- Cisco Community
- Technology and Support
- Security
- VPN
- Ofcourse,
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cisco ASA 5515 + Mikrotik Site-to-Site IPsec VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-12-2015 12:40 AM - edited 02-21-2020 08:33 PM
Good day. I have problem in installing IPsec VPN between Cisco ASA-5515 and mikrotik 951. I want to use ikev1 only.
Here it is my network:
LAN 10.7.0.1/24 --> Mikrotik <-- WAN 2.2.2.2 <--INTERNET--> WAN 1.1.1.1 --> Cisco <-- LAN 10.6.0.254/24
Config of Mikrotik router:
[admin@Brest-R] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2
[admin@Brest-R] >ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=test priority=0
[admin@Brest-R] > ip ipsec proposal print
Flags: X - disabled, * - default
0 name="test" auth-algorithms=md5,sha1,sha512 enc-algorithms=3des,aes-256-cbc lifetime=30m pfs-group=none
I see that phase 1 is ok:
[admin@Brest-R] > ip ipsec remote-peers print
0 local-address=2.2.2.2 remote-address=1.1.1.1 state=established side=initiator established=18h11m6s
But if I will try ping from mikrotik to cisco asa lan interface - I see next:
[admin@Brest-R] > ping 10.6.0.254 src-address=10.7.0.1
SEQ HOST SIZE TTL TIME STATUS
0 10.6.0.254 timeout
sent=5 received=0 packet-loss=100%
echo: ipsec,debug new acquire 2.2.2.2 [0]<=>1.1.1.1[0]
echo: ipsec,debug suitable outbound SP found: 10.7.0.0/24[0] 10.6.0.0/24[0] proto=any dir=out
echo: ipsec,debug suitable inbound SP found: 10.6.0.0/24[0] 10.7.0.0/24[0] proto=any dir=in
echo: ipsec,debug no configuration found for 1.1.1.1.
echo: ipsec,error failed to begin ipsec sa negotiation.
Config of Cisco ASA you can see below:
interface GigabitEthernet0/1
description blablabla
nameif WAN
security-level 0
ip address 1.1.1.1 255.255.255.224
interface GigabitEthernet0/2
nameif TEST
security-level 100
ip address 10.6.0.254 255.255.255.0
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 2.2.2.2
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map WAN_map 1 set security-association lifetime seconds 86400
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map 1 set reverse-route
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
access-list WAN_cryptomap line 1 extended permit ip 10.6.0.0 255.255.255.0 10.7.0.0 255.255.255.0 (hitcnt=3) 0xf48c7385
nat (LAN,WAN) source dynamic any interface
nat (TEST,WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
ASA# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 19844
ASA# show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 86.57.168.157
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA# show crypto ipsec sa
There are no ipsec sas
As I see, problem in second phase of IKEv1. It doesn't want to set up.
- Labels:
-
IPSEC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 12:57 AM
Could you, please, post the output of show runn nat? Just to make sure that NAT exceptions are configured correctly...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:17 AM
Ofcourse,
ASA# show running-config nat
nat (TEST,WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
nat (LAN,WAN) source dynamic any interface
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:21 AM
Great, thanks.
Am I right, saying that object NETWORK_OBJ_10.6.0.0_24 describes the net behind ASA's interface "TEST" and object NETWORK_OBJ_10.7.0.0_24 describes network behind Mikrotik?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:27 AM
Yes, you are.
ASA Lan network 10.6.0.0/24 (interface name test)
Mikrotik Lan network 10.7.0.0/24
Also you can see that there is no hits in nat translations.
ASA# show nat
Manual NAT Policies (Section 1)
1 (TEST) to (WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (LAN) to (WAN) source dynamic any interface
translate_hits = 1, untranslate_hits = 0
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:31 AM
Ok, thanks a lot. That seems, at NAT exception is not the issue. No more ideas at that point of time...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:38 AM
Can you please confirm the ASA os version?
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-18-2015 01:52 AM
ASA# show version
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"
Few minutes ago I tried to change settings on Mikrotik on DES + SHA to test the most simpliest protocols. And result as usual - only phase 1 was installed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-12-2015 09:58 PM
Hi falangerr,
I reviewed the debugs, and I agree with Dinesh we receive process delete from the remote end. However I have one more concern why we received remote proxy as "any any" instead of specific one ?
Could you please check with remote end to conform what is the remote proxy they used.
In most third party devices I see they build tunnel using 2 ways one is Route based and another is access-list based, please inform the remote end to use Mirrored crypto ACL. The remote end ACl should be like "10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0"
And if they use “any any” on the other end always we should be the initiator always.
This kind of peer termination problem occurs, Consider your tunnel is up as you initiated the traffic, Since remote end us using “any any” consider remote end initiate the traffic apart from 10.6.0.0/24 and ASA receives crypto ACL as any any as shown in the log and chances that we delete the tunnel since ASA don’t have that in the crypto map.
So to avoid this situations make the Crypto ACL to be mirrored.
