Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3113
Views
0
Helpful
3
Replies

Cisco ASA PPPoE issue

charlesransom712318070
Level 1
Level 1

‎07-17-2020 09:45 AM

Hi,
My ASA keeps having issues with the PPPoE set up. It will establish fine but after about 10 mins (sometimes sooner), the default route will disappear from the routing table and the console will be spammed with the below message:


PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

 

I did have a google and look through some support articles but didn't find anything relating to it. During the issue, the Tunnel and Session remain up. Given I have a static block for my ISP addresses, i tried both 'ip address x.x.x.x pppoe setroute' and ip address pppoe setroute' but i hit the issue no matter what. I have also tried 2 different codes, Current stared release and also the latest and doesnt make a difference. Also wiped the device and re-applied the config but no change. Please see below for captured outputs. Any help would be most appreciated. Thanks

CR-ASA01# show int g1/1

Interface GigabitEthernet1/1 "outside", is up, line protocol is up

  Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        Input flow control is unsupported, output flow control is off

        Description: WAN

        MAC address 286f.7f02.1845, MTU 1492

        IP address 82.68.38.246, subnet mask 255.255.255.255

        91721 packets input, 96663805 bytes, 0 no buffer

        Received 5842 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        22920 packets output, 5898642 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 10 output reset drops

        input queue (blocks free curr/low): hardware (939/891)

        output queue (blocks free curr/low): hardware (1023/982)

  Traffic Statistics for "outside":

        170913 packets input, 189080211 bytes

        22920 packets output, 5475591 bytes

        7979 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 11 pkts/sec,  3113 bytes/sec

      5 minute output rate 3 pkts/sec,  975 bytes/sec

      5 minute drop rate, 2 pkts/sec

CR-ASA01#

CR-ASA01# show run vpdn

vpdn group ASA-ZEN-DIALER-GROUP request dialout pppoe

vpdn group ASA-ZEN-DIALER-GROUP localname *********@zen

vpdn group ASA-ZEN-DIALER-GROUP ppp authentication chap

vpdn username *********@zen password ***** store-local

CR-ASA01# show run int g1/1

!

interface GigabitEthernet1/1

description WAN

nameif outside

security-level 0

pppoe client vpdn group ASA-ZEN-DIALER-GROUP

ip address pppoe setroute

CR-ASA01# show vpdn tunnel pppoe state

 

 

PPPoE Tunnel Information (Total tunnels=1 sessions=1)

 

 

LocID RemID Last-Chg  Sessions

    2     0 2932 secs       1

CR-ASA01# PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

PPPoE Virtual interface(VpifNum) Tunnel not configured while dispatching

 

 

 

1 person had this problem
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎07-17-2020 02:01 PM

i prefer to see your complete config since it was working and suddenly stop working so.

 

you can try one option based on the configuration you provided :

 

interface GigabitEthernet1/1

description WAN

nameif outside

security-level 0

pppoe client vpdn group ASA-ZEN-DIALER-GROUP

no ip address pppoe setroute

ip address pppoe

 

 

still, issue post the configuration along with below show command output

 

show version.

show pppoe session

 

you can also debug :

 

debug vpdn pppoe-events

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

charlesransom712318070
Level 1
Level 1
In response to balaji.bandi

‎07-18-2020 05:46 AM

Hi,


Please see below for config. I set the ip as 'ip address pppoe' but still had the same issue. As it stands at the moment after a reload, it seems to be intermittent as to what issue I get. I had a number of ping drops last night, about 5-10% when the error started occurring. Sometimes the session wont come up at all. The show pppoe command doesnt work on an ASA so have included 'show vpdn pppinterface' 

 

CR-ASA01# show pppoe ?
ERROR: % Unrecognized command
CR-ASA01# show vpdn ppp
CR-ASA01# show vpdn pppinterface ?

id Keyword to specify interface device id
| Output modifiers
<cr>
CR-ASA01# show vpdn pppinterface

PPP virtual interface id = 1
PPP authentication protocol is CHAP
Server ip address is 51.148.72.22
Our ip address is 82.68.38.246
Transmitted Pkts: 14029, Received Pkts: 15762, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0

CR-ASA01#

 

Cisco Adaptive Security Appliance Software Version 9.8(4)22
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.14(1)

Compiled on Fri 29-May-20 00:37 PDT by builders
System image file is "disk0:/asa984-22-lfbff-k8.SPA"
Config file at boot was "startup-config"

CR-ASA01 up 18 mins 48 secs

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 286f.7f02.1845, irq 255
2: Ext: GigabitEthernet1/2 : address is 286f.7f02.1846, irq 255
3: Ext: GigabitEthernet1/3 : address is 286f.7f02.1847, irq 255
4: Ext: GigabitEthernet1/4 : address is 286f.7f02.1848, irq 255
5: Ext: GigabitEthernet1/5 : address is 286f.7f02.1849, irq 255
6: Ext: GigabitEthernet1/6 : address is 286f.7f02.184a, irq 255
7: Ext: GigabitEthernet1/7 : address is 286f.7f02.184b, irq 255
8: Ext: GigabitEthernet1/8 : address is 286f.7f02.184c, irq 255
9: Int: Internal-Data1/1 : address is 286f.7f02.1844, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 286f.7f02.1844, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 10 perpetual
AnyConnect Essentials : 50 perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA 5506 Security Plus license.

Serial Number: xxxxxxxxxx
Running Permanent Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Image type : Release
Key Version : A
Configuration last modified by enable_15 at 13:34:26.429 GMT/BDT Sat Jul 18 2020

 

ASA Version 9.8(4)22
!
hostname CR-ASA01
enable password 
multicast-routing
names
no mac-address auto
ip local pool VPN_POOL 172.20.40.10-172.20.40.254 mask 255.255.255.0
ip local pool VPN_POOL_1 172.20.50.10-172.20.50.254 mask 255.255.255.0

