SH crypto isakmp sa is empty

I am trying to configure IPsec. I followed a tutorial from Cisco and configured two routers:

(192.168.1.1)loopback-ROUTERA-f0/0(80.80.80.1)---(80.80.80.2)f0/0-ROUTERB-loopback(192.168.2.1)

I can ping from one router to the other,

but when I enter the command show crypto isakmp sa I only get this:

R2#show crypto isakmp sa

dst             src             state          conn-id slot status

Here is my config:

-------------------------------------------------

RouterA

-------------------------------------------------

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 80.80.80.2
!
!
crypto ipsec transform-set AES_SHA ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MAPLAN 10 ipsec-isakmp
 set peer 80.80.80.2
 set security-association lifetime seconds 900
 set transform-set AES_SHA
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 80.80.80.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAPLAN
!
no ip http server
no ip http secure-server
!
ip classless
ip route 192.168.2.0 255.255.255.0 80.80.80.2
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!

------------------------------------------------------------------------

RouterB

------------------------------------------------------------------------

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 80.80.80.1
!
!
crypto ipsec transform-set AES_SHA ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MAPLAN 10 ipsec-isakmp
 set peer 80.80.80.1
 set security-association lifetime seconds 900
 set transform-set AES_SHA
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 80.80.80.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MAPLAN
!
no ip http server
no ip http secure-server
!
ip classless
ip route 192.168.1.0 255.255.255.0 80.80.80.1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

Kind regards.

Hello

You are missing the "hash" under each crypto isakmp policy configuration.

For example:

"hash sha"

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 hash sha
 group 5
 lifetime 3600

-Jouni
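Whatever the root cause turns out to be, the first thing worth checking on a site-to-site pair like this is whether the two configurations actually mirror each other: same Phase 1 attributes (with nothing left to a platform default on one side only), matching pre-shared keys, peers pointing at each other's real addresses, an identical transform set and mirror-image crypto ACLs. The script below is an added example written for this thread, not Cisco's code or anything the poster ran; it embeds constructed copies of the RouterA/RouterB crypto lines from above, parses them with a minimal IOS-config reader and reports every discrepancy it can find. On the posted configs its only findings are that `hash` is left implicit on both sides.

```python
import re
from collections import defaultdict

# Constructed copy of the crypto-relevant lines of the RouterA config posted above.
ROUTER_A = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 80.80.80.2
crypto ipsec transform-set AES_SHA ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MAPLAN 10 ipsec-isakmp
 set peer 80.80.80.2
 set transform-set AES_SHA
 match address 101
interface FastEthernet0/0
 ip address 80.80.80.1 255.255.255.0
 crypto map MAPLAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# RouterB is the exact mirror image: swap the WAN addresses and the ACL direction.
ROUTER_B = (ROUTER_A.replace("80.80.80.2", "PEER").replace("80.80.80.1", "80.80.80.2")
            .replace("PEER", "80.80.80.1")
            .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))

POLICY_ATTRS = ("encr", "hash", "authentication", "group", "lifetime")


def parse_config(text):
    """Pull the pieces an IKEv1/IPsec peer check needs out of an IOS running-config."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "map_entries": [],
           "acls": defaultdict(list), "local_ips": set()}
    block = None  # the policy / crypto-map entry / interface currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # a top-level command ends any sub-mode
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                block = cfg["policies"].setdefault(m.group(1), {"kind": "policy"})
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg["keys"][m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                cfg["transform_sets"][m.group(1)] = tuple(m.group(2).split())
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                block = {"kind": "map", "map": m.group(1), "seq": m.group(2)}
                cfg["map_entries"].append(block)
            elif re.match(r"interface \S+", line):
                block = {"kind": "interface"}
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                cfg["acls"][m.group(1)].append(m.group(2, 3, 4, 5))
        elif block and block["kind"] == "policy":
            if (m := re.match(r"(\S+) (.+)$", line)) and m.group(1) in POLICY_ATTRS:
                block[m.group(1)] = m.group(2)
        elif block and block["kind"] == "map":
            if m := re.match(r"set peer (\S+)", line):
                block["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                block["transform_set"] = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                block["acl"] = m.group(1)
        elif block and block["kind"] == "interface":
            if m := re.match(r"ip address (\S+) \S+", line):
                cfg["local_ips"].add(m.group(1))
    return cfg


def _one_way(a, b, a_name, b_name):
    """Findings for the direction A -> B: implicit policy attributes, peer, key, transform set, ACL."""
    f = []
    for seq, attrs in a["policies"].items():
        for attr in POLICY_ATTRS:
            if attr not in attrs:
                f.append(f"{a_name}: isakmp policy {seq} leaves '{attr}' implicit; set it explicitly so both ends agree")
    back = next((e for e in b["map_entries"] if e.get("peer") in a["local_ips"]), None)
    for e in a["map_entries"]:
        peer = e.get("peer")
        if peer not in b["local_ips"]:
            f.append(f"{a_name}: crypto map {e['map']} {e['seq']} points at {peer}, which is not an address on {b_name}")
            continue
        key_a = a["keys"].get(peer)
        key_b = next((k for ip, k in b["keys"].items() if ip in a["local_ips"]), None)
        if key_a is None or key_b is None:
            f.append(f"{a_name}<->{b_name}: pre-shared key not configured on both sides for this peer pair")
        elif key_a != key_b:
            f.append(f"{a_name}<->{b_name}: pre-shared key mismatch for peer {peer}")
        ts = a["transform_sets"].get(e.get("transform_set"))
        if ts is None or ts not in b["transform_sets"].values():
            f.append(f"{a_name}: transform-set {e.get('transform_set')} has no identical proposal on {b_name}")
        b_aces = b["acls"].get(back["acl"], []) if back and "acl" in back else []
        for src, swc, dst, dwc in a["acls"].get(e.get("acl"), []):
            if (dst, dwc, src, swc) not in b_aces:  # the far end must permit the reverse flow
                f.append(f"{a_name}: ACL {e.get('acl')} entry {src} {swc} -> {dst} {dwc} has no mirror-image entry on {b_name}")
    return f


def audit(a, b, a_name="A", b_name="B"):
    """Compare two parsed configs; an empty list means the crypto parameters mirror each other."""
    findings = _one_way(a, b, a_name, b_name) + _one_way(b, a, b_name, a_name)
    strip = lambda p: {k: v for k, v in p.items() if k in POLICY_ATTRS}
    if not any(strip(pa) == strip(pb) for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append(f"no isakmp policy on {a_name} matches any on {b_name} (encr/hash/auth/group/lifetime)")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(ROUTER_A), parse_config(ROUTER_B), "RouterA", "RouterB"):
        print(line)
```

Run `audit()` in both directions as shown; a mismatched key or a changed `encr` on one side is reported as a finding, and the check deliberately treats an attribute that one side leaves to the platform default as something to flag rather than something to assume.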

Tags: Cisco Security

Similar Questions

  • Debug Crypto ISAKMP

    Hello

    I've been trying to set up a VPN, and when I ran this command earlier I received a lot of output and everything seemed OK.

    I could also see dst, src, etc. when I ran show crypto isakmp sa.

    All of a sudden I have nothing now, even when I run the debug above. The show crypto isakmp sa command is now empty too, see below.

    show crypto isakmp sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id slot status

    Does this suggest that the problem is with the remote end? Would I still get output from debug crypto isakmp if the remote end is down?

    Just puzzled as to why the output has disappeared so 'quietly'.

    Thank you

    Hello

    There could be several reasons for this:

    --> The interesting traffic from the remote or local end has been interrupted for some reason.

    --> Since the ASA was showing debugs earlier, it may be that the packets are not reaching the ASA now, which in turn means they do not hit the crypto ACL (interesting traffic) and so do not trigger the crypto tunnel and the debugs.

    --> There could be configuration changes on the remote-end ASA because of which the tunnel is not triggered.

    The best way to solve this is to follow the VPN traffic (the packet destined for the VPN tunnel) from its source to its destination.

    I recommend the following:

    • Take captures on the ASA while the traffic is running and see if it is hitting the crypto ACL. Check whether the ACL has hit counts for it.

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080a9edd6.shtml

    • Run "debug crypto isakmp 127" and see if the tunnel is triggered and debugs are generated.
    • If not, run packet-tracer and see if the VPN traffic passes all the checks and is allowed into the VPN.
    • If the traffic is allowed in the VPN phase of packet-tracer and you still do not see it passing through the VPN, there is a possibility that it is going into a different tunnel by hitting an overlapping crypto ACL (if any) on the same source ASA.
    • If the packet is not seen hitting the firewall in the above capture, then it is certainly not reaching the ASA and you will need to check the internal routing.
    • You can also check the syslogs on the local ASA for drops of the VPN-destined traffic by any firewall function.

    To answer your question: if the remote end has been down you would still see debugs, as long as a host on the local side initiates traffic towards the VPN. If the VPN traffic is initiated from behind the remote ASA and that end is down, then you would not see any debugs on the local ASA.

    Let me know once you have narrowed it down further so that we can move forward, and I will be in a better position to suggest the next course of action.

    Hope this has been informative.

    Kind regards

    Nick

    P.S. Please mark this post as solved if the information above has helped you identify the problem, or at least helped you move forward in resolving the issue, so that other users benefit too.

  • show crypto isakmp/ipsec sa shows nothing

    Dear all,

    I have configured an IPsec VPN on my C2811 router, but "show crypto isakmp/ipsec sa" shows nothing.

    The remote endpoint is an ASA5520. Does this indicate that the remote ASA5520 is not yet configured?

    Here is my configuration of the router:

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key address 202.70.53.xx
    !
    !
    crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
    !
    crypto map cisco 1 ipsec-isakmp
     set peer 202.70.53.xx
     set transform-set ipsec
     match address vpn
    !
    !
    !
    !
    interface FastEthernet0/0
     description WAN
     ip address 202.55.8.zzz 255.255.255.252 secondary
     ip address 202.55.8.yy 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed 100
     crypto map cisco

    elboukri#show crypto isakmp sa

    dst             src             state          conn-id slot status

    elboukri#show crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: cisco, local addr 202.55.8.yy

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.17.91.190/255.255.255.255/0/0)
       current_peer 202.70.53.xx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 202.55.8.yy, remote crypto endpt.: 202.70.53.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    Ping to the peer is normal:

    elboukri#ping 202.70.53.xx source 202.55.8.yy

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.70.53.1, timeout is 2 seconds:
    Packet sent with a source address of 202.55.8.yy
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms

    Extended IP access list tar
        10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
        20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
    Extended IP access list vpn
        10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190

    Lai

    The fact that there are no matches in the vpn access list seems to mean that there has not been any traffic from your end (192.168.13.0/24) that would go through the VPN. If there has not been any traffic that matches the access list, then there is nothing to trigger the ISAKMP negotiation or the IPsec negotiation. And that is probably why your original show commands had empty results.

    Can you arrange for someone in 192.168.13.0 to send traffic to 10.17.91.190? That should initiate the ISAKMP negotiation.

    HTH

    Rick
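Rick's point, and Nick's first bullet in the previous question, both reduce to one test: does a packet's source/destination pair match a `permit` entry of the crypto ACL? A ping sourced from the router's own WAN address never does, which is why the peer answers ICMP while the SA table stays empty. The following is an added example, not anything from the thread or from Cisco; it reproduces IOS wildcard-mask matching over constructed copies of the two access lists shown above (`tar` and `vpn`) so that a candidate flow can be checked offline. The 203.0.113.10 source address stands in for the router's WAN address, whose real value the post redacts.

```python
import ipaddress

# Constructed copies of the two access lists shown in the post (the NAT list 'tar' and
# the crypto ACL 'vpn'), in "show ip access-lists" form. Hit counts are ignored.
NAT_ACL_TEXT = """
10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
"""
VPN_ACL_TEXT = """
10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190
"""


def _wild_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _operand(toks, i):
    """Consume one address operand at toks[i]; return ((base, wildcard), next_index)."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <dst> [...]' entries into tuples."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[1] not in ("permit", "deny") or toks[2] != "ip":
            continue
        src, i = _operand(toks, 3)
        dst, _ = _operand(toks, i)
        entries.append((int(toks[0]), toks[1], src, dst))
    return entries


def first_match(entries, src_ip, dst_ip):
    """First entry the flow hits, as (seq, action); None means the implicit deny."""
    for seq, action, (sb, sw), (db, dw) in entries:
        if _wild_match(src_ip, sb, sw) and _wild_match(dst_ip, db, dw):
            return seq, action
    return None


def is_interesting(crypto_acl, src_ip, dst_ip):
    """True when the flow would trigger ISAKMP, i.e. it hits a permit in the crypto ACL."""
    hit = first_match(crypto_acl, src_ip, dst_ip)
    return hit is not None and hit[1] == "permit"


NAT_ACL = parse_acl(NAT_ACL_TEXT)
VPN_ACL = parse_acl(VPN_ACL_TEXT)

if __name__ == "__main__":
    for src, dst in (("192.168.13.5", "10.17.91.190"),   # LAN host to the far-end host
                     ("192.168.13.5", "8.8.8.8"),        # LAN host to the Internet
                     ("203.0.113.10", "10.17.91.190")):  # router's WAN address (constructed)
        print(f"{src} -> {dst}: interesting={is_interesting(VPN_ACL, src, dst)}, "
              f"nat-list hit={first_match(NAT_ACL, src, dst)}")
```

The `tar` list shows the complementary side of the same logic: the `deny` at sequence 10 exempts VPN-bound traffic from NAT, so its 0 hits and the 1356 hits on sequence 20 say that only Internet-bound traffic has been flowing. A useful habit is to feed the exact source/destination a user reports into `first_match` against both lists before touching the crypto configuration.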

  • Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN

    Hi all

    I was looking around and I can't find the command 'crypto isakmp policy' on this Cisco 1941 router. I wanted to set up just a regular LAN-to-LAN IPsec tunnel and, surprise, the command isn't there. Do I have the wrong IOS? I thought a K9 image would do the trick.

    Any suggestions are appreciated

    This is what I get:

    Router(config)#crypto ?
      ca   Certification authority
      key  Long term key operations
      pki  Public Key components

    show version

    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 10-Mar-10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

    Router uptime is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thu Apr 21 2011
    System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M2.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
    Processor board ID FTX142281F4
    2 Gigabit Ethernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    254464K bytes of ATA System CompactFlash 0 (Read/Write)

    License Info:

    License UDI:

    -------------------------------------------------
    Device#   PID                   SN
    -------------------------------------------------
    *0        CISCO1941/K9          FTX142281F4

    Technology Package License Information for Module:'c1900'

    -----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Configuration register is 0x2102

    You need to get the security feature license to configure IPsec VPN.

    Currently, you have 'None' for the security feature:

    -----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Here is the information about the licenses on the 1900 series routers:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • "no nat-traversal crypto isakmp" after restart

    Hello

    With ASA software version 8.0, we noticed that whenever we restart the device, the configuration line:

    no crypto isakmp nat-traversal

    appears in the configuration.

    It is very annoying, because NAT-T then obviously does not work.

    Any of you noticed that too?

    Ideas?

    Thank you very much.

    Marco Pizzi.

    Hi Marco,

    This is a bug in the ASA 8.x software and there are workarounds:

    Bug details CSCsj52581

    Inconsistent "no crypto isakmp nat-traversal" configuration after reboot

    Symptom:

    After a reboot of the ASA, the global command "no crypto isakmp nat-traversal" appears in the running-config even though it is not present in the startup-config.

    Conditions:

    None

    Steps to reproduce:

    BSNs-ASA5505-1(config)# crypto isakmp nat-traversal
    BSNs-ASA5505-1(config)# copy run start
    BSNs-ASA5505-1(config)# sh run all | inc nat
    crypto isakmp nat-traversal 20
    BSNs-ASA5505-1(config)# sh start | inc nat
    BSNs-ASA5505-1(config)#

    After reload of the ASA:

    BSNs-asa5505-1# sh run all | inc nat
    no crypto isakmp nat-traversal
    BSNs-asa5505-1# sh start | inc nat
    BSNs-asa5505-1#

    Workaround:

    (1) Use a non-default value, for example "crypto isakmp nat-traversal 21".

    (2) Re-enable "crypto isakmp nat-traversal" after the reboot of the ASA if you want to keep the default value. The default value is: crypto isakmp nat-traversal 20

    Radim

  • No crypto isakmp ccm

    Can someone tell me, or point me in the right direction to find out, what the command "crypto isakmp ccm" is or was about?

    I need to explain it to a customer, and I can't find any information on it. I checked every 12.x command reference and didn't find a thing.

    I have seen many example configs with "no crypto isakmp ccm", but nowhere can I find an explanation of it.

    Regards

    Ariel,

    CCM stands for the CCM Protocol (CCMP).

    The line 'no crypto isakmp ccm' is nothing to fear, because it is just letting you know that you have not implemented the optional CCM Protocol (CCMP).

    CCMP is a data security protocol that handles packet authentication and encryption. For privacy, CCMP uses AES in counter mode. For authentication and integrity, CCMP uses the Cipher Block Chaining Message Authentication Code (CBC-MAC). In the IEEE 802.11i standard, CCMP uses a 128-bit key. The block size is 128 bits. The CBC-MAC size is 8 bytes and the nonce size is 48 bits. There are two bytes of IEEE 802.11 overhead. The CBC-MAC, the nonce and the IEEE 802.11 overhead make the CCMP packet only 16 bytes larger than an unencrypted IEEE 802.11 packet. Although somewhat slower, the bigger packet is not a bad trade for the increased security.

    CCMP also protects some fields that are not encrypted. The additional parts of the IEEE 802.11 frame that get protected are known as additional authentication data (AAD). AAD includes the packet source and destination and protects against attackers replaying packets to different destinations.

    Let me know if it helps.

    Kind regards

    Arul

  • show crypto isakmp sa command shows 2 VPNs

    Hi all!

    Why does my router show me 2 VPNs? Is this normal?

    R1#show crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.10.0.5       10.10.0.2       QM_IDLE           1870 ACTIVE
    10.10.0.2       10.10.0.5       QM_IDLE           1871 ACTIVE

    For clarity, this shows that you have two IKE sessions.

    This situation can occur when:

    1) both sides start the IKE session at the same time;

    2) one side initiates a rekey of the IKE SA (every 24 hours by default).

    Most of the time it is not a problem.

    Check that your IPsec security associations are up and are not flapping.

    "show crypto session" is probably a good way to get visibility.

  • ASA 5505 - crypto isakmp nat-traversal is missing?

    I can't understand it. I have an ASA5505 at home that I use for VPN access. Sometimes when I connect I can't ping anything. I check the config and it shows:

    no crypto isakmp nat-traversal

    I have configured "crypto isakmp nat-traversal" so many times before, and somehow it still gets deleted. It seems to happen at random, as well as when the device is restarted. (Yes, the config has been saved.) I would say it is happening at least 2-3 times a week.

    Any ideas? I am running the 8.0.2 version code.

    This is a bug. Set the value to something other than the default of 20. This will fix the problem.

    crypto isakmp nat-traversal 21

  • show crypto isakmp - General Question

    Here are the ISAKMP policies on my firewall. How come when I add a new policy it does not show up? I have a policy 51 which does not appear.

    crypto isakmp policy 10
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    The number after the crypto map statement is simply the sequence number that distinguishes one crypto map entry from another; it is how you can have several tunnels associated with a single interface. It does not necessarily map to the isakmp policy (actually there is no relation at all).

    So basically what happens is that if you change the crypto map from 54 to 100, it will move down the list of existing tunnels and most likely you would just duplicate these entries.

  • invalid-spi-recovery crypto isakmp command worked well in the case of DMVPN

    Hello

    I did the setup for hub/spoke in the DMVPN case and it worked fine. But after reloading the hub I saw the error output below, even though I had added the command crypto isakmp invalid-spi-recovery on the hub and the spokes:

    *Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.3.1.3

    *Oct 7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.2.1.2

    Note: spoke1 IP address: 150.2.1.2 / spoke2 IP address: 150.3.1.3 / hub IP address: 150.1.1.1

    My temporary solution for this problem: I have to clear the stale SA manually, and then it works fine again.

    Does anyone have the same problem? Please let me know.

    Kind regards

    TRAN

    Hello

    There is a common misconception about what the crypto isakmp invalid-spi-recovery command does. Even without this command, IOS already performs a kind of invalid-SPI recovery by sending a DELETE notify for the received SA to the sending peer, if it already has an IKE SA with that peer. Once again, this happens regardless of whether crypto isakmp invalid-spi-recovery is enabled or not.

    With crypto isakmp invalid-spi-recovery, IOS tries to handle the condition where a router receives IPsec traffic with an invalid SPI and

    does not have an IKE SA with that peer. In this case, it will try to set up a new IKE session with the peer and then send a DELETE notify over the newly created IKE SA. However, this command does not work in all crypto configurations. The only configurations this command works with are instantiated crypto configurations, for example VTI, and static crypto maps with static peers, where the peer is defined explicitly. Here is a summary of commonly used crypto configurations and whether invalid-spi-recovery works with them or not:

    Crypto config                          Invalid-spi-recovery works?
    Static crypto map                      YES
    Dynamic crypto map                     NO
    P2P GRE with TP                        YES
    mGRE with TP, static NHRP mapping      YES
    mGRE with TP, dynamic NHRP mapping     NO
    VTI                                    YES
    EzVPN client                           N/A

    For your scenario, you can enable DPD (crypto isakmp keepalive) on the spokes to help the tunnel recovery.

    Thank you

    Wen

  • Can you have several strategies of crypto isakmp on a router?

    I have an 1841 router as the hub for several IPsec tunnels. I have a single ISAKMP policy that looks like this:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key * address x.x.x.x
    crypto isakmp key * address y.y.y.y
    crypto isakmp key * address z.z.z.z

    I want to start using AES as the ISAKMP encryption, but I can't be there to change the other ends of all the other tunnels. Can I create another crypto isakmp policy 2 and just put the pre-shared keys for the new connections under that one while I am migrating?

    Thank you

    Chris

    Chris

    You can have several isakmp policies on your router. The router will run through them in order until it finds a match. So you just need to add a new isakmp policy with a different sequence number, for example:

    crypto isakmp policy 2
     encr aes
     authentication pre-share
     group 2

    This will not affect your original isakmp policy.

    Not sure what you mean by putting the pre-shared key "under" the isakmp policy. The key is not tied to any particular isakmp policy; you can see that from the configuration you posted above.

    All you need to do to switch is to configure the new isakmp policy on your 1841 router and then move the remote ends as and when you can. Those you have changed will use AES; those you have not yet changed will continue to use 3DES.

    HTH

    Jon
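The order Jon mentions matters more than it first appears: a responder walks its own policies by sequence number and takes the first one the initiator's proposals satisfy, so a spoke that offers both 3DES and AES will end up on 3DES as long as the hub's policy 1 is the 3DES one. The script below is an added example, not Cisco's code or anything from this thread; it models that negotiation rule with the hub's policies represented as plain dicts (constructed from the question and Jon's reply) and shows which hub policy each kind of spoke would land on before and after renumbering. The lifetime handling follows the documented IOS rule that the initiator's lifetime must not exceed the responder's, with the shorter value being used.

```python
# Hub policies as dicts: policy 1 is the existing 3DES one, policy 2 is the AES policy
# Jon suggests adding. Constructed example data.
HUB = {
    1: {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 86400},
    2: {"encr": "aes", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 86400},
}
MUST_MATCH = ("encr", "hash", "auth", "group")


def negotiate(responder, proposals):
    """Responder-side IKEv1 policy selection.

    Walk the responder's own policies by priority (lowest sequence number first) and
    return (sequence, agreed attributes) for the first one that any initiator proposal
    satisfies, or None when nothing matches. encr/hash/auth/group must be identical;
    the initiator's lifetime may not exceed the responder's, and the shorter one wins.
    """
    for seq in sorted(responder):
        own = responder[seq]
        for prop in proposals:
            if all(own[k] == prop[k] for k in MUST_MATCH) and prop["lifetime"] <= own["lifetime"]:
                return seq, {**own, "lifetime": min(own["lifetime"], prop["lifetime"])}
    return None


def assign_peers(responder, peers):
    """Map each remote peer (name -> list of the policies it offers) to the hub sequence it lands on."""
    result = {}
    for name, proposals in peers.items():
        hit = negotiate(responder, proposals)
        result[name] = hit[0] if hit else None
    return result


# Spokes in the middle of the migration (constructed).
SPOKES = {
    "old-spoke": [HUB[1]],                   # not yet migrated: offers 3DES only
    "new-spoke": [HUB[2]],                   # migrated: offers AES only
    "dual-spoke": [HUB[2], HUB[1]],          # offers both, AES listed first on its side
    "odd-spoke": [{**HUB[2], "group": 5}],   # DH group mismatch: no hub policy matches
}

# Same policies, renumbered so the hub prefers AES whenever the spoke can do it.
HUB_AES_FIRST = {1: HUB[2], 5: HUB[1]}

if __name__ == "__main__":
    print("hub as posted:  ", assign_peers(HUB, SPOKES))
    print("AES first:      ", assign_peers(HUB_AES_FIRST, SPOKES))
```

The `dual-spoke` row is the one to watch: with the hub as posted it negotiates 3DES even though it could do AES, and only the renumbered hub moves it to AES. Giving the stronger policy the lower sequence number costs nothing for the not-yet-migrated spokes, which simply fall through to the 3DES policy.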

  • clear crypto isakmp: tunnel is not coming back up

    Hello all

    In the lab, I was testing IPsec between 2 routers.

    It was working fine.

    I ran the command

    clear crypto isakmp on one side and pinged the neighbour router, but the tunnel won't come up.

    I then ran the same command on the other side and pinged the neighbour router; still no tunnel shows here.

    On both sides, I see

    1811w#show crypto isakmp sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id status

    IPv6 Crypto ISAKMP SA

    But the IPsec phase shows active

    1811w#show crypto ipsec sa

    interface: FastEthernet0
        Crypto map tag: VPN_MAP, local addr 192.168.99.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
        #pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0

         local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x90EC4FE9(2431406057)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0xB5A39DEF(3047398895)
            transform: esp-des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 181, flow_id: Onboard VPN:181, sibling_flags 80000046, crypto map: VPN_MAP
            sa timing: remaining key lifetime (k/sec): (4429521/2247)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x90EC4FE9(2431406057)
            transform: esp-des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 182, flow_id: Onboard VPN:182, sibling_flags 80000046, crypto map: VPN_MAP
            sa timing: remaining key lifetime (k/sec): (4429521/2247)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    Can anyone please tell me what is happening? It seems phase 1 is down while IPsec is up?

    Thank you

    Mahesh

    In the IOS implementation of IKEv1, Phase I and Phase II can live and die separately.

    By issuing clear crypto isakmp, you tore down Phase I. Phase II will remain until it expires and will create a new Phase I when it has to rekey.

    show crypto session will show the session as UP-NO-IKE, which is a normal state.

    On the ASA, however, the implementation is slightly different because it uses CCM [Continuous Channel Mode]. In that case, if Phase I is deleted, we delete Phase II as well. [And vice versa: if the last P2 is deleted, we naturally remove the P1 as well.]

    I hope this answers your question.

    Merry Christmas.

    Olivier
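Olivier's explanation, together with the two-IKE-SA output from the earlier "shows 2 VPNs" question, can be turned into a small state check: read `show crypto isakmp sa` and `show crypto ipsec sa`, decide whether Phase 1 and Phase 2 are each up, and derive the same UP-ACTIVE / UP-NO-IKE / UP-IDLE / DOWN verdict that `show crypto session` would give. The script below is an added example written for this thread, not Cisco's code; the two sample outputs are constructed from the ones posted on this page, trimmed to the lines the parser uses. It also flags the duplicate IKE SA pair from the earlier question, the simultaneous-initiation or rekey case.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample outputs, modelled on the two show outputs posted in this thread.
ISAKMP_SA_OUTPUT = """
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.0.5       10.10.0.2       QM_IDLE           1870 ACTIVE
10.10.0.2       10.10.0.5       QM_IDLE           1871 ACTIVE
"""

IPSEC_SA_OUTPUT = """
interface: FastEthernet0
    Crypto map tag: VPN_MAP, local addr 192.168.99.1
    #pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
    #pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        transform: esp-des esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        transform: esp-des esp-sha-hmac ,
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 5:
            continue
        try:
            ipaddress.IPv4Address(toks[0]), ipaddress.IPv4Address(toks[1])
        except ValueError:
            continue
        rows.append({"dst": toks[0], "src": toks[1], "state": toks[2],
                     "conn_id": int(toks[3]), "status": toks[4]})
    return rows


def duplicate_ike_pairs(rows):
    """Peer pairs (unordered) that own more than one IKE SA, with the count."""
    pairs = Counter(frozenset((r["dst"], r["src"])) for r in rows)
    return {tuple(sorted(p)): n for p, n in pairs.items() if n > 1}


def parse_ipsec_sa(text):
    """Counters plus the inbound/outbound ESP SAs (spi, status) from 'show crypto ipsec sa'."""
    out = {"encaps": None, "decaps": None, "inbound_esp": [], "outbound_esp": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.search(r"#pkts encaps: (\d+)", s):
            out["encaps"] = int(m.group(1))
        elif m := re.search(r"#pkts decaps: (\d+)", s):
            out["decaps"] = int(m.group(1))
        elif s == "inbound esp sas:":
            section = "inbound_esp"
        elif s == "outbound esp sas:":
            section = "outbound_esp"
        elif s.endswith("sas:"):          # ah / pcp sections: not tracked here
            section = None
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s, re.I)):
            out[section].append({"spi": m.group(1), "status": None})
        elif section and out[section] and (m := re.match(r"Status: (\S+)", s)):
            out[section][-1]["status"] = m.group(1)
    return out


def session_state(ike_rows, ipsec):
    """Same verdict 'show crypto session' gives, derived from the two parsed outputs."""
    phase2_up = all(any(sa["status"] == "ACTIVE" for sa in ipsec[d])
                    for d in ("inbound_esp", "outbound_esp"))
    phase1_up = any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in ike_rows)
    if phase1_up and phase2_up:
        return "UP-ACTIVE"
    if phase2_up:
        return "UP-NO-IKE"      # IPsec SAs still alive after the IKE SA was cleared
    if phase1_up:
        return "UP-IDLE"        # IKE SA exists but no IPsec SAs (yet)
    if any(r["state"].startswith(("MM_", "AG_")) for r in ike_rows):
        return "DOWN-NEGOTIATING"
    return "DOWN"


if __name__ == "__main__":
    ike = parse_isakmp_sa(ISAKMP_SA_OUTPUT)
    ipsec = parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print("duplicate IKE SA pairs:", duplicate_ike_pairs(ike))
    print("state with IKE SAs present:", session_state(ike, ipsec))
    print("state after clear crypto isakmp:", session_state([], ipsec))
```

The second `print` line is Mahesh's situation: an empty ISAKMP table with both ESP SAs ACTIVE is UP-NO-IKE, not a broken tunnel, and the encaps/decaps counters still climbing confirms that traffic is flowing. A row stuck in an `MM_` state, by contrast, is the signature of a Phase 1 that is being attempted and failing, which is the case the other questions on this page are about.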

  • Debug crypto isakmp issue

    When you run debug crypto isakmp, is there a way to limit the output to only a specific piece of information? For example, I want to see only the debug information for the x.x.x.x IP address and nothing else. Is it possible to do that with the debug command?

    Thank you

    Hello

    On the router, you can use the command "debug crypto condition peer".

    Router# debug crypto condition peer ?
      group     Filter on IKE peer unity group name
      hostname  Filter on IKE peer FQDN hostname
      ipv4      Filter on IKE peer IP address
      subnet    Filter on IKE peer IP address range
      username  Filter on IKE peer FQDN username

    In your case, the ipv4 option will limit the debugs to one host.

    There is a similar command that was made available in 8.0(2) on the ASA.

    ASA# debug crypto condition peer ?
      Hostname or A.B.C.D      Peer address or hostname
      Hostname or X:X:X:X::X   Peer IPv6 address or hostname

    Let me know if it helps.

    Kind regards

    Loren

  • ASA 5520 L2L IKEv1: no crypto isakmp sa information

    Here is the config... and show isakmp sa

    ----------------------------------------------------------------------------------------

    Dathomir-ASA(config)# show isakmp sa

    There are no IKEv1 SAs

    There are no IKEv2 SAs
    Dathomir-ASA(config)#

    ----------------------------------------------------------------------------------------

    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source static inside inside destination static DAN DAN-NETWORK route-lookup
        translate_hits = 0, untranslate_hits = 0

    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface
        translate_hits = 661, untranslate_hits = 0
    Dathomir-ASA(config)#

    ----------------------------------------------------------------------------------------

    !
    hostname Dathomir-ASA
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     nameif inside
     security-level 100
     ip address 192.168.75.1 255.255.255.0
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name sw.demers.com
    object network DAN-PUB
     host 1.1.1.1
    object network NATE-INSIDE
     host 192.168.75.5
    object-group network inside
     network-object 192.168.75.0 255.255.255.0
    object-group network DAN
     network-object 192.168.75.0 255.255.255.0
    access-list INSIDE-IN extended permit ip any any log
    access-list INSIDE-IN extended deny ip any any log
    access-list OUTSIDE-IN extended permit ip object DAN-PUB host 192.168.75.5 log
    access-list VPN-DAN extended permit ip 192.168.75.0 255.255.255.0 192.168.200.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 10000
    logging console debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside inside destination static DAN DAN-NETWORK route-lookup
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group OUTSIDE-IN in interface outside
    access-group INSIDE-IN in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.75.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set TS_ESP_AES256_SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto map mymap 10 match address VPN-DAN
    crypto map mymap 10 set peer 2.2.2.2
    crypto map mymap 10 set ikev1 transform-set TS_ESP_AES256_SHA
    crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map mymap 10 set reverse-route
    crypto map mymap 20 match address VPN-DAN
    crypto map mymap 20 set peer 1.1.1.1
    crypto map mymap 20 set ikev1 transform-set TS_ESP_AES256_SHA
    crypto map mymap 20 set reverse-route
    crypto map mymap interface outside
    crypto ikev2 policy 5
     encryption aes
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    telnet timeout 5
    ssh 192.168.75.0 255.255.255.0 inside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 8.8.8.8 4.4.2.2
    dhcpd lease 3000
    !
    dhcpd address 192.168.75.5-192.168.75.5 inside
    dhcpd dns 8.8.8.8 4.4.2.2 interface inside
    dhcpd option 3 ip 192.168.75.1 interface inside
    dhcpd option 6 ip 8.8.8.8 4.4.2.2 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-DAN
    username nat password L3LhK0WEjivHU8Xd encrypted privilege 15
    tunnel-group 2.2.2.2 type ipsec-l2l
    2.2.2.2 tunnel-group ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the http
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    aes encryption password
    Cryptochecksum:5398307065bcf53ecaf5884259f1ea71
    : end

    -----------------------------------------------------------------------------------------------

    debug crypto ikev1 255

    RECV PACKET from 73.206.149.11
    ISAKMP Header
      Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
      Responder COOKIE: 00 00 00 00 00 00 00 00
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 172
    Security Association Payload
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 60
      DOI: IPsec
      Situation: (SIT_IDENTITY_ONLY)
    Proposal Payload
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
    Transform Payload
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Transform #: 1
      Transform-Id: KEY_IKE
      Reserved2: 0000
      Group Description: Group 5
      Encryption Algorithm: AES-CBC
      Key Length: 256
      Hash Algorithm: SHA1
      Authentication Method: Preshared key
      Life Type: seconds
      Life Duration (Hex): 00 01 51 80
    Vendor ID Payload
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (in Hex):
        90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
    Vendor ID Payload
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (in Hex):
        7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
    Vendor ID Payload
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (in Hex):
        4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
    Vendor ID Payload
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (in Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
    Aug 11 08:14:40 [IKEv1] IP = 73.206.149.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Aug 11 08:14:40 [IKEv1 DEBUG] IP = 73.206.149.11, processing SA payload
    Aug 11 08:14:40 [IKEv1] IP = 73.206.149.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100

    ISAKMP Header
      Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
      Responder COOKIE: 0d 4c df a2 6a 57 24
      Next Payload: Notification
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: 00000000
      Length: 100
    Aug 11 08:14:40 [IKEv1 DEBUG] IP = 73.206.149.11, All SA proposals found unacceptable
    Aug 11 08:14:40 [IKEv1] IP = 73.206.149.11, Error processing payload: Payload ID: 1
    Aug 11 08:14:40 [IKEv1 DEBUG] IP = 73.206.149.11, IKE MM Responder FSM error history (struct &0xcefbce48) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
    Aug 11 08:14:40 [IKEv1 DEBUG] IP = 73.206.149.11, IKE SA MM:a2df0c4d terminating: flags 0x01000002, refcnt 0, tuncnt 0
    Aug 11 08:14:40 [IKEv1 DEBUG] IP = 73.206.149.11, sending delete/delete with reason message

    Hello

    Your ikev1 policy is

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5

    And from the peer you received this

    Group Description: Group 5
    Encryption Algorithm: AES-CBC
    Key Length: 256
    Hash Algorithm: SHA1
    Authentication Method: Preshared key

    The peer's encryption algorithm is AES 256 and you have AES.

    HTH

    Averroès.
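
    The policy comparison Averroès is pointing at, modelled in Python as an added example (it is not part of this thread and not Cisco code). It reproduces the responder-side check behind "All SA proposals found unacceptable": the ASA walks its `crypto ikev1 policy` entries in priority order and picks the first whose encryption, key length, hash, authentication and DH group all equal the peer's Transform payload, and accepts the peer's lifetime only if it is not longer than the local one. The peer transform is transcribed from the debug above; `IsakmpPolicy`, `PeerTransform`, `match_proposal` and the `FIXED_POLICIES` list with an extra `aes-256` policy are this example's own names and assumptions. On the ASA, plain `encryption aes` means AES with a 128-bit key, which is why the single configured policy never matches.

```python
"""Model the ISAKMP (IKEv1 Main Mode) policy match an ASA responder performs.

Added example, not from the thread. The peer transform is transcribed from the
debug output; the policy list mirrors the poster's 'crypto ikev1 policy 10'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto ikev1 policy <priority>' block, using the ASA keywords."""
    priority: int
    encryption: str        # aes | aes-192 | aes-256 | 3des | des
    hash: str              # sha | md5
    authentication: str    # pre-share | rsa-sig
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds


@dataclass(frozen=True)
class PeerTransform:
    """Attributes decoded from the peer's ISAKMP Transform payload."""
    encryption_algorithm: str   # "AES-CBC" | "3DES-CBC" | "DES-CBC"
    key_length: Optional[int]   # present only for variable-length ciphers
    hash_algorithm: str         # "SHA1" | "MD5"
    authentication: str         # "Preshared key" | "RSA signatures"
    group: int
    life_seconds: int


def parse_life_hex(hex_bytes: str) -> int:
    """Convert the 'Life Duration (Hex): 00 01 51 80' field to seconds."""
    return int(hex_bytes.replace(" ", ""), 16)


def peer_encryption_keyword(t: PeerTransform) -> str:
    """Map the wire-level cipher plus key length onto the ASA policy keyword.
    Plain 'aes' on the ASA is AES-128; 192 and 256 must be stated explicitly."""
    if t.encryption_algorithm == "AES-CBC":
        return {128: "aes", 192: "aes-192", 256: "aes-256"}[t.key_length]
    if t.encryption_algorithm == "3DES-CBC":
        return "3des"
    if t.encryption_algorithm == "DES-CBC":
        return "des"
    raise ValueError(f"unsupported cipher {t.encryption_algorithm}")


HASH_KEYWORD = {"SHA1": "sha", "MD5": "md5"}
AUTH_KEYWORD = {"Preshared key": "pre-share", "RSA signatures": "rsa-sig"}


def match_proposal(
    t: PeerTransform, policies: List[IsakmpPolicy]
) -> Tuple[Optional[IsakmpPolicy], Dict[int, List[str]]]:
    """Return the first matching policy (or None) and, per policy priority,
    the attribute names that blocked a match, so the mismatch is visible."""
    mismatches: Dict[int, List[str]] = {}
    for pol in sorted(policies, key=lambda p: p.priority):
        bad = []
        if pol.encryption != peer_encryption_keyword(t):
            bad.append("encryption")
        if pol.hash != HASH_KEYWORD[t.hash_algorithm]:
            bad.append("hash")
        if pol.authentication != AUTH_KEYWORD[t.authentication]:
            bad.append("authentication")
        if pol.group != t.group:
            bad.append("group")
        if t.life_seconds > pol.lifetime:   # peer may offer a shorter life, not a longer one
            bad.append("lifetime")
        if not bad:
            return pol, mismatches
        mismatches[pol.priority] = bad
    return None, mismatches


# Transcribed from the Transform payload in the thread's debug output.
PEER_TRANSFORM = PeerTransform(
    encryption_algorithm="AES-CBC",
    key_length=256,
    hash_algorithm="SHA1",
    authentication="Preshared key",
    group=5,
    life_seconds=parse_life_hex("00 01 51 80"),  # 86400 seconds
)

# The poster's only policy: 'encryption aes' is AES-128 on the ASA.
CONFIGURED_POLICIES = [IsakmpPolicy(10, "aes", "sha", "pre-share", 5, 86400)]

# Assumed fix for illustration: an added policy that states AES-256 explicitly.
FIXED_POLICIES = CONFIGURED_POLICIES + [
    IsakmpPolicy(5, "aes-256", "sha", "pre-share", 5, 86400)
]

if __name__ == "__main__":
    for label, pols in (("as configured", CONFIGURED_POLICIES),
                        ("with aes-256 policy", FIXED_POLICIES)):
        chosen, why_not = match_proposal(PEER_TRANSFORM, pols)
        if chosen:
            print(f"{label}: policy {chosen.priority} accepted")
        else:
            print(f"{label}: all SA proposals unacceptable: {why_not}")
```

    Run as a script it reports that policy 10 fails on `encryption` only, which is the same conclusion as reading the debug by hand, and that the assumed `aes-256` policy is accepted; the per-attribute mismatch dictionary is what saves time when several policies are configured and the debug only says "unacceptable".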

  • Show crypto isakmp

    Hi all

    I have a PIX 515E, and when I do "show crypto isakmp sa" I get the output for my VPNs, but I found a connection for which there is no tunnel-group or crypto map created, and when I do "sh run" for 190.x.x.x I don't see that IP address anywhere in my setup.

    Any ideas?

    IKE Peer: 190.x.x.x
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE

    Thank you.

    It is of type "user", not L2L (LAN-to-LAN or site-to-site).

    A type "user" SA is someone coming in via remote-access VPN; it is not defined statically by peer in your configuration, but is rather a dynamic crypto map hit.

    Try checking "show vpn-sessiondb remote" for more details about who it is.
