Site to site errors

Thanks for any help... Our internet connection has been moved to a new IP address by the provider and I can't seem to get our site-to-site VPN to come up.  I keep getting the following debug output on my ASA.

Mar 04 22:35:23 [IKEv1] IP = 207.177.XX, connection landed on tunnel_group 207.177.XX
Mar 04 22:35:23 [IKEv1] group = 207.177.XXX, IP = 207.177.XX, PHASE 1 COMPLETED
Mar 04 22:35:23 [IKEv1] group = 207.177.XX, IP = 207.177.XX, All IPSec SA proposals found unacceptable!
Mar 04 22:35:23 [IKEv1] group = 207.177.XX, IP = 207.177.XX, QM FSM error (P2 struct &0x00007fff2f5844c0, mess id 0xceaeff)!
Mar 04 22:35:23 [IKEv1] group = 207.177.XX, IP = 207.177.XX, Removing peer from correlator table failed, no match!
Mar 04 22:35:23 [IKEv1] group = 207.177.XX, IP = 207.177.XX, Session is being torn down. Reason: Phase 2
Mar 04 22:35:24 [IKEv1] IP = 207.177.XXX, Received encrypted packet with no matching SA, dropping

My relevant configs are below for my ASA and Cisco 891W.

ASA

----------------------------------------------------------------------

ASA Version 8.6(1)2

access-list outside_cryptomap extended permit ip 10.40.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list outside_cryptomap_2 extended permit ip any object XXX-range
nat (inside,outside) source static any any destination static obj-10.40.224.0 obj-10.40.224.0 route-lookup
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC2 NOC2
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC1 NOC1
route outside 0.0.0.0 0.0.0.0 71.6.XXX 1
route inside net_10_0_0_0-8 255.0.0.0 10.40.0.9 1
route inside 0.0.0.0 0.0.0.0 10.40.0.9 tunneled
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set esp-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set test esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set test mode transport
crypto ipsec ikev1 transform-set XXX esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set XXX mode transport
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 hollister
crypto map outside_map 5 match address outside_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 204.XXX
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 21
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

ROUTER

------------------------------------------------------------

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XX address 71.XX
!
!
crypto ipsec transform-set vpn_trans esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.XX
 set security-association lifetime seconds 43200
 set transform-set vpn_trans
 match address 101

interface GigabitEthernet0
 description $OUTSIDE$
 bandwidth 4000
 ip address 207.XXX 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_map

ip nat inside source list 102 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 207.XXX

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.112.10.0 0.0.0.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 deny ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 102 deny ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 102 deny ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 10.112.10.0 0.0.0.255 any

The debugging is not very useful, except that on the ASA I think the IP in the ID_IPV4_SUBNET ID message received initially is of the form 10.112.10.0/24, but a few lines further on in the phase 1/2 negotiation the ASA sees the ID_IPV4_SUBNET ID address as 10.0.0.0/8, which is not correct.

Also, in debugging on the ASA, traffic from the 10.112.10.0 network does not check the crypto map for ACL seq 1 or 5... I think that this traffic should be hitting seq 1.

Thank you!

Hello

Your router config seems functional but your ASA tunnel config nat-exemption is messed up and here is the fix.

Step 1:
object-group network My-router-lan
network-object 10.112.10.0 255.255.255.0

Step 2:
object-group network My-local-lan
network-object 10.11.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
network-object 10.50.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0

Step 3:
access-list outside_cryptomap_2 extended permit ip object-group My-local-lan object-group My-router-lan

Step 4:
no access-list outside_cryptomap_2 extended permit ip any object XXX-range

Step 5:
nat (inside,any) source static My-local-lan My-local-lan destination static My-router-lan My-router-lan

Step 6:

route outside 10.112.10.0 255.255.255.0 71.xxx.xxx.xxx.xxx

71.xxx.xxx.xxx.xxx = equal to the default route pointing to the address of the ISP on your ASA.

- - - - - - - - - - - - - - - - - - - - - - - - - -

If these NATs are associated with the tunnel going to the router, remove them as well.

nat (inside,outside) source static any any destination static obj-10.40.224.0 obj-10.40.224.0 route-lookup
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC2 NOC2
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC1 NOC1

- - - - - - - - - - - - - - - - - - - - - - - - - -

Let me know, if this can help.

Thank you

Rizwan James
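
The crypto ACL change in the reply above can be checked offline: each (local, remote) pair in one peer's crypto ACL has to appear reversed in the other peer's. The script below is an added example, not code from either poster; it compares the router's access-list 101 from the question with the ASA crypto ACL before and after steps 1-4. Assumptions: the ASA object-groups are expanded by hand into network/netmask entries, and the redacted object XXX-range is taken to be the router LAN 10.112.10.0/24.

```python
import ipaddress

# Router crypto ACL exactly as posted in the question (IOS wildcard masks).
ROUTER_ACL_101 = """\
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

# ASA crypto ACL before the change. ASSUMPTION: the redacted object XXX-range
# is replaced by the router LAN 10.112.10.0/24 (constructed for this example).
ASA_BEFORE = """\
access-list outside_cryptomap_2 extended permit ip any 10.112.10.0 255.255.255.0
"""

# ASA crypto ACL after steps 1-4, with My-local-lan and My-router-lan
# expanded by hand into plain entries (ASA uses subnet masks, not wildcards).
ASA_AFTER = """\
access-list outside_cryptomap_2 extended permit ip 10.11.0.0 255.255.0.0 10.112.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.40.0.0 255.255.0.0 10.112.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.50.0.0 255.255.0.0 10.112.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.112.10.0 255.255.255.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _network(addr, mask, wildcard):
    """Build a network from address + mask; invert the mask for IOS wildcards."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    # Raises ValueError for a non-contiguous mask or host bits set in addr.
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(bits)}")


def parse_crypto_acl(text, wildcard):
    """Return the set of (source, destination) networks from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        spec = tok[tok.index("permit") + 2:]  # skip 'permit' and the protocol
        nets = []
        while spec:
            if spec[0] == "any":
                nets.append(ANY)
                spec = spec[1:]
            elif spec[0] == "host":
                nets.append(ipaddress.ip_network(spec[1] + "/32"))
                spec = spec[2:]
            else:
                nets.append(_network(spec[0], spec[1], wildcard))
                spec = spec[2:]
        pairs.add((nets[0], nets[1]))
    return pairs


def proxy_id_mismatches(local_acl, peer_acl):
    """Compare local entries with the mirror image of the peer's entries.

    Returns (missing, extra): pairs the peer expects that are absent locally,
    and local pairs that have no mirrored counterpart on the peer.
    """
    expected = {(dst, src) for src, dst in peer_acl}
    return sorted(expected - local_acl), sorted(local_acl - expected)


def covered_entries(acl):
    """Entries whose source and destination both fall inside a broader entry."""
    return sorted({a for a in acl for b in acl
                   if a != b and a[0].subnet_of(b[0]) and a[1].subnet_of(b[1])})


if __name__ == "__main__":
    router = parse_crypto_acl(ROUTER_ACL_101, wildcard=True)
    for label, text in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        missing, extra = proxy_id_mismatches(parse_crypto_acl(text, False), router)
        print(f"{label}: {len(missing)} missing, {len(extra)} extra")
    print("router entries covered by a broader one:", covered_entries(router))
```
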

Tags: Cisco Security

Similar Questions

  • Tried the FAQ help still getting a runtime error, server with a Web site error

    I tried several times to go on texags.com forums that I have in the past, but get the following message.

    Server Error in '/' Application.
    Runtime Error
    Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

    Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

    <!-- Web.Config Configuration File -->
    
    <configuration>
        <system.web>
            <customErrors mode="Off"/>
        </system.web>
    </configuration>

    Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

    <!-- Web.Config Configuration File -->
    
    <configuration>
        <system.web>
            <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
        </system.web>
    </configuration>

    Other people on the forum are using Firefox without problems, and I did in the past. I'm moving to Chrome, but it is a huge block for me. I checked for updates and cleared the history and cache as suggested in the FAQ. Any advice?

    Thank you. I tried only the part about deleting my history. Supposedly, forgetting this site or adjusting my cookies solved the problem.

  • Firefox 35.0 is reporting SSLv3 security errors on sites not using SSLv3; when will you fix it

    I was in the middle of a transaction on chaseonline when Firefox kicked me out and showed a page about SSLv3 security issues. When I started this morning the version of Firefox was 34.0.5; after that the version of Firefox was 35.0. I ran the SSL site test and the site does not use the SSLv3 protocol; see the link below:

    https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.Chase.com

    I've been using version 34 and more for some time and did not have problems accessing chaseonline website, until the 35 version has been installed.

    I haven't restarted the browser since it happened, but my guess is that the problem will continue. When this will look?

    Thanks for the quick response.

    The site wasn't trying to redirect, I was typing in e-mail secure at the time.

    I tried several times to reconnect to my account and only got the generic page with the message about Firefox not being able to access the site safely due to problems with SSLv3. During this time I never got past this point trying to connect to the site.

    Meanwhile, I realize now that the browser was stuck between versions (34.0.5 and 35). Although I still don't know why 34.0.5 threw this error when I had used it for a long time, I was able to resolve the problem by closing and restarting my browser.

    In other words, I am now able to access the Chase site without errors.

    That is why I rarely, if ever, let software auto-magically update in the background. I'll be switching this off and installing the updates manually.

    Thanks for your comments and feedback!

    His

  • untrusted site error

    I got an error of untrusted site for a site, you do not have access to the, and I was literally thousands of times. However, the error won't be work around. How can I access this site I know is a valid website?

    OK, I certainly can reproduce this problem. My guess is that the site is currently implementing of measures against the recently published widespread vulnerability that allows the Web servers with a certain version of openssl running on them to be exploited (heartbleed.com) & is pass their certificate.

    An advanced security feature in Firefox is picking up this change, as the site does not seem to be fully updated for this new certificate. You can temporarily work around the problem:

    Enter about:config in the address bar of Firefox (confirm the info message in case it appears) and search for the preference named security.ssl.enable_ocsp_stapling. Double-click it and change its value to false.

    However, it is important that after some time when the problem is solved by the site (maybe try again in 24 hours), you go back and turn the setting to "true" again!

  • SIT - error 14104

    Hi all

    With Simulink Matlab r2008b, Win XP 32, Microsoft Visual C++ 2008 Express, LabVIEW 8.6 and SIT 5.0.1, when I try to run the SIT DLL generated on my PXI system, I get the following error (see attachment). My model works in the simulation environment. The DLL is located in the /ni-rt/system/ folder and seems properly named. Finally, my model is 182 KB, so it shouldn't be a memory problem. What's wrong?

    The sit_error.txt gives me the following error:

    "Log of error generated on 20-05-09 at 06:24
    14104 error occurred at TomModVue2_Driver.vi > NI_SIT_driversupportVIs.lvlibIT initialize Model.vi > NI_SIT_driversupportVIs.lvlibIT Init model DLL.vi

    This error code is not set. No one has provided a description for this code, or you could have wired a number which is not an admission of error code error code. »

    Of course, my model is named TomModVue2.dll.

    What's wrong?

    Thank you very much!

     

    Hi all

    I manage my errors with the following steps.

    First of all, I had proof that my dll has been altered through the following utility:

    http://digital.NI.com/public.nsf/allkb/0BF52E6FAC0BF9C286256EDB00015230?OpenDocument

    I realized I was missing something related to kernel32.dll.

    Instead of using the Visual Studio 2008 Express compiler, my favorite NI engineer suggested that I try VS2005 Express and the 2003 SDK, as explained in this article:

    http://digital.NI.com/public.nsf/allkb/AAD15283A1F051A1862574F000744DBD?OpenDocument

    I downloaded the VS2005 from Softpedia, because haven't found on the Microsoft Web site. The SDK 2003 (standalone) is always available on the MS website:

    http://www.Microsoft.com/downloads/details.aspx?FamilyId=484269E2-3B89-47E3-8EB7-1F2BE6D7123A&displa...

    So. Basically, that's all. I followed the instructions on the KB, and it worked!

  • Can't access a site error: HTTP 400 Bad request.

    Original title: problem getting on a Web site

    HTTP 400 Bad request returns constantly to a site Web im trying access to the

    Hello
    Normally, this is a Web site log in the error message.
    Is it necessary that you connect to the site in question?
    Exactly when this started happening?
    I suggest you contact the Web site "webmaster to ensure that your account is to this day.
    http://support.Microsoft.com/kb/826437
    hope this helps,
    B Eddie

  • SIT error 14104, dll runs on the host, but not on the target

    Hello

    I have problems of deployment dll (compiled in 2007 with Microsoft Visual C++ .NET 2003) Simulink in LabVIEW (2009 SP1). My target system is a desktop PC with LabVIEW Real-time 9.0 installed.

    I created a simple Simulink model which multiplies an input by a Gain and returns the result. I compiled it using nidll.tlc as the system target file.

    Then, I created a LabVIEW RT application that uses this DLL. I created exactly the same application as the host VI and VI target. On the host VI everything works fine. On the target VI, I get error SIT 14104.

    What I did to solve this problem? I followed the steps on http://digital.ni.com/public.nsf/allkb/C7FF960E0A6C219A8625729600104615 . I have manually deployed the dll on the target computer. I used the suggested compiler. There is a lot of memory on the computer (RAM and HDD) target. And I'm not using a CRio system.

    Does anyone have an idea how to fix this error? I will attach the sample project labview and the MDL and DLL to this post. Don't forget to adapt the DLL-path if you test the program.

    Kind regards

    Thomas

    Well I found a solution.

    I had to deploy the DLL manually on the target, but not in ftp://IP_Address/ni-rt/system/ as the link above says, but rather in ftp://IP_Address/ .

    Problem solved.

    Kind regards

    Thomas

  • Access to the Microsoft Update Web site [error number: 0x8024400A]

    When I try to update by using the Update Web site I get the message [error number: 0x8024400A].  I need to upgrade to SP3, but I can't access the Web site to do this.  Any help would be appreciated.

    Try to download the SP directly from here.

    http://www.Microsoft.com/en-US/Download/details.aspx?ID=24

    I hope this helps.

  • Restore Web site error

    How can I fix this error that appears when I connect to my home page?

    Hi anne brew.

    1. When was the last time it was working fine?

    2. What browser do you use on the computer?

    3. Do you have security software installed on the computer?

    4. Did you make any recent changes on the computer?

    5. What website have you set as your homepage?

    Try the following steps if you are using Internet Explorer as your web browser.

    Method 1

    Check whether add-ons installed in Internet Explorer are the origin of the problem. I suggest that you try to open Internet Explorer without add-ons and check if the problem persists.

    (a) click the Start button, click all programs, and click Accessories

    (b) click System Tools, click Internet Explorer (No Add-ons).

    How the modules of the browser affect my computer?

    http://Windows.Microsoft.com/en-us/Windows7/how-do-browser-add-ons-affect-my-computer

    Method 2

    If the previous step fails, then try to reset the Internet Explorer settings to default and check.

    For more information, see the link below.

    How to reset Internet Explorer settings

    http://support.Microsoft.com/kb/923737

    Important: Resetting Internet Explorer restores its default configuration. This step will also disable any add-ons, plug-ins or toolbars that are installed. Although this solution is fast, it also means that, if you want to use one of these add-ons in the future, it must be reinstalled.

  • KB3067505 download Microsoft site error 8DDD0010

    The website has encountered a problem
    [Error number: 8DDD0010]
    There is a problem with the page you are looking for, and it cannot be displayed.
    Please, try the following:

    Contact the Web site administrator and inform them that this error has occurred for this Web page address.

    Now the 8DDD0010 error has changed to error 800A 0046:

    The website has encountered a problem
    [Error number: 800A 0046]
    The website has encountered a problem and cannot display the page you are trying to view. The options provided below may help you solve the problem.
    For self-help options:

    Hello

    Thanks for posting your query to the Microsoft forum. I will definitely help you with this.

    I see that it is an update of security for Windows Server 2003. Let me ask you;

    1. Are you facing problems in updating Windows server?
    2. Your computer is connected to a domain network?

    If your question relates to the domain or Server Windows, please post your question in the TechNet forums.

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking&filter=AllTypes&sort=lastpostdesc

    I hope this helps.

    ___________________

    Thank you & best regards,

    Isha Soni

  • The blackBerry Smartphones Web site error

    A site that I used to be able to now gives me the following error...

    An error has occurred!

    Sorry, this section is not available for users wireless right now.

     

    So, just curious as to why.

    Thank you.

    Try to clear the cache first (in the browser itself > press the Blackberry, aka the Menu button > select Options > Cache operations > clear all here and BACKSPACE.) When his memory of cleaning done, Soft Reset your Blackberry (traction 30 seconds with Blackberry battery on) and then test after its finished reboot.

  • home network used acess let sites error has expired

    whenever we try to put on www.zionsbank.com it says connection has expired and it has been for the last two weeks, so we called the Bank and they said that their routers worked very well and everyone could get on their site, so we called comcast and they said they couldn't find any problem that does not work on any computer on our network I have tried to run windows diagnostics and it did not help and turned off firewall and reset the router we know all the other things that might solve my problem

    Hello

    To provide the proper resolution, I would need more information on your side.

    1. do you have a wired network connection or wireless network connection?

    2. what web browser do you use?

    Internet Explorer imposes a time-out for the server limit return data. When the server is having a problem, Internet Explorer waits forever for the server return data.

    If you use Internet Explorer, you can try the procedure described in the article and check if it helps.

    Internet Explorer error "connection timed out" when server does not
    http://support.Microsoft.com/kb/181050

    Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click on the number below to view the article in the Microsoft Knowledge Base:

    http://Windows.Microsoft.com/en-us/Windows7/back-up-the-registry

    Hope this information helps. Answer the post with an up-to-date issue report to help you further.

  • Site error stock 400? The site is down?

    While browsing the site of stock, an error page displays the following message:

    ERROR 400

    [+] Your requested action could not be completed, sorry.

    [+] Visit our home page and try again.

    The site is down?

    Hi Lesley,

    Please clear your history and cookies and restart your browser. This will solve your problem. Please let us know if you need assistance.

    EBQ

  • Connection to the site error

    Im trying to add a site, but im getting this error:

    "To connect to the site target for setting up replication." failed for the entity with the following error message.

    Unable to connect to the specified site. The site is perhaps not available on the network or a network problem may exist. Check your connection details and try again.

    VRS and Mrs. can see between them.

    There are a few points:

    -The target site uses port 81 (Im specify it)

    -I already have a VRS/SRM connected to another site; I added another

    Everything seems to be fine with the connection. Any ideas?

    Hello

    What VR version do you use? There have been corrections to the support of the custom port for the proxy reverse vCenter.

    In addition, if you use VR < 5.8, which UI are you using to configure the VR pairing? The C#-based one or the one in the

    Details for the failure will be probably available ball VRMS at the source site (/ opt/vmware/hms/logs/hms.log) or vsphere client - virgo.log (If pairing is done via the WebClient service) to vCenter machine.

    Kind regards

    Martin

  • How to remove "some files on the server may be missing or incorrect." Muse Web site error?

    I created a separate page out of php, one for the Office site for the mobile version of the Web site.

    There is No error message when you use the desktop version of the Web site (SESSION TIMES) However, there loading the mobile version (SESSION TIME)

    responded here

    How can I fix error of muse "some files on the server may be missing or incorrect."?
