07-16-2014 03:52 AM - edited 02-21-2020 07:43 PM
Hello!
I'm configuring an l2tp ipsec tunnel for remote access between Windows 8 and a Cisco ASA 5505 (version 8.2).
IKE Phase 1 and 2 complete successfully; after 30 seconds the channel goes down with the following error:
%ASA-5-713050: Connection terminated for peer IP_address. Reason: termination reason Remote Proxy IP_address, Local Proxy IP_address
Could you please help me to solve this?
access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0
ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool ipsecpool
default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
07-16-2014 04:36 AM
Hi,
This might be due to timeout problems. This might be due to problems at the Windows end as well.
07-16-2014 04:47 AM
Hi nkarthikeyan ,
The Windows side, in its turn, gives error 809, briefly:
connection between PC and VPN could not be established (due to firewalls, NAT, etc). In my setup the PC from where I'm trying to get the VPN working is connected to a switch, and the switch is connected to the firewall's outside port. The PC's and the firewall's IP addresses are in the same subnet; the PC can ping the firewall, but the firewall can't ping the PC (could that be an issue)?
regards,
olesia
07-16-2014 06:10 AM
Hi,
Can you set the vpn session timeout as none and check.
hostname(config)#group-policy DefaultRAGroup attributes
hostname(config-group-policy)#vpn-session-timeout none
Regards
Karthik
07-16-2014 06:19 AM
I have added the lines you suggested but the result is still the same, the same error.
Here is the whole running config:
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name senseg.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.25.0 vpn
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 185.11.209.139 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif senseg-guest
security-level 50
ip address 172.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup senseg-guest
dns server-group DefaultDNS
name-server 185.11.208.11
name-server 185.11.211.11
domain-name domain.com
object-group network user
network-object 192.168.23.0 255.255.255.0
object-group network guest
network-object 172.20.0.0 255.255.255.0
object-group service outside_webpage tcp
port-object eq 65000
object-group service DM_INLINE_TCP_1 tcp
group-object outside_webpage
port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
access-list allow_user extended permit icmp any any
access-list allow_user extended permit tcp object-group user any eq ftp
access-list allow_user extended permit tcp object-group user any eq ssh
access-list allow_user extended permit tcp object-group user any eq www
access-list allow_user extended permit tcp object-group user any eq https
access-list allow_user extended permit tcp object-group user any eq smtp
access-list allow_user extended permit tcp object-group user any eq imap4
access-list allow_user extended permit tcp object-group user any eq domain
access-list allow_user extended permit tcp object-group user any eq 37
access-list allow_user extended permit tcp object-group user any eq 123
access-list allow_user extended permit tcp object-group user any eq 465
access-list allow_user extended permit tcp object-group user any eq 993
access-list allow_user extended permit tcp object-group user any eq 995
access-list allow_user extended permit udp object-group user any eq domain
access-list allow_user extended permit udp object-group user any eq time
access-list allow_user extended permit udp object-group user any eq 587
access-list allow_user extended permit udp object-group user any eq 4500
access-list allow_user extended permit udp object-group user any eq isakmp
access-list allow_user extended permit udp object-group user any eq ntp
access-list allow_user extended permit tcp object-group user 192.168.24.0 255.255.255.0 eq pptp
access-list allow_guest extended permit tcp object-group guest any eq ftp
access-list allow_guest extended permit tcp object-group guest any eq www
access-list allow_guest extended permit tcp object-group guest any eq https
access-list allow_guest extended permit tcp object-group guest any eq ssh
access-list allow_guest extended permit tcp object-group guest any eq imap4
access-list allow_guest extended permit tcp object-group guest any eq 465
access-list allow_guest extended permit tcp object-group guest any eq 993
access-list allow_guest extended permit tcp object-group guest any eq 995
access-list allow_guest extended permit tcp object-group guest any eq 37
access-list allow_guest extended permit tcp object-group guest any eq domain
access-list allow_guest extended permit tcp object-group guest any eq 123
access-list allow_guest extended permit udp object-group guest any eq ntp
access-list allow_guest extended permit udp object-group guest any eq time
access-list allow_guest extended permit udp object-group guest any eq domain
access-list allow_guest extended permit udp object-group guest any eq 4500
access-list allow_guest extended permit udp object-group guest any eq isakmp
access-list allow_guest extended permit icmp any any
access-list allow_guest extended permit tcp object-group guest any eq smtp
access-list allow_guest extended permit udp object-group guest any eq 587
access-list 100 extended permit esp any any
access-list 100 extended permit ah any any
access-list 100 extended permit udp any eq isakmp any eq isakmp
access-list 100 extended permit udp any eq 4500 any eq 4500
access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 10.0.0.0 interface outside
access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit tcp any 185.11.209.136 255.255.255.248 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
pager lines 24
logging enable
logging console emergencies
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu senseg-guest 1500
ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0
ip local pool vpn_anyconnect 10.0.0.0-10.0.0.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group allow_user out interface inside
access-group outside_access_in in interface outside
access-group allow_guest out interface senseg-guest
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 20
management-access inside
dhcpd dns 185.11.208.11 185.11.211.11
dhcpd domain domain.com
!
dhcpd address 192.168.23.5-192.168.23.132 inside
dhcpd enable inside
!
dhcpd address 172.20.0.5-172.20.0.25 senseg-guest
dhcpd enable senseg-guest
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 185.11.208.11 185.11.211.11
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
default-domain value domain.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value domain.com
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username test attributes
vpn-group-policy DefaultRAGroup
username Tuomas password EdqK3SPjK4Ye1g5t encrypted privilege 15
username Olesia password lV0pt/lMWuzH/V0i encrypted privilege 15
username Olesia attributes
webvpn
svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
address-pool ipsecpool
default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool vpn_anyconnect
default-group-policy VpnAnyConnect
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ipsec-pass-thru
!
prompt hostname context
no call-home reporting anonymous
07-16-2014 06:36 AM
sorry.... you should apply to the group policy what you have used for your l2tp vpn... here i guess it should be l2tp_ipsec.....
group-policy l2tp_ipsec attributes
vpn-session-timeout none
!
Try and let me know if this helps
Regards
Karthik
07-16-2014 06:50 AM
hi :)
Yes, I have added that to another group policy as well. Now I'm getting another error (due to the AnyConnect configuration added, I believe): error 789 - cannot negotiate l2tp security settings, phase 1 complete but
"A tunnel was dropped because the allowed tunnel specified in the group policy was different from the allowed tunnel in the tunnel group configuration."
!
hostname ciscoasa
domain-name senseg.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.25.0 vpn
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 185.11.209.139 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif senseg-guest
security-level 50
ip address 172.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup senseg-guest
dns server-group DefaultDNS
name-server 185.11.208.11
name-server 185.11.211.11
domain-name senseg.com
object-group network user
network-object 192.168.23.0 255.255.255.0
object-group network guest
network-object 172.20.0.0 255.255.255.0
object-group service outside_webpage tcp
port-object eq 65000
object-group service DM_INLINE_TCP_1 tcp
group-object outside_webpage
port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
access-list allow_user extended permit icmp any any
access-list allow_user extended permit tcp object-group user any eq ftp
access-list allow_user extended permit tcp object-group user any eq ssh
access-list allow_user extended permit tcp object-group user any eq www
access-list allow_user extended permit tcp object-group user any eq https
access-list allow_user extended permit tcp object-group user any eq smtp
access-list allow_user extended permit tcp object-group user any eq imap4
access-list allow_user extended permit tcp object-group user any eq domain
access-list allow_user extended permit tcp object-group user any eq 37
access-list allow_user extended permit tcp object-group user any eq 123
access-list allow_user extended permit tcp object-group user any eq 465
access-list allow_user extended permit tcp object-group user any eq 993
access-list allow_user extended permit tcp object-group user any eq 995
access-list allow_user extended permit udp object-group user any eq domain
access-list allow_user extended permit udp object-group user any eq time
access-list allow_user extended permit udp object-group user any eq 587
access-list allow_user extended permit udp object-group user any eq 4500
access-list allow_user extended permit udp object-group user any eq isakmp
access-list allow_user extended permit udp object-group user any eq ntp
access-list allow_user extended permit tcp object-group user 192.168.24.0 255.255.255.0 eq pptp
access-list allow_guest extended permit tcp object-group guest any eq ftp
access-list allow_guest extended permit tcp object-group guest any eq www
access-list allow_guest extended permit tcp object-group guest any eq https
access-list allow_guest extended permit tcp object-group guest any eq ssh
access-list allow_guest extended permit tcp object-group guest any eq imap4
access-list allow_guest extended permit tcp object-group guest any eq 465
access-list allow_guest extended permit tcp object-group guest any eq 993
access-list allow_guest extended permit tcp object-group guest any eq 995
access-list allow_guest extended permit tcp object-group guest any eq 37
access-list allow_guest extended permit tcp object-group guest any eq domain
access-list allow_guest extended permit tcp object-group guest any eq 123
access-list allow_guest extended permit udp object-group guest any eq ntp
access-list allow_guest extended permit udp object-group guest any eq time
access-list allow_guest extended permit udp object-group guest any eq domain
access-list allow_guest extended permit udp object-group guest any eq 4500
access-list allow_guest extended permit udp object-group guest any eq isakmp
access-list allow_guest extended permit icmp any any
access-list allow_guest extended permit tcp object-group guest any eq smtp
access-list allow_guest extended permit udp object-group guest any eq 587
access-list 100 extended permit esp any any
access-list 100 extended permit ah any any
access-list 100 extended permit udp any eq isakmp any eq isakmp
access-list 100 extended permit udp any eq 4500 any eq 4500
access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 10.0.0.0 interface outside
access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit tcp any 185.11.209.136 255.255.255.248 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
pager lines 24
logging enable
logging console emergencies
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu senseg-guest 1500
ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0
ip local pool vpn_anyconnect 10.0.0.0-10.0.0.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group allow_user out interface inside
access-group outside_access_in in interface outside
access-group allow_guest out interface senseg-guest
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-AES128-SHA1-TRANS ESP-DES-MD5 ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 20
management-access inside
dhcpd dns 185.11.208.11 185.11.211.11
dhcpd domain senseg.com
!
dhcpd address 192.168.23.5-192.168.23.132 inside
dhcpd enable inside
!
dhcpd address 172.20.0.5-172.20.0.25 senseg-guest
dhcpd enable senseg-guest
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 185.11.208.11 185.11.211.11
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
default-domain value senseg.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
default-domain value senseg.com
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username test attributes
vpn-group-policy DefaultRAGroup
username Tuomas password EdqK3SPjK4Ye1g5t encrypted privilege 15
username Olesia password lV0pt/lMWuzH/V0i encrypted privilege 15
username Olesia attributes
webvpn
svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
address-pool ipsecpool
default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool vpn_anyconnect
default-group-policy VpnAnyConnect
tunnel-group 185.11.209.137 type ipsec-l2l
tunnel-group 185.11.209.137 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ipsec-pass-thru
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d4016f74a878a5eacebb4123271a676
: end
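The error quoted in this post is about the tunnel protocols a group policy allows. As an added example (not part of the thread and not Cisco tooling), the Python below resolves which group policy each tunnel group in the posted configuration ends up using and whether that policy's `vpn-tunnel-protocol` list admits the intended tunnel type. Assumptions: a tunnel group without `default-group-policy` uses `DfltGrpPolicy`, a policy without its own `vpn-tunnel-protocol` inherits it from `DfltGrpPolicy`, and the `INTENDED` mapping (including `IPSec` for the `ipsec-l2l` group) is the reader's statement of intent; `parse`, `allowed_protocols` and `audit` are hypothetical helper names.

```python
# Excerpt of the running config posted above (only the lines this check reads).
CONFIG = """\
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
vpn-session-timeout none
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool ipsecpool
default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool vpn_anyconnect
default-group-policy VpnAnyConnect
tunnel-group 185.11.209.137 type ipsec-l2l
tunnel-group 185.11.209.137 ipsec-attributes
pre-shared-key *****
"""

# Assumption: what each tunnel group is meant to carry (stated by the reader).
INTENDED = {
    "DefaultRAGroup": "l2tp-ipsec",
    "AnyConnect": "svc",
    "185.11.209.137": "IPSec",
}

DEFAULT_POLICY = "DfltGrpPolicy"
# The pasted config has lost its indentation, so sub-mode context is ended
# heuristically when one of these other top-level commands appears.
TOP_LEVEL_RESET = {"username", "webvpn", "crypto", "interface",
                   "class-map", "policy-map"}


def parse(config):
    """Return (policies, groups) from an ASA 8.x style running config."""
    policies = {}  # policy name -> set of allowed protocols, or None if unset
    groups = {}    # tunnel-group name -> {"type": ..., "policy": ...}
    ctx = None     # ("policy" | "group", name) while inside an attributes block
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] in ("!", ":"):
            ctx = None
            continue
        head = words[0]
        if head == "group-policy" and len(words) >= 3:
            policies.setdefault(words[1], None)
            ctx = ("policy", words[1]) if words[2] == "attributes" else None
        elif head == "tunnel-group" and len(words) >= 3:
            group = groups.setdefault(words[1], {"type": None, "policy": None})
            if words[2] == "type" and len(words) >= 4:
                group["type"] = words[3]
            ctx = ("group", words[1]) if words[2] == "general-attributes" else None
        elif head in TOP_LEVEL_RESET:
            ctx = None
        elif ctx and ctx[0] == "policy" and head == "vpn-tunnel-protocol":
            policies[ctx[1]] = {w.lower() for w in words[1:]}
        elif (ctx and ctx[0] == "group" and head == "default-group-policy"
              and len(words) >= 2):
            groups[ctx[1]]["policy"] = words[1]
    return policies, groups


def allowed_protocols(policy, policies):
    """Protocols a policy permits; an unset list is inherited from DfltGrpPolicy.

    Returns None when neither sets it, i.e. the platform default applies.
    """
    explicit = policies.get(policy)
    if explicit is None:
        explicit = policies.get(DEFAULT_POLICY)
    return explicit


def audit(config, intended):
    """Return (group, effective policy, wanted, allowed, ok) per tunnel group."""
    policies, groups = parse(config)
    findings = []
    for name, wanted in intended.items():
        policy = groups.get(name, {}).get("policy") or DEFAULT_POLICY
        allowed = allowed_protocols(policy, policies)
        ok = allowed is None or wanted.lower() in allowed
        findings.append((name, policy, wanted,
                         sorted(allowed) if allowed else None, ok))
    return findings


if __name__ == "__main__":
    for name, policy, wanted, allowed, ok in audit(CONFIG, INTENDED):
        status = "ok" if ok else "MISMATCH"
        print(f"{status:8} tunnel-group {name} -> group-policy {policy}: "
              f"wants {wanted}, policy allows {allowed}")
```
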
07-16-2014 06:57 AM
you can remove the previously done config which was mapped to anyconnect....
hostname(config)#group-policy DefaultRAGroup attributes
hostname(config-group-policy)#no vpn-session-timeout none
Regards
Karthik
07-17-2014 12:54 AM
Hello Karthik,
Yes, I have changed it but it actually has no impact on the error I'm getting.
If it is a NAT / access-list issue, it should be displayed in debug output, but I'm not getting anything reasonable. Here it is:
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 7
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing ISAKMP SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing Fragmentation VID + extended capabilities payload
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 104
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 52
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 40
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 70 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 212
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
Payload Nonce
Next Payload: None
Reserved: 00
Payload Length: 52
Data:
2a 65 e8 17 bf 4c 4a 86 4a 3f 50 f0 cf 9d 91 ba
8b f1 24 76 8f 96 99 f8 e4 23 73 05 f1 3f ee ae
90 0c 81 d9 bc f3 d2 a2 07 b8 e9 6f 87 b1 01 5c
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 212
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing ke payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing ISA_KE payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing ke payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing Cisco Unity VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing xauth V6 VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Send IOS VID
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating keys for Responder...
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
d5 72 42 9f 5b 79 47 e5 a1 2b 69 43 31 e1 c8 24
14 c3 ad 3f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
37 24 fa 7a aa 08 dd c0 2a b9 13 d8 75 e7 ac 62
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 68
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 185.11.209.137
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
48 ea 64 7e a3 a7 8a a0 8f 05 9a 88 84 cf f1 69
37 63 3d a0
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Computing hash for ISAKMP
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing ID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Computing hash for ISAKMP
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing dpd vid payload
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 185.11.209.139
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
66 5d 7d 02 6c 46 fa 25 9f 8a 88 3b a0 1c bb 61
99 c2 85 0e
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 84
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 1 COMPLETED
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Keep-alive type for this connection: None
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Keep-alives configured on but peer does not support keep-alives (type = None)
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Starting P1 rekey timer: 21600 seconds.
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 308
Jul 17 10:46:33 [IKEv1 DECODE]: IP = 185.11.209.137, IKE Responder starting QM: msg id = 00000001
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 308
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
a0 38 d3 f2 d7 a1 f1 05 18 27 48 a8 84 38 0e c2
f6 c5 99 54
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 172
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 56
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 01 63 fb c6
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 44
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Encapsulation Mode: Transport
Key Length: 128
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 2
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 01 63 fb c6
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Encapsulation Mode: Transport
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 3
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 01 63 fb c6
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Encapsulation Mode: Transport
Authentication Algorithm: SHA1
Life Type: Seconds
Life Duration (Hex): 00 00 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 52
Data:
f8 6e d7 36 f9 f0 ee e0 ba c2 cc ad 9f 10 3e 39
15 74 8b cd 89 74 b3 fd b9 74 0b 99 b0 c8 73 2d
26 57 8f 80 58 5f dc 39 6b 21 80 d0 51 61 29 ee
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 185.11.209.137
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 185.11.209.139
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 300
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.137
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Received remote Proxy Host data in ID Payload: Address 185.11.209.137, Protocol 17, Port 1701
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.139
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Received local Proxy Host data in ID Payload: Address 185.11.209.139, Protocol 17, Port 1701
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, L2TP/IPSec session detected.
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, QM IsRekeyed old sa not found by addr
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing IPSec SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 65535
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE: requesting SPI!
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0xC9F50FF8,
SCB: 0xC9F4C200,
Direction: inbound
SPI : 0xEA99568C
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE got SPI from key engine: SPI = 0xea99568c
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, oakley constucting quick mode
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing blank hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IPSec SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IPSec nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing proxy ID
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Transmitting Proxy Id:
Remote host: 185.11.209.137 Protocol 17 Port 1701
Local host: 185.11.209.139 Protocol 17 Port 1701
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing qm hash payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Responder sending 2nd QM pkt: msg id = 00000001
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
BEFORE ENCRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: 01000000
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
70 e2 38 71 7b 55 88 46 39 ff 4a 98 f4 09 c7 90
02 57 e9 20
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: ea 99 56 8c
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 0e 10
Life Type: Kilobytes
Life Duration (Hex): 00 03 d0 90
Encapsulation Mode: Transport
Authentication Algorithm: SHA1
Key Length: 128
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
98 80 42 be d9 81 9b 82 50 d8 fe 95 0f 54 09 58
e1 f8 ca 88
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 185.11.209.137
Payload Identification
Next Payload: None
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 1701
ID Data: 185.11.209.139
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 164
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 60
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 00000001
Length: 60
Payload Hash
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
97 97 ac 44 16 f6 5b a7 f0 58 ff 27 d8 40 a6 9e
f2 92 dc ab
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, loading all IPSEC SAs
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating Quick Mode Key!
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=cb77dff0; rule=00000000
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating Quick Mode Key!
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x0163FBC6
IPSEC: New embryonic SA created @ 0xC9F4E7B0,
SCB: 0xCB4964D0,
Direction: outbound
SPI : 0x0163FBC6
Session ID: 0x00041000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x0163FBC6
IPSEC: Creating outbound VPN context, SPI 0x0163FBC6
Flags: 0x00000205
SA : 0xC9F4E7B0
SPI : 0x0163FBC6
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x1DF00BAF
Channel: 0xC6A93A40
IPSEC: Completed outbound VPN context, SPI 0x0163FBC6
VPN handle: 0x009B1094
IPSEC: New outbound encrypt rule, SPI 0x0163FBC6
Src addr: 185.11.209.139
Src mask: 255.255.255.255
Dst addr: 185.11.209.137
Dst mask: 255.255.255.255
Src ports
Upper: 1701
Lower: 1701
Op : equal
Dst ports
Upper: 1701
Lower: 1701
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x0163FBC6
Rule ID: 0xCB7800D0
IPSEC: New outbound permit rule, SPI 0x0163FBC6
Src addr: 185.11.209.139
Src mask: 255.255.255.255
Dst addr: 185.11.209.137
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x0163FBC6
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x0163FBC6
Rule ID: 0xCB77C290
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=cb77dff0; rule=00000000
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Security negotiation complete for LAN-to-LAN Group (185.11.209.137) Responder, Inbound SPI = 0xea99568c, Outbound SPI = 0x0163fbc6
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE got a KEY_ADD msg for SA: SPI = 0x0163fbc6
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0xEA99568C
IPSEC: Completed host IBSA update, SPI 0xEA99568C
IPSEC: Creating inbound VPN context, SPI 0xEA99568C
Flags: 0x00000206
SA : 0xC9F50FF8
SPI : 0xEA99568C
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x009B1094
SCB : 0x1DECE78F
Channel: 0xC6A93A40
IPSEC: Completed inbound VPN context, SPI 0xEA99568C
VPN handle: 0x009CAE34
IPSEC: Updating outbound VPN context 0x009B1094, SPI 0x0163FBC6
Flags: 0x00000205
SA : 0xC9F4E7B0
SPI : 0x0163FBC6
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x009CAE34
SCB : 0x1DF00BAF
Channel: 0xC6A93A40
IPSEC: Completed outbound VPN context, SPI 0x0163FBC6
VPN handle: 0x009B1094
IPSEC: Completed outbound inner rule, SPI 0x0163FBC6
Rule ID: 0xCB7800D0
IPSEC: Completed outbound outer SPD rule, SPI 0x0163FBC6
Rule ID: 0xCB77C290
IPSEC: New inbound tunnel flow rule, SPI 0xEA99568C
Src addr: 185.11.209.137
Src mask: 255.255.255.255
Dst addr: 185.11.209.139
Dst mask: 255.255.255.255
Src ports
Upper: 1701
Lower: 1701
Op : equal
Dst ports
Upper: 1701
Lower: 1701
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xEA99568C
Rule ID: 0xCB7C9290
IPSEC: New inbound decrypt rule, SPI 0xEA99568C
Src addr: 185.11.209.137
Src mask: 255.255.255.255
Dst addr: 185.11.209.139
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xEA99568C
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xEA99568C
Rule ID: 0xCB774488
IPSEC: New inbound permit rule, SPI 0xEA99568C
Src addr: 185.11.209.137
Src mask: 255.255.255.255
Dst addr: 185.11.209.139
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xEA99568C
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xEA99568C
Rule ID: 0xCB786CD0
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Pitcher: received KEY_UPDATE, spi 0xea99568c
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Starting P2 rekey timer: 3420 seconds.
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 2 COMPLETED (msgid=00000001)
Jul 17 10:46:33 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <185.11.209.137> mask <0xFFFFFFFF> port <1701>
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: C85D6002
Length: 76
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: C85D6002
Length: 76
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
20 b5 e7 9a 04 64 0e 90 26 3d 98 28 fd 1e 74 3a
36 28 4b 5d
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
# of SPIs: 1
SPI (Hex dump): 01 63 fb c6
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=c85d6002) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing delete
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Connection terminated for peer 185.11.209.137. Reason: Peer Terminate Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Active unit receives a delete event for remote peer 185.11.209.137.
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Deleting SA: Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Deleting static route for L2L peer that came in on a dynamic map. address: 185.11.209.137, mask: 255.255.255.255
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE SA MM:675de3c2 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE SA MM:675de3c2 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, sending delete/delete with reason message
IPSEC: Destroy current outbound SPI: 0x0163FBC6
IPSEC: Deleted outbound encrypt rule, SPI 0x0163FBC6
Rule ID: 0xCB7800D0
IPSEC: Deleted outbound permit rule, SPI 0x0163FBC6
Rule ID: 0xCB77C290
IPSEC: Deleted outbound VPN context, SPI 0x0163FBC6
VPN handle: 0x009B1094
IPSEC: Destroy current inbound SPI: 0xEA99568C
IPSEC: Deleted inbound decrypt rule, SPI 0xEA99568C
Rule ID: 0xCB774488
IPSEC: Deleted inbound permit rule, SPI 0xEA99568C
Rule ID: 0xCB786CD0
IPSEC: Deleted inbound tunnel flow rule, SPI 0xEA99568C
Rule ID: 0xCB7C9290
IPSEC: Deleted inbound VPN context, SPI 0xEA99568C
VPN handle: 0x009CAE34
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing blank hash payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IKE delete payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing qm hash payload
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: CFB9C6D8
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
0f fc 33 a3 73 7c 5b 49 c9 89 6b 6f a6 52 b4 b8
73 99 04 4d
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
8c b0 35 30 93 f0 b3 f1 c2 e3 5d 67 aa 09 dd c0
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: D8C6B9CF
Length: 84
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
RECV PACKET from 185.11.209.137
ISAKMP Header
Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 2CA3658B
Length: 84
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
Jul 17 10:47:08 [IKEv1]: Ignoring msg to mark SA with dsID 266240 dead because SA deleted
07-17-2014 01:17 AM
Hi,
But here it says that the connection was deleted because the user requested it.
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
Jul 17 10:47:08 [IKEv1]: Ignoring msg to mark SA with dsID 266240 dead because SA deleted
Regards
Karthik
07-17-2014 02:17 AM
Hi Karthik,
Well, it does, but the user hasn't really requested it; Windows 8, I guess, times out or something. On the Windows side there is an error code 809 - NAT / firewall preventing the connection.
debug acl - doesn't give any output.
Any ideas..? :(
07-17-2014 02:38 AM
Can you enable NAT traversal on your device and check?
Regards
Karthik
07-17-2014 03:20 AM
It is enabled on my Cisco ASA device. I also tried to disable it, but the result was the same.
02-26-2019 05:13 AM
It's an old post, but I hope you can still help with this.
Were you able to fix this problem?
@olesiaodmitrieva wrote:
It is enabled on my Cisco ASA device. I also tried to disable it, but the result was the same.
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)
Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing hash payload
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing delete
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, Active unit receives a delete event for remote peer <client ip>.
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 389120
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 MIB Table succeeded for SA with logical ID 389120
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE Deleting SA: Remote Proxy <client ip>, Local Proxy <ASA IP>
Feb 26 15:42:14 [IKEv1]MSG_FSM_QM lookup failed (handle 1)!
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE SA MM:83dac607 terminating: flags 0x01000802, refcnt 0, tuncnt 0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
Feb 26 15:42:14 [IKEv1]Ignoring msg to mark SA with dsID 389120 dead because SA deleted
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
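An added example (not part of any post in this thread): a short Python parser run over excerpts of the two ASA IKEv1 debug captures above, reporting which side sent the first DELETE and how long the SA stayed up after PHASE 2 COMPLETED. The function names are hypothetical, and the year used when parsing timestamps is an arbitrary placeholder because the log lines carry none.

```python
import re
from datetime import datetime

# Excerpts from the two debug captures posted in this thread (2014 and 2019).
# The 2019 capture has no ": " after the "[IKEv1]" tag, so the parser accepts both forms.
CAPTURE_2014 = """\
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 1 COMPLETED
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, L2TP/IPSec session detected.
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 2 COMPLETED (msgid=00000001)
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=c85d6002) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Connection terminated for peer 185.11.209.137. Reason: Peer Terminate Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
"""

CAPTURE_2019 = """\
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)
Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
"""

# Timestamp, "[IKEv1]" / "[IKEv1 DEBUG]" / "[IKEv1 DECODE]" tag, optional ":", then the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[IKEv1(?: (?:DEBUG|DECODE))?\]:?\s*(?P<body>.*)$"
)


def parse_events(text):
    """Return (timestamp, message) pairs; payload dumps and IPSEC: lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The log has no year; 2000 is an arbitrary placeholder so deltas can be computed.
        ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("body")))
    return events


def summarize(text):
    """Collect the facts a reader needs to see who ended the session and when."""
    s = {"group": None, "crypto_map": None, "l2tp": False, "phase1": None,
         "phase2": None, "first_delete": None, "first_delete_from": None,
         "reasons": [], "seconds_up": None}
    for ts, body in parse_events(text):
        if s["group"] is None and (m := re.search(r"Group = ([^,]+),", body)):
            s["group"] = m.group(1)
        if m := re.search(r"configured for crypto map: (\S+)", body):
            s["crypto_map"] = m.group(1)
        if "L2TP/IPSec session detected" in body:
            s["l2tp"] = True
        if "PHASE 1 COMPLETED" in body:
            s["phase1"] = ts
        if "PHASE 2 COMPLETED" in body:
            s["phase2"] = ts
        m = re.search(r"IKE_DECODE (RECEIVED|SENDING) Message .*\bDELETE \(12\)", body)
        if m and s["first_delete"] is None:
            # RECEIVED means the peer asked for the teardown; SENDING means the ASA did.
            s["first_delete"] = ts
            s["first_delete_from"] = "peer" if m.group(1) == "RECEIVED" else "local"
        if m := re.search(r"Connection terminated for peer .*?Reason: (.+?) Remote Proxy", body):
            s["reasons"].append(m.group(1))
        if m := re.search(r"Session is being torn down\. Reason: (.+)$", body):
            s["reasons"].append(m.group(1).strip())
    if s["phase2"] and s["first_delete"]:
        s["seconds_up"] = (s["first_delete"] - s["phase2"]).total_seconds()
    return s


if __name__ == "__main__":
    for name, capture in (("2014", CAPTURE_2014), ("2019", CAPTURE_2019)):
        r = summarize(capture)
        print(f"{name}: group={r['group']} crypto_map={r['crypto_map']} l2tp={r['l2tp']} "
              f"first DELETE from {r['first_delete_from']} after {r['seconds_up']}s, "
              f"reasons={r['reasons']}")
```

In both captures the first DELETE is a RECEIVED message, so the "User Requested" teardown line follows a delete sent by the peer rather than one started on the ASA.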