Solved

Issue with 2911 VPN tunnels to SA540/SA520 collapse after 10 minutes

Posted on 2013-06-25
4
629 Views
Last Modified: 2014-03-03
Group,
Hello, interesting problem I am dealing with, I have several remote sites that have SA520/540 routers and one main site with a 2911 router. The issue is that I can initially establish a site to site VPN connection but after ten minutes the connection flatlines. The 2911 shows the VPN tunnel as up but the SA540s show the tunnel as down and I can't ping through the tunnel etc. I can only re-establish by rebooting the 2911 wihch as you can imagine isn't a long term solution. About the same time I lost VPN client connectivity which was working before. The logs in the SA all show the same thing:

Tue Jun 25 12:43:16 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27
Tue Jun 25 12:43:16 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:43:16 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:43:23 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. f3481e06d253bb78:0000000000000000
Tue Jun 25 12:43:47 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 98.101.151.234[500]<=>97.76.78.218[500]
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Beginning Identity Protection mode.
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8
Tue Jun 25 12:44:26 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9
Tue Jun 25 12:44:57 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234
Tue Jun 25 12:45:41 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.10.0/27
Tue Jun 25 12:45:41 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:45:41 2013 (GMT -0400): [pafrd00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Tue Jun 25 12:46:12 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->98.101.151.234
Tue Jun 25 12:46:16 2013 (GMT -0400): [pafrd00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. f64ae4d44935a260:0000000000000000

Here is the 2911 config, some items edited. I would appreciate your input this is a priority to keep those tunnels lit. Thanks experts!!


Building configuration...

Current configuration : 38621 bytes
!
! Last configuration change at 17:00:48 NewYork Mon Jun 24 2013 by blakmoon91
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pl-gw1-tpa
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
enable secret 5 $1$PY04$lr7M7hXShNpHY2OFzi8Yj1
enable password 7 153F080F1126272B3D216C71415757
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication enable default enable
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.15.1 10.0.15.9
ip dhcp excluded-address 10.0.15.21 10.0.15.30
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool ccp-pool1
 network 10.0.15.0 255.255.255.224
 domain-name platautofinance.com
 dns-server 208.67.220.220 208.67.222.222
 default-router 10.0.15.1
!
ip dhcp pool LAN_POOL
 import all
 network 192.168.10.0 255.255.255.224
 domain-name platuautofinance.com
 dns-server 192.168.10.2 208.67.220.220
 option 150 ip 192.168.10.29
 default-router 192.168.10.1
 lease 0 8
!
!
no ip bootp server
ip domain name platautofinance.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3265635853
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3265635853
 revocation-check none
 rsakeypair TP-self-signed-3265635853
!
!
crypto pki certificate chain TP-self-signed-3265635853
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323635 36333538 3533301E 170D3133 30363137 31363035
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32363536
  33353835 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100920C 1E8282C0 73A070FD D38CE7FA 9BFB28A9 2DBB650A E2BDBE39 DE6973B6
  E7D3B5B0 1CB17B0C BD1EDF5A 71110AF8 A284BD91 E53F8759 4983DBBD E30F21AA
  FEA356E8 0ECA20AC FA3A7182 8124C4F5 338EA780 24B05B3E EFF044E4 2D32805F
  10E34A2A 92D88F7F BEC18A26 C81F719B 4F40B442 3AA29410 362C2831 579DC2FF
  784B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1482EF2E AA9A36F0 5E63266D 42493D85 2DC1474A 38301D06
  03551D0E 04160414 82EF2EAA 9A36F05E 63266D42 493D852D C1474A38 300D0609
  2A864886 F70D0101 05050003 81810000 03FA4A1B 645F0399 C5BA4EBD 2CE916F7
  9CE5066E D95E0666 EB3AC88D FDEFEBBC 38207B55 B2803706 2DAA39F4 0635DAF9
  860C3D5F 8CB68A8C D07F9669 260ECCCE 1C6A94B7 6CC6D15F 6B2E35C4 78AF2469
  A138ECA9 72C6BC5E 8C6ADEFF 5896B228 32B19F52 7A938A05 A59B4421 13ADFAE9
  413DC2DF FF0A9CB3 5B9D3E3E B383B5
        quit
license udi pid CISCO2911/K9 sn FGL162410ZE
license boot module c2900 technology-package securityk9
!
!
object-group service Asterisk
 description SIP Communication Settings
 udp eq 5060
 udp range 16384 16482
!
object-group service MSExchange
 description Exchange Server Services
 tcp eq pop3
 tcp eq 143
 tcp eq 443
 tcp eq smtp
 tcp eq www
!
object-group service OpenFire
 description Openfire IM Services
 tcp eq 7777
 tcp range 5222 5223
!
object-group service ReadyDesk
 description ReadyDesk Helpdesk Applications
 tcp range 7575 7576
 tcp eq 8081
!
username cisco privilege 15 password 7 0722224F5B05150A0200525F567A
username blakmoon91 privilege 15 password 7 132814111E0008253E3671606772
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxx address 67.78.146.158
crypto isakmp key xxxxxxxxxxxx address 71.40.160.123
crypto isakmp key xxxxxxxxxxxx address 98.101.151.234
!
crypto isakmp client configuration group PlatinumVPN
 key xxxxxxxxxxxxxx
 dns 192.168.10.2 208.67.220.220
 domain clearwater.thrifty.com
 pool SDM_POOL_1
 acl 107
 include-local-lan
 split-dns clearwater.thrifty.com
 pfs
 max-users 25
 netmask 255.255.255.224
 banner ^CYou are connecting to a secure network.
All connections are monitored.
Please contact the MIS IT Department for more information at x1000.    ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group PlatinumVPN
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA4
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to67.78.146.158
 set peer 67.78.146.158
 set transform-set ESP-3DES-SHA
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to71.40.160.123
 set peer 71.40.160.123
 set transform-set ESP-3DES-SHA2
 match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to98.101.151.234
 set peer 98.101.151.234
 set transform-set ESP-3DES-SHA3
 match address 106
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET_UPLINK$ETH-WAN$$FW_OUTSIDE$
 ip address 97.76.78.218 255.255.255.248
 no ip redirects
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description LAN$ETH_LAN$$ETH-LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.224
 no ip redirects
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.0.15.1 255.255.255.224
 no ip redirects
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 ip flow ingress
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.0.1 192.168.0.25
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source route-map SDM_RMAP interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.13 21 97.76.78.218 21 route-map SDM_RMAP_10 extendable
ip nat inside source static tcp 192.168.10.2 25 97.76.78.218 25 route-map SDM_RMAP_6 extendable
ip nat inside source static udp 192.168.10.29 69 97.76.78.218 69 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 192.168.10.2 80 97.76.78.218 80 route-map SDM_RMAP_12 extendable
ip nat inside source static tcp 192.168.10.2 110 97.76.78.218 110 route-map SDM_RMAP_15 extendable
ip nat inside source static udp 192.168.10.28 161 97.76.78.218 161 route-map SDM_RMAP_8 extendable
ip nat inside source static tcp 192.168.10.2 443 97.76.78.218 443 route-map SDM_RMAP_9 extendable
ip nat inside source static udp 192.168.10.29 514 97.76.78.218 514 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 192.168.10.29 3389 97.76.78.218 3389 route-map SDM_RMAP_3 extendable
ip nat inside source static udp 192.168.10.12 5060 97.76.78.218 5060 route-map SDM_RMAP_11 extendable
ip nat inside source static tcp 192.168.10.28 5222 97.76.78.218 5222 route-map SDM_RMAP_14 extendable
ip nat inside source static tcp 192.168.10.28 5223 97.76.78.218 5223 route-map SDM_RMAP_13 extendable
ip nat inside source static tcp 192.168.10.28 8081 97.76.78.218 8081 route-map SDM_RMAP_7 extendable
ip route 0.0.0.0 0.0.0.0 97.76.78.217 name DEFAULT_ROUTE
!
ip access-list extended NAT_ACL
 remark Master NAT_ACL
 permit ip any any
!
access-list 100 remark CCP_ACL Category=18
access-list 100 deny   tcp host 192.168.10.13 eq ftp any
access-list 100 deny   tcp host 192.168.10.2 eq smtp any
access-list 100 deny   udp host 192.168.10.29 eq tftp any
access-list 100 deny   tcp host 192.168.10.2 eq www any
access-list 100 deny   tcp host 192.168.10.2 eq pop3 any
access-list 100 deny   udp host 192.168.10.28 eq snmp any
access-list 100 deny   tcp host 192.168.10.2 eq 443 any
access-list 100 deny   udp host 192.168.10.29 eq syslog any
access-list 100 deny   tcp host 192.168.10.29 eq 3389 any
access-list 100 deny   udp host 192.168.10.12 eq 5060 any
access-list 100 deny   tcp host 192.168.10.28 eq 5222 any
access-list 100 deny   tcp host 192.168.10.28 eq 5223 any
access-list 100 deny   tcp host 192.168.10.28 eq 8081 any
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.1
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.2
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.3
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.4
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.5
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.6
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.7
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.8
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.9
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.10
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.11
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.12
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.13
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.14
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.15
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.16
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.17
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.18
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.19
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.20
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.21
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.22
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.23
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.24
access-list 100 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.25
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.31 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any host 97.76.78.218 eq tftp
access-list 101 permit tcp any host 97.76.78.218 eq ftp
access-list 101 permit tcp any host 97.76.78.218 eq 22
access-list 101 permit udp any host 97.76.78.218 eq snmp
access-list 101 permit udp any host 97.76.78.218 eq syslog
access-list 101 permit object-group OpenFire any host 97.76.78.218
access-list 101 permit object-group Asterisk any host 97.76.78.218
access-list 101 permit object-group MSExchange any host 97.76.78.218
access-list 101 permit object-group ReadyDesk any host 97.76.78.218
access-list 102 remark CCP_ACL Category=2
access-list 102 deny   tcp host 192.168.10.13 eq ftp any
access-list 102 deny   tcp host 192.168.10.2 eq smtp any
access-list 102 deny   udp host 192.168.10.29 eq tftp any
access-list 102 deny   tcp host 192.168.10.2 eq www any
access-list 102 deny   tcp host 192.168.10.2 eq pop3 any
access-list 102 deny   udp host 192.168.10.28 eq snmp any
access-list 102 deny   tcp host 192.168.10.2 eq 443 any
access-list 102 deny   udp host 192.168.10.29 eq syslog any
access-list 102 deny   tcp host 192.168.10.29 eq 3389 any
access-list 102 deny   udp host 192.168.10.12 eq 5060 any
access-list 102 deny   tcp host 192.168.10.28 eq 5222 any
access-list 102 deny   tcp host 192.168.10.28 eq 5223 any
access-list 102 deny   tcp host 192.168.10.28 eq 8081 any
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.1
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.2
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.3
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.4
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.5
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.6
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.7
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.8
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.9
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.10
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.11
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.12
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.13
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.14
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.15
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.16
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.17
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.18
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.19
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.20
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.21
