topic Try adding these commands in VPN

Cisco ASA 5515 + Mikrotik Site-to-Site IPsec VPN

falangerr — Sat, 22 Feb 2020 04:33:16 GMT

Good day. I have problem in installing IPsec VPN between Cisco ASA-5515 and mikrotik 951. I want to use ikev1 only.

Here it is my network:

LAN 10.7.0.1/24 --> Mikrotik <-- WAN 2.2.2.2 <--INTERNET--> WAN 1.1.1.1 --> Cisco <-- LAN 10.6.0.254/24

Config of Mikrotik router:
[admin@Brest-R] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0    address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2
[admin@Brest-R] >ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0     src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=test priority=0
[admin@Brest-R] > ip ipsec proposal print
Flags: X - disabled, * - default
0    name="test" auth-algorithms=md5,sha1,sha512 enc-algorithms=3des,aes-256-cbc lifetime=30m pfs-group=none
I see that phase 1 is ok:
[admin@Brest-R] > ip ipsec remote-peers print
0 local-address=2.2.2.2 remote-address=1.1.1.1 state=established side=initiator established=18h11m6s
But if I will try ping from mikrotik to cisco asa lan interface - I see next:
[admin@Brest-R] > ping 10.6.0.254 src-address=10.7.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.6.0.254                                              timeout
  sent=5 received=0 packet-loss=100%
echo: ipsec,debug new acquire 2.2.2.2 [0]<=>1.1.1.1[0]
echo: ipsec,debug suitable outbound SP found: 10.7.0.0/24[0] 10.6.0.0/24[0] proto=any dir=out
echo: ipsec,debug suitable inbound SP found: 10.6.0.0/24[0] 10.7.0.0/24[0] proto=any dir=in
echo: ipsec,debug no configuration found for 1.1.1.1.
echo: ipsec,error failed to begin ipsec sa negotiation.
Config of Cisco ASA you can see below:

interface GigabitEthernet0/1
description blablabla
nameif WAN
security-level 0
ip address 1.1.1.1 255.255.255.224

interface GigabitEthernet0/2
nameif TEST
security-level 100
ip address 10.6.0.254 255.255.255.0
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 2.2.2.2
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map WAN_map 1 set security-association lifetime seconds 86400
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map 1 set reverse-route
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
access-list WAN_cryptomap line 1 extended permit ip 10.6.0.0 255.255.255.0 10.7.0.0 255.255.255.0 (hitcnt=3) 0xf48c7385

nat (LAN,WAN) source dynamic any interface
nat (TEST,WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup

ASA# show crypto ikev1 sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
ASA# show crypto isakmp sa detail
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 19844

ASA# show crypto isakmp

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 86.57.168.157
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

ASA# show crypto ipsec sa

There are no ipsec sas

As I see, problem in second phase of IKEv1. It doesn't want to set up.

Hi falangerr,

Dinesh Moudgil — Thu, 12 Nov 2015 08:49:15 GMT

Hi falangerr,

The error

"echo: ipsec,debug no configuration found for 1.1.1.1.
echo: ipsec,error failed to begin ipsec sa negotiation."

states that you do not have configuration for remote ASA peer 1.1.1.1. Can you verify the configuraiton on Mikrotik device?

Once done, please share the output of the following debug commands:
debug crypto condition peer
debug crypto ipsec 255

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

This Mikrotik have IPsec

falangerr — Thu, 12 Nov 2015 09:11:32 GMT

This Mikrotik have IPsec tunnel with other Mikrotik, and it is work fine. Config in generall for tunnel between two Mikrotik routers is similar.

I entered two commands as you asked:

debug crypto condition peer
debug crypto ipsec 255

And nothing appear. I see clear console.

