
ipsec tunnel problem

Hello!

 

I'm configuring an L2TP/IPsec tunnel for remote access between Windows 8 and a Cisco ASA 5505 (version 8.2).

IKE Phase 1 and 2 are completed successfully; after 30 seconds the channel goes down with the following error:


%ASA-5-713050: Connection terminated for peer IP_address. Reason: termination reason Remote Proxy IP_address, Local Proxy IP_address

 

Could you please help me to solve this?

access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any

access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0

ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside

group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes
 address-pool ipsecpool
 default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

 

 

nkarthikeyan
Level 7

Hi,

 

This might be due to timeout problems. This might be due to problems at the Windows end as well.

 

Error Message: %ASA-5-713050: Connection terminated for peer IP_address. Reason: termination reason Remote Proxy IP_address, Local Proxy IP_address

Explanation: An IPsec tunnel has been terminated. Possible termination reasons include:
IPsec SA Idle Timeout
IPsec SA Max Time Exceeded
Administrator Reset
Administrator Reboot
Administrator Shutdown
Session Disconnected
Session Error Terminated
Peer Terminate

Recommended Action: None required.
 
Regards
Karthik

Hi nkarthikeyan ,

The Windows side, in its turn, gives error 809, briefly:

connection between the PC and the VPN could not be established (due to firewalls, NAT, etc.). In my setup the PC from which I'm trying to get the VPN working is connected to a switch, and the switch is connected to the firewall's outside port. The PC's and the firewall's IP addresses are in the same subnet; the PC can ping the firewall, but the firewall can't ping the PC (could that be an issue)?

regards,

olesia

Hi,

 

Can you set the vpn session timeout as none and check.

 

hostname(config)#group-policy DefaultRAGroup attributes
hostname(config-group-policy)#vpn-session-timeout none

 

Regards

Karthik

Hi nkarthikeyan,

I have added the lines you suggested but the result is still the same, the same error.

 

Here is the whole running config:

 

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name senseg.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.25.0 vpn
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 185.11.209.139 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif senseg-guest
 security-level 50
 ip address 172.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup senseg-guest
dns server-group DefaultDNS
 name-server 185.11.208.11
 name-server 185.11.211.11
 domain-name domain.com
object-group network user
 network-object 192.168.23.0 255.255.255.0
object-group network guest
 network-object 172.20.0.0 255.255.255.0
object-group service outside_webpage tcp
 port-object eq 65000
object-group service DM_INLINE_TCP_1 tcp
 group-object outside_webpage
 port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
access-list allow_user extended permit icmp any any
access-list allow_user extended permit tcp object-group user any eq ftp
access-list allow_user extended permit tcp object-group user any eq ssh
access-list allow_user extended permit tcp object-group user any eq www
access-list allow_user extended permit tcp object-group user any eq https
access-list allow_user extended permit tcp object-group user any eq smtp
access-list allow_user extended permit tcp object-group user any eq imap4
access-list allow_user extended permit tcp object-group user any eq domain
access-list allow_user extended permit tcp object-group user any eq 37
access-list allow_user extended permit tcp object-group user any eq 123
access-list allow_user extended permit tcp object-group user any eq 465
access-list allow_user extended permit tcp object-group user any eq 993
access-list allow_user extended permit tcp object-group user any eq 995
access-list allow_user extended permit udp object-group user any eq domain
access-list allow_user extended permit udp object-group user any eq time
access-list allow_user extended permit udp object-group user any eq 587
access-list allow_user extended permit udp object-group user any eq 4500
access-list allow_user extended permit udp object-group user any eq isakmp
access-list allow_user extended permit udp object-group user any eq ntp
access-list allow_user extended permit tcp object-group user 192.168.24.0 255.255.255.0 eq pptp
access-list allow_guest extended permit tcp object-group guest any eq ftp
access-list allow_guest extended permit tcp object-group guest any eq www
access-list allow_guest extended permit tcp object-group guest any eq https
access-list allow_guest extended permit tcp object-group guest any eq ssh
access-list allow_guest extended permit tcp object-group guest any eq imap4
access-list allow_guest extended permit tcp object-group guest any eq 465
access-list allow_guest extended permit tcp object-group guest any eq 993
access-list allow_guest extended permit tcp object-group guest any eq 995
access-list allow_guest extended permit tcp object-group guest any eq 37
access-list allow_guest extended permit tcp object-group guest any eq domain
access-list allow_guest extended permit tcp object-group guest any eq 123
access-list allow_guest extended permit udp object-group guest any eq ntp
access-list allow_guest extended permit udp object-group guest any eq time
access-list allow_guest extended permit udp object-group guest any eq domain
access-list allow_guest extended permit udp object-group guest any eq 4500
access-list allow_guest extended permit udp object-group guest any eq isakmp
access-list allow_guest extended permit icmp any any
access-list allow_guest extended permit tcp object-group guest any eq smtp
access-list allow_guest extended permit udp object-group guest any eq 587
access-list 100 extended permit esp any any
access-list 100 extended permit ah any any
access-list 100 extended permit udp any eq isakmp any eq isakmp
access-list 100 extended permit udp any eq 4500 any eq 4500
access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 10.0.0.0 interface outside
access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit tcp any 185.11.209.136 255.255.255.248 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
pager lines 24
logging enable
logging console emergencies
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu senseg-guest 1500
ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0
ip local pool vpn_anyconnect 10.0.0.0-10.0.0.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group allow_user out interface inside
access-group outside_access_in in interface outside
access-group allow_guest out interface senseg-guest
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 20
management-access inside
dhcpd dns 185.11.208.11 185.11.211.11
dhcpd domain domain.com
!
dhcpd address 192.168.23.5-192.168.23.132 inside
dhcpd enable inside
!
dhcpd address 172.20.0.5-172.20.0.25 senseg-guest
dhcpd enable senseg-guest
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server none
 dns-server value 185.11.208.11 185.11.211.11
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value domain.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
 vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value domain.com
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username test attributes
 vpn-group-policy DefaultRAGroup
username Tuomas password EdqK3SPjK4Ye1g5t encrypted privilege 15
username Olesia password lV0pt/lMWuzH/V0i encrypted privilege 15
username Olesia attributes
 webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
 address-pool ipsecpool
 default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool vpn_anyconnect
 default-group-policy VpnAnyConnect
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
!

prompt hostname context
no call-home reporting anonymous

 

Sorry, you should apply it to the group policy that you have used for your L2TP VPN. Here I guess it should be l2tp_ipsec.

 

group-policy l2tp_ipsec attributes
 vpn-session-timeout none
!

Try and let me know if this helps

 

Regards

Karthik

hi :)

Yes, I have added that to another group policy as well. Now I'm getting another error (due to the AnyConnect configuration added, I believe): error 789 - cannot negotiate L2TP security settings, phase 1 complete but

"A tunnel was dropped because the allowed tunnel specified in the group policy was different from the allowed tunnel in the tunnel group configuration."

 

!
hostname ciscoasa
domain-name senseg.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.25.0 vpn
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 185.11.209.139 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif senseg-guest
 security-level 50
 ip address 172.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup senseg-guest
dns server-group DefaultDNS
 name-server 185.11.208.11
 name-server 185.11.211.11
 domain-name senseg.com
object-group network user
 network-object 192.168.23.0 255.255.255.0
object-group network guest
 network-object 172.20.0.0 255.255.255.0
object-group service outside_webpage tcp
 port-object eq 65000
object-group service DM_INLINE_TCP_1 tcp
 group-object outside_webpage
 port-object eq https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
access-list allow_user extended permit icmp any any
access-list allow_user extended permit tcp object-group user any eq ftp
access-list allow_user extended permit tcp object-group user any eq ssh
access-list allow_user extended permit tcp object-group user any eq www
access-list allow_user extended permit tcp object-group user any eq https
access-list allow_user extended permit tcp object-group user any eq smtp
access-list allow_user extended permit tcp object-group user any eq imap4
access-list allow_user extended permit tcp object-group user any eq domain
access-list allow_user extended permit tcp object-group user any eq 37
access-list allow_user extended permit tcp object-group user any eq 123
access-list allow_user extended permit tcp object-group user any eq 465
access-list allow_user extended permit tcp object-group user any eq 993
access-list allow_user extended permit tcp object-group user any eq 995
access-list allow_user extended permit udp object-group user any eq domain
access-list allow_user extended permit udp object-group user any eq time
access-list allow_user extended permit udp object-group user any eq 587
access-list allow_user extended permit udp object-group user any eq 4500
access-list allow_user extended permit udp object-group user any eq isakmp
access-list allow_user extended permit udp object-group user any eq ntp
access-list allow_user extended permit tcp object-group user 192.168.24.0 255.255.255.0 eq pptp
access-list allow_guest extended permit tcp object-group guest any eq ftp
access-list allow_guest extended permit tcp object-group guest any eq www
access-list allow_guest extended permit tcp object-group guest any eq https
access-list allow_guest extended permit tcp object-group guest any eq ssh
access-list allow_guest extended permit tcp object-group guest any eq imap4
access-list allow_guest extended permit tcp object-group guest any eq 465
access-list allow_guest extended permit tcp object-group guest any eq 993
access-list allow_guest extended permit tcp object-group guest any eq 995
access-list allow_guest extended permit tcp object-group guest any eq 37
access-list allow_guest extended permit tcp object-group guest any eq domain
access-list allow_guest extended permit tcp object-group guest any eq 123
access-list allow_guest extended permit udp object-group guest any eq ntp
access-list allow_guest extended permit udp object-group guest any eq time
access-list allow_guest extended permit udp object-group guest any eq domain
access-list allow_guest extended permit udp object-group guest any eq 4500
access-list allow_guest extended permit udp object-group guest any eq isakmp
access-list allow_guest extended permit icmp any any
access-list allow_guest extended permit tcp object-group guest any eq smtp
access-list allow_guest extended permit udp object-group guest any eq 587
access-list 100 extended permit esp any any
access-list 100 extended permit ah any any
access-list 100 extended permit udp any eq isakmp any eq isakmp
access-list 100 extended permit udp any eq 4500 any eq 4500
access-list outside_nat0_outbound extended permit ip object-group user 192.168.24.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 10.0.0.0 interface outside
access-list outside_cryptomap_65535.1 extended permit ip any any
access-list outside_access_in extended permit tcp any 185.11.209.136 255.255.255.248 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
pager lines 24
logging enable
logging console emergencies
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu senseg-guest 1500
ip local pool ipsecpool 192.168.24.10-192.168.24.100 mask 255.255.255.0
ip local pool vpn_anyconnect 10.0.0.0-10.0.0.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.23.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
nat (senseg-guest) 1 172.20.0.0 255.255.255.0
access-group allow_user out interface inside
access-group outside_access_in in interface outside
access-group allow_guest out interface senseg-guest
route outside 0.0.0.0 0.0.0.0 185.11.209.137 1
route outside 0.0.0.0 0.0.0.0 192.168.24.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA1-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES256-SHA1-TRANS ESP-AES128-SHA1-TRANS ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map0 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map0 1 set transform-set ESP-AES128-SHA1-TRANS ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-AES128-SHA1-TRANS ESP-DES-MD5 ESP-AES256-SHA1-TRANS ESP-AES256-SHA1
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 20
management-access inside
dhcpd dns 185.11.208.11 185.11.211.11
dhcpd domain senseg.com
!
dhcpd address 192.168.23.5-192.168.23.132 inside
dhcpd enable inside
!
dhcpd address 172.20.0.5-172.20.0.25 senseg-guest
dhcpd enable senseg-guest
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server none
 dns-server value 185.11.208.11 185.11.211.11
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value senseg.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
 vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value senseg.com
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username test attributes
 vpn-group-policy DefaultRAGroup
username Tuomas password EdqK3SPjK4Ye1g5t encrypted privilege 15
username Olesia password lV0pt/lMWuzH/V0i encrypted privilege 15
username Olesia attributes
 webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
 address-pool ipsecpool
 default-group-policy l2tp_ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool vpn_anyconnect
 default-group-policy VpnAnyConnect
tunnel-group 185.11.209.137 type ipsec-l2l
tunnel-group 185.11.209.137 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d4016f74a878a5eacebb4123271a676
: end

 

you can remove the previously done config which was mapped to anyconnect....

hostname(config)#group-policy DefaultRAGroup attributes
hostname(config-group-policy)#no vpn-session-timeout none

Regards

Karthik
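The error quoted in this exchange concerns which `vpn-tunnel-protocol` list a connection ends up with, so the following added example (not code from any poster or from Cisco) resolves the effective group policy for each tunnel-group and user in the posted configuration. The function names are hypothetical; the fallback to `DfltGrpPolicy` when no policy is set, the precedence of a user's `vpn-group-policy`, and the requirement that an `ipsec-l2l` group be allowed `IPSec` are assumptions about ASA 8.2 behaviour.

```python
# Added example: resolves which group-policy, and so which vpn-tunnel-protocol
# list, applies to each tunnel-group and user in an ASA 8.2 running-config.
# SAMPLE_CONFIG is a constructed excerpt of the configuration posted above.
SAMPLE_CONFIG = """\
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-session-timeout none
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy VpnAnyConnect internal
group-policy VpnAnyConnect attributes
 vpn-tunnel-protocol svc
group-policy l2tp_ipsec internal
group-policy l2tp_ipsec attributes
 vpn-tunnel-protocol l2tp-ipsec
username test attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool ipsecpool
 default-group-policy l2tp_ipsec
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 default-group-policy VpnAnyConnect
tunnel-group 185.11.209.137 type ipsec-l2l
tunnel-group 185.11.209.137 ipsec-attributes
 pre-shared-key *****
"""

FALLBACK_POLICY = "DfltGrpPolicy"  # assumption: applies when nothing else is set


def parse(config):
    """Return (policies, tunnel_groups, users) from running-config text."""
    policies, groups, users = {}, {}, {}
    section = None  # (kind, name) of the block that indented lines belong to
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw.startswith(" "):
            section = None
            if words[0] == "group-policy" and len(words) >= 3:
                policies.setdefault(words[1], None)
                if words[2] == "attributes":
                    section = ("policy", words[1])
            elif words[0] == "tunnel-group" and len(words) >= 3:
                g = groups.setdefault(words[1], {"type": None, "policy": None})
                if words[2] == "type" and len(words) >= 4:
                    g["type"] = words[3]
                elif words[2] == "general-attributes":
                    section = ("group", words[1])
            elif words[0] == "username" and words[2:3] == ["attributes"]:
                section = ("user", words[1])
        elif section and len(words) >= 2:
            kind, name = section
            if kind == "policy" and words[0] == "vpn-tunnel-protocol":
                policies[name] = {w.lower() for w in words[1:]}
            elif kind == "group" and words[0] == "default-group-policy":
                groups[name]["policy"] = words[1]
            elif kind == "user" and words[0] == "vpn-group-policy":
                users[name] = words[1]
    return policies, groups, users


def policy_for(config, tunnel_group, user=None):
    """Effective (policy name, allowed protocols) for a connection."""
    policies, groups, users = parse(config)
    name = (users.get(user) or groups.get(tunnel_group, {}).get("policy")
            or FALLBACK_POLICY)
    allowed = policies.get(name)
    if allowed is None:  # no protocol list on this policy: inherit the fallback
        allowed = policies.get(FALLBACK_POLICY)
    return name, allowed


def audit(config):
    """Flag ipsec-l2l tunnel groups whose effective policy omits IPSec."""
    _, groups, _ = parse(config)
    findings = []
    for gname, g in groups.items():
        if g["type"] != "ipsec-l2l":
            continue
        pname, allowed = policy_for(config, gname)
        # Assumption (8.2 keywords): a LAN-to-LAN peer needs 'IPSec' allowed.
        if allowed is not None and "ipsec" not in allowed:
            findings.append((gname, pname, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for group in ("DefaultRAGroup", "AnyConnect", "185.11.209.137"):
        print(group, policy_for(SAMPLE_CONFIG, group))
    print("user test:", policy_for(SAMPLE_CONFIG, "DefaultRAGroup", "test"))
    print("findings:", audit(SAMPLE_CONFIG))
```

On the sample, the only finding is the `ipsec-l2l` tunnel group 185.11.209.137, which names no group policy and therefore resolves to `DfltGrpPolicy`, where only `webvpn` is allowed.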

Hello Karthik,

Yes, I have changed it but it actually has no impact on the error I'm getting.

If it is a NAT / access-list issue, it should be displayed in the debug output, but I'm not getting anything reasonable; here it is:

 

Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 7
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing ISAKMP SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing Fragmentation VID + extended capabilities payload
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104

ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 104
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 52
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 40
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 32
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 70 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 212
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      b9 eb ea 03 ce 09 38 2a 8d c2 38 48 85 8c 24 ff
      24 9a bf 61 61 3a c0 d0 89 4a 28 7b f5 8a ce be
      6d 22 41 c1 d7 b4 85 9f d4 4c 48 b5 c5 33 13 28
      8d a5 f5 fb cf e7 0e 8b 1f 69 47 43 c0 07 84 b4
      0a a7 7b 97 05 01 e8 7b 0f 49 e3 3c ef 6f c2 29
      e7 13 33 0f 64 4b 4b 91 6d 1d bd 84 b1 80 d7 1b
      64 9c 23 6f cb 91 a5 9d 0a b5 92 70 e2 72 46 25
      6d 41 72 ab 30 fd fa 5c f1 0d d3 6c cd 64 f0 3a
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 52
    Data:
      2a 65 e8 17 bf 4c 4a 86 4a 3f 50 f0 cf 9d 91 ba
      8b f1 24 76 8f 96 99 f8 e4 23 73 05 f1 3f ee ae
      90 0c 81 d9 bc f3 d2 a2 07 b8 e9 6f 87 b1 01 5c
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 212
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing ke payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing ISA_KE payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, processing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing ke payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing Cisco Unity VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing xauth V6 VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Send IOS VID
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, constructing VID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: IP = 185.11.209.137, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating keys for Responder...
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 256
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      6b 24 c9 cb bb 7e 33 12 c2 04 d4 47 47 d8 8e 71
      17 66 fe 71 dc bd 92 6a 33 fc 73 db 74 b5 ed 0b
      58 64 db 66 7f 13 89 ad 3e 76 b3 87 c7 5c be 7a
      fb c5 30 a6 58 39 eb 2a f7 17 51 8f 49 e3 d0 60
      41 7a 17 e6 9a 45 3a ac 12 9d 29 d6 28 f7 e1 8b
      76 4f f6 bb 78 3e 75 b8 38 0d 0c 99 d3 1a a2 0e
      db 30 4c 74 45 b2 d9 51 97 f0 c7 33 69 77 7c 59
      bc d6 63 01 c2 93 45 2c a4 f2 48 0e 7c 1d a0 0f
  Payload Nonce
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      d5 72 42 9f 5b 79 47 e5 a1 2b 69 43 31 e1 c8 24
      14 c3 ad 3f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      37 24 fa 7a aa 08 dd c0 2a b9 13 d8 75 e7 ac 62
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: 185.11.209.137
  Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      48 ea 64 7e a3 a7 8a a0 8f 05 9a 88 84 cf f1 69
      37 63 3d a0
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Computing hash for ISAKMP
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing ID payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Computing hash for ISAKMP
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing dpd vid payload
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: 185.11.209.139
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      66 5d 7d 02 6c 46 fa 25 9f 8a 88 3b a0 1c bb 61
      99 c2 85 0e
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 84
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 1 COMPLETED
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Keep-alive type for this connection: None
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Keep-alives configured on but peer does not support keep-alives (type = None)
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Starting P1 rekey timer: 21600 seconds.

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 308
Jul 17 10:46:33 [IKEv1 DECODE]: IP = 185.11.209.137, IKE Responder starting QM: msg id = 00000001

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 308
  Payload Hash
    Next Payload: Security Association
    Reserved: 00
    Payload Length: 24
    Data:
      a0 38 d3 f2 d7 a1 f1 05 18 27 48 a8 84 38 0e c2
      f6 c5 99 54
  Payload Security Association
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 172
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: Proposal
      Reserved: 00
      Payload Length: 56
      Proposal #: 1
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 01 63 fb c6
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 44
        Transform #: 1
        Transform-Id: ESP_AES
        Reserved2: 0000
        Encapsulation Mode: Transport
        Key Length: 128
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
    Payload Proposal
      Next Payload: Proposal
      Reserved: 00
      Payload Length: 52
      Proposal #: 2
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 01 63 fb c6
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: ESP_3DES
        Reserved2: 0000
        Encapsulation Mode: Transport
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 52
      Proposal #: 3
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: 01 63 fb c6
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: ESP_DES
        Reserved2: 0000
        Encapsulation Mode: Transport
        Authentication Algorithm: SHA1
        Life Type: Seconds
        Life Duration (Hex): 00 00 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 52
    Data:
      f8 6e d7 36 f9 f0 ee e0 ba c2 cc ad 9f 10 3e 39
      15 74 8b cd 89 74 b3 fd b9 74 0b 99 b0 c8 73 2d
      26 57 8f 80 58 5f dc 39 6b 21 80 d0 51 61 29 ee
  Payload Identification
    Next Payload: Identification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 185.11.209.137
  Payload Identification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 185.11.209.139
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 300
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.137
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Received remote Proxy Host data in ID Payload:  Address 185.11.209.137, Protocol 17, Port 1701
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing ID payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, ID_IPV4_ADDR ID received
185.11.209.139
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Received local Proxy Host data in ID Payload:  Address 185.11.209.139, Protocol 17, Port 1701
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, L2TP/IPSec session detected.
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, QM IsRekeyed old sa not found by addr
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing IPSec SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 65535
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE: requesting SPI!
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0xC9F50FF8,
    SCB: 0xC9F4C200,
    Direction: inbound
    SPI      : 0xEA99568C
    Session ID: 0x00041000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE got SPI from key engine: SPI = 0xea99568c
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, oakley constucting quick mode
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing blank hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IPSec SA payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IPSec nonce payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing proxy ID
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Transmitting Proxy Id:
  Remote host: 185.11.209.137  Protocol 17  Port 1701
  Local host:  185.11.209.139  Protocol 17  Port 1701
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing qm hash payload
Jul 17 10:46:33 [IKEv1 DECODE]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Responder sending 2nd QM pkt: msg id = 00000001
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (none)
  MessageID: 01000000
  Length: 469762048
  Payload Hash
    Next Payload: Security Association
    Reserved: 00
    Payload Length: 24
    Data:
      70 e2 38 71 7b 55 88 46 39 ff 4a 98 f4 09 c7 90
      02 57 e9 20
  Payload Security Association
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 64
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 52
      Proposal #: 1
      Protocol-Id: PROTO_IPSEC_ESP
      SPI Size: 4
      # of transforms: 1
      SPI: ea 99 56 8c
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: ESP_AES
        Reserved2: 0000
        Life Type: Seconds
        Life Duration (Hex): 0e 10
        Life Type: Kilobytes
        Life Duration (Hex): 00 03 d0 90
        Encapsulation Mode: Transport
        Authentication Algorithm: SHA1
        Key Length: 128
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      98 80 42 be d9 81 9b 82 50 d8 fe 95 0f 54 09 58
      e1 f8 ca 88
  Payload Identification
    Next Payload: Identification
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 185.11.209.137
  Payload Identification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 1701
    ID Data: 185.11.209.139

ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 164

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 60

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 00000001
  Length: 60
  Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      97 97 ac 44 16 f6 5b a7 f0 58 ff 27 d8 40 a6 9e
      f2 92 dc ab
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, loading all IPSEC SAs
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating Quick Mode Key!
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=cb77dff0; rule=00000000
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Generating Quick Mode Key!
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x0163FBC6
IPSEC: New embryonic SA created @ 0xC9F4E7B0,
    SCB: 0xCB4964D0,
    Direction: outbound
    SPI      : 0x0163FBC6
    Session ID: 0x00041000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x0163FBC6
IPSEC: Creating outbound VPN context, SPI 0x0163FBC6
    Flags: 0x00000205
    SA   : 0xC9F4E7B0
    SPI  : 0x0163FBC6
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x1DF00BAF
    Channel: 0xC6A93A40
IPSEC: Completed outbound VPN context, SPI 0x0163FBC6
    VPN handle: 0x009B1094
IPSEC: New outbound encrypt rule, SPI 0x0163FBC6
    Src addr: 185.11.209.139
    Src mask: 255.255.255.255
    Dst addr: 185.11.209.137
    Dst mask: 255.255.255.255
    Src ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Dst ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x0163FBC6
    Rule ID: 0xCB7800D0
IPSEC: New outbound permit rule, SPI 0x0163FBC6
    Src addr: 185.11.209.139
    Src mask: 255.255.255.255
    Dst addr: 185.11.209.137
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x0163FBC6
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x0163FBC6
    Rule ID: 0xCB77C290
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=cb77dff0; rule=00000000
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Security negotiation complete for LAN-to-LAN Group (185.11.209.137)  Responder, Inbound SPI = 0xea99568c, Outbound SPI = 0x0163fbc6
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE got a KEY_ADD msg for SA: SPI = 0x0163fbc6
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0xEA99568C
IPSEC: Completed host IBSA update, SPI 0xEA99568C
IPSEC: Creating inbound VPN context, SPI 0xEA99568C
    Flags: 0x00000206
    SA   : 0xC9F50FF8
    SPI  : 0xEA99568C
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x009B1094
    SCB  : 0x1DECE78F
    Channel: 0xC6A93A40
IPSEC: Completed inbound VPN context, SPI 0xEA99568C
    VPN handle: 0x009CAE34
IPSEC: Updating outbound VPN context 0x009B1094, SPI 0x0163FBC6
    Flags: 0x00000205
    SA   : 0xC9F4E7B0
    SPI  : 0x0163FBC6
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x009CAE34
    SCB  : 0x1DF00BAF
    Channel: 0xC6A93A40
IPSEC: Completed outbound VPN context, SPI 0x0163FBC6
    VPN handle: 0x009B1094
IPSEC: Completed outbound inner rule, SPI 0x0163FBC6
    Rule ID: 0xCB7800D0
IPSEC: Completed outbound outer SPD rule, SPI 0x0163FBC6
    Rule ID: 0xCB77C290
IPSEC: New inbound tunnel flow rule, SPI 0xEA99568C
    Src addr: 185.11.209.137
    Src mask: 255.255.255.255
    Dst addr: 185.11.209.139
    Dst mask: 255.255.255.255
    Src ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Dst ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xEA99568C
    Rule ID: 0xCB7C9290
IPSEC: New inbound decrypt rule, SPI 0xEA99568C
    Src addr: 185.11.209.137
    Src mask: 255.255.255.255
    Dst addr: 185.11.209.139
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEA99568C
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xEA99568C
    Rule ID: 0xCB774488
IPSEC: New inbound permit rule, SPI 0xEA99568C
    Src addr: 185.11.209.137
    Src mask: 255.255.255.255
    Dst addr: 185.11.209.139
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEA99568C
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xEA99568C
    Rule ID: 0xCB786CD0
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Pitcher: received KEY_UPDATE, spi 0xea99568c
Jul 17 10:46:33 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Starting P2 rekey timer: 3420 seconds.
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 2 COMPLETED (msgid=00000001)
Jul 17 10:46:33 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <185.11.209.137> mask <0xFFFFFFFF> port <1701>

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: C85D6002
  Length: 76

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: C85D6002
  Length: 76
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
      20 b5 e7 9a 04 64 0e 90 26 3d 98 28 fd 1e 74 3a
      36 28 4b 5d
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 16
    DOI: IPsec
    Protocol-ID: PROTO_IPSEC_ESP
    Spi Size: 4
    # of SPIs: 1
    SPI (Hex dump): 01 63 fb c6
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=c85d6002) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing hash payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, processing delete
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Connection terminated for peer 185.11.209.137.  Reason: Peer Terminate  Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, Active unit receives a delete event for remote peer 185.11.209.137.

Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Deleting SA: Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Deleting static route for L2L peer that came in on a dynamic map. address: 185.11.209.137, mask: 255.255.255.255
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE SA MM:675de3c2 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, IKE SA MM:675de3c2 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, sending delete/delete with reason message
IPSEC: Destroy current outbound SPI: 0x0163FBC6
IPSEC: Deleted outbound encrypt rule, SPI 0x0163FBC6
    Rule ID: 0xCB7800D0
IPSEC: Deleted outbound permit rule, SPI 0x0163FBC6
    Rule ID: 0xCB77C290
IPSEC: Deleted outbound VPN context, SPI 0x0163FBC6
    VPN handle: 0x009B1094
IPSEC: Destroy current inbound SPI: 0xEA99568C
IPSEC: Deleted inbound decrypt rule, SPI 0xEA99568C
    Rule ID: 0xCB774488
IPSEC: Deleted inbound permit rule, SPI 0xEA99568C
    Rule ID: 0xCB786CD0
IPSEC: Deleted inbound tunnel flow rule, SPI 0xEA99568C
    Rule ID: 0xCB7C9290
IPSEC: Deleted inbound VPN context, SPI 0xEA99568C
    VPN handle: 0x009CAE34
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing blank hash payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing IKE delete payload
Jul 17 10:47:08 [IKEv1 DEBUG]: Group = 185.11.209.137, IP = 185.11.209.137, constructing qm hash payload
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: CFB9C6D8
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
      0f fc 33 a3 73 7c 5b 49 c9 89 6b 6f a6 52 b4 b8
      73 99 04 4d
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):
      8c b0 35 30 93 f0 b3 f1 c2 e3 5d 67 aa 09 dd c0

ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: D8C6B9CF
  Length: 84
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c

 RECV PACKET from 185.11.209.137
ISAKMP Header
  Initiator COOKIE: 8c b0 35 30 93 f0 b3 f1
  Responder COOKIE: c2 e3 5d 67 aa 09 dd c0
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 2CA3658B
  Length: 84
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
Jul 17 10:47:08 [IKEv1]: Ignoring msg to mark SA with dsID 266240 dead because SA deleted

 

Hi,

 

But here it says that the connection was deleted because the user requested it.

Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c
Jul 17 10:47:08 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xea99568c

Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
Jul 17 10:47:08 [IKEv1]: Ignoring msg to mark SA with dsID 266240 dead because SA deleted

Regards

Karthik

Hi Karthik,

Well, it does, but the user hasn't really requested it; Windows 8, I guess, times out or something. On the Windows side there is an error code 809 - NAT / firewall preventing the connection.

 

debug acl - doesn't give any output.

Any ideas..? :(
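One way to read the teardown order out of debug output like the excerpts posted in this thread, added here as an example that is not part of any post: the script below pulls the tunnel group, the crypto map, the time between PHASE 2 COMPLETED and the first DELETE, and which side sent that DELETE. The function and variable names are my own, and the sample lines are copied from the two debug excerpts on this page.

```python
import re
from datetime import datetime

# Timestamped lines copied from the first debug post in this thread.
SAMPLE_FIRST = """\
Jul 17 10:46:33 [IKEv1]: IP = 185.11.209.137, Connection landed on tunnel_group 185.11.209.137
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 1 COMPLETED
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jul 17 10:46:33 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, PHASE 2 COMPLETED (msgid=00000001)
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE RECEIVED Message (msgid=c85d6002) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Connection terminated for peer 185.11.209.137.  Reason: Peer Terminate  Remote Proxy 185.11.209.137, Local Proxy 185.11.209.139
Jul 17 10:47:08 [IKEv1]: IP = 185.11.209.137, IKE_DECODE SENDING Message (msgid=d8c6b9cf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 17 10:47:08 [IKEv1]: Group = 185.11.209.137, IP = 185.11.209.137, Session is being torn down. Reason: User Requested
"""

# Lines copied from the later (Feb 26) excerpt; this format has no ':' after the tag.
SAMPLE_LATER = """\
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)
Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
"""

# Accepts "[IKEv1]:", "[IKEv1 DEBUG]:" and the colon-less "[IKEv1]" variant.
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1[^\]]*\]:?\s*(.*)$")
GROUP = re.compile(r"(?:Connection landed on tunnel_group |Group = )([^,\s]+)")
CMAP = re.compile(r"configured for crypto map: (\S+)")
PHASE = re.compile(r"PHASE ([12]) COMPLETED")
DELETE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message .*DELETE \(12\)")
REASON = re.compile(r"Reason: (.+?)(?:\s+Remote Proxy\b|$)")


def summarize(log_text):
    """Return the negotiation/teardown facts found in ASA IKEv1 debug lines."""
    s = {"tunnel_group": None, "crypto_map": None, "phase1": None,
         "phase2": None, "first_delete": None, "torn_down_by": None,
         "seconds_up": None, "reasons": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # packet decodes and "IPSEC:" lines carry no timestamp
        # The log has no year; a fixed leap year keeps strptime unambiguous.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if s["tunnel_group"] is None and (g := GROUP.search(msg)):
            s["tunnel_group"] = g.group(1)
        if s["crypto_map"] is None and (c := CMAP.search(msg)):
            s["crypto_map"] = c.group(1)
        if p := PHASE.search(msg):
            s.setdefault("phase" + p.group(1), when)
            if s["phase" + p.group(1)] is None:
                s["phase" + p.group(1)] = when
        if s["first_delete"] is None and (d := DELETE.search(msg)):
            # RECEIVED first means the peer (the Windows client) sent the DELETE.
            s["first_delete"] = when
            s["torn_down_by"] = "peer" if d.group(1) == "RECEIVED" else "asa"
        if r := REASON.search(msg):
            s["reasons"].append(r.group(1))
    if s["phase2"] and s["first_delete"]:
        s["seconds_up"] = int((s["first_delete"] - s["phase2"]).total_seconds())
    return s


if __name__ == "__main__":
    for name, text in (("first", SAMPLE_FIRST), ("later", SAMPLE_LATER)):
        r = summarize(text)
        print(name, r["tunnel_group"], r["crypto_map"], r["torn_down_by"],
              r["seconds_up"], r["reasons"])
```

In both excerpts the first DELETE is one the ASA received, so the "User Requested" line is the ASA's own cleanup that follows the peer's delete.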

Can you enable the NAT traversal in your device and check?

 

Regards

Karthik

It is enabled in my Cisco ASA device. I also tried to disable it but the result was the same.

It's an old post but I hope you can still help with this.

 

Were you able to fix this problem?


@olesiaodmitrieva wrote:

It is enabled in my Cisco ASA device. I also tried to disable it but the result was the same.


 

Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)

 

Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing hash payload
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing delete
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, Active unit receives a delete event for remote peer <client ip>.

Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 389120
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 MIB Table succeeded for SA with logical ID 389120
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE Deleting SA: Remote Proxy <client ip>, Local Proxy <ASA IP>
Feb 26 15:42:14 [IKEv1]MSG_FSM_QM lookup failed (handle 1)!
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE SA MM:83dac607 terminating: flags 0x01000802, refcnt 0, tuncnt 0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
Feb 26 15:42:14 [IKEv1]Ignoring msg to mark SA with dsID 389120 dead because SA deleted
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5