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.22
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.23
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.24
access-list 102 deny   ip 192.168.10.0 0.0.0.31 host 192.168.0.25
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255
access-list 102 permit ip 10.0.15.0 0.0.0.31 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.31 10.0.2.0 0.0.0.255
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.10.0 0.0.0.31 10.41.14.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.31 192.168.75.0 0.0.0.255
access-list 107 remark CCP_ACL Category=4
access-list 107 permit ip 192.168.10.0 0.0.0.31 any
access-list 108 remark CCP_ACL Category=2
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.25
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.24
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.23
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.22
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.21
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.20
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.19
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.18
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.17
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.16
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.15
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.14
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.13
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.12
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.11
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.10
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.9
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.8
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.7
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.6
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.5
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.4
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.3
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.2
access-list 108 deny   ip host 192.168.10.29 host 192.168.0.1
access-list 108 permit tcp host 192.168.10.29 eq 3389 any
access-list 109 remark CCP_ACL Category=2
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.25
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.24
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.23
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.22
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.21
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.20
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.19
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.18
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.17
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.16
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.15
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.14
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.13
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.12
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.11
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.10
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.9
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.8
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.7
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.6
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.5
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.4
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.3
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.2
access-list 109 deny   ip host 192.168.10.29 host 192.168.0.1
access-list 109 permit udp host 192.168.10.29 eq tftp any
access-list 110 remark CCP_ACL Category=2
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.25
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.24
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.23
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.22
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.21
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.20
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.19
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.18
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.17
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.16
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.15
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.14
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.13
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.12
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.11
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.10
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.9
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.8
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.7
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.6
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.5
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.4
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.3
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.2
access-list 110 deny   ip host 192.168.10.29 host 192.168.0.1
access-list 110 permit udp host 192.168.10.29 eq syslog any
access-list 111 remark CCP_ACL Category=2
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.25
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.24
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.23
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.22
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.21
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.20
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.19
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.18
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.17
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.16
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.15
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.14
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.13
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.12
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.11
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.10
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.9
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.8
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.7
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.6
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.5
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.4
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.3
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.2
access-list 111 deny   ip host 192.168.10.2 host 192.168.0.1
access-list 111 permit tcp host 192.168.10.2 eq smtp any
access-list 112 remark CCP_ACL Category=2
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.25
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.24
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.23
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.22
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.21
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.20
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.19
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.18
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.17
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.16
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.15
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.14
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.13
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.12
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.11
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.10
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.9
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.8
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.7
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.6
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.5
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.4
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.3
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.2
access-list 112 deny   ip host 192.168.10.28 host 192.168.0.1
access-list 112 permit tcp host 192.168.10.28 eq 8081 any
access-list 113 remark CCP_ACL Category=2
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.25
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.24
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.23
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.22
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.21
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.20
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.19
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.18
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.17
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.16
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.15
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.14
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.13
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.12
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.11
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.10
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.9
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.8
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.7
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.6
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.5
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.4
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.3
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.2
access-list 113 deny   ip host 192.168.10.28 host 192.168.0.1
access-list 113 permit udp host 192.168.10.28 eq snmp any
access-list 114 remark CCP_ACL Category=2
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.25
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.24
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.23
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.22
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.21
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.20
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.19
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.18
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.17
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.16
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.15
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.14
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.13
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.12
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.11
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.10
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.9
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.8
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.7
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.6
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.5