Please let me know the below information
Was the tunnel coming up when you initiate the traffic from ASA end ? The reason I ask you is the below output show its up for 12M and tearing it down ?
Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Thanks,
Regards,
Swj.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-12-2015 11:59 PM
Good day! We receive process delete from the remote end (from Mikrotik) because I manually kill vpn connection to show full process of starting ike.
I don't actually understand what you mean in words "remote proxy as any any". If you mean ACL which should specify interesting traffic - Mikrotik has mirrored policy (like cisco ACL):
[admin@Brest-R] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
2 src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1
proposal=test priority=0
And Mikrotik rules is more like ACL then router based.
When first phase is up, I always try to ping from Mikrotik with command:
[admin@Brest-R] > ping 10.6.0.1 src-address=10.7.0.1
And from ASA with command:
ASA# ping 10.7.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I do ping from two devices at one time when first phase of negotiation comming up.
And the last. You can see 12 minutes uptime because tunnel was in up state 12 minutes, until I manually drop it down. Tunnel can be in up state one, two , three , ten hours and etc. it is doesn't matter. But second phase of negotiation has never installed between this two devices : (
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-13-2015 11:54 AM
What i mean by remote proxy any any
%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0 >>>.>
Anf one more thing from the debugs provided i can see phase-1 completed however there is no IPSEC debugs i see after the pahse-1. Please can you collect the ipsec debugs again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-16-2015 12:08 AM
Unfortunatly I don't know the reason why we see 0.0.0.0 instead of specific IP address. I can only tell that addresses of local and remote peers are specified on Mikrotik router:
address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2
And it has specific policies for this peers:
src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=newland priority=0
And here it is my log again. Tunnel was in down state at moment of start logging.
Newland-ASA(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 658720 messages logged
Buffer logging: level debugging, 658666 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 74808 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7271
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-6-302013: Built inbound TCP connection 13094 for LAN:10.1.1.197/52695 (10.1.1.197/52695) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52695 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52695 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52695
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52695
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52695 to LAN:10.1.1.254/https for user "admin"
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52695 terminated.
%ASA-6-302014: Teardown TCP connection 13094 for LAN:10.1.1.197/52695 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52695 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52695 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 176.192.187.45/12179 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-6-302013: Built inbound TCP connection 13096 for LAN:10.1.1.197/52696 (10.1.1.197/52696) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52696 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52696 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52696
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52696
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52696 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52696 terminated.
%ASA-6-302014: Teardown TCP connection 13096 for LAN:10.1.1.197/52696 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52696 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52696 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7334
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a6)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=efe509bb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=d9014cb7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a6)
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-6-302013: Built inbound TCP connection 13098 for LAN:10.1.1.197/52697 (10.1.1.197/52697) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52697 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52697 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52697
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52697
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52697 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52697 terminated.
%ASA-6-302014: Teardown TCP connection 13098 for LAN:10.1.1.197/52697 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52697 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52697 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 176.114.205.102/49105 to WAN:1.1.1.1/9000
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1840 laddr 1.1.1.1/1840
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.86/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.86/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.107/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.107/68 to TEST:255.255.255.255/67
%ASA-6-302013: Built inbound TCP connection 13101 for LAN:10.1.1.197/52698 (10.1.1.197/52698) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52698 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52698 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52698
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52698
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52698 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52698 terminated.
%ASA-6-302014: Teardown TCP connection 13101 for LAN:10.1.1.197/52698 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52698 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52698 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: TCP request discarded from 217.29.190.250/58688 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 217.29.190.250/37258 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 93.178.113.253/64092 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 93.178.113.253/41479 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.146/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.146/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1840 laddr 1.1.1.1/1840
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 12 per second, max configured rate is 5; Cumulative total count is 7256
%ASA-7-710005: UDP request discarded from 31.23.228.61/57975 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'undebug all' command.
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a7)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=88b0cb2c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=d95a1561) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a7)
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-6-302013: Built inbound TCP connection 13103 for LAN:10.1.1.197/52699 (10.1.1.197/52699) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52699 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/52699 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/52699
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/52699
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/52699 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/52699 terminated.
%ASA-6-302014: Teardown TCP connection 13103 for LAN:10.1.1.197/52699 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/52699 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/52699 to LAN:10.1.1.254/443
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.70/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.70/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.85/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.85/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.158/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.158/68 to TEST:255.255.255.255/67
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/1032 laddr 10.1.1.1/1032
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:01:09
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 95.26.255.60/19982 to WAN:1.1.1.1/9000
%ASA-7-710005: TCP request discarded from 78.58.205.83/64777 to WAN:1.1.1.1/9000
%ASA-7-710005: UDP request discarded from 78.58.205.83/30682 to WAN:1.1.1.1/9000
%ASA-6-302013: Built inbound TCP connection 13105 for LAN:10.1.1.197/52706 (10.1.1.197/52706) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/52706 for TLSv1 session.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-17-2015 10:06 AM
Hi falangerr,
I am afraid we do not see any phase 2 debugs here. All we get is Phase 1 completion message and keepalive packets between VPN endpoints.
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x2b8a09a7)
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2b8a09a7)
Can you please confirm if you have the following commands while taking debugs:
debug crypto condition peer 2.2.2.2
debug crypto ipsec 200
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-17-2015 11:09 PM
Hi Dinesh Moudgil!
Yes, I see that we don't have phase 2 of negotiation. I told about it earlier. In the output above you can see such commands as:
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'
But if you want to see only
debug crypto condition peer 2.2.2.2
debug crypto ipsec 200
Here it is:
Newland-ASA# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 1018381 messages logged
Buffer logging: level debugging, 1018327 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 98808 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.161/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 4 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6381
%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 12 per second, max configured rate is 4; Cumulative total count is 46674
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 200' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 200'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.92/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.92/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/53492 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6315
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2414 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e43)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=b64d980a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ed6e9e6d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e43)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 220.181.130.172/46405 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 7 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6310
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.120/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.120/68 to TEST:255.255.255.255/67
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e44)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=332724cc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=e0a0e4a6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e44)
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/64242 to TEST:255.255.255.255/8610
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/17746 laddr 1.1.1.1/17746
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 69.64.50.192/5092 to WAN:1.1.1.1/5060
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2417 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.200/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.200/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: TCP request discarded from 220.181.130.172/48025 to WAN:1.1.1.1/25
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/2002 laddr 10.1.1.1/2002
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 1.1.1.1/17746 laddr 1.1.1.1/17746
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:01:17
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/60783 to LAN:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 5 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6365
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e45)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=2be4f18a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=f6fb205f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e45)
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.131/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.131/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.102/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 7 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6518
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.65/57066 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to LAN:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to TEST:255.255.255.255/8610
%ASA-7-710005: UDP request discarded from 10.1.1.163/2429 to TEST:255.255.255.255/8610
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e46)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=26be5e72) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=9f3bb532) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e46)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.111/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-6-305012: Teardown dynamic ICMP translation from LAN:10.1.1.1/2002 to WAN:1.1.1.1/2002 duration 0:01:47
%ASA-7-609002: Teardown local-host LAN:10.1.1.1 duration 0:01:47
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.100/17500 to TEST:255.255.255.255/17500
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6544
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.101/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.101/68 to TEST:255.255.255.255/67
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x64d21e47)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=6e9b55ec) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ee377dbd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x64d21e47)
Now I will try to combine different parameters in transform sets in ASA and proposal in Mikrotik. Maybe this two devices (when work together) don't like some kinds of encryption or hash algorithm. Thanks for help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-12-2015 02:01 AM
Also I can show debug from Mikrotik
echo: ipsec,debug initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
echo: ipsec,debug begin Identity Protection mode.
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:0000000000000000
echo: ipsec,debug received broken Microsoft ID: FRAGMENTATION
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:1c3ed76289a2750c
echo: ipsec,debug received Vendor ID: CISCO-UNITY
echo: ipsec,debug received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
echo: ipsec,debug sent phase1 packet 2.2.2.2[500]<=>1.1.1.1[500] 7b14e7063c4be7e5:1c3ed76289a2750c
echo: ipsec,debug received Vendor ID: DPD
echo: ipsec,debug ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:7b14e7063c4be7e5:1c3ed76289a2750c
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-19-2015 02:46 AM
Tunnel got up today, after three hours of reconfiguring devices. Result config are:
Mikrotik:
[admin@Brest-R] > ip ipsec peer export
# nov/19/2015 13:02:46 by RouterOS 6.33
# software id = PCMK-DBQQ
#
/ip ipsec peer
add address=1.1.1.1/32 dpd-maximum-failures=2 enc-algorithm=aes-256 local-address=2.2.2.2 \
nat-traversal=no secret=test
[admin@Brest-R] > ip ipsec proposal export
# nov/19/2015 13:02:57 by RouterOS 6.33
# software id = PCMK-DBQQ
#
/ip ipsec proposal
add auth-algorithms=sha1,sha256 enc-algorithms=3des,aes-256-cbc lifetime=1d name=newland
[admin@Brest-R] > ip ipsec policy export
# nov/19/2015 13:03:04 by RouterOS 6.33
# software id = PCMK-DBQQ
#
/ip ipsec policy group
set
/ip ipsec policy
add dst-address=10.6.0.0/24 proposal=newland sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 \
src-address=10.7.0.0/24 tunnel=yes
Cisco ASA:
!
interface GigabitEthernet0/1
description Internet from ISP Aichina
nameif WAN
security-level 0
ip address 1.1.1.1 255.255.255.224
!
interface GigabitEthernet0/2
nameif TEST
security-level 100
ip address 10.6.0.254 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association pmtu-aging infinite
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 2.2.2.2
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 1 set security-association lifetime seconds 86400
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map interface WAN
crypto isakmp identity address
crypto ikev1 enable WAN
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev1
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key *******************
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *******************
Thank's for help guys!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide