '99', 'Cancellation',
                  'Unknown') as status,
           case
               when substr(soldto, 0, 6) = 'BATH' and 'Special Order'
               else 'Standard Order'
           end as "order type"
    Table A

    Is this something ridiculously simple that I'm missing, like a comma? I do not understand why this error message keeps coming up. Help, please!

    end as "order type"

  • I use Illustrator CS3.  I can't select only the artwork to export in JPG or PNG format.  When I do, it exports the entire workspace.  I want just the artwork in a JPG file.  What are the steps to convert only the artwork?

    Can someone tell me how to export just my artwork object to a PNG or JPG?  I get the whole workspace saved when I export.    I want to export a label to another program to print, and the entire workspace is in the JPG, including not only the art I want but other things located on the workspace.       How can I simply isolate the object I want to export and convert it?
    Newsgroup_User

    Randy,

    You can create a rectangle the size of the artwork and Object > Crop Area > Make, then Save for Web.

    Or you can use the Crop Area tool; see the documentation or here.

    http://DesignerToday.com/tutorials/Illustrator/4822/using.the.crop.tool.Illustrator.CS3.TUtorial.aspx

  • GETVPN Configuration Tips

    Hello Cisco support community.

    I intend to implement GETVPN for my client. I have several questions about GETVPN failover behavior.

    I have tested the configuration on GNS3 with a C3725 router and also on a real C2800 series router, and the behavior is the same.

    1. I have 2 KS in the topology; does the GM only register with one KS?

    2. When the primary KS goes down, the GM does not move to the secondary KS, so I need to clear crypto gdoi on the GM. Is there any configuration required to make the GM move to the other active KS?

    3. I have checked on the GM that I get encaps and encrypt, but never decaps and decrypt?

    Please find the attachment for the example topology and configuration.

    Thank you and have a nice day.

    Sincerely yours

    Audrey

    Take a look at the DIG, it will answer most of your questions.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.PDF

    Section 1.2.7

    (1) Yes.

    (2) Check the DIG; there should be no need to re-register immediately, the "Secondary KS" should become the new primary.

    (3) Do you mean it is not receiving encrypted traffic, or that it does not increment the counter? I would not trust GNS3. If the problem is the same on the 2800 with 15.1(4)M, check with TAC.

  • Peer not found setting up IPsec tunnel

    I'm trying to configure a VPN between a PIX 6.3(5) and an ASA 7.2(4). Everything looks good to me and I can't understand why the tunnel doesn't come up.

    PIX
    --------------------------------------
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.20 255.255.255.254
    access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.130.20 255.255.255.254
    access-list inside_outbound_nat0_acl permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.10.130.160 255.255.255.248
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.0.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.3.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.252.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.10.130.0 255.255.255.0 10.220.248.0 255.255.252.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.10.130.20 255.255.255.254
    access-list outside_cryptomap_40 permit ip 10.10.130.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list outside_cryptomap_40 permit ip 10.10.132.0 255.255.255.0 10.10.134.0 255.255.255.0
    access-list lscctx_splitTunnelAcl permit ip 10.10.130.0 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any 10.10.130.160 255.255.255.248
    access-list outside_cryptomap_dyn_60 permit ip any 10.130.254.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.130.0 255.255.255.0 10.130.16.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.132.0 255.255.255.0 10.130.16.0 255.255.255.0
    access-list outside_cryptomap_60 permit ip 10.10.134.0 255.255.255.0 10.130.16.0 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 208.77.70.98
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_40
    crypto map outside_map 60 set peer 10.130.254.6
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address 66.15.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 208.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 209.125.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 12.49.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 208.77.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 10.130.254.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key * address 10.130.254.6 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 60
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400

    ASA
    --------------------------
    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.130.0 255.255.255.0
    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.132.0 255.255.255.0
    access-list OUTSIDE_CRYPTOMAP extended permit ip 10.130.16.0 255.255.255.0 10.10.134.0 255.255.255.0
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
    crypto map OUTSIDE_MAP 1 set peer 10.10.133.10
    crypto map OUTSIDE_MAP 1 set transform-set ESP-3DES-MD5
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 10.10.133.10 type ipsec-l2l
    tunnel-group 10.10.133.10 ipsec-attributes
     pre-shared-key *
    !
    !

    PIX debug
    ------------------------------------
    CT-PIX#
    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP:      default group 2
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash MD5
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP:      default group 2
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash MD5
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
    ISAKMP:      default group 2
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash MD5
    ISAKMP:      auth pre-share
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    ISAKMP (0): retransmitting phase 1 (0)...
    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
    VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (1)...
    ISAKMP (0): retransmitting phase 1 (2)...
    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
    VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (3)...
    crypto_isakmp_process_block:src:10.130.254.6, dest:10.10.133.10 spt:500 dpt:500
    VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0
    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (4)...
    ISAKMP (0): deleting SA: src 10.130.254.6, dst 10.10.133.10
    ISADB: reaper checking SA 0x1143144, conn_id = 0  DELETE IT!
    VPN Peer: ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0

    ASA debug
    --------------------------------------
    CT-STEPHEN-ASA# Jul 18 20:08:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10.133.10  local Proxy Address 10.130.16.0, remote Proxy Address 10.10.130.0,  Crypto map (OUTSIDE_MAP)
    Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing ISAKMP SA payload
    Jul 18 20:08:23 [IKEv1 DEBUG]: IP = 10.10.133.10, constructing Fragmentation VID + extended capabilities payload
    Jul 18 20:08:23 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    SENDING PACKET to 10.10.133.10

    ISAKMP Header
      Initiator COOKIE: 28 31 24 50 42 45 ba a
      Responder COOKIE: 00 00 00 00 00 00 00 00
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 108
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 56
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
    Payload Transform
      Next Payload: None
      Reserved: 00
      Payload Length: 36
      Transform #: 1
      Transform-Id: KEY_IKE
      Reserved2: 0000
      Group Description: Group 2
      Encryption Algorithm: 3DES-CBC
      Hash Algorithm: MD5
      Authentication Method: Preshared key
      Life Type: seconds
      Life Duration (Hex): 00 01 51 80
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
        c0 00 00 00

    Jul 18 20:08:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 18 20:08:25 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jul 18 20:08:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 18 20:08:27 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jul 18 20:08:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 18 20:08:29 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108


    Jul 18 20:08:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jul 18 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108


    18 Jul 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE new SEND Message (msgid = 0) with payloads: HDR + HER (1), SELLER (13) + (0) NONE total length: 108

    ISAKMP header

    Initiator COOKIE: 28 31 24 50 42 4-5 ba has

    Responder COOKIE: 00 00 00 00 00 00 00 00

    Next payload: Security Association

    Version: 1.0

    Exchange type: Protection of identity (Main Mode)

    Indicators: (none)

    MessageID: 00000000

    Length: 108

    Payload security association

    Next payload: Vendor ID

    Booked: 00

    Payload length: 56

    DOI: IPsec

    Situation: (SIT_IDENTITY_ONLY)

    Proposal of payload

    Next payload: no

    Booked: 00

    Payload length: 44

    Proposal #: 1

    Protocol-Id: PROTO_ISAKMP

    SPI size: 0

    number of transformations: 1

    Transformation of the payload

    Next payload: no

    Booked: 00

    Payload length: 36

    Transform #: 1

    Transform-Id: KEY_IKE

    Reserved2: 0000

    Description of the Group: Group 2

    Encryption algorithm: 3DES-CBC

    The hashing algorithm: MD5

    Authentication method: pre-shared key

    Type of life: seconds

    Life (Hex): 00 01 51 80

    Vendor ID payload

    Next payload: no

    Booked: 00

    Payload length: 24

    Data (in hexadecimal):

    40 48 b7 d5 6th e8 85 25 e7 7f 00 c2 d3 d6 bc

    C0 00 00 00

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, case of mistaken IKE MM Initiator WSF (struct & 0x1d24750) , : MM_DONE, EV_ERROR--> MM_WAIT_MSG2, EV_RETRY--> MM_WAIT_MSG2, EV_TIMEOUT--> MM_WAIT_MSG2 NullEvent--> MM_SND_MSG1, EV_SND_MSG--> MM_SND_MSG1, EV_START_TMR--> MM_SND_MSG1, EV_RESEND_MSG--> MM_WAIT_MSG2, EV_RETRY

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 ending: flags 0 x 01000022, refcnt 0, tuncnt 0

    18 Jul 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, sending clear/delete with the message of reason

    18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer to peer table has no, no match!

    18 Jul 20:08:55 [IKEv1]: IP = 10.10.133.10, error: cannot delete PeerTblEntry

    Sorry, I am just trying to work out why it cannot find the peer, given the following error message:

    VPN Peer:ISAKMP: Peer Info for 10.130.254.6/500 not found - peers:0

    whereas 10.130.254.6 is in fact configured as directed by your post.

    The configuration seems correct to me. You might want to try reloading the PIX.
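    The debug above shows the ASA sending main-mode message 1 (HDR + SA + VENDOR) three times, eight seconds apart, and then tearing the SA down from MM_WAIT_MSG2 on EV_TIMEOUT: the peer never answered. As an added example that is not part of the thread, the Python script below parses lines in that format, counts MM1 retransmits per peer, measures the gap between them, and extracts the state in which the timer fired. The log it runs on is constructed after the quoted output; the second peer, 10.10.133.20, is invented as a contrast that does get a reply.

```python
import re
from datetime import datetime

# Constructed sample modelled on the debug quoted above (same peer, timestamps and
# messages); the second peer, 10.10.133.20, is invented as a contrast that gets a reply.
SAMPLE_LOG = """\
Jul 18 20:08:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 18 20:08:31 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 18 20:08:39 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 18 20:08:47 [IKEv1]: IP = 10.10.133.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE MM Initiator FSM error history (struct &0x1d24750)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 18 20:08:55 [IKEv1 DEBUG]: IP = 10.10.133.10, IKE SA MM:50243128 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Removing peer from peer table failed, no match!
Jul 18 20:08:55 [IKEv1]: IP = 10.10.133.10, Error: Unable to remove PeerTblEntry
Jul 18 20:09:02 [IKEv1]: IP = 10.10.133.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jul 18 20:09:02 [IKEv1]: IP = 10.10.133.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Jul 18 20:09:02 [IKEv1]: IP = 10.10.133.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 220
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1[^\]]*\]: (?:IP = ([\d.]+), )?(.*)$")
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=(\w+)\) with payloads : (.*?) total length")
TIMEOUT_RE = re.compile(r"(MM_\w+), EV_TIMEOUT")   # state in which the FSM timer fired


def _ts(text):
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")   # the log has no year


def analyze(log):
    """Per peer: MM1 sends, gaps between them, messages received, timeout state, verdict."""
    peers = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group(2):
            continue                      # not an IKEv1 line, or no peer address on it
        ts, ip, msg = _ts(m.group(1)), m.group(2), m.group(3)
        p = peers.setdefault(ip, {"mm1": [], "received": 0, "timeout_state": None})
        d = DECODE_RE.search(msg)
        if d:
            direction, msgid, payloads = d.groups()
            # MM1 is the initiator's SA proposal; the same message again is a retransmit
            if direction == "SENDING" and msgid == "0" and payloads.startswith("HDR + SA (1)"):
                p["mm1"].append(ts)
            elif direction == "RECEIVED":
                p["received"] += 1
        t = TIMEOUT_RE.search(msg)
        if t:
            p["timeout_state"] = t.group(1)
    report = {}
    for ip, p in peers.items():
        sent = p["mm1"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(sent, sent[1:])]
        if sent and p["received"] == 0:
            verdict = ("no reply to MM1: peer silent (unreachable, UDP/500 filtered, or no "
                       "ISAKMP policy / tunnel-group for this address on the far side)")
        elif p["timeout_state"]:
            verdict = f"peer answered, then exchange timed out in {p['timeout_state']}"
        else:
            verdict = "phase 1 exchange progressed"
        report[ip] = {"mm1_sent": len(sent), "retransmit_gaps_s": gaps,
                      "received": p["received"], "timeout_state": p["timeout_state"],
                      "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

    A peer that never returns MSG2 is usually a reachability or policy problem on the far side rather than a proposal mismatch: a responder that rejects the proposal normally sends a NOTIFY back, which would be counted under received.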

  • Site-to-site VPN - need help setting up several tunnels

    I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site (see attached diagram).

    It works well, but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What is the best way to do it? Can the 1720s be configured with direct L2L VPN tunnels, or will that affect the existing tunnels to the ASA5510? If so, I'm guessing each 1720 will have to go through the ASA first.

    Thank you.

    Configs below:

    ASA5510

    ASA Version 7.2(2)
    !
    names
    name 172.18.3.19 postal description Mail Server
    name 172.18.3.33 helpdesk description Helpdesk Server
    dns-guard
    !
    interface Ethernet0/0
     description Comcast link
     nameif ComCast_Out
     security-level 0
     ip address 29.92.14.73 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.10.2 255.255.255.252
    !
    interface Ethernet0/2
     security-level 0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 10.10.10.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa722-k8.bin
    boot system disk0:/asa706-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list inbound extended permit ip any host 29.92.14.74
    access-list inbound extended permit icmp any any unreachable
    access-list inbound extended permit icmp any any echo-reply
    access-list inbound extended permit tcp any host 29.92.14.73 eq 3000
    access-list inbound extended permit tcp any host 29.92.14.73 eq smtp log
    access-list inbound extended permit tcp any host 29.92.14.73 eq www
    access-list inbound extended permit tcp any host 29.92.14.73 eq 3389
    access-list inbound extended permit tcp any host 29.92.14.73 eq pptp
    access-list inbound extended permit tcp any host 116.204.226.42 eq 3000
    access-list inbound extended permit tcp any host 116.204.226.42 eq smtp
    access-list inbound extended permit tcp any host 116.204.226.42 eq www
    access-list inbound extended permit tcp any host 116.204.226.42 eq 3389
    access-list inbound extended permit tcp any host 116.204.226.42 eq pptp
    access-list inbound remark FTP Server
    access-list inbound extended permit tcp any host 29.92.14.73 eq ftp
    access-list acl_out extended permit tcp host 29.92.14.73 any eq smtp
    access-list acl_out extended permit tcp host 192.168.1.4 any eq smtp
    access-list acl_out extended deny tcp any any eq smtp
    access-list acl_out extended permit ip any any
    access-list 121 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
    access-list sheep extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
    access-list sheep extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
    access-list sheep extended permit ip 172.30.1.0 255.255.255.0 172.31.255.0 255.255.255.0
    access-list sheep extended permit ip 192.168.10.0 255.255.255.252 172.31.255.0 255.255.255.0
    access-list sheep extended permit ip 172.17.1.0 255.255.255.0 172.31.255.0 255.255.255.0
    access-list sheep extended permit ip 172.18.0.0 255.255.0.0 172.31.255.0 255.255.255.0
    access-list sheep extended permit ip 172.31.3.0 255.255.255.0 172.31.255.0 255.255.255.0
    access-list sheep extended permit ip 192.168.0.0 255.255.0.0 172.31.255.0 255.255.255.0
    access-list backup_access_out extended permit ip any any
    access-list outside_access_out extended permit ip any any
    access-list outside_access_out remark Barracuda
    access-list outside_access_out extended permit tcp host 172.18.3.8 any eq smtp inactive
    access-list outside_access_out remark SMTP Block
    access-list outside_access_out extended deny tcp any any eq smtp inactive
    access-list inside_access_in remark schools SMTP
    access-list inside_access_in extended permit tcp host postal eq smtp any eq smtp
    access-list inside_access_in extended permit tcp host 172.18.3.8 any eq smtp
    access-list inside_access_in extended permit tcp host 172.18.3.30 any eq smtp
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended permit ip any any
    access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
    access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
    access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
    access-list vpn_access standard permit 192.168.10.0 255.255.255.252
    access-list vpn_access standard permit 172.17.1.0 255.255.255.0
    access-list vpn_access standard permit 172.18.0.0 255.255.0.0
    access-list vpn_access standard permit 172.31.3.0 255.255.255.0
    access-list vpn_access standard permit 172.30.1.0 255.255.255.0
    access-list vpn_access standard permit 192.168.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging monitor emergencies
    logging buffered warnings
    logging asdm informational
    mtu ComCast_Out 1500
    mtu inside 1500
    mtu NOT_IN_USE 1500
    mtu management 1500
    ip local pool vpnpool 192.168.20.2-192.168.20.254
    ip local pool VPN_POOL 172.31.255.1-172.31.255.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (ComCast_Out) 1 interface
    global (NOT_IN_USE) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 192.0.0.0 255.0.0.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,ComCast_Out) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface www 172.18.3.30 www netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface 3389 172.18.3.22 3389 netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
    static (inside,NOT_IN_USE) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
    static (inside,NOT_IN_USE) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
    static (inside,NOT_IN_USE) tcp interface www 172.18.3.30 www netmask 255.255.255.255
    static (inside,NOT_IN_USE) tcp interface 3389 172.18.3.23 3389 netmask 255.255.255.255
    static (inside,NOT_IN_USE) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface 3101 172.18.3.8 3101 netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface ftp helpdesk ftp netmask 255.255.255.255
    static (inside,ComCast_Out) tcp interface ftp-data helpdesk ftp-data netmask 255.255.255.255
    static (inside,ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255
    access-group inbound in interface ComCast_Out
    access-group outside_access_out out interface ComCast_Out
    access-group inside_access_in in interface inside
    access-group inbound in interface NOT_IN_USE
    access-group backup_access_out out interface NOT_IN_USE
    route ComCast_Out 0.0.0.0 0.0.0.0 29.92.14.78 1 track 1
    route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
    route inside 172.17.1.0 255.255.255.0 192.168.10.1 1
    route inside 172.18.0.0 255.255.0.0 192.168.10.1 1
    route inside 172.31.3.0 255.255.255.0 192.168.10.1 1
    route inside 172.30.1.0 255.255.255.0 192.168.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy vpnclient internal
    group-policy vpnclient attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn_access
    group-policy remote internal
    group-policy remote attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value 121
    http server enable
    http 172.0.0.0 255.0.0.0 inside
    http 192.0.0.0 255.0.0.0 inside
    http 10.10.10.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
     type echo protocol ipIcmpEcho 168.87.71.226 interface ComCast_Out
     num-packets 3
     frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set 3des esp-3des esp-md5-hmac
    crypto ipsec transform-set SHA3DES esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3des
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
    crypto map vpnremote 20 set peer 202.13.116.209
    crypto map vpnremote 20 set transform-set ESP-DES-MD5
    crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
    crypto map vpnremote 25 set peer 207.147.31.97
    crypto map vpnremote 25 set transform-set ESP-DES-MD5
    crypto map vpnremote 30 ipsec-isakmp dynamic dynmap
    crypto map vpnremote 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map vpnremote interface ComCast_Out
    crypto map VN1530600A 663 match address ACL663
    crypto map VN1530600A 663 set pfs
    crypto map VN1530600A 663 set peer 29.92.14.73
    crypto map VN1530600A 663 set transform-set SHA3DES
    crypto map VN1530600A 663 set security-association lifetime seconds 1800
    crypto isakmp identity address
    crypto isakmp enable ComCast_Out
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    !
    track 1 rtr 123 reachability
    tunnel-group remote type ipsec-ra
    tunnel-group remote general-attributes
     address-pool vpnpool
     default-group-policy remote
    tunnel-group remote ipsec-attributes
     pre-shared-key *
    tunnel-group 29.92.14.73 type ipsec-l2l
    tunnel-group 29.92.14.73 ipsec-attributes
     pre-shared-key *
    tunnel-group 202.13.116.209 type ipsec-l2l
    tunnel-group 202.13.116.209 ipsec-attributes
     pre-shared-key *
    tunnel-group 207.147.31.97 type ipsec-l2l
    tunnel-group 207.147.31.97 ipsec-attributes
     pre-shared-key *
    telnet 192.168.0.0 255.255.0.0 inside
    telnet 172.0.0.0 255.0.0.0 inside
    telnet timeout 120
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 10.10.10.11-10.10.10.20 management
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7
    : end

    1720-A

    version 12.2
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    !
    hostname 1720-A
    !
    logging buffered 4096 debugging
    !
    memory-size iomem 20
    clock timezone EST -5
    clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    ip subnet-zero
    !
    !
    no ip domain-lookup
    ip name-server 172.18.3.24
    ip dhcp excluded-address 172.20.3.1 172.20.3.20
    !
    ip dhcp pool dhcppool
     network 172.20.3.0 255.255.255.0
     default-router 172.20.3.1
     dns-server 172.18.3.24 172.18.3.26
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 29.92.14.73
    !
    !
    crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
    crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
    crypto mib ipsec flowmib history tunnel size 200
    crypto mib ipsec flowmib history failure size 200
    !
    crypto map VPNmap 10 ipsec-isakmp
     set peer 29.92.14.73
     set transform-set TOWN_HALL
     match address TOWN_HALL
    !
    !
    !
    !
    interface Ethernet0
     ip address 207.147.31.97 255.255.255.252
     ip access-group PERIMETER in
     ip nat outside
     half-duplex
     crypto map VPNmap
    !
    interface FastEthernet0
     description LAN
     ip address 172.20.3.1 255.255.255.0
     ip nat inside
     speed auto
    !
    interface Serial0
     no ip address
     shutdown
    !
    ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 207.147.31.98
    no ip http server
    ip pim bidir-enable
    !
    !
    ip access-list extended NAT_ADDRESSES
     deny   ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
     permit ip 172.20.3.0 0.0.0.255 any
    ip access-list extended PERIMETER
     permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
     permit esp host 29.92.14.73 host 207.147.31.97
     permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
     permit icmp any any unreachable
     permit icmp any any echo-reply
     permit tcp any host 207.147.31.97 eq telnet
     permit tcp any host 192.168.20.1 eq telnet
     permit tcp any eq www any
     permit tcp any eq 443 any
     permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp
     permit esp host 173.13.116.209 host 207.147.31.97
     permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
     deny   ip any any
    ip access-list extended TOWN_HALL
     permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
    !
    alias exec sr show run
    alias exec s sh ip int br
    alias exec srt show ip route
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     exec-timeout 60 0
     logging synchronous
     login local
     transport input telnet
    !
    no scheduler allocate
    ntp clock-period 17180009
    end

    1720-B

    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    !
    hostname 1720-B
    !
    logging buffered 4096 debugging
    no logging console
    logging rate-limit console 10 except errors
    !
    memory-size iomem 25
    clock timezone ET -5
    clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    ip subnet-zero
    no ip finger
    no ip domain-lookup
    ip name-server 172.18.3.24
    ip dhcp excluded-address 172.22.3.1 172.22.3.20
    !
    ip dhcp pool dhcppool
     network 172.22.3.0 255.255.255.0
     default-router 172.22.3.1
     dns-server 172.18.3.24 172.18.3.26
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 29.92.14.73
    !
    !
    crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
    !
    crypto map VPNmap 10 ipsec-isakmp
     set peer 29.92.14.73
     set transform-set TOWN_HALL
     match address TOWN_HALL
    !
    !
    !
    !
    interface Ethernet0
     ip address 202.13.116.209 255.255.255.252
     ip access-group PERIMETER in
     ip nat outside
     half-duplex
     crypto map VPNmap
    !
    interface FastEthernet0
     description LAN
     ip address 172.22.3.1 255.255.255.0
     ip nat inside
     speed auto
    !
    ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
    ip kerberos source-interface any
    ip classless
    ip route 0.0.0.0 0.0.0.0 202.13.116.210
    no ip http server
    !
    !
    ip access-list extended NAT_ADDRESSES
     deny   ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
     deny   ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.22.3.0 0.0.0.255 any
    ip access-list extended PERIMETER
     permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
     permit esp host 29.92.14.73 host 202.13.116.209
     permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
     permit icmp any any unreachable
     permit icmp any any echo-reply
     permit tcp any eq www any
     permit tcp any eq 443 any
     permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
     deny   ip any any
    ip access-list extended TOWN_HALL
     permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
     permit ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    alias exec sr show run
    alias exec s sh ip int br
    alias exec srt show ip route
    alias exec sri sh run | i
    alias exec srb sh run | b
    !
    line con 0
     logging synchronous
     transport input none
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
    !
    no scheduler allocate
    ntp clock-period 17180266
    end

    Make sure you have the following transform set in use across the tunnel:
    crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac

    The tunnel seems to be failing in the phase 2 negotiation because of a mismatch, but going by the configuration it looks fine.

    Are you sure these debugs are not just part of the negotiation, with the tunnel eventually established?

    Check the state of the tunnel with the commands:
    sh cry isa sa
    sh cry ips sa
    Try to bring the tunnel up again and let's see the results.

    Federico.
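    Federico's advice is to confirm that the same transform set is in use on both ends. As an added example that is not part of the thread, the Python check below pulls the crypto ACL and transform set behind one ASA crypto-map entry and the named IOS ACL and transform set on the router, normalizes netmask and wildcard notation, and reports whether the two access lists are mirror images and the transform sets match. The embedded configuration excerpts are taken from the ASA5510, 1720-A and 1720-B configs posted above with the syntax normalized; the flow_covered helper then shows that neither existing ACL covers 172.20.3.0/24 <-> 172.22.3.0/24, the traffic the question is about. It does not decide the design question in the post.

```python
import ipaddress
import re

# Excerpts of the ASA5510, 1720-A and 1720-B configurations posted above, syntax
# normalized; only the lines this check reads are kept.
ASA_CFG = """\
access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
crypto map vpnremote 20 set peer 202.13.116.209
crypto map vpnremote 20 set transform-set ESP-DES-MD5
crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
crypto map vpnremote 25 set peer 207.147.31.97
crypto map vpnremote 25 set transform-set ESP-DES-MD5
"""
R1720A_CFG = """\
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
ip access-list extended TOWN_HALL
 permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
"""
R1720B_CFG = """\
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
ip access-list extended TOWN_HALL
 permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
 permit ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def _spec(tokens, i, wildcard):
    """Parse one address spec (any | host A | A MASK) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:  # IOS ACLs use inverse masks; flip the bits to get a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((t, mask), strict=False), i + 2


def _permit_ip(tokens, wildcard):
    src, i = _spec(tokens, 0, wildcard)
    dst, _ = _spec(tokens, i, wildcard)
    return src, dst


def parse_asa_acl(config, name):
    """(src, dst) networks for the 'permit ip' lines of an ASA extended ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (.+)$", re.M)
    return [_permit_ip(m.split(), False) for m in pat.findall(config)]


def parse_ios_acl(config, name):
    """(src, dst) networks for the 'permit ip' lines of an IOS named extended ACL."""
    out, inside = [], False
    for line in config.splitlines():
        if re.match(rf"^ip access-list extended {re.escape(name)}\s*$", line):
            inside = True
            continue
        if inside and not line.startswith(" "):
            inside = False            # next top-level command ends the ACL block
        m = re.match(r"^\s+permit ip (.+)$", line) if inside else None
        if m:
            out.append(_permit_ip(m.group(1).split(), True))
    return out


def transform_set(config, name):
    m = re.search(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", config, re.M)
    return tuple(sorted(m.group(1).split())) if m else None


def mirror_mismatch(local, remote):
    """Entries on each side whose (dst, src) mirror is absent on the other side."""
    l, r = set(local), set(remote)
    return ([e for e in local if (e[1], e[0]) not in r],
            [e for e in remote if (e[1], e[0]) not in l])


def flow_covered(acl, src, dst):
    """True if every packet src->dst falls inside one entry of the ACL."""
    src, dst = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def check_tunnel(asa_cfg, seq, ios_cfg, ios_acl, ios_ts):
    """Compare ASA crypto-map entry <seq> with the router's ACL and transform set."""
    acl_name = re.search(rf"^crypto map \S+ {seq} match address (\S+)$", asa_cfg, re.M).group(1)
    ts_name = re.search(rf"^crypto map \S+ {seq} set transform-set (\S+)$", asa_cfg, re.M).group(1)
    asa_side, ios_side = parse_asa_acl(asa_cfg, acl_name), parse_ios_acl(ios_cfg, ios_acl)
    missing_on_router, missing_on_asa = mirror_mismatch(asa_side, ios_side)
    return {
        "acl_mirrored": not missing_on_router and not missing_on_asa,
        "missing_on_router": missing_on_router,
        "missing_on_asa": missing_on_asa,
        "transform_match": transform_set(asa_cfg, ts_name) == transform_set(ios_cfg, ios_ts),
    }


if __name__ == "__main__":
    print("map 25 <-> 1720-A:", check_tunnel(ASA_CFG, 25, R1720A_CFG, "TOWN_HALL", "TOWN_HALL"))
    print("map 20 <-> 1720-B:", check_tunnel(ASA_CFG, 20, R1720B_CFG, "TOWN_HALL", "TOWN_HALL"))
    print("1720-A LAN -> 1720-B LAN covered by 1720-A TOWN_HALL:",
          flow_covered(parse_ios_acl(R1720A_CFG, "TOWN_HALL"), "172.20.3.0/24", "172.22.3.0/24"))
```

    Whichever design is chosen for the 1720-A to 1720-B traffic, each hop needs mirrored entries on both ends. Note also that on 1720-A the NAT_ADDRESSES list only exempts traffic to 172.18.3.0/24, so packets for 172.22.3.0/24 would be translated to the Ethernet0 address before the crypto map sees them unless a deny line is added, as 1720-B already does for 192.168.1.0/24.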

  • Several site-to-site VPNs on the same ASA

    I need to set up an IPsec tunnel to allow a vendor at a remote site to print to a printer on my network. I intend to use an ASA 5520 to do this. The architecture is fairly simple:

    [Remote]-[Remote FW]--[Local FW]-[Local routing]-[printer]

    The downside is that there will eventually be more than one vendor who needs to do this. Each will have a different destination, but it means there will be more than one VPN terminating on the ASA at my end. It seems that the ASA 5520 can support more than one site-to-site VPN, but do I need to assign a different IP address to the endpoint of each tunnel?

    I searched and did not find a design guide for site-to-many VPNs. If there is one, I'd appreciate a pointer.

    --

    Stephen

    You can have several site-to-site VPN tunnels. As a general rule, you would have one crypto map applied to the internet-facing interface. Each crypto map entry has a sequence number. You simply create all the necessary configuration (tunnel-group for the remote peer IP, ACL to define the interesting traffic, etc.) and increment the crypto map entry.

    Example:

    crypto map outside_map 1 match address s2s-VPN-1
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 1.2.3.4
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 ipsec-attributes
     ikev1 pre-shared-key SomeSecureKey$
    crypto map outside_map 2 match address s2s-VPN-2
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 4.5.6.7
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    tunnel-group 4.5.6.7 type ipsec-l2l
    tunnel-group 4.5.6.7 ipsec-attributes
     ikev1 pre-shared-key SomeSecureKey2$
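    The example above gives the per-entry lines, but as the answer says, the ACLs, the transform set and the interface binding have to exist as well. As an added example that is not part of the thread, this Python linter parses a set of ASA crypto-map lines and reports what a static entry is missing: an undefined match ACL or transform set, a peer without an ipsec-l2l tunnel-group or pre-shared key, two entries sharing one ACL, or a map never applied to an interface. ANSWER_EXAMPLE is the answer's configuration with one command per line; SUPPORTING_LINES are constructed, hypothetical lines (the ACL contents, 10.0.0.0/24 and so on, are invented) that complete it.

```python
import re
from collections import defaultdict

# The answer's example, one command per line (ASA 8.4+ 'ikev1 pre-shared-key' syntax).
ANSWER_EXAMPLE = """\
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set transform-set ESP-3DES-SHA
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$
"""

# Constructed, hypothetical lines the example leaves out (ACLs, transform set, interface binding).
SUPPORTING_LINES = """\
access-list s2s-VPN-1 extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list s2s-VPN-2 extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map interface outside
"""

RE_MAP = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs|ipsec-isakmp dynamic)\s*(.*)$")
RE_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
RE_TG_ATTR = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
RE_PSK = re.compile(r"^\s+(?:ikev1 )?pre-shared-key \S+$")   # 7.x and 8.4+ forms
RE_ACL = re.compile(r"^access-list (\S+) ")
RE_TS = re.compile(r"^crypto ipsec transform-set (\S+) ")


def lint_crypto_maps(config):
    """Return findings for the static crypto-map entries in an ASA config fragment."""
    entries = defaultdict(dict)      # (map name, seq) -> acl / peers / ts / dynamic
    applied, acls, tsets, tg_type, tg_psk = set(), set(), set(), {}, set()
    current_tg = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current_tg = None        # only indented lines belong to the tunnel-group above
        m = RE_MAP.match(line)
        if m:
            name, seq, kind, arg = m.groups()
            e = entries[(name, int(seq))]
            if kind == "match address":
                e["acl"] = arg
            elif kind == "set peer":
                e.setdefault("peers", []).extend(arg.split())
            elif kind == "set transform-set":
                e["ts"] = arg.split()
            elif kind == "ipsec-isakmp dynamic":
                e["dynamic"] = arg
            continue
        m = RE_MAP_IF.match(line)
        if m:
            applied.add(m.group(1))
            continue
        m = RE_TG_TYPE.match(line)
        if m:
            tg_type[m.group(1)] = m.group(2)
            continue
        m = RE_TG_ATTR.match(line)
        if m:
            current_tg = m.group(1)
            continue
        if current_tg and RE_PSK.match(line):
            tg_psk.add(current_tg)
            continue
        m = RE_ACL.match(line) or RE_TS.match(line)
        if m:
            (acls if line.startswith("access-list") else tsets).add(m.group(1))

    findings, by_acl = [], defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if "dynamic" in e:
            continue                 # dynamic entries serve unknown peers; nothing to pin down
        if "acl" not in e:
            findings.append(f"{tag}: no match address")
        else:
            by_acl[e["acl"]].append(tag)
            if e["acl"] not in acls:
                findings.append(f"{tag}: ACL {e['acl']} is not defined")
        if not e.get("peers"):
            findings.append(f"{tag}: no set peer")
        for peer in e.get("peers", []):
            if tg_type.get(peer) != "ipsec-l2l":
                findings.append(f"{tag}: peer {peer} has no ipsec-l2l tunnel-group")
            elif peer not in tg_psk:
                findings.append(f"{tag}: tunnel-group {peer} has no pre-shared-key")
        if "ts" not in e:
            findings.append(f"{tag}: no set transform-set")
        else:
            findings += [f"{tag}: transform-set {t} is not defined" for t in e["ts"] if t not in tsets]
    for acl, tags in by_acl.items():
        if len(tags) > 1:
            findings.append(f"ACL {acl} is used by more than one entry: {', '.join(tags)}")
    for name in sorted({n for n, _ in entries}):
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for f in lint_crypto_maps(ANSWER_EXAMPLE) or ["no findings"]:
        print(f)
    print("with supporting lines:", lint_crypto_maps(ANSWER_EXAMPLE + SUPPORTING_LINES) or "no findings")
```

    Run against the answer's lines alone it lists the two undefined ACLs, the undefined transform set and the unapplied map; with the supporting lines added it reports nothing. A peer address whose tunnel-group is missing or of the wrong type is the case that fails silently in practice, since IKE aborts at the pre-shared key lookup.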

Maybe you are looking for

  • How to remove BOOTCAMP?

    How can I remove from my MAC BOOTCAMP? Do I have to reform the disc?

  • Sony Walkman NW-A806

    ICH habe das Gerät loading, formatiert und nach download Sony training mit Musik BH. ICH nichts und hore injured nur: Bibliothek create! Was religious?

  • Vista Internet Security 2012 Trojan-how to get rid of him.

    Someone at - he had this stupid thing? How to get rid of him.  Ive tried system files, but it has already damaged a file.  I tried Windows defender, he got something on my side admin, but could not see it on my user. It seems that MS would get after

  • Uninstall Visual Studio community 2013

    I installed Visual Studio Express 2015 and want to uninstall Visual Studio 2013 community.  So far, I've succumbed with this uninstall. I tried this using the Control Panel / programs & features, right click on "Microsoft Visual Studio community 2013

  • Help of blackBerry Smartphones that I have unlocked my BB now problems

    I have unlocked my BB with a code that I got tmobile because im going overseas and now I can not lock my keyboard and also my battery is dying faster even if im not to use my phone at all... just need to know if that has something to do with the code