Cisco VPN :: ASA 5580 Random (Phase 2 Rekey Collision)

Feb 25, 2013

Configuration is simple: on one side an ASA 5580 with software asa844-5-smp-k8.bin, on the other side an ASA 5520 with asa845-k8.bin. Between them an IPsec LAN-to-LAN tunnel is built. Usually it works fine, but at random times I get an error in the logs, something like this on the ASA 5520:

%ASA-5-713904: Group = x.x.x.200, IP = x.x.x.200, Phase 2 rekey collision, found centry 0x6cec9d28

or on the ASA 5580:

%ASA-5-713904: Group = x.x.x.234, IP = x.x.x.234, Phase 2 rekey collision, found centry 0x00007ffe782dfa60

The main problem is that if this error occurs on the 5520, everything continues to work (only this message appears in the log).

If this problem occurs on the 5580, the tunnel stops working. The one thing that works is dropping the crypto SA (clear crypto ikev1 sa x.x.x.234); after that the tunnel reinitializes and everything starts working again. As far as I know, this problem existed on the 5520 up to version 8.4.2 and was solved in 8.4.3. But, as you see, in the version for the 5580 (-smp) this bug is still present in newer versions.


Cisco Firewall :: ASA 5580 Arp Collision Errors?

Feb 11, 2012

I am receiving a lot of errors: "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC"

When I checked this MAC address in the same firewall it shows too many IP addresses. What could be the reason?


Cisco WAN :: Late Collision Error In 881 Router

Apr 7, 2011

My Cisco 881 router. The router is configured and the line is up to the ISP, and internal users can also use the internet.

But when I checked on the router, every 10 seconds I found these error messages:

%PQII_PRO_FE-5-LATECOLL: PQII_PRO/FE(4), Late collision

The internet goes down often and comes up only when the router is restarted.

This is my IOS version.
 
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: [URL]

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

xxxx uptime is 2 days, 16 hours, 1 minute
System returned to ROM by power-on
System image file is "flash:c880data-universalk9-mz.150-1.M4.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
[URL]

Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FHK144973KN

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)

License Info:
License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO881-K9           FHK144973KN

[Code]....

When I look at "sh interface fastethernet4" there are so many output errors, and my configuration is very simple, just a default route.


Small Network / Random Computers Lose Browsing At Random Times?

Dec 29, 2012

Network running about 60 computers, most of which are running Windows 7 Professional. Some are on a domain, some are not. At (seemingly) random times, some computer on the network will lose the ability to browse websites (including the web interfaces of networked devices). I can't identify what circumstances cause this to occur. I only find out about it when someone calls me.

From the affected computer:

- I can ping sites
- I can ping our Cyberoam UTM (which acts as our DNS, DHCP, and firewall)
- disabling/enabling the connection doesn't fix the problem
- releasing/renewing the IP doesn't fix the problem
- flushing DNS doesn't fix the problem
- uninstalled antivirus on two test machines, problem still randomly manifests
- replaced the Cyberoam with a newer model
- users have claimed that if they wait a long period of time (40+ minutes) the problem sometimes resolves
- rebooting the computer resolves the issue until it randomly occurs again
- changing the computer's MAC address also resolves the issue until it randomly occurs again


Cisco VPN :: ASA 8.2 - Site-to-Site VPN Stops When Traffic Volume Rekey Reached

Jan 12, 2010

We have several site-to-site IPSec VPN's setup.

All are running on ASA's 8.2(1).

All have a Security Association Lifetime (Time) of 8 hours.
All have a Security Association Lifetime (Traffic Volume) of 4608000 KiloBytes.

We have an issue when we do Oracle logshipping between the sites.

This triggers the Traffic Volume rekey, as can be seen by this entry in the logs:

%ASA-7-702307: IPSEC: An inbound L2L SA (SPI= 0x169FA1C1) between and (user= ) is rekeying due to data rollover.

However it does not appear as if the renegotiation is occurring properly. Within 10 to 15 minutes data stops being transmitted along the link, even though the IPSec tunnel still appears up in the ASDM GUI.

