djroh asked: Cisco ASA VPN and Site-to-Site
Cisco ASA VPN cannot be established correctly. Every time I try adding a crypto dynamic-map I get a warning, i.e. "WARNING: Existing map is being linked to dynamic-map: vpn_map. All static attributes in existing map will be inactive!"
My setup is a /30 from the router and a /27 for public IPs. However, I have used one of the /30 IPs as my outside interface. I can't seem to get site-to-site VPN working either. This might be related. Here is my config below; I hope someone can assist me in getting this set up correctly.
ASAFW1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASAFW1
domain-name default.domain.invalid
enable password 5frNYRGa9U2321997hR7jLh encrypted
names
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 216.x.x.166 255.255.255.252
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif eth2
security-level 50
ip address x.x.x.2 255.255.255.252
!
interface Ethernet0/3
speed 10
duplex half
nameif eth3
security-level 50
ip address x.x.x.2 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network encoders
network-object 64.x.x.44 255.255.255.255
network-object 64.x.x.45 255.255.255.255
network-object 64.x.x.46 255.255.255.255
network-object 64.x.x.47 255.255.255.255
network-object 64.x.x.48 255.255.255.255
network-object 64.x.x.59 255.255.255.255
network-object 64.x.x.60 255.255.255.255
network-object 64.x.x.61 255.255.255.255
object-group network ENCACCESS
network-object 193.108.92.0 255.255.255.0
network-object 63.210.47.0 255.255.255.0
network-object 64.15.254.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp object-group ENCACCESS object-group encoders eq www
access-list nonat extended permit ip 192.168.110.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.10.111.0 255.255.255.0
access-list vpn_acl standard permit 192.168.110.0 255.255.255.0
access-list vpn_acl standard permit 10.1.1.0 255.255.255.0
access-list 1vfw1 extended permit ip 192.168.110.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 1vfw1 extended permit ip 192.168.110.0 255.255.255.0 10.1.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu eth2 1500
mtu eth3 1500
mtu management 1500
ip local pool vpn 10.10.111.1-10.10.111.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 64.x.x.37
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.110.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 64.x.x.44 192.168.110.140 netmask 255.255.255.255
static (inside,outside) 64.x.x.45 192.168.110.141 netmask 255.255.255.255
static (inside,outside) 64.x.x.46 192.168.110.142 netmask 255.255.255.255
static (inside,outside) 64.x.x.47 192.168.110.143 netmask 255.255.255.255
static (inside,outside) 64.x.x.48 192.168.110.144 netmask 255.255.255.255
static (inside,outside) 64.x.x.59 192.168.110.137 netmask 255.255.255.255
static (inside,outside) 64.x.x.60 192.168.110.138 netmask 255.255.255.255
static (inside,outside) 64.x.x.61 192.168.110.139 netmask 255.255.255.255
static (inside,outside) 64.x.x.50 192.168.110.150 netmask 255.255.255.255
static (inside,outside) 64.x.x.55 192.168.110.151 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 216.x.x.165 1
route eth3 10.73.249.0 255.255.255.0 x.x.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy NYCVPN internal
group-policy NYCVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_acl
username admin password OUZL9TRQu7Ns/Bzn encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address 1vfw1
crypto map outside_map 20 set peer 72.x.x.77
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 ipsec-isakmp dynamic vpn_map
crypto map outside_map interface outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 72.x.x.77 type ipsec-l2l
tunnel-group 72.x.x.77 ipsec-attributes
pre-shared-key *
tunnel-group NYCVPN type ipsec-ra
tunnel-group NYCVPN general-attributes
address-pool vpn
default-group-policy NYCVPN
tunnel-group NYCVPN ipsec-attributes
pre-shared-key *
telnet 192.168.110.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:13bd243cbeb 122a0ae70e 6954b3f56c 2
: end
What is the exact command though, assuming you're using the priority of 30? I need to test a couple of things out. It works fine on 6.3, but 7.x is a bit different. I just want to know what you're trying to do so I can try to reproduce it.
Also, why are you trying to put two dynmaps on the same crypto map for the same interface? Just curious what you're actually trying to accomplish.
ASKER
I am trying to get VPN working for clients on the road. Every time I try connecting I get this from the Cisco VPN client log:
587 21:59:20.871 07/16/07 Sev=Info/4 CM/0x63100002
Begin connection process
588 21:59:20.886 07/16/07 Sev=Info/4 CM/0x63100004
Establish secure connection
589 21:59:20.886 07/16/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "216.x.x.166"
590 21:59:20.902 07/16/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 216.x.x.166.
591 21:59:20.918 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 216.x.x.166
592 21:59:20.965 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
593 21:59:20.965 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 216.x.x.166
594 21:59:20.980 07/16/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
595 21:59:20.980 07/16/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
596 21:59:20.980 07/16/07 Sev=Info/5 IKE/0x63000001
Peer supports DPD
597 21:59:20.980 07/16/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
598 21:59:20.980 07/16/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
599 21:59:20.996 07/16/07 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
600 21:59:20.996 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 216.x.x.166
601 21:59:20.996 07/16/07 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
602 21:59:20.996 07/16/07 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x057D, Remote Port = 0x1194
603 21:59:20.996 07/16/07 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
604 21:59:20.996 07/16/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
605 21:59:21.043 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
606 21:59:21.043 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 216.x.x.166
607 21:59:21.043 07/16/07 Sev=Info/4 CM/0x63100015
Launch xAuth application
608 21:59:21.136 07/16/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
609 21:59:21.136 07/16/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
610 21:59:25.293 07/16/07 Sev=Info/4 CM/0x63100017
xAuth application returned
611 21:59:25.293 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 216.x.x.166
612 21:59:25.340 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
613 21:59:25.340 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 216.x.x.166
614 21:59:25.340 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 216.x.x.166
615 21:59:25.340 07/16/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
616 21:59:25.371 07/16/07 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
617 21:59:25.371 07/16/07 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
618 21:59:25.371 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 216.x.x.166
619 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
620 21:59:25.418 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 216.x.x.166
621 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.4.4.1
622 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
623 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
624 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003
625 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.110.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
626 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = 10.1.1.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
627 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #3
subnet = 10.1.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
628 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
629 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510-K8 Version 7.2(2)10 built by builders on Wed 31-Jan-07 17:52
630 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
631 21:59:25.418 07/16/07 Sev=Info/4 CM/0x63100019
Mode Config data received
632 21:59:25.433 07/16/07 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.4.4.1, GW IP = 216.x.x.166, Remote IP = 0.0.0.0
633 21:59:25.433 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 216.x.x.166
634 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
635 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 216.x.x.166
636 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
637 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 86395 seconds from now
638 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
639 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 216.x.x.166
640 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
641 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 216.x.x.166
642 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
643 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 216.x.x.166
644 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x63000073
All fragments received.
645 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 216.x.x.166
646 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 216.x.x.166
647 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=6A0F513C
648 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FC97C52416110E85 R_Cookie=0378626844ED6386) reason = DEL_REASON_IKE_NEG_FAILED
649 21:59:25.496 07/16/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.166
650 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=FC97C52416110E85 R_Cookie=0378626844ED6386
651 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 216.x.x.166
652 21:59:25.636 07/16/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
653 21:59:28.636 07/16/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FC97C52416110E85 R_Cookie=0378626844ED6386) reason = DEL_REASON_IKE_NEG_FAILED
654 21:59:28.636 07/16/07 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
655 21:59:28.636 07/16/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
656 21:59:28.636 07/16/07 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
657 21:59:28.636 07/16/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
658 21:59:28.652 07/16/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
659 21:59:28.652 07/16/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
660 21:59:28.652 07/16/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
661 21:59:28.652 07/16/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
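As an added illustration (not code from this thread), a Python parser for the Cisco VPN client log format posted above: it groups each record header with the message lines that follow it, extracts the NAT detection result, the mode-config address and split networks, and the notify that ended phase 2, then names the stage at which the negotiation stopped. The embedded sample is a constructed excerpt of the posted log, and BENIGN_NOTIFIES is this example's own list, not a client setting.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the Cisco VPN client log posted in the question
# (sequence numbers, timestamps, peer address and cookies are taken from that post).
SAMPLE_LOG = """\
603 21:59:20.996 07/16/07 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
604 21:59:20.996 07/16/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
615 21:59:25.340 07/16/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
621 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.4.4.1
625 21:59:25.418 07/16/07 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.110.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
633 21:59:25.433 07/16/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 216.x.x.166
645 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 216.x.x.166
648 21:59:25.496 07/16/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FC97C52416110E85 R_Cookie=0378626844ED6386) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Record header: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<sev>/<n> <module>/0x<code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\d\d/\d\d/\d\d\s+"
    r"Sev=\w+/\d\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
BENIGN_NOTIFIES = {"STATUS_RESP_LIFETIME", "STATUS_INITIAL_CONTACT"}  # informational, not errors

def parse_log(raw: str) -> List[Tuple[int, str, str, str]]:
    """Group each header with its message lines; returns (seq, module, code, message) tuples."""
    records: List[list] = []
    for line in raw.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append([int(m["seq"]), m["module"], m["code"].upper(), []])
        elif records and line:  # continuation line of the current record
            records[-1][3].append(line)
    return [(seq, mod, code, "\n".join(msg)) for seq, mod, code, msg in records]

def summarize(records: List[Tuple[int, str, str, str]]) -> Dict[str, object]:
    """Pull out the facts that decide at which stage the tunnel stopped."""
    s: Dict[str, object] = {"phase1_up": False, "xauth_done": False, "qm_sent": False,
                            "assigned_ip": None, "split_nets": [], "failure_notify": None,
                            "delete_reason": None, "local_behind_nat": None, "remote_behind_nat": None}
    for _seq, _mod, _code, t in records:
        if t.startswith("Automatic NAT Detection Status"):
            s["remote_behind_nat"] = "Remote end IS behind" in t
            s["local_behind_nat"] = "This end IS behind" in t
        elif t.startswith("Established Phase 1 SA"):
            s["phase1_up"] = True
            s["xauth_done"] = bool(s["xauth_done"]) or "1 User Authenticated" in t
        elif "INTERNAL_IPV4_ADDRESS" in t:
            s["assigned_ip"] = t.rsplit("value = ", 1)[1].strip()
        elif t.startswith("SPLIT_NET"):
            kv = dict(re.findall(r"(subnet|mask)\s*=\s*(\S+)", t))
            s["split_nets"].append((kv["subnet"], kv["mask"]))
        elif "SENDING >>> ISAKMP OAK QM" in t:  # client proposed phase 2 (quick mode)
            s["qm_sent"] = True
        elif "RECEIVING <<<" in t:
            m = re.search(r"NOTIFY:([A-Z_]+)", t)
            if m and m.group(1) not in BENIGN_NOTIFIES:
                s["failure_notify"] = m.group(1)
        elif t.startswith("Marking IKE SA for deletion"):
            m = re.search(r"reason = (\w+)", t)
            s["delete_reason"] = m.group(1) if m else None
    return s

def diagnose(s: Dict[str, object]) -> str:
    """Name the stage where negotiation stopped, using only what the client log states."""
    if not s["phase1_up"]:
        return "phase 1 never completed"
    if not s["xauth_done"]:
        return "phase 1 up but XAUTH did not complete"
    if s["qm_sent"] and s["failure_notify"]:
        return (f"phase 2 rejected by the gateway with {s['failure_notify']} after phase 1 and "
                f"XAUTH succeeded (client {s['assigned_ip']}, {len(s['split_nets'])} split "
                f"network(s), client behind NAT: {s['local_behind_nat']})")
    return "no failure recorded"
```

Run `diagnose(summarize(parse_log(SAMPLE_LOG)))` to get the one-line verdict; on the posted log it places the failure after XAUTH and mode-config, at the INVALID_ID_INFO notify that answers the client's quick-mode proposal.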
The only thing I see as a difference is that in my group-policy I have
ipsec-udp enable
The connection is obviously going through a NAT device. That is the only thing I can actually think of. Since it's going through a NAT device, the ASA isn't set up with a parameter to really allow encapsulation so the tunnel can go through a NAT device, even though nat-traversal is there.
Umm, OK, now I'm a little confused. Just curious what actually fixed your problem. Thx.
ASKER
WARNING: dynamic map has incomplete entries
WARNING: Existing map is being linked to dynamic-map: vpn_map.
All static attributes in existing map will be inactive!.
I don't know why that is. Please let me know. I got the site-to-site VPN working just fine.