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group ASA-ZEN-DIALER-GROUP
ip address 82.68.38.246 255.255.255.255 pppoe setroute
!
interface GigabitEthernet1/2
description OSPF L3 Vlan for Interconnect
nameif INTERCONNECT
security-level 100
ip address 172.22.250.1 255.255.255.252
!
interface GigabitEthernet1/3
nameif CR-SKY01
security-level 100
ip address 172.20.30.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif CR-TEST01
security-level 100
ip address 172.20.50.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif MGMT
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
interface Tunnel99
nameif RANSOM_HOME_VPN_VTI
ip address 10.100.254.246 255.255.255.252
tunnel source interface outside
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile RANSOM_HOME_PROFILE
!
interface Tunnel100
nameif MATTHEW_VPN_VTI
ip address 10.100.254.250 255.255.255.252
tunnel source interface outside
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile MATTHEW_VPN_PROFILE
!
boot system disk0:/asa984-22-lfbff-k8.SPA
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group OpenDNS
name-server 208.67.222.222
name-server 208.67.220.220
dns-group OpenDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_MGMT
subnet 172.22.128.0 255.255.255.0
description Network Management IP Range
object network NET_ANYCONNECT
subnet 172.20.40.0 255.255.255.0
object network NET_LAN
subnet 172.20.10.0 255.255.255.0
description Vlan 10 User Network
object network NET_GUEST
subnet 172.20.20.0 255.255.255.0
description Guest Wireless
object network CR-SONOS
host 172.20.10.10
description Sonos Play:3
object network NET_LABVMs
subnet 172.22.140.0 255.255.255.0
object network NET_IOT
subnet 10.10.10.0 255.255.255.0
description IoT devices
object network NET_SKY
subnet 172.20.30.0 255.255.255.0
description SkyQ box
object network NET_CHECKPOINT
subnet 172.22.141.0 255.255.255.0
object network LAB_NETWORKS_LINUX_APPLIANCES_VL500
subnet 10.10.10.0 255.255.255.0
object network LAB_NETWORKS_WINDOWS_SERVERS_VL501
subnet 10.10.11.0 255.255.255.0
object network NET_MATTHEW
subnet 10.100.0.0 255.255.0.0
object network RFC-1918-10
subnet 10.0.0.0 255.0.0.0
object network RFC-1918-172
subnet 172.16.0.0 255.240.0.0
object network RFC-1918-192
subnet 192.168.0.0 255.255.0.0
object network NET_TEST
subnet 172.20.50.0 255.255.255.0
description Testing
object network NET_RANSOM_HOME
subnet 172.21.10.0 255.255.255.0
object network MATTHEW_OUTSIDE
host 81.2.177.1
object network NET_RANSOM_HOME_MGMT
subnet 172.22.129.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 172.20.10.0 255.255.255.0
network-object 172.20.20.0 255.255.255.0
network-object 172.22.128.0 255.255.255.0
network-object 172.22.140.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 172.20.10.0 255.255.255.0
network-object 172.20.20.0 255.255.255.0
network-object 172.22.128.0 255.255.255.0
network-object 172.22.140.0 255.255.255.0
object-group network INTERNAL_NETWORKS
description Production Internal Networks
network-object object NET_MGMT
network-object object NET_ANYCONNECT
network-object object NET_LAN
network-object object NET_LABVMs
network-object object NET_IOT
network-object object NET_GUEST
network-object object NET_CHECKPOINT
network-object object LAB_NETWORKS_LINUX_APPLIANCES_VL500
network-object object LAB_NETWORKS_WINDOWS_SERVERS_VL501
network-object object NET_SKY
network-object object NET_TEST
object-group network IoT
network-object object CR-SONOS
network-object 10.10.10.0 255.255.255.0
object-group protocol ANY
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network RFC-1918
network-object object RFC-1918-10
network-object object RFC-1918-172
network-object object RFC-1918-192
object-group network MATTHEW_DEST
description Matthew Destinations
network-object 172.20.10.0 255.255.255.0
network-object object LAB_NETWORKS_LINUX_APPLIANCES_VL500
network-object object LAB_NETWORKS_WINDOWS_SERVERS_VL501
network-object host 172.22.128.7
object-group network RANSOM_HOME_DEST
network-object host 172.22.128.7
object-group network RANSOM_HOME_SOURCES
network-object object NET_RANSOM_HOME
network-object object NET_RANSOM_HOME_MGMT
access-list global_access extended permit ip object NET_GUEST object-group IoT
access-list global_access remark Guest Access restriction
access-list global_access extended deny ip object NET_GUEST object-group INTERNAL_NETWORKS
access-list global_access remark Trusted Networks Access
access-list global_access extended permit ip object-group INTERNAL_NETWORKS any log disable
access-list global_access extended permit icmp object-group INTERNAL_NETWORKS any traceroute
access-list global_access extended deny ip any any log disable
