cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7767
Views
10
Helpful
30
Replies

Cisco ASA 5515 + Mikrotik Site-to-Site IPsec VPN

falangerr
Beginner
Beginner

Good day. I have problem in installing IPsec VPN between Cisco ASA-5515 and mikrotik 951. I want to use ikev1 only.

Here it is my network:

LAN 10.7.0.1/24 --> Mikrotik <-- WAN 2.2.2.2 <--INTERNET--> WAN 1.1.1.1 --> Cisco <-- LAN 10.6.0.254/24

Config of Mikrotik router:
[admin@Brest-R] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0    address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2
[admin@Brest-R] >ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0     src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=test priority=0
[admin@Brest-R] > ip ipsec proposal print
Flags: X - disabled, * - default
0    name="test" auth-algorithms=md5,sha1,sha512 enc-algorithms=3des,aes-256-cbc lifetime=30m pfs-group=none
I see that phase 1 is ok:
[admin@Brest-R] > ip ipsec remote-peers print
0 local-address=2.2.2.2 remote-address=1.1.1.1 state=established side=initiator established=18h11m6s
But if I will try ping from mikrotik to cisco asa lan interface - I see next:
[admin@Brest-R] > ping 10.6.0.254 src-address=10.7.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.6.0.254                                              timeout
  sent=5 received=0 packet-loss=100%
echo: ipsec,debug new acquire 2.2.2.2 [0]<=>1.1.1.1[0]
echo: ipsec,debug suitable outbound SP found: 10.7.0.0/24[0] 10.6.0.0/24[0] proto=any dir=out
echo: ipsec,debug suitable inbound SP found: 10.6.0.0/24[0] 10.7.0.0/24[0] proto=any dir=in
echo: ipsec,debug no configuration found for 1.1.1.1.
echo: ipsec,error failed to begin ipsec sa negotiation.
Config of Cisco ASA you can see below:

interface GigabitEthernet0/1
description blablabla
nameif WAN
security-level 0
ip address 1.1.1.1 255.255.255.224

interface GigabitEthernet0/2
nameif TEST
security-level 100
ip address 10.6.0.254 255.255.255.0
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 2.2.2.2
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map WAN_map 1 set security-association lifetime seconds 86400
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map 1 set reverse-route
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
access-list WAN_cryptomap line 1 extended permit ip 10.6.0.0 255.255.255.0 10.7.0.0 255.255.255.0 (hitcnt=3) 0xf48c7385

nat (LAN,WAN) source dynamic any interface
nat (TEST,WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup

ASA# show crypto ikev1 sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
ASA# show crypto isakmp sa detail
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 19844

ASA# show crypto isakmp

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 86.57.168.157
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

ASA# show crypto ipsec sa

There are no ipsec sas

As I see, problem in second phase of IKEv1. It doesn't want to set up.

30 Replies 30

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi falangerr,

The error 

"echo: ipsec,debug no configuration found for 1.1.1.1.
echo: ipsec,error failed to begin ipsec sa negotiation."

states that you do not have configuration for remote ASA peer 1.1.1.1. Can you verify the configuraiton on Mikrotik device?

Once done, please share the output of the following debug commands:
debug crypto condition peer 
debug crypto ipsec 255

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

This Mikrotik have IPsec tunnel with other Mikrotik, and it is work fine. Config in generall for tunnel between two Mikrotik routers is similar.

I entered two commands as you asked:

debug crypto condition peer 
debug crypto ipsec 255

And nothing appear. I see clear console.

Here it is all config of my Mikrotik router at this moment:

[admin@Brest-R] >> ip ipsec peer print

Flags: X - disabled, D - dynamic

 0    address=1.1.1.1/32 local-address=2.2.2.2 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128,aes-192,aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2

 [admin@Brest-R] >> ip ipsec policy print

Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default

 2     src-address=10.7.0.0/24 src-port=any dst-address=10.6.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=86.57.168.157 sa-dst-address=213.184.230.160 proposal=test priority=0

[admin@Brest-R] >> ip ipsec proposal print

Flags: X - disabled, * - default

 1    name="test" auth-algorithms=md5,sha1,sha512 enc-algorithms=3des,aes-256-cbc lifetime=1d pfs-group=none

 [admin@Brest-R] >> ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

 0    chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.8.0.0/24 log=no log-prefix=""

  • chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.6.0.0/24 log=no log-prefix=""

[admin@Brest-R] >> ip firewall filter print

Flags: X - disabled, I - invalid, D - dynamic

 0    ;;; Allow ICMP

      chain=input action=accept protocol=icmp log=no log-prefix=""

 1    ;;; Allow related and established connections

      chain=input action=accept connection-state=established,related log=no log-prefix=""

 2    ;;; Forward established and related connections

      chain=forward action=accept connection-state=established,related log=no log-prefix=""

 3    chain=input action=accept src-address=10.8.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""

 4    chain=input action=accept src-address=10.6.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""

 5    ;;; Allow IKE

      chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

 6    ;;; Allow IPSec-esp

      chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

 

You will need to enter the peer IP as well.

e.g. 
debug crypto condition peer  x.x.x.x (mikrotik's device public IP)
debug crypto ipsec 255

Moreover, the error is indicating issue on Mikrotik device's configuration for ASA.
The fact that other VPN tunnels are working fine on Mikrotik does not confirm that the device is configured correctly to negotiate phase 2 with ASA although the debugs from ASA can confirm this thing.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I entered command with global IP of my Mikrotik router, I understand it. But I doesn't see any debug messages in console.

Maybe problem in that my Mikrotik router work with specific encryption or hach algorithm not so good.

Try adding these commands along with previously mentioned debug commands:

logging on
logging enable
logging monitor 7
logging buffered 7
logging buffer-size 1048576

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

User Access Verification

Username: xxxxxx
Password: **********
Type help or '?' for a list of available commands.
ASA> en
Password: **********
ASA# conf t
ASA(config)# logg
ASA(config)# logging on
ASA(config)# logg
ASA(config)# logging enab
ASA(config)# logg
ASA(config)# logging monitor 7
ASA(config)# logging buffered 7
ASA(config)# logging buffer-size 1048576
ASA(config)# debug crypto condition peer 2.2.2.2
ASA(config)# debug crypto ipsec 255

ASA(config)# show debug
debug crypto ipsec enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
2.2.2.2/32

ASA(config)#

And nothing happened. Ofcourse during this I tried to drop tunnel and get it up again.

In ASDM I can see only this:

5 Nov 12 2015 12:35:37 Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
6 Nov 12 2015 12:35:37 AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2

Hi falangerr ,

Phase 2 parameters, crypto access-list and transform set seem to match in this case. Can you confirm if you are connected via console to ASA? 

1. Have you applied the crypto map at WAN interface.
2. Please share the output of show run log
3. Is any of the device behing NATed device. 
4. Check the output of "show log" if you see any debugs.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I connect to the ASA with help of ssh, telnet or ASDM. Also, I can connect by console cable? But usually I use SSH or ASDM. There are few transform sets which was created for connections. I created them to avoid situation when some devices don't want work with specific algorithms.

1. Yes, I did.

crypto map WAN_map interface WAN

2. ASA# show run log
logging enable
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging asdm informational

3. No, all two devices have global ip. That is why NAT-T doesn't need. And I don't forget about excluding networks from NAT for ASA:

ASA# show nat
Manual NAT Policies (Section 1)
1 (LAN) to (WAN) source dynamic any interface
translate_hits = 767, untranslate_hits = 6
2 (TEST) to (WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

and for Mikrotik:

[admin@Brest-R] >> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
1 chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.6.0.0/24 log=no log-prefix=""

4. I wrote messages about Phase 1which I saw in ASDM. Ofcourse I can see this in "show log". And additionally:

%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x6027656)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=cb77946b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a6c73290) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6027656)

 

Thanks , you are on the right track.

Perform the following steps.
1. Run "clear log buffer"

2. Enable the debugs via
debug crypto condition peer 
debug crypto isakmp 255
debug crypto ipsec 255

3. Initiate the VPN tunnel.
4. Share the whole output of "show logg"

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you for your help. You can see output below:


