01-18-2011 11:35 PM - edited 03-11-2019 12:37 PM
We have a site-to-site VPN that will not pass data to each endpoint. We can reach the internet, and the VPN shows that it is up on the ASA and the router.
Cisco 881W
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UniIndia800
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
ip source-route
!
!
!
!
ip cef
ip domain name xxx.com
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX144000CM
!
!
archive
log config
hidekeys
username xxx privilege 15 password 0 xxx
!
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address aaa.bbb.ccc.ddd no-xauth
crypto isakmp key xxx address 10.0.0.0 255.0.0.0
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3des-sha-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set aes-sha-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set 3des-sha
match address Crypto-list
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address xxx.yyy.107.226 255.255.255.252
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
duplex auto
speed auto
crypto map VPN-Map-1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
ip address 10.15.4.1 255.255.254.0
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
!
ip default-gateway xxx.yyy.107.225
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 12.69.103.225
ip route 0.0.0.0 0.0.0.0 xxx.yyy.107.225
ip route 10.15.4.0 255.255.254.0 10.15.5.254
ip route xxx.yyy.107.0 255.255.255.0 xxx.yyy.107.225
!
ip access-list standard re
!
ip access-list extended Crypto-list
permit ip 10.15.0.0 0.0.255.255 any
ip access-list extended Internet-inbound-ACL
permit udp host aaa.bbb.ccc.ddd any eq isakmp
permit esp host aaa.bbb.ccc.ddd any
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.14.0.0 0.0.7.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 101 permit ip 10.15.0.0 0.0.7.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host aaa.bbb.ccc.ddd any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.10.200.0 0.0.1.255 10.10.10.0 0.0.0.7
!
!
!
!
snmp-server community UNISNMP RW
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password -----
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 10.10.2.1
ntp server 195.43.74.3
end
firewall
Here is the firewall config.
ASA Version 8.0(3)
enable password ..Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP-Transit
name 10.10.99.0 IP-Pool-VPNClients description Addresses Assigned to VPN Clients
dns-guard
!
interface Ethernet0/0
description Inside Interface
nameif inside
security-level 100
ip address 10.10.200.29 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
description Outside Interface facing the Internet Rotuer.
nameif outside
security-level 0
ip address 12.69.103.226 255.255.255.240
ospf cost 10
!
interface Ethernet0/2
description Physical Trunk interface - Dont use
no nameif
no security-level
no ip address
!
interface Ethernet0/2.900
description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)
vlan 900
nameif DMZ1-VLAN900
security-level 50
ip address 12.69.103.1 255.255.255.192
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.5.250 255.255.254.0
ospf cost 10
management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec STO-ASA-5510-FW
banner exec ASA5510 - 10.10.200.29
banner exec Configured for Data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized clients only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authorization, are subject to having all their
banner login activity on this computer network system monitored and recorded by
banner login system personnel. To protect the computer network system from
banner login unauthorized use and to ensure the computer network systems is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login conduct of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officers.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
description SAP Updates
port-object eq 3299
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service HUMANLand tcp
port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp eq www
service-object udp eq snmp
service-object udp eq snmptrap
object-group service Human tcp-udp
port-object eq 8100
access-list outside remark ************In Bound SAP Update Traffic per Ron Odom***************
access-list outside extended permit tcp any host 12.69.103.155 range 3200 3300 log
access-list outside remark *** SAP router****
access-list outside extended permit tcp host 12.69.103.155 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark Blocked for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Allow all return ICMP traffic
access-list outside extended permit icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark add to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark Allow all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****
access-list DMZ1_in remark ***** Any needed permits to inside networks *****
access-list DMZ1_in remark ***** Need to be done above this section *****
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list all level alerts
logging buffer-size 256000
logging buffered all
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41 format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator ****
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.148 10.255.2.2 netmask 255.255.255.255
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Microsoft protocol radius
accounting-mode simultaneous
reactivation-mode depletion deadtime 30
aaa-server Microsoft host 10.10.2.1
key cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.0.0 255.255.0.0 management
snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161
snmp-server location STODATDROOM
snmp-server contact SYS Admin
snmp-server community UNISNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA
ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address traffic
crypto map outside_map 10 set peer 212.185.51.242
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address outside_cryptomap
crypto map outside_map 11 set peer 115.111.107.226
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10
telnet 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 management
telnet timeout 29
ssh timeout 29
ssh version 2
console timeout 1
management-access inside
dhcprelay server 10.10.2.1 outside
threat-detection basic-threat
threat-detection statistics
wccp web-cache
wccp interface inside web-cache redirect in
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.43.244.18
tftp-server inside 10.10.2.2 \asa
webvpn
group-policy DfltGrpPolicy attributes
banner value WARNING: This system is for the use of authorized clients only.
wins-server value 10.10.2.1
dns-server value 10.10.2.1 10.10.2.2
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SplitTunnel
default-domain value universalsilencer.com
msie-proxy server value 00.00.00.00
address-pools value VPNClients
group-policy ezGROUP1 internal
group-policy ezGROUP1 attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
USERS REMOVED
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group USISplitTunnelRemoteAccess type remote-access
tunnel-group USISplitTunnelRemoteAccess general-attributes
address-pool VPNClients
tunnel-group USISplitTunnelRemoteAccess ipsec-attributes
pre-shared-key *
tunnel-group USISplitTunnelRADIUS type remote-access
tunnel-group USISplitTunnelRADIUS general-attributes
address-pool VPNClients
authentication-server-group Microsoft LOCAL
tunnel-group USISplitTunnelRADIUS ipsec-attributes
pre-shared-key *
tunnel-group ezVPN1 type remote-access
tunnel-group ezVPN1 general-attributes
default-group-policy ezGROUP1
tunnel-group ezVPN1 ipsec-attributes
pre-shared-key *
tunnel-group 212.185.51.242 type ipsec-l2l
tunnel-group 212.185.51.242 ipsec-attributes
pre-shared-key *
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:33bcbec6ab3835eadbe9418c697c72ac
: end
asdm image disk0:/asdm-611.bin
asdm location IP-Pool-VPNClients 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm history enable
01-19-2011 04:54 AM
Hi,
Please bring the tunnel down.
On ASA please enter the following commands:
clear cry isa sa
clear cry ips sa peer
Enable the following debugs on the ASA:
deb cry isa 127
deb cry ips 127
Enable the debugs on the router:
debug cry isa
debug cry ips
Please try passing the traffic and bring the tunnel up.
Please attach the outputs of the same on passing the traffic.
Regards,
Anisha
01-19-2011 12:30 AM
Hi,
Please send the output of "sh cry isa sa" and "show cry ipsec sa" from both the ASA and router.
Please confirm whether the tunnel configurations below are the correct ones I am looking at:
Router:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address aaa.bbb.ccc.ddd no-xauth
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set 3des-sha
match address Crypto-list
!
ip access-list extended Crypto-list
permit ip 10.15.0.0 0.0.255.255 any
!
interface FastEthernet4
ip address xxx.yyy.107.226 255.255.255.252
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
duplex auto
speed auto
crypto map VPN-Map-1
ASA:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 11 match address outside_cryptomap
crypto map outside_map 11 set peer 115.111.107.226
crypto map outside_map 11 set transform-set ESP-3DES-SHA
!
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
!
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key *
!
crypto map outside_map interface outside
!
crypto isakmp enable outside
!
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
!
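A consistency check over the tunnel configuration quoted above, as an added example that is not part of the original thread: it parses the router's Crypto-list, the ASA's outside_cryptomap and the ASA's nonat list exactly as posted, then reports crypto ACL entries that are not mirror images of each other and ASA crypto entries that no NAT-exemption entry covers. The function names are hypothetical, and only `permit ip` entries are handled.

```python
import ipaddress

# Lines copied from the configurations posted in this thread.
ASA_NAMES = {"IP-Pool-VPNClients": "10.10.99.0",
             "BGP-Transit_Network": "192.168.255.0"}
ROUTER_CRYPTO_ACL = "permit ip 10.15.0.0 0.0.255.255 any"
ASA_CRYPTO_ACL = ("access-list outside_cryptomap extended permit ip "
                  "10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0")
ASA_NONAT_ACL = """
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
"""


def take_net(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        addr = tokens.pop(0)
        return ipaddress.ip_network(ASA_NAMES.get(addr, addr) + "/32")
    addr = ASA_NAMES.get(first, first)      # resolve ASA "name" aliases
    mask = tokens.pop(0)
    if wildcard:
        # IOS ACLs use wildcard masks; invert each octet to get a netmask.
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acl(text, wildcard=False):
    """Return [(source_net, dest_net)] for every 'permit ip' entry in text."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        tokens = tokens[tokens.index("permit") + 1:]
        if tokens.pop(0) != "ip":
            continue
        src = take_net(tokens, wildcard)
        dst = take_net(tokens, wildcard)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Entries in local whose reverse (dest, source) is absent from remote."""
    remote_set = set(remote)
    return [(s, d) for s, d in local if (d, s) not in remote_set]


def not_exempt(crypto, nonat):
    """Crypto ACL entries that no single NAT-exemption entry fully covers."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]


if __name__ == "__main__":
    router = parse_acl(ROUTER_CRYPTO_ACL, wildcard=True)
    asa = parse_acl(ASA_CRYPTO_ACL)
    nonat = parse_acl(ASA_NONAT_ACL)
    for s, d in mirror_mismatches(router, asa):
        print(f"router {s} -> {d}: ASA crypto ACL has no entry {d} -> {s}")
    for s, d in mirror_mismatches(asa, router):
        print(f"ASA {s} -> {d}: router crypto ACL has no entry {d} -> {s}")
    for s, d in not_exempt(asa, nonat):
        print(f"ASA {s} -> {d}: not covered by 'nat (inside) 0 access-list nonat'")
```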
01-19-2011 02:04 AM
Yes, that is correct.
shows
router
UniIndia800#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
12.69.103.226 115.111.107.226 QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
show cry ipsec sa
interface: FastEthernet4
Crypto map tag: VPN-Map-1, local addr 115.111.107.226
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 12.69.103.226 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26683, #pkts encrypt: 26683, #pkts digest: 26683
#pkts decaps: 18878, #pkts decrypt: 18878, #pkts verify: 18878
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 115.111.107.226, remote crypto endpt.: 12.69.103.226
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x420061E6(1107321318)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x26766AC0(645294784)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: VPN-Map-1
sa timing: remaining key lifetime (k/sec): (4456896/2010)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x420061E6(1107321318)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: VPN-Map-1
sa timing: remaining key lifetime (k/sec): (4460364/2010)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (115.111.0.0/255.255.0.0/0/0)
current_peer 12.69.103.226 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 115.111.107.226, remote crypto endpt.: 12.69.103.226
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
UniIndia800#
ASA
Result of the command: "sh cry isa sa"
Active SA: 4
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
1 IKE Peer: 115.111.107.226
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 116.12.211.66
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 116.12.211.66
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 212.185.51.242
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "show cry ipsec sa"
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
current_peer: 115.111.107.226
#pkts encaps: 27644, #pkts encrypt: 27644, #pkts digest: 27644
#pkts decaps: 35493, #pkts decrypt: 35493, #pkts verify: 35493
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 27644, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.69.103.226, remote crypto endpt.: 115.111.107.226
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 26766AC0
inbound esp sas:
spi: 0x420061E6 (1107321318)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 55889920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (3822769/1291)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x26766AC0 (645294784)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 55889920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (3813436/1291)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.99.33/255.255.255.255/0/0)
current_peer: 116.12.211.66, username: pheng
dynamic allocated peer ip: 10.10.99.33
#pkts encaps: 10163, #pkts encrypt: 10187, #pkts digest: 10187
#pkts decaps: 10354, #pkts decrypt: 10354, #pkts verify: 10354
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10163, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 24, #pre-frag failures: 0, #fragments created: 48
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 48
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.69.103.226/4500, remote crypto endpt.: 116.12.211.66/1172
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 822B0511
inbound esp sas:
spi: 0x29D1C8C1 (701614273)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 55832576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26019
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x822B0511 (2183857425)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 55832576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26019
IV size: 16 bytes
replay detection support: Y
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.99.32/255.255.255.255/0/0)
current_peer: 116.12.211.66, username: pheng
dynamic allocated peer ip: 10.10.99.32
#pkts encaps: 9523, #pkts encrypt: 9547, #pkts digest: 9547
#pkts decaps: 9308, #pkts decrypt: 9308, #pkts verify: 9308
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9523, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 24, #pre-frag failures: 0, #fragments created: 48
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 48
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.69.103.226/4500, remote crypto endpt.: 116.12.211.66/1163
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 99A5DC54
inbound esp sas:
spi: 0x0AA3D3C5 (178508741)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 55828480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25550
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x99A5DC54 (2577783892)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 55828480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25550
IV size: 16 bytes
replay detection support: Y
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.14.0.0/255.255.0.0/0/0)
current_peer: 212.185.51.242
#pkts encaps: 127, #pkts encrypt: 127, #pkts digest: 127
#pkts decaps: 130, #pkts decrypt: 130, #pkts verify: 130
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 127, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.69.103.226, remote crypto endpt.: 212.185.51.242
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B215F054
inbound esp sas:
spi: 0x59CAB074 (1506455668)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 46747648, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4274962/3297)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB215F054 (2987782228)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 46747648, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4274906/3297)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 10, local addr: 12.69.103.226
access-list traffic permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.14.0.0/255.255.0.0/0/0)
current_peer: 212.185.51.242
#pkts encaps: 62539, #pkts encrypt: 62572, #pkts digest: 62572
#pkts decaps: 60327, #pkts decrypt: 60327, #pkts verify: 60327
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 62539, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 33, #pre-frag failures: 0, #fragments created: 66
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 87
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.69.103.226, remote crypto endpt.: 212.185.51.242
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 400A31BF
inbound esp sas:
spi: 0x9BA5177B (2611287931)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 46747648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4273924/1219)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x400A31BF (1074409919)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 46747648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274168/1219)
IV size: 8 bytes
replay detection support: Y
01-19-2011 02:25 AM
01-19-2011 03:15 AM
Well, I got traffic to route over the VPN and to the internet, but not to the LAN on the other side and back. So we can reach the internet but no internal resources.
01-19-2011 04:00 AM
Hi Ronald,
The no nat statement is missing from the configuration.
Please configure the following on the ASA:
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
Regards,
Anisha
P.S.: Please mark this post answered if you think your query is answered.
01-19-2011 04:39 AM
I added the requested line and the problem is still ongoing.
Current ASA config:
: Saved
: Written by usiadmin at 06:22:45.200 CST Wed Jan 19 2011
!
ASA Version 8.0(3)
!
hostname STO-ASA-5510-FW
domain-name universalsilencer.com
enable password ..Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP-Transit
name 10.10.99.0 IP-Pool-VPNClients description Addresses Assigned to VPN Clients
dns-guard
!
interface Ethernet0/0
description Inside Interface
nameif inside
security-level 100
ip address 10.10.200.29 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
description Outside Interface facing the Internet Rotuer.
nameif outside
security-level 0
ip address 12.69.103.226 255.255.255.240
ospf cost 10
!
interface Ethernet0/2
description Physical Trunk interface - Dont use
no nameif
no security-level
no ip address
!
interface Ethernet0/2.900
description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)
vlan 900
nameif DMZ1-VLAN900
security-level 50
ip address 12.69.103.1 255.255.255.192
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.5.250 255.255.254.0
ospf cost 10
management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec STO-ASA-5510-FW
banner exec ASA5510 - 10.10.200.29
banner exec Configured for Data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized clients only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authorization, are subject to having all their
banner login activity on this computer network system monitored and recorded by
banner login system personnel. To protect the computer network system from
banner login unauthorized use and to ensure the computer network systems is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login conduct of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officers.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
description SAP Updates
port-object eq 3299
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service HUMANLand tcp
port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp eq www
service-object udp eq snmp
service-object udp eq snmptrap
object-group service Human tcp-udp
port-object eq 8100
access-list outside remark ************In Bound SAP Update Traffic per Ron Odom***************
access-list outside extended permit tcp any host 12.69.103.155 range 3200 3300 log
access-list outside remark *** SAP router****
access-list outside extended permit tcp host 12.69.103.155 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark Blocked for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Allow all return ICMP traffic
access-list outside extended permit icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark add to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human
access-list outside extended permit ip any host 12.69.103.156
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark Allow all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****
access-list DMZ1_in remark ***** Any needed permits to inside networks *****
access-list DMZ1_in remark ***** Need to be done above this section *****
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list all level alerts
logging buffer-size 256000
logging buffered all
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41 format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator 178US1SIL3~
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm location IP-Pool-VPNClients 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm history enable
arp timeout 14400
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.148 10.255.2.2 netmask 255.255.255.255
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
static (inside,outside) 12.69.103.156 10.10.3.100 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Microsoft protocol radius
accounting-mode simultaneous
reactivation-mode depletion deadtime 30
aaa-server Microsoft host 10.10.2.1
key cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.0.0 255.255.0.0 management
snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161
snmp-server location STODATDROOM
snmp-server contact SYS Admin
snmp-server community UNISNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 115.111.107.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address traffic
crypto map outside_map 10 set peer 212.185.51.242
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10
telnet 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 management
telnet timeout 29
ssh timeout 29
ssh version 2
console timeout 1
management-access inside
dhcprelay server 10.10.2.1 outside
threat-detection basic-threat
threat-detection statistics
wccp web-cache
wccp interface inside web-cache redirect in
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.43.244.18
tftp-server inside 10.10.2.2 \asa
webvpn
group-policy DfltGrpPolicy attributes
banner value WARNING: This system is for the use of authorized clients only.
wins-server value 10.10.2.1
dns-server value 10.10.2.1 10.10.2.2
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SplitTunnel
default-domain value universalsilencer.com
msie-proxy server value 00.00.00.00
address-pools value VPNClients
group-policy ezGROUP1 internal
group-policy ezGROUP1 attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
---- users removed ----
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key germanysilence
tunnel-group USISplitTunnelRemoteAccess type remote-access
tunnel-group USISplitTunnelRemoteAccess general-attributes
address-pool VPNClients
tunnel-group USISplitTunnelRemoteAccess ipsec-attributes
pre-shared-key z2LNoioYVCTyJlX
tunnel-group USISplitTunnelRADIUS type remote-access
tunnel-group USISplitTunnelRADIUS general-attributes
address-pool VPNClients
authentication-server-group Microsoft LOCAL
tunnel-group USISplitTunnelRADIUS ipsec-attributes
pre-shared-key fLFO2p5KSS8Ic2y
tunnel-group ezVPN1 type remote-access
tunnel-group ezVPN1 general-attributes
default-group-policy ezGROUP1
tunnel-group ezVPN1 ipsec-attributes
pre-shared-key usiPa55
tunnel-group 212.185.51.242 type ipsec-l2l
tunnel-group 212.185.51.242 ipsec-attributes
pre-shared-key usiPa55
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key uniindia
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6f8f82218206c3b83ae46b49364baf45
: end
01-19-2011 04:54 AM
Hi,
Please bring the tunnel down.
On ASA please enter the following commands:
clear cry isa sa
clear cry ips sa peer
Enable the following debugs on the ASA:
deb cry isa 127
deb cry ips 127
Enable the debugs on the router:
debug cry isa
debug cry ips
Please try passing the traffic and bring the tunnel up.
Please attach the outputs of the same on passing the traffic.
Regards,
Anisha
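Added example, not part of the thread: a Python check for the two things this exchange examines, namely whether every crypto-map ACL entry is covered by the `nat 0` exemption ACL, and whether the proxy IDs the peer proposes in Quick Mode mirror any static crypto-map entry. The inputs are lines copied from the ASA config posted above and from the ASA debug output in the reply that follows; the function names are illustrative, and only ACL entries of the form `permit ip <net> <mask> <net> <mask>` are parsed.

```python
import ipaddress
import re

# Subset of lines copied from the ASA config posted in this thread.
CONFIG = """\
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 10 match address traffic
"""

# Two lines copied from the ASA debug output posted in this thread.
DEBUG = """\
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received remote IP Proxy Subnet data in ID Payload: Address 10.15.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Entries using `any`, `host` or a `name` alias are deliberately not matched.
ACL_RE = re.compile(
    rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}[ \t]*$", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)[ \t]*$", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)[ \t]*$", re.M)
PROXY_RE = re.compile(
    rf"Received (remote|local) IP Proxy Subnet data in ID Payload: "
    rf"Address {IP}, Mask {IP}")


def net(addr, mask):
    """Build a network object from an address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acls(config):
    """Map ACL name -> list of (source, destination) networks."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(config):
        acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
    return acls


def crypto_entries(config):
    """Yield (map, seq, src, dst) for each entry of each ACL bound to a static crypto map."""
    acls = parse_acls(config)
    for cmap, seq, acl in MAP_RE.findall(config):
        for src, dst in acls.get(acl, []):
            yield cmap, int(seq), src, dst


def missing_nat_exemption(config):
    """Crypto ACL entries that no single entry of the `nat 0` ACL fully covers."""
    acls = parse_acls(config)
    exempt = [e for name in NAT0_RE.findall(config) for e in acls.get(name, [])]
    return [
        (cmap, seq, str(src), str(dst))
        for cmap, seq, src, dst in crypto_entries(config)
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt)
    ]


def proposed_proxy_ids(debug):
    """Return the (local, remote) networks the peer proposed, as the ASA logged them."""
    found = {side: net(a, m) for side, a, m in PROXY_RE.findall(debug)}
    return found.get("local"), found.get("remote")


def mirrored_entries(config, debug):
    """Static crypto map entries whose ACL equals the proposed local/remote pair.

    Strict equality is this example's choice: it asks whether the two ends
    describe the same traffic, not what the ASA would be willing to accept.
    """
    local, remote = proposed_proxy_ids(debug)
    return [(cmap, seq) for cmap, seq, src, dst in crypto_entries(config)
            if (src, dst) == (local, remote)]


if __name__ == "__main__":
    print("crypto ACL entries without NAT exemption:", missing_nat_exemption(CONFIG))
    local, remote = proposed_proxy_ids(DEBUG)
    print(f"peer proposed local={local} remote={remote}")
    print("static entries mirroring the proposal:", mirrored_entries(CONFIG, DEBUG))
```

On the posted data the first check returns nothing, since the requested `nonat` line is present. The second finds no static entry for a proposal of 10.15.0.0/16 towards 0.0.0.0/0, which agrees with the `ACL does not match proxy IDs` lines and the SA landing on `SYSTEM_DEFAULT_CRYPTO_MAP` in the debug.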
01-19-2011 09:39 AM
Here is the debug from the ASA.
The router did not return any debugs.
STO-ASA-5510-FW# Jan 19 11:28:17 [IKEv1]: IP = 115.111.107.226, Received encrypted packet with no matching SA, dropping
STO-ASA-5510-FW# Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing SA payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Oakley proposal is acceptable
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal RFC VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal ver 03 VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal ver 02 VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing IKE SA payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing ISAKMP SA payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Traversal VID ver 02 payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing Fragmentation VID + extended capabilities payload
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing ke payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing ISA_KE payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing nonce payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received DPD VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f6f)
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received xauth V6 VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing NAT-Discovery payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing NAT-Discovery payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing ke payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing nonce payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing Cisco Unity VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing xauth V6 VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Send IOS VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing VID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Discovery payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Discovery payload
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Connection landed on tunnel_group 115.111.107.226
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating keys for Responder...
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload
Jan 19 11:29:02 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR ID received
115.111.107.226
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Computing hash for ISAKMP
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Connection landed on tunnel_group 115.111.107.226
Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Freeing previously allocated memory for authorization-dn-attributes
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing ID payload
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing hash payload
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Computing hash for ISAKMP
Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing dpd vid payload
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, PHASE 1 COMPLETED
Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Keep-alive type for this connection: DPD
Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Starting P1 rekey timer: 64800 seconds.
Jan 19 11:29:03 [IKEv1 DECODE]: IP = 115.111.107.226, IKE Responder starting QM: msg id = 2daadb29
Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=2daadb29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing SA payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing nonce payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload
Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR_SUBNET ID received--10.15.0.0--255.255.0.0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received remote IP Proxy Subnet data in ID Payload: Address 10.15.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload
Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, QM IsRekeyed old sa not found by addr
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, checking map = outside_map, seq = 1...
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.15.0.0 dst:0.0.0.0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, checking map = outside_map, seq = 10...
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:10.15.0.0 dst:0.0.0.0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing IPSec SA payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 65535
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xD9321D28,
SCB: 0xDA1FF4B8,
Direction: inbound
SPI : 0x6E8D5150
Session ID: 0x0355D000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IKE got SPI from key engine: SPI = 0x6e8d5150
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, oakley constucting quick mode
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing IPSec SA payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing IPSec nonce payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing proxy ID
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Transmitting Proxy Id:
Remote subnet: 10.15.0.0 Mask 255.255.0.0 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, IKE Responder sending 2nd QM pkt: msg id = 2daadb29
Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=2daadb29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=2daadb29) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, loading all IPSEC SAs
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating Quick Mode Key!
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0xD564F2D8,
SCB: 0xD9377370,
Direction: outbound
SPI : 0xF0DBA4B1
Session ID: 0x0355D000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xF0DBA4B1
IPSEC: Creating outbound VPN context, SPI 0xF0DBA4B1
Flags: 0x00000005
SA : 0xD564F2D8
SPI : 0xF0DBA4B1
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x1AD51E39
Channel: 0xD4562C58
IPSEC: Completed outbound VPN context, SPI 0xF0DBA4B1
VPN handle: 0x2DD02054
IPSEC: New outbound encrypt rule, SPI 0xF0DBA4B1
Src addr: 0.0.0.0
Src mask: 0.0.0.0
Dst addr: 10.15.0.0
Dst mask: 255.255.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xF0DBA4B1
Rule ID: 0xDA46C7C0
IPSEC: New outbound permit rule, SPI 0xF0DBA4B1
Src addr: 12.69.103.226
Src mask: 255.255.255.255
Dst addr: 115.111.107.226
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xF0DBA4B1
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xF0DBA4B1
Rule ID: 0xDA48A9C0
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Security negotiation complete for LAN-to-LAN Group (115.111.107.226) Responder, Inbound SPI = 0x6e8d5150, Outbound SPI = 0xf0dba4b1
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IKE got a KEY_ADD msg for SA: SPI = 0xf0dba4b1
IPSEC: Completed host IBSA update, SPI 0x6E8D5150
IPSEC: Creating inbound VPN context, SPI 0x6E8D5150
Flags: 0x00000006
SA : 0xD9321D28
SPI : 0x6E8D5150
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x2DD02054
SCB : 0x09842643
Channel: 0xD4562C58
IPSEC: Completed inbound VPN context, SPI 0x6E8D5150
VPN handle: 0x2DD062F4
IPSEC: Updating outbound VPN context 0x2DD02054, SPI 0xF0DBA4B1
Flags: 0x00000005
SA : 0xD564F2D8
SPI : 0xF0DBA4B1
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x2DD062F4
SCB : 0x1AD51E39
Channel: 0xD4562C58
IPSEC: Completed outbound VPN context, SPI 0xF0DBA4B1
VPN handle: 0x2DD02054
IPSEC: Completed outbound inner rule, SPI 0xF0DBA4B1
Rule ID: 0xDA46C7C0
IPSEC: Completed outbound outer SPD rule, SPI 0xF0DBA4B1
Rule ID: 0xDA48A9C0
IPSEC: New inbound tunnel flow rule, SPI 0x6E8D5150
Src addr: 10.15.0.0
Src mask: 255.255.0.0
Dst addr: 0.0.0.0
Dst mask: 0.0.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x6E8D5150
Rule ID: 0xDA03CB08
IPSEC: New inbound decrypt rule, SPI 0x6E8D5150
Src addr: 115.111.107.226
Src mask: 255.255.255.255
Dst addr: 12.69.103.226
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6E8D5150
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x6E8D5150
Rule ID: 0xDA33BBE8
IPSEC: New inbound permit rule, SPI 0x6E8D5150
Src addr: 115.111.107.226
Src mask: 255.255.255.255
Dst addr: 12.69.103.226
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6E8D5150
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x6E8D5150
Rule ID: 0xD9EA59E0
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Pitcher: received KEY_UPDATE, spi 0x6e8d5150
Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Starting P2 rekey timer: 3059 seconds.
Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, PHASE 2 COMPLETED (msgid=2daadb29)
Jan 19 11:29:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:29:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:04 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:29:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:29:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:29:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:29:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f2)
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:29:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=e37c1728) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:29:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=8873279b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f2)
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f3)
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:29:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=b1b6ba5f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:29:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=7cadb61a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f3)
Jan 19 11:29:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:29:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:29:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:46 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:29:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:46 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:29:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:29:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:29:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:57 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:29:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:29:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:29:59 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:01 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:30:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:01 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:05 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:30:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:05 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f4)
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:30:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=1639f532) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=f0f3e0f3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f4)
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f5)
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:30:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=4f8399f0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=6990b0fa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f5)
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f6)
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:30:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=f953ba9a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=7f2d5c31) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f6)
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f7)
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:30:45 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=16212aa7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:45 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=ec419731) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f7)
Jan 19 11:30:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:51 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:30:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:52 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:54 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:30:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:54 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:30:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:30:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:30:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:31:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:31:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:31:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:31:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:31:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:31:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f8)
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:31:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=dad2b4e2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=99cf6edd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f8)
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f9)
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:31:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=d1152ebb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=84fc263f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f9)
Jan 19 11:31:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:37 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:31:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:31:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:39 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:31:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:41 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:31:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:41 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:31:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:45 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:31:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:31:45 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator: Rekeying Phase 2, Intf inside, IKE Peer 212.185.51.242 local Proxy Address 10.0.0.0, remote Proxy Address 10.14.0.0, Crypto map (outside_map)
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Oakley begin quick mode
Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator starting QM: msg id = 90e9b5a7
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Active unit starts Phase 2 rekey with remote peer 212.185.51.242.
IPSEC: New embryonic SA created @ 0xD93217E8,
SCB: 0xDA49E2C0,
Direction: inbound
SPI : 0x0A08639B
Session ID: 0x02C95000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE got SPI from key engine: SPI = 0x0a08639b
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, oakley constucting quick mode
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing blank hash payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing IPSec SA payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing IPSec nonce payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing proxy ID
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Transmitting Proxy Id:
Local subnet: 10.0.0.0 mask 255.0.0.0 Protocol 0 Port 0
Remote subnet: 10.14.0.0 Mask 255.255.0.0 Protocol 0 Port 0
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing qm hash payload
Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator sending 1st QM pkt: msg id = 90e9b5a7
Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE SENDING Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=2882654b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing delete
Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Received delete for rekeyed centry IKE peer: 10.14.0.0, centry addr: d8afad78, msgid: 0x2b575fc0
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Active unit receives a delete event for remote peer 212.185.51.242.
Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Deleting SA: Remote Proxy 10.14.0.0, Local Proxy 10.0.0.0
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing SA payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing nonce payload
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing ID payload
Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing ID payload
Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, ID_IPV4_ADDR_SUBNET ID received--10.14.0.0--255.255.0.0
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing notify payload
Jan 19 11:31:51 [IKEv1 DECODE]: Responder Lifetime decode follows (outb SPI[4]|attributes):
Jan 19 11:31:51 [IKEv1 DECODE]: 0000: D2D6C364 80010001 00020004 00000E10 ...d............
Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, loading all IPSEC SAs
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Generating Quick Mode Key!
IPSEC: Deleted inbound decrypt rule, SPI 0x37BD96FF
Rule ID: 0xDA257DB8
IPSEC: Deleted inbound permit rule, SPI 0x37BD96FF
Rule ID: 0xD9967448
IPSEC: Deleted inbound tunnel flow rule, SPI 0x37BD96FF
Rule ID: 0xD9E600E8
IPSEC: Deleted inbound VPN context, SPI 0x37BD96FF
VPN handle: 0x2DCDD1BC
IPSEC: Deleted outbound encrypt rule, SPI 0x5645F4F4
Rule ID: 0xD8A1ED20
IPSEC: Deleted outbound permit rule, SPI 0x5645F4F4
Rule ID: 0xDA38D750
IPSEC: Deleted outbound VPN context, SPI 0x5645F4F4
VPN handle: 0x2DCDAD3C
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0xD93586B0,
SCB: 0xD9888F38,
Direction: outbound
SPI : 0xD2D6C364
Session ID: 0x02C95000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xD2D6C364
IPSEC: Creating outbound VPN context, SPI 0xD2D6C364
Flags: 0x00000005
SA : 0xD93586B0
SPI : 0xD2D6C364
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x1AE8599F
Channel: 0xD4562C58
IPSEC: Completed outbound VPN context, SPI 0xD2D6C364
VPN handle: 0x2DD0BACC
IPSEC: New outbound encrypt rule, SPI 0xD2D6C364
Src addr: 10.0.0.0
Src mask: 255.0.0.0
Dst addr: 10.14.0.0
Dst mask: 255.255.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xD2D6C364
Rule ID: 0xD92342C8
IPSEC: New outbound permit rule, SPI 0xD2D6C364
Src addr: 12.69.103.226
Src mask: 255.255.255.255
Dst addr: 212.185.51.242
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xD2D6C364
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xD2D6C364
Rule ID: 0xD8A1ED20
Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Security negotiation complete for LAN-to-LAN Group (212.185.51.242) Initiator, Inbound SPI = 0x0a08639b, Outbound SPI = 0xd2d6c364
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, oakley constructing final quick mode
IPSEC: Completed host IBSA update, SPI 0x0A08639B
IPSEC: Creating inbound VPN context, SPI 0x0A08639B
Flags: 0x00000006
SA : 0xD93217E8
SPI : 0x0A08639B
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x2DD0BACC
SCB : 0x1BB4A893
Channel: 0xD4562C58
IPSEC: Completed inbound VPN context, SPI 0x0A08639B
VPN handle: 0x2DD0F80C
IPSEC: Updating outbound VPN context 0x2DD0BACC, SPI 0xD2D6C364
Flags: 0x00000005
SA : 0xD93586B0
SPI : 0xD2D6C364
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x2DD0F80C
SCB : 0x1AE8599F
Channel: 0xD4562C58
IPSEC: Completed outbound VPN context, SPI 0xD2D6C364
VPN handle: 0x2DD0BACC
IPSEC: Completed outbound inner rule, SPI 0xD2D6C364
Rule ID: 0xD92342C8
IPSEC: Completed outbound outer SPD rule, SPI 0xD2D6C364
Rule ID: 0xD8A1ED20
IPSEC: New inbound tunnel flow rule, SPI 0x0A08639B
Src addr: 10.14.0.0
Src mask: 255.255.0.0
Dst addr: 10.0.0.0
Dst mask: 255.0.0.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x0A08639B
Rule ID: 0xD95F0010
IPSEC: New inbound decrypt rule, SPI 0x0A08639B
Src addr: 212.185.51.242
Src mask: 255.255.255.255
Dst addr: 12.69.103.226
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x0A08639B
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x0A08639B
Rule ID: 0xD8AE5A00
IPSEC: New inbound permit rule, SPI 0x0A08639B
Src addr: 212.185.51.242
Src mask: 255.255.255.255
Dst addr: 12.69.103.226
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x0A08639B
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x0A08639B
Rule ID: 0xD9313DA0
Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator sending 3rd QM pkt: msg id = 90e9b5a7
Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE SENDING Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + NONE (0) total length : 76
Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x37bd96ff
Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x37bd96ff
Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x5645f4f4
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE got a KEY_ADD msg for SA: SPI = 0xd2d6c364
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Pitcher: received KEY_UPDATE, spi 0xa08639b
Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Starting P2 rekey timer: 3060 seconds.
Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, PHASE 2 COMPLETED (msgid=90e9b5a7)
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fa)
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:31:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=7a2e3e3f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=4514bafe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fa)
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fb)
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:32:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=6421c0a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=d3567c9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fb)
Jan 19 11:32:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:12 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:13 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:14 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:16 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:16 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:20 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:20 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:21 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=2ad07f4a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jan 19 11:32:21 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload
Jan 19 11:32:21 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing delete
Jan 19 11:32:21 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Could not find centry for IPSec SA delete with reason message - SPI 0x5645F4F4
Jan 19 11:32:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:23 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:32:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:23 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:32:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:24 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.250
Jan 19 11:32:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:32:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:32:30 [IKEv1]: IP = 98.244.86.208, IKE_DECODE RECEIVED Message (msgid=908ae820) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, processing hash payload
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, processing notify payload
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, Received keep-alive of type DPD R-U-THERE (seq number 0xe5c9ce82)
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xe5c9ce82)
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, constructing blank hash payload
Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, constructing qm hash payload
Jan 19 11:32:30 [IKEv1]: IP = 98.244.86.208, IKE_DECODE SENDING Message (msgid=ace5a7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:31 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1
Jan 19 11:32:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:31 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
Jan 19 11:32:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:34 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:35 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:36 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:32:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fc)
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:32:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=f10b019b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=21de9236) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fc)
no deJan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fd)
Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:33:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=7081e35b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
bJan 19 11:33:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=80f9c6fb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fd)
ig all
^
ERROR: % Invalid input detected at '^' marker.
STO-ASA-5510-FW# Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fe)
Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload
Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload
Jan 19 11:33:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=e64bc9d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:33:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=b793ab43) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload
Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload
Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fe)
n no debug Jan 19 11:33:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
allJan 19 11:33:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:26 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:33:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:33:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:29 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:33:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:29 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:33:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:33 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:33:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 19 11:33:33 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250