Jesh1975 asked:

Cisco ASA 5505 -> Cisco 5510 VPN (Site to Site) Not Working

Hello,

We have two offices.  Office A is 192.168.1.0 (255.255.255.0) w/ outside IP 70.91.xxx.22
Office B is 172.16.4.0 (255.255.252.0) w/ outside IP 90.106.xxx.41

I cannot get the VPN connection established.  I've set up a VPN with two PIX in the past and had no issues, but it took a little bit of time, since I am neither a Cisco nor a VPN expert.  

Could you take a look at these running configurations and give me your first thoughts?  The VPN won't establish and it looks like it should!


--- RUNNING CVILE (OFFICE A) ---


ASA Version 8.2(1)
!
names
name 192.168.1.0 SMTNetwork
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.10.200 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
dns server-group DefaultDNS
 domain-name smt.local
access-list inside_access_in extended permit ip SMTNetwork 255.255.255.0 any
access-list inbound extended permit tcp any host 70.91.xxx.21 eq www
access-list inbound extended permit tcp any host 70.91.xxx.21 eq domain
access-list inbound extended permit udp any host 70.91.xxx.21 eq domain
access-list inbound extended permit tcp any host 70.91.xxx.17 eq www
access-list inbound extended permit tcp any host 70.91.xxx.17 eq domain
access-list inbound extended permit udp any host 70.91.xxx.17 eq domain
access-list inbound extended permit tcp any host 70.91.xxx.18 eq smtp
access-list inbound extended permit tcp any host 70.91.xxx.19 eq https
access-list LAN_Traffic extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 70.91.xxx.21 192.168.1.24 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.17 192.168.1.12 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.18 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.19 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 172.16.4.0  access-list LAN_Traffic
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.6.0 255.255.255.0 management
http SMTNetwork 255.255.255.0 inside
http 99.106.xxx.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 99.106.xxx.41
crypto map L2L 1 set transform-set L2L
crypto map L2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet SMTNetwork 255.255.255.0 inside
telnet timeout 5
ssh SMTNetwork 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.6.2-192.168.6.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 99.106.xxx.41 type ipsec-l2l
tunnel-group 99.106.xxx.41 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b40bbdefa6f7c4a620920d2be0dc3b6b
: end

--- RUNNING OFFICE B ---

ASA Version 8.2(3)
!
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.4.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name smt.local
same-security-traffic permit inter-interface
access-list VPN_Traffic extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list encrypt_acl extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 99.106.xxx.41 netmask 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.106.10.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.4.0 255.255.252.0 inside
http 70.91.xxx.22 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2l 1 match address VPN_Traffic
crypto map l2l 1 set peer 70.91.xxx.22
crypto map l2l 1 set transform-set l2l
crypto map l2l interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.7.100-172.16.7.254 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 70.91.xxx.22 type ipsec-l2l
tunnel-group 70.91.xxx.22 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e9144ec144cd4c98e73aeddac9fce567
: end

Thank you in advance!


Istvan Kalmar:

hi,

You missed creating the nonat on the first ASA:

access-list LAN_nonat extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list LAN_nonat
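Istvan's nonat point and the two configs at the top of the thread are the kind of thing a mirror-image check catches mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the few ASA 8.2 lines that decide whether a LAN-to-LAN tunnel can come up (crypto ACL, transform set, ISAKMP policy, peer and tunnel-group, NAT exemption) on both sides and lists where they disagree. The sample configs inside it are constructed cut-downs of the ones posted, with the RFC 5737 documentation addresses 203.0.113.22 and 198.51.100.41 standing in for the redacted public IPs; OFFICE_A_NO_NAT0 reproduces Office A as first posted, without the NAT exemption. Only the plain 'permit ip SRC SMASK DST DMASK' ACL form is handled.

```python
# Mirror-image check for two ASA 8.2-style LAN-to-LAN IPsec configs. Added example, not
# code from the thread or from Cisco. ACL lines are assumed to be in the plain
# 'permit ip SRC SMASK DST DMASK' form (no 'any', 'host' or object-groups).
from collections import defaultdict

# Constructed cut-down configs modelled on the thread; 203.0.113.22 and 198.51.100.41
# are RFC 5737 documentation addresses standing in for the redacted public IPs.
OFFICE_A = """
name 192.168.1.0 SMTNetwork
access-list LAN_Traffic extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
access-list LAN_nonat extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list LAN_nonat
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 198.51.100.41
crypto map L2L 1 set transform-set L2L
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 198.51.100.41 type ipsec-l2l
"""
OFFICE_B = """
access-list VPN_Traffic extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set l2l esp-aes-256 esp-sha-hmac
crypto map l2l 1 match address VPN_Traffic
crypto map l2l 1 set peer 203.0.113.22
crypto map l2l 1 set transform-set l2l
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 203.0.113.22 type ipsec-l2l
"""
# Office A as first posted in the thread: no NAT exemption for the tunnel traffic.
OFFICE_A_NO_NAT0 = "\n".join(l for l in OFFICE_A.splitlines() if "nonat" not in l)

def parse_asa(cfg):
    # Keep only the lines that decide whether a LAN-to-LAN tunnel can come up.
    d = {"names": {}, "acls": defaultdict(set), "tsets": {}, "maps": defaultdict(dict),
         "policies": {}, "nat0": None, "tunnel_groups": set()}
    nm = lambda x: d["names"].get(x, x)   # resolve 'name' aliases such as SMTNetwork
    policy = None
    for raw in filter(str.strip, cfg.splitlines()):
        t = raw.split()
        if raw.startswith(" ") and policy is not None:   # body of an 'isakmp policy' block
            d["policies"][policy][t[0]] = t[1]
            continue
        policy = None
        if t[0] == "name":
            d["names"][t[2]] = t[1]
        elif t[0] == "access-list" and "permit" in t:
            s, sm, dd, dm = t[t.index("permit") + 2:][:4]
            d["acls"][t[1]].add(((nm(s), sm), (nm(dd), dm)))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and t[3] != "interface":
            entry = d["maps"][(t[2], t[3])]
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[6]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
            d["policies"][policy] = {}
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            d["nat0"] = t[4]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            d["tunnel_groups"].add(t[1])
    return d

def compare_peers(cfg_a, cfg_b, outside_a, outside_b):
    # Returns a list of mismatches; an empty list means the two sides mirror each other.
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    ea = next((e for e in a["maps"].values() if e.get("peer") == outside_b), None)
    eb = next((e for e in b["maps"].values() if e.get("peer") == outside_a), None)
    if ea is None or eb is None:
        return [f"crypto map 'set peer' entries do not point at each other ({outside_a} <-> {outside_b})"]
    f = []
    if outside_b not in a["tunnel_groups"] or outside_a not in b["tunnel_groups"]:
        f.append("missing 'tunnel-group <peer> type ipsec-l2l' on at least one side")
    acl_a, acl_b = a["acls"][ea.get("acl")], b["acls"][eb.get("acl")]
    if {(s, t) for s, t in acl_a} != {(t, s) for s, t in acl_b}:
        f.append("crypto ACLs are not mirror images of each other")
    if a["tsets"].get(ea.get("tset")) != b["tsets"].get(eb.get("tset")):
        f.append("Phase 2 transform sets differ")
    pol = lambda d: {(p.get("authentication"), p.get("encryption"), p.get("hash"), p.get("group")) for p in d["policies"].values()}
    if not pol(a) & pol(b):
        f.append("no ISAKMP (Phase 1) policy in common")
    for label, side, acl in (("A", a, acl_a), ("B", b, acl_b)):   # Istvan's nonat point
        if not acl <= side["acls"].get(side["nat0"], set()):
            f.append(f"{label}: tunnel traffic is not exempted from NAT (nat (inside) 0 access-list ...)")
    return f
```

Run against Office A as first posted (OFFICE_A_NO_NAT0) it reports only the missing NAT exemption; with the nonat lines added it reports nothing. That is consistent with the rest of the thread: once the two configs mirror each other, the remaining failure has to be outside the config pair, which is where the Phase 1 debug output later on points.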
Jesh1975 (asker):

Just added and tried ping 172.16.4.1 (to office b asa) and still no go...

Other thoughts?
rochey2009:

Hi,

try

sysopt connection permit-ipsec or sysopt connection permit-vpn.

Anything showing in the logs of the asas?
rochey: should I run sysopt on both ASAs?  If so I won't be able to until tomorrow.

ernie: I will do some looking into this - end of the day here so I'll be back in the AM.
We'll be here :)
Tried this on both sides (sysopt connection permit-ipsec) and no luck.  Tried the other and nothing either.  I am looking into the logs:

5  Nov 01 2011  10:45:01  713041  IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (L2L)
6  Nov 01 2011  10:45:06  713219  IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6  Nov 01 2011  10:45:11  713219  IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
3  Nov 01 2011  10:46:16  713902  IP = 99.106.10.41, Removing peer from peer table failed, no match!
4  Nov 01 2011  10:46:16  713903  IP = 99.106.10.41, Error: Unable to remove PeerTblEntry

???
Does anybody have any further information on the above errors or any information on why this configuration isn't working?

More information:  Our DSL (Site B) has a gateway of 99.106.xxx.46, but we have the ASA get 99.106.xxx.41 from one of the available addresses.  Any ideas?
So the ASA (site B) gets the address through DHCP? Not sure if that might cause an issue. Are you able to set that address statically on the ASA?
It looks like phase1 isn't even established at the moment.
Please show the output of

deb cry isa 128
deb cry ips 128
Hi ikalmar,

Do tell me, what's the 128 for (haven't seen that before)?
It gives more information on the debugging.
It gets an address from DHCP but it's only one IP address in the pool.  It was set up stupidly by the previous IT years ago - I will change it to static when I get to that office and I'll turn off DHCP.  Regardless, the IP address isn't changing and the lease time is set for 30 days.

I am working on the debug log please give me a little bit.
No problem, we'll be here.

@ikalmar: Neat! Had my learning experience for today :)
ikalmar: Could you tell me what's the best way I can view just the debug logging for the VPN traffic?  When I set up syslog for debug, it is showing all the teardowns and so on.

Any help would be appreciated.
1. You need to enable debugging on both devices:

deb cry isakmp 128
deb cry ipsec 128

2. You need to create interesting traffic for the VPN,

3. and afterwards please provide us the output of the debugging.
Some more information on Site A: ASA shows outside of 10.1.10.200/24 which is the IP the cable modem is giving.  In turn the public IP is translated to 70.91.xxx.22.  Just some more information.  Working on the debugging log.
Yes, that is the problem... Are you able to make a real one-to-one NAT on the cable modem?
There is no 1-to-1 NAT enabled on the Cable Modem.

Old VPN between two PIX worked OK with this same setup and same IP's I used.  But let's ignore that obviously the ASA is different than the PIX.
(70.91.xxx.22 = WAN IP / Public Address).  We use the other IP's for email, web server, and so on.
Is it a possibility to put the modem in bridged mode so you can put the public address on the outside interface of the ASA?
The config works if the ASA which is behind the modem builds up the VPN.... Please try it.... Did you enable NAT-T?

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1066013
Does this need to be done on both sites, or only Site A?  If only on site A - it did not help.
I noticed in old PIX, Site A had command: crypto map mymap 20 ipsec-isakmp  - nothing like this in running config on ASA.  Just more info...
Do we have any other ideas here?  I might try the old configuration which was like this:

http://fengnet.com/book/vpnconf/ch21lev1sec3.html

what was the output of the debug?
Hi Jesh,

The configuration of the Running Office B has DHCP configured for the outside IP address.
In this case you would not be able to configure a peer IP address for VPN in the Office A ASA.

You would need to use a dynamic crypto map in the Office A ASA.

Here is a document to configure the dynamic crypto map:
Dynamic Lan to Lan between pix and router
Check if this is the case and let me know. Hope this helps.
Mystique: office B's DHCP pool is just 1 address, the previous IT person had it set up that way. I disabled DHCP and assigned an IP address.

rochey: I didn't go through the debug since we have begun to make assumptions that this has to do with Comcast Business Gateway - however I did have this working in the past with the same configuration and would like to know if the Cisco ASA operates differently than the Cisco PIX.  If so we can make that a possibility.  If not, then we know it is something else.  Does anyone know for SURE that the ASA and PIX operate differently and would cause this setup to not work?

rochey: also, could you tell me how to reset all the logging to default and just display the debug to our syslog server and or ssh session?
Nov 03 09:28:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:37 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:28:37 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:28:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:40 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:28:45 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:28:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:46 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:28:53 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:29:01 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac153738)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:51b38963 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:29:09 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:29:09 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:30:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:07 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:30:07 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:10 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:15 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:16 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:17 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:20 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:23 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:26 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:31 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:38 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac32f190)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:d26c529e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:30:39 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:30:39 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:30:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:41 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:30:41 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:47 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:49 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:57 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:05 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:05 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:08 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac139658)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:d1e9e94a terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:31:13 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:31:13 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:31:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:14 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:31:14 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:22 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:26 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:29 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:30 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:35 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:38 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:05 [IKEv1 DEBUG]: Pitcher: received a key acquir$
I'm sorry, here is a slightly better one; the other was spammed a little bit:

Nov 03 09:34:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:23 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:28 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:29 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:36 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:44 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac139658)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:01e3d49f terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:34:52 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:34:52 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry

Here is another debug log, this time from when I tried to ping 172.16.4.1.  I see now it says constructing NAT-Traversal...

Nov 03 10:37:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:37:51 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:37:54 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:37:56 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:37:56 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:38:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:38:01 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac2698f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:cd013b23 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 10:38:02 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 10:38:02 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 10:38:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:38:06 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 10:38:06 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:14 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:22 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:30 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac13e730)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:90c0ca18 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 10:38:38 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 10:38:38 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
If any more information is required please let me know.  I'd like to get this issue resolved as soon as possible. Thanks!!
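Reading the debug above: every cycle is the same. MSG1 is sent, resent three times, then the FSM history ends in EV_ERROR-->MM_WAIT_MSG2 and the SA is torn down, i.e. the initiator never receives the peer's first reply; the KEY-ACQUIRE lines are just the pings queuing up behind a Phase 1 that never completes. The script below is an added example, not code from the thread or from Cisco, that does this reading mechanically over a debug capture: it counts the interesting lines per peer, extracts the state each failed SA died in, and produces a verdict. The sample log inside is constructed from the format posted above, with 198.51.100.41 (an RFC 5737 documentation address) in place of the real peer and dummy SA/struct values; the 'IKE_DECODE RECEIVED' marker is assumed to mirror the SENDING line.

```python
# Triage of ASA 'debug crypto isakmp' output for a LAN-to-LAN tunnel that never comes up.
# Added example, not code from the thread or from Cisco. Line formats follow the debug
# output posted in the thread; the RECEIVED marker is assumed to mirror the SENDING one.
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the thread's debug log; 198.51.100.41 is an RFC 5737
# documentation address standing in for the remote peer, SA and struct values are dummies.
SAMPLE_LOG = """\
Nov 03 09:34:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:20 [IKEv1]: IP = 198.51.100.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 198.51.100.41, constructing ISAKMP SA payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 198.51.100.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:34:20 [IKEv1]: IP = 198.51.100.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:23 [IKEv1]: IP = 198.51.100.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:28 [IKEv1]: IP = 198.51.100.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:36 [IKEv1]: IP = 198.51.100.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 198.51.100.41, IKE MM Initiator FSM error history (struct &0x0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 198.51.100.41, IKE SA MM:00000000 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:34:52 [IKEv1]: IP = 198.51.100.41, Removing peer from peer table failed, no match!
Nov 03 09:34:52 [IKEv1]: IP = 198.51.100.41, Error: Unable to remove PeerTblEntry
"""

PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3}), (.*)$")
# The FSM history is written most-recent-first, so the state the initiator errored out of
# is the one right after 'EV_ERROR-->'.
ERROR_STATE_RE = re.compile(r"EV_ERROR-->(MM_WAIT_MSG\d)")
MARKERS = {
    "phase1_started": "IKE Initiator: New Phase 1",
    "msg1_sent": "IKE_DECODE SENDING Message (msgid=0)",
    "msg1_resent": "IKE_DECODE RESENDING Message (msgid=0)",
    "msg2_received": "IKE_DECODE RECEIVED Message (msgid=0)",   # assumed mirror of SENDING
    "acquire_queued": "Queuing KEY-ACQUIRE",
    "natt_offered": "constructing NAT-Traversal VID",           # this side advertises NAT-T
    "sa_terminated": "terminating:",
}

def _verdict(counts, error_states):
    sent = counts["msg1_sent"] + counts["msg1_resent"]
    if error_states.get("MM_WAIT_MSG2") and sent and not counts["msg2_received"]:
        return ("no reply to IKE MSG1 (stuck in MM_WAIT_MSG2): nothing from the peer ever arrived on "
                "UDP/500. Check the path to the peer (a modem or router in front must pass UDP/500, "
                "UDP/4500 and ESP), that 'crypto isakmp enable outside' is set on the peer, and that "
                "the peer has a tunnel-group for the address it actually sees this side coming from")
    if error_states.get("MM_WAIT_MSG6"):
        return "Phase 1 failed in MM_WAIT_MSG6: commonly a pre-shared key or IKE identity mismatch"
    if counts["msg2_received"]:
        return "peer answered MSG1; Phase 1 progressed, look further down the exchange"
    return "no recognised Phase 1 failure signature"

def triage(log_text):
    # Per-peer counts of the interesting debug lines plus the state each failed SA died in.
    per_peer = defaultdict(lambda: (Counter(), Counter()))
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:            # 'Pitcher' lines carry no peer address; nothing to attribute
            continue
        peer, msg = m.groups()
        counts, states = per_peer[peer]
        for key, marker in MARKERS.items():
            if marker in msg:
                counts[key] += 1
        for state in ERROR_STATE_RE.findall(msg):
            states[state] += 1
    return {peer: {"counts": dict(c), "error_states": dict(s), "verdict": _verdict(c, s)}
            for peer, (c, s) in per_peer.items()}

if __name__ == "__main__":
    for peer, r in triage(SAMPLE_LOG).items():
        print(peer, r["counts"], r["error_states"])
        print("  ->", r["verdict"])
```

For this thread the relevant detail is the one Jesh1975 gave earlier: Office A's outside interface carries 10.1.10.200, so MSG1 leaves through the cable modem's NAT, Office B sees the modem's public address, and the modem has to pass UDP/500 (and UDP/4500 once NAT-T kicks in) in both directions for any reply to get back. The script can only say that no reply arrived, not which hop dropped it; a capture on Office B's outside interface settles whether MSG1 even got there.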
More information... SH RUN SYSOPT never returns anything, even though I am using 'sysopt conn permit-vpn'.

Ideas??  Is this the stupid problem!?!
Hi,

post

show sysopt

make sure the preshared keys match and that the peer ip addresses are correct.
Hi,


Did you enable IPsec passthrough on the modem?
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp management

preshared keys match, I have redone the configuration 2x to make sure.

ikalmar - I don't see a setting anywhere for IPSEC?

Some more information: Site A is Comcast Cable Modem (Small business, 5 ip's), Site B is AT&T DSL with 5 ip's.  I've set up this configuration before and had no problems :(
DSL Info: IP Address 99.106.xxx.41 - 99.106.xxx.45
Gateway: 99.106.xxx.46

I've assigned the ASA to use the address of .41 and NAT to use outside IP address.
Hi,

Is it possible to turn on bridge mode on the modem?
ASKER CERTIFIED SOLUTION (Jesh1975): not shown here, members only.

This question has been classified as abandoned and is closed as part of the Cleanup Program.