The 'fix' that we are using is to log in to the ASDM GUI and bounce the link by going to Monitoring => VPN => VPN Statistics => Sessions => IPSec Site-to-Site, then selecting the appropriate VPN tunnel and clicking 'Logout'. This forces a link renegotiation, which works fine.

I have attached a logfile from the local ASA (there's nothing in the logfile of the remote ASA until we bounce the VPN tunnel).


Cisco VPN :: ASA 5505 To Do Site To Site VPN Rekey

Dec 6, 2012

I have a 5505 configured to support a number of site-to-site links. One of these has a problem with rekeying. Running debug I see the entries:

The VPN is not configured on the interface Servers but on another interface (outside). It has been completely rebuilt recently. Is this a problem or a ghost of some sort?


Cisco VPN :: 876 Phase 2 SA Policy Not Acceptable

Oct 16, 2012

I want to set up a VPN tunnel from a Cisco VPN Client on the internet, through a Fritzbox, to the Cisco 876 (Version 15.1(4)M3), so that the VPN tunnel terminates at the Cisco 876. For that reason I used the command "crypto map mymap" on int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message: "phase 2 SA policy not acceptable!". [code]


Cisco WAN :: Will 3945 Work On 208 V Single Phase

Mar 12, 2013

Will the 3945 router work on 208 V single phase (line to line)? I know it mentions 100-240 VAC, but would the line-to-line issue cause a problem?


To Find A Pass Phase Number

Jul 24, 2011

How to do the above thing.


Cisco VPN :: ASA5510 To 2951 - Phase 2 Failures With 10.x Subnets

Apr 25, 2013

I have a site-to-site IPsec tunnel set up between an ASA5510 and a 2951 router. The ASA 5510 is on a 10.x subnet with a few VLANs behind it. There are also 7 other ASA5505s that connect to this box with IPsec.

The 2951 is on a 10.x subnet with multiple VLANs behind it (10.x and 192.x subnets).

When I had an ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice VLAN), the connection comes online and is stable.

The minute I add any of the following, the connection drops off with Phase 2 errors:

- 10.20.0.0 to 10.1.200.0
- 10.20.1.0 to 10.1.1.0

I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.


Cisco VPN :: 5540 Duplicate Phase Packet Detected

Feb 27, 2011

I have a little problem with an Easy VPN. This is the topology:

- One router 2811: this is the Easy VPN client (which gets its IP address by DHCP)

- One ASA 5540: this is the Easy VPN server


Cisco VPN :: 7600 - Cannot Successfully Negotiate ISAKMP Phase 1

Apr 22, 2012

I am trying to set up a site to site VPN tunnel using GRE over IPSEC. Below is the configuration from both routers and debug output. I'm scratching my head on this one. I'm using two Cisco 7600 routers with  SSC-400 SPA modules and 720 Supervisors. The IOS on R1 is 12.2 SXI2 and R2 has 12.2 SXI3.


Cisco VPN :: 831 - Phase 1 And 2 Complete But Limited Network Access

Aug 5, 2012

I am configuring VPN on an 831 router using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs; however, from what I can tell, I can only ping across the VPN. I can't connect to any web services or RDP to any hosts on the local network. Here is a copy of my config.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers

[code]....


Cisco VPN :: ASA 5520 / VPN Phase 2 Complete But LAN Traffic Doesn't Pass

Aug 6, 2011

Just set up a site-to-site VPN between 2 ASA 5520 firewalls in two locations, but the VPN doesn't work even though I see phase 2 completed in the logs. I can't ping across the LANs.


Cisco Switching/Routing :: ASR 1001 - IKE Phase 2 SA Expires Immediately

Dec 11, 2012

I am migrating an IPsec site-to-site VPN config to a new ASR1001 router "facing" a Linux box (ipsec-tools + racoon). As the Debian Linux does not offer VTI, I am using a crypto map.

The working config is given below with the corresponding logs on the Linux side.

