Cisco Switching/Routing :: ASR 1001 - IKE Phase 2 SA Expires Immediately
Dec 11, 2012
I am migrating an IPsec site-to-site VPN config to a new ASR1001 router facing a Linux box (ipsec-tools + racoon). As the Debian Linux does not offer VTI, I am using a crypto map.
The working config is given below with the corresponding logs on the Linux side.
When I try to apply this previously working config to the ASR1001, I get the following error:
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)
Nov 7, 2011
I have a 3845 router which got reloaded immediately and need to know the reason for the reload. The router has created crash info detail.
Mar 29, 2012
I faced an issue on an ME3800. [code] With that configuration there is no problem with DHCP relay packets. But if I add on the interface "xconnect 82.199.1 19.1 77 encapsulation mpls" it will stop forwarding DHCP relay packets immediately. All other traffic transfers without problem.
Jan 31, 2013
I want to apply QoS for my LAN traffic on my ASR 1001. The LAN is connected on the ge0/0/0 interface, and it is configured with a service instance to bridge VLAN 1 (I do that for OTV). I put a service policy in "service instance 1" to mark data with ef31, but I noticed that the class "plateform_datacenter" matches the traffic and the ACL associated with this class does not match any traffic!
The policy-map matching traffic for Datacenter:
sh policy-map interface gigabitEthernet 0/0/0 service instance 1
GigabitEthernet0/0/0: EFP 1
Service-policy input: MARKING-OTV
Class-map: Platforme_DC (match-any)
[code].....
Jul 26, 2010
We just purchased a Nexus 7010 switch and we are at a standstill with our COLO trying to figure out what power source should be provided. APC recommends a 50 amp 3-phase vertical cabinet PDU (AP7867). What type of power source/breakers will be sufficient in handling the Nexus 7k with (3) power supplies? Does the COLO need to provide single-phase or 3-phase power receptacles?
Mar 24, 2013
When I make a traceroute on an ASR 1001 router to 172.23.30.7 I get the following output:
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.99.192 0 msec
192.168.99.191 1 msec
192.168.99.192 0 msec
2 172.23.30.243 1 msec 1 msec 1 msec
3 172.23.30.7 1 msec 1 msec 1 msec
Is there a loop between 192.168.99.191 and .192 (these are two routers with HSRP .190), or is this normal behavior when using traceroute on an ASR 1001?
Apr 9, 2013
Deploy OTV using ASR 1001 between 2 data centers? We want to achieve HSRP localization there, but at this moment I can only see lots of docs saying how to do this on N7K, not ASR. I saw it has FHRP filtering enabled by default when the OTV configuration is done, and also see there is an access-list created by default called otv_filter_fhrp. I'm just wondering whether, besides this IP ACL, there should be a MAC ACL applied?
Dec 18, 2011
I have a few new ASR 1001s throwing false environmental alerts. According to the logs, the inlet temp is in excess of 100 degrees C. When I telnet to the routers, they're well within tolerance (30-32C). Running 15.1(1)S, and the bug toolkit shows no related issues or caveats.
Dec 23, 2012
I was wondering if I am able to add a redundant power supply to an ASR 1001 router that is in production without losing connectivity or causing any disruption to the users. Is it hot-swappable?
Oct 30, 2012
I'm configuring CoPP for an ASR 1001 router with consolidated IOS XE Version 03.07.01.S. I'm trying to use the 'drop' command under the policy map to drop unwanted traffic, but the drop command is not listed.
[code]...
Oct 26, 2011
What license do I need to create an IPsec tunnel? I have an ASR 1001, running: [code]
May 2, 2011
We are facing an issue with a Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0): the username and password expire automatically. It happens very often. We are not able to retrieve the password, so every time we need to reset (factory default) the Cisco WLC4402 and do a fresh installation.
Also, is there any possibility of recovering the username and password with resetting the Cisco WLC4402?
Jun 14, 2012
My Win 7 desktop always disconnects from the internet connection after it has been connected, and when I ran the network diagnosis wizard it said DNS ERROR CONNECTION. All other systems in my office use the same DNS address.
Aug 20, 2012
My computer will connect to my network for a second or two, then immediately disconnect. Other computers and devices connect without a problem. I have also experienced this with every network I have tried to connect to; it does the same thing. I figure it is therefore a problem with my laptop itself, but troubleshooting has yielded nothing, and most of the fixes I have found require connecting to the network, but obviously I cannot do that. I can connect with an Ethernet cable just fine. My guess would be that there is a setting that is incorrect within the wireless on my computer, but what that is I could not even venture to guess.
Oct 16, 2012
I want to set up a VPN tunnel from a Cisco VPN Client on the internet over a FritzBox to the Cisco 876 (Version 15.1(4)M3) so that the VPN tunnel terminates at the Cisco 876. For that reason I used the command "crypto map mymap" on the int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message: "phase 2 SA policy not acceptable!". [code]
Sep 15, 2011
I just updated my Cisco 7609 to Version 12.2(33)SRD6. I encountered a strange problem with this version: every time I change a BGP policy (input or output) it takes effect immediately without "clear ip bgp neighbor <address> soft". Is there any way to not have the BGP policy take effect unless the command "clear ip bgp neighbor <> soft" is issued?
Apr 6, 2012
I have about 30 remote EZVPN 1811 routers that never come up after a firewall reload for about an hour. I have watched the EZVPN remotes and they believe they still have an IPSEC SA and they never attempt to reconnect until their IKE SA times out. Is there any way I can change this behavior so that the remotes will more rapidly recognize that their SA is invalid and negotiate a new one?
Jan 21, 2012
Have been experiencing speeds of max 2.5 Mbps for transferring files between Windows 7 machines connected wirelessly to a Billion 800VGT router. A speed of maximum 18 Mbps was achieved. No matter what I did to adaptor settings, it was the best possible. Have 6 wireless machines which I cross-checked multiple times using LAN Speed Test by Totusoft. I then disabled the wireless security (WPA-PSK) on my Billion 800VGT router and secured the network by using the wireless MAC address filter. My speed immediately increased to 11 Mbps between wireless machines. Speeds to machines on the fixed LAN increased to 26 Mbps.
Feb 13, 2012
My HW is Version B2 and my firmware is 2.25. My internet connection keeps dropping and reconnecting. It started off doing this a few times a day, but now it does not keep a connection for more than 10 minutes.
Mar 12, 2013
Will the 3945 router work on 208 V single phase (line to line)? I know it mentions 100-240 VAC, but would the line-to-line issue cause a problem?
Sep 28, 2010
I recently upgraded our 5508s to 7.0.98. I am now seeing this message on the primary WLC while running a debug on a client: *apfMsConnTask_1: Sep 29 11:05:36.114: Deleting the client immediately since WLAN is changed.
Jul 24, 2011
How to do the above thing.
Apr 25, 2013
I have a site-to-site IPsec tunnel set up between an ASA5510 and a 2951 router. The ASA 5510 is on a 10.x subnet with a few VLANs behind it. There are also 7 other ASA5505s that connect to this box with IPsec.
The 2951 is on a 10.x subnet with multiple vlans behind it (10.x and 192.x subnets).
When I had an ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 voice VLAN), the connection comes online and is stable.
The minute I add any of the following, the connection drops off with Phase 2 errors: 10.20.0.0 to 10.1.200.0, 10.20.1.0 to 10.1.1.0.
I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.
Feb 27, 2011
I have a little problem with an Easy VPN; this is the topology:
- One router 2811: this is the Easy VPN client (which has an IP address by DHCP)
- One ASA 5540: this is the Easy VPN server
Feb 25, 2013
Configuration is simple: on one side an ASA 5580 with software asa844-5-smp-k8.bin, on the other side an ASA 5520 with asa845-k8.bin. Between them an IPsec LAN-to-LAN tunnel is built. Usually it works fine, but at random times I get an error in the logs, something like this on the ASA 5520: %ASA-5-713904: Group = x.x.x.200, IP = x.x.x.200, Phase 2 rekey collision, found centry 0x6cec9d28 or on the ASA 5580: %ASA-5-713904: Group = x.x.x.234, IP = x.x.x.234, Phase 2 rekey collision, found centry 0x00007ffe782dfa60 The main problem is that if this error occurs on the 5520, everything continues to work (only this message appears in the log).
If this problem occurs on the 5580, the tunnel stops working. One thing that works is to drop the crypto SA (clear crypto ikev1 sa x.x.x.234); after that the tunnel reinitializes and everything starts working again. As far as I know, this problem was on the 5520 up to version 8.4.2 and was solved in 8.4.3. But, as you see, in the version for the 5580 (-smp) this bug is still present in newer versions.
Apr 22, 2012
I am trying to set up a site to site VPN tunnel using GRE over IPSEC. Below is the configuration from both routers and debug output. I'm scratching my head on this one. I'm using two Cisco 7600 routers with SSC-400 SPA modules and 720 Supervisors. The IOS on R1 is 12.2 SXI2 and R2 has 12.2 SXI3.
Aug 5, 2012
I am configuring VPN on an 831 router using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs; however, from what I can tell I can only ping across the VPN. I can't connect to any web services or RDP to any hosts on the local network. Here is a copy of my config.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
[code]....
Aug 6, 2011
Just set up a site-to-site VPN between 2 ASA 5520 firewalls in two locations, but the VPN doesn't work even though I see phase 2 completed in the logs. I can't ping across the LANs.
Nov 25, 2011
Our wireless network has started to drop out periodically. If we pull power and restore, the network immediately comes back up on all our devices. We have the WRT54G, and we have 2 PCs, 2 Macs, 3 iPhones, and a wired home phone. Normally there are not this many devices connected, but with everyone home for Thanksgiving and all these devices on the network we have started to see this issue.
Are there simply more devices than the router can handle? Is one of the devices crashing the network for everyone? What typically will cause something like this?
Dec 12, 2010
I tried to configure an L2TP connection on an ASA5505. Phase 1 and Phase 2 are completed but the Windows client doesn't work. [code]
Feb 8, 2012
Got a classical remote access VPN with Cisco VPN Client and ASA-5520. Some weeks ago I noticed in my ASA logs this severity 5 message: Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit. This message comes with every connect, but then the connection works fine.
Remark: See ASA ASDM:
- 1. Duplicated Phase II (!!)
- 2. Phase I
- 3. Phase II
Apr 15, 2013
I've an ASR1001 with 15.1(2)S code on it connected to our ISP. We've been getting some complaints about performance and I'm seeing drops on the output policy. Checking the bandwidth consumption, we have plenty spare when drops are occurring; there's 300 Mb/s. Details below; any suggestions gratefully received.
The policy is to guarantee the following bandwidth:
Outbound policy:
class 1 => 50% guaranteed
class 2 => 8% guaranteed
class 3 => 1% guaranteed
class 4 => 5% guaranteed
class 5 => 1% guaranteed
class 6 => 5% guaranteed
class => 7% guaranteed
class 8 => 7% guaranteed
class default => not configured
config :
policy-map priority
class 1
priority percent 50
class 2
priority percent 8
class 3
priority percent 1
class 4(code)
Nov 4, 2012
I need to check and possibly change which network address is allowed down a tunnel, and check our Phase 2 IPsec proposal. How would I do this on a VPN3000?