Removing the acl from the crypto map entry would be the simplest and the best way with the least amount of configurations.By removing the acl from the crypto map the asa will no longer encrypt that subnet/host to the peer ip.You may also have to adjust nat if you plan to send your traffic over another tunnel.However if you have an FTD you can go into access policies or site to site vpn and just click disable and the config will stay but not be applied.   Anouther way would be to block your peer ip address port 4500 and 500 inbound and outbound. ... View more

not seeing any nat exemption here.   can you do a packet tracer and attach the output using the following: "pack in in icmp 192.168.1.99 8 0 192.168.2.29 det"   also i see the following config : split-tunnel-policy excludespecified split-tunnel-network-list value access_in access-list access_in extended permit ip 192.168.1.0 255.255.255.0 any access-list access_in extended permit ip object VPNpool any access-list access_in extended permit ip interface outside any   you are excluding the addresses in the acl from going over the tunnel. From your anyconnect client right click and go to settings and check your secured routes. Secured routes are the subnets that you will be encrypting and be able to reach over the tunnel.     ... View more

If you do not have an admin and nobody knows how to get onto the asa you can do a password recovery. I would caution doing this if you are not familiar with backup and recovery procedures.Before doing the password recover I would suggest making a backup of configurations on the device and placing them on an external drive in the event a mistake is made. You can follow the password recover procedure here: https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046   When on anyconnect you will have access to anything that is on lan as long as its configured for access on the destination device as well as the ASA. So you should be able to reach you network share, however that's odd that you can still ping your mail server but cant accesses it even though the network share is accessible.   Without doing a packet tracer on the asa or a wire shark capture on the mail server i couldn't really tell you yet if its a problem with the mail server,asa or your computer.   Depending on how your asa and anyconnect is setup you might be able to install anyconnect on another computer and test if its your computer.DNS and IP settings are pushed by the ASA headend so if you are connecting to the asa you will have the same settings as your peers just a different ip address.   Please let me know what you have under your secure/nonsecure routes, these are the subnets that are going over your vpn tunnel.you can find this under settings when you right click anyconnect icon in lower right hand of windows.   Also what is the ip address is that you are pinging for your mail server.All of these addresses should be private ip addresses and you can share these if they are in this range: 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255 Do not share this information the ip address is out of these ranges   also under the preferences tab under client ipv4 address , dns, and tunnel mode ipv4 what do you have ... View more

Next time right click Anyconnect in the bottom right hand corner of windows and select "quit" then reopen anyconnect.If a new package is pushed quitting anyconnect then restarting the application will run the new package. ... View more

Hi Stanly,   As far as virtual contexts whatever is applied to the main context for licensing is shared across the sub contexts. However some licenses will need to be allocated to sub contexts such as Anyconnect. If you have a 500 user license you will need to allocate how many licenses from that pool can be used in each context. class gold limit-resource Mac-addresses 10000 limit-resource Conns 15.0% limit-resource rate Conns 1000 limit-resource rate Inspects 500 limit-resource Hosts 9000 limit-resource ASDM 5 limit-resource SSH 5 limit-resource rate Syslogs 5000 limit-resource Xlates 36000 limit-resource Routes 5000 limit-resource VPN Other 10 limit-resource VPN Burst Other 5 limit-resource VPN AnyConnect 2 the last one specifies how many anyconnect licenses you are assigning to this class, this class "gold" would then need to be assigned to the sub context.For example if your context name was "Cisco" you would go to that context and add "member gold". In general licenses are based of serial number so the only reason you would need a different licenses is if you had different devices.   That brings us to the second part. Your active/standby would need the same encryption license on both devices because the second device will have a different serial number you will need a separate platform license.For Anyconnect there is a way to share your license between multiple devices in your CCO license portal.If you need help distributing an Anyconnect license between devices please feel free to contact Cisco TAC. You can also refer to this guide on licensing under the "Licensing for failover" section. https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-failover.pdf   Also I wanted to make you aware that if you are using failover in multi context with Anyconnect there are many unsupported features.Please take a look at this link:https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr Please let me know if this answered your question or if you had any other questions. ... View more

-When you ping the mail server are you resolving the FQDN to an IP or are you pinging the IP directly? -You would benefit from doing a packet capture on the ASA as well to see if traffic is being received back from the mail server or if the ASA/mail server is blocking the ports. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html -You can test the same by telneting to the mail server ports to see if they are open "telnet x.x.x.x portnumber" you should see it say "connected to".   -Have you tried walking into the office and plugging into the LAN to see if you can get on your mail?Can other people reach email when on VPN? ... View more

This guy is using IKEV2. Proper commands would be :   In ftd you would need to turn on ssh session debugging in order to get any output.   debug cry con peer (peerip) debug cry ikev2 pro 127 debug cry ikev2 plat 127   bounce tunnel then do a packet tracer.   Id also suggest not using anything GCM i have seen many issues with this encryption.Also try starting with lower DH,integrity and encryption in order to troubleshoot as this may be anouther factor.   Do you see phase one being built? Check "show cry ikev2 sa" what does it say? ... View more

Typically this error is seen due to licenses. Are you connecting from a pc or a mobile device like an ipad or android phone?If this is a mobile device provide the output of "show ver" and remove your serial and key numbers. ... View more

You will not loose configs. The process is the same as on any other ASA: you boot it with no configuration,then get into the privileged exec mode, issue the 'copy startup running' command, and then set the new enable password.   ... View more

Ikev2 on 5500 series cannot use sha256 this is a hardware limitation due to the architecture of the CPU. You can also see the limitation listed here :    https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#pgfId-1042794   “SHA-256 can be used for integrity and PRF to establish IKEv2 tunnels, but it can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550).” ... View more