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.4
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.3
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.2
access-list 114 deny   ip host 192.168.10.2 host 192.168.0.1
access-list 114 permit tcp host 192.168.10.2 eq 443 any
access-list 115 remark CCP_ACL Category=2
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.25
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.24
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.23
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.22
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.21
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.20
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.19
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.18
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.17
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.16
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.15
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.14
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.13
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.12
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.11
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.10
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.9
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.8
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.7
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.6
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.5
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.4
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.3
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.2
access-list 115 deny   ip host 192.168.10.13 host 192.168.0.1
access-list 115 permit tcp host 192.168.10.13 eq ftp any
access-list 116 remark CCP_ACL Category=2
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.25
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.24
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.23
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.22
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.21
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.20
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.19
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.18
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.17
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.16
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.15
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.14
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.13
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.12
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.11
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.10
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.9
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.8
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.7
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.6
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.5
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.4
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.3
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.2
access-list 116 deny   ip host 192.168.10.12 host 192.168.0.1
access-list 116 permit udp host 192.168.10.12 eq 5060 any
access-list 117 remark CCP_ACL Category=2
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.25
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.24
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.23
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.22
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.21
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.20
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.19
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.18
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.17
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.16
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.15
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.14
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.13
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.12
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.11
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.10
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.9
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.8
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.7
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.6
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.5
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.4
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.3
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.2
access-list 117 deny   ip host 192.168.10.2 host 192.168.0.1
access-list 117 permit tcp host 192.168.10.2 eq www any
access-list 118 remark CCP_ACL Category=2
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.25
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.24
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.23
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.22
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.21
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.20
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.19
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.18
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.17
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.16
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.15
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.14
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.13
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.12
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.11
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.10
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.9
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.8
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.7
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.6
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.5
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.4
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.3
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.2
access-list 118 deny   ip host 192.168.10.28 host 192.168.0.1
access-list 118 permit tcp host 192.168.10.28 eq 5223 any
access-list 119 remark CCP_ACL Category=2
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.25
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.24
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.23
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.22
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.21
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.20
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.19
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.18
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.17
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.16
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.15
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.14
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.13
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.12
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.11
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.10
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.9
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.8
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.7
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.6
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.5
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.4
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.3
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.2
access-list 119 deny   ip host 192.168.10.28 host 192.168.0.1
access-list 119 permit tcp host 192.168.10.28 eq 5222 any
access-list 120 remark CCP_ACL Category=2
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.25
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.24
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.23
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.22
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.21
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.20
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.19
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.18
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.17
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.16
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.15
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.14
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.13
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.12
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.11
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.10
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.9
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.8
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.7
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.6
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.5
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.4
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.3
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.2
access-list 120 deny   ip host 192.168.10.2 host 192.168.0.1
access-list 120 permit tcp host 192.168.10.2 eq pop3 any
!
no cdp run
!
!
!
route-map SDM_RMAP permit 1
 match ip address 100
!
route-map SDM_RMAP_15 permit 1
 match ip address 120
!
route-map SDM_RMAP_14 permit 1
 match ip address 119
!
route-map SDM_RMAP_11 permit 1
 match ip address 116
!
route-map SDM_RMAP_10 permit 1
 match ip address 115
!
route-map SDM_RMAP_13 permit 1
 match ip address 118
!
route-map SDM_RMAP_12 permit 1
 match ip address 117
!
route-map SDM_RMAP_4 permit 1
 match ip address 109
!
route-map SDM_RMAP_5 permit 1
 match ip address 110
!
route-map SDM_RMAP_6 permit 1
 match ip address 111
!
route-map SDM_RMAP_7 permit 1
 match ip address 112
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_3 permit 1
 match ip address 108
!
route-map SDM_RMAP_8 permit 1
 match ip address 113
!
route-map SDM_RMAP_9 permit 1
 match ip address 114
!
route-map RMAP-NAT permit 10
 match ip address NAT_ACL
!
!
snmp-server community public RO
snmp-server community ourCommStr RW
snmp-server location Tampa, Florida, USA
snmp-server contact MIS IT Services x1000
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server host 192.168.10.28 version 2c ourCommStr
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password 7 02160B5E520F020D494F5D4A
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 12.10.191.151 source GigabitEthernet0/0
ntp server 96.226.123.157 source GigabitEthernet0/0
ntp server 129.6.15.30 prefer source GigabitEthernet0/0
end
0
Comment
Question by:Ross Mccullough
  • 2
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39282688
Two commands to try adding (on each endpoint):

crypto isakmp keepalive 30 5
crypto isakmp invalid-spi-recovery
0
 

Author Comment

by:Ross Mccullough
ID: 39285858
Hello asavener,
I have been digging a bit more into this and have some debug I would like to lend to the conversation to see if that helps.

OK]
pl-gw1-tpa#term mon
pl-gw1-tpa#
001565: .Jun 28 15:53:58.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001566: .Jun 28 15:53:58.647 NewYork: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
001567: .Jun 28 15:53:58.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001568: .Jun 28 15:53:58.647 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001569: .Jun 28 15:53:58.647 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
001570: .Jun 28 15:54:08.643 NewYork: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 97.76.78.218:0, remote= 67.78.146.158:0,
    local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
    remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4)
001571: .Jun 28 15:54:08.643 NewYork: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 97.76.78.218:500, remote= 67.78.146.158:500,
    local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
    remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001572: .Jun 28 15:54:08.643 NewYork: ISAKMP: set new node 0 to QM_IDLE
001573: .Jun 28 15:54:08.643 NewYork: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 97.76.78.218, remote 67.78.146.158)
001574: .Jun 28 15:54:08.643 NewYork: ISAKMP: Error while processing SA request: Failed to initialize SA
001575: .Jun 28 15:54:08.643 NewYork: ISAKMP: Error while processing KMI message 0, error 2.
001576: .Jun 28 15:54:08.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001577: .Jun 28 15:54:08.647 NewYork: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
001578: .Jun 28 15:54:08.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001579: .Jun 28 15:54:08.647 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001580: .Jun 28 15:54:08.647 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
001581: .Jun 28 15:54:18.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001582: .Jun 28 15:54:18.647 NewYork: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
001583: .Jun 28 15:54:18.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001584: .Jun 28 15:54:18.647 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001585: .Jun 28 15:54:18.647 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
001586: .Jun 28 15:54:28.615 NewYork: ISAKMP:(0):purging node 1854266786
001587: .Jun 28 15:54:28.615 NewYork: ISAKMP:(0):purging node 98441207
001588: .Jun 28 15:54:28.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001589: .Jun 28 15:54:28.647 NewYork: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001590: .Jun 28 15:54:28.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001591: .Jun 28 15:54:28.647 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001592: .Jun 28 15:54:28.647 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
001593: .Jun 28 15:54:38.615 NewYork: ISAKMP:(0):purging SA., sa=312C90F4, delme=312C90F4
001594: .Jun 28 15:54:38.643 NewYork: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 97.76.78.218:0, remote= 67.78.146.158:0,
    local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
    remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4)
001595: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001596: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):peer does not do paranoid keepalives.

001597: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 67.78.146.158)
001598: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 67.78.146.158)
001599: .Jun 28 15:54:38.647 NewYork: ISAKMP: Unlocking peer struct 0x2BC4564C for isadb_mark_sa_deleted(), count 0
001600: .Jun 28 15:54:38.647 NewYork: ISAKMP: Deleting peer node by peer_reap for 67.78.146.158: 2BC4564C
001601: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):deleting node 512304635 error FALSE reason "IKE deleted"
001602: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):deleting node 273013099 error FALSE reason "IKE deleted"
001603: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001604: .Jun 28 15:54:38.647 NewYork: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

001605: .Jun 28 15:54:38.647 NewYork: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001606: .Jun 28 15:54:38.675 NewYork: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 97.76.78.218:500, remote= 67.78.146.158:500,
    local_proxy= 192.168.10.0/255.255.255.224/0/0 (type=4),
    remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001607: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): SA request profile is (NULL)
001608: .Jun 28 15:54:38.675 NewYork: ISAKMP: Created a peer struct for 67.78.146.158, peer port 500
001609: .Jun 28 15:54:38.675 NewYork: ISAKMP: New peer created peer = 0x2BC4564C peer_handle = 0x8000000E
001610: .Jun 28 15:54:38.675 NewYork: ISAKMP: Locking peer struct 0x2BC4564C, refcount 1 for isakmp_initiator
001611: .Jun 28 15:54:38.675 NewYork: ISAKMP: local port 500, remote port 500
001612: .Jun 28 15:54:38.675 NewYork: ISAKMP: set new node 0 to QM_IDLE
001613: .Jun 28 15:54:38.675 NewYork: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3160EF7C
001614: .Jun 28 15:54:38.675 NewYork: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
001615: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001616: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0):found peer pre-shared key matching 67.78.146.158
001617: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001618: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): constructed NAT-T vendor-07 ID
001619: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): constructed NAT-T vendor-03 ID
001620: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): constructed NAT-T vendor-02 ID
001621: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001622: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

001623: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): beginning Main Mode exchange
001624: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001625: .Jun 28 15:54:38.675 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
001626: .Jun 28 15:54:48.675 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001627: .Jun 28 15:54:48.675 NewYork: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001628: .Jun 28 15:54:48.675 NewYork: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001629: .Jun 28 15:54:48.675 NewYork: ISAKMP:(0): sending packet to 67.78.146.158 my_port 500 peer_port 500 (I) MM_NO_STATE
001630: .Jun 28 15:54:48.675 NewYork: ISAKMP:(0):Sending an IKE IPv4 Packet.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39285961
Can you post the debug from the other end as well?
0
 

Author Comment

by:Ross Mccullough
ID: 39285999
Asavener,
Thanks for the response, here is the IPSEC log from the SA540

Fri Jun 28 19:35:21 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:35:21 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:35:21 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:35:21 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received request for new phase 1 negotiation: 67.78.146.158[500]<=>97.76.78.218[500]
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Beginning Identity Protection mode.
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: RFC 3947
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Fri Jun 28 19:35:32 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  For 97.76.78.218[500], Selected NAT-T version: RFC 3947
Fri Jun 28 19:35:40 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. 80beadeb87c36b04:05ffb1e98541dc25
Fri Jun 28 19:35:42 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:35:52 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:35:52 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:35:52 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:35:52 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:35:52 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:36:02 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:36:12 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:36:22 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:36:23 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:36:24 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:36:24 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:36:24 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received request for new phase 1 negotiation: 67.78.146.158[500]<=>97.76.78.218[500]
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Beginning Identity Protection mode.
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: RFC 3947
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Fri Jun 28 19:36:41 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  For 97.76.78.218[500], Selected NAT-T version: RFC 3947
Fri Jun 28 19:36:51 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:36:55 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:36:56 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:36:56 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:36:56 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:37:01 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:37:11 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:37:21 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:37:22 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 97.76.78.218[500]. 80beadeb2afec7f4:3abfc1cc73b05af3
Fri Jun 28 19:37:27 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:37:27 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:37:27 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:37:27 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:37:31 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received request for new phase 1 negotiation: 67.78.146.158[500]<=>97.76.78.218[500]
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Beginning Identity Protection mode.
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: RFC 3947
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received unknown Vendor ID
Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

Fri Jun 28 19:37:50 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  For 97.76.78.218[500], Selected NAT-T version: RFC 3947
Fri Jun 28 19:37:58 2013 (GMT -0400): [clrctr00fw0100] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 97.76.78.218->67.78.146.158
Fri Jun 28 19:37:59 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27
Fri Jun 28 19:37:59 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:37:59 2013 (GMT -0400): [clrctr00fw0100] [IKE] INFO:  remote configuration for identifier "pl-gw1-tpa.platautofinance.com" found
Fri Jun 28 19:38:00 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
Fri Jun 28 19:38:10 2013 (GMT -0400): [clrctr00fw0100] [IKE] NOTIFY:  The packet is retransmitted by 97.76.78.218[500].
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now