Here it is all config of my Mikrotik router at this moment:

[admin@Brest-R] >> ip ipsec peer print

Flags: X - disabled, D - dynamic

0 address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2

[admin@Brest-R] >> ip ipsec policy print

Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default

2 src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=86.57.168.157 sa-dst-address=213.184.230.160 proposal=test priority=0

[admin@Brest-R] >> ip ipsec proposal print

Flags: X - disabled, * - default

1 name="test" auth-algorithms=md5,sha1,sha512 enc-algorithms=3des,aes-256-cbc lifetime=1d pfs-group=none

[admin@Brest-R] >> ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.8.0.0/24 log=no log-prefix=""

chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.6.0.0/24 log=no log-prefix=""

[admin@Brest-R] >> ip firewall filter print

Flags: X - disabled, I - invalid, D - dynamic

0 ;;; Allow ICMP

chain=input action=accept protocol=icmp log=no log-prefix=""

1 ;;; Allow related and established connections

chain=input action=accept connection-state=established,related log=no log-prefix=""

2 ;;; Forward established and related connections

chain=forward action=accept connection-state=established,related log=no log-prefix=""

3 chain=input action=accept src-address=10.8.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""

4 chain=input action=accept src-address=10.6.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""

5 ;;; Allow IKE

chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

6 ;;; Allow IPSec-esp

chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

You will need to enter the

Dinesh Moudgil — Thu, 12 Nov 2015 09:11:33 GMT

You will need to enter the peer IP as well.

e.g.
debug crypto condition peer x.x.x.x (mikrotik's device public IP)
debug crypto ipsec 255

Moreover, the error is indicating issue on Mikrotik device's configuration for ASA.
The fact that other VPN tunnels are working fine on Mikrotik does not confirm that the device is configured correctly to negotiate phase 2 with ASA although the debugs from ASA can confirm this thing.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

I entered command with global

falangerr — Thu, 12 Nov 2015 09:17:05 GMT

I entered command with global IP of my Mikrotik router, I understand it. But I doesn't see any debug messages in console.

Maybe problem in that my Mikrotik router work with specific encryption or hach algorithm not so good.

Try adding these commands

Dinesh Moudgil — Thu, 12 Nov 2015 09:20:00 GMT

Try adding these commands along with previously mentioned debug commands:

logging on
logging enable
logging monitor 7
logging buffered 7
logging buffer-size 1048576

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

User Access Verification

falangerr — Thu, 12 Nov 2015 09:38:35 GMT

User Access Verification

Username: xxxxxx
Password: **********
Type help or '?' for a list of available commands.
ASA> en
Password: **********
ASA# conf t
ASA(config)# logg
ASA(config)# logging on
ASA(config)# logg
ASA(config)# logging enab
ASA(config)# logg
ASA(config)# logging monitor 7
ASA(config)# logging buffered 7
ASA(config)# logging buffer-size 1048576
ASA(config)# debug crypto condition peer 2.2.2.2
ASA(config)# debug crypto ipsec 255

ASA(config)# show debug
debug crypto ipsec enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
2.2.2.2/32

ASA(config)#

And nothing happened. Ofcourse during this I tried to drop tunnel and get it up again.

In ASDM I can see only this:

Nov 12 2015

12:35:37

Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED

Nov 12 2015

12:35:37

AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2

Also I can show debug from

falangerr — Thu, 12 Nov 2015 10:01:12 GMT

Also I can show debug from Mikrotik

echo: ipsec,debug initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
echo: ipsec,debug begin Identity Protection mode.
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:0000000000000000
echo: ipsec,debug received broken Microsoft ID: FRAGMENTATION
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:1c3ed76289a2750c
echo: ipsec,debug received Vendor ID: CISCO-UNITY
echo: ipsec,debug received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:1c3ed76289a2750c
echo: ipsec,debug received Vendor ID: DPD
echo: ipsec,debug ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:7b14e7063c4be7e5:1c3ed76289a2750c

Hi falangerr ,Phase 2

Dinesh Moudgil — Thu, 12 Nov 2015 11:53:46 GMT

Hi falangerr ,

Phase 2 parameters, crypto access-list and transform set seem to match in this case. Can you confirm if you are connected via console to ASA?

1. Have you applied the crypto map at WAN interface.
2. Please share the output of show run log
3. Is any of the device behing NATed device.
4. Check the output of "show log" if you see any debugs.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

I connect to the ASA with

falangerr — Thu, 12 Nov 2015 12:31:16 GMT

I connect to the ASA with help of ssh, telnet or ASDM. Also, I can connect by console cable? But usually I use SSH or ASDM. There are few transform sets which was created for connections. I created them to avoid situation when some devices don't want work with specific algorithms.

1. Yes, I did.

crypto map WAN_map interface WAN

2. ASA# show run log
logging enable
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging asdm informational

3. No, all two devices have global ip. That is why NAT-T doesn't need. And I don't forget about excluding networks from NAT for ASA:

ASA# show nat
Manual NAT Policies (Section 1)
1 (LAN) to (WAN) source dynamic any interface
translate_hits = 767, untranslate_hits = 6
2 (TEST) to (WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

and for Mikrotik:

[admin@Brest-R] >> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
1 chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.6.0.0/24 log=no log-prefix=""

4. I wrote messages about Phase 1which I saw in ASDM. Ofcourse I can see this in "show log". And additionally:

%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x6027656)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=cb77946b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a6c73290) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6027656)

Thanks , you are on the right

Dinesh Moudgil — Thu, 12 Nov 2015 12:46:48 GMT

Thanks , you are on the right track.

Perform the following steps.
1. Run "clear log buffer"

2. Enable the debugs via
debug crypto condition peer
debug crypto isakmp 255
debug crypto ipsec 255

3. Initiate the VPN tunnel.
4. Share the whole output of "show logg"

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thank you for your help. You

falangerr — Thu, 12 Nov 2015 13:05:14 GMT

Thank you for your help. You can see output below:

ASA# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 64034 messages logged
Buffer logging: level debugging, 63980 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 57742 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x5626898a)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=f4a901f1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ed8f7871) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5626898a)
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/9484 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.137/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.137/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to TEST:255.255.255.255/17500
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'
%ASA-6-302013: Built inbound TCP connection 10784 for LAN:10.1.1.197/59083 (10.1.1.197/59083) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59083 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59083 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59083
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59083
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59083 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59083 terminated.
%ASA-6-302014: Teardown TCP connection 10784 for LAN:10.1.1.197/59083 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59083 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59083 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a4ee31c4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, processing delete
%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:c54dda3a terminating: flags 0x01004802, refcnt 0, tuncnt 0
%ASA-5-713259: Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 98304 dead because SA deleted
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.147/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.147/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5978
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10786 for LAN:10.1.1.197/59084 (10.1.1.197/59084) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59084 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59084 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59084
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59084
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59084 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59084 terminated.
%ASA-6-302014: Teardown TCP connection 10786 for LAN:10.1.1.197/59084 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59084 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59084 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-609001: Built local-host WAN:10.7.0.1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 213.184.230.178/1088 laddr 213.184.230.178/1088
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10789 for LAN:10.1.1.197/59085 (10.1.1.197/59085) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59085 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59085 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59085
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59085
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59085 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59085 terminated.
%ASA-6-302014: Teardown TCP connection 10789 for LAN:10.1.1.197/59085 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59085 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59085 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.154/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.154/68 to TEST:255.255.255.255/67
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 9 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6070
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x513d064)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=8c4f9f7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a519933d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x513d064)
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 213.184.230.178/1088 laddr 213.184.230.178/1088
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:00:08
%ASA-7-710005: UDP request discarded from 10.1.1.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.169/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.169/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10791 for LAN:10.1.1.197/59087 (10.1.1.197/59087) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59087 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59087 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59087
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59087
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59087 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59087 terminated.
%ASA-6-302014: Teardown TCP connection 10791 for LAN:10.1.1.197/59087 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59087 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59087 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.117/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.117/68 to TEST:255.255.255.255/67
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-5-111008: User 'enable_15' executed the 'undebug all' command.
%ASA-6-302013: Built inbound TCP connection 10793 for LAN:10.1.1.197/59088 (10.1.1.197/59088) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59088 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59088 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59088
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59088
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59088 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59088 terminated.
%ASA-6-302014: Teardown TCP connection 10793 for LAN:10.1.1.197/59088 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59088 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59088 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6227
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x513d065)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=494c6c52) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=fb6c60f8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x513d065)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.91/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.91/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-6-302013: Built inbound TCP connection 10795 for LAN:10.1.1.197/59089 (10.1.1.197/59089) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59089 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59089 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59089
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59089
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59089 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59089 terminated.
%ASA-6-302014: Teardown TCP connection 10795 for LAN:10.1.1.197/59089 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59089 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59089 to LAN:10.1.1.254/443

Looking at the debugs:-

Dinesh Moudgil — Thu, 12 Nov 2015 14:31:02 GMT

Looking at the debugs:-

%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a4ee31c4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, processing delete
%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:c54dda3a terminating: flags 0x01004802, refcnt 0, tuncnt 0
%ASA-5-713259: Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 98304 dead because SA deleted

You can see that we are getting a delete message from remote side and after processing , the session is torn down.

