Cisco ASA Firewall in Transparent Layer2 Mode (ciscoasafirewall blog, posted 2011-06-17)<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div style="line-height: 18px;">Traditionally, a network firewall is a routed hop that acts as the default gateway for hosts that connect to one of its screened subnets. A transparent firewall (or Layer 2 firewall), on the other hand, acts like a “stealth firewall” and is not seen as a Layer 3 hop by connected devices. The appliance connects the same Layer 3 subnet on its inside and outside ports, but each interface of the firewall resides in a different Layer 2 VLAN. The Cisco ASA firewall can operate either in Routed Firewall Mode (the default) or in Transparent Firewall Mode.</div><div style="line-height: 18px;"><span style="text-decoration: underline;">Routed Firewall Mode:</span></div><div style="line-height: 18px;">See the diagram below for a common network topology of a Cisco ASA firewall working in Routed Mode.</div><div style="line-height: 18px; text-align: center;"><img alt="" class="alignnone" height="500" src="http://www.tech21century.com/images/asa-routed-mode.jpg" style="border-bottom-style: none; border-color: initial; border-left-style: none; border-right-style: none; border-top-style: none; border-width: initial; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="cisco asa in routed mode" width="350" /></div><div style="line-height: 18px;">As you can see, there are two different network subnets: the inside network (10.20.20.0/24) and the outside network (10.10.10.0/24). There must also be two different Layer 2 VLANs (VLAN 20 for the inside network and VLAN 10 for the outside network).
All hosts residing in the internal network must belong to subnet 10.20.20.0 and must use the internal IP of the ASA (10.20.20.1) as their default gateway.</div><div style="line-height: 18px;"><span style="text-decoration: underline;">Transparent Firewall Mode:</span></div><div style="line-height: 18px;">The diagram below shows an example topology using a Cisco ASA in Layer 2 transparent mode.</div><div style="line-height: 18px; text-align: center;"><img alt="" class="alignnone" height="500" src="http://www.tech21century.com/images/asa-transparent-mode.jpg" style="border-bottom-style: none; border-color: initial; border-left-style: none; border-right-style: none; border-top-style: none; border-width: initial; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="cisco asa transparent mode" width="350" /></div><div style="line-height: 18px;">As you can see, there is only one Layer 3 network (10.10.10.0/24) BUT there MUST be two different Layer 2 VLANs (VLAN 20 for the inside zone and VLAN 10 for the outside zone). All hosts must reside in the 10.10.10.0 range and must use the IP address of the outside router (10.10.10.2) as their default gateway. Also, a management IP address MUST be configured on the ASA firewall (again within the 10.10.10.0 range). DO NOT specify the management IP address of the ASA as the default gateway for connected devices.</div><div><div style="line-height: 18px;"><span style="text-decoration: underline;">Characteristics of Transparent Mode</span></div><div style="line-height: 18px;">• Transparent firewall mode supports only two interfaces (inside and outside)<br />
• The firewall bridges packets from one VLAN to the other instead of routing them.<br />
• MAC lookups are performed instead of routing table lookups.<br />
• Can run in single context mode or in multiple context mode.<br />
• A management IP address is required on the ASA.<br />
• The management IP address must be in the same subnet as the connected network.<br />
• Each interface of the ASA must be a different VLAN interface.<br />
• Even though the appliance acts as a Layer 2 bridge, Layer 3 traffic cannot pass through the security appliance from a lower security level to a higher security level interface.<br />
• The firewall can allow any traffic through by using normal extended Access Control Lists (ACL).</div></div><div style="line-height: 18px;"><span style="text-decoration: underline;">Initial Configuration</span></div><div style="line-height: 18px;">Asa(config)# firewall transparent</div><div style="line-height: 18px;">!<em>Configure management IP below</em><br />
Asa(config)# ip address 10.10.10.1 255.255.255.0</div><div style="line-height: 18px;">Asa(config)# interface Ethernet0/0<br />
Asa(config-if)# nameif outside<br />
Asa(config-if)# security-level 0<br />
!<br />
Asa(config)# interface Ethernet0/1<br />
Asa(config-if)# nameif inside<br />
Asa(config-if)# security-level 100</div><div style="line-height: 18px;"><br />
</div><div style="line-height: 18px;"><br />
</div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"><h2 class="title-page" style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 26px; font-weight: normal; line-height: 1em; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 11px; padding-left: 0px; padding-right: 0px; padding-top: 4px; width: 940px;">PIX/ASA: Transparent Firewall Configuration Example</h2><div><br />
</div></span><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"><h2><a href="" name="intro">Introduction</a></h2>Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "<b>bump in the wire</b>," or a "<b>stealth firewall</b>," and is not seen as a router hop by connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; there is no need to re-address the network.<br />
Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.<br />
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.<br />
In routed mode, some types of traffic cannot pass through the security appliance even if you allow them in an access list. By contrast, the transparent firewall can allow any traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).<br />
For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow VPN (IPSec), OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols such as HSRP or VRRP can pass through the security appliance.<br />
Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through with an EtherType access list.<br />
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, with an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic, such as that created by IP/TV.<br />
When the security appliance runs in transparent mode, the outbound interface of a packet is determined by a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route, so the security appliance can reach that subnet.<br />
You can set the adaptive security appliance to run in the default routed firewall mode or transparent firewall mode. When you change modes, the adaptive security appliance clears the configuration because many commands are not supported in both modes. If you already have a populated configuration, be sure to back up this configuration before you change the mode; you can use this backup configuration for reference when you create a new configuration.<br />
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space. For multiple context mode, the system configuration is erased, which removes any contexts. If you again add a context that has an existing configuration that was created for the wrong mode, the context configuration does not work correctly.<br />
<b>Note: </b>Be sure to create your context configurations for the correct mode before you add them again, or add new contexts with new paths for new configurations.<br />
<b>Note: </b>If you download a text configuration to the security appliance that changes the mode with the <b>firewall transparent</b> command, be sure to put the command at the top of the configuration; the adaptive security appliance changes the mode as soon as the command is executed and then continues to read the configuration that you downloaded. If the command occurs later in the configuration, the adaptive security appliance clears all previous lines in the configuration.<br />
In order to configure Multiple Context Mode in Transparent Firewall, refer to <a href="http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043" style="color: #003399;" target="_blank">Multiple Mode, Transparent Firewall with Outside Access</a>.<br />
<h2><a href="" name="prereq">Prerequisites</a></h2><h3><a href="" name="req">Requirements</a></h3>There are no specific requirements for this document.<br />
<h3><a href="" name="hw">Components Used</a></h3>The information in this document is based on these software and hardware versions:<br />
<ul><li>ASA with version 7.x and later</li>
</ul>The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.<br />
<h3><a href="" name="rel">Related Products</a></h3>This configuration can also be used with these hardware and software versions:<br />
<ul><li>PIX Security Appliance with 7.x and later</li>
</ul><h3><a href="" name="conv">Conventions</a></h3>Refer to the <a href="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml" style="color: #003399;">Cisco Technical Tips Conventions</a> for more information on document conventions.<br />
<h2><a href="" name="backinfo">Transparent Firewall</a></h2><h3><a href="" name="guide">Guidelines</a></h3>Follow these guidelines when you plan your transparent firewall network:<br />
<ul><li>A management IP address is required; for multiple context mode, an IP address is required for each context.<br />
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets that originate on the security appliance, such as system messages or AAA communications.<br />
The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).</li>
<li>The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.<br />
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.</li>
<li>Each directly connected network must be on the same subnet.</li>
<li>Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.</li>
<li>For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.</li>
<li>For multiple context mode, each context typically uses a different subnet. You can use subnets that overlap, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.</li>
<li>You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.<br />
You can also optionally use an EtherType access list to allow non-IP traffic through.</li>
</ul><h3><a href="" name="mac">Allowed MAC Addresses</a></h3>These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.<br />
<ul><li>TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF</li>
<li>IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF</li>
<li>IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF</li>
<li>BPDU multicast address equal to 0100.0CCC.CCCD</li>
<li>AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF</li>
</ul><h3><a href="" name="unsupp">Unsupported Features</a></h3>These features are not supported in transparent mode:<br />
<ul><li>NAT/PAT<br />
NAT is performed on the upstream router.<br />
<b>Note: </b>Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.</li>
<li>Dynamic routing protocols (such as RIP, EIGRP, OSPF)<br />
You can add static routes for traffic that originates on the security appliance. You can also allow dynamic routing protocols through the security appliance with an extended access list.<br />
<b>Note: </b>IS-IS over IPv4 is IP protocol 124. IS-IS transit packets can be allowed through transparent mode with an ACL that permits protocol 124; transparent mode supports all 255 IP protocol numbers.</li>
<li>IPv6</li>
<li>DHCP relay<br />
The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through with an extended access list.</li>
<li>Quality of Service (QOS)</li>
<li>Multicast<br />
You can allow multicast traffic through the security appliance if you allow it in an extended access list. In a transparent firewall, access lists are required to pass multicast traffic from higher to lower security zones as well as from lower to higher. In a normal (routed) firewall, no access list is required from higher to lower security zones. For more information, refer to the <a href="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080959e83.shtml#tpsd" style="color: #003399;">Pass Through Traffic</a> section in the Firewall Service Module Transparent Firewall Configuration Example.</li>
<li>VPN termination for through traffic<br />
The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections.</li>
</ul><b>Note: </b>The transparent mode security appliance does not pass CDP packets or any packets that do not have a valid EtherType greater than or equal to 0x600.<br />
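The Introduction above and the Unsupported Features list both say the same thing from different angles: in transparent mode nothing except ARP is bridged on its own, and every protocol you want across the wire (routing protocols, HSRP, DHCP, multicast, BPDUs) needs an explicit extended or EtherType access list, while routes matter only for traffic the ASA itself sends. The configuration below is an added example, not part of the Cisco document or the blog, that puts those statements into one policy for the appliance configured later on this page. It assumes the page's interface names (outside/inside), the upstream router 192.168.1.2, the internal router 192.168.1.3 and the inside web server 10.1.1.1; the syslog server 10.1.1.50, the ACL names and the router MAC address 0000.0c12.3456 are constructed placeholders.

```cisco
! Added example: explicit pass-through policy for a transparent-mode ASA 8.x.
! Assumes interfaces outside/inside, upstream router 192.168.1.2, internal
! router 192.168.1.3, inside web server 10.1.1.1 (all from the page).
! 10.1.1.50 (syslog) and 0000.0c12.3456 (router MAC) are constructed values.
!
! --- Outside (security-level 0): nothing Layer 3 passes from lower to higher
! security without an extended ACL, so each needed protocol is listed.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit 124 any any
!   IS-IS over IPv4 is IP protocol 124; any of the 255 protocol numbers works here.
access-list OUTSIDE_IN extended permit udp any host 224.0.0.2 eq 1985
!   HSRP hellos between the routers on either side of the bridge.
access-list OUTSIDE_IN extended permit igmp any any
access-list OUTSIDE_IN extended permit udp any 224.0.0.0 240.0.0.0
!   Multicast data; in transparent mode it needs a permit in both directions.
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
!   DHCP replies from a server on the outside (DHCP relay is unsupported).
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq www
!   The "outside user visits an inside web server" scenario. Everything else
!   from outside hits the implicit deny at the end of the list.
access-group OUTSIDE_IN in interface outside
!
! --- Inside (security-level 100): unicast from higher to lower security is
! allowed by default. The explicit lines exist so that
! "show access-list INSIDE_IN" shows per-protocol hit counts before the
! catch-all permit that keeps ordinary host traffic flowing.
access-list INSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit 124 any any
access-list INSIDE_IN extended permit udp any host 224.0.0.2 eq 1985
access-list INSIDE_IN extended permit igmp any any
access-list INSIDE_IN extended permit udp any 224.0.0.0 240.0.0.0
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! --- Non-IP frames need an EtherType ACL. Without it BPDUs are dropped and
! the switches on the two sides no longer see a single spanning tree.
access-list ETHER ethertype permit bpdu
access-group ETHER in interface outside
access-group ETHER in interface inside
!
! --- ARP is the one protocol bridged without an ACL. Pinning the upstream
! router's MAC and enabling ARP inspection makes the ASA drop a reply that
! claims 192.168.1.2 with a different MAC; "flood" still forwards ARP for
! addresses that have no static entry.
arp outside 192.168.1.2 0000.0c12.3456
arp-inspection outside enable flood
!
! --- Routes apply only to traffic the ASA originates; through-traffic is
! forwarded by MAC lookup. The syslog server sits behind the internal router.
route outside 0.0.0.0 0.0.0.0 192.168.1.2
route inside 10.1.1.0 255.255.255.0 192.168.1.3
logging enable
logging trap informational
logging host inside 10.1.1.50
```

Because the appliance is a bridge, the two access groups see the same flows from opposite sides; keeping the protocol lines identical on both interfaces (apart from the DHCP port direction) makes a missing permit obvious when one side's hit counter stays at zero.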
<h2><a href="" name="conf">Configure</a></h2>In this section, you are presented with the information to configure the features described in this document.<br />
<b>Note: </b>Use the <a href="http://www.cisco.com/pcgi-bin/Support/Cmdlookup/home.pl" style="color: #003399;">Command Lookup Tool</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only) to obtain more information on the commands used in this section.<br />
<h3><a href="" name="diag">Network Diagram</a></h3>The network diagram shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.<br />
<img alt="/image/gif/paws/97853/Transparent-firewall-1.gif" border="0" src="http://www.cisco.com/image/gif/paws/97853/Transparent-firewall-1.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml" /><br />
<h3><a href="" name="configs">Configurations</a></h3><table bgcolor="#FFFFFF" border="1" cellpadding="3" cellspacing="1"><tbody>
<tr><th bgcolor="#CCCCFF" colspan="1" height="" rowspan="1" width="">ASA 8.x</th></tr>
<tr><td bgcolor="#FFFFFF" colspan="1" height="" rowspan="1" width=""><pre style="font-size: 15px;">ciscoasa#<b>show running-config</b>
: Saved
:
ASA Version 8.0(2)
!
<i>
<span style="color: blue;">!--- In order to set the firewall mode to transparent mode</span>
</i>
<b>firewall transparent</b>
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
<b>interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100</b>
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
<i>
<span style="color: blue;">
!--- IP Address for the Management.
!--- Avoid using this IP Address as a default gateway.
!--- The security appliance uses this address as the source address
!--- for traffic originating on the security appliance, such as system
!--- messages or communications with AAA servers. You can also use this
!--- address for remote management access.
</span>
</i>
<b>ip address 192.168.1.1 255.255.255.0</b>
no failover
icmp unreachable rate-limit 1 burst-size 1
<i>
<span style="color: blue;">!--- Output Suppressed</span>
</i>
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa(config)#</pre></td></tr>
</tbody></table><br />
<h2><a href="" name="access">Data Moves Across the Transparent Firewall in Different Scenarios</a></h2><h3><a href="" name="inside">An Inside User Accesses the Outside Email Server</a></h3>The user on the inside network accesses the email server placed in the Internet (outside). The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the security appliance first classifies the packet in accordance with a unique interface.<br />
The security appliance records that a session is established. If the destination MAC address is in its table, the security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 192.168.1.2. If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.<br />
The email server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the inside user.<br />
<h3><a href="" name="visits">An Inside User Visits a Web Server with NAT</a></h3>If you enable NAT in the Internet router, the flow of the packet across the Internet router is slightly changed.<br />
The user on the inside network accesses the email server placed in the Internet (outside). The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the security appliance first classifies the packet in accordance with a unique interface.<br />
The Internet router translates the real address of Host A (192.168.1.5) to the mapped address of the Internet router (172.16.1.1). Because the mapped address is not on the same network as the outside interface, make sure that the upstream router has a static route to the mapped network that points to the security appliance.<br />
The security appliance records that a session is established and forwards the packet from the outside interface. If the destination MAC address is in its table, the security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 172.16.1.1. If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.<br />
The email server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT when it translates the mapped address to the real address, 192.168.1.5.<br />
<h3><a href="" name="insideacc">An Inside User Visits an Inside Web Server</a></h3>If Host A (192.168.1.5) tries to access the inside web server (10.1.1.1), it sends the request packet to the Internet router (since that is its default gateway) through the ASA from the inside to the outside. The packet is then redirected to the web server (10.1.1.1) back through the ASA (outside to inside) and the internal router.<br />
<img alt="/image/gif/paws/97853/Transparent-firewall-1.gif" border="0" src="http://www.cisco.com/image/gif/paws/97853/Transparent-firewall-1.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml" /><br />
<b>Note: </b>The request packet returns to the web server only if the ASA has an access list to allow the traffic from the outside to the inside.<br />
In order to resolve this, change the default gateway for Host A (10.1.1.1) to the internal router (192.168.1.3) instead of the Internet router (192.168.1.2). This avoids unnecessary traffic being sent to the outside gateway and the resulting redirects on the outside router (Internet router). It also resolves the reverse case, that is, when the web server or any host in 10.1.1.0/24 on the inside of the internal router tries to access Host A (192.168.1.5).<br />
<h3><a href="" name="outs">An Outside User Visits a Web Server on the Inside Network</a></h3>These steps describe how data moves through the security appliance:<br />
A user on the outside network requests a web page from the inside web server. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the security appliance first classifies the packet in accordance with a unique interface.<br />
The security appliance records that a session is established only if the outside user has valid access to the internal web server. The access list must be configured to allow the outside user to reach the web server.<br />
If the destination MAC address is in its table, the security appliance forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 192.168.1.3.<br />
If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.<br />
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the outside user.<br />
<h3><a href="" name="userg">An Outside User Attempts to Access an Inside Host</a></h3>A user on the outside network attempts to reach an inside host. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies whether the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the security appliance first classifies the packet in accordance with a unique interface.<br />
The packet is denied, and the security appliance drops the packet because the outside user does not have the access to the inside host. If the outside user attempts to attack the inside network, the security appliance employs many technologies to determine whether a packet is valid for an already established session.<br />
<h2><a href="" name="veri">Verify</a></h2>Use this section to confirm that your configuration works properly.<br />
The <a href="https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl" style="color: #003399;">Output Interpreter Tool</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only) (OIT) supports certain <b>show</b> commands. Use the OIT to view an analysis of <b>show</b> command output.<br />
<blockquote><pre style="font-size: 15px;">ciscoasa(config)# <b>sh firewall</b>
Firewall mode: <b>Transparent</b>
</pre></blockquote><h2><a href="" name="tshoot">Troubleshoot</a></h2>There is currently no specific troubleshooting information available for this configuration.<br />
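The scenarios above describe what the appliance does step by step (learn the source MAC, check the policy, look up the destination MAC, record the session), but the document gives only <b>show firewall</b> as a check. The command list below is an added verification and troubleshooting checklist, not part of the Cisco document, that confirms each of those steps on an ASA 8.x in transparent mode. It assumes the page's interface names and addresses (inside web server 10.1.1.1, upstream router 192.168.1.2); the ACL name OUTSIDE_IN and the capture name CAP are hypothetical names chosen for the example.

```cisco
! Added checklist: one command per forwarding step from the scenarios above.
! Assumes interfaces outside/inside, web server 10.1.1.1, router 192.168.1.2.
! OUTSIDE_IN (ACL) and CAP (capture) are names chosen for this example.
show firewall
!   Must report "Firewall mode: Transparent" before anything else is checked.
show mac-address-table
!   Both routers' MACs should be listed, each learned on the expected
!   interface. A missing entry explains a dropped first packet: the ASA is
!   still resolving the destination with ARP and a ping.
show arp
!   Resolved IP-to-MAC pairs, including any static entries that were pinned.
show access-list OUTSIDE_IN
!   Hit count per line. A rule with zero hits while sessions fail usually
!   means the traffic arrives on the other interface or uses another
!   protocol number than the one permitted.
show conn
!   An established flow proves the first packet passed the ACL; later packets
!   of that flow bypass the policy lookups described in the scenarios.
packet-tracer input outside tcp 192.168.1.2 40000 10.1.1.1 80
!   Simulates the "outside user visits an inside web server" scenario and
!   names the phase (ACL, L2 lookup) in which the packet would be dropped,
!   on releases that support packet-tracer in transparent mode.
capture CAP interface outside match tcp any host 10.1.1.1 eq 80
show capture CAP
no capture CAP
!   Live packets for that flow on the outside interface; remove the capture
!   afterwards, since it holds buffer memory on the appliance.
show logging
!   Denied packets appear here as syslog messages when logging is enabled.
```

Run the commands in this order: a wrong mode or an empty MAC table makes every later result meaningless, and the ACL hit counters only tell you something once you know the frame reached the interface you expected.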
<br />
<br />
------------------------------------------------<br />
<br />
</span><span class="Apple-style-span" style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: 14px;"><div class="post-header clearfix" style="display: block; padding-bottom: 15px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><div class="details" style="float: left; width: 665px;"><h2 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-size: 1.9em; font-weight: normal; letter-spacing: -0.01em; line-height: 27px; margin-bottom: 2px; margin-left: 0px; margin-right: 0px; margin-top: 2px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://blog.ine.com/2008/09/29/transparent-mode-firewall-guidelines/" rel="bookmark" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #222222; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;" title="Permanent Link to Transparent Mode Firewall Guidelines">Transparent Mode Firewall Guidelines</a></h2><div class="meta"><small>Posted by <a href="http://blog.ine.com/" rel="external" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #333333; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Visit INE Instructor’s website">INE Instructor</a> in <a 
href="http://blog.ine.com/category/ccie-security/" rel="category tag" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #333333; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="View all posts in CCIE Security">CCIE Security</a>, <a href="http://blog.ine.com/category/ccie-security/pixasa-firewall/" rel="category tag" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #333333; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="View all posts in PIX/ASA Firewall">PIX/ASA Firewall</a></small></div></div></div><div class="content clearfix" style="display: block;"><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; line-height: 21px; margin-bottom: 
20px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">As I am sure you have already seen from the blog on setting up the <a href="http://www.ine.com/ccie-security-lab-preparation.htm" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #333333; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: initial; outline-width: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="security">security</a> device as a Layer 2 device, there are many interesting changes that occur on a PIX or ASA when configured for transparent operations. This blog highlights the major changes and guidelines that you should keep in mind when you opt for this special mode of operation.</div><ul class="unIndentedList"><li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>Number of interfaces</strong> – perhaps one of the biggest things you will want to keep in mind is the fact that you are going to be limited in the number of traffic-forwarding interfaces you can use when in Layer 2 mode. When you switch to transparent mode, you are limited to two traffic-forwarding interfaces. On some ASA models, you may also use your dedicated management interface, but of course the use of this port is limited to management traffic. Remember also that when in multiple context mode, you cannot share interfaces between contexts as you can in routed mode.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>IP addressing</strong> – here is another major difference of course. In Layer 2 mode, you assign a single IP address to the device in Global Configuration mode. This address is for remote management purposes and is required before the device will forward traffic. Once the address is assigned, all interfaces start “listening” on this address to ensure the device is responsive to its administrator. This global IP address assigned to the device must be in the same subnet that the forwarding interfaces participate in. Remember, the transparent firewall does not add a new network (subnet) to your topology.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>Default gateway</strong> – for traffic sourced from the security device itself, you can configure a default gateway on the transparent device. You can do this with the route 0 0 command.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>IPv6 support</strong> – the transparent firewall does not support IPv6.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>Non-IP traffic</strong> – you can pass non-IP traffic through the Layer 2 Mode device. Note that this is not possible on a security appliance in its default Layer 3 mode.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>More unsupported features</strong> – the Layer 2 mode device does not support Quality of Service (QoS) or Network Address Translation (NAT).</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>Multicast</strong> – the transparent mode device does not offer multicast support, but you can configure Access Control Lists (ACLs) in order to pass multicast traffic through the device.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>Inspection</strong> – with the Layer 2 mode device you can inspect traffic at Layer 2 and above. With the classic routed mode configuration, you can only inspect at Layer 3 and above.</li>
<li style="padding-bottom: 3px; padding-left: 3px; padding-right: 3px; padding-top: 3px;"><strong>VPN support</strong> – the transparent mode device does support a site to site VPN configuration, but only for its management traffic.</li>
</ul><div>----------------------------------------------</div><div><br />
</div></div></span><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"><h2 class="title-page" style="border-bottom-color: rgb(204, 204, 204); border-bottom-style: solid; border-bottom-width: 1px; color: #444444; font-family: Arial, Helvetica, sans-serif; font-size: 26px; font-weight: normal; line-height: 1em; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 11px; padding-left: 0px; padding-right: 0px; padding-top: 4px; width: 940px;">Firewall Service Module Transparent Firewall Configuration Example</h2><div><br />
</div></span><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"><h2><a href="" name="intro">Introduction</a></h2>Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a <i>bump in the wire</i> or a <i>stealth firewall</i> and is not seen as a router hop to connected devices. The Firewall Service Module (FWSM) connects the same network on its inside and outside interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network. IP readdressing is unnecessary.<br />
Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.<br />
Even though transparent mode acts as a bridge, Layer 3 traffic (such as IP traffic) cannot pass through the FWSM unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.<br />
In routed mode, some types of traffic cannot pass through the FWSM even if you allow it in an access list. Alternatively, the transparent firewall can allow any traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).<br />
For example, you can establish routing protocol adjacencies through a transparent firewall. You can allow VPN (IPSec), OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols such as HSRP or VRRP can pass through the FWSM.<br />
Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through with an EtherType access list.<br />
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, with an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic, such as that created by IP/TV.<br />
When the FWSM runs in transparent mode, the outbound interface of a packet is determined by a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to FWSM-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route, so the FWSM can reach that subnet.<br />
An exception to this rule is when you use voice inspections and the endpoint is at least one hop away from the FWSM. For example, if you use the transparent firewall between a CCM and an H.323 gateway, and there is a router between the transparent firewall and the H.323 gateway, then you need to add a static route on the FWSM for the H.323 gateway for successful call completion.<br />
<b>Note: </b>The transparent mode FWSM does not pass CDP packets or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.<br />
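The note above and the Allowed MAC Addresses list later in this document together decide whether a transparent FWSM even considers a frame before any access list is consulted. The following Python model is an added example, not Cisco's code nor this document's: it encodes the EtherType rule (a value below 0x600 is an 802.3 length field, which is why CDP and IS-IS frames are not passed, with BPDUs excepted) and the allowed destination MAC ranges. It assumes, as the text implies, that unicast destinations are bridged normally and the list governs group addresses; the MAC values and EtherType constants in the checks are constructed for the illustration.

```python
"""Model of the Layer 2 admission checks a transparent-mode FWSM applies to a
frame before ARP inspection and the access lists are consulted.  Added example,
not Cisco code: it encodes the EtherType rule (>= 0x600, BPDU exception) and
the allowed destination MAC list given in this document."""

# Well-known EtherTypes used by the constructed sample frames.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_MPLS = 0x8847
# 802.3/LLC frames (CDP, IS-IS, BPDUs) carry a length (< 0x600) in that field.

BROADCAST = "ffff.ffff.ffff"
BPDU_MULTICAST = "0100.0ccc.cccd"

# (low, high) inclusive ranges of allowed multicast destination MACs.
ALLOWED_MULTICAST_RANGES = [
    ("0100.5e00.0000", "0100.5efe.ffff"),  # IPv4 multicast
    ("3333.0000.0000", "3333.ffff.ffff"),  # IPv6 multicast
    ("0900.0700.0000", "0900.07ff.ffff"),  # AppleTalk multicast
]


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex (aaaa.bbbb.cccc), colon or dash notation to an int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def is_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks group addresses."""
    return (mac_to_int(mac) >> 40) & 1 == 1


def destination_mac_allowed(dst_mac: str) -> bool:
    """Unicast frames are bridged per the MAC table (assumption: the list only
    governs group addresses); group addresses must be on the allowed list."""
    if not is_multicast(dst_mac):
        return True
    value = mac_to_int(dst_mac)
    if value in (mac_to_int(BROADCAST), mac_to_int(BPDU_MULTICAST)):
        return True
    return any(mac_to_int(lo) <= value <= mac_to_int(hi)
               for lo, hi in ALLOWED_MULTICAST_RANGES)


def admit_frame(dst_mac: str, ethertype_or_length: int) -> tuple[bool, str]:
    """Return (admitted, reason) for a frame's Ethernet header.

    Admission only means the frame reaches the ARP-inspection / access-list
    stage: IP traffic still needs an extended ACL and non-IP traffic an
    EtherType ACL before it passes through the FWSM.
    """
    if mac_to_int(dst_mac) == mac_to_int(BPDU_MULTICAST):
        return True, "BPDU: passed although it has no EtherType >= 0x600"
    if ethertype_or_length < 0x600:
        return False, "802.3 length field, no valid EtherType (e.g. CDP, IS-IS)"
    if not destination_mac_allowed(dst_mac):
        return False, "destination MAC not on the allowed list"
    return True, "admitted; subject to ARP inspection and access lists"


if __name__ == "__main__":
    # Constructed sample frames: (destination MAC, EtherType or 802.3 length).
    samples = [
        ("0100.0ccc.cccd", 0x0026),        # PVST+ BPDU
        ("0100.0ccc.cccc", 0x01ca),        # CDP
        ("0100.5e00.0009", ETHERTYPE_IPV4),  # RIPv2 to 224.0.0.9
        ("0180.c200.0000", ETHERTYPE_MPLS),  # group MAC not on the list
        ("0050.5600.0001", ETHERTYPE_IPV4),  # unicast
    ]
    for mac, et in samples:
        print(mac, hex(et), admit_frame(mac, et))
```

Every frame that fails here is dropped silently by the module, so when a neighbour protocol such as CDP or IS-IS stops working across a newly inserted transparent FWSM, this filter is the first thing to rule out before looking at the access lists.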
<h2><a href="" name="prereq">Prerequisites</a></h2><h3><a href="" name="req">Requirements</a></h3>There are no specific requirements for this document.<br />
<h3><a href="" name="hw">Components Used</a></h3>The information in this document is based on FWSM with version 3.x.<br />
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.<br />
<h3><a href="" name="conv">Conventions</a></h3>Refer to the <a href="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml" style="color: #003399;">Cisco Technical Tips Conventions</a> for more information on document conventions.<br />
<h2><a href="" name="backinfo">Transparent Firewall</a></h2><h3><a href="" name="bgdf">Bridge Groups</a></h3>If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups. Traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.<br />
Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network. IP readdressing is unnecessary. Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.<br />
<b>Note: </b>Each bridge group requires a management IP address. The FWSM uses this IP address as the source address for packets that originate from the bridge group. The management IP address must be on the same subnet as the connected network.<br />
<h3><a href="" name="guide">Guidelines</a></h3>Follow these guidelines when you plan your transparent firewall network:<br />
<ul><li>A management IP address is required for each bridge group.<br />
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire bridge group. The FWSM uses this IP address as the source address for packets that originate on the FWSM, such as system messages or AAA communications.<br />
The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255). The FWSM does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported. Refer to <a href="http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wpxref28248" style="color: #003399;">Assigning an IP Address to a Bridge Group</a> for more information about management IP subnets.</li>
<li>Each bridge group uses an inside interface and an outside interface only.</li>
<li>Each directly connected network must be on the same subnet.</li>
<li>Do not specify the bridge group management IP address as the default gateway for connected devices. Devices need to specify the router on the other side of the FWSM as the default gateway.</li>
<li>The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic.</li>
<li>For multiple context mode, each context must use different interfaces. You cannot share an interface across contexts.</li>
<li>For multiple context mode, each context typically uses different subnets. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.</li>
<li>You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the FWSM. You can also optionally use an EtherType access list to allow non-IP traffic through.</li>
</ul><h3><a href="" name="mac">Allowed MAC Addresses</a></h3>These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.<br />
<ul><li>TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF</li>
<li>IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF</li>
<li>IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF</li>
<li>BPDU multicast address equal to 0100.0CCC.CCCD</li>
<li>AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF</li>
</ul><h3><a href="" name="unsupp">Unsupported Features</a></h3>These features are not supported in transparent mode:<br />
<ul><li>NAT/PAT<br />
NAT is performed on the upstream router.<br />
<b>Note: </b>NAT/PAT is supported in the transparent firewall for FWSM version 3.2 and later releases.</li>
<li>Dynamic routing protocols (such as RIP, EIGRP, OSPF)<br />
You can add static routes for traffic that originates on the FWSM. You can also allow dynamic routing protocols through the FWSM with an extended access list.</li>
<li>IPv6 for the bridge group IP address.<br />
However, you can pass the IPv6 EtherType using an EtherType access list.</li>
<li>DHCP relay<br />
The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through with an extended access list.</li>
<li>Quality of Service (QoS)</li>
<li>Multicast<br />
You can allow multicast traffic through the FWSM if you allow it in an extended access list. Refer to the <a href="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080959e83.shtml?referring_site=bodynav#tpsd" style="color: #003399;">Pass Through Traffic</a> section for more information.</li>
<li>VPN termination for through traffic<br />
The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the FWSM. You can pass VPN traffic through the FWSM with an extended access list, but it does not terminate non-management connections.</li>
<li>LoopGuard on the switch<br />
Do not enable LoopGuard globally on the switch if the FWSM is in transparent mode. LoopGuard is automatically applied to the internal EtherChannel between the switch and the FWSM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state.</li>
</ul><h2><a href="" name="conf">Configure</a></h2>In this section, you are presented with the information to configure the features described in this document.<br />
<b>Note: </b>Use the <a href="http://www.cisco.com/pcgi-bin/Support/Cmdlookup/home.pl" style="color: #003399;">Command Lookup Tool</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only) to obtain more information on the commands used in this section.<br />
<h3><a href="" name="diag">Network Diagram</a></h3>The network diagram shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.<br />
<img alt="/image/gif/paws/100773/transparent-firewall.gif" border="0" src="http://www.cisco.com/image/gif/paws/100773/transparent-firewall.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080959e83.shtml?referring_site=bodynav" /><br />
<h3><a href="" name="configs">Configurations</a></h3>You can set each context to run in routed firewall mode (the default) or transparent firewall mode.<br />
When you change modes, the FWSM clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before you change the mode. You can use this backup for reference when creating your new configuration.<br />
If you download a text configuration to the FWSM that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration. The FWSM changes the mode as soon as it reads the command and then continues reading the configuration that you downloaded. If the command is later in the configuration, the FWSM clears all the preceding lines in the configuration.<br />
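The ordering caveat above is easy to check before a configuration file is downloaded to the module. The helper below is an added example (not Cisco code): it scans a text configuration and returns the commands that precede the first firewall-mode command, which are exactly the lines the FWSM would clear. The sample configuration it runs against is constructed, including the hostname and the 192.168.1.4 management address.

```python
"""Pre-flight check for a text configuration that will be downloaded to an
FWSM.  Added example, not Cisco code: it reports the commands that would be
cleared because they precede the 'firewall transparent' line."""

MODE_COMMANDS = ("firewall transparent", "no firewall transparent")


def commands_cleared_by_mode_change(config_text: str) -> list[str]:
    """Return the configuration lines that appear before the first firewall-mode
    command; the FWSM discards them when it changes mode while reading the file.
    An empty list means the file is safe: the mode command comes first, or the
    file does not change the mode at all."""
    preceding = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' comment lines carry no configuration
        if line in MODE_COMMANDS:
            return preceding
        preceding.append(line)
    return []  # no mode change in this file, nothing is cleared


# Constructed sample: the mode command is buried after the interface lines.
SAMPLE_CONFIG = """\
! constructed sample configuration, not from a real device
hostname fwsm-lab
interface Vlan10
 nameif outside
firewall transparent
ip address 192.168.1.4 255.255.255.0
"""

if __name__ == "__main__":
    lost = commands_cleared_by_mode_change(SAMPLE_CONFIG)
    if lost:
        print("move 'firewall transparent' to the top; these lines would be cleared:")
        for line in lost:
            print("  ", line)
    else:
        print("configuration is safe to download")
```

Run it against the file you intend to push; if it lists anything, move the mode command to the top and run it again until the list is empty.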
In order to set the mode to transparent, enter this command in each context:<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>firewall transparent</b>
</pre></blockquote>In order to set the mode to routed, enter this command in each context:<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>no firewall transparent</b>
</pre></blockquote><h2><a href="" name="access">Data Moves Across the Transparent Firewall in Different Scenarios</a></h2><h3><a href="" name="inside">An Inside User Accesses the Outside Email Server</a></h3>The user on the inside network accesses the email server placed in the Internet (outside). The FWSM receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the FWSM first classifies the packet in accordance with a unique interface.<br />
The FWSM records that a session is established. If the destination MAC address is in its table, the FWSM forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 192.168.1.2. If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.<br />
The email server responds to the request. Because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the inside user.<br />
<h3><a href="" name="visits">An Inside User Visits a Web Server with NAT</a></h3>If you enable NAT in the Internet router, the flow of the packet across the Internet router is slightly changed.<br />
The user on the inside network accesses the email server placed in the Internet (outside). The FWSM receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the FWSM first classifies the packet in accordance with a unique interface.<br />
The Internet router translates the real address of Host A (192.168.1.5) to the mapped address of the Internet router (172.16.1.1). Because the mapped address is not on the same network as the outside interface, make sure that the upstream router has a static route to the mapped network that points to the FWSM.<br />
The FWSM records that a session is established and forwards the packet from the outside interface. If the destination MAC address is in its table, the FWSM forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 172.16.1.1. If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.<br />
The email server responds to the request. Because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM performs NAT when it translates the mapped address to the real address, 192.168.1.5.<br />
<h3><a href="" name="insideacc">An Inside User Visits an Inside Web Server</a></h3>If Host A tries to access the inside web server (10.1.1.1), Host A (192.168.1.5) sends the request packet to the Internet router (since it is a default gateway) through the ASA from the inside to the outside. Then the packet is redirected to the web server (10.1.1.1) through ASA (outside to inside) and the internal router.<br />
<img alt="/image/gif/paws/100773/transparent-firewall.gif" border="0" src="http://www.cisco.com/image/gif/paws/100773/transparent-firewall.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080959e83.shtml?referring_site=bodynav" /><br />
<b>Note: </b>The request packet returns to the web server only if the ASA has an access list to allow the traffic from the outside to the inside.<br />
In order to resolve this issue, change the default gateway for Host A (10.1.1.1) to be the internal router (192.168.1.3) instead of the Internet router (192.168.1.2). This avoids unnecessary traffic being sent to the outside gateway and the resulting redirects on the outside router (the Internet router). The same applies in the reverse direction, that is, when the web server or any host on the 10.1.1.0/24 network behind the internal router tries to access Host A (192.168.1.5).<br />
<h3><a href="" name="outs">An Outside User Visits a Web Server on the Inside Network</a></h3>These steps describe how data moves through the FWSM:<br />
<ol type="1"><li>A user on the outside network requests a web page from the inside web server. The FWSM receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the FWSM first classifies the packet in accordance with a unique interface.</li>
<li>The FWSM records that a session is established only if the outside user has valid access to the internal web server; the access list must be configured to allow the outside user access to the web server.</li>
<li>If the destination MAC address is in its table, the FWSM forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 192.168.1.3.</li>
<li>If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped.</li>
<li>The web server responds to the request. Because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the outside user.</li>
</ol><h3><a href="" name="userg">An Outside User Attempts to Access an Inside Host</a></h3>A user on the outside network attempts to reach an inside host. The FWSM receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies whether the packet is allowed in accordance with the terms of the security policy (access lists, filters, or AAA).<br />
<b>Note: </b>For multiple context mode, the FWSM first classifies the packet in accordance with a unique interface.<br />
The packet is denied and dropped by the FWSM because the outside user does not have access to the inside host. If the outside user attempts to attack the inside network, the FWSM employs several techniques to determine whether a packet is valid for an already established session.<br />
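The scenarios above share one sequence: learn the source MAC, check a new session against the ingress interface's access list, let established sessions bypass that check, choose the egress interface by MAC lookup rather than route lookup, and drop the first packet while the destination MAC is resolved. The Python model below is an added example, not Cisco's code nor part of this document: it replays those scenarios against a constructed policy. The router and host IPs follow the document (192.168.1.5 for Host A), while the interface names, MAC addresses, ports, and the mail/web server and outside user addresses are constructed.

```python
"""Toy model of the transparent-mode data path described above: MAC learning,
per-interface ACL check for new sessions, session bypass for return traffic,
and MAC-table (not route) lookup on egress.  Added example, not Cisco code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


@dataclass
class TransparentFirewall:
    acl: dict = field(default_factory=dict)           # iface -> {(src_ip, dst_ip, dport)}
    mac_table: dict = field(default_factory=dict)     # mac -> interface it was learned on
    sessions: set = field(default_factory=set)        # (src_ip, sport, dst_ip, dport)
    arp_requests: list = field(default_factory=list)  # MACs the FWSM had to resolve

    def learn(self, mac: str, iface: str) -> None:
        """Source MACs are learned on the ingress interface (first sighting wins here)."""
        self.mac_table.setdefault(mac, iface)

    def handle(self, p: Packet) -> tuple[str, str]:
        """Return (verdict, reason); verdict is 'forward', 'deny' or 'drop'."""
        self.learn(p.src_mac, p.in_if)
        key = (p.src_ip, p.sport, p.dst_ip, p.dport)
        reverse = (p.dst_ip, p.dport, p.src_ip, p.sport)
        if key in self.sessions or reverse in self.sessions:
            state = "established session"  # bypasses the policy lookups
        else:
            # New session: the ACL applied inbound on the ingress interface decides.
            if (p.src_ip, p.dst_ip, p.dport) not in self.acl.get(p.in_if, set()):
                return "deny", f"no ACL entry on {p.in_if} permits {p.src_ip}->{p.dst_ip}:{p.dport}"
            self.sessions.add(key)
            state = "new session"
        # The egress interface comes from the MAC table, never from a route lookup.
        out_if = self.mac_table.get(p.dst_mac)
        if out_if is None:
            # Unknown destination MAC: the FWSM sends an ARP request (and a ping) to
            # discover it, and the packet that triggered the lookup is dropped.
            self.arp_requests.append(p.dst_mac)
            return "drop", "destination MAC unknown; ARP request sent, first packet dropped"
        if out_if == p.in_if:
            return "drop", "destination MAC lives on the ingress interface"
        return "forward", f"{state}; out {out_if}"


def run_scenarios() -> dict:
    """Replay the document's scenarios against a constructed policy."""
    host_a, router = "0050.5600.0005", "0000.0c07.ac02"  # constructed MACs
    fw = TransparentFirewall(acl={
        "inside": {("192.168.1.5", "198.51.100.25", 25),   # inside user -> mail server
                   ("192.168.1.5", "198.51.100.80", 80)},  # inside user -> web server
        "outside": set(),                                  # nothing permitted inbound
    })
    fw.learn(router, "outside")  # upstream router MAC already known
    r = {}
    r["inside_to_mail"] = fw.handle(Packet("inside", host_a, router, "192.168.1.5", 40000, "198.51.100.25", 25))
    # Reply from the mail server: nothing on 'outside' permits it, but the session exists.
    r["mail_reply"] = fw.handle(Packet("outside", router, host_a, "198.51.100.25", 25, "192.168.1.5", 40000))
    # Outside user initiating a connection to the inside host: denied by the empty ACL.
    r["outside_to_inside"] = fw.handle(Packet("outside", router, host_a, "203.0.113.9", 51000, "192.168.1.5", 80))
    # Permitted session whose next-hop MAC is unknown: ARP is sent, first packet dropped...
    unknown = "0000.0c07.ac03"
    first = Packet("inside", host_a, unknown, "192.168.1.5", 40001, "198.51.100.80", 80)
    r["first_to_unknown_mac"] = fw.handle(first)
    fw.learn(unknown, "outside")                  # ...the ARP reply arrives...
    r["retransmit_after_arp"] = fw.handle(first)  # ...and the retransmission is bridged.
    return r


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:24s} {verdict:8s} {reason}")
```

The model deliberately keys sessions on both directions of the 4-tuple so that the server's reply is recognised without any entry in the outside interface's access list; that is the property the "established session bypasses the lookups" sentences rely on, and it is also why an outside-initiated packet to the same host is refused.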
<h2><a href="" name="veri">Verify</a></h2>Use this section to confirm that your configuration works properly.<br />
The <a href="https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl" style="color: #003399;">Output Interpreter Tool</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only) (OIT) supports certain <b>show</b> commands. Use the OIT to view an analysis of <b>show</b> command output.<br />
<blockquote><pre style="font-size: 15px;">ciscoasa(config)#<b>show firewall</b>
Firewall mode: <b>Transparent</b>
</pre></blockquote><h2><a href="" name="tshoot">Troubleshoot</a></h2><h3><a href="" name="tpsd">Pass Through Traffic</a></h3>In transparent firewall, to pass multicast traffic from high to low and low to high access-lists are required. In normal firewalls from high to low is not required.<br />
<b>Note: </b> Multicast address (224.0.0.9) can never be source address for return traffic, so it wont be allowed to come back in, that's why we need ACL's from in to out and out to in.<br />
For example, in order to pass through Rip traffic, the transparent firewall access list would be similar to this example:<br />
<b>RIP</b><br />
Outside ACL (from out to in):<br />
<blockquote><pre style="font-size: 15px;">access-list outside permit udp host (outside source router) host 224.0.0.9 eq 520
access-group outside in interface outside</pre></blockquote>Inside ACL (from inside to outside):<br />
<blockquote><pre style="font-size: 15px;">access-list inside permit udp host (inside source router) host 224.0.0.9 eq 520
access-group inside in interface inside</pre></blockquote><b>EIGRP to run:</b><br />
<blockquote><pre style="font-size: 15px;">access-list inside permit eigrp host (inside source) host 224.0.0.10
access-group inside in interface inside
access-list outside permit eigrp host (outside source) host 224.0.0.10
access-group outside in interface outside</pre></blockquote><b>For OSPF:</b><br />
<blockquote><pre style="font-size: 15px;">access-list inside permit ospf host ( inside source ) host 224.0.0.5
( this access-list is for hello packets )
access-list inside permit ospf host ( inside source ) host 224.0.0.6
( dr send update on this port )
access-list inside permit ospf host ( inside source ) host ( outside source )
access-group inside in interface inside
access-list outside permit ospf host ( outside source ) host 224.0.0.5
access-list outside permit ospf host ( outside source ) host 224.0.0.6
access-list outside permit ospf host ( outside sourec ) host ( inside source )
access-group outside in interafce outside</pre></blockquote><h3><a href="" name="vlan">MSFC VLAN vs FWSM VLAN</a></h3>In transparent mode, it is not necessary to have the same VLANs in MSFC interface and FWSM, since it is a type of bridging.<br />
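The RIP, EIGRP and OSPF examples above follow one pattern: every group address the protocol uses (plus the unicast peer for OSPF) must be permitted inbound on both the inside and the outside interface. The audit helper below is an added example (not Cisco's code nor from this document): given the access-list lines already configured, it reports which entries are still missing for a chosen protocol, rendered as the commands to add. The router addresses are the document's own (internal router 192.168.1.3, Internet router 192.168.1.2); the sample configuration text, the ACL names `inside`/`outside`, and the `ROUTING_PROTOCOLS` table are constructed for the example.

```python
"""Audit helper, added as an example (not Cisco code): given the access-list
lines configured on a transparent firewall, report which entries are still
missing for a routing protocol to form adjacencies through it.  Multicast
addresses never appear as the source of return traffic, so both directions
must be explicitly permitted, which is what the check enforces."""
import re

# Destination group addresses (and UDP port where relevant) each protocol needs.
# 'protocol' is the access-list keyword; 'unicast' marks protocols that also
# exchange unicast packets between the two routers (OSPF DBD/LSR/LSU).
ROUTING_PROTOCOLS = {
    "rip":   {"protocol": "udp",   "groups": ["224.0.0.9"],  "port": 520,  "unicast": False},
    "eigrp": {"protocol": "eigrp", "groups": ["224.0.0.10"], "port": None, "unicast": False},
    "ospf":  {"protocol": "ospf",  "groups": ["224.0.0.5", "224.0.0.6"], "port": None, "unicast": True},
}

# Matches the 'access-list <name> permit <proto> host A host B [eq N]' form used above.
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+host\s+(?P<src>\S+)"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def required_entries(name: str, inside_router: str, outside_router: str) -> set:
    """Entries (acl, proto, src, dst, port) the protocol needs on a bridge group
    whose inbound ACLs are named 'inside' and 'outside' (constructed convention)."""
    spec = ROUTING_PROTOCOLS[name]
    port = str(spec["port"]) if spec["port"] else None
    needed = set()
    for acl, src, peer in (("inside", inside_router, outside_router),
                           ("outside", outside_router, inside_router)):
        for group in spec["groups"]:
            needed.add((acl, spec["protocol"], src, group, port))
        if spec["unicast"]:
            needed.add((acl, spec["protocol"], src, peer, port))
    return needed


def parse_acl(config_text: str) -> set:
    """Collect the permit entries present in the configuration text."""
    present = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            present.add((m["acl"], m["proto"], m["src"], m["dst"], m["port"]))
    return present


def missing_entries(name: str, inside_router: str, outside_router: str,
                    config_text: str) -> list[str]:
    """Entries still to be added, rendered as access-list commands, sorted by ACL."""
    missing = required_entries(name, inside_router, outside_router) - parse_acl(config_text)
    lines = []
    for acl, proto, src, dst, port in sorted(missing, key=lambda e: (e[0], e[3], e[2])):
        line = f"access-list {acl} permit {proto} host {src} host {dst}"
        if port:
            line += f" eq {port}"
        lines.append(line)
    return lines


# Constructed sample: the outside ACL is incomplete for OSPF.
SAMPLE_CONFIG = """
access-list inside permit ospf host 192.168.1.3 host 224.0.0.5
access-list inside permit ospf host 192.168.1.3 host 224.0.0.6
access-list inside permit ospf host 192.168.1.3 host 192.168.1.2
access-group inside in interface inside
access-list outside permit ospf host 192.168.1.2 host 224.0.0.5
access-group outside in interface outside
"""

if __name__ == "__main__":
    for proto in ROUTING_PROTOCOLS:
        print(f"{proto}: missing entries")
        for line in missing_entries(proto, "192.168.1.3", "192.168.1.2", SAMPLE_CONFIG):
            print("  ", line)
```

Paste the output of `show running-config access-list` into `SAMPLE_CONFIG`'s place to audit a real bridge group; an adjacency that forms in one direction only (hellos seen but never acknowledged) is the typical symptom of the one-sided ACL this check catches.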
<h2><a href="" name="NetPro">Cisco Support Community - Featured Conversations</a></h2><concept><para><a href="https://supportforums.cisco.com/index.jspa" style="color: #003399;">Cisco Support Community</a> </para></concept></span><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"><concept><para>is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers. Below are just some of the most recent and relevant conversations happening right now.</para><br />
<div class=" read-write-module clearfix" id="ciscoReadWrite" style="border-bottom-color: rgb(192, 209, 217); border-bottom-style: solid; border-bottom-width: 1px; border-left-color: rgb(192, 209, 217); border-left-style: solid; border-left-width: 1px; border-right-color: rgb(192, 209, 217); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(192, 209, 217); border-top-style: solid; border-top-width: 1px; font-family: Arial, verdana, sans-serif; font-size: 12px; margin-bottom: auto; margin-left: 0px; margin-right: auto; margin-top: auto; min-height: 0px; width: 570px;"><div class="header"></div></div></concept></span><br />
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: 12px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: 12px;"><br />
</span></span></div>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-6020133766366748817.post-2861262003000155602011-06-17T09:02:00.000-07:002011-06-17T09:02:35.569-07:00PACKET TRACER AND CAPTURE ON ASA<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;">Firewall configurations can be tricky to debug, especially when you think you have all the proper NAT statements, route statements, and access control lists in place and it’s still not working quite as you had planned. Have no fear, Packet Trace is here!</span><br />
<div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">The Cisco ASA Packet Trace feature is a wonderful tool for finding out just how a packet will be handled by your ASA in its current configuration. The Packet Trace feature allows you to select an interface, then supply a couple of IP addresses and ports, and it will then trace the path that packet will take through your firewall and provide detailed results.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">This tool can be accessed in a couple of different places via the Cisco ASDM. One of these places is in the Firewall’configuration screen on the NAT Rules tab. 
You’ll see it near the top on the right-hand display.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
</div><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Here is a screen shot of the initial packet trace setup.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure A</h4><a href="http://content.techrepublic.com.com/2347-10878_11-303638-303639.html?seq=1" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; 
outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="alignnone" height="479" src="http://i.techrepublic.com.com/gallery/303639-500-479.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; display: block; float: none; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 10px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet Trace setup" width="500" /></a><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; 
font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to enlarge.</em></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">In <strong>Figure B</strong>, I’ve set up a trace for an internal IP going to an external Web site. As the packet is processed by the firewall, the individual steps are displayed in real time if you have the Show Animation box selected. These steps are further detailed in the Phase portion of the display. In the example, the results show that the firewall rules will allow this traffic as each step of the process is given a green check mark and the final results are reported as “The packet is allowed.”</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; 
padding-top: 0px; vertical-align: baseline;">Figure B<a href="http://content.techrepublic.com.com/2347-10878_11-303638-303640.html?seq=2" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="479" src="http://i.techrepublic.com.com/gallery/303640-500-479.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet Trace" width="500" /></a></h4><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to enlarge.</em><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: 
initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">You can drill down into each phase of the process to see exactly what steps were taken, which ACLs were used in processing the packet, what route was used, etc. <strong>Figures C</strong>, <strong>D</strong>, and <strong>E</strong> show the actual packet path and processing of our example flow.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">In Figure C, we see the packet go through an access list check, a check for any existing matching traffic flows, and a valid route check.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: 
baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure C<a href="http://content.techrepublic.com.com/2347-10878_11-303638-303641.html?seq=3" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="478" src="http://i.techrepublic.com.com/gallery/303641-500-478.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet Trace flow" width="500" /></a></h4><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; 
border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to enlarge.</em><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">In Figure D, we see the NAT translation rules that are applied to this packet and the resulting dynamic translation (PAT) that is used.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; 
margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure D<a href="http://content.techrepublic.com.com/2347-10878_11-303638-303642.html?seq=4" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="478" src="http://i.techrepublic.com.com/gallery/303642-500-478.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet Trace" width="500" /></a></h4><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to 
enlarge.</em><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">In Figure E, you can see that a Flow is created, its flow ID number, and the route that has been selected as well as the final result.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure E<a href="http://content.techrepublic.com.com/2347-10878_11-303638-303643.html?seq=5" style="border-bottom-width: 0px; 
border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="477" src="http://i.techrepublic.com.com/gallery/303643-500-477.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" width="500" /></a></h4><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to enlarge.</em><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; 
padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">The final example shows a flow that was not allowed through the firewall.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure F<a href="http://content.techrepublic.com.com/2347-10878_11-303638-303644.html?seq=6" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; 
padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="480" src="http://i.techrepublic.com.com/gallery/303644-500-480.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 16px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" width="500" /></a></h4><em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">NOTE: Click to enlarge.</em><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 
0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">As the figures show, Packet Tracer exposes the complete decision path the firewall takes for a packet: the ACL entry that matched, the NAT rule and the translated address, the route and egress interface, and the final verdict. That comes in handy whether you are debugging a critical issue, checking an access control list, or satisfying your curiosity about how your firewall is actually processing packets. Keep in mind that it evaluates a synthetic packet against the running configuration: “The packet is allowed” means the policy permits the flow, not that the far end ever answered, so confirm live traffic with a packet capture.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
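The same trace is available at the CLI as <em>packet-tracer input inside tcp &lt;src&gt; &lt;sport&gt; &lt;dst&gt; &lt;dport&gt;</em>, which prints one “Phase:” block per step (Type, Subtype, Result, the matching Config lines and Additional Information) followed by a final “Result:” block with the Action and, for a drop, the Drop-reason. That text is easier to paste into a ticket or to parse than the ASDM animation. The Python below is an added example for this article, not Cisco’s code or the original author’s: it parses that output and names the first phase that did not return ALLOW together with the drop reason and the rule that fired. Both samples are constructed in the layout packet-tracer prints; the addresses (10.20.20.15, 203.0.113.x), the ACL name inside_in, the network object inside-net and the flow id are invented.

```python
"""Parse Cisco ASA `packet-tracer` output and name the phase that dropped the packet.
Added example, not Cisco's code; both samples are constructed in packet-tracer's
layout with invented addresses and rule names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit tcp 10.20.20.0 255.255.255.0 any eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-net
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.20.20.15/51000 to 203.0.113.2/51000

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Same route lookup, but the ACE denies the flow: the trace ends at ACCESS-LIST.
SAMPLE_DROP = SAMPLE_ALLOW.split("\nPhase: 2")[0] + """
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny tcp any any eq www
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str
    result: str
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"

def _blocks(text: str) -> List[List[str]]:
    """Blank-line-separated blocks of non-empty lines."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.strip():
            cur.append(line.rstrip())
        elif cur:
            blocks, cur = blocks + [cur], []
    return blocks + [cur] if cur else blocks

def _phase(lines: List[str]) -> Phase:
    head: Dict[str, str] = {}
    config, info, section = [], [], None
    for line in lines:
        key, sep, value = line.partition(":")
        if line.startswith("Config:"):
            section = config
        elif line.startswith("Additional Information:"):
            section = info
        elif section is not None:          # free-form lines belong to the open section
            section.append(line)
        elif sep:                          # "Phase:", "Type:", "Subtype:", "Result:"
            head[key] = value.strip()
    return Phase(int(head["Phase"]), head["Type"], head["Result"], config, info)

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Return the per-phase list and the final Result block as a dict."""
    phases, summary = [], {}
    for block in _blocks(text):
        if block[0].startswith("Phase:"):
            phases.append(_phase(block))
        elif block[0].strip() == "Result:":
            for line in block[1:]:
                key, _, value = line.partition(":")
                summary[key.strip()] = value.strip()
    return phases, summary

def failing_phase(phases: List[Phase]) -> Optional[Phase]:
    """First phase whose Result is not ALLOW; None when every phase passed."""
    return next((p for p in phases if p.result != "ALLOW"), None)

def explain(text: str) -> str:
    """One line for a ticket: where the packet died, or the path it took."""
    phases, summary = parse_packet_tracer(text)
    bad = failing_phase(phases)
    if bad is None:
        path = " -> ".join(p.type for p in phases)
        return f"{summary.get('Action')} {summary.get('input-interface')}->{summary.get('output-interface')} via {path}"
    rule = bad.config[-1].strip() if bad.config else bad.type
    return f"dropped at phase {bad.number} ({bad.type}): {summary.get('Drop-reason')}; rule: {rule}"
```

Feed it the pasted output of a real trace and <em>explain()</em> returns either the phase sequence the packet walked or the phase, Drop-reason and last Config line of the step that killed it; the last Config line is reported because for an ACCESS-LIST phase that is the access-list entry itself rather than the access-group binding above it.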
</div></span><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><h1 class="h s-1 space-2" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 3.14em !important; font-style: inherit; font-weight: normal; line-height: 1.07em; margin-bottom: 20px !important; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Easy packet captures straight from the Cisco ASA firewall</h1></span><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Whether you are troubleshooting a difficult problem or chasing some interesting traffic, sometimes you need to pull a packet capture. Of course, you could configure and deploy a sniffer, but that is not the only solution you have at your fingertips. You can pull the packet capture directly from the Cisco ASA firewall. 
The Cisco ASA makes this an easy process.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">There are at least two ways to configure your ASA to capture packets. If you prefer the GUI interface of the ASDM, you can use the Packet Capture Wizard tool by selecting it from the wizard menu.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">However, I’ve found that if you don’t mind getting your hands dirty, so to speak, the CLI interface is the way to go. You can identify the traffic you are looking for with an ACL and then set your interface to capture based on the ACL results. 
Here’s an example of how easy it is to do this.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">In this example, I want to capture all IP packets between a host at 192.168.80.51 and the test ASA at 192.168.81.52.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">The first step is a quick ACL. Each entry matches only the direction it names, so to see both halves of the conversation add the reverse entry as well:</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">access-list testcap extended permit ip host 192.168.80.51 host 192.168.81.52
access-list testcap extended permit ip host 192.168.81.52 host 192.168.80.51</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; 
font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Then, we set up the capture using the <em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">capture</em> command. We’ll reference our ACL (testcap) with the <em>access-list</em> keyword as our “interesting” traffic, and we’ll specify which interface we want to look at. Without the <em>access-list</em> keyword the capture would record every packet on the interface, regardless of the ACL:</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">myasa# capture testcap access-list testcap interface inside</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Admittedly, this is probably the command in its simplest form. 
There are many options you can add to this command, including a larger buffer (the default is 512 KB, and a capture that is not circular simply stops recording when its buffer fills), a circular-buffer that overwrites itself when full, and capture types such as webvpn or isakmp. The point is that with two quick commands we have a packet capture going; it doesn’t get much easier than that. Remember that the capture lives in memory only: it is not saved with the configuration, does not survive a reload, and holds full packet payloads until you remove it.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">A quick <em style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">show capture</em> command verifies my capture is running.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
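Once traffic has matched, <em>show capture testcap</em> (the capture name, rather than the bare <em>show capture</em> summary) prints one line per packet in a tcpdump-like layout: packet number, timestamp, source and destination with the port appended after a dot, then the TCP flags, sequence and ack numbers. The Python below is an added example for this article, not Cisco’s tooling or the original author’s code: it parses that listing and reports host pairs that appear in one direction only and client SYNs that never got a SYN/ACK, which are the first two things to check when a capture looks thinner than expected. Both samples are constructed in that layout using the article’s two hosts; the ports, timestamps and sequence numbers are invented.

```python
"""Read the packet listing `show capture <name>` prints and flag one-way traffic.
Added example, not Cisco's code. The samples are constructed in the listing's
layout using the article's two hosts; timestamps, ports and sequence numbers are invented."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_BOTH_WAYS = """\
6 packets captured
   1: 10:06:30.108122 192.168.80.51.52144 > 192.168.81.52.443: S 3219312485:3219312485(0) win 65535 <mss 1460,nop,wscale 3,sackOK,eol>
   2: 10:06:30.108473 192.168.81.52.443 > 192.168.80.51.52144: S 1763121234:1763121234(0) ack 3219312486 win 8192 <mss 1380>
   3: 10:06:30.108534 192.168.80.51.52144 > 192.168.81.52.443: . ack 1763121235 win 65535
   4: 10:06:31.220011 192.168.80.51.52144 > 192.168.81.52.443: P 3219312486:3219312771(285) ack 1763121235 win 65535
   5: 10:06:32.000100 192.168.80.51 > 192.168.81.52: icmp: echo request
   6: 10:06:32.000350 192.168.81.52 > 192.168.80.51: icmp: echo reply
6 packets shown
"""

# What you see when the capture ACL only has the host-A-to-host-B entry: the
# client retransmits its SYN and the reply, if there was one, is never shown.
SAMPLE_ONE_WAY = """\
2 packets captured
   1: 10:06:30.108122 192.168.80.51.52144 > 192.168.81.52.443: S 3219312485:3219312485(0) win 65535 <mss 1460>
   2: 10:06:33.108122 192.168.80.51.52144 > 192.168.81.52.443: S 3219312485:3219312485(0) win 65535 <mss 1460>
2 packets shown
"""

LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

@dataclass
class Packet:
    num: int
    ts: str
    src: str
    sport: Optional[int]    # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]
    rest: str               # everything after the endpoints: flags, seq, ack, window

    @property
    def tcp_flags(self) -> str:
        """ASA prints the TCP flags first (S, P, F, R or '.'); other protocols give ''."""
        first = self.rest.split(" ", 1)[0]
        return first if first and set(first) <= set("SPFR.") else ""

    @property
    def is_syn(self) -> bool:
        return "S" in self.tcp_flags and " ack " not in self.rest

    @property
    def is_synack(self) -> bool:
        return "S" in self.tcp_flags and " ack " in self.rest

def parse_show_capture(text: str) -> List[Packet]:
    """Packet lines only; the 'N packets captured/shown' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            packets.append(Packet(int(m["num"]), m["ts"],
                                  m["src"], int(m["sport"]) if m["sport"] else None,
                                  m["dst"], int(m["dport"]) if m["dport"] else None,
                                  m["rest"]))
    return packets

def direction_counts(packets: List[Packet]) -> Counter:
    """Packets per (src, dst) pair, so lopsided conversations stand out."""
    return Counter((p.src, p.dst) for p in packets)

def one_way_pairs(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Host pairs seen in one direction only. On an ACL-filtered capture that
    usually means the reverse ACE is missing; otherwise the reply never came
    back through this interface."""
    seen = direction_counts(packets)
    return sorted(pair for pair in seen if (pair[1], pair[0]) not in seen)

def unanswered_syns(packets: List[Packet]) -> List[int]:
    """Packet numbers of client SYNs with no matching SYN/ACK in the capture."""
    answered = {(p.dst, p.dport, p.src, p.sport) for p in packets if p.is_synack}
    return [p.num for p in packets
            if p.is_syn and (p.src, p.sport, p.dt, p.dport) not in answered] if False else \
           [p.num for p in packets
            if p.is_syn and (p.src, p.sport, p.dst, p.dport) not in answered]
```

Paste the output of <em>show capture testcap</em> into <em>parse_show_capture()</em>; an empty list from <em>one_way_pairs()</em> and from <em>unanswered_syns()</em> means both halves of the conversation made it through the interface you are watching, while a populated <em>one_way_pairs()</em> on a capture filtered by ACL is the signature of a missing reverse entry.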
</div></span><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">myasa# sh capture</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">capture testcap type raw-data interface INSIDE [Capturing - 4314 bytes]</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">To stop the capture, use the <em 
style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: italic; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">no</em> form of this command.</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">myasa # no capture testcap</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Now let’s look at the results. Here again, we have choices. 
We can look at the traffic via a browser directly from the ASA by opening an http link (<strong>Figure A</strong>) like the following:</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">https://192.168.81.52/admin/capture/testcap</pre><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure A</h4><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: center; vertical-align: baseline;"><a href="http://content.techrepublic.com.com/2347-10878_11-263392-287050.html?seq=35" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: 
pointer; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="aligncenter" height="212" src="http://i.techrepublic.com.com/gallery/287050-500-236.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet capture data" width="450" /></a></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h6 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #778596; display: block; font-family: inherit; font-size: 0.93em; font-style: inherit; font-weight: normal; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; 
vertical-align: baseline;">Click to enlarge.</h6>While we see the traffic and much of the information, we cannot see all the detail of a regular packet capture. However, we can save this info as a libpcap file with the following command, and then open this file with Wireshark or such.<div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">https://192.168.81.52/capture/testcap/pcap</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><strong>Figure B</strong> shows this file when opened with Wireshark.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 
0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h4 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; display: block; font-family: inherit; font-size: 1.14em; font-style: inherit; font-weight: bold; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Figure B</h4><a href="http://content.techrepublic.com.com/2347-10878_11-263392-287051.html?seq=36" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"><img alt="" class="alignnone" height="329" src="http://i.techrepublic.com.com/gallery/287051-500-366.png" style="border-bottom-style: none; border-bottom-width: 0pt; border-color: initial; border-color: initial; border-color: initial; border-left-style: none; border-left-width: 0pt; border-right-style: none; border-right-width: 0pt; border-style: initial; border-top-style: none; border-top-width: 0pt; border-width: initial; display: block; float: none; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 10px; margin-left: 
5px; margin-right: 5px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;" title="Packet capture data viewed with Wireshark" width="450" /></a><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"></div><h6 style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #778596; display: block; font-family: inherit; font-size: 0.93em; font-style: inherit; font-weight: normal; line-height: 1.23em; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Click to enlarge.</h6>The command line also provides options for looking at your data.<div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; 
padding-top: 0px; vertical-align: baseline;"></div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">myasa# show capture testcap ?</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> access-list Display packets matching access list</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; 
vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> count Display <number> of packets in capture</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> decode Display decode information for each packet</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> detail Display more information for each packet</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; 
margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> dump Display hex dump for each packet</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> packet-number Display packet <number> in capture</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> trace Display extended trace information for each packet</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale 
mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> | Output modifiers</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> <cr></pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">Let’s look at the first nine packets.</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; 
white-space: pre-wrap; word-wrap: break-word;">myasa# show capture testcap count 9</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">4532 packets captured</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; 
margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 4: 13:46:38.521655 arp who-has 192.168.80.204 tell 192.168.82.51</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: 
inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 5: 13:46:39.803120 192.168.81.52.443 > 192.168.80.51.3968: P 787673978:787675438(1460) ack 3043311886 win 8192</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 6: 13:46:39.803150 192.168.81.52.443 > 192.168.80.51.3968: P 787675438:787675589(151) ack 3043311886 win 8192</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 7: 13:46:39.803257 192.168.81.52.443 > 192.168.80.51.3968: P 787675589:787677049(1460) ack 3043311886 win 8192</pre><pre 
style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 8: 13:46:39.803272 192.168.81.52.443 > 192.168.80.51.3968: P 787677049:787677200(151) ack 3043311886 win 8192</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 9: 13:46:39.803287 192.168.81.52.443 > 192.168.80.51.3968: P 787677200:787677883(683) ack 3043311886 win 8192</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; 
margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">9 packets shown</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">We can also look at an entire packet from the CLI.</div><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">myasa# show capture testcap detail packet-number 5 dump</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: 
break-word;">4532 packets captured</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;"> 5: 13:46:39.803120 0022.5597.25b9 0014.3815.89fb 0x0800 1514: 192.168.81.52.443 > 192.168.80.51.3968: P [tcp sum ok] 787673978:787675438(1460) ack 3043311886 win 8192 (ttl 255, id 54032)</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0000 4500 05dc d310 0000 ff06 c052 c0a8 5134 E..........R..Q4</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', 
monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0010 c0a8 5033 01bb 0f80 2ef2 f37a b565 410e ..P3.......z.eA.</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0020 5018 2000 5488 0000 1703 0106 4654 db31 P. .T.......FT.1</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0030 b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1 ...[2....*.gk...</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, 
monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0040 0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6 .T.....a.\.!E.j.</pre><pre style="background-color: #fff0ca; border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #008023; display: block; font-family: consolas, 'Courier New', courier, monospace; font-size: inherit; font-style: inherit; font-weight: inherit; font: normal normal normal 1em/normal 'andale mono', 'lucida console', monospace; margin-bottom: 10px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline; white-space: pre-wrap; word-wrap: break-word;">0x0050 ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77 ..N.8..s...../.w</pre><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;">*Only a partial result is displayed.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; 
padding-top: 0px; vertical-align: baseline;">So save your hardware or laptop sniffers for other parts of your network and use your ASA to gather the snippets of network traffic that you need. But remember: in general, be kind to your ASA. When possible, create specific ACLs to refine the traffic you want to capture. Monitor your ASA while capturing packets and adjust the buffers if you need to. And, as always, refer to <a href="http://www.cisco.com/" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: #003399; cursor: pointer; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; outline-color: initial; outline-style: none; outline-width: initial; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none; vertical-align: baseline;" target="_blank">www.cisco.com</a> for more detailed information.</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
</div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
</div></span><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><div><br />
</div></span><span class="Apple-style-span" style="color: #37414b; font-family: 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 19px;"><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; font-family: inherit; font-size: 14px; font-style: inherit; font-weight: inherit; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; vertical-align: baseline;"><br />
</div></span></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-6020133766366748817.post-38693237619041313102011-06-16T10:09:00.001-07:002011-06-16T10:09:29.263-07:00Cisco ASA order of operations<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="color: #333333; font-family: Verdana, Arial, sans-serif; font-size: 13px;"></span><br />
<h3 class="post-title entry-title" style="font-size: 16px; font-weight: bold; line-height: 1.1em; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</h3><div class="post-header" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div class="post-header-line-1" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div></div><div class="post-body entry-content" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">1. FLOW-LOOKUP - This checks for an existing connection. If a connection exists, the flow is automatically allowed.<br />
<br />
2. ROUTE-LOOKUP - This is the inbound route lookup, which includes the reverse path check if enabled.<br />
<br />
3. Inbound ACCESS-LIST - Checks the interface ACL.<br />
<br />
4. CONN-SETTINGS - Application layer checks (class maps).<br />
<br />
5. IP-OPTIONS - RFC 791.<br />
<br />
6. NAT<br />
<br />
7. Outbound ACCESS-LIST (if an outbound access list exists on the egress interface).<br />
<br />
9. FLOW-CREATION<br />
<br />
10. ROUTE-LOOKUP - Destination route lookup</div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6020133766366748817.post-21243274577815372152011-06-16T10:08:00.001-07:002011-06-16T10:08:32.692-07:00Cisco VPN Troubleshooting Guide<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="color: #333333; font-family: Verdana, Arial, sans-serif; font-size: 13px;"></span><br />
<h3 class="post-title entry-title" style="font-size: 16px; font-weight: bold; line-height: 1.1em; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</h3><div class="post-header" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div class="post-header-line-1" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div></div><div class="post-body entry-content" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span style="font-weight: bold;">Cisco PIX 7.0 VPN Troubleshooting</span><br />
<br />
<br />
<span style="font-weight: bold;">Quick overview of IPSEC</span><br />
It is important to understand how IPSEC works in order to understand how to troubleshoot a VPN connection. This is a quick overview of IPSEC and is by no means a complete detailed guide.<br />
<br />
IPSEC is a suite of protocols, defined in RFC 2401, that is used to protect information as it travels from one private network to another private network over a public network.<br />
<br />
IPSEC consists of Security Protocols (AH and ESP), Key Management (ISAKMP, IKE, and SKEME), and Algorithms (3DES, AES256, etc).<br />
<br />
ISAKMP defines the procedures and packet formats used to establish, negotiate, and modify Security Associations. ISAKMP communicates over UDP 500.<br />
<br />
Security Protocols consist of AH (Authentication Header) and ESP (Encapsulating Security Payload). AH communicates over IP protocol 51 and provides data authentication, integrity, and replay protection (for man in the middle attacks), but does not provide confidentiality. It is important to understand that AH encapsulates the IP packet but does not encrypt it.<br />
ESP communicates over IP protocol 50 and provides the same services as AH, in addition to providing data confidentiality by encrypting the original payload and encapsulating the packet.<br />
<br />
SAs (Security Associations):<br />
In order to have an IPSEC conversation, you first need a security association. Each device must agree on the policies or rules of the conversation by negotiating these policies with its potential peers. The SA represents a unidirectional instance of a security policy for a given connection.<br />
<br />
Main mode IPSEC packet exchange (six packets between Initiator and Responder):<br />
pk#1 - Policy Proposal (Initiator to Responder)<br />
pk#2 - Policy Accept/Reject (Responder to Initiator)<br />
pk#3 - DH Exchange (Initiator to Responder)<br />
pk#4 - DH Exchange (Responder to Initiator)<br />
pk#5 - ID/Hash (Initiator to Responder)<br />
pk#6 - ID/Hash (Responder to Initiator)<br />
<br />
<span style="font-weight: bold;">Packet handling order:</span><br />
<br />
<span style="font-weight: bold;">Step 1 </span>Access lists applied to an interface and crypto map are used by Cisco IOS software to select interesting traffic to be encrypted.<br />
<span style="font-weight: bold;">Step 2</span> Cisco IOS software checks to see if IPSec SAs have been established.<br />
<span style="font-weight: bold;">Step 3</span> If the SA has already been established by manual configuration using the crypto ipsec transform-set and crypto map commands or has been previously set up by IKE, the packet is encrypted based on the policy specified in the crypto map and is transmitted out of the interface.<br />
<span style="font-weight: bold;">Step 4 </span>If the SA has not been established, Cisco IOS software checks to see if an IKE SA has been configured and set up.<br />
<span style="font-weight: bold;">Step 5 </span>If the IKE SA has been set up, the IKE SA governs negotiation of the IPSec SA as specified in the IKE policy configured by the crypto isakmp policy command, the packet is encrypted by IPSec, and it is transmitted.<br />
<span style="font-weight: bold;">Step 6 </span>If the IKE SA has not been set up, Cisco IOS software checks to see if certification authority (CA) has been configured to establish an IKE policy.<br />
<span style="font-weight: bold;">Step 7 </span>If CA authentication is configured with the various crypto ca commands, the router uses public and private keys previously configured, obtains the CA's public certificate, gets a certificate for its own public key, and then uses the key to negotiate an IKE SA, which in turn is used to establish an IPSec SA to encrypt and transmit the packet.<br />
<br />
<br />
<span style="font-weight: bold;">Configuring Phase 1:</span><br />
The first 2 octets of IPs have been replaced with "y.y."<br />
Phase I is not configured on a per connection basis. When a Phase I connection is being established, configured ISAKMP policies will be tried one at a time until a match is found.<br />
<br />
Example of an ISAKMP policy:<br />
#isakmp policy 20 authentication pre-share<br />
#isakmp policy 20 encryption 3des<br />
#isakmp policy 20 hash md5<br />
#isakmp policy 20 group 2<br />
#isakmp policy 20 lifetime 43200<br />
<br />
<br />
<span style="font-weight: bold;">Troubleshooting Phase I:</span><br />
Check the syslogs<br />
<br />
<span style="font-style: italic;">show run isakmp</span><br />
This shows the ISAKMP policies for all VPN connections. To view a specific ISAKMP policy, type show run isakmp | grep &lt;policy#&gt;<br />
<span style="font-style: italic;">show vpn-sessiondb detail l2l</span>
<br />
<span style="font-style: italic;">show crypto isakmp sa detail</span> – This command displays the state of Phase I of the IPSEC tunnel. A state of MM_Active indicates that Phase I completed successfully. If Phase I does not complete, refer to the table below to find out exactly what state the Phase I connection is currently in; this gives an indication of where the problem occurred. More specific information can be found by running a debug (discussed later).<br />
<br />
<span style="font-weight: bold;">State: Description</span><br />
<span style="font-style: italic;">OAK_MM_No_STATE</span>: This is the initial state of Phase I. If you see Phase I in this state for longer than a few seconds, this is an indication that a failure of tunnel establishment for Phase I has occurred.<br />
<br />
<span style="font-style: italic;">OAK_MM_SA_SETUP</span>: The peers have agreed on parameters for the ISAKMP SA. Phase I will be in this state after the packet 1 and packet 2 exchange of the Main Mode negotiation (see above).<br />
<br />
<span style="font-style: italic;">MM_WAIT_MSG</span>: The firewall is waiting on the remote end device to respond with DH and public key.<br />
<br />
<span style="font-style: italic;">OAK_MM_KEY_EXCH</span>: The peers have exchanged DH public keys and have generated a shared secret.<br />
<br />
<span style="font-style: italic;">OAK_MM_KEY_AUTH</span>: The ISAKMP SA has been authenticated.<br />
<br />
<br />
<span style="font-style: italic;">debug crypto isakmp 5</span> – This command displays real-time information on every step of the Phase I connection. Debug level 5 should be sufficient for most troubleshooting; level 7 provides more detailed information if necessary.<br />
Note that you cannot limit the debug output to a specific tunnel.<br />
<br />
<span style="font-style: italic;">IKMP_NO_ERROR_NO_TRANS</span> indicates that a matching transform set was not found.<br />
<br />
<span style="font-style: italic;">No Proposal Chosen</span> = ISAKMP policy mismatch<br />
<br />
<br />
Syslog sample of a completed connection:<br />
Mar 10 2008 18:47:05: %PIX-3-713119: Group = y.y.41.250, IP = y.y.41.250, PHASE 1 COMPLETED<br />
<br />
Sample Debug output:<br />
The following shows the initiation of the first packet for an IPSEC tunnel.<br />
58534 02/27/2004 07:42:38.600 SEV=4 IKE/41 RPT=8619 y.y.11.49<br />
IKE Initiator: New Phase 1, Intf 2, IKE Peer<br />
<br />
The following indicates that the IKE Phase I policy was accepted by the remote gateway.<br />
58534 02/27/2004 07:42:38.600 IP = y.y.11.49, Oakley proposal is acceptable<br />
<br />
This indicates that Phase I has completed.<br />
58534 02/27/2004 07:42:38.600 Group= y.y.11.49, IP=y.y.11.49, Oakley begin quick mode<br />
<br />
The following indicates that the remote gateway found none of the proposed policies acceptable.<br />
5|Oct 02 2006 09:41:41|713904: IP = y.y.138.12, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping<br />
<br />
To clear the Security Associations related to Phase 1, use the clear crypto isakmp command. This clears ALL of the SAs currently built on this firewall.<br />
<br />
To confirm that the IPSEC packets are reaching the firewall, a capture can be created for all UDP 500 traffic.<br />
First create an access-list for the traffic you would like to capture.<br />
<span style="font-style: italic;">access-list capture1 permit udp any any eq 500</span><br />
<br />
Next create a capture.<br />
<span style="font-style: italic;">capture cap1 access-list capture1 interface outside</span><br />
<br />
Next display the results of the capture.<br />
<span style="font-style: italic;">show capture cap1 detail</span><br />
<br />
<span style="font-style: italic;">ciscoasa#show capture cap1 detail</span><br />
<span style="font-style: italic;">1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: UDP:500</span><br />
<br />
View the capture in a web browser (cap_name is cap1 in the example above):<br />
https://&lt;ip&gt;/capture/&lt;cap_name&gt;/pcap<br />
<br />
View pre-shared keys:<br />
<span style="font-style: italic;">more system:running-config</span><br />
<br />
<br />
<span style="font-weight: bold;">Configuring Phase 2:</span><br />
A transform set combines an encryption method and an authentication method. During the IPSec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same on both peers.<br />
You can create multiple transform sets, and then specify one or more of these transform sets in a crypto map entry.<br />
You can view previously created transform sets with the show crypto ipsec transform-set command. If the desired transform set has not been defined, the crypto ipsec transform-set command is used to create it.<br />
<br />
Example:<br />
<span style="font-style: italic;">#(config)crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac</span><br />
<br />
An access-list is used to define the “interesting traffic”, that is, the traffic that should be encrypted and allowed through the VPN tunnel. The access-list should always be defined from local to remote. The subnet sizes need to match on the remote gateway.<br />
<br />
Example:<br />
<span style="font-style: italic;">#(config) access-list tunnel1 extended permit ip y.y.191.0 255.255.255.0 host y.y.155.12</span><br />
<br />
If port filtering is being used and traffic is initiated from the remote side, the destination port of the remote host must be the source port of the local matching ACL.<br />
<br />
A tunnel group is used to identify specific connection parameters and the definition of a group policy. The default tunnel groups are DefaultRAGroup (used for Remote Access tunnels) and DefaultL2LGroup (used for IPSec LAN-to-LAN tunnels).<br />
<br />
Example:<br />
<span style="font-style: italic;">#(config)tunnel-group y.y.155.1 type ipsec-l2l</span><br />
<span style="font-style: italic;">#(config)tunnel-group y.y.155.1 ipsec-attributes</span><br />
<span style="font-style: italic;">#(config-attributes) pre-shared-key abc123</span><br />
<br />
<br />
The crypto map ties together the components that define the VPN tunnel. This is where the peer defined in the tunnel-group command is tied to the access-list and transform-set. The crypto map must be assigned a unique map id number. To view the crypto map id numbers already in use, run the show run crypto command.<br />
<br />
Example:<br />
<span style="font-style: italic;">#(config)crypto map mymap 10 match address tunnel1</span><br />
<span style="font-style: italic;">#(config)crypto map mymap 10 set peer y.y.155.1</span><br />
<span style="font-style: italic;">#(config)crypto map mymap 10 set transform-set 3desmd5</span><br />
<br />
NAT considerations:<br />
If a local address is going to be NATed outbound, the crypto ACL should use the outside (translated) IP address.<br />
<br />
<span style="font-weight: bold;">Troubleshooting Phase II:</span><br />
Check syslogs<br />
<br />
<span style="font-style: italic;">show crypto ipsec sa</span> - This command shows the IPSEC SAs. The SA includes the IP addresses of the local and remote endpoints, the encryption domains (interesting traffic), the transform set (which encryption and hash are being used), the key lifetime, and the number of packets encrypted and decrypted.<br />
<span style="font-style: italic;">debug crypto engine</span>—Displays the traffic that is encrypted.<br />
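Before the SA output that follows, an added example (not code from the original post) of the proxy-ID mirror check that the Phase 2 section describes: this Python script parses two peers' crypto ACLs in the access-list form quoted above and reports every entry the remote side does not mirror exactly (source and destination swapped, identical subnet sizes, ports swapped when port filtering is used), which is the mismatch that shows up later in this guide as "Invalid ID info" and "ACL does not match proxy IDs". The ACL names and the documentation-range addresses in the two sample configurations are constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample configs. The local ACL is written local -> remote, as the guide
# requires; the remote peer mirrors the first entry correctly but uses a /23 instead
# of a /24 in the second, the "subnet sizes need to match" failure.
LOCAL_CONFIG = """\
access-list tunnel1 extended permit ip 192.0.2.0 255.255.255.0 host 198.51.100.12
access-list tunnel1 extended permit tcp 192.0.2.0 255.255.255.0 eq 443 host 198.51.100.13
access-list other extended permit ip any any
"""
REMOTE_CONFIG = """\
access-list tunnel1 extended permit ip host 198.51.100.12 192.0.2.0 255.255.255.0
access-list tunnel1 extended permit tcp host 198.51.100.13 192.0.2.0 255.255.254.0 eq 443
"""


class ProxyId(NamedTuple):
    """One crypto ACL entry as the peers exchange it in Phase 2 (local -> remote)."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[str]
    dst_port: Optional[str]

    def mirrored(self) -> "ProxyId":
        """What the other peer's matching entry must look like: same networks, reversed."""
        return ProxyId(self.proto, self.dst, self.src, self.dst_port, self.src_port)


ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.+)$")


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens


def parse_crypto_acl(config_text: str, name: str) -> List[ProxyId]:
    """Return the proxy IDs defined by the permit lines of the named ACL."""
    ids = []
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(1) != name:
            continue
        proto, rest = m.group(2), m.group(3).split()
        src, rest = _take_addr(rest)
        src_port, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dst_port, _ = _take_port(rest)
        ids.append(ProxyId(proto, src, dst, src_port, dst_port))
    return ids


def check_mirror(local_ids: List[ProxyId], remote_ids: List[ProxyId]) -> List[str]:
    """Report every entry the other side does not mirror exactly.

    A size or port difference is what the guide's 'Invalid ID info' (seen by the
    remote gateway) and 'ACL does not match proxy IDs' (seen locally) messages report.
    """
    problems = []
    remote_set = set(remote_ids)
    for pid in local_ids:
        want = pid.mirrored()
        if want in remote_set:
            continue
        # Look for an overlapping entry so the report says what differs.
        near = [r for r in remote_ids if r.src.overlaps(want.src) and r.dst.overlaps(want.dst)]
        if near:
            problems.append(f"{pid.src} -> {pid.dst}: remote has {near[0].src} -> {near[0].dst}"
                            " (subnet size or port differs)")
        else:
            problems.append(f"{pid.src} -> {pid.dst}: no matching entry on remote peer")
    local_set = set(local_ids)
    for rid in remote_ids:
        if rid.mirrored() not in local_set:
            problems.append(f"remote {rid.src} -> {rid.dst} has no local counterpart")
    return problems


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CONFIG, "tunnel1")
    remote = parse_crypto_acl(REMOTE_CONFIG, "tunnel1")
    for problem in check_mirror(local, remote) or ["crypto ACLs mirror each other"]:
        print(problem)
```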
<br />
Example of an IPSEC SA:<br />
This shows the crypto map used for this connection.<br />
Crypto map tag: vpn_map, seq num: 130, local addr: x.x.160.45<br />
<br />
The following line shows the crypto ACL that includes the traffic to be protected.<br />
access-list VPN-CIDS704976 permit ip x.x.190.0 255.255.254.0 host 10.25.4.80<br />
local ident (addr/mask/prot/port): (x.x.190.0/255.255.254.0/0/0)<br />
remote ident (addr/mask/prot/port): (10.25.4.80/255.255.255.255/0/0)<br />
current_peer: y.y.227.136<br />
<br />
Encrypts indicate that this side is encrypting and sending traffic. Decrypts indicate that the other side is sending traffic.<br />
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5<br />
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0<br />
#send errors: 0, #recv errors: 0<br />
<br />
This lists the local and remote endpoints.<br />
local crypto endpt.: x.x.160.45, remote crypto endpt.: y.y.227.136<br />
<br />
path mtu 1500, ipsec overhead 74, media mtu 1500<br />
current outbound spi: 2AFEA5C7<br />
<br />
There is a separate SA for inbound and outbound.<br />
inbound esp sas:<br />
spi: 0x9D111D2A (2635144490)<br />
transform: esp-aes-256 esp-sha-hmac none<br />
in use settings ={L2L, Tunnel, PFS Group 5, }<br />
slot: 0, conn_id: 317225, crypto-map: vpn_map<br />
sa timing: remaining key lifetime (kB/sec): (4275000/28789)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
outbound esp sas:<br />
spi: 0x2AFEA5C7 (721331655)<br />
transform: esp-aes-256 esp-sha-hmac none<br />
in use settings ={L2L, Tunnel, PFS Group 5, }<br />
slot: 0, conn_id: 317225, crypto-map: vpn_map<br />
sa timing: remaining key lifetime (kB/sec): (4274999/28789)<br />
IV size: 16 bytes<br />
replay detection support: Y<br />
<br />
<span style="font-style: italic;">clear crypto ipsec sa peer &lt;peer ip&gt;</span> will clear the Phase 2 SAs for a given peer.<br />
<br />
<br />
<span style="font-style: italic;">debug crypto ipsec</span>—Displays the IPSec negotiations of Phase 2.<br />
<br />
No Valid SA / Identity mismatch – transform set or crypto ACL mismatch<br />
<br />
Sample Debug output:<br />
The following shows that the tunnel group configuration was found.<br />
Oct 26 15:42:43 [IKEv1]: IP = y.y.205.92, Connection landed on tunnel_group y.y.205.92<br />
<br />
<span style="font-weight: bold;">Sample syslog errors:</span><br />
<br />
This shows the interesting traffic ACL getting exchanged.<br />
1754 11/29/2001 16:20:18.500 SEV=7 IKEDBG/0 RPT=546 y.y.205.92<br />
Transmitting Proxy Id:<br />
Remote host: 192.168.1.1 Protocol 0 Port 0<br />
Local host: 10.64.10.9 Protocol 0 Port 0<br />
<br />
Completion of Phase II.<br />
1949 11/29/2001 16:20:18.540 SEV=4 IKE/49 RPT=3 y.y.205.92<br />
Security negotiation complete<br />
Responder, Inbound SPI = 0x11a56495, Outbound SPI = 0xb17718a5<br />
Mar 10 2008 18:47:05: %PIX-5-713120: Group = y.y.41.250, IP = y.y.41.250, PHASE 2 COMPLETED (msgid=0f78e513)<br />
<br />
Pre-shared key mismatch.<br />
1754 11/29/2001 16:20:18.500 Group = 172.16.172.63, IP = 172.16.172.63, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping.<br />
<br />
Pre-shared key mismatch reported by the remote peer (receiving peer):<br />
713903: Group = 172.1.12.1, IP = 172.1.12.1 ERROR. peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.<br />
<br />
Transform-set mismatch.<br />
1754 11/29/2001 16:20:18.500 Group = 172.16.172.63, IP = 172.16.172.63, Received non-routine Notify message: No Proposal Chosen<br />
<br />
Transform-set mismatch on the remote peer (receiving peer):<br />
713904: IP = 10.51.16.1, Received encrypted packet with no matching SA, dropping<br />
713048: IP = 10.51.16.1 Error processing payload. Payload ID 1<br />
<br />
The following indicates that the remote gateway is not finding matching interesting traffic.<br />
1754 11/29/2001 16:20:18.500 Group = y.y.172.63, IP = y.y.172.63, Received non-routine Notify message: Invalid ID info (18)<br />
<br />
The following indicates that the local gateway is not finding matching interesting traffic.<br />
1754 11/29/2001 16:20:18.500 Group = y.y.172.63, IP = y.y.172.63, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.1.0 dst:192.168.2.0<br />
<br />
PFS mismatch:<br />
<div class="MsoNormal" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">713068: Group = 172.1.12.1, Received non-routine Notify message: No Proposal Chosen (14)</div><div class="MsoNormal" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">PFS is turned on at the remote peer. The local peer reports the following:</div><div class="MsoNormal" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">713902: Group = 10.51.16.1, QM FSM error (p2 struct &0x296fde8, mess id 0x518e80d)!</div>QM FSM is a generic message indicating that the Phase II connection was rejected by the remote peer.<br />
<br />
This indicates that the remote peer is NATing:<br />
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x72DEC2AA, sequence number= 0x41) from y.y.28.178 (user= y.y.28.178) to y.y.83.194. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as y.y.83.194, its source as y.y.28.178, and its protocol as 1. The SA specifies its local proxy as y.y.10.16/255.255.255.240/0/0 and its remote_proxy as y.y.63.0/255.255.255.0/0/0.<br />
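As an added example (not part of the original guide), here is a small Python triage script that applies the syslog readings above to a log file: it maps each message to the Phase I or Phase II diagnosis this guide gives for it and reports, per peer, which phase is failing. The sample log lines are constructed from the message texts quoted in this guide, with RFC 5737 documentation addresses in place of real peers; message wording varies between PIX/ASA versions, so treat the patterns as a starting point to be checked against your own logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Message texts follow the redacted ones quoted in this guide;
# the addresses are documentation ranges, not real peers.
SAMPLE_LOG = """\
Mar 10 2008 18:47:05: %PIX-3-713119: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 1 COMPLETED
Mar 10 2008 18:47:05: %PIX-5-713120: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=0f78e513)
Mar 10 2008 18:48:11: %PIX-3-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
Mar 10 2008 18:48:12: %PIX-3-713068: Group = 198.51.100.7, IP = 198.51.100.7, Received non-routine Notify message: No Proposal Chosen (14)
Mar 10 2008 18:48:12: %PIX-3-713902: Group = 198.51.100.7, IP = 198.51.100.7, QM FSM error (p2 struct &0x296fde8, mess id 0x518e80d)!
Mar 10 2008 18:49:30: %PIX-3-713904: IP = 203.0.113.5, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Mar 10 2008 18:50:02: %PIX-3-713903: Group = 203.0.113.9, IP = 203.0.113.9, ERROR. peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch
Mar 10 2008 18:51:40: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x72DEC2AA, sequence number= 0x41) from 198.51.100.20 (user= 198.51.100.20) to 192.0.2.1. The decapsulated inner packet doesn't match the negotiated policy in the SA.
Mar 10 2008 18:52:00: %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.77/51000 to inside:192.0.2.50/443
"""


@dataclass(frozen=True)
class Finding:
    peer: str
    phase: str       # "Phase 1" or "Phase 2"
    diagnosis: str   # "ok" or the guide's explanation of the message
    line: str


# Message patterns and what this guide says they mean, most specific first.
RULES = [
    (re.compile(r"713119.*PHASE 1 COMPLETED"), "Phase 1", "ok"),
    (re.compile(r"713120.*PHASE 2 COMPLETED"), "Phase 2", "ok"),
    (re.compile(r"un-encrypted PAYLOAD_MALFORMED"), "Phase 1", "pre-shared key mismatch"),
    (re.compile(r"713903.*pre-shared key mismatch"), "Phase 1", "pre-shared key mismatch reported by receiving peer"),
    (re.compile(r"un-encrypted NO_PROPOSAL_CHOSEN"), "Phase 1", "ISAKMP policy mismatch"),
    (re.compile(r"No Proposal Chosen"), "Phase 2", "transform set or PFS mismatch"),
    (re.compile(r"Invalid ID info"), "Phase 2", "crypto ACL mismatch: remote gateway finds no matching interesting traffic"),
    (re.compile(r"ACL does not match proxy IDs"), "Phase 2", "crypto ACL mismatch: local gateway finds no matching interesting traffic"),
    (re.compile(r"713904.*no matching SA"), "Phase 2", "transform set mismatch on remote peer"),
    (re.compile(r"713902.*QM FSM error"), "Phase 2", "Phase 2 rejected by remote peer (generic)"),
    (re.compile(r"402116.*decapsulated inner packet doesn't match"), "Phase 2", "remote peer is NATing traffic into the tunnel"),
]

# The peer appears as "IP = a.b.c.d" in IKE messages and as "from a.b.c.d" in the ESP message.
PEER_PATTERNS = [re.compile(r"\bIP\s*=\s*([0-9A-Za-z.:]+)"), re.compile(r"\bfrom\s+([0-9.]+)")]


def classify(line: str) -> Optional[Finding]:
    """Map one syslog line to the guide's diagnosis; None for lines this guide does not cover."""
    for pattern, phase, diagnosis in RULES:
        if pattern.search(line):
            peer = "unknown"
            for peer_re in PEER_PATTERNS:
                m = peer_re.search(line)
                if m:
                    peer = m.group(1).rstrip(".")
                    break
            return Finding(peer, phase, diagnosis, line.strip())
    return None


def triage(lines: List[str]) -> Dict[str, dict]:
    """Group findings per peer and name the failing phase, in the guide's order:
    Phase 1 problems (ISAKMP policy, pre-shared key) before Phase 2 problems
    (transform set, crypto ACL, PFS, NAT)."""
    per_peer: Dict[str, List[Finding]] = defaultdict(list)
    for line in lines:
        f = classify(line)
        if f:
            per_peer[f.peer].append(f)
    report = {}
    for peer, findings in per_peer.items():
        p1_ok = any(f.phase == "Phase 1" and f.diagnosis == "ok" for f in findings)
        p2_ok = any(f.phase == "Phase 2" and f.diagnosis == "ok" for f in findings)
        p1_problems = sorted({f.diagnosis for f in findings if f.phase == "Phase 1" and f.diagnosis != "ok"})
        p2_problems = sorted({f.diagnosis for f in findings if f.phase == "Phase 2" and f.diagnosis != "ok"})
        if p1_problems:
            verdict = "Phase 1 failing: check ISAKMP policy and pre-shared key"
        elif p2_problems:
            verdict = "Phase 2 failing: check transform-set, crypto ACL, PFS and NAT"
        elif p2_ok:
            verdict = "tunnel up"
        else:
            verdict = "Phase 1 up, no Phase 2 messages seen yet"
        report[peer] = {"phase1_complete": p1_ok, "phase2_complete": p2_ok,
                        "problems": p1_problems + p2_problems, "verdict": verdict}
    return report


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {info['verdict']}")
        for problem in info["problems"]:
            print(f"    - {problem}")
```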
<br />
<br />
<br />
When reverse route is turned on:<br />
<div class="MsoNormal" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Jan 26 2009 18:15:07: %ASA-6-713211: Group = y.y.43.160, IP = y.y.43.160, Adding static route for L2L peer coming in on a dynamic map. address: 192.168.8.5, mask: 255.255.255.255</div><div class="MsoNormal" style="line-height: 1.3em; margin-bottom: 0.75em; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Jan 26 2009 18:57:54: %ASA-6-713213: Group = y.y.43.160, IP = y.y.43.160, Deleting static route for L2L peer that came in on a dynamic map. address: 192.168.8.5, mask: 255.255.255.255</div></div></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-6020133766366748817.post-55060554601150140622011-06-16T10:07:00.000-07:002011-06-16T10:07:16.837-07:00Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; font-size: 12px;"></span><br />
<h2><a href="" name="intro">Introduction</a></h2>This document contains the most common solutions to IPsec VPN problems. These solutions come directly from service requests that the Cisco Technical Support have solved. Many of these solutions can be implemented prior to the in-depth troubleshooting of an IPsec VPN connection. As a result, this document provides a checklist of common procedures to try before you begin to troubleshoot a connection and call Cisco Technical Support.<br />
If you need configuration example documents for the site-to-site VPN and remote access VPN, refer to the <i>Remote Access VPN, Site to Site VPN (L2L) with PIX, Site to Site VPN (L2L) with IOS,</i> and <i>Site to Site VPN (L2L) with VPN3000</i> sections of <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html" style="color: #003399;">Configuration Examples and TechNotes</a>.<br />
<b>Note: </b>Even though the configuration examples in this document are for use on routers and security appliances, nearly all of these concepts are also applicable to the VPN 3000 concentrator.<br />
<b>Note: </b>Refer to <a href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml" style="color: #003399;">IP Security Troubleshooting - Understanding and Using debug Commands</a> to provide an explanation of common debug commands that are used to troubleshoot IPsec issues on both the Cisco IOS<sup>®</sup> Software and PIX.<br />
<b>Note: </b>ASA/PIX will not pass multicast traffic over IPsec VPN tunnels.<br />
<b>Note: </b>You can look up any command used in this document with the <a href="http://tools.cisco.com/Support/CLILookup/cltSearchAction.do" style="color: #003399;">Command Lookup Tool</a> (registered customers only).<br />
<img alt="warning" src="http://www.cisco.com/images/warning.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" /> <b>Warning: </b>Many of the solutions presented in this document can lead to a temporary loss of all IPsec VPN connectivity on a device. It is recommended that these solutions be implemented with caution and in accordance with your change control policy.<br />
<h2><a href="" name="prereq">Prerequisites</a></h2><h3><a href="" name="req">Requirements</a></h3>Cisco recommends that you have knowledge of IPsec VPN configuration on these Cisco devices:<br />
<ul><li>Cisco PIX 500 Series Security Appliance</li>
<li>Cisco ASA 5500 Series Security Appliance</li>
<li>Cisco IOS Routers</li>
<li>Cisco VPN 3000 Series Concentrators (<i>Optional</i>)</li>
</ul><h3><a href="" name="hw">Components Used</a></h3>The information in this document is based on these software and hardware versions:<br />
<ul><li>Cisco ASA 5500 Series Security Appliance</li>
<li>Cisco PIX 500 Series Security Appliance</li>
<li>Cisco IOS</li>
</ul>The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.<br />
<h3><a href="" name="conventions">Conventions</a></h3>Refer to <a href="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml" style="color: #003399;">Cisco Technical Tips Conventions</a> for more information on document conventions.<br />
<h2><a href="" name="topic1">IPsec VPN Configuration Does Not Work</a></h2><h3><a href="" name="topic1-problem">Problem</a></h3>A recently configured or modified IPsec VPN solution does not work.<br />
A current IPsec VPN configuration no longer works.<br />
<h3><a href="" name="topic1-solution">Solutions</a></h3>This section contains solutions to the most common IPsec VPN problems. Although they are not listed in any particular order, these solutions can be used as a checklist of items to verify or try before you engage in in-depth troubleshooting and call the TAC. All of these solutions come directly from TAC service requests and have resolved numerous customer issues.<br />
<ul><li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01" style="color: #003399;">Enable NAT-Traversal (#1 RA VPN Issue)</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution02" style="color: #003399;">Test Connectivity Properly</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution03" style="color: #003399;">Enable ISAKMP</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution04" style="color: #003399;">Enable/Disable PFS</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution05" style="color: #003399;">Clear Old or Existing Security Associations (Tunnels)</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution06" style="color: #003399;">Verify ISAKMP Lifetime</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution07" style="color: #003399;">Enable or Disable ISAKMP Keepalives</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution08" style="color: #003399;">Re-Enter or Recover Pre-Shared-Keys</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution09" style="color: #003399;">Mismatched Pre-shared Key</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10" style="color: #003399;">Remove and Re-apply Crypto Maps</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution11" style="color: #003399;">Verify that sysopt Commands are Present (PIX/ASA Only)</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution12" style="color: #003399;">Verify the ISAKMP Identity</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13" style="color: #003399;">Verify Idle/Session Timeout</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution14" style="color: #003399;">Verify that ACLs are Correct and are Bound to the Crypto Map</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution15" style="color: #003399;">Verify the ISAKMP Policies</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution16" style="color: #003399;">Verify that Routing is Correct</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution17" style="color: #003399;">Verify that Transform-Set is Correct</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution18" style="color: #003399;">Verify Crypto Map Sequence Numbers and Name</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution19" style="color: #003399;">Verify the Peer IP Address is Correct</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution20" style="color: #003399;">Verify the Tunnel Group and Group Names</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21" style="color: #003399;">Disable XAUTH for L2L Peers</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution22" style="color: #003399;">VPN Pool Getting Exhausted</a></li>
</ul><b>Note: </b>Some of the commands in these sections are wrapped onto a second line because of space constraints.<br />
<h3><a href="" name="solution01">Enable NAT-Traversal (#1 RA VPN Issue)</a></h3>NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.<br />
If NAT-T is not enabled on the NAT/PAT device, you can receive the <tt>regular translation creation failed for protocol 50 src inside:10.0.1.26 dst outside:10.9.69.4</tt> error message on the PIX/ASA.<br />
Similarly, if simultaneous logins from the same IP address fail, the <tt>Secure VPN connection terminated locally by client. Reason 412: The remote peer is no longer responding.</tt> error message appears. Enable NAT-T on the head end VPN device in order to resolve this error.<br />
<b>Note: </b>With Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.<br />
Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time (default).<br />
<b>PIX/ASA 7.1 and earlier</b><br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>isakmp nat-traversal 20</b>
</pre></blockquote><b>PIX/ASA 7.2(1) and later</b><br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>crypto isakmp nat-traversal 20</b>
</pre></blockquote>The clients need to be modified as well in order for it to work.<br />
In Cisco VPN Client, choose to <b>Connection Entries</b> and click <b>Modify</b>. It opens a new window where you have to choose the <b>Transport</b> tab. Under this tab, choose <b>Enable Transparent Tunneling</b> and the <b>IPSec over UDP ( NAT / PAT )</b> radio button. Then click <b>Save</b> and test the connection.<br />
<b>Note: </b>This command is the same for both PIX 6.x and PIX/ASA 7.x.<br />
<b>Note: </b>Because the PIX/ASA acts as a NAT device, it is important to permit UDP 4500 (NAT-T), UDP 500 (ISAKMP) and ESP (IP protocol 50) with an ACL. Refer to <a href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml" style="color: #003399;">Configuring an IPsec Tunnel through a Firewall with NAT</a> for more information on the ACL configuration in PIX/ASA.<br />
<b>VPN Concentrator</b><br />
Choose <b>Configuration > Tunneling and Security > IPSEC > NAT Transparency > Enable: <i>IPsec over NAT-T</i></b> in order to enable NAT-T on the VPN Concentrator.<br />
<b>Note: </b>NAT-T also lets multiple VPN clients connect through a PAT device at the same time to any head end, whether it is a PIX, a router or a Concentrator.<br />
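As an added illustration of the NAT-T point above (example code written for this page, not Cisco's), here is a small Python model of a PAT device in front of two IPsec clients. The addresses, the translation-table layout and the log text are constructed assumptions; the ESP and UDP protocol numbers and port 4500 are the standard values. It shows why a second client behind the same PAT device fails without NAT-T and succeeds with it.<br />

```python
"""
Constructed model of a PAT device in front of two IPsec clients (added
example, not Cisco code). PAT rewrites the inside source address and
needs a per-flow transport port to tell returning packets apart. ESP
(IP protocol 50) has no port header, so the PAT device can keep at most
one ESP mapping per outside peer. With NAT-T the IKE peers move ESP into
UDP/4500, which PAT handles like any other UDP flow.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50           # IP protocol number of ESP
UDP = 17           # IP protocol number of UDP
NAT_T_PORT = 4500  # UDP port used by NAT-T encapsulation


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: there is no transport header
    dport: Optional[int] = None


class PatDevice:
    """Minimal many-to-one PAT: one public address, one translation table."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (proto, inside src, inside sport, dst) -> translated public port
        self.table: Dict[Tuple[int, str, Optional[int], str], Optional[int]] = {}
        self.next_port = 1024
        self.log: List[str] = []

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the outbound packet after translation, or None if dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst)
        if key in self.table:
            return self._rewrite(pkt, self.table[key])
        if pkt.proto == ESP:
            # No ports: a second inside host to the same peer cannot be told apart.
            if any(k[0] == ESP and k[3] == pkt.dst for k in self.table):
                self.log.append(  # constructed message modelled on the ASA text above
                    f"translation creation failed for protocol {ESP} "
                    f"src inside:{pkt.src} dst outside:{pkt.dst}")
                return None
            self.table[key] = None
            return self._rewrite(pkt, None)
        # UDP (NAT-T): allocate a unique public source port per flow.
        port = self.next_port
        self.next_port += 1
        self.table[key] = port
        return self._rewrite(pkt, port)

    def _rewrite(self, pkt: Packet, public_port: Optional[int]) -> Packet:
        return Packet(pkt.proto, self.public_ip, pkt.dst, public_port, pkt.dport)


def simulate(nat_t_enabled: bool) -> Tuple[int, List[str]]:
    """Send one encrypted packet from each of two inside clients to the same
    head end; return how many got through and the PAT device's log."""
    pat = PatDevice("203.0.113.10")        # constructed public address
    head_end = "198.51.100.1"              # constructed VPN head end
    clients = ["10.0.1.26", "10.0.1.27"]   # constructed inside hosts
    forwarded = 0
    for client in clients:
        if nat_t_enabled:
            pkt = Packet(UDP, client, head_end, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ESP, client, head_end)
        if pat.translate(pkt) is not None:
            forwarded += 1
    return forwarded, pat.log


if __name__ == "__main__":
    print("without NAT-T:", simulate(False))
    print("with NAT-T:   ", simulate(True))
```

Run with NAT-T disabled, only the first client's ESP is forwarded and the second is refused; with NAT-T both clients get their own translated UDP port, which is the "multiple VPN clients through one PAT device" case the note describes.<br />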
<h3><a href="" name="solution02">Test Connectivity Properly</a></h3>Ideally, VPN connectivity is tested from devices behind the endpoint devices that do the encryption, yet many users test VPN connectivity with the <b>ping</b> command on the devices that do the encryption. While the <b>ping</b> generally works for this purpose, it is important to source your ping from the correct interface. If the <b>ping</b> is sourced incorrectly, it can appear that the VPN connection has failed when it really works. Take this scenario as an example:<br />
<img alt="common_ipsec_trouble-1.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-1.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
Router A crypto ACL<br />
<blockquote><pre style="font-size: 15px;">access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255</pre></blockquote>Router B crypto ACL<br />
<blockquote><pre style="font-size: 15px;">access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255</pre></blockquote>In this situation, a <b>ping</b> must be sourced from the "inside" network behind either router. This is because the crypto ACLs are only configured to encrypt traffic with those source addresses. A <b>ping</b> sourced from the Internet-facing interface of either router is not encrypted. Use the extended options of the <b>ping</b> command in privileged EXEC mode to source a ping from the "inside" interface of a router:<br />
<blockquote><pre style="font-size: 15px;">routerA#<b>ping</b>
Protocol [ip]:
<b>Target IP address: 192.168.200.10</b>
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
<b>Extended commands [n]: y</b>
<b>Source address or interface: 192.168.100.1</b>
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
<b>Packet sent with a source address of 192.168.100.1</b>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms</pre></blockquote>Imagine that the routers in this diagram have been replaced with PIX or ASA security appliances. The <b>ping</b> used to test connectivity can also be sourced from the inside interface with the <b>inside</b> keyword:<br />
<blockquote><pre style="font-size: 15px;">securityappliance#<b>ping inside 192.168.200.10</b>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</pre></blockquote><b>Note: </b>It is not recommended that you target the inside interface of a security appliance with your <b>ping</b>. If you must target the inside interface with your <b>ping</b>, you must enable <b>management-access</b> on that interface, or the appliance does not reply.<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>management-access inside</b>
</pre></blockquote><b>Note: </b>When a problem exists with the connectivity, even phase 1 of the VPN does not come up. On the ASA, if connectivity fails, the SA output is similar to this example, which possibly indicates an incorrect crypto peer configuration, an incorrect ISAKMP proposal configuration, or both:<br />
<blockquote><pre style="font-size: 15px;">Router#<b>show crypto isakmp sa</b>
1 IKE Peer: XX.XX.XX.XX
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG2</pre></blockquote><b>Note: </b>The state can be anything from MM_WAIT_MSG2 to MM_WAIT_MSG5; each denotes that the corresponding message exchange of main mode (MM) failed.<br />
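Before reading SA states it is worth confirming that the test traffic is interesting traffic at all, which is the crypto ACL point made at the start of this section. The following Python check is an added example rather than code from the page: it parses IOS-style extended crypto ACL entries (the two Router A/B entries above, plus <b>host</b> and <b>any</b>, which the page's ACLs do not use) and reports whether a ping between two addresses would be encrypted. The 203.0.113.1 Internet-facing address used in the demonstration is constructed.<br />

```python
"""
Crypto ACL check for the "source your ping correctly" point (added
example, not Cisco code). Parses entries of the form
'access-list <n> permit|deny ip <src> <wildcard> <dst> <wildcard>'
(also 'host <addr>' and 'any') and decides whether a packet from one
address to another is interesting traffic, i.e. would be encrypted.
"""
import ipaddress
from typing import List, Tuple

# Copied from the Router A / Router B crypto ACLs shown above.
ROUTER_A_ACL = ["access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255"]
ROUTER_B_ACL = ["access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255"]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 is a /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address specification from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Return (action, source network, destination network) for one entry."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL entry: {line}")
    action = tokens[2]
    src, rest = _take_address(tokens[4:])
    dst, _ = _take_address(rest)
    return action, src, dst


def is_interesting(acl: List[str], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins, as in IOS; no match is an implicit deny,
    so the packet leaves in cleartext and never enters the tunnel."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for line in acl:
        action, s_net, d_net = parse_ace(line)
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    # Sourced from Router A's inside address 192.168.100.1 (from the page): encrypted.
    print(is_interesting(ROUTER_A_ACL, "192.168.100.1", "192.168.200.10"))
    # Sourced from a constructed Internet-facing address: not encrypted.
    print(is_interesting(ROUTER_A_ACL, "203.0.113.1", "192.168.200.10"))
```

The second call returns False: a ping sourced from the outside interface is never matched by the crypto ACL, so a failed reply says nothing about the tunnel.<br />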
<b>Note: </b>Crypto SA output when the phase 1 is up is similar to this example:<br />
<blockquote><pre style="font-size: 15px;">Router#<b>show crypto isakmp sa</b>
1 IKE Peer: XX.XX.XX.XX
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE</pre></blockquote><h3><a href="" name="solution03">Enable ISAKMP</a></h3>If there is no indication that an IPsec VPN tunnel comes up at all, it possibly is due to the fact that ISAKMP has not been enabled. Be sure that you have enabled ISAKMP on your devices. Use one of these commands to enable ISAKMP on your devices:<br />
<ul><li>Cisco IOS<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>crypto isakmp enable</b>
</pre></blockquote></li>
<li>Cisco PIX 7.1 and earlier (replace <b>outside</b> with your desired interface)<br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>isakmp enable outside</b>
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.2(1) and later (replace <b>outside</b> with your desired interface)<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>crypto isakmp enable outside</b>
</pre></blockquote></li>
</ul>You can also get this error when you enable the ISAKMP on the outside interface:<br />
<blockquote><pre style="font-size: 15px;">UDP: ERROR - socket &lt;unknown&gt; 62465 in used
ERROR: IkeReceiverInit, unable to bind to port</pre></blockquote>The cause of the error can be that a client behind the ASA/PIX gets PAT'd to UDP port 500 before ISAKMP can be enabled on the interface. Once that PAT translation is removed (clear xlate), ISAKMP can be enabled.<br />
<b>Note: </b>Always make sure that UDP 500 and 4500 port numbers are reserved for the negotiation of ISAKMP connections with the peer.<br />
<b>Note: </b>When the ISAKMP is not enabled on the interface, the VPN client shows an error message similar to this message:<br />
<blockquote><pre style="font-size: 15px;">Secure VPN connection terminated locally by client.
Reason 412: The remote peer is no longer responding</pre></blockquote><b>Note: </b>In order to resolve this error, enable the ISAKMP on the crypto interface of the VPN gateway.<br />
<h3><a href="" name="solution04">Enable/Disable PFS</a></h3>In IPsec negotiations, Perfect Forward Secrecy (PFS) ensures that each new cryptographic key is unrelated to any previous key. Either enable or disable PFS on both the tunnel peers; otherwise, the LAN-to-LAN (L2L) IPsec tunnel is not established in the PIX/ASA/IOS router.<br />
<b>PIX/ASA:</b><br />
PFS is disabled by default. In order to enable PFS, use the <b>pfs</b> command with the enable keyword in group-policy configuration mode. In order to disable PFS, enter the disable keyword.<br />
<blockquote><pre style="font-size: 15px;">hostname(config-group-policy)#<b>pfs {enable | disable}</b>
</pre></blockquote>In order to remove the PFS attribute from the running configuration, enter the no form of this command. A group policy can inherit a value for PFS from another group policy. Enter the no form of this command in order to prevent inheriting a value.<br />
<blockquote><pre style="font-size: 15px;">hostname(config-group-policy)#<b>no pfs</b> </pre></blockquote><b>IOS Router:</b><br />
In order to specify that IPsec must ask for PFS when new Security Associations are requested for this crypto map entry, or that IPsec requires PFS when it receives requests for new Security Associations, use the <b>set pfs</b> command in crypto map configuration mode. In order to specify that IPsec must not request PFS, use the no form of this command. By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.<br />
<blockquote><pre style="font-size: 15px;">set pfs [group1 | group2]
no set pfs </pre></blockquote>For the set pfs command:<br />
<ul><li>group1: Specifies that IPsec must use the 768-bit Diffie-Hellman prime modulus group when the new Diffie-Hellman exchange is performed.</li>
<li>group2: Specifies that IPsec must use the 1024-bit Diffie-Hellman prime modulus group when the new Diffie-Hellman exchange is performed.</li>
</ul>Example:<br />
<blockquote><pre style="font-size: 15px;">Router(config)#crypto map map 10 ipsec-isakmp
Router(config-crypto-map)#<b>set pfs group2</b>
</pre></blockquote><b>Note: </b> Perfect Forward Secrecy (PFS) is Cisco proprietary and is not supported on third party devices.<br />
<h3><a href="" name="solution05">Clear Old or Existing Security Associations (Tunnels)</a></h3>If this error message occurs in the IOS Router, the problem is that the SA has either expired or been cleared. The remote tunnel end device does not know that it uses the expired SA to send a packet (not a SA establishment packet). When a new SA has been established, the communication resumes, so initiate the <i>interesting</i> traffic across the tunnel to create a new SA and re-establish the tunnel.<br />
<blockquote><pre style="font-size: 15px;"><b>%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA </b>
</pre></blockquote>Clearing ISAKMP (Phase I) and IPsec (Phase II) security associations (SAs) is the simplest and often the best way to resolve IPsec VPN problems.<br />
If you clear SAs, you can frequently resolve a wide variety of error messages and strange behaviors without the need to troubleshoot. While this technique can easily be used in any situation, it is almost always a requirement to clear SAs after you change or add to a current IPsec VPN configuration. Moreover, while it is possible to clear only specific security associations, the greatest benefit usually comes from clearing SAs globally on the device.<br />
<b>Note: </b>Once the Security Associations have been cleared, it can be necessary to send traffic across the tunnel to re-establish them.<br />
<img alt="warning" src="http://www.cisco.com/images/warning.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" /> <b>Warning: </b>Unless you specify which security associations to clear, the commands listed here can clear all security associations on the device. Proceed with caution if other IPsec VPN tunnels are in use.<br />
<ol type="1"><li>View Security Associations before you clear them<br />
<ol type="a"><li><b>Cisco IOS</b><br />
<blockquote><pre style="font-size: 15px;">router#<b>show crypto isakmp sa</b>
router#<b>show crypto ipsec sa</b>
</pre></blockquote></li>
<li><b>Cisco PIX/ASA Security Appliances</b><br />
<blockquote><pre style="font-size: 15px;">securityappliance#<b>show crypto isakmp sa</b>
securityappliance#<b>show crypto ipsec sa</b>
</pre></blockquote><b>Note: </b>These commands are the same for both Cisco PIX 6.x and PIX/ASA 7.x</li>
</ol></li>
<li>Clear Security Associations. Each command can be entered as shown in bold or entered with the options shown with them.<br />
<ol type="a"><li><b>Cisco IOS</b><br />
<ol type="a"><li><b>ISAKMP (Phase I)</b><br />
<blockquote><pre style="font-size: 15px;">router#<b>clear crypto isakmp</b> ?
&lt;0 - 32766&gt; connection id of SA
&lt;cr&gt;</pre></blockquote></li>
<li><b>IPsec (Phase II)</b><br />
<blockquote><pre style="font-size: 15px;">router#<b>clear crypto sa</b> ?
counters Reset the SA counters
map Clear all SAs for a given crypto map
peer Clear all SAs for a given crypto peer
spi Clear SA by SPI
&lt;cr&gt;</pre></blockquote></li>
</ol></li>
<li><b>Cisco PIX/ASA Security Appliances</b><br />
<ol type="a"><li><b>ISAKMP (Phase I)</b><br />
<blockquote><pre style="font-size: 15px;">securityappliance#<b>clear crypto isakmp sa</b>
</pre></blockquote></li>
<li><b>IPsec (Phase II)</b><br />
<blockquote><pre style="font-size: 15px;">security appliance#<b>clear crypto ipsec sa</b> ?
counters Clear IPsec SA counters
entry Clear IPsec SAs by entry
map Clear IPsec SAs by map
peer Clear IPsec SA by peer
&lt;cr&gt;</pre></blockquote></li>
</ol></li>
</ol></li>
</ol><h3><a href="" name="solution06">Verify ISAKMP Lifetime</a></h3>If users are frequently disconnected across the L2L tunnel, the problem can be a shorter ISAKMP SA lifetime configured on one of the peers. If there is any discrepancy in the ISAKMP lifetime, you can receive the <b>%PIX|ASA-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision</b> error message in PIX/ASA. For FWSM, you can receive the <tt>%FWSM-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision</tt> error message. Configure the same value on both peers in order to fix it.<br />
The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point), but, with shorter lifetimes, the security appliance sets up future IPsec SAs more quickly.<br />
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime—from the policy of the remote peer—is used. If no acceptable match is found, the IKE refuses negotiation, and the IKE SA is not established.<br />
Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400 seconds (24 hours).<br />
PIX/ASA<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>isakmp policy 2 lifetime 14400</b>
</pre></blockquote>IOS Router<br />
<blockquote><pre style="font-size: 15px;">R2(config)#<b>crypto isakmp policy 10</b>
R2(config-isakmp)#<b>lifetime 86400</b>
</pre></blockquote>If the maximum configured lifetime is exceeded, you receive this error message when the VPN connection is terminated:<br />
<tt>Secure VPN Connection terminated locally by the Client. Reason 426: Maximum Configured Lifetime Exceeded</tt>.<br />
In order to resolve this error message, set the <b>lifetime</b> value to <i>0</i> in order to set the lifetime of an IKE security association to infinity. The VPN will then stay connected and will not terminate.<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<a href="http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/i3.html#wp1845527" style="color: #003399;">isakmp policy 2 lifetime 0</a>
</pre></blockquote>You can also <b>disable re-xauth in the group-policy</b> in order to resolve the issue.<br />
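The policy matching rule stated above, as an added Python example (not Cisco code): policies match when their attributes are identical and the remote lifetime is less than or equal to the compared policy's, the shorter lifetime is used, and, following the page's note for the PIX/ASA, a lifetime of 0 is treated as infinite. The policy sets and their priorities are constructed; the function also flags the lifetime discrepancy this section associates with phase 1 rekey collisions.<br />

```python
"""
ISAKMP policy matching modelled on the lifetime rule stated on this page
(added example, not Cisco code). Attributes must be identical, the remote
peer's lifetime must be <= the compared local policy's, and the shorter
lifetime is used. Lifetime 0 is treated as infinite, as the page says for
the PIX/ASA.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INFINITE = float("inf")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number is evaluated first
    encryption: str      # e.g. "3des", "aes"
    hash_alg: str        # e.g. "sha", "md5"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int        # seconds; 0 means no expiry on the PIX/ASA (page)

    def attributes(self) -> Tuple[str, str, str, int]:
        return (self.encryption, self.hash_alg, self.authentication, self.group)

    def effective_lifetime(self) -> float:
        return INFINITE if self.lifetime == 0 else float(self.lifetime)


def match_policies(local: List[IsakmpPolicy], remote: List[IsakmpPolicy]
                   ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, float]]:
    """Return (local policy, remote policy, negotiated lifetime) for the
    first acceptable pair in priority order, or None if IKE would refuse."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.attributes() != rp.attributes():
                continue
            if rp.effective_lifetime() <= lp.effective_lifetime():
                return lp, rp, rp.effective_lifetime()  # the shorter one
    return None


def lifetime_warning(local: List[IsakmpPolicy], remote: List[IsakmpPolicy]) -> Optional[str]:
    """Flag a matched pair whose configured lifetimes differ; the page
    associates that discrepancy with phase 1 rekey collisions."""
    result = match_policies(local, remote)
    if result is None:
        return "no matching ISAKMP policy; IKE refuses negotiation"
    lp, rp, negotiated = result
    if lp.effective_lifetime() != rp.effective_lifetime():
        return (f"lifetime mismatch: local {lp.lifetime}s, remote {rp.lifetime}s; "
                f"negotiated {int(negotiated)}s; configure the same value on both peers")
    return None


# Constructed policy sets for a head end and a remote peer.
LOCAL = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 86400),
         IsakmpPolicy(20, "3des", "md5", "pre-share", 1, 86400)]
REMOTE = [IsakmpPolicy(10, "3des", "md5", "pre-share", 1, 14400)]

if __name__ == "__main__":
    print(match_policies(LOCAL, REMOTE))
    print(lifetime_warning(LOCAL, REMOTE))
```

With the constructed sets the head end's second policy matches the remote proposal and the remote's 14400-second lifetime is used, but the warning shows the two sides are configured differently, which is exactly the discrepancy this section says to fix by configuring the same value on both peers.<br />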
<h3><a href="" name="solution07">Enable or Disable ISAKMP Keepalives</a></h3>Configuring ISAKMP keepalives helps prevent sporadically dropped LAN-to-LAN and Remote Access VPN tunnels (including VPN Client tunnels), as well as tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.<br />
<ul><li>Configure ISAKMP keepalives in Cisco IOS with this command:<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>crypto isakmp keepalive 15</b>
</pre></blockquote></li>
<li>Use these commands to configure ISAKMP keepalives on the PIX/ASA Security Appliances:<br />
<ul><li>Cisco PIX 6.x<br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>isakmp keepalive 15</b>
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.x and later, for the tunnel group named <b>10.165.205.222</b><br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>tunnel-group 10.165.205.222
ipsec-attributes</b>
securityappliance(config-tunnel-ipsec)#<b>isakmp keepalive
threshold 15 retry 10</b>
</pre></blockquote></li>
</ul>In some situations, it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a Firewall that prevents DPD packets.<br />
Cisco PIX/ASA 7.x and later, for the tunnel group named <b>10.165.205.222</b><br />
Disables IKE keepalive processing, which is enabled by default.<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>tunnel-group 10.165.205.222
ipsec-attributes</b>
securityappliance(config-tunnel-ipsec)#<b>isakmp keepalive</b> <b>disable</b>
</pre></blockquote><b>Disable Keepalive for Cisco VPN Client 4.x</b><br />
Choose <b>%System Root% > Program Files > Cisco Systems >VPN Client > Profiles</b> on the Client PC that experiences the issue in order to disable IKE keepalive, and edit the <b>PCF file</b> , where applicable, for the connection.<br />
Change the <b>'ForceKeepAlives=0'</b> (default) to <b>'ForceKeepAlives=1'</b>.</li>
</ul><b>Note: </b>Keepalives are Cisco proprietary and are not supported by third party devices.<br />
<h3><a href="" name="solution08">Re-Enter or Recover Pre-Shared-Keys</a></h3>In many cases, a simple typo can be to blame when an IPsec VPN tunnel does not come up. For example, on the security appliance, pre-shared keys become hidden once they are entered. This obfuscation makes it impossible to see if a key is incorrect. <b>Be certain that you have entered any pre-shared-keys correctly on each VPN endpoint.</b> Re-enter a key to be certain that it is correct; this is a simple solution that can help avoid in-depth troubleshooting.<br />
In Remote Access VPN, check that a valid group name and pre-shared key are entered in the Cisco VPN Client. You can see these errors if the group name or pre-shared key does not match between the VPN Client and the head-end device.<br />
<blockquote><pre style="font-size: 15px;">1 12:41:51.900 02/18/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
2 12:41:51.900 02/18/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed
3 14:37:50.562 10/05/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
4 14:37:50.593 10/05/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode
negotiator:(Navigator:2202)
5 14:44:15.937 10/05/06 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:888)
6 14:44:36.578 10/05/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
7 14:44:36.593 10/05/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
8 14:44:36.609 10/05/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
9 14:44:36.640 10/05/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode
negotiator:(Navigator:2202)</pre></blockquote>You can also recover a pre-shared key without any configuration changes on the PIX/ASA security appliance. Refer to <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml" style="color: #003399;">PIX/ASA 7.x: Pre-shared Key Recovery</a>.<br />
<img alt="warning" src="http://www.cisco.com/images/warning.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" /> <b>Warning: </b>If you remove crypto-related commands, you are likely to bring down one or all of your VPN tunnels. Use these commands with caution and refer to the change control policy of your organization before you follow these steps.<br />
<ul><li>Use these commands to remove and re-enter the pre-shared-key <b>secretkey</b> for the peer <b>10.0.0.1</b> or the group <b>vpngroup</b> in IOS:<br />
<ul><li>Cisco LAN-to-LAN VPN<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>no crypto isakmp key secretkey
address 10.0.0.1</b>
router(config)#<b>crypto isakmp key secretkey
address 10.0.0.1</b>
</pre></blockquote></li>
<li>Cisco Remote Access VPN<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>crypto isakmp client configuration
group vpngroup</b>
router(config-isakmp-group)#<b>no key secretkey</b>
router(config-isakmp-group)#<b>key secretkey</b>
</pre></blockquote></li>
</ul></li>
<li>Use these commands to remove and re-enter the pre-shared-key <b>secretkey</b> for the peer <b>10.0.0.1</b> on PIX/ASA Security Appliances:<br />
<ul><li>Cisco PIX 6.x<br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>no isakmp key secretkey address 10.0.0.1</b>
pix(config)#<b>isakmp key secretkey address 10.0.0.1</b>
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.x and later<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>tunnel-group 10.0.0.1
ipsec-attributes</b>
securityappliance(config-tunnel-ipsec)#<b>no pre-shared-key</b>
securityappliance(config-tunnel-ipsec)#<b>pre-shared-key
secretkey</b>
</pre></blockquote></li>
</ul></li>
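A parser for the Cisco VPN Client log format shown in this section, added here as an example (not Cisco code). It groups each header line with the message lines that follow it and flags the hash-verification and peer-authentication failures that this section attributes to a mismatched group name or pre-shared key. The sample is the first four events copied from the log above.<br />

```python
"""
Parser for the Cisco VPN Client log excerpt shown in this section (added
example, not Cisco code). Each event is a header line
'N HH:MM:SS.mmm MM/DD/YY Sev=<level>/<n> <module>/<code>' followed by one
or more message lines. Hash verification and peer authentication
failures are classified as a group name / pre-shared key problem, which
is the interpretation the page gives them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(
    r"^(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d{3})\s+(\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")

# Copied from the log shown above (first four events).
SAMPLE_LOG = """\
1 12:41:51.900 02/18/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
2 12:41:51.900 02/18/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed
3 14:37:50.562 10/05/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
4 14:37:50.593 10/05/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode
negotiator:(Navigator:2202)
"""

# Message fragments the page associates with a mismatched group name or key.
PSK_MISMATCH_MARKERS = (
    "received hash payload cannot be verified",
    "hash verification failed",
    "failed to authenticate peer",
)


@dataclass
class ClientEvent:
    seq: int
    time: str
    date: str
    severity: str
    level: int
    module: str
    code: str
    message: List[str] = field(default_factory=list)

    def text(self) -> str:
        return " ".join(self.message)


def parse_client_log(text: str) -> List[ClientEvent]:
    """Group header lines with their (possibly multi-line) messages."""
    events: List[ClientEvent] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append(ClientEvent(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), int(m.group(5)), m.group(6), m.group(7)))
        elif events and line.strip():
            events[-1].message.append(line.strip())  # continuation of the message
    return events


def psk_mismatch_events(events: List[ClientEvent]) -> List[ClientEvent]:
    return [e for e in events if e.module == "IKE"
            and any(mark in e.text().lower() for mark in PSK_MISMATCH_MARKERS)]


def diagnose(text: str) -> Optional[str]:
    """Return the checklist item to verify, or None if nothing matched."""
    hits = psk_mismatch_events(parse_client_log(text))
    if not hits:
        return None
    codes = ", ".join(sorted({e.code for e in hits}))
    return (f"{len(hits)} IKE event(s) ({codes}) indicate a hash/authentication "
            "failure: verify the group name and pre-shared key on the client and head end")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Event 4 in the sample is a follow-on error rather than an authentication failure, so it is parsed (including its wrapped second line) but not counted as evidence.<br />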
</ul><h3><a href="" name="solution09">Mismatched Pre-shared Key</a></h3>The VPN tunnel is disconnected during initiation. This issue might occur because of a mismatched pre-shared key during the phase I negotiations.<br />
The <b>MM_WAIT_MSG_6</b> message in the <b>show crypto isakmp sa</b> command indicates a mismatched pre-shared-key as shown in this example:<br />
<blockquote><pre style="font-size: 15px;">ASA#<b>show crypto isakmp sa</b>
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.7.13.20
Type : L2L Role : initiator
Rekey : no State : <b>MM_WAIT_MSG_6</b>
</pre></blockquote>In order to resolve this issue, re-enter the pre-shared key on both appliances; the pre-shared key must match on both peers. See <a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution08" style="color: #003399;">Re-Enter or Recover Pre-Shared-Keys</a> for more information.<br />
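To tie together the MM_WAIT_MSG states from this section and from Test Connectivity Properly, here is an added Python parser for <b>show crypto isakmp sa</b> output (example code, not Cisco's). It consumes the output shown above and maps each SA's main mode state to the checklist item the page names for it: MM_WAIT_MSG6 to a mismatched pre-shared key, MM_WAIT_MSG2 through MM_WAIT_MSG5 to the crypto peer or ISAKMP proposal configuration. Any peer address or state not on the page is constructed.<br />

```python
"""
Parser for 'show crypto isakmp sa' output (added example, not Cisco code).
The interpretation of the main mode states follows this page: MM_ACTIVE
means phase 1 is up, MM_WAIT_MSG6 points at a mismatched pre-shared key,
MM_WAIT_MSG2..MM_WAIT_MSG5 point at the crypto peer or ISAKMP proposal.
"""
import re
from dataclasses import dataclass
from typing import List

# Copied from the output shown above.
SAMPLE_OUTPUT = """\
ASA# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.7.13.20
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG_6
"""

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")
# The page shows both the MM_WAIT_MSG2 and the MM_WAIT_MSG_6 spellings.
MM_WAIT_RE = re.compile(r"^MM_WAIT_MSG_?(\d)$")


@dataclass
class IkeSa:
    index: int
    peer: str
    sa_type: str = ""
    role: str = ""
    rekey: str = ""
    state: str = ""


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Group the 'N IKE Peer' / Type / Rekey lines into one record per SA."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            sas.append(IkeSa(int(m.group(1)), m.group(2)))
            continue
        if not sas:
            continue  # summary lines before the first SA
        m = TYPE_RE.search(line)
        if m:
            sas[-1].sa_type, sas[-1].role = m.group(1), m.group(2)
        m = STATE_RE.search(line)
        if m:
            sas[-1].rekey, sas[-1].state = m.group(1), m.group(2)
    return sas


def diagnose(sa: IkeSa) -> str:
    """Map the main mode state to the checklist item named on this page."""
    if sa.state == "MM_ACTIVE":
        return f"peer {sa.peer}: phase 1 is up"
    m = MM_WAIT_RE.match(sa.state)
    if not m:
        return f"peer {sa.peer}: state {sa.state} not handled here"
    msg = int(m.group(1))
    if msg == 6:
        return (f"peer {sa.peer}: waiting for main mode message 6; "
                "check for a mismatched pre-shared key")
    if 2 <= msg <= 5:
        return (f"peer {sa.peer}: waiting for main mode message {msg}; "
                "check the crypto peer address and ISAKMP proposal")
    return f"peer {sa.peer}: unexpected main mode message number {msg}"


def diagnose_output(text: str) -> List[str]:
    return [diagnose(sa) for sa in parse_isakmp_sa(text)]


if __name__ == "__main__":
    for line in diagnose_output(SAMPLE_OUTPUT):
        print(line)
```

The parser only reads the fields the page's output shows, so an output with several SAs simply yields one diagnosis per peer.<br />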
<h3><a href="" name="solution10">Remove and Re-apply Crypto Maps</a></h3>When you <a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution05" style="color: #003399;">clear security associations</a> and it does not resolve an IPsec VPN issue, remove and reapply the relevant crypto map. This resolves a wide variety of issues, including intermittent dropping of the VPN tunnel and failure of some VPN sites to come up.<br />
<img alt="warning" src="http://www.cisco.com/images/warning.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" /> <b>Warning: </b>If you remove a crypto map from an interface, it <b>definitely</b> brings down any IPsec tunnels associated with that crypto map. Follow these steps with caution and consider the change control policy of your organization before you proceed.<br />
<ul><li>Use these commands to remove and replace a crypto map in Cisco IOS:<br />
Begin with the removal of the crypto map from the interface. Use the no form of the <b>crypto map</b> command.<br />
<blockquote><pre style="font-size: 15px;">router(config-if)#<b>no crypto map mymap</b>
</pre></blockquote>Continue to use the <b>no</b> form to remove an entire crypto map.<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>no crypto map mymap 10</b>
</pre></blockquote>Replace the crypto map on interface Ethernet0/0 for the peer <b>10.0.0.1</b>. This example shows the minimum required crypto map configuration:<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>crypto map mymap 10 ipsec-isakmp</b>
router(config-crypto-map)#<b>match address 101</b>
router(config-crypto-map)#<b>set transform-set mySET</b>
router(config-crypto-map)#<b>set peer 10.0.0.1</b>
router(config-crypto-map)#<b>exit</b>
router(config)#<b>interface ethernet0/0</b>
router(config-if)#<b>crypto map mymap</b>
</pre></blockquote></li>
<li>Use these commands to remove and replace a crypto map on the PIX or ASA:<br />
Begin with the removal of the crypto map from the interface. Use the no form of the <b>crypto map</b> command.<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>no crypto map mymap interface outside</b>
</pre></blockquote>Continue to use the <b>no</b> form to remove the other crypto map commands.<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>no crypto map mymap 10 match
address 101</b>
securityappliance(config)#<b>no crypto map mymap set
transform-set mySET</b>
securityappliance(config)#<b>no crypto map mymap set
peer 10.0.0.1</b>
</pre></blockquote>Replace the crypto map for the peer <b>10.0.0.1</b>. This example shows the minimum required crypto map configuration:<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>crypto map mymap 10 ipsec-isakmp</b>
securityappliance(config)#<b>crypto map mymap 10
match address 101</b>
securityappliance(config)#<b>crypto map mymap 10 set
transform-set mySET</b>
securityappliance(config)#<b>crypto map mymap 10 set
peer 10.0.0.1</b>
securityappliance(config)#<b>crypto map mymap interface outside</b>
</pre></blockquote></li>
</ul><b>Note: </b>Removing and reapplying the crypto map also resolves the connectivity issue when the IP address of the head end has changed.<br />
<h3><a href="" name="solution11">Verify that sysopt Commands are Present (PIX/ASA Only)</a></h3>The commands <b>sysopt connection permit-ipsec</b> and <b>sysopt connection permit-vpn</b> allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.<br />
In Security Appliance Software Version 7.0 and earlier, the relevant sysopt command for this situation is <b>sysopt connection permit-ipsec</b>.<br />
In Security Appliance Software Version 7.1(1) and later, the relevant sysopt command for this situation is <b>sysopt connection permit-vpn</b>.<br />
In PIX 6.x, this functionality is <b>disabled</b> by default. With PIX/ASA 7.0(1) and later, this functionality is <b>enabled</b> by default. Use these show commands to determine if the relevant <b>sysopt</b> command is enabled on your device:<br />
<ul><li>Cisco PIX 6.x<br />
<blockquote><pre style="font-size: 15px;">pix# <b>show sysopt</b>
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
<b>no sysopt connection permit-ipsec</b>
<i>
<span style="color: blue;">!--- sysopt connection permit-ipsec is disabled</span>
</i>
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.x<br />
<blockquote><pre style="font-size: 15px;">securityappliance# <b>show running-config sysopt</b>
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
<b>sysopt connection permit-vpn</b>
<i>
<span style="color: blue;">!--- sysopt connection permit-vpn is enabled
!--- This device is running 7.2(2)</span>
</i>
</pre></blockquote></li>
</ul>Use these commands in order to enable the correct <b>sysopt</b> command for your device:<br />
<ul><li>Cisco PIX 6.x and PIX/ASA 7.0<br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>sysopt connection permit-ipsec</b>
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.1(1) and later<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>sysopt connection permit-vpn</b>
</pre></blockquote></li>
</ul><b>Note: </b>If you do not wish to use the <b>sysopt connection</b> command, you must explicitly permit the required traffic in the outside ACL: the interesting traffic from source to destination (for example, from the LAN of the remote device to the LAN of the local device) and UDP port 500 from the outside interface of the remote device to the outside interface of the local device.<br />
<h3><a href="" name="solution12">Verify the ISAKMP Identity</a></h3>If the IPsec VPN tunnel has failed within the IKE negotiation, the failure can be because either the PIX or its peer is unable to recognize the identity of the other. When two peers use IKE to establish IPsec security associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or its host name, depending on how each has its ISAKMP identity set. By default, the ISAKMP identity of the PIX Firewall unit is set to the IP address. As a general rule, set the identities of the security appliance and its peers in the same way to avoid an IKE negotiation failure.<br />
In order to set the Phase 2 ID to be sent to the peer, use the <b>isakmp identity</b> command in global configuration mode.<br />
<blockquote><pre style="font-size: 15px;">crypto isakmp identity address
<i>
<span style="color: blue;">!--- If the RA or L2L (site-to-site) VPN tunnels connect
!--- with pre-shared key as authentication type</span>
</i>
</pre></blockquote>OR<br />
<blockquote><pre style="font-size: 15px;">crypto isakmp identity auto
<i>
<span style="color: blue;">!--- If the RA or L2L (site-to-site) VPN tunnels connect
!--- with ISAKMP negotiation by connection type; IP address for
!--- preshared key or cert DN for certificate authentication.</span>
</i>
</pre></blockquote>OR<br />
<blockquote><pre style="font-size: 15px;">crypto isakmp identity hostname
<i>
<span style="color: blue;">!--- Uses the fully-qualified domain name of
!--- the host exchanging ISAKMP identity information (default).
!--- This name comprises the hostname and the domain name.</span>
</i>
</pre></blockquote>The VPN tunnel fails to come up after the configuration is moved from a PIX to an ASA with the PIX/ASA configuration migration tool, and these messages appear in the log:<br />
<blockquote><pre style="font-size: 15px;">[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Stale PeerTblEntry found, removing!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!</pre></blockquote>
This issue happens because the PIX by default identifies the connection by <b>hostname</b>, whereas the ASA identifies it by <b>IP</b> address. In order to resolve this issue, use the <b>crypto isakmp identity</b> command in global configuration mode as shown here:<br />
<blockquote><pre style="font-size: 15px;"><b>crypto isakmp identity <i>hostname</i>
</b>
<i>
<span style="color: blue;">!--- Use the fully-qualified domain name of
!--- the host exchanging ISAKMP identity information (default).
!--- This name comprises the hostname and the domain name.</span>
</i>
</pre></blockquote><b>Note: </b>The <b>isakmp identity</b> command was deprecated in software version 7.2(1). Refer to the <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2069059" style="color: #003399;">Cisco Security Appliance Command Reference, Version 7.2</a> for more information.<br />
<h3><a href="" name="solution13">Verify Idle/Session Timeout</a></h3>If the idle timeout is set to 30 minutes (the default), the tunnel is dropped after 30 minutes in which no traffic passes through it. The VPN client is disconnected after 30 minutes regardless of the idle timeout setting and encounters the <tt>PEER_DELETE-IKE_DELETE_UNSPECIFIED</tt> error.<br />
Configure <b>idle timeout</b> and <b>session timeout</b> as <b>none</b> so that the tunnel always stays <b>up</b> and is never dropped.<br />
<b>PIX/ASA 7.x and later</b><br />
Enter the <b>vpn-idle-timeout</b> command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>group-policy DfltGrpPolicy attributes</b>
hostname(config-group-policy)#<b>vpn-idle-timeout none</b>
</pre></blockquote>Configure a maximum amount of time for VPN connections with the <b>vpn-session-timeout</b> command in group-policy configuration mode or in username configuration mode:<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>group-policy DfltGrpPolicy attributes</b>
hostname(config-group-policy)#<b>vpn-session-timeout none</b>
</pre></blockquote><b>Note: </b>When you have <b>tunnel-all</b> configured, you do not need to configure <b>idle-timeout</b>: even if you configure a VPN idle timeout it does not take effect, because all traffic goes through the tunnel (since tunnel-all is configured). Therefore all traffic, even traffic generated by the PC itself, counts as interesting traffic and the idle timeout never comes into action.<br />
<b>Cisco IOS Router</b><br />
Use the <b>crypto ipsec security-association idle-time</b> command in global configuration mode or crypto map configuration mode in order to configure the IPsec SA idle timer. By default IPsec SA idle timers are disabled.<br />
<blockquote><pre style="font-size: 15px;"><b>crypto ipsec security-association idle-time </b>
<i>seconds </i>
</pre></blockquote>The <i>seconds</i> argument is the time the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.<br />
<h3><a href="" name="solution14">Verify that ACLs are Correct and Bound to the Crypto Map</a></h3>There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt; this is a crypto ACL in a LAN-to-LAN setup or a split-tunneling ACL in a Remote Access configuration. When these ACLs are incorrectly configured or missing, traffic might only flow in one direction across the VPN tunnel, or it might not be sent across the tunnel at all.<br />
<b>Note: </b>Make sure to bind the crypto ACL to the crypto map by using the <a href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238243" style="color: #003399;"><b>crypto map match address</b></a> command in global configuration mode.<br />
Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. This list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.<br />
<ul><li>Make sure that your NAT Exemption and crypto ACLs specify the correct traffic.</li>
<li>If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.<br />
<b>Note: </b>On VPN concentrator, you might see a log like this:<br />
<tt>Tunnel Rejected: IKE peer does not match remote peer as defined in L2L policy</tt><br />
In order to avoid this message and in order to bring the tunnel up, make sure that the crypto ACLs do not overlap and the same interesting traffic is not used by any other configured VPN tunnel.</li>
<li>Do not use ACLs twice. Even if your NAT Exemption ACL and crypto ACL specify the same traffic, use two different access lists.</li>
<li>For a remote access configuration, do not use an access list for interesting traffic with the dynamic crypto map. This can cause the VPN client to be unable to connect to the head-end device. If you mistakenly configured a crypto ACL for the remote access VPN, you can get the <tt>%ASA-3-713042: IKE Initiator unable to find policy: Intf 2</tt> error message.<br />
<b>Note: </b>If this is a site-to-site VPN tunnel, make sure to match the access list with the peer. On the peer it must be the mirror image, with source and destination reversed.<br />
Refer to <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#configs" style="color: #003399;">PIX/ASA 7.x and Cisco VPN Client 4.x with Windows 2003 IAS RADIUS (Against Active Directory) Authentication Configuration Example</a> for a sample configuration that shows how to set up the remote access VPN connection between a Cisco VPN Client and the PIX/ASA.</li>
<li>Make sure that your device is configured to use the NAT Exemption ACL. On a router, this means that you use the <b>route-map</b> command. On the PIX or ASA, this means that you use the <b>nat (0)</b> command. A NAT exemption ACL is required for both LAN-to-LAN and Remote Access configurations.<br />
<ul><li>Here, an IOS router is configured to exempt traffic that is sent between <b>192.168.100.0 /24</b> and <b>192.168.200.0 /24</b> or <b>192.168.1.0 /24</b> from NAT. Traffic destined for anywhere else is subject to NAT overload:<br />
<blockquote><pre style="font-size: 15px;">access-list 110 deny ip 192.168.100.0 0.0.0.255
192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255
192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
route-map nonat permit 10
match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload</pre></blockquote></li>
<li>Here, a PIX is configured to exempt traffic that is sent between <b>192.168.100.0 /24</b> and <b>192.168.200.0 /24</b> or <b>192.168.1.0 /24</b> from NAT. All other traffic is subject to NAT overload:<br />
<blockquote><pre style="font-size: 15px;">access-list <b>noNAT</b> extended permit ip 192.168.100.0
255.255.255.0 192.168.200.0 255.255.255.0
access-list <b>noNAT</b> extended permit ip 192.168.100.0
255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list <b>noNAT</b>
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface</pre></blockquote><b>Note: </b>NAT exemption ACLs work only with IP addresses or IP networks, such as in the example shown (access-list noNAT), and must be identical to the crypto map ACLs. NAT exemption ACLs do not work with port numbers (for instance, 23, 25, and so on).<br />
<b>Note: </b>In a VoIP environment where voice calls between networks traverse the VPN, the voice calls do not work if the NAT 0 ACLs are not configured properly. Before going deep into VoIP troubleshooting, check the VPN connectivity status, because the problem could be a misconfiguration of the NAT exempt ACLs.<br />
<b>Note: </b>You can get the error messages shown here if there is a misconfiguration in the NAT exemption (nat 0) ACLs.<br />
<blockquote><pre style="font-size: 15px;">%PIX-3-305005: <b>No translation group</b>
found for icmp src outside:192.168.100.41 dst
inside:192.168.200.253 (type 8, code 0)
</pre></blockquote><blockquote><pre style="font-size: 15px;">%ASA-3-305005: No translation group found for
udp src Outside:x.x.x.x/p dst Inside:y.y.y.y/p</pre></blockquote><b>Note: </b> <b>Incorrect Example:</b><br />
<blockquote><pre style="font-size: 15px;">access-list noNAT extended permit ip 192.168.100.0
255.255.255.0 192.168.200.0 255.255.255.0 <b>eq 25</b>
</pre></blockquote>If NAT exemption (nat 0) does not work, remove the <b>nat 0</b> command and enter it again.</li>
</ul></li>
<li>Make sure that your ACLs are not backwards and that they are the right type.<br />
<ul><li>Crypto and NAT exemption ACLs for LAN-to-LAN configurations must be written from the perspective of the device on which the ACL is configured. This means that the ACLs must <b>mirror</b> each other. In this example, a LAN-to-LAN tunnel is set up between <b>192.168.100.0 /24</b> and <b>192.168.200.0 /24</b>.<br />
<img alt="common_ipsec_trouble-1.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-1.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
Router A crypto ACL<br />
<blockquote><pre style="font-size: 15px;">access-list 110 permit ip 192.168.100.0 0.0.0.255
192.168.200.0 0.0.0.255</pre></blockquote>Router B crypto ACL<br />
<blockquote><pre style="font-size: 15px;">access-list 110 permit ip 192.168.200.0 0.0.0.255
192.168.100.0 0.0.0.255</pre></blockquote><b>Note: </b>Although it is not illustrated here, this same concept applies to the PIX and ASA Security Appliances, as well.</li>
<li>In PIX/ASA, split-tunnel ACLs for Remote Access configurations must be <b>standard</b> access lists that permit traffic to the networks to which the VPN clients need access. IOS routers can use an extended ACL for split tunneling.<br />
<b>Note: </b>In an extended access list, using <b>'any'</b> as the source in the split-tunneling ACL is equivalent to disabling split tunneling. Use only the source networks in the extended ACL for split tunneling.<br />
<b>Note: </b> <b>Correct Example:</b><br />
<blockquote><pre style="font-size: 15px;">access-list 140 permit ip <b>10.1.0.0 0.0.255.255</b> 10.18.0.0 0.0.255.255</pre></blockquote><b>Note: </b> <b>Incorrect Example:</b><br />
<blockquote><pre style="font-size: 15px;">access-list 140 permit ip <b>any</b> 10.18.0.0 0.0.255.255</pre></blockquote><img alt="common_ipsec_trouble-2.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-2.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
<ul><li>Cisco IOS<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>access-list 10 permit 192.168.100.0 0.0.0.255</b>
router(config)#<b>crypto isakmp client configuration group MYGROUP</b>
router(config-isakmp-group)#<b>acl 10</b>
</pre></blockquote></li>
<li>Cisco PIX 6.x<br />
<blockquote><pre style="font-size: 15px;">pix(config)#<b>access-list 10 permit</b> 192.168.100.0
255.255.255.0
pix(config)#<b>vpngroup MYGROUP split-tunnel 10</b>
</pre></blockquote></li>
<li>Cisco PIX/ASA 7.x<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>access-list 10 standard
permit 192.168.100.0 255.255.255.0</b>
securityappliance(config)#<b>group-policy MYPOLICY internal</b>
securityappliance(config)#<b>group-policy MYPOLICY attributes</b>
securityappliance(config-group-policy)#<b>split-tunnel-policy
tunnelspecified</b>
securityappliance(config-group-policy)#<b>split-tunnel-network-list
value 10</b>
</pre></blockquote></li>
</ul></li>
</ul></li>
</ul>This error occurs on ASA 8.3 if the NO NAT ACL is misconfigured or not configured on the ASA:<br />
<tt>%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: x.x.x.x/xxxxx dst inside:x.x.x.x/xx denied due to NAT reverse path failure</tt><br />
To resolve this issue, verify that the configuration is correct, or reconfigure it if the settings are incorrect.<br />
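As an added example (not part of the original document), here is a small Python checker that parses IOS (wildcard-mask) and PIX/ASA (netmask) <b>ip</b> access lists and applies the rules above: L2L crypto ACLs must mirror each other, crypto ACLs of different tunnels must not overlap, the NAT exemption ACL must match the crypto ACL and carry no port qualifiers, and an extended split-tunnel ACL must not use <b>any</b> as source. All ACL text below is constructed sample data.

```python
import ipaddress

# Constructed sample ACLs (not taken from any real device).
ROUTER_A_CRYPTO = "access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255"
ROUTER_B_CRYPTO = "access-list 110 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255"
ROUTER_B_WRONG = ROUTER_A_CRYPTO  # copied verbatim instead of mirrored
HUB_TUNNEL_2 = "access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255"
ASA_CRYPTO = ("access-list cryptoACL extended permit ip 192.168.100.0 255.255.255.0 "
              "192.168.200.0 255.255.255.0")
ASA_NONAT_OK = ("access-list noNAT extended permit ip 192.168.100.0 255.255.255.0 "
                "192.168.200.0 255.255.255.0")
ASA_NONAT_BAD = ASA_NONAT_OK + " eq 25"   # port qualifier, as in the 'Incorrect Example'
SPLIT_BAD = "access-list 140 permit ip any 10.18.0.0 0.0.255.255"


def _take_addr(tok, i, style):
    """Consume one address spec at tok[i]; return (IPv4Network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    addr, mask = tok[i], tok[i + 1]
    if style == "ios":  # IOS uses wildcard masks: invert the bits to get a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, style):
    """Return [(action, src, dst, trailing_tokens)] for every 'ip' ACE.
    style is 'ios'  (access-list N permit ip ...) or
             'asa'  (access-list NAME extended permit ip ...).
    Non-ip ACEs (tcp/udp) are skipped; VPN interesting traffic is defined with ip."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        i = 3 if style == "asa" else 2          # index of permit/deny
        if tok[i + 1] != "ip":
            continue
        src, j = _take_addr(tok, i + 2, style)
        dst, j = _take_addr(tok, j, style)
        aces.append((tok[i], src, dst, tok[j:]))
    return aces


def _permits(text, style):
    return {(s, d) for a, s, d, _ in parse_acl(text, style) if a == "permit"}


def mirrors(local_text, remote_text, style):
    """L2L crypto ACLs must mirror each other: every (src, dst) permitted on
    one side must appear as (dst, src) on the other."""
    return _permits(local_text, style) == {(d, s) for s, d in _permits(remote_text, style)}


def overlapping_tunnels(acl_texts, style):
    """Interesting traffic must not be claimed by two tunnels on one device.
    Returns index pairs of ACLs whose permit entries overlap in src AND dst."""
    flows = [(i, s, d) for i, t in enumerate(acl_texts) for s, d in _permits(t, style)]
    return sorted({(i, j) for i, s1, d1 in flows for j, s2, d2 in flows
                   if i < j and s1.overlaps(s2) and d1.overlaps(d2)})


def nat_exempt_problems(nonat_text, crypto_text, style):
    """The NAT exemption (nat 0) ACL must name exactly the crypto ACL's
    networks and must not carry port qualifiers such as 'eq 25'."""
    problems = []
    for _, _, _, extra in parse_acl(nonat_text, style):
        if extra:
            problems.append("qualifier not allowed in NAT exemption ACE: " + " ".join(extra))
    if _permits(nonat_text, style) != _permits(crypto_text, style):
        problems.append("NAT exemption ACL does not match the crypto ACL")
    return problems


def split_tunnel_disables_itself(acl_text):
    """An extended split-tunnel ACL with 'any' as source behaves like no split
    tunneling at all (IOS wildcard style, as in the examples above)."""
    return any(s == ipaddress.IPv4Network("0.0.0.0/0") for s, _ in _permits(acl_text, "ios"))


if __name__ == "__main__":
    print("A/B mirror:", mirrors(ROUTER_A_CRYPTO, ROUTER_B_CRYPTO, "ios"))
    print("A/B(wrong) mirror:", mirrors(ROUTER_A_CRYPTO, ROUTER_B_WRONG, "ios"))
    print("overlapping tunnels:", overlapping_tunnels([ROUTER_A_CRYPTO, HUB_TUNNEL_2], "ios"))
    print("nat 0 problems:", nat_exempt_problems(ASA_NONAT_BAD, ASA_CRYPTO, "asa"))
    print("split-tunnel 'any':", split_tunnel_disables_itself(SPLIT_BAD))
```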
<h3><a href="" name="solution15">Verify the ISAKMP Policies</a></h3>If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.<br />
If the Cisco VPN Clients or the site-to-site VPN are not able to establish the tunnel with the remote-end device, check that <b>the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values</b> and that the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.<br />
<blockquote><pre style="font-size: 15px;">"Error: Unable to remove Peer TblEntry, Removing peer from peer table
failed, no match!"</pre></blockquote>Here is the detailed log message:<br />
<blockquote><pre style="font-size: 15px;">4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed,
no match!
3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted
NO_PROPOSAL_CHOSEN notify message, dropping</pre></blockquote>This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.<br />
In addition, this message appears:<br />
<blockquote><pre style="font-size: 15px;">Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when
P1 SA is complete.</pre></blockquote>This message indicates that Phase 2 (KEY-ACQUIRE) messages are being queued to be processed once Phase 1 completes. This error message might be due to one of these reasons:<br />
<ul><li>Mismatch in phase on any of the peers</li>
<li>ACL is blocking the peers from completing phase 1</li>
</ul>This message usually comes after the <tt>Removing peer from peer table failed, no match!</tt> error message.<br />
If the Cisco VPN Client is unable to connect to the head-end device, the problem can be a mismatch of ISAKMP policy. The head-end device must match one of the <a href="http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/guide/vcAch8.html#wp1157757" style="color: #003399;">IKE Proposals</a> of the Cisco VPN Client.<br />
<b>Note: </b>For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.<br />
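As an added example (not from the original document), this Python snippet parses <b>crypto isakmp policy</b> blocks from two peers and applies the matching rule stated above: parameters must be identical, the responder's lifetime must be less than or equal to the one the initiator sent, and the shorter lifetime is used; it also flags the DES/SHA combination the VPN Client cannot use. The policy text is constructed, and the lifetime default of 86400 seconds is an assumption used when the line is omitted.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample configurations (not from any real device).
ASA_POLICIES = """
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
"""
PEER_POLICIES = """
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
"""
CLIENT_DES_SHA = """
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 2
"""


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str        # des, 3des, aes ...
    hash_alg: str          # md5 or sha
    authentication: str    # pre-share or rsa-sig
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds; assumed default when the line is omitted

    def parameters(self):
        """The four values that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def parse_isakmp_policies(text):
    """Parse 'crypto isakmp policy N' blocks into IsakmpPolicy objects."""
    policies, fields = [], None
    for line in text.strip().splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            if fields:
                policies.append(IsakmpPolicy(**fields))
            fields = {"priority": int(m.group(1))}
            continue
        key, _, value = line.strip().partition(" ")
        if key in ("encryption", "authentication"):
            fields[key] = value
        elif key == "hash":
            fields["hash_alg"] = value
        elif key in ("group", "lifetime"):
            fields[key] = int(value)
    if fields:
        policies.append(IsakmpPolicy(**fields))
    return policies


def negotiate(initiator, responder):
    """Matching rule as stated in the text: the responder walks its own policies
    in priority order and accepts the first initiator proposal whose encryption,
    hash, authentication and DH group are identical and whose lifetime is >= the
    responder's own; the shorter lifetime is then used.
    Returns the agreed policy, or None (the peer answers NO_PROPOSAL_CHOSEN)."""
    for resp in sorted(responder, key=lambda p: p.priority):
        for prop in initiator:
            if prop.parameters() == resp.parameters() and resp.lifetime <= prop.lifetime:
                return replace(resp, lifetime=min(resp.lifetime, prop.lifetime))
    return None


def vpn_client_usable(policy):
    """The Cisco VPN Client cannot use DES together with SHA (see the note above)."""
    return not (policy.encryption == "des" and policy.hash_alg == "sha")


if __name__ == "__main__":
    asa, peer = parse_isakmp_policies(ASA_POLICIES), parse_isakmp_policies(PEER_POLICIES)
    print("peer -> ASA agreed:", negotiate(peer, asa))
    print("ASA -> peer agreed:", negotiate(asa, peer))
    print("DES/SHA usable by VPN Client:", vpn_client_usable(parse_isakmp_policies(CLIENT_DES_SHA)[0]))
```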
<h3><a href="" name="solution16">Verify that Routing is Correct</a></h3>Routing is a critical part of almost every IPsec VPN deployment. Be certain that your encryption devices such as Routers and PIX or ASA Security Appliances have the proper routing information to send traffic over your VPN tunnel. Moreover, if other routers exist behind your gateway device, be sure that those routers know how to reach the tunnel and what networks are on the other side.<br />
One key component of routing in a VPN deployment is Reverse Route Injection (RRI). RRI places dynamic entries for remote networks or VPN clients in the routing table of a VPN gateway. These routes are useful to the device on which they are installed, as well as to other devices in the network because routes installed by RRI can be redistributed through a routing protocol such as EIGRP or OSPF.<br />
<ul><li>In a LAN-to-LAN configuration, it is important for each endpoint to have a route or routes to the networks for which it is supposed to encrypt traffic. In this example, Router A must have routes to the networks behind Router B through <b>10.89.129.2</b>. Router B must have a similar route to <b>192.168.100.0 /24</b>:<br />
<img alt="common_ipsec_trouble-3.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-3.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
<ul><li>The first way to ensure that each router knows the appropriate route(s) is to configure static routes for each destination network. For example, Router A can have these route statements configured:<br />
<blockquote><pre style="font-size: 15px;">ip route 0.0.0.0 0.0.0.0 172.22.1.1
ip route 192.168.200.0 255.255.255.0 10.89.129.2
ip route 192.168.210.0 255.255.255.0 10.89.129.2
ip route 192.168.220.0 255.255.255.0 10.89.129.2
ip route 192.168.230.0 255.255.255.0 10.89.129.2</pre></blockquote>If Router A was replaced with a PIX or ASA, the configuration can look like this:<br />
<blockquote><pre style="font-size: 15px;">route outside 0.0.0.0 0.0.0.0 172.22.1.1
route outside 192.168.200.0 255.255.255.0 10.89.129.2
route outside 192.168.210.0 255.255.255.0 10.89.129.2
route outside 192.168.220.0 255.255.255.0 10.89.129.2
route outside 192.168.230.0 255.255.255.0 10.89.129.2</pre></blockquote></li>
<li>If a large number of networks exists behind each endpoint, the configuration of static routes becomes difficult to maintain. Instead, it is recommended that you use Reverse Route Injection, as described. RRI places into the routing table routes for all of the remote networks listed in the crypto ACL. For example, the crypto ACL and crypto map of Router A can look like this:<br />
<blockquote><pre style="font-size: 15px;">access-list 110 permit ip 192.168.100.0 0.0.0.255
192.168.200.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255
192.168.210.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255
192.168.220.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255
192.168.230.0 0.0.0.255
crypto map myMAP 10 ipsec-isakmp
set peer 10.89.129.2
<b>reverse-route</b>
set transform-set mySET
match address 110</pre></blockquote>If Router A was replaced by a PIX or ASA, the configuration can look like this:<br />
<blockquote><pre style="font-size: 15px;">access-list cryptoACL extended permit ip 192.168.100.0
255.255.255.0 192.168.200.0 255.255.255.0
access-list cryptoACL extended permit ip 192.168.100.0
255.255.255.0 192.168.210.0 255.255.255.0
access-list cryptoACL extended permit ip 192.168.100.0
255.255.255.0 192.168.220.0 255.255.255.0
access-list cryptoACL extended permit ip 192.168.100.0
255.255.255.0 192.168.230.0 255.255.255.0
crypto map myMAP 10 match address cryptoACL
crypto map myMAP 10 set peer 10.89.129.2
crypto map myMAP 10 set transform-set mySET
<b>crypto map myMAP 10 set reverse-route</b>
</pre></blockquote></li>
</ul></li>
<li>In a Remote Access configuration, routing changes are not always necessary. Yet, if other routers exist behind the VPN gateway router or Security Appliance, those routers need to learn the path to the VPN clients somehow. In this example, suppose that the VPN clients are given addresses in the range of <b>10.0.0.0 /24</b> when they connect.<br />
<img alt="common_ipsec_trouble-4.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-4.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
If no routing protocol is in use between the gateway and the other router(s), static routes can be used on routers such as Router 2:<br />
<blockquote><pre style="font-size: 15px;">ip route 10.0.0.0 255.255.255.0 192.168.100.1</pre></blockquote>If a routing protocol such as EIGRP or OSPF is in use between the gateway and other routers, it is recommended that Reverse Route Injection be used as described. RRI automatically adds routes for the VPN client to the routing table of the gateway. These routes can then be distributed to the other routers in the network.<br />
<ul><li>Cisco IOS Router:<br />
<blockquote><pre style="font-size: 15px;">crypto dynamic-map dynMAP 10
set transform-set mySET
<b>reverse-route</b>
crypto map myMAP 60000 ipsec-isakmp dynamic dynMAP</pre></blockquote></li>
<li>Cisco PIX or ASA Security Appliance:<br />
<blockquote><pre style="font-size: 15px;">crypto dynamic-map dynMAP 10 set transform-set mySET
<b>crypto dynamic-map dynMAP 10 set reverse-route</b>
crypto map myMAP 60000 ipsec-isakmp dynamic dynMAP</pre></blockquote></li>
</ul></li>
</ul><b>Note: </b>The routing issue occurs if the pool of IP addresses assigned to the VPN clients overlaps with the internal networks of the head-end device. For further information, refer to the <a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap" style="color: #003399;">Overlapping Private Networks</a> section.<br />
<h3><a href="" name="solution17">Verify that Transform-Set is Correct</a></h3>Make sure that the IPsec encryption and hash algorithms to be used by the transform set on the both ends are the same. Refer to the <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064589" style="color: #003399;">Command reference</a> section of the Cisco Security Appliance configuration guide for more information.<br />
<b>Note: </b>For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.<br />
<h3><a href="" name="solution18">Verify Crypto Map Sequence Numbers and Name and also that the Crypto Map is Applied to the Interface on which the IPsec Tunnel Starts/Ends</a></h3>If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry <b>must be</b> higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs shown here appear.<br />
<blockquote><pre style="font-size: 15px;">[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!</pre></blockquote><b>Note: </b>Only one Dynamic Crypto-map is allowed for each interface in the Security Appliance.<br />
Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note that the dynamic entry has the highest sequence number and room has been left to add additional static entries:<br />
<blockquote><pre style="font-size: 15px;">crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
<b>crypto map mymap 60000 ipsec-isakmp dynamic cisco</b>
</pre></blockquote><b>Note: </b>Crypto map names are case-sensitive.<br />
<b>Note: </b>This error message can also be seen when the dynamic crypto map sequence number is not correct, which causes the peer to hit the wrong crypto map entry: <tt>%ASA-3-713042: