Site to Site VPN configuration does not
Hello
I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.
My VPN configs on ASA1 and ASA2 are below:
ASA1
access-list outside_cryptomap_1 remark VPN traffic to encrypt
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.225.255.0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
ASA2
access-list outside_cryptomap_1 remark VPN traffic to encrypt
access-list outside_cryptomap_1 extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.225.255.0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
I can ping ASA2 from ASA1, but when I try to test the VPN by pinging from one PC to the other, I get nothing.
I tried a few show commands and they came back completely empty, as if I had configured nothing:
sh crypto isakmp sa detail
There are no IKEv1 SAs
There are no IKEv2 SAs
sh crypto ipsec sa
There are no ipsec sas
Anyone have any ideas?
Hi martin,
Your configs are quite right. I tried your script, it works really well. Here are the configs & outputs.
What I mentioned in the previous note follow this.
--------------------
ASA1
ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 11.11.11.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA1(config)#
---------------------
ASA2(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 12.12.12.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)#
-------------------------
OUTPUTS:
*********************
ASA1(config)# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 11.11.11.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
---------------------
ASA1(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 12.12.12.2
      access-list vpn permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      current_peer: 11.11.11.2
      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 12.12.12.2, remote crypto endpt.: 11.11.11.2
------------------------
ASA2(config)# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 12.12.12.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
------------------------
ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 11.11.11.2
      access-list vpn permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 12.12.12.2
      #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 49, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 11.11.11.2, remote crypto endpt.: 12.12.12.2
-------------------------
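An added example (not part of either post): a check that the crypto ACLs on two L2L peers are mirror images of each other and use contiguous masks, which is what the matching local/remote ident pairs in the output above rely on. The access-list lines are retyped from the posts as sample input; the function and constant names are this example's own.

```python
import re

# Sample input retyped from the thread (question's ACLs, then the reply's ACLs).
QUESTION_ASA1 = ("access-list outside_cryptomap_1 extended permit ip "
                 "10.10.10.0 255.255.255.0 172.16.10.0 255.225.255.0")
QUESTION_ASA2 = ("access-list outside_cryptomap_1 extended permit ip "
                 "172.16.10.0 255.255.255.0 10.10.10.0 255.225.255.0")
ANSWER_ASA1 = ("access-list vpn extended permit ip "
               "10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0")
ANSWER_ASA2 = ("access-list vpn extended permit ip "
               "172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0")

# Only the "network mask network mask" form used in the thread is handled.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def to_int(dotted):
    """Convert a dotted quad to a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def mask_is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def parse_crypto_acl(line):
    """Return ((src_net, src_mask), (dst_net, dst_mask)) for one ACL line."""
    match = ACL_RE.match(line.strip())
    if not match:
        raise ValueError(f"unsupported access-list line: {line!r}")
    src, smask, dst, dmask = match.groups()
    return (src, smask), (dst, dmask)


def check_peer_acls(local_line, remote_line):
    """List the problems found when comparing the two peers' crypto ACLs."""
    findings = []
    local_src, local_dst = parse_crypto_acl(local_line)
    remote_src, remote_dst = parse_crypto_acl(remote_line)
    labelled = (
        ("local source", local_src), ("local destination", local_dst),
        ("remote source", remote_src), ("remote destination", remote_dst),
    )
    for label, (net, mask) in labelled:
        if not mask_is_contiguous(mask):
            findings.append(f"{label} {net} has non-contiguous mask {mask}")
        elif to_int(net) & ~to_int(mask) & 0xFFFFFFFF:
            findings.append(f"{label} {net} has host bits set under mask {mask}")
    # Each side's source must be the other side's destination, mask included.
    if local_src != remote_dst or local_dst != remote_src:
        findings.append("ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for title, a, b in (("question", QUESTION_ASA1, QUESTION_ASA2),
                        ("reply", ANSWER_ASA1, ANSWER_ASA2)):
        print(title, check_peer_acls(a, b) or "no findings")
```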
Tags: Cisco Security
Similar Questions
-
Site-to-Site VPN Ping does not
I configured a site-to-site VPN between two ASA 5505 firewalls. The tunnel establishes, but ICMP traffic does not pass. In fact, ping worked twice, but only at random. I need it to work on a regular basis. I have attached the configurations as well as the packet-tracer output from both ASAs and the IPsec and ISAKMP SAs. Thanks for any help you can provide.
ASA Configuration 1:
ASA Version 8.0(3)
!
hostname asa1
enable password A.zMQonBIU0NmOC0 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.50.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd OMV1AjIsWknnKr9H encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
access-list acl_out extended permit tcp any host 63.76.12.195 eq smtp
access-list acl_out extended permit tcp any host 63.76.12.195 eq www
access-list acl_out extended permit tcp any host 63.76.12.195 eq 3389
access-list acl_out extended permit tcp any host 63.76.12.195 eq ftp
access-list acl_out extended permit tcp any host 63.76.12.195 eq ftp-data
access-list acl_out extended permit tcp any host 63.76.12.195 eq telnet
access-list acl_out extended permit tcp any host 63.76.12.195 eq 5800
access-list acl_out extended permit tcp any host 63.76.12.195 eq 5900
access-list acl_out extended permit tcp any host 63.76.12.195 eq https
access-list acl_out extended permit tcp any host 63.76.12.196 eq www
access-list acl_out extended permit tcp any host 63.76.12.196 eq https
access-list acl_out extended permit tcp any host 63.76.12.196 eq smtp
access-list acl_out extended permit tcp any host 63.76.12.196 eq 3389
access-list acl_out extended permit icmp any any
access-list 101 extended permit ip 10.1.50.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list 101 extended permit ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0
access-list vpn-fargo extended permit ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 10.1.40.1-10.1.40.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1.1.1.2 ftp 10.1.50.3 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 ftp-data 10.1.50.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 telnet 10.1.50.3 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 5800 10.1.50.102 5800 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 5900 10.1.50.102 5900 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 3389 10.1.50.5 3389 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 10.1.50.6 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 match address vpn-fargo
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set RIGHT
crypto map mymap 20 set reverse-route
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 10.1.50.5
 dns-server value 10.1.50.5 10.1.50.6
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
 default-domain value asa1.com
 user-authentication disable
 address-pools value ippool
username vpn password Tw.atDK7GScnXkMJ encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 default-group-policy vpn3000
tunnel-group jtvpn ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
ASA 2 configuration:
ASA Version 8.2(1)
!
hostname asa2
enable password A.zMQonBIU0NmOC0 encrypted
passwd 1vU9VISnc.IQ6OSN encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.51.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list vpn-dsm extended permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list sheep extended permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list outside-access extended permit icmp any any echo
access-list outside-access extended permit icmp any any echo-reply
access-list outside-access extended permit icmp any any unreachable
access-list outside-access extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside-access in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address vpn-dsm
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set ESP-3DES
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
: end
Packet trace of ASA1:
asa1(config)# packet-tracer input inside icmp 10.1.50.253 1 1 10.1.51.253 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0   0.0.0.0   outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd49dcce0, priority=500, domain=permit, deny=true
     hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=10.1.50.253, mask=255.255.255.255, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Packet trace of ASA2:
asa2(config)# packet-tracer input inside icmp 10.1.51.253 1 1 10.1.50.253 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.50.0   255.255.255.0   outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9583648, priority=500, domain=permit, deny=true
     hits=9, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=10.1.51.253, mask=255.255.255.255, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA 1 IPSec security association:
peer address: 2.2.2.2
    Crypto map tag: dynmap, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1F3E7E3A
    inbound esp sas:
      spi: 0x1DFAE5E0 (502982112)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 77824, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (3824999/28036)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x1F3E7E3A (524189242)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 77824, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (3825000/28034)
         IV size: 8 bytes
         replay detection support: Y
ASA 1 ISAKMP Security Association:
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
ASA 2 IPSec security association:
peer address: 1.1.1.1
    Crypto map tag: mymap, seq num: 10, local addr: 2.2.2.2
      access-list vpn-dsm permit ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
      current_peer: 63.76.12.194
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1DFAE5E0
    inbound esp sas:
      spi: 0x1F3E7E3A (524189242)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 81920, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4374000/27900)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1DFAE5E0 (502982112)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 81920, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373999/27900)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA 2 ISAKMP Security Association:
1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Hi Mike,
I see the following in your configuration:
crypto map mymap 10 ipsec-isakmp dynamic dynmap
The sequence number for the peer 2.2.2.2 is 20, so we hit the dynamic map first, which could cause this problem.
To avoid this, I suggest you do the following:
no crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
To validate this, if you look at the IPsec SA on ASA1, you will find that it was negotiated with dynmap (crypto map seq 10) and not 20!
ASA 1 IPSec security association:
peer address: 2.2.2.2
    Crypto map tag: dynmap, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (10.1.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.51.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
Hope this helps!
See you soon,
Manasi!
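An added example (not from the thread): a small lint for the ordering problem the reply above describes, where a dynamic crypto map entry carries a lower sequence number than a static entry with a configured peer. The config lines are retyped from the posted ASA1 configuration as sample input; the function and constant names are this example's own.

```python
import re

# Sample input retyped from the posted ASA1 configuration.
BEFORE = """\
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 match address vpn-fargo
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set RIGHT
crypto map mymap 20 set reverse-route
crypto map mymap interface outside
"""

# The same configuration after the change suggested in the reply.
AFTER = BEFORE.replace("crypto map mymap 10 ipsec-isakmp",
                       "crypto map mymap 65535 ipsec-isakmp")

# Numbered crypto map entries only. "crypto map NAME interface IFACE" and
# "crypto dynamic-map ..." lines have a different shape and are skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config_text):
    """Return {map_name: {seq: {"dynamic": name or None, "peers": [...]}}}."""
    maps = {}
    for raw in config_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        name, seq, rest = match.group(1), int(match.group(2)), match.group(3).split()
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": None, "peers": []})
        if rest[:2] == ["ipsec-isakmp", "dynamic"] and len(rest) == 3:
            entry["dynamic"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
    return maps


def find_shadowed_peers(config_text):
    """Report static entries that sit behind a lower-numbered dynamic entry.

    Each finding is (map, static_seq, peers, dynamic_seq, dynamic_map_name).
    """
    findings = []
    for name, entries in parse_crypto_maps(config_text).items():
        dynamic_seqs = sorted(s for s, e in entries.items() if e["dynamic"])
        for seq in sorted(entries):
            entry = entries[seq]
            if entry["dynamic"] or not entry["peers"]:
                continue
            earlier = [d for d in dynamic_seqs if d < seq]
            if earlier:
                first = earlier[0]
                findings.append((name, seq, tuple(entry["peers"]),
                                 first, entries[first]["dynamic"]))
    return findings


if __name__ == "__main__":
    for title, text in (("before", BEFORE), ("after", AFTER)):
        hits = find_shadowed_peers(text)
        if not hits:
            print(f"{title}: dynamic entries are evaluated last")
        for name, seq, peers, dseq, dname in hits:
            print(f"{title}: map {name} seq {seq} peer(s) {', '.join(peers)} "
                  f"sits behind dynamic map {dname} at seq {dseq}")
```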
-
my browser cannot open google and facebook and other https sites that it does not open even the app store does not work, I tried to change my DNS google DNS and disable IPv6 but still no use, help PLZ!
You may have installed one or more variants of the malware "VSearch' ad-injection. Please back up all data, and then take the steps below to disable it.
Do not use any type of product, "anti-virus" or "anti-malware" on a Mac. It is never necessary for her, and relying on it for protection makes you more vulnerable to attacks, not less.
Malware is constantly evolving to work around defenses against it. This procedure works now, I know. It will not work in the future. Anyone finding this comment a couple of days or more after it was published should look for a more recent discussion, or start a new one.
Step 1
VSearch malware tries to hide by varying the names of the files it installs. It also regenerates itself if you try to remove it while it is running. To remove it, you must first start in safe mode to temporarily disable the malware.
Note: If FileVault is enabled in OS X 10.9 or an earlier version, or if a firmware password is defined, or if the boot volume is a software RAID, you can not do this. Ask for other instructions.
Step 2
When running in safe mode, load this web page and then triple-click the line below to select it. Copy the text to the Clipboard by pressing the key combination Control-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing Command-V. You won't see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. If it does, press the key combination Command-2 to select list view, if it is not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the most recent at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification date to within a few minutes, so they will be grouped together when you sort the folder this way, which makes them easy to identify.
Step 3
In the LaunchDaemons folder, there may be one or more files with a name of this form:
com.apple.something.plist
where something is a random, meaningless string of letters, different in each case.
Note that the name consists of four words separated by dots. Typical examples are:
com.apple.builins.plist
com.apple.cereng.plist
com.apple.nysgar.plist
There may be one or more items with a name of the form:
com.something.plist
Once again, something is a random, meaningless string, not necessarily the same as the one that appears in any of the other file names.
These names consist of three words separated by dots. Typical examples are:
com.semifasciaUpd.plist
com.ubuiling.plist
Sometimes there are items (usually not more than one) with a name of this form:
com.something.net-preferences.plist
This name consists of four words (the third hyphenated) separated by periods. Typical example:
com.jangly.net-preferences.plist
Drag all such items to the Trash. You may be prompted for your administrator login password.
Restart the computer and empty the Trash.
Examples of legitimate files located in the same folder:
com.apple.FinalCutServer.fcsvr_ldsd.plist
com.apple.Installer.osmessagetracing.plist
com.apple.Qmaster.qmasterd.plist
com.apple.aelwriter.plist
com.apple.SERVERD.plist
com.tether.plist
The first three are clearly not VSearch files because the names do not match the above patterns. The last three are not easy to distinguish by the name alone, but the modification date will be earlier than the date on which VSearch was installed, perhaps by several years. None of these files will be present in most installations of Mac OS X.
Do not delete the "LaunchDaemons" folder or anything else inside it, unless you know you have another type of unwanted software in addition to VSearch. The folder is a normal part of Mac OS X. The term "daemon" refers to a program that starts automatically. This is not inherently bad, but the mechanism is sometimes exploited by hackers for malicious software.
If you are not sure whether a file is part of the malware, sort the contents of the folder by date modified as I wrote in Step 2, not by name. Malicious files will be grouped together. There could be more than one such group, if you were attacked more than once. A file dated far in the past is not part of the malware. A file dated in the middle of an obviously malicious cluster is almost certainly also malicious.
If the files come back after you remove them, or they are replaced by others with similar names, then either you didn't start in safe mode or you didn't get all of them. Return to Step 1 and try again.
Step 4
Reset the home page in each of your browsers, if it has been modified. In Safari, first load the desired home page, then select
▹ Safari preferences... ▹ General
and click on
Set on the current Page
If you use Firefox or Chrome web browser, remove the extensions or add-ons that you don't know that you need. When in doubt, remove all of them.
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
Step 5
The malware lets the web proxy discovery in the network settings. If you know that the setting was already enabled for a reason, skip this step. Otherwise, you should undo the change.
Open the network pane in system preferences. If there is a padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, and then select Proxies in the sheet that drops down. Uncheck that Auto Discovery Proxy if it is checked. Click OK, and then apply.
Step 6
This step is optional. Open the users and groups in the system preferences and click on the lock icon to unlock the settings. In the list of users, there may be some with random names that have been added by the malware. You can remove these users. If you are not sure whether a user is legitimate, do not delete it.
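An added example (not part of the post above): a read-only triage of a LaunchDaemons listing that applies the post's two criteria together, the three file-name shapes from Step 3 and grouping by modification date from Step 2. The sample listing, the five-minute window, the `com.example.helper.daemon.plist` name and all function names are assumptions of this example; nothing is deleted.

```python
import os
import re
from datetime import datetime, timedelta

# The three name shapes described in Step 3 of the post.
NAME_SHAPES = (
    re.compile(r"^com\.apple\.[A-Za-z]+\.plist$"),            # com.apple.something.plist
    re.compile(r"^com\.[A-Za-z]+\.net-preferences\.plist$"),  # com.something.net-preferences.plist
    re.compile(r"^com\.[A-Za-z]+\.plist$"),                   # com.something.plist
)

# Constructed sample listing: (file name, modification time).
SAMPLE = [
    ("com.apple.FinalCutServer.fcsvr_ldsd.plist", datetime(2012, 3, 1, 10, 0, 0)),
    ("com.apple.aelwriter.plist", datetime(2012, 6, 15, 9, 30, 0)),
    ("com.tether.plist", datetime(2013, 1, 10, 14, 0, 0)),
    ("com.apple.builins.plist", datetime(2015, 4, 2, 21, 14, 5)),
    ("com.semifasciaUpd.plist", datetime(2015, 4, 2, 21, 14, 40)),
    ("com.example.helper.daemon.plist", datetime(2015, 4, 2, 21, 14, 50)),
    ("com.jangly.net-preferences.plist", datetime(2015, 4, 2, 21, 15, 10)),
]


def matches_shape(name):
    """True when the file name has one of the shapes listed in Step 3."""
    return any(shape.match(name) for shape in NAME_SHAPES)


def listing_from_dir(path="/Library/LaunchDaemons"):
    """Build a (name, mtime) listing from a real folder without changing it."""
    return [(e.name, datetime.fromtimestamp(e.stat().st_mtime))
            for e in os.scandir(path) if e.name.endswith(".plist")]


def find_clusters(listing, window=timedelta(minutes=5)):
    """Group shape-matching files whose dates lie within `window` of each other.

    Only groups of two or more are reported. Files of any name dated inside a
    group's time span are listed separately, following the post's remark about
    a file dated in the middle of a cluster.
    """
    shaped = sorted((mtime, name) for name, mtime in listing if matches_shape(name))
    groups, current = [], []
    for mtime, name in shaped:
        if current and mtime - current[-1][0] > window:
            if len(current) >= 2:
                groups.append(current)
            current = []
        current.append((mtime, name))
    if len(current) >= 2:
        groups.append(current)

    results = []
    for group in groups:
        start, end = group[0][0], group[-1][0]
        names = {name for _, name in group}
        inside = sorted(name for name, mtime in listing
                        if start <= mtime <= end and name not in names)
        results.append({"start": start, "end": end,
                        "shaped": sorted(names), "also_in_window": inside})
    return results


if __name__ == "__main__":
    for cluster in find_clusters(SAMPLE):
        print(f"{cluster['start']} to {cluster['end']}")
        for name in cluster["shaped"]:
            print("  name shape + date:", name)
        for name in cluster["also_in_window"]:
            print("  date only:", name)
```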
-
How to delete user names registered for a Web site if it does not have an associated password?
I accidentally typed in part of a password when you enter a user name for a Web site.
How can I delete this registered user name? I tried to delete cookies from the Web site, but it does not work. I tried looking through saved passwords, but it doesn't work either, since there is no actual password associated with the username.
Was probably saved as a data form - see this:
https://support.Mozilla.org/en-us/KB/control-Firefox-automatically-fills-in-forms#w_clearing-form-history
-
the color of the sites I visit does not change in firefox but changes in bing
The color of the sites I visit does not change in the list of sites.
I'm not able to find this feature in Firefox 4, even though it existed in earlier versions.
Pl help
Make sure that you are not running Firefox mode of private - browsing using Firefox without saving history permanent.
- You enter private browsing mode, if you select: Tools > Options > privacy > History: Firefox will be: "don't forget the story ever.
- To view the history settings and cookies, choose: Tools > Options > privacy, choose the setting Firefox will: use the custom settings for the story of
- Uncheck: [] "Permanent private browsing Mode.
-
I'm having a problem where Firefox keeps asking for my password to Amazon, even if I tell Firefox NOT to remember this password. In Firefox options, Amazon is clearly recognized as a site for which passwords are not saved.
Do not remove the navigation, search and download history on Firefox to clear the "Site preferences".
Clearing the "Site Preferences" clears all exceptions for cookies, images, pop-up windows, software installation and passwords.
-
My sensitive back of Web Site navigation bar does not work by smartphone - fewowiesbach.de. What can I do?
It does not work because the jQuery and Bootstrap JavaScript files are not on the server, or if they are, they are in the wrong place.
This topic has been moved, by the way, to the main Dreamweaver support forum.
-
I would like to stop my paid subscription to Adobe Creative Cloud because Adobe does not work on my computer. In addition, it is not possible for me to stop my subscription on the site, because it does not show that I have this subscription. That's why I need help, please, thanks :-)
Hi Stephanie,
Please let us know the problem you are having with your Adobe Creative cloud so that we can fix it for you.
For cancellation requests, please contact customer service.
Reference: cancel your creative cloud membership
Kind regards
Sheena
-
I am trying to install Lightroom 4 on a new machine, but the media are hosted by Adobe. I can see my license number but do not see the option to download. Is there a link to the downloads for this media on the Web site? It does not appear in my Adobe account.
Adobe - Lightroom: For Windows
Adobe - Lightroom: For Macintosh
Mylenium
-
The site to buy ExportPDF does not work. It's hanging. How to buy?
The quickest way to get help: contact Customer Service and click the "Still need help?" button to speak with an agent.
[subject moved to Document Cloud Services forum]
-
Receive the error message "your current configuration does not allow this file to download."
Original title: Windows Defender security problems?
Anyone know how to bypass Windows Defender to allow viewing of websites or certain parts of a website? I don't want to turn off Windows Defender, but work around it. Whenever I go into a subcategory of my University web site, I get a message that reads as follows: 'your current configuration does not download this file'
I don't want to download the file, just to see the links that are associated with it.
Thanks to anyone who knows enough to answer.
Hi Eric,
Thanks for posting your question on the Forum of the Microsoft community.
I would be grateful if you can provide us with the following information to help us better understand the issue.
- Could you please provide the names of a few websites that are blocked?
- Have you tried to open these websites in any other browsers? If yes, was the result the same?
- How are you sure that these sites are getting blocked by Defender?
According to the description of your problem, it seems that you are unable to open some websites, so there may be a chance that the site is not compatible with Internet Explorer. So I suggest opening these websites in Compatibility View to see if it helps.
Open Internet Explorer.
Open the Web site which is getting blocked.
To show the toolbar, press the Alt key.
Now, click on Tools.
Then click on Compatibility View settings.
You will see the name of the Web site under Add this Web site; click Add to add this Web site.
Close the window and restart your computer.
If the problem persists, try to trust these websites by following the steps mentioned below.
Step 1: Open the trusted sites
- Open Internet Explorer.
- Press the Alt key to display the Tools menu.
- In the menu, click Tools.
- Now, click on Internet Options.
- Click on Security tab.
- Select Trusted sites.
- Click Sites.
Step 2: Add the trusted Web site
- Enter the address of the site you want to add.
- Click on Add.
- Close the open windows of Trusted Sites and Internet Options.
Hope this helps. If the problem still persists, post back with the current state of your computer and the result of the proposed suggestion, and we will be happy to help you.
Thank you.
-
VPN L2TP does not / / Android 4.4.3
My VPN connection does not work.
The setup is: L2TP/IPSec with PSK in my private network.
Given that my old phone (Xperia S), which is on Android 4.3.X, still works,
I see no configuration problem, but I guess that it is a problem with Android 4.4.X.
The same problem occurs on my Sony Tablet Z since the update to 4.4.X.
Is there any fix from Sony?
I read about a Google fix that should be in place in version 4.4.4, but the update to 4.4.4 on the tablet does not solve this problem.
We got a test account of another user with this issue and have found the cause of this. It will be fixed in a future software update.
-
Wireless Zero Configuration does not start automatically. I have to start it whenever I restart the computer. I have a Dell Inspiron laptop.
Moved from feedback
Original title: WiFi
Hello
1. What version of Windows is installed on the computer?
2. Did it work earlier?
3. Were any recent changes made on the computer before the issue appeared?
To set the Wireless Zero Configuration service to start automatically, click the Start button. Select Settings, then select Control Panel.
If you use the Windows XP Category view, select the Performance and Maintenance category, and then select Administrative Tools.
If you use Classic view, select Administrative Tools. In the left pane, click the Services icon. Click the Wireless Zero Configuration icon in the right pane, and change the Startup Type box to Automatic.
This setting makes the service start automatically at boot time. Then click the Start button to start the Wireless Zero Configuration service and click the OK button.
The Wireless Zero Configuration service can also be started and stopped from a command prompt.
To start the Wireless Zero Configuration service, run the following command:
net start wzcsvc
To stop the Wireless Zero Configuration service, run the following command:
net stop wzcsvc
For more information, see the link.
Wireless Zero Configuration Reference
Please post back with the results and we will be happy to help you further.
-
Automatic configuration does not...
I bought a 2nd wre54g and automatic configuration does not work... I tried for an hour... light remains red link... I tried the reset button but same thing... My only other works fine... all ideas except repair... I have only one at a time if it is not the problem... Thank you
Thanks for your reply... I managed to do work using the ethernet cable to set it up, and now it works.
-
Win 7 backup and restore, backup configuration does not work.
Win 7 Home Premium Backup and restore, backup configuration does not work. I tried "clean boot", turned off all non-Microsoft services, pc restarted, Setup backup does not always work. When I click on the configuration backup, just open a Windows Explorer window in the System 32 folder. That's all. What now?
Thank you
Mark
This problem is caused by a 3rd party shell extension. To identify the incriminated extension, use ShellExView.
"When you click on "Set up backup" or click on "Change settings" in Windows 7 Backup and Restore, nothing happens or the System32 folder opens."
Follow method 2 in this page: http://windowsxp.mvps.org/slowrightclick.htm