ASA# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 64034 messages logged
Buffer logging: level debugging, 63980 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 57742 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'clear logging buffer'
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x5626898a)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=f4a901f1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=ed8f7871) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5626898a)
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/9484 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-5-111008: User 'enable_15' executed the 'debug crypto condition peer 2.2.2.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto condition peer 2.2.2.2'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto isakmp 255'
%ASA-7-710005: UDP request discarded from 10.1.1.137/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.137/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to TEST:255.255.255.255/17500
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 255' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'debug crypto ipsec 255'
%ASA-6-302013: Built inbound TCP connection 10784 for LAN:10.1.1.197/59083 (10.1.1.197/59083) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59083 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59083 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59083
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59083
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59083 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59083 terminated.
%ASA-6-302014: Teardown TCP connection 10784 for LAN:10.1.1.197/59083 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59083 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59083 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.1/5678 to TEST:255.255.255.255/5678
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a4ee31c4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, processing delete
%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:c54dda3a terminating: flags 0x01004802, refcnt 0, tuncnt 0
%ASA-5-713259: Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 98304 dead because SA deleted
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.147/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.147/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: TCP request discarded from 194.154.73.234/35623 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5978
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
%ASA-7-715047: IP = 2.2.2.2, processing SA payload
%ASA-7-713906: IP = 2.2.2.2, Oakley proposal is acceptable
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received Cisco Unity client VID
%ASA-7-715047: IP = 2.2.2.2, processing VID payload
%ASA-7-715049: IP = 2.2.2.2, Received DPD VID
%ASA-7-715047: IP = 2.2.2.2, processing IKE SA payload
%ASA-7-715028: IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 2.2.2.2, constructing ISAKMP SA payload
%ASA-7-715046: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
%ASA-7-715047: IP = 2.2.2.2, processing ke payload
%ASA-7-715047: IP = 2.2.2.2, processing ISA_KE payload
%ASA-7-715047: IP = 2.2.2.2, processing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing ke payload
%ASA-7-715046: IP = 2.2.2.2, constructing nonce payload
%ASA-7-715046: IP = 2.2.2.2, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 2.2.2.2, constructing xauth V6 VID payload
%ASA-7-715048: IP = 2.2.2.2, Send IOS VID
%ASA-7-715038: IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 2.2.2.2, constructing VID payload
%ASA-7-715048: IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
%ASA-7-714011: Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-713906: IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
%ASA-7-715076: Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy_2.2.2.2) for user = 2.2.2.2
%ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
%ASA-7-713121: IP = 2.2.2.2, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10786 for LAN:10.1.1.197/59084 (10.1.1.197/59084) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59084 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59084 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59084
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59084
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59084 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59084 terminated.
%ASA-6-302014: Teardown TCP connection 10786 for LAN:10.1.1.197/59084 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59084 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59084 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-609001: Built local-host WAN:10.7.0.1
%ASA-6-302020: Built outbound ICMP connection for faddr 10.7.0.1/0 gaddr 213.184.230.178/1088 laddr 213.184.230.178/1088
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/4905 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10789 for LAN:10.1.1.197/59085 (10.1.1.197/59085) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59085 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59085 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59085
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59085
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59085 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59085 terminated.
%ASA-6-302014: Teardown TCP connection 10789 for LAN:10.1.1.197/59085 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59085 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59085 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.154/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.154/68 to TEST:255.255.255.255/67
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 9 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6070
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x513d064)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=8c4f9f7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a519933d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x513d064)
%ASA-5-111008: User 'enable_15' executed the 'ping 10.7.0.1' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.1.1.197, executed 'ping 10.7.0.1'
%ASA-6-302021: Teardown ICMP connection for faddr 10.7.0.1/0 gaddr 213.184.230.178/1088 laddr 213.184.230.178/1088
%ASA-7-609002: Teardown local-host WAN:10.7.0.1 duration 0:00:08
%ASA-7-710005: UDP request discarded from 10.1.1.1/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.1/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to TEST:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 192.168.88.3/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 10.1.1.169/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.169/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.23/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.146/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-6-302013: Built inbound TCP connection 10791 for LAN:10.1.1.197/59087 (10.1.1.197/59087) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59087 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59087 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59087
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59087
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59087 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59087 terminated.
%ASA-6-302014: Teardown TCP connection 10791 for LAN:10.1.1.197/59087 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59087 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59087 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to LAN:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.13/56978 to TEST:255.255.255.255/1947
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.84/17500 to TEST:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to LAN:255.255.255.255/62976
%ASA-7-710005: UDP request discarded from 10.100.100.4/62976 to TEST:255.255.255.255/62976
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.117/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.117/68 to TEST:255.255.255.255/67
%ASA-7-710005: TCP request discarded from 84.51.43.226/33967 to WAN:213.184.230.178/25
%ASA-5-111008: User 'enable_15' executed the 'undebug all' command.
%ASA-6-302013: Built inbound TCP connection 10793 for LAN:10.1.1.197/59088 (10.1.1.197/59088) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59088 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59088 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59088
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59088
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59088 to LAN:10.1.1.254/https for user "admin"
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to LAN:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/5678 to TEST:255.255.255.255/5678
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59088 terminated.
%ASA-6-302014: Teardown TCP connection 10793 for LAN:10.1.1.197/59088 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59088 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59088 to LAN:10.1.1.254/443
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 6 per second, max configured rate is 10; Current average rate is 10 per second, max configured rate is 5; Cumulative total count is 6227
%ASA-7-715036: Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x513d065)
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
%ASA-7-715046: Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=494c6c52) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=fb6c60f8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
%ASA-7-715075: Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x513d065)
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.80/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to TEST:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.1/67 to LAN:255.255.255.255/68
%ASA-7-710005: UDP request discarded from 10.1.1.91/68 to LAN:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.91/68 to TEST:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to LAN:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.211/2051 to TEST:255.255.255.255/7437
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to LAN:255.255.255.255/17500
%ASA-7-710005: UDP request discarded from 10.1.1.127/17500 to TEST:255.255.255.255/17500
%ASA-6-302013: Built inbound TCP connection 10795 for LAN:10.1.1.197/59089 (10.1.1.197/59089) to identity:10.1.1.254/443 (10.1.1.254/443)
%ASA-6-725001: Starting SSL handshake with client LAN:10.1.1.197/59089 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client LAN:10.1.1.197/59089 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client LAN:10.1.1.197/59089
%ASA-6-725002: Device completed SSL handshake with client LAN:10.1.1.197/59089
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-6-611101: User authentication succeeded: Uname: admin
%ASA-6-605005: Login permitted from 10.1.1.197/59089 to LAN:10.1.1.254/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show module cxsc details
%ASA-6-725007: SSL session with client LAN:10.1.1.197/59089 terminated.
%ASA-6-302014: Teardown TCP connection 10795 for LAN:10.1.1.197/59089 to identity:10.1.1.254/443 duration 0:00:00 bytes 1662 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.197/59089 to 10.1.1.254/443 flags FIN ACK on interface LAN
%ASA-7-710005: TCP request discarded from 10.1.1.197/59089 to LAN:10.1.1.254/443