Can you confirm if you have a VPN tunnel on Mikrotik having overlapping subnets to anothet VPN peer. Also check if the interesting traffic is properly configured.

Try removing the other tunnel from Mikrotik and initiate the tunnel to see if this tunnel comes up. It seems like Mikrotik device is sending the delete message and thus causing issue.There is nothing much we can do on the ASA side. You might want to put it up on Mikrotik forum as well.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thank's for help. This part

falangerr — Thu, 12 Nov 2015 14:41:20 GMT

Thank's for help. This part of log show this moment when I manually kill IPsec connection from Mikrotik to show you full process of negotiation.

And yes. There was two VPN tunnels on those Mikrotik. The second tunnel is disabled now and nothing changed.

Hi falangerr,

swj — Fri, 13 Nov 2015 05:58:54 GMT

Hi falangerr,

I reviewed the debugs, and I agree with Dinesh we receive process delete from the remote end. However I have one more concern why we received remote proxy as "any any" instead of specific one ?

Could you please check with remote end to conform what is the remote proxy they used.

In most third party devices I see they build tunnel using 2 ways one is Route based and another is access-list based, please inform the remote end to use Mirrored crypto ACL. The remote end ACl should be like "10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0"

And if they use “any any” on the other end always we should be the initiator always.

This kind of peer termination problem occurs, Consider your tunnel is up as you initiated the traffic, Since remote end us using “any any” consider remote end initiate the traffic apart from 10.6.0.0/24 and ASA receives crypto ACL as any any as shown in the log and chances that we delete the tunnel since ASA don’t have that in the crypto map.

So to avoid this situations make the Crypto ACL to be mirrored.

Please let me know the below information

Was the tunnel coming up when you initiate the traffic from ASA end ? The reason I ask you is the below output show its up for 12M and tearing it down ?

Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

Thanks,

Regards,

Swj.

Good day! We receive process

falangerr — Fri, 13 Nov 2015 07:59:01 GMT

Good day! We receive process delete from the remote end (from Mikrotik) because I manually kill vpn connection to show full process of starting ike.

I don't actually understand what you mean in words "remote proxy as any any". If you mean ACL which should specify interesting traffic - Mikrotik has mirrored policy (like cisco ACL):

[admin@Brest-R] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

2 src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1
proposal=test priority=0

And Mikrotik rules is more like ACL then router based.

When first phase is up, I always try to ping from Mikrotik with command:

[admin@Brest-R] > ping 10.6.0.1 src-address=10.7.0.1

And from ASA with command:

ASA# ping 10.7.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I do ping from two devices at one time when first phase of negotiation comming up.

And the last. You can see 12 minutes uptime because tunnel was in up state 12 minutes, until I manually drop it down. Tunnel can be in up state one, two , three , ten hours and etc. it is doesn't matter. But second phase of negotiation has never installed between this two devices : (

What i mean by remote proxy

swj — Fri, 13 Nov 2015 19:54:01 GMT

What i mean by remote proxy any any

%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0 >>>.>

Anf one more thing from the debugs provided i can see phase-1 completed however there is no IPSEC debugs i see after the pahse-1. Please can you collect the ipsec debugs again.

Unfortunatly I don't know the

falangerr — Mon, 16 Nov 2015 08:08:16 GMT

Unfortunatly I don't know the reason why we see 0.0.0.0 instead of specific IP address. I can only tell that addresses of local and remote peers are specified on Mikrotik router:

address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2

And it has specific policies for this peers:

src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=newland priority=0

And here it is my log again. Tunnel was in down state at moment of start logging.