When I try to apply this previously working config to the ASR1001, I get the following error:
 
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
 
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)


Cisco VPN :: ASA5505 Phase 1 And 2 Are Completed But Windows Client Doesn't Work

Dec 12, 2010

I tried to configure an L2TP connection on an ASA5505. Phase 1 and Phase 2 are completed but the Windows client doesn't work. [code]


Cisco VPN :: ASA-5520 Logs 713201 Duplicate Phase 2 Packet Detected

Feb 8, 2012

Got a classic remote access VPN with Cisco VPN Client and an ASA-5520. Some weeks ago I noticed this severity 5 message in my ASA logs: "Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit." This message comes with every connect, but then the connection works fine.

Remark: See ASA ASDM:

- 1. Duplicated Phase II (!!)
- 2. Phase I
- 3. Phase II


Cisco VPN :: 3000 Network Address Is Allowed Down Tunnel / Check Phase 2 IPSEC Proposal

Nov 4, 2012

I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?


Cisco Switching/Routing :: 3phase Or Single Phase Wiring For Nexus 7010 Power Supplies

Jul 26, 2010

We just purchased a Nexus 7010 switch and we are at a standstill with our COLO trying to figure out what power source should be provided. APC recommends a 50 amp 3-phase vertical cabinet PDU (AP7867). What type of power source/breakers will be sufficient in handling the Nexus 7k with (3) power supplies? Does the COLO need to provide single-phase or 3-phase power receptacles?


Cisco Firewall :: Cannot SSH / Telnet To ASA 5580

Oct 15, 2011

Accessing my Cisco ASA: last night we were doing a VA on our ASA, and after that I am not able to access it through SSH nor Telnet. It's not giving me any error. I tried from a different system also. SSH & Telnet are allowed from inside to 0.0.0.0. I re-generated the RSA keys when it was working. The ASA version is 8.2. Now when I connect, Telnet is giving me a blank prompt. I can log in using ASDM.


Cisco VPN :: 5580 Vendor L2L VPN Access To Others

Jun 20, 2012

Our ASA is a 5580, version 8.1(2), and is the L2L VPN peer for a handful of remote offices, including a L2L VPN with a vendor who will provide a service for these remote offices. I have two questions/issues: We will need to provide this vendor access to the remote office network(s) only on port 9100 (printing to specific printers at these offices). I know there is an issue with L2L VPNs' ability to see each other, but if there is a global command allowing all to see each other that would be bad, as we have others and don't want all to see each other. The remote offices are using CIDR 172.20.0.0/16, so each one is assigned for example 172.20.3, the next office is 172.20.4 and so on. For the crypto map access list for this vendor, can we use 172.20.0.0/16 or do we need to specify each individual network?


Cisco :: ASA 5580 - Top 10 Destinations / Sources Have No Data

Mar 1, 2012

In the Firewall Dashboard of my ASA 5580, I get data on every pane, except for the Top 10 Sources and Top 10 Destinations. Why is that, and what do I need to do to get data there?


Cisco Firewall :: Cannot Activate Failover On Asa 5580

Sep 27, 2011

I got a problem with a Cisco ASA 5580 about two days ago and the device stopped working (there was a maintenance window and after that the device didn't work). Now we have received the RMA and we are trying to configure the failover so the new device gets the configuration from the one that is working.

But this is the message that I'm getting:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

We already changed the shared key and crypto license but the failover is still down. What are the features that the Cisco needs to have activated to enable the failover?


Cisco VPN :: ASA 5580 - Filter For Hairpin VPNs

Jul 2, 2012

We have a corporate site with a Cisco ASA 5580 (8.1), a remote office with a Cisco ASA 5510 (8.2) with a L2L VPN to corporate. A vendor has a L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning). The corporate office accesses an application at the vendor on port 23. Everything is working with regards to the vendor accessing resources to the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I setup a VPN filter and applied to the vendor's L2L vpn but when I apply the filter (see below) all traffic stops to the vendor such as telnet.


Cisco WAN :: Vlan Gateway Is Route-able From ASA 5580

Mar 26, 2013

I connected my intranet cable to core switch 4510 and created one VLAN 600; that VLAN gateway is routable from the ASA 5580. Now my intranet people are able to ping my VLAN gateway, but I am unable to ping their IP. I added a static route on the ASA (route inside 192.0.0.0 255.255.255.0 10.100.106.1 1) but I am unable to ping the remote IP.


Cisco Firewall :: 5580 - Can't Ping ASA Different Interfaces

May 23, 2012

We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping the firewall DMZ interface IP from the inside LAN it is not pingable, but from inside users I am able to ping the firewall inside interface IP address.

I think we can't ping the other interfaces of the ASA by default. But can we allow a single IP address that can ping all the interfaces of the firewall?

We are not doing any NATting in the firewall; for that we use the load balancer.


Cisco VPN :: 5580 EZVPN Using RRI And NEM With Fa0/0 And Loop Back0

Mar 29, 2011

Our company has a handful of sites that use the EasyVPN technology. On my remote router (Cisco 1841) I add the crypto inside to the FA0/0 and the Loopback0 interface. On the other end, my Cisco ASA 5580 (8.41 code), I have RRI enabled and the tunnel comes up fine. However, I only see the static route from the fa0/0 interface on the remote router. I cannot figure out why I cannot see the Loopback0 address. Wondering if this is a limitation or a feature not enabled.

I added multiple interfaces on the Cisco 1800 and can see the networks. I run "show crypto ipsec sa" on the Cisco ASA and see the SPI encaps/decaps for the loopback, but "sh route" does not show the static route being injected.


Cisco VPN :: ASA 5580 - Anyconnect Certificate Failover

Apr 28, 2013

I have a strange issue with certificate-based authentication for AnyConnect. We have an ASA with two internet links; both have a CA-authenticated cert for AnyConnect VPNs. We have an AnyConnect client profile also. When we simulate a link failure on the ASA, AnyConnect should automatically attempt a reconnect to the backup server list in its configuration (which is the other interface on the ASA 5580), which it does, but we get a certificate trust error.


Cisco Firewall :: ASA 5580-20 System LED Flashing Red

May 16, 2011

A customer's ASA is presenting the System LED flashing red. I have already analysed the show tech-support and show environment output: found nothing, everything seems OK. Cisco ASA 5580-20 - 8.2.1. Single appliance, no failover, multiple context and transparent mode.


Cisco VPN :: DfltCustomization File Is Missing In ASA 5580

Sep 22, 2012

I wanted to perform the customization of the SSL WebVPN page. But when I tried to create a new Customization object it is not happening, as the DfltCustomization object is not available. We have so many WebVPN configurations and objects that I can't issue the "revert webvpn all" command. Can I import the file from any location, or the default customization object file, so that I can export it into the ASA and create a new customized object accordingly? Or what other steps can I take to get customization happening in my Cisco ASA 5580, 8.2(5) and ASDM 6.4?


Cisco Firewall :: Upgrading ASA 5580 Cluster From 7.2 To 8.2

Aug 19, 2012

We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):

- download the ASA 8.2 image to primary + secondary firewall
- reboot primary (message comes up "mate version ...")
- reboot secondary

Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?

Do I have to bring the secondary into monitor mode so the firewall is not visible to the primary?


Cisco Firewall :: Does ASA 5580 Support NAT-PT For IPv6

Mar 29, 2011

I want to ask whether the ASA 5580 supports NAT-PT for IPv6?


Cisco Firewall :: ASA 5580 Command Itself Is No Longer Used

Mar 5, 2011

I'm new with the ASAs. I'm familiar with the FWSMs on 6500s and PIX. I'm running Version 8.3(2) and I wanted to set up nat-control and use identity NATs for advertising inside subnets to my outside networks.

The old command was static (inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x. I'm having a little difficulty deciphering the PDF about the static NAT. The command itself is no longer used, nat-control is no longer used, but I'm not quite sure what the equivalent nat command is that equates to the old static (inside,outside) command.