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list crypto-map-matthew-vpn extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list crypto-map-matthew-vpn extended permit ip 10.11.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list MATTHEW_VPN_VTI_access_in extended permit ip object NET_MATTHEW object-group MATTHEW_DEST
access-list MATTHEW_VPN_VTI_access_in_1 extended permit ip object NET_MATTHEW object-group MATTHEW_DEST
access-list ExcludeSass extended permit ip 104.146.128.0 255.255.128.0 any4
access-list ExcludeSass extended permit ip 13.107.128.0 255.255.252.0 any4
access-list ExcludeSass extended permit ip 13.107.136.0 255.255.252.0 any4
access-list ExcludeSass extended permit ip 13.107.18.10 255.255.255.254 any4
access-list ExcludeSass extended permit ip 13.107.6.152 255.255.255.254 any4
access-list ExcludeSass extended permit ip 13.107.64.0 255.255.192.0 any4
access-list ExcludeSass extended permit ip host 131.253.33.215 any4
access-list ExcludeSass extended permit ip 132.245.0.0 255.255.0.0 any4
access-list ExcludeSass extended permit ip 150.171.32.0 255.255.252.0 any4
access-list ExcludeSass extended permit ip 150.171.40.0 255.255.252.0 any4
access-list ExcludeSass extended permit ip 191.234.140.0 255.255.252.0 any4
access-list ExcludeSass extended permit ip host 204.79.197.215 any4
access-list ExcludeSass extended permit ip 23.103.160.0 255.255.240.0 any4
access-list ExcludeSass extended permit ip 2603:1006::/40 any6
access-list ExcludeSass extended permit ip 2603:1016::/36 any6
access-list ExcludeSass extended permit ip 2603:1026::/36 any6
access-list ExcludeSass extended permit ip 2603:1036::/36 any6
access-list ExcludeSass extended permit ip 2603:1046::/36 any6
access-list ExcludeSass extended permit ip 2603:1056::/36 any6
access-list ExcludeSass extended permit ip 2603:1096:400::/40 any6
access-list ExcludeSass extended permit ip 2603:1096:600::/40 any6
access-list ExcludeSass extended permit ip 2603:1096::/38 any6
access-list ExcludeSass extended permit ip 2603:1096:a00::/39 any6
access-list ExcludeSass extended permit ip 2603:1096:c00::/40 any6
access-list ExcludeSass extended permit ip 2603:10a6:200::/40 any6
access-list ExcludeSass extended permit ip 2603:10a6:400::/40 any6
access-list ExcludeSass extended permit ip 2603:10a6:600::/40 any6
access-list ExcludeSass extended permit ip 2603:10a6:800::/40 any6
access-list ExcludeSass extended permit ip 2603:10d6:200::/40 any6
access-list ExcludeSass extended permit ip host 2620:1ec:4::152 any6
access-list ExcludeSass extended permit ip host 2620:1ec:4::153 any6
access-list ExcludeSass extended permit ip 2620:1ec:8f0::/46 any6
access-list ExcludeSass extended permit ip 2620:1ec:8f8::/46 any6
access-list ExcludeSass extended permit ip 2620:1ec:900::/46 any6
access-list ExcludeSass extended permit ip 2620:1ec:908::/46 any6
access-list ExcludeSass extended permit ip host 2620:1ec:a92::152 any6
access-list ExcludeSass extended permit ip host 2620:1ec:a92::153 any6
access-list ExcludeSass extended permit ip host 2620:1ec:c::10 any6
access-list ExcludeSass extended permit ip host 2620:1ec:c::11 any6
access-list ExcludeSass extended permit ip host 2620:1ec:d::10 any6
access-list ExcludeSass extended permit ip host 2620:1ec:d::11 any6
access-list ExcludeSass extended permit ip 2a01:111:f400::/48 any6
access-list ExcludeSass extended permit ip 2a01:111:f402::/48 any6
access-list ExcludeSass extended permit ip 40.104.0.0 255.254.0.0 any4
access-list ExcludeSass extended permit ip 40.108.128.0 255.255.128.0 any4
access-list ExcludeSass extended permit ip 40.96.0.0 255.248.0.0 any4
access-list ExcludeSass extended permit ip 52.104.0.0 255.252.0.0 any4
access-list ExcludeSass extended permit ip 52.112.0.0 255.252.0.0 any4
access-list ExcludeSass extended permit ip 52.120.0.0 255.252.0.0 any4
access-list ExcludeSass extended permit ip 52.96.0.0 255.252.0.0 any4
access-list ExcludeSass remark v4 address for Microsoft Teams
access-list ExcludeSass extended permit ip host 13.107.60.1 any4
access-list ExcludeSass remark IPv4 and IPv6 destinations for Cisco Webex
access-list ExcludeSass extended permit ip 114.29.192.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 170.133.128.0 255.255.192.0 any4
access-list ExcludeSass extended permit ip 173.243.0.0 255.255.240.0 any4
access-list ExcludeSass extended permit ip 173.39.224.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 207.182.160.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 209.197.192.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 210.4.192.0 255.255.240.0 any4
access-list ExcludeSass extended permit ip 216.151.128.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 62.109.192.0 255.255.192.0 any4