Newland-ASA(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 658720 messages logged
Buffer logging: level debugging, 658666 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 74808 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7271
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-6-302013: Built inbound TCP connection 13094 for LAN:10.1.1.197/52695 (10.1.1.197/52695) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52695 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52695 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52695
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52695
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52695 to LAN:10.1.1.254/https for user "admin"
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52695 terminated.
%ASA-6-302014: Teardown TCP connection 13094 for LAN:10.1.1.197/52695 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52695 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52695 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-6-302013: Built inbound TCP connection 13096 for LAN:10.1.1.197/52696 (10.1.1.197/52696) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52696 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52696 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52696
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52696
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52696 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52696 terminated.
%ASA-6-302014: Teardown TCP connection 13096 for LAN:10.1.1.197/52696 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52696 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52696 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7334
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a6)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=efe509bb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=d9014cb7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a6)
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-6-302013: Built inbound TCP connection 13098 for LAN:10.1.1.197/52697 (10.1.1.197/52697) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52697 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52697 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52697
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52697
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52697 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52697 terminated.
%ASA-6-302014: Teardown TCP connection 13098 for LAN:10.1.1.197/52697 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52697 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52697 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1840 laddr 1.1.1.1/1840
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.86/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.86/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.107/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.107/68 to TEST:255.255.255.255/67
%ASA-6-302013: Built inbound TCP connection 13101 for LAN:10.1.1.197/52698 (10.1.1.197/52698) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52698 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52698 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52698
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52698
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52698 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52698 terminated.
%ASA-6-302014: Teardown TCP connection 13101 for LAN:10.1.1.197/52698 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52698 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52698 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.146/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.146/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1840 laddr 1.1.1.1/1840
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7256
%ASA-7-710005: UDP request discarded from 31.23.228.61/57975 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'undebug all' command.
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a7)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=88b0cb2c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=d95a1561) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a7)
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-6-302013: Built inbound TCP connection 13103 for LAN:10.1.1.197/52699 (10.1.1.197/52699) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52699 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52699 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52699
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52699
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52699 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52699 terminated.
%ASA-6-302014: Teardown TCP connection 13103 for LAN:10.1.1.197/52699 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52699 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52699 to LAN:10.1.1.254/443
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.70/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.70/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.85/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.85/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.158/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.158/68 to TEST:255.255.255.255/67
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1032 laddr 10.1.1.1/1032
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:01:09
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 95.26.255.60/19982 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-6-302013: Built inbound TCP connection 13105 for LAN:10.1.1.197/52706 (10.1.1.197/52706) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52706 for TLSv1 session.

Hi falangerr,

Dinesh Moudgil — Tue, 17 Nov 2015 18:06:05 GMT

Hi falangerr,

I am afraid we do not see any phase 2 debugs here. All we get is Phase 1 completion message and keepalive packets between VPN endpoints.

%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED

%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a7)

%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a7)

Can you please confirm if you have the following commands while taking debugs:
debug crypto condition peer 2.2.2.2
debug crypto ipsec 200

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh Moudgil!

falangerr — Wed, 18 Nov 2015 07:09:39 GMT

Hi Dinesh Moudgil!

Yes, I see that we don't have phase 2 of negotiation. I told about it earlier. In the output above you can see such commands as:

%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'

But if you want to see only

debug crypto condition peer 2.2.2.2
debug crypto ipsec 200
Here it is:

Newland-ASA# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 1018381 messages logged
Buffer logging: level debugging, 1018327 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 98808 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6381
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 12 per second, max configured rate is 4; Cumulative total count is 46674
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 200' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 200'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.92/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.92/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6315
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e43)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=b64d980a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ed6e9e6d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e43)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 7 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6310
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.120/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.120/68 to TEST:255.255.255.255/67
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e44)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=332724cc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=e0a0e4a6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e44)
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to TEST:255.255.255.255/8610
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/17746 laddr 1.1.1.1/17746
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 69.64.50.192/5092 to WAN:1.1.1.1/5060
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.200/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.200/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/2002 laddr 10.1.1.1/2002
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/17746 laddr 1.1.1.1/17746
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:01:17
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6365
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e45)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=2be4f18a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=f6fb205f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e45)
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.131/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.131/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 7 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6518
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to TEST:255.255.255.255/8610
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e46)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=26be5e72) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=9f3bb532) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e46)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-6-305012: Teardown dynamic ICMP translation from LAN:10.1.1.1/2002 to WAN:1.1.1.1/2002 duration 0:01:47
%ASA-7-609002: Teardown local-host LAN:10.1.1.1 duration 0:01:47
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6544
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.101/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.101/68 to TEST:255.255.255.255/67
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e47)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=6e9b55ec) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ee377dbd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e47)

Now I will try to combine different parameters in transform sets in ASA and proposal in Mikrotik. Maybe this two devices (when work together) don't like some kinds of encryption or hash algorithm. Thanks for help.