At 9:39:21, we see an invalid SPI message:
Jul 10 09:39:21.274 AEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.y.y.100, prot=50, spi=0x41E4DA50(1105517136), srcaddr=203.x.x.6, input interface=Tunnel300...
Ah ok, the router is running traditional IOS. And you are correct, the syntax is different. It would be:
ip access-list extended FILTER
 permit ip host <Dialer1 IP> host 4.2.2.2
 permit ip host 4.2.2.2 host <Dialer1 IP>
monitor capture buffer BUFF circ...
My apologies, the "match ip" is ASA capture syntax... long day. It should be just regular extended ACL syntax, like this:
ip access-list extended FILTER
 permit ip host <Dialer1 IP> host 4.2.2.2
 permit ip host 4.2.2.2 host <Dialer1 IP>
Just wanted to confirm that I was able to get DMVPN running on this platform. Just tested it out right now:
ESR63000(config-if)#do sh plat
Chassis type: ESR-6300-CON-K9
Slot Type State Insert time (ago)
------...
If the authentication challenge is just asking for username/password through the AnyConnect GUI itself, then it's not invoking SAML authentication, which will pop up in a separate AnyConnect embedded browser window. This tells me that it may be hitting...