access-list ExcludeSass extended permit ip 64.68.96.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 66.114.160.0 255.255.240.0 any4
access-list ExcludeSass extended permit ip 66.163.32.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 69.26.160.0 255.255.224.0 any4
access-list ExcludeSass extended permit ip 69.26.176.0 255.255.240.0 any4
access-list RANSOM_HOME_VPN_VTI_access_in extended permit ip object-group RANSOM_HOME_SOURCES object-group RANSOM_HOME_DEST
pager lines 24
logging enable
logging buffer-size 64000
logging buffered debugging
logging trap debugging
logging asdm debugging
mtu outside 1500
mtu INTERCONNECT 1500
mtu CR-SKY01 1500
mtu CR-TEST01 1500
mtu MGMT 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7141-46.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source static INTERNAL_NETWORKS INTERNAL_NETWORKS destination static NET_ANYCONNECT NET_ANYCONNECT
nat (any,outside) source dynamic INTERNAL_NETWORKS interface
access-group MATTHEW_VPN_VTI_access_in in interface MATTHEW_VPN_VTI
access-group global_access global
router ospf 1
router-id 10.100.1.1
network 172.22.250.0 255.255.255.252 area 0
log-adj-changes
redistribute connected subnets
default-information originate always
!
route MATTHEW_VPN_VTI 10.100.0.0 255.255.0.0 10.100.254.249 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http server session-timeout 30
http 172.20.10.0 255.255.255.0 INTERCONNECT
http 172.22.128.0 255.255.255.0 INTERCONNECT
snmp-server location Pine Tree Lodge
snmp-server contact Pine Tree Lodge
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change cpu-temperature chassis-temperature accelerator-temperature
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
fragment chain 1 outside
fragment chain 1 INTERCONNECT
fragment chain 1 CR-SKY01
sysopt connection preserve-vpn-flows
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES-256-GCM
protocol esp encryption aes-gcm-256
protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec profile MATTHEW_VPN_PROFILE
set ikev2 ipsec-proposal AES-256-GCM
set pfs group20
set security-association lifetime seconds 28800
crypto ipsec profile RANSOM_HOME_PROFILE
set ikev2 ipsec-proposal AES256
set pfs group14
set security-association lifetime seconds 28800
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint CRANSOM_CO_UK_WILDCARD
fqdn vpn.cransom.co.uk
subject-name CN=CR-ASA.cransom.co.uk
keypair CRANSOM_CO_UK_WILDCARD
crl configure
crypto ca trustpoint CA_BUNDLE
enrollment terminal
crl configure
crypto ca trustpoint AzureAD-AC-SAML
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint Duo_Single_SignOn
enrollment terminal
crl configure
crypto ca trustpoint DigiCert_High_Assurance_EV_Root_CA
enrollment terminal
crl configure
crypto ca trustpoint DigiCert_SHA2_High_Assurance_Server_CA
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain CRANSOM_CO_UK_WILDCARD
certificate 4f3641dceba1a3436587e3ff7013cec0
30820637 3082051f a0030201 0202104f 3641dceb a1a34365 87e3ff70 13cec030
0d06092a 864886f7 0d01010b 05003081 8f310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311830 16060355 040a130f 53656374 69676f20
4c696d69 74656431 37303506 03550403 132e5365 63746967 6f205253 4120446f
6d61696e 2056616c 69646174 696f6e20 53656375 72652053 65727665 72204341
301e170d 32303031 32313030 30303030 5a170d32 31303332 31323335 3935395a
301a3118 30160603 5504030c 0f2a2e63 72616e73 6f6d2e63 6f2e756b 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00d5d0b2
6a967891 0fe0e243 4d2c9530 fd5fe6fc 7d52205d b6decb00 31202edc 77b120a7
3045ceea 1af42787 7b5c9120 c4788c34 20e70ac4 5adb2b70 23d13c53 83d5de3d
ecfca4d0 2a752cc2 ccb96c54 2a995031 3fa60d29 0d3fc2b9 3986f571 2a0072c2
67247537 a1ace4ee 073af2e0 4b7f4a3b c589023a af4a9132 032a2ac4 053b566a
97e7b24a 4be0f30f 93ea44a3 49553449 12d4b6ab b26a08ee 5f85cc2f 6c1c0137
686cd50d 9276392b 6ac7761e efc66d3e f314eb11 9e3ebfc4 54980e3a beee0897
41e221c1 5b034860 e30cf39d 33ef4b07 8757890d d66a2bae 86cd2799 057a8577
b0f7c8be 27a7391c 6c03a5d5 2e59c00a 21fa1a35 9a2ab788 8414569c 97020301
0001a382 03013082 02fd301f 0603551d 23041830 1680148d 8c5ec454 ad8ae177
e99bf99b 05e1b801 8d61e130 1d060355 1d0e0416 04148bdf 18df09af 618427f1
374f9cf0 277aa061 446c300e 0603551d 0f0101ff 04040302 05a0300c 0603551d
130101ff 04023000 301d0603 551d2504 16301406 082b0601 05050703 0106082b
06010505 07030230 49060355 1d200442 30403034 060b2b06 010401b2 31010202
07302530 2306082b 06010505 07020116 17687474 70733a2f 2f736563 7469676f
2e636f6d 2f435053 30080606 67810c01 02013081 8406082b 06010505 07010104
78307630 4f06082b 06010505 07300286 43687474 703a2f2f 6372742e 73656374
69676f2e 636f6d2f 53656374 69676f52 5341446f 6d61696e 56616c69 64617469
6f6e5365 63757265 53657276 65724341 2e637274 30230608 2b060105 05073001
86176874 74703a2f 2f6f6373 702e7365 63746967 6f2e636f 6d302906 03551d11
04223020 820f2a2e 6372616e 736f6d2e 636f2e75 6b820d63 72616e73 6f6d2e63
6f2e756b 3082017f 060a2b06 010401d6 79020402 0482016f 0482016b 01690076
007d3ef2 f88fff88 556824c2 c0ca9e52 89792bc5 0e78097f 2e6a9768 997e22f0
d7000001 6fca3115 5e000004 03004730 45022100 b47269c5 46b3aece 778a5248
c998d116 340c9f06 b727c344 2951cc22 bf795ce0 022005f5 9f4e48ab b4bc7bc1
88a74a35 4a70dfc9 3c4365c6 1452bda0 3b8b683b d8290077 00449465 2eb0eece
afc44007 d8a8fe28 c0dae682 bed8cb31 b53fd333 96b5b681 a8000001 6fca3115
51000004 03004830 46022100 d9c9af90 967fe422 4293d7f1 7f0c7bef 7c10c6f3
59c0ac47 9c4a87ab e6df9b31 022100aa 78d24ee6 daeb49bd f6172d5d c9977d8e
3b1164ce b79d14b6 179471d5 10fea800 76006f53 76ac31f0 3119d899 00a45115
ff77151c 11d902c1 0029068d b2089a37 d9130000 016fca31 153e0000 04030047
30450220 18f784b2 051b6c6e 18e0cfc3 7cb1719b bab25dcc c3ce6992 8d885def
c6959912 02210094 70e4b7be bb0dd145 7a60a862 7126063f 987b6983 6b7c8f30
9c953608 93327e30 0d06092a 864886f7 0d01010b 05000382 010100bf 1f549647
ef0a6a43 32032c63 928cdb3b ad81dba2 5322e0d3 cc6e3519 6f764d67 9d183e09
96ae4503 52c642dd ee3633da 3bf17a8b d5e9558c f1ad634b 657e0c5c 3b44fcf1
21b35855 83eed635 e9dd391b d360f316 600db63d 6ecbb518 e2453f96 ae4105fb
c7e244c7 fbf1c440 258376f9 ea90a889 d9f1aa80 9ebfdfa5 bca2cc5d 788fbb98
eae7b3fd bdcffbd7 922c1730 73b47f83 c7e0bc55 f929134f 023854b0 28224a5a
65fa28f5 c0e50bf2 b959297b 5f1f7f3a 93f170f5 099b36c2 f4f51524 b836cf79
b16f8223 86d86e06 1440f27a 2071987c f2754e72 ae55ccb3 632809f7 3878fc23
8ec414f3 2c4a9a3e 949fff2a f3bad0fd 9c544af3 3f0f5c8a 9034da
quit
crypto ca certificate chain CA_BUNDLE
certificate ca 7d5b5126b476ba11db74160bbc530da7
30820613 308203fb a0030201 0202107d 5b5126b4 76ba11db 74160bbc 530da730
0d06092a 864886f7 0d01010c 05003081 88310b30 09060355 04061302 55533113
30110603 55040813 0a4e6577 204a6572 73657931 14301206 03550407 130b4a65
72736579 20436974 79311e30 1c060355 040a1315 54686520 55534552 54525553
54204e65 74776f72 6b312e30 2c060355 04031325 55534552 54727573 74205253
41204365 72746966 69636174 696f6e20 41757468 6f726974 79301e17 0d313831
31303230 30303030 305a170d 33303132 33313233 35393539 5a30818f 310b3009
06035504 06130247 42311b30 19060355 04081312 47726561 74657220 4d616e63
68657374 65723110 300e0603 55040713 0753616c 666f7264 31183016 06035504
0a130f53 65637469 676f204c 696d6974 65643137 30350603 55040313 2e536563
7469676f 20525341 20446f6d 61696e20 56616c69 64617469 6f6e2053 65637572
65205365 72766572 20434130 82012230 0d06092a 864886f7 0d010101 05000382
010f0030 82010a02 82010100 d67333d6 d73c20d0 00d21745 b8d63e07 a23fc741
ee3230c9 b06cfdf4 9fcb1298 0f2d3f8d 4d010c82 0f177f62 2ee9b848 79fb1683
4eadd732 2593b707 bfb9503f a94cc340 2ae939ff d981ca1f 163241da 8026b923
7a87201e e3ff209a 3c95446f 87750690 40b43293 16091008 233ed2dd 870f6f5d
51146a0a 69c54f01 7269cfd3 934c6d04 a0a31b82 7eb19ab9 edc59ec5 37789f9a
0834fb56 2e58c409 0e06645b bc37dcf1 9f2868a8 56b092a3 5c9fbb88 98081b24
1dab3085 aeafb02e 9e7a9dc1 c0421ce2 02f0eae0 4ad2ef90 0eb4c140 16f06f85
424a64f7 a430a0fe bf2ea327 5a8e8b58 b8adc319 178463ed 6f56fd83 cb6034c4
74bee69d dbe1e4e5 ca0c5f15 02030100 01a38201 6e308201 6a301f06 03551d23
04183016 80145379 bf5aaa2b 4acf5480 e1d89bc0 9df2b203 66cb301d 0603551d
0e041604 148d8c5e c454ad8a e177e99b f99b05e1 b8018d61 e1300e06 03551d0f
0101ff04 04030201 86301206 03551d13 0101ff04 08300601 01ff0201 00301d06
03551d25 04163014 06082b06 01050507 03010608 2b060105 05070302 301b0603
551d2004 14301230 06060455 1d200030 08060667 810c0102 01305006 03551d1f
04493047 3045a043 a041863f 68747470 3a2f2f63 726c2e75 73657274 72757374
2e636f6d 2f555345 52547275 73745253 41436572 74696669 63617469 6f6e4175
74686f72 6974792e 63726c30 7606082b 06010505 07010104 6a306830 3f06082b
06010505 07300286 33687474 703a2f2f 6372742e 75736572 74727573 742e636f
6d2f5553 45525472 75737452 53414164 64547275 73744341 2e637274 30250608
2b060105 05073001 86196874 74703a2f 2f6f6373 702e7573 65727472 7573742e
636f6d30 0d06092a 864886f7 0d01010c 05000382 02010032 bf61bd0e 48c34fc7
ba474df8 9c781901 dc131d80 6ffcc370 b4529a31 339a5752 fb319e6b a4ef54aa
898d4017 68f81110 7cd2cab1 f15586c7 eeb33691 86f63951 bf46bf0f a0bab4f7
7e49c42a 36179ee4 68397aaf 944e566f b27b3bbf 0a86bdcd c5771c03 b838b1a2
1f5f7edb 8adc4648 b6680acf b2b5b4e2 34e467a9 3866095e d2b8fc9d 283a1740
27c2724e 29fd213c 7ccf13fb 962cc531 44fd13ed d59ba969 68777cee e1ffa4f9
36380853 39a28434 9c19f3be 0eacd524 37eb23a8 78d0d3e7 ef924764 623922ef
c6f711be 2285c666 4424268e 10328dc8 93ae079e 833e2fd9 f9f5468e 63bec1e6
b4dca6cd 21a8860a 95d92e85 261afdfc b1b65742 6d95d133 f6391406 824138f5
8f58dc80 5ba4d57d 9578fda7 9bfffdc5 a869ab26 e7a7a405 875ba9b7 b8a3200b
97a94585 ddb38be5 89378e29 0dfc0617 f638400e 42e41206 fb7bf3c6 116862df
e398f413 d8154f8b b169d910 60bc642a ea31b7e4 b5a33a14 9b26e30b 7bfd028e
b699c138 975936f6 a874a286 b65eebc6 64eacfa0 a3f96e9e ba2d11b6 86980858
2dc9ac25 64f25e75 b438c1ae 7f5a4683 ea51cab6 f1991135 6ba56a7b c600b0e7
f8be64b2 adc8c2f1 ace351ea a493e079 c8e18140 c90a5be1 123cc160 2ae397c0
8942ca94 cf469812 69bb98d0 c2d30d72 4b476ee5 93c43228 638743e4 b0323e0a
d34bbf23 9b142941 2b9a041f 932df1c7 39483cad 5a127f
quit
crypto ca certificate chain AzureAD-AC-SAML
certificate ca 17547180660913ac4ec4ccf2ed07c847
308202f0 308201d8 a0030201 02021017 54718066 0913ac4e c4ccf2ed 07c84730
0d06092a 864886f7 0d01010b 05003034 31323030 06035504 0313294d 6963726f
736f6674 20417a75 72652046 65646572 61746564 2053534f 20436572 74696669
63617465 301e170d 32303037 30353139 31343038 5a170d32 33303730 35313931
3430385a 30343132 30300603 55040313 294d6963 726f736f 66742041 7a757265
20466564 65726174 65642053 534f2043 65727469 66696361 74653082 0122300d
06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100bf a85fba43
c825c5f6 466cd5ae 09ad0d37 4d368fc1 f4d12329 7f57dd00 fab1c301 cfc3eb17
9cc8a405 e9bd36cd 8e1f8e4d b38aaeff dcf2dff5 d9ce73cd 7b0ccace a47f62df
bed4edd9 3a7265c8 50d0907f c396ab9d 6d8b622a 886a3e82 fcac9374 8036a09b
74d55306 001a6d6d b9d2de67 d09dfe5a f36fd8da 9883bde1 3418b21a a65b9450
a4b26a4b 441918b3 7de32b0e 24df2f7c 75a7947b 52b671de a382c08b ad7f90a2
fb94b86d 8e3b2b5d 54a433aa 027499d9 a4cdc3e0 a3ee2ef5 c3e0b3dd 953d0574
6ab967e5 84c64134 0376ec5e 96a3c84d 414ab505 169e9e8c 70a2d077 c0bd36c5
b43faaee abedcb01 bf9cdb1d 15c31b95 0b5b7d53 95c6b331 4c4a0d02 03010001
300d0609 2a864886 f70d0101 0b050003 82010100 95e50236 f230fad8 b0b5cc32
ba380880 be944f03 d7b42abf 9337957d 073b8408 21c7c8c7 00866314 82d2c085
cfb6107c 9fa40187 99a4a96f db9a6bd2 0913a5f9 a56a93f7 43487425 9c8f0d72
f4e638f3 a34a46fe d7da7668 dd71f068 a7552da2 22e8239e 53945da2 8fe2c3b7
2ce4ef9c 89be9a49 37db4ac1 2705862a dafc6197 2a61a21c 239106cf ed5d2a06
fec2ec74 e5d8b8a7 55edd582 008fe660 4562e37d 0d712dc8 2a34edcc 62792166
019269b8 9ac94a39 63f317c7 ab56910d 9389afe9 1a2133bd fc011d05 c158e48b
bed22015 4fb07a63 8ffe57b0 0bce0c4d fc1d89b7 f90bdd2e 637f94f2 f57eefb7
2273109c 17e189e5 edf27df4 17204548 7c9f0c44
quit
crypto ca certificate chain Duo_Single_SignOn
certificate ca 77155ea98695c7f169aed2c3dba3a2122c339097
3082030d 308201f5 a0030201 02021477 155ea986 95c7f169 aed2c3db a3a2122c
33909730 0d06092a 864886f7 0d01010b 05003036 31153013 06035504 0a0c0c44
756f2053 65637572 69747931 1d301b06 03550403 0c144449 4f304454 34394d4d
38353746 41454e36 5334301e 170d3230 30373036 31373032 34395a17 0d333830
31313930 33313430 375a3036 31153013 06035504 0a0c0c44 756f2053 65637572
69747931 1d301b06 03550403 0c144449 4f304454 34394d4d 38353746 41454e36
53343082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
010100d4 4a5b3305 abff6107 e1fb8222 58c0c463 2ef5f635 12fa98d8 57e54625
178c7749 2810bd58 241610c1 4d614c1b a5eeb551 0c3c3f57 a535edae 2abee4eb
0cdfb854 09867839 1bb9d8ef c71beeb6 1c344ce6 3cc432a7 6bf37797 01da320e
c33e5a56 58496555 2618c896 be939954 d552d99c a700b251 9ea24ef7 5f3e8286
9fdc4e68 045902dd a11fd6ac cc4460b0 63272d6d 32fae0e7 13fe3a73 b98da80f
1cfc2754 41a6cf35 743bf6e6 9203e22e e33b8284 87f07ff7 a8d5a378 9efaae1d
240bf7cf 23b06c59 0a080bb2 8941dc5e cff40a80 0ba8d5a1 0346d9e0 906f7172
1d503cc0 557f8287 db829f90 45f44ce8 9f14d847 a2cb8c9a 3a16ccf8 87c65450
9f928f02 03010001 a3133011 300f0603 551d1301 01ff0405 30030101 ff300d06
092a8648 86f70d01 010b0500 03820101 0084ed69 e8fb456a 9015ec7d c5ea6e2c
d4f11889 2a58acba 04cd8138 f7f965d3 ffc8d293 fa7d4f71 c395fd92 abb14937
02d35697 d8996d18 c28cabfd bde8b163 26bfe48f 8f15a913 b71a16de 24682f1b
42217cbc 14b545e3 86ffa3ed dbebe197 6691e263 475e1e9d e36dd4c4 63c93ebd
71110a9f 652b8298 5bdd2ba7 7f499e68 c3e75854 5e9131c5 b288ecaa 9bddc905
423ca422 dbf7223b 5274afa4 105a7126 bf8bc45d 56dbb189 a699c035 a14c1027
e77a5355 9a80a3ce daba3f96 ca2fda8d 789f33c0 91259335 886b9276 e534092b
e5e72d54 4d5d2657 9bdc2b0b 78b82a7a 3914d330 9c1f83a4 92a2e784 a2cf05ef
53df4097 10127a9a a3d946fe 9abf4e48 7c
quit
crypto ca certificate chain DigiCert_High_Assurance_EV_Root_CA
certificate ca 02ac5c266a0b409b8f0b79f2ae462577
308203c5 308202ad a0030201 02021002 ac5c266a 0b409b8f 0b79f2ae 46257730
0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
30363131 31303030 30303030 5a170d33 31313131 30303030 3030305a 306c310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312b30