Looking at the debugs:-

%ASA-7-713236: IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=a4ee31c4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715047: Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, processing delete
%ASA-5-713050: Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
%ASA-7-713906: Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:c54dda3a terminating: flags 0x01004802, refcnt 0, tuncnt 0
%ASA-5-713259: Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested
%ASA-4-113019: Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:45s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 98304 dead because SA deleted

You can see that we are getting a delete message from remote side and after processing , the session is torn down.

Can you confirm if you have a VPN tunnel on Mikrotik having overlapping subnets to anothet VPN peer. Also check if the interesting traffic is properly configured.

Try removing the other tunnel from Mikrotik and initiate the tunnel to see if this tunnel comes up. It seems like Mikrotik device is sending the delete message and thus causing issue.There is nothing much we can do on the ASA side. You might want to put it up on Mikrotik forum as well.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank's for help. This part of log show this moment when I manually kill IPsec connection from Mikrotik to show you full process of negotiation.

And yes. There was two VPN tunnels on those Mikrotik. The second tunnel is disabled now and nothing changed.

Hello to everyone.

I may be mistaking, but I'm not sure that ASA's NAT exception rules are configured correctly:

3. No, all two devices have global ip. That is why NAT-T doesn't need. And I don't forget about excluding networks from NAT for ASA:

ASA# show nat
Manual NAT Policies (Section 1)
1 (LAN) to (WAN) source dynamic any interface
translate_hits = 767, untranslate_hits = 6
2 (TEST) to (WAN) source static NETWORK_OBJ_10.6.0.0_24 NETWORK_OBJ_10.6.0.0_24 destination static NETWORK_OBJ_10.7.0.0_24 NETWORK_OBJ_10.7.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Dynamic NAT rule is at the first place of Section1, so it takes precedence over static twice nat (nat exception).

Try to change nat order.

First of all. Mikrotik and ASA have global ip on their WAN interfaces. After changing order two nat rules - nothing changed. Second rule was created with help of ASDM through wizard, after that I checked it and as I see there is no mistakes in it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers