VPN between ASA does not

Hello world

hope you can help us with a problem.

We try to create a tunnel vpn site-to-site between offices in different countries. We create 4 vpn tunnel, 3 of them are working right now, but there is an ASA which does not allow the connection.

On our side, we have an ASA 5516 running firmware version 9.5 (1) that has this configuration:

ti_jamaica list of allowed ip extended access any object host_10.10.10.252

NAT (inside, outside) 1 dynamic source any destination host static 10.10.10.252 host_10.111.0.10 host_10.10.10.252

Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac ts_jamaica

card crypto vpnpbs 1 match address ti_jamaica
card crypto vpnpbs 1 set of peer XXX.XXX.XXX.XXX
card crypto 1 ikev1 transform-set ts_jamaica set vpnpbs

tunnel-group, type ipsec-l2l XXX.XXX.XXX.XXX
tunnel-group ipsec-attributes XXX.XXX.XXX.XXX
IKEv1 pre-shared-key vpn1234

internal GroupPolicy_xxx group strategy
attributes of Group Policy GroupPolicy_xxx
Ikev1 VPN-tunnel-Protocol

Crypto ikev1 allow outside
IKEv1 crypto policy 11
preshared authentication
aes-256 encryption
md5 hash
Group 2
life 86400

On the other side, our office has an ASA (don't know the model) running firmware version 8.2 with this configuration

permit access list extended ip host 10.10.10.252 Outside_21_cryptomap 10.111.0.10

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto Outside_map 21 card matches the address Outside_21_cryptomap
card crypto Outside_map 21 set pfs
card crypto Outside_map 21 peer set XXX.XXX.XXX.XXX
card crypto Outside_map 21 the transform-set ESP-AES-256-MD5 value

tunnel-group, type ipsec-l2l XXX.XXX.XXX.XXX
tunnel-group ipsec-attributes XXX.XXX.XXX.XXX
pre-shared-key vpn1234

crypto ISAKMP policy 170
preshared authentication
aes-256 encryption
md5 hash
Group 2
life 86400

but I get this error on «See the ikev1 debugging»

11 February 15:32:06 [IKEv1] group = IP XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX, Session = is to be demolished. Reason: The user has requested

11 February 15:32:11 [IKEv1] Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, removal table correlator counterpart has failed, no match!

I already check that this error message, it indicates that there is a configuration issue between both sides of the VPN, according to the manual, it the encryption and hash does not match their topic, but we think we have the right configuration.

I appreciate any help or advice on your part.

Best regards

First of all your cryptographic domains do not match, correct so that the first. They are the same on both sides.

That's what they say.

access-list ti_jamaica extended permit ip any object host_10.10.10.252

And the other.

access-list Outside_21_cryptomap extended permit ip host 10.10.10.252 host 10.111.0.10

Tags: Cisco Security

Similar Questions

Problem with IPsec VPN between ASA and router Cisco - ping is not response

Hello

I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

my network topology data:

LAN 1 connect ASA - 1 (inside the LAN)

PC - 10.0.1.3 255.255.255.0 10.0.1.1

ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

-----------------------------------------------------------------

ASA - 1 Connect (LAN outide) R1

ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

---------------------------------------------------------------------

R1 R2 to connect

R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

R2 for lan connection 2

--------------------------------------------------------------------

R2 to connect LAN2

R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

PC - 10.0.2.3 255.255.255.0 10.0.2.1

ASA configuration:

1 GigabitEthernet interface
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
no downtime
interface GigabitEthernet 0
nameif outside
security-level 0
IP 172.30.1.2 255.255.255.252
no downtime
Route outside 0.0.0.0 0.0.0.0 172.30.1.1

------------------------------------------------------------

access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
object obj LAN
subnet 10.0.1.0 255.255.255.0
object obj remote network
10.0.2.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

-----------------------------------------------------------
IKEv1 crypto policy 10
preshared authentication
aes encryption
sha hash
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
IKEv1 pre-shared-key cisco123
Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

-------------------------------------------------------------
card crypto ASA1VPN 10 is the LAN1 to LAN2 address
card crypto ASA1VPN 10 set peer 172.30.2.2
card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
card crypto ASA1VPN set 10 security-association life seconds 3600
ASA1VPN interface card crypto outside

R2 configuration:

interface fastEthernet 0/0
IP 10.0.2.1 255.255.255.0
no downtime
interface fastEthernet 0/1
IP 172.30.2.2 255.255.255.252
no downtime

-----------------------------------------------------

router RIP
version 2
Network 10.0.2.0
network 172.30.2.0

------------------------------------------------------
access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
access-list 102 permit esp 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
IP access-group 102 to

------------------------------------------------------
crypto ISAKMP policy 110
preshared authentication
aes encryption
sha hash
Group 2
life 42300

------------------------------------------------------
ISAKMP crypto key cisco123 address 172.30.1.2

-----------------------------------------------------
Crypto ipsec transform-set esp - aes 128 R2TS

------------------------------------------------------

access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

------------------------------------------------------

R2VPN 10 ipsec-isakmp crypto map
match address 101
defined by peer 172.30.1.2
PFS Group1 Set
R2TS transformation game
86400 seconds, life of security association set
interface fastEthernet 0/1
card crypto R2VPN

I don't know what the problem

Thank you

If the RIP is not absolutely necessary for you, try adding the default route to R2:

IP route 0.0.0.0 0.0.0.0 172.16.2.1

If you want to use RIP much, add permissions ACL 102:

access-list 102 permit udp any any eq 520

Troubleshooting IPSec Site to Site VPN between ASA and 1841

Hi all

in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

On the ASA:

Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz

#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500

SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001

Output of the command: "sh crypto isakmp his."

HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4

IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

On the 1841

1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

1841 crypto ipsec #sh its

Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2

SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

It's the running of the 1841 configuration

!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
end

As I mentioned previously: suspicion is much appreciated!

Best regards

Joerg

Joerg,

ASA receives not all VPN packages because IOS does not send anything.

Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

The problem seems so on the side of the router.

I think that is a routing problem, but you only have one default gateway (no other channels on the router).

The ACL 100 is set to encrypt the traffic between the two subnets.

It seems that the ACL 101 is also bypassing NAT for VPN traffic.

Follow these steps:

Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

Federico.

VPN between ASA and cisco router [phase2 question]

Hi all

I have a problem with IPSEC VPN between ASA and cisco router

I think that there is a problem in the phase 2

Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

Looking forward for your help

Phase 1 is like that

Cisco_router #sh crypto isakmp his

IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

and ASA

ASA # sh crypto isakmp his

ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1

1 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE

Phase 2 on SAA

ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41

#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0

local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393AB

SAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: Y

Phase 2 on cisco router

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)

SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

VPN configuration is less in cisco router

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

sheep allowed 10 route map
corresponds to the IP 105

Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101

crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4

Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

You currently have:

Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

It should be:

Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

To remove it and add it to the bottom:

105 extended IP access list

not 5

IP 172.19.194.0 allow 60 0.0.0.255 any

Then ' delete ip nat trans. "

and it should work now.

ASA does not propagate any routes for VPN users

Good afternoon

I m a problem concerning the spread of the roads to authenticated VPN users through the asa tunnel-group.

I have a VPN-users-pool where my users receive their IP address, and after authentication and the tunnel is established the idea is that the user get to the networks defined in the following ACL:

access-list within the standard allow 10.1.0.0 255.255.0.0

access-list within the standard allow 192.168.15.0 255.255.224.0

Now, the problem is that, after the tunnel is set up the only way, that the user receives is the default route (which is not supposed to be sent). The user does not receive the roads specified in the ACL list above. It has not received the network mask and assumes one 8 netmask (given that the pool of network from where it receives the IP address is a class A network).

Network routing works as expected (when I add the static routes directly to PC users, everything works OK). It s just the matter of the ASA do not spread the roads as it should.

Here is my split tunneling settings:

attributes of Group Policy DefaultRAGroup

VPN-idle-timeout 1

Protocol-tunnel-VPN l2tp ipsec

disable the PFS

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value inside

(...)

attributes of Group Policy DfltGrpPolicy

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value inside

(...)

Any ideas?

I have apreciate your help

Best regards

Just a question, I see:

attributes of Group Policy DefaultRAGroup

Protocol-tunnel-VPN l2tp ipsec

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value inside

internal DefaultRAGroup_1 group strategy

attributes of Group Policy DefaultRAGroup_1

Split-tunnel-policy tunnelspecified

It looks like your policy

DefaultRAGroup_1 you set ACLs and the other doesn't seem to be for L2TP/IPSEC. How do you connect to the ASA, using L2TP/IPSEC or Cisco IPSEC client? In addition, if your users are devoted to this group policy:

DefaultRAGroup_1 it looks like the acl is missing for the split tunneling

VPN between ASA and router

Hi all

First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

The devices can ping external IP address on the other.

The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

Configurations for both devices are attached.

No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

Thanks in advance,

Patty
1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
4. Yes, the forum is perfectly fine! ;-)

VPN error 809 does not work

I have a windows vista, before my vpn network worked perfectly, but when the update sp2 vpn does not work again so could any body can help me with this sound like Windows have no clue at all to this subject, so far I try most of the answers

but none works

Support FREE from Microsoft for SP2:

https://support.Microsoft.com/OAS/default.aspx?PRID=13014&Gprid=582034&St=1

Free unlimited installation and compatibility support is available for Windows Vista, but only for Service Pack 2 (SP2). This support for SP2 is valid until August 30, 2010.

Microsoft free support for Vista SP2 at the link above.

See you soon.

Mick Murphy - Microsoft partner

LAN to lan vpn between ASA and router 7200

Hi friends,

I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

<7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

I will have the following configuration:

7200 router:

crypto ISAKMP policy 80

the enc

AUTH pre-shared

Group 1

life 3600

ISAKMP crypto key cisco123 address 192.168.12.2

Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

map VPNTunnel 80 ipsec-isakmp crypto

defined by peer 192.168.12.2

game of transformation-VPNtrans

match address 110

int fa0/0

IP add 10.10.5.2 255.255.255.192

IP virtual-reassembly

no ip route cache

Speed 100

full duplex

card crypto VPNTunnel

access-list 110 permit ip any 192.135.5.0 0.0.0.255

ASA:

int e0/0

nameif inside

security-level 100

192.135.5.254 Add IP 255.255.255.0

int e0/1

nameif outside

security-level 0

IP add 192.168.12.2 255.255.255.240

access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

"pre-shared key auth" ISAKMP policy 10

ISAKMP policy 10-enc

ISAKMP policy 10 md5 hash

10 1 ISAKMP policy group

ISAKMP duration strategy of life 10-3600

Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

card crypto VPN 10 matches the ACL address

card crypto VPN 10 set peer 10.10.5.2

card crypto VPN 10 the transform-set VPNtran value

tunnel-group 10.10.5.2 type ipsec-l2l

IPSec-attributes of type tunnel-group 10.10.5.2

cisco123 pre-shared key

card crypto VPN outside interface

ISAKMP allows outside

dhcpd address 192.135.5.1 - 192.135.5.250 inside

dhcpd dns 172.15.4.5 172.15.4.6

dhcpd wins 172.15.76.5 172.15.74.5

dhcpd lease 14400

dhcpd ping_timeout 500

dhcpd allow inside

Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

Please advise...

Thank you very much...

Where it fails at the present time?

Can you share out of after trying to establish the VPN tunnel:

See the isa scream his

See the ipsec scream his

Please also run the following debug to see where it is a failure:

debugging cry isa

debugging ipsec cry

Authentication of VPN 3000 Client does not

Get the following error trying to authenticate on VPN 3020: Xauth required but winning proposal does not support xauth, of audit priorities of the xauth list proposal ike ike proposals

Not really sure what it means.

Find the proposals on the VPN3020 IKE (location varies depending on the version, so I can't tell you where). You will find some are active, others do not. Make sure that one is active when the authentication method is "pre-shared keys (xuauth)" with something like MD5, 3DES, DH group2.

If you see a proposal named "CiscoVPNClient-3DES-MD5" that will do the trick.

Client VPN router IOS does not connect

Hi all

I'm having some trouble of Client VPN connection over the internet to our Cisco IOS router. Some help would be very appreciated!

On the VPN client log I get the following error messages:

---------------------------

...

573 16:32:13.164 21/12/05 Sev = WARNING/2 IKE/0xE3000099

Size invalid SPI (PayloadNotify:116)

574 16:32:13.164 21/12/05 Sev = Info/4 IKE/0xE30000A4

Invalid payload: said length of payload, 568, not enough Notification:(PayloadList:149)

575 16:32:13.164 21/12/05 Sev = WARNING/3 IKE/0xA3000058

Received incorrect message or negotiation is no longer active (message id: 0x00000000)

---------------------------

We get debugging on the router that I'm trying to connect:

---------------------------

router #debug isakmp crypto

...

21 Dec 16:32:16.089 AEDT: ISAKMP (0:0): received 203.153.196.1 packet dport 500 sport 500 SA NEW Global (N)

21 Dec 16:32:16.089 AEDT: ISAKMP: created a struct peer 203.153.196.1, peer port 500

21 Dec 16:32:16.089 AEDT: ISAKMP: new created position = 0x678939E0 peer_handle = 0 x 80000031

21 Dec 16:32:16.089 AEDT: ISAKMP: lock struct 0x678939E0, refcount IKE peer 1 for crypto_isakmp_process_block

21 Dec 16:32:16.089 AEDT: ISAKMP: 500 local port, remote port 500

21 Dec 16:32:16.089 AEDT: insert his with his 67B0AB34 = success

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): treatment ITS payload. Message ID = 0

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): payload ID for treatment. Message ID = 0

21 Dec 16:32:16.089 AEDT: ISAKMP (0:0): payload ID

next payload: 13

type: 11

ID of the Group: eggs

Protocol: 17

Port: 500

Length: 12

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): peer games * no * profiles

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 215

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is XAUTH

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is DPD

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 194

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 123

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is NAT - T v2

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment

21 Dec 16:32:16.089 AEDT: ISAKMP: (0:0:N / A:0): provider ID is the unit

21 Dec 16:32:16.089 AEDT: ISAKMP: analysis of the profiles for xauth...

.....

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): atts are not acceptable. Next payload is 3

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): audit ISAKMP transform 12 against the policy of priority 3

21 Dec 16:32:16.093 AEDT: ISAKMP: 3DES-CBC encryption

21 Dec 16:32:16.093 AEDT: ISAKMP: MD5 hash

21 Dec 16:32:16.093 AEDT: ISAKMP: group by default 2

21 Dec 16:32:16.093 AEDT: ISAKMP: pre-shared key auth

21 Dec 16:32:16.093 AEDT: ISAKMP: type of life in seconds

21 Dec 16:32:16.093 AEDT: ISAKMP: life (IPV) 0x0 0 x 20 0xC4 0x9B

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): pre-shared authentication offered but does not match policy.

21 Dec 16:32:16.093 AEDT: ISAKMP: (0:0:N / A:0): atts are not acceptable. Next payload is 3

---------------------------

You can apply the encryption the WAN interface card and check?

New router. Connection to the remote NAS device or a file between computers does not.

I just changed routers and lost my connection wirelessly between devices. Internet is good, but no connection with Lynksys NAS 200 wireless backup. And I can't share files between computers. All my permissions are large open on both computers, but same homegroup does not. Windows 7 on both computers. A desktop connected to the network and a wireless laptop which is connected to the NAS. My wired desktop backup is fine. NA not lose that connection.

I just changed routers and lost my connection wirelessly between devices. Internet is good, but no connection with Lynksys NAS 200 wireless backup. And I can't share files between computers. All my permissions are large open on both computers, but same homegroup does not. Windows 7 on both computers. A desktop connected to the network and a wireless laptop which is connected to the NAS. My wired desktop backup is fine. NA not lose that connection.

Me too, I unfortunately have the same problem.

Installed a replacement wifi router and lost access to a NAS. And it is the only element that would not be re - connect...

It's the config probably simple setting of the wireless router with the IP Address of the NAS (10.1.10.199 if this is of any help), but it's clearly a mystery to find useful info on how and what to configure...

Unfortunately, it was easier under XP...

Thanks for the research.

Account shared between cubes does not receive data
Hello

I created an application Multicurrency, consisting of 2 cubes. The first cube has only the default dimensions, the second cube additional custom two-dimensional. Custom2 stores members 'Amount' and 'Description', CUSTOM1 stores data for transactions (T1, T2, etc.).
Cube 2 there is a form that uses an account shared between cubes ("Transactions") with cube 2 as plan source type. Thus, in cube 2 data is stored for a combination of account "Opérations", "T1" (Custom1) and 'Amount' (Custom2).
Cube 1 there is a form that shows the account 'Operations' (read only due to the plan of different source type), however after I entered some data for the form assigned to cube2, train in cube1 is giving me all the data.

I checked the essbase outline and cube 1 account 'Opérations' has the value dynamic Calc and formula automatically genereated during refresh XREF. For cube 2, this account is set to store.

It seems that I'm missing something, however, I am not in a position to define what is originally the function XREF does not give results.
The gurus of the Hyperion, you help me?

Concerning
Marcin Stawny
Silly question

If you do not have these dimensions in the Cube 1. This means that they take the total of these dimensions when he jumps from 1 Cube for Cube 2

But you you aggregate Cube 2 entirely on these 2 dimensions.

If you do not have a value at the top of these 2 dimensions, then you will see nothing in 1 Cube sure

Œuvres ping for the VPN ASA5505 RDP does not work?

I have an ASA5505 VPN remote access facility

I have a server connected directly behind the ASA and I can ping the server without problem.

The reports being encrypted and decrypted packets VPN client

However when I try to RDP to the server packages encyrpted keep incrementing but the decrypted packets are not.

I also do not see all RDP traffic hit the server (checked by ethereal)

I did a packet trace and it succeeds, but ends with a parody of IP which I believe is correct as is the vpn traffic and not actually be encrypted.

This is the correction of the RDP session, I'm confused by one ICMP denied on line 2 that I am able to ping the server?

% ASA-6-302013: built of TCP connections incoming 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) at internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.146: no matching session

% ASA-609001 7: built internal local-host: 192.168.100.37

% ASA-6-302015: built connection UDP incoming 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-6-302015: built connection UDP incoming 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% 302014-6-ASA: disassembly of the TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0: bytes of 00:00 0 flow closed by inspection (roger_ssl)

I have that configured NAT

NAT (internal, external) static source 192.168.100.0 192.168.100.0 static destination VPN_172 VPN_172

The only logical bit that is closed by the inspection flow? Is this to say that the server has not responded?

And decrypt packets increase not when trying to RDP

Does this mean anyting to anyone that I have arrived at the end of my knowledge of the SAA on this one!

Thank you

Roger

Answer is based on your other thread:

https://supportforums.Cisco.com/thread/2207372

VPN between ASA and 871

Hello

I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

Thank you all,.

Jérôme

Hello

It seems that you are missing some required configuration. See the link below...

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

HTH

MS

* Rate of useful messages *.

L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

Hi all

My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
crypto ISAKMP policy 5
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
isakmp encryption key * address no.-xauth y.y.y.y

! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
crymap extended IP access list
IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
card crypto 1 TUNNEL VPN ipsec-isakmp
defined peer y.y.y.y
game of transformation-ESP-3DES-SHA
match the address crymap

Gi0/2 interface
card crypto VPN TUNNEL

Hello

debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

So I suggest:

no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

Then try tunnel initiate.

Kind regards

Jan

VPN between ASA does not

Similar Questions

Maybe you are looking for