Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About James Dykes
08-18-2017
Stats
Member since
11-20-2012
25
Posts
0
Helpful
0
Solutions
07-06-2015
10:17 AM
I made some changes after creating this thread. I added both networks to the inside no-nat group and added ACLs. Updated configuration is attached. The customer is reporting pings are working, but RDP/SQL traffic is not. It looks like the firewall is trying to NAT the traffic to a different network. The packet-tracer output is below. 4344-FWL001# packet-tracer input inside tcp 192.168.133.210 3389 192.168.0.68 $ Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.0.0 255.255.255.0 inside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_acl in interface inside access-list inside_acl extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0 Additional Information: Forward Flow based lookup yields rule: in id=0xca8e5540, priority=12, domain=permit, deny=false hits=492, user_data=0xc7955c90, cs_id=0x0, flags=0x0, protocol=0 src ip=192.168.133.0, mask=255.255.255.0, port=0 dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0xca36a9a0, priority=7, domain=conn-set, deny=false hits=173249113, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true hits=386801563, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0 NAT exempt translate_hits = 576, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xca0671d8, priority=6, domain=nat-exempt, deny=false hits=576, user_data=0xc9d1de38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.133.0, mask=255.255.255.0, port=0 dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 6 Type: NAT-EXEMPT Subtype: rpf-check Result: ALLOW Config: match ip inside 192.168.0.0 255.255.255.0 inside 192.168.133.0 255.255.255.0 NAT exempt translate_hits = 0, untranslate_hits = 574 Additional Information: Forward Flow based lookup yields rule: in id=0xc9d5e870, priority=6, domain=nat-exempt-reverse, deny=false hits=576, user_data=0xc9d5e1d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.133.0, mask=255.255.255.0, port=0 dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 7 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139552, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc97697f0, priority=1, domain=nat, deny=false hits=140512, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139552, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc9769b48, priority=1, domain=host, deny=false hits=16028284, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 9 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139552, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false hits=606, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 10 Type: NAT Subtype: host-limits Result: ALLOW Config: static (inside,outside) 172.16.0.0 access-list vpn_nat match ip inside 192.168.0.0 255.255.255.0 outside 10.1.7.0 255.255.255.0 static translation to 172.16.0.0 translate_hits = 114129674, untranslate_hits = 1964376 Additional Information: Reverse Flow based lookup yields rule: in id=0xca3691d8, priority=5, domain=host, deny=false hits=194675064, user_data=0xca5562e0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.0.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true hits=386801565, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 12 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 410248530, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: inside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: allow And entries from the logs: Jul 2 18:21:35 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/63744 to 192.168.0.112/139 flags RST on interface inside Jul 2 18:21:41 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside Jul 2 18:21:43 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST on interface inside Jul 2 18:21:44 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside Jul 2 18:21:50 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside Jul 2 18:22:00 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside Jul 2 18:22:02 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags RST on interface inside Jul 2 18:22:03 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside Jul 2 18:22:09 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside Jul 2 18:22:19 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59640 flags SYN ACK on interface inside Jul 2 18:22:21 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags RST on interface inside
... View more
07-03-2015
12:41 PM
I did not architect their network. Their servers at our location use the firewall as their gateway, and their office connected through a point to point line uses a separate router as its gateway, then traffic to that network from the servers here is supposed to be routed via the firewall to the router.