29060355 04031322 44696769 43657274 20486967 68204173 73757261 6e636520
45562052 6f6f7420 43413082 0122300d 06092a86 4886f70d 01010105 00038201
0f003082 010a0282 010100c6 cce573e6 fbd4bbe5 2d2d32a6 dfe5813f c9cd2549
b6712ac3 d5943467 a20a1cb0 5f69a640 b1c4b7b2 8fd098a4 a941593a d3dc94d6
3cdb7438 a44acc4d 2582f74a a5531238 eef3496d 71917e63 b6aba65f c3a484f8
4f6251be f8c5ecdb 3892e306 e508910c c4284155 fbcb5a89 157e71e8 35bf4d72
093dbe3a 38505b77 311b8db3 c724459a a7ac6d00 145a04b7 ba13eb51 0a984141
224e6561 87814150 a6795c89 de194a57 d52ee65d 1c532c7e 98cd1a06 16a46873
d0340413 5ca171d3 5a7c55db 5e64e137 87305604 e511b429 8012f179 3988a202
117c2766 b788b778 f2ca0aa8 38ab0a64 c2bf665d 9584c1a1 251e875d 1a500b20
12cc41bb 6e0b5138 b84bcb02 03010001 a3633061 300e0603 551d0f01 01ff0404
03020186 300f0603 551d1301 01ff0405 30030101 ff301d06 03551d0e 04160414
b13ec369 03f8bf47 01d49826 1a0802ef 63642bc3 301f0603 551d2304 18301680
14b13ec3 6903f8bf 4701d498 261a0802 ef63642b c3300d06 092a8648 86f70d01
01050500 03820101 001c1a06 97dcd79c 9f3c8866 06085721 db2147f8 2a67aabf
18327640 1057c18a f37ad911 658e35fa 9efc45b5 9ed94c31 4bb891e8 432c8eb3
78cedbe3 537971d6 e5219401 da55879a 2464f68a 66ccde9c 37cda834 b1699b23
c89e7822 2b7043e3 55473161 19ef58c5 852f4e30 f6a03116 23c8e7e2 651633cb
bf1a1ba0 3df8ca5e 8b318b60 08892d0c 065c52b7 c4f90a98 d1155f9f 12be7c36
6338bd44 a47fe426 2b0ac497 690de98c e2c01057 b8c87612 9155f248 69d8bc2a
025b0f44 d42031db f4ba7026 5d90609e bc4b1709 2fb4cb1e 4368c907 27c1d25c
f7ea21b9 68129c3c 9cbf9efc 805c9b63 cdec47aa 252767a0 37f30082 7d54d7a9
f8e92e13 a377e81f 4a
quit
crypto ca certificate chain DigiCert_SHA2_High_Assurance_Server_CA
certificate ca 04e1e7a4dc5cf2f36dc02b42b85d159f
308204b1 30820399 a0030201 02021004 e1e7a4dc 5cf2f36d c02b42b8 5d159f30
0d06092a 864886f7 0d01010b 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
31333130 32323132 30303030 5a170d32 38313032 32313230 3030305a 3070310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312f30
2d060355 04031326 44696769 43657274 20534841 32204869 67682041 73737572
616e6365 20536572 76657220 43413082 0122300d 06092a86 4886f70d 01010105
00038201 0f003082 010a0282 010100b6 e02fc224 06c86d04 5fd7ef0a 6406b27d
22266516 ae42409b cedc9f9f 76073ec3 30558719 b94f940e 5a941f55 56b4c202
2aafd098 ee0b40d7 c4d03b72 c8149eef 90b111a9 aed2c8b8 433ad90b 0bd5d595
f540afc8 1ded4d9c 5f57b786 506899f5 8adad2c7 051fa897 c9dca4b1 82842dc6
ada59cc7 1982a685 0f5e4458 2a378ffd 35f10b08 27325af5 bb8b9ea4 bd51d027
e2dd3b42 33a30528 c4bb28cc 9aac2b23 0d78c67b e65e71b7 4a3e08fb 81b71616
a19d2312 4de5d792 08ac75a4 9cbacd17 b21e4435 657f5325 39d11c0a 9a631b19
9274680a 37c2c252 48cb395a a2b6e15d c1dda020 b821a293 266f144a 2141c7ed
6d9bf248 2ff303f5 a2689253 2f5ee302 03010001 a3820149 30820145 30120603
551d1301 01ff0408 30060101 ff020100 300e0603 551d0f01 01ff0404 03020186
301d0603 551d2504 16301406 082b0601 05050703 0106082b 06010505 07030230
3406082b 06010505 07010104 28302630 2406082b 06010505 07300186 18687474
703a2f2f 6f637370 2e646967 69636572 742e636f 6d304b06 03551d1f 04443042
3040a03e a03c863a 68747470 3a2f2f63 726c342e 64696769 63657274 2e636f6d
2f446967 69436572 74486967 68417373 7572616e 63654556 526f6f74 43412e63
726c303d 0603551d 20043630 34303206 04551d20 00302a30 2806082b 06010505
07020116 1c687474 70733a2f 2f777777 2e646967 69636572 742e636f 6d2f4350
53301d06 03551d0e 04160414 5168ff90 af020775 3cccd965 6462a212 b859723b
301f0603 551d2304 18301680 14b13ec3 6903f8bf 4701d498 261a0802 ef63642b
c3300d06 092a8648 86f70d01 010b0500 03820101 00188a95 8903e66d df5cfc1d
68ea4a8f 83d6512f 8d6b4416 9eac63f5 d26e6c84 998baa81 71845bed 344eb0b7
799229cc 2d806af0 8e20e179 a4fe0347 13eaf586 ca59717d f404966b d359583d
fed33125 5c183884 a3e69f82 fd8c5b98 314ecd78 9e1afd85 cb49aaf2 278b9972
fc3eaad5 410bdad5 36a1bf1c 6e47497f 5ed9487c 03d9fd8b 49a09826 4240ebd6
9211a464 0a5754c4 f51dd602 5e6bacee c4809a12 72fa5693 d7ffbf30 850630bf
0b7f4eff 57059d24 ed85c32b fba675a8 ac2d16ef 7d7927b2 ebc29d0b 07eaaa85
d301a320 28415943 28d281e3 aaf6ec7b 3b77b640 62800541 4501ef17 063edec0
339b67d3 612e7287 e469fc12 0057401e 70f51ec9 b4
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 20
prf sha384
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.22.250.0 255.255.255.252 INTERCONNECT
ssh 172.20.10.0 255.255.255.0 INTERCONNECT
ssh 172.22.128.0 255.255.255.0 INTERCONNECT
ssh 192.168.1.0 255.255.255.0 MGMT
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ASA-ZEN-DIALER-GROUP request dialout pppoe
vpdn group ASA-ZEN-DIALER-GROUP localname zen381842@zen
vpdn group ASA-ZEN-DIALER-GROUP ppp authentication chap
vpdn username zen381842@zen password ***** store-local