... View more
07-01-2015
11:12 AM
I have an ASA 5500 running 8.2(4). There is a static route inside for the 192.168.0.0/24 network to go to 192.168.133.1, which is another router on the firewall's inside network that leads back to their office. I try pinging from a host in the 192.168.133 network to the 192.168.0 network, and the packet is dropped. A packet-tracer command gives the following output: 4344-FWL001(config)# packet-tracer input inside icmp 192.168.133.100 0 8 192.1$ Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.0.0 255.255.255.0 inside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_acl in interface inside access-list inside_acl extended permit icmp any any echo-reply Additional Information: Forward Flow based lookup yields rule: in id=0xc979d518, priority=12, domain=permit, deny=false hits=9224348, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0xca36a9a0, priority=7, domain=conn-set, deny=false hits=172443571, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true hits=385629755, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false hits=14153115, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: NAT Subtype: Result: DROP Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139551, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc97697f0, priority=1, domain=nat, deny=false hits=139932, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Result: input-interface: inside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule I then try to add the network to the no nat group: access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0 And the packet-tracer fails on a later step: 4344-FWL001(config)#packet-tracer input inside icmp 192.168.133.100 0 8 192.1$ Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.0.0 255.255.255.0 inside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_acl in interface inside access-list inside_acl extended permit icmp any any echo-reply Additional Information: Forward Flow based lookup yields rule: in id=0xc979d518, priority=12, domain=permit, deny=false hits=9224458, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0xca36a9a0, priority=7, domain=conn-set, deny=false hits=172445451, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true hits=385632692, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false hits=14153257, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0 NAT exempt translate_hits = 1, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc6b95be8, priority=6, domain=nat-exempt, deny=false hits=1, user_data=0xc9d1d7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.133.0, mask=255.255.255.0, port=0 dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 7 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139551, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc97697f0, priority=1, domain=nat, deny=false hits=139933, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139551, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xc9769b48, priority=1, domain=host, deny=false hits=16003947, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 9 Type: NAT Subtype: rpf-check Result: DROP Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 139551, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false hits=28, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Result: input-interface: inside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule What am I missing to get this traffic through the ACLs?
... View more
- Tags:
- firewall 5505 ACL
Labels:
04-24-2014
01:14 PM
I'm running 5.0.07.0440 on my machine. Below are the results of a ping test from my machine to 192.168.10.1. Packets are encrypted, but nothing is getting to the ASA - no increments at all on the IPSec SA. Thanks, James
... View more
04-23-2014
05:43 PM
I have a customer who's seeing the same behavior. Connects, unable to reach anything on the 192.168.10.x network. The requested information is below. 3118-FWL001# ping inside 192.168.20.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds: ????? Success rate is 0 percent (0/5) 3118-FWL001# sho cry ips sa interface: outside Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0) current_peer: 216.211.143.85, username: kevin dynamic allocated peer ip: 192.168.20.2 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: 49B2A368 inbound esp sas: spi: 0xE5F78E93 (3858206355) transform: esp-3des esp-sha-hmac none in use settings ={RA, Tunnel, } 3118-FWL001# packet-tracer in inside icmp 192.168.10.10 8 0 192.168.20.2 detail Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x354d568, priority=1, domain=permit, deny=false hits=113261577, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 Phase: 2 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 3 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.20.2 255.255.255.255 outside Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x3550890, priority=0, domain=permit-ip-option, deny=true hits=4663836, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x358aef8, priority=70, domain=inspect-icmp, deny=false hits=1, user_data=0x358ad58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 6 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x3da47a0, priority=70, domain=inspect-icmp-error, deny=false hits=1, user_data=0x3da4600, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 7 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: nat (inside) 0 access-list inside_nat0_outbound match ip inside 192.168.10.0 255.255.255.0 outside 192.168.20.0 255.255.255.0 NAT exempt translate_hits = 8, untranslate_hits = 119 Additional Information: Forward Flow based lookup yields rule: in id=0x36bbab0, priority=6, domain=nat-exempt, deny=false hits=7, user_data=0x36bba40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.10.0, mask=255.255.255.0, port=0 dst ip=192.168.20.0, mask=255.255.255.0, port=0 Phase: 8 Type: NAT Subtype: Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any outside any dynamic translation to pool 1 (199.21.66.162 [Interface PAT]) translate_hits = 88, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0x36bf688, priority=1, domain=nat, deny=false hits=88, user_data=0x36bf618, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 9 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 0, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0x36bf378, priority=1, domain=host, deny=false hits=133, user_data=0x36bef30, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 10 Type: HOST-LIMIT Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x3ce31f8, priority=0, domain=host-limit, deny=false hits=4352254, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 11 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x3e8a9d0, priority=70, domain=encrypt, deny=false hits=1, user_data=0x3b77084, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.20.2, mask=255.255.255.255, port=0 Phase: 12 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x3e993b0, priority=69, domain=ipsec-tunnel-flow, deny=false hits=1, user_data=0x3b9e11c, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.20.2, mask=255.255.255.255, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x35869c8, priority=0, domain=permit-ip-option, deny=true hits=5523984, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0 Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 5990975, packet dispatched to next module Module information for forward flow ... snp_fp_inspect_ip_options snp_fp_inspect_icmp snp_fp_adjacency snp_fp_encrypt snp_fp_fragment snp_fp_tracer_drop snp_ifc_stat Module information for reverse flow ... snp_fp_inspect_ip_options snp_fp_ipsec_tunnel_flow snp_fp_inspect_icmp snp_fp_adjacency snp_fp_fragment snp_fp_tracer_drop snp_ifc_stat Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
... View more
04-23-2014
04:26 PM
Here are the results of the commands you requested. I'm not able to ping either direction. Thanks, James 3118-FWL001# sho cry isa sa Active SA: 5 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 5 1 IKE Peer: 50.34.254.58 Type : L2L Role : responder Rekey : no State : MM_ACTIVE 2 IKE Peer: 173.10.71.69 Type : L2L Role : responder Rekey : no State : MM_ACTIVE 3 IKE Peer: 75.151.109.253 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE 4 IKE Peer: 70.99.88.194 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE 5 IKE Peer: 216.211.143.85 Type : user Role : responder Rekey : no State : AM_ACTIVE 3118-FWL001# sho cry ips sa interface: outside Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162 local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0) current_peer: 216.211.143.85, username: kevin dynamic allocated peer ip: 192.168.20.2 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: CBF94621 inbound esp sas: spi: 0x8D8279CA (2374138314) transform: esp-3des esp-sha-hmac none in use settings ={RA, Tunnel, } slot: 0, conn_id: 200, crypto-map: outside_dyn_map sa timing: remaining key lifetime (sec): 28715 IV size: 8 bytes replay detection support: Y outbound esp sas: spi: 0xCBF94621 (3422111265) transform: esp-3des esp-sha-hmac none in use settings ={RA, Tunnel, } slot: 0, conn_id: 200, crypto-map: outside_dyn_map sa timing: remaining key lifetime (sec): 28715 IV size: 8 bytes replay detection support: Y Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162 access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) current_peer: 50.34.254.58 #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573 #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: FE16571B inbound esp sas: spi: 0x78BD7E4F (2025684559) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 86, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4263158/5788) IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0xFE16571B (4262876955) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 86, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4064653/5788) IV size: 16 bytes replay detection support: Y Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162 access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0) current_peer: 70.99.88.194 #pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814 #pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: 533F55E1 inbound esp sas: spi: 0xE2F461AD (3807666605) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 194, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4273818/27167) IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0x533F55E1 (1396659681) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 194, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4266133/27167) IV size: 16 bytes replay detection support: Y Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162 access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0) current_peer: 75.151.109.253 #pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718 #pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: 8D74AC18 inbound esp sas: spi: 0x0CF7F70B (217577227) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 195, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4274490/23242) IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0x8D74AC18 (2373233688) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 195, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4270718/23242) IV size: 16 bytes replay detection support: Y Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162 access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0) current_peer: 173.10.71.69 #pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935 #pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: 2E8A6147 inbound esp sas: spi: 0x467968AB (1182361771) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 154, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4270213/18597) IV size: 16 bytes replay detection support: Y outbound esp sas: spi: 0x2E8A6147 (780820807) transform: esp-aes esp-sha-hmac none in use settings ={L2L, Tunnel, PFS Group 2, } slot: 0, conn_id: 154, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4162093/18597) IV size: 16 bytes replay detection support: Y 3118-FWL001# sho run route route outside 0.0.0.0 0.0.0.0 199.21.66.161 1
... View more
Created by
James Dykes
in VPN and AnyConnect
in VPN and AnyConnect
04-23-2014
04:12 PM
04-23-2014
04:12 PM
I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below. 3118-FWL001(config)# sho run : Saved : ASA Version 7.2(3) ! hostname 3118-FWL001 domain-name rr-rentals.com enable password hEgvNHfNHV8zypPu encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.10.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 199.X.X.162 255.255.255.248 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted banner exec banner exec banner exec banner exec Any attempted or unauthorized access, use, or modification is prohibited. banner exec Unauthorized users may face criminal and/or civil penalties. banner exec The use of this system may be monitored and recorded. banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can banner exec provide the records to law enforcement. banner exec Be safe! Do not share your access information with anyone! banner exec banner exec banner exec banner asdm banner asdm banner asdm banner asdm Any attempted or unauthorized access, use, or modification is prohibited. banner asdm Unauthorized users may face criminal and/or civil penalties. banner asdm The use of this system may be monitored and recorded. banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can banner asdm provide the records to law enforcement. banner asdm Be safe! Do not share your access information with anyone! banner asdm banner asdm banner asdm ftp mode passive dns server-group DefaultDNS domain-name rr-rentals.com same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list outside_acl extended permit ip any host 199.X.X.163 access-list outside_acl extended permit icmp any any echo access-list outside_acl extended permit icmp any any echo-reply access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389 access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389 access-list outside_acl extended permit tcp any any eq ftp access-list outside_acl extended permit tcp any any eq ftp-data access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389 access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389 access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389 access-list outside_acl extended permit icmp any any unreachable access-list outside_acl extended permit icmp any any time-exceeded access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389 access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0 access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 1048576 logging buffered debugging logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-523.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255 access-group outside_acl in interface outside route outside 0.0.0.0 0.0.0.0 199.X.X.161 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication enable console LOCAL aaa authentication serial console LOCAL http server enable http 192.168.1.0 255.255.255.0 inside http 216.X.X.64 255.255.255.192 outside http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection tcpmss 1200 crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer 50.X.X.58 crypto map outside_map 1 set transform-set ESP-AES-128-SHA crypto map outside_map 2 match address outside_2_cryptomap crypto map outside_map 2 set pfs crypto map outside_map 2 set peer 75.X.X.253 crypto map outside_map 2 set transform-set ESP-AES-128-SHA crypto map outside_map 3 match address outside_3_cryptomap crypto map outside_map 3 set pfs crypto map outside_map 3 set peer 173.X.X.69 crypto map outside_map 3 set transform-set ESP-AES-128-SHA crypto map outside_map 4 match address outside_4_cryptomap crypto map outside_map 4 set pfs crypto map outside_map 4 set peer 70.X.X.194 crypto map outside_map 4 set transform-set ESP-AES-128-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes hash sha group 5 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 192.168.10.2 255.255.255.255 inside ssh 192.168.0.0 255.255.0.0 inside ssh 216.X.X.64 255.255.255.192 outside ssh 50.X.X.58 255.255.255.255 outside ssh timeout 60 ssh version 2 console timeout 0 management-access inside ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp inspect icmp error ! service-policy global_policy global tftp-server outside 216.X.X.116 3118-FWL001.config group-policy rr-vpn internal group-policy rr-vpn attributes dns-server value 216.X.X.12 66.X.X.11 vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value rr-vpn_splitTunnelAcl username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0 username rrlee attributes vpn-group-policy rr-vpn username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0 username cschirado attributes vpn-group-policy rr-vpn username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15 username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15 username troy password amZKsxVU.8N9kKPb encrypted privilege 0 username troy attributes vpn-group-policy rr-vpn username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15 username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0 username druiz attributes vpn-group-policy rr-vpn username theresa password qWsPnR.vfjXzlunC encrypted privilege 0 username theresa attributes vpn-group-policy rr-vpn username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0 username kevin attributes vpn-group-policy rr-vpn username andrea password MyhIPdH6UJQDon77 encrypted privilege 0 username andrea attributes vpn-group-policy rr-vpn tunnel-group 50.X.X.58 type ipsec-l2l tunnel-group 50.X.X.58 ipsec-attributes pre-shared-key * tunnel-group 75.X.X.253 type ipsec-l2l tunnel-group 75.X.X.253 ipsec-attributes pre-shared-key * tunnel-group 72.X.X.71 type ipsec-l2l tunnel-group 72.X.X.71 ipsec-attributes pre-shared-key * tunnel-group 173.X.X.69 type ipsec-l2l tunnel-group 173.X.X.69 ipsec-attributes pre-shared-key * tunnel-group rr-vpn type ipsec-ra tunnel-group rr-vpn general-attributes address-pool vpnpool default-group-policy rr-vpn tunnel-group rr-vpn ipsec-attributes pre-shared-key * tunnel-group 70.X.X.194 type ipsec-l2l tunnel-group 70.X.X.194 ipsec-attributes pre-shared-key * prompt hostname context
... View more
Labels:
02-28-2014
01:42 PM
And what I get from isakmp debug: Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)! Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, sending delete/delete with reason message Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec delete payload Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload Feb 28 13:41:26 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=216bc3cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68 Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0 Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Removing peer from correlator table failed, no match! Feb 28 13:41:26 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb161983b Feb 28 13:41:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0 Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252 local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0, Crypto map (outside_map) Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Oakley begin quick mode Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE got SPI from key engine: SPI = 0x9b973b9b Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, oakley constucting quick mode Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec SA payload Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec nonce payload Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing proxy ID Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id: Local subnet: 10.133.133.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 10.1.14.0 Mask 255.255.255.0 Protocol 0 Port 0 Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168 Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224 Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing hash payload Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing notify payload Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18) I suspect the configs don't match on both sides, but getting info from the other side of the tunnel is like pulling teeth.
... View more
02-28-2014
01:39 PM
Here's what I'm getting from debug: IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC: New embryonic SA created @ 0xC9D5AC10, SCB: 0xCA7F3CA0, Direction: inbound SPI : 0xC404C4D2 Session ID: 0x034F6000 VPIF num : 0x00000002 Tunnel type: l2l Protocol : esp Lifetime : 240 seconds IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC: New embryonic SA created @ 0xC9F32960, SCB: 0xCA7DCFC0, Direction: inbound SPI : 0x25646462 Session ID: 0x034F6000 VPIF num : 0x00000002 Tunnel type: l2l Protocol : esp Lifetime : 240 seconds IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched. IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256 IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
... View more
02-26-2014
11:01 AM
I don't have access to the other device. They say they've added the ACLs, but I can't confirm. I should still see a packet-tracer command at least try to encrypt the traffic, though, right? It's only simulating what a packet would do.
... View more
02-25-2014
02:23 PM
I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel. I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below. What am I missing to get this traffic to even attempt to go across the tunnel? ----- 4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20 Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group backup_acl in interface backup access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0 Additional Information: Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 6 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0 NAT exempt translate_hits = 40, untranslate_hits = 0 Additional Information: Phase: 7 Type: NAT Subtype: Result: ALLOW Config: nat (backup) 1 0.0.0.0 0.0.0.0 match ip backup any outside any dynamic translation to pool 1 (216.211.133.59 [Interface PAT]) translate_hits = 254, untranslate_hits = 18 Additional Information: Phase: 8 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (backup) 1 0.0.0.0 0.0.0.0 match ip backup any outside any dynamic translation to pool 1 (216.211.133.59 [Interface PAT]) translate_hits = 254, untranslate_hits = 18 Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: backup input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
... View more
Labels:
Created by
James Dykes
in VPN and AnyConnect
in VPN and AnyConnect
10-02-2013
02:02 PM
10-02-2013
02:02 PM
We have a customer experiencing very slow throughput on applications travelling across point-to-point tunnels from their branch offices to their central server located in our facility. This slow throughput is not experienced when connecting to the ASA in front of the central server via dial-up VPN from the same physical location. Each location is behind an ASA 5505. Traceroutes show a round trip of less than 60ms between the central server and the branch server in question. Configs are attached. I'm at a bit of a loss as to what is going on. Neither firewall appears to be overloaded, experiencing heavy CPU load or memory usage, and while I see some retransmissions in the TCP flow doing a packet capture on both sides, nothing looks terribly out of the ordinary. Any ideas?
... View more
- Tags:
- l2l
- slow
- throughput
- vpn
Labels:
Created by
James Dykes
in VPN and AnyConnect
in VPN and AnyConnect
07-26-2013
05:00 PM
07-26-2013
05:00 PM
I have an ASA 5505 that I'm trying to create a L2L tunnel with to a Sonicwall device. Phase 1 settings appear to match on both sides from the screenshots sent from the client's office and my settings here, but something is off. My settings are below and the endpoint's settings are screenshotted in attachments. The error I'm getting is: Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed Jul 26 11:22:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0 Jul 26 11:22:43 [IKEv1]: IP = 66.208.251.193, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete. Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148 Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed Jul 26 11:22:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0 Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete. Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148 Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92 Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, IKE MM Initiator FSM error history (struct &0x3c6caf8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, IKE SA MM:9300f290 terminating: flags 0x01000022, refcnt 0, tuncnt 0 Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, sending delete/delete with reason message Jul 26 11:23:04 [IKEv1]: IP = 66.208.251.193, Removing peer from peer table failed, no match! Jul 26 11:23:04 [IKEv1]: IP = 66.208.251.193, Error: Unable to remove PeerTblEntry 5753-FWL001# sho run : Saved : ASA Version 7.2(3) ! hostname 5753-FWL001 domain-name coffeefest.com enable password 8GJ1Rq/1t25uy0R3 encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.133.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address XXX.XXX.XXX.196 255.255.255.240 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name coffeefest.com object-group network FTP-ALLOW description Hosts allowed to FTP into servers object-group network RDP-ALLOW description Palador Allowed for RDP network-object host 64.3.25.178 network-object host 64.3.25.179 network-object host 64.3.25.180 network-object host 64.3.25.181 network-object host 64.3.25.182 network-object host 64.3.25.183 network-object host 64.3.25.184 network-object host 64.3.25.185 network-object host 64.3.25.186 network-object host 64.3.25.187 network-object host 64.3.25.188 access-list outside_acl extended permit ip 216.211.143.64 255.255.255.192 any access-list outside_acl extended permit tcp any host XXX.XXX.XXX.198 eq www access-list outside_acl extended permit tcp any host XXX.XXX.XXX.198 eq https access-list outside_acl extended permit tcp host 216.254.1.194 host XXX.XXX.XXX.197 eq 1433 access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.197 eq 1433 access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.197 eq 3389 access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.197 eq 1433 access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.197 eq 3389 access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.198 eq 1433 access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.198 eq 3389 access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.198 eq 3389 access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.198 eq 1433 access-list outside_acl extended permit tcp host 67.51.49.138 any eq 3389 access-list outside_acl extended permit tcp host 67.51.49.138 any eq 1433 access-list outside_acl extended permit tcp host 64.3.25.178 host XXX.XXX.XXX.197 eq imap4 access-list outside_acl extended permit tcp 64.3.25.176 255.255.255.240 any eq 3389 access-list outside_acl extended permit tcp object-group RDP-ALLOW any eq 3389 access-list outside_acl extended permit tcp host 207.115.95.194 host XXX.XXX.XXX.198 eq 3389 access-list outside_acl extended permit tcp host 207.115.95.194 host XXX.XXX.XXX.197 eq 1433 access-list coffeefest_vpn_splitTunnelAcl standard permit 192.168.133.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.133.16 255.255.255.240 access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 10.0.43.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.133.0 255.255.255.0 10.0.43.0 255.255.255.0 pager lines 24 logging enable logging console debugging logging buffered debugging logging history debugging logging device-id hostname logging host outside 216.211.143.116 mtu inside 1500 mtu outside 1500 ip local pool coffeefest_pool 192.168.133.16-192.168.133.32 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-523.bin no asdm history enable arp timeout 14400 nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) XXX.XXX.XXX.197 192.168.133.197 netmask 255.255.255.255 static (inside,outside) XXX.XXX.XXX.198 192.168.133.198 netmask 255.255.255.255 static (inside,outside) XXX.XXX.XXX.199 192.168.133.199 netmask 255.255.255.255 static (inside,outside) XXX.XXX.XXX.200 192.168.133.200 netmask 255.255.255.255 access-group outside_acl in interface outside route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.193 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server tacacs protocol tacacs+ aaa-server tacacs (outside) host 216.211.143.68 key 0b0bmlult aaa authentication ssh console tacacs LOCAL aaa authentication enable console tacacs LOCAL aaa authentication http console tacacs LOCAL http server enable http 192.168.133.0 255.255.255.0 inside http 216.211.143.64 255.255.255.192 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 66.208.251.193 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 28800 crypto isakmp nat-traversal 20 telnet timeout 5 ssh 216.211.143.64 255.255.255.192 outside ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global tftp-server outside 216.211.143.116 5753-FWL001 group-policy coffeefest_vpn internal group-policy coffeefest_vpn attributes dns-server value 216.211.128.12 66.119.192.11 vpn-session-timeout none vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value coffeefest_vpn_splitTunnelAcl default-domain value coffeefest.com username palador password Tcn05BksapoGh4oq encrypted privilege 0 username palador attributes vpn-group-policy coffeefest_vpn username adhostadm password SNuHaf3vLSQl9DfR encrypted privilege 15 tunnel-group coffeefest_vpn type ipsec-ra tunnel-group coffeefest_vpn general-attributes address-pool coffeefest_pool default-group-policy coffeefest_vpn tunnel-group coffeefest_vpn ipsec-attributes pre-shared-key * tunnel-group 66.208.251.193 type ipsec-l2l tunnel-group 66.208.251.193 ipsec-attributes pre-shared-key * prompt hostname context Cryptochecksum:2dea922083637b4704baefd9d073e9d0 : end
... View more
- Tags:
- asa5505
Labels:
Created by
James Dykes
in VPN and AnyConnect
in VPN and AnyConnect
07-22-2013
03:04 PM
07-22-2013
03:04 PM
Some background - the VPN Client configuration was already in place before I was given the project to add L2L VPN tunnels to the device. You're saying that configuration should be part of the crypto map vpn_map configuration and not in its own config? Can you give me an example? Thank you, James
... View more
Created by
James Dykes
in VPN and AnyConnect
in VPN and AnyConnect
07-22-2013
02:55 PM
07-22-2013
02:55 PM
These changes have not resolved the issue. "The change did not resolve the issue. The P2 was staying alive due to packets incoming from this side (192.168.201.1). The tunnel is still not coming up when traffic is originating from the 192.168.80.0 network. Can you check for any other adjustments that need to be made?"
... View more
07-06-2015
I made some changes after creating this thread. I added both networks to
the inside no-nat group and...
07-03-2015
I did not architect their network. Their servers at our location use the
firewall as their gateway, ...
07-01-2015
I have an ASA 5500 running 8.2(4). There is a static route inside for
the 192.168.0.0/24 network to ...
04-24-2014
I'm running 5.0.07.0440 on my machine.Below are the results of a ping
test from my machine to 192.16...
04-23-2014
I have a customer who's seeing the same behavior. Connects, unable to
reach anything on the 192.168....
04-23-2014
Here are the results of the commands you requested. I'm not able to ping
either direction.Thanks,Jam...
Created by
James Dykes
in VPN and AnyConnect
04-23-2014
04-23-2014
I have a remote access VPN configured on a device here. I'm able to
connect a device and it assigns ...
02-28-2014
And what I get from isakmp debug:Feb 28 13:41:26 [IKEv1]: Group =
216.203.46.252, IP = 216.203.46.25...
02-28-2014
Here's what I'm getting from debug:IPSEC(crypto_map_check)-3: Looking
for crypto map matching 5-tupl...
02-26-2014
I don't have access to the other device. They say they've added the
ACLs, but I can't confirm.I shou...
02-25-2014
I've added a new network for a customer's firewall and I'm trying to get
that network across the exi...
Created by
James Dykes
in VPN and AnyConnect
10-02-2013
10-02-2013
We have a customer experiencing very slow throughput on applications
travelling across point-to-poin...
07-26-2013
I have an ASA 5505 that I'm trying to create a L2L tunnel with to a
Sonicwall device. Phase 1 settin...
Created by
James Dykes
in VPN and AnyConnect
07-22-2013
07-22-2013
Some background - the VPN Client configuration was already in place
before I was given the project t...
Created by
James Dykes
in VPN and AnyConnect
07-22-2013
07-22-2013
These changes have not resolved the issue."The change did not resolve
the issue. The P2 was staying ...
Public Statistics
| Date Registered | 11-20-2012 09:05 PM |
| Date Last Visited | 08-18-2017 04:00 AM |
| Total Messages Posted | 25 |