dhcpd dns 208.67.222.222 208.67.220.220
dhcpd domain cransom.co.uk
!
dhcpd address 172.20.30.10-172.20.30.254 CR-SKY01
dhcpd dns 208.67.222.222 208.67.220.220 interface CR-SKY01
dhcpd domain cransom.co.uk interface CR-SKY01
dhcpd enable CR-SKY01
!
dhcpd address 172.20.50.10-172.20.50.254 CR-TEST01
dhcpd dns 208.67.222.222 208.67.220.220 interface CR-TEST01
dhcpd enable CR-TEST01
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 216.239.35.0 source outside
ntp server 216.239.35.4 source outside
ssl trust-point CRANSOM_CO_UK_WILDCARD outside
webvpn
enable outside
anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains
hsts
enable
max-age 31536000
include-sub-domains
no preload
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.9.00086-webdeploy-k9.pkg 1
anyconnect profiles PINE_TREE_LODGE disk0:/pine_tree_lodge.xml
anyconnect enable
saml idp https://sso-eefbc123.sso.duosecurity.com/saml2/sp/DIO0DT49MM857FAEN6S4/metadata
url sign-in https://sso-eefbc123.sso.duosecurity.com/saml2/sp/DIO0DT49MM857FAEN6S4/sso
url sign-out https://sso-eefbc123.sso.duosecurity.com/saml2/sp/DIO0DT49MM857FAEN6S4/slo
base-url https://vpn.cransom.co.uk
trustpoint idp Duo_Single_SignOn
trustpoint sp CRANSOM_CO_UK_WILDCARD
no signature
no force re-authentication
timeout assertion 300
saml idp https://sts.windows.net/898088b2-1142-4151-a1f5-0b59f9df0a90/
url sign-in https://login.microsoftonline.com/898088b2-1142-4151-a1f5-0b59f9df0a90/saml2
url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
base-url https://vpn.cransom.co.uk
trustpoint idp AzureAD-AC-SAML
trustpoint sp CRANSOM_CO_UK_WILDCARD
no signature
no force re-authentication
tunnel-group-list enable
cache
disable
error-recovery disable
anyconnect-custom-data dynamic-split-exclude-domains domains assets-yammer.com, yammer.comyammerusercontent.com, service-now.com, xmatters.com, github.com, slack.com
anyconnect-custom-data dynamic-split-exclude-domains domains , youtube.com, youtube.be, googlevideo.com, youtube-nocookie.com, yt3.ggpht.com, youtubeeducation.com
anyconnect-custom-data dynamic-split-exclude-domains domains , ytimg.com, youtube-ui.l.google.com, ytimg.l.google.com, ytstatic.l.google.com, youtubei.googleapis.com
anyconnect-custom-data dynamic-split-exclude-domains domains , spotify.com, audio-ak-spotify-com.akamaized.net, audio-akp-bbr-spotify-com.akamaized.net
anyconnect-custom-data dynamic-split-exclude-domains domains , audio4-ak-spotify-com.akamaized.net, heads-ak-spotify-com.akamaized.net, pscdn.co, scdn.co
anyconnect-custom-data dynamic-split-exclude-domains domains , spotify-com.akamaized.net, spotify.com.edgesuite.net, spotify.demdex.net, spotify.edgekey.net
anyconnect-custom-data dynamic-split-exclude-domains domains , spotify.map.fastly.net, spotifycdn.net, spotilocal.com, netflix.com, nflxext.com, nflximg.com, nflximg.net
anyconnect-custom-data dynamic-split-exclude-domains domains , nflxso.net, nflxvideo.net, music.apple.com, itunes-apple.com.akadns.net, itunes.apple.com
anyconnect-custom-data dynamic-split-exclude-domains domains , itunes.apple.com.edgesuite.net, itunes.com, aiv-cdn.net, aiv-cdn.net.c.footprint.net, aiv-delivery.net
anyconnect-custom-data dynamic-split-exclude-domains domains , amazonvideo.com, atv-ext.amazon.com, atv-ps.amazon.com, d25xi40x97liuc.cloudfront.net
anyconnect-custom-data dynamic-split-exclude-domains domains , dmqdd6hw24ucf.cloudfront.net, media-amazon.com, primevideo.com, facebook.com, accountkit.com
anyconnect-custom-data dynamic-split-exclude-domains domains , developers.facebook.com, facebook.net, fb.com, fb.gg, fbcdn.net, fbsbx.com, fbwat.ch, instagram.com
anyconnect-custom-data dynamic-split-exclude-domains domains , cdninstagram.com, twitter.com, ads-twitter.com, t.co, twimg.com, twttr.com, linkedin.com, licdn.com
anyconnect-custom-data dynamic-split-exclude-domains domains , news.sky.com, bbc.co.uk, bbc.com, bbci.co.uk, metro.co.uk, dailymail.co.uk, theguardian.com, telegraph.co.uk
anyconnect-custom-data dynamic-split-exclude-domains domains , independent.co.uk, huffingtonpost.co.uk, thesun.co.uk, chime.aws, slack-msgs.com, slack-edge.com
anyconnect-custom-data dynamic-split-exclude-domains domains , slack-imgs.com, slack-core.com, slack-files.com, slack-redir.com, slack-redir.net, slack.global.ssl.fastly.net
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy RANSOM_HOME_VPN_GP internal
group-policy RANSOM_HOME_VPN_GP attributes
vpn-tunnel-protocol ikev2
group-policy MATTHEW_VPN_GP internal
group-policy MATTHEW_VPN_GP attributes
vpn-tunnel-protocol ikev2
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
banner value Welcome to the Ransom Home Network.
banner value Access to this device is limited to authorised personnel only. Unauthorised access or use of this device may be subject to civil or criminal prosecution.
dns-server value 208.67.222.222 208.67.220.220
vpn-access-hours none
vpn-idle-timeout 60
vpn-session-timeout none
vpn-filter value global_access
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value ANYCONNECT_TG
split-tunnel-policy excludespecified
split-tunnel-network-list value ExcludeSass
default-domain value cransom.co.uk
vlan none
address-pools value VPN_POOL
anyconnect-custom dynamic-split-exclude-domains value domains
webvpn
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect dpd-interval client 30
anyconnect profiles value PINE_TREE_LODGE type user
anyconnect ask none default anyconnect
customization value Duo
group-policy ANYCONNECT_POLICY_1 internal
group-policy ANYCONNECT_POLICY_1 attributes
banner value Welcome to the Ransom Network. Access to this device is limited to authorised personnel only. Unauthorised access or use of this device may be subject to civil or criminal prosecution.
dns-server value 208.67.222.222 208.67.220.220
vpn-access-hours none
vpn-idle-timeout 60
vpn-session-timeout none
vpn-filter value global_access
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value ANYCONNECT_TG_1
default-domain value cransom.co.uk
vlan none
address-pools value VPN_POOL_1
webvpn
anyconnect mtu 1300
anyconnect keep-installer installed
anyconnect dpd-interval client 30
anyconnect profiles value PINE_TREE_LODGE type user
anyconnect ask none default anyconnect
customization value MS_SAML
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DAP_VPN
network-acl global_access
webvpn
always-on-vpn profile-setting
username admin password 
username charles.ransom password 
username charles.ransom attributes
vpn-group-policy ANYCONNECT_POLICY_1
service-type remote-access
webvpn
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
address-pool VPN_POOL
default-group-policy ANYCONNECT_POLICY
tunnel-group ANYCONNECT_TG webvpn-attributes
customization MS_SAML
authentication saml
radius-reject-message
group-alias REMOTE-ACCESS-MS-SAML enable
group-url https://vpn.cransom.co.uk/REMOTE-ACCESS-MS-SAML enable
saml identity-provider https://sts.windows.net/898088b2-1142-4151-a1f5-0b59f9df0a90/
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy MATTHEW_VPN_GP
tunnel-group x.x.x.x ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy RANSOM_HOME_VPN_GP
tunnel-group x.x.x.x ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group ANYCONNECT_TG_1 type remote-access
tunnel-group ANYCONNECT_TG_1 general-attributes
address-pool VPN_POOL_1
default-group-policy ANYCONNECT_POLICY_1
tunnel-group ANYCONNECT_TG_1 webvpn-attributes
customization Duo
authentication saml
radius-reject-message
group-alias REMOTE-ACCESS-DUO enable
group-url https://xxx.xxxxxxx.co.uk/REMOTE-ACCESS-DUO enable
saml identity-provider https://sso-eefbc123.sso.duosecurity.com/saml2/sp/DIO0DT49MM857FAEN6S4/metadata
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect snmp
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:69953bbe4a60b876f1b84fa5d70ff491
: end

0 Helpful

Daniel_4658
Level 1
Level 1

‎09-02-2020 03:27 AM

Hi there, 

 

I'm also having this exact same issue with one of our clients ASA 5516-X. 

 

I have have also tried the above including different versions of code but the issue still remains, did you manage to find out what the issue was for you? 

 

Regards, 

 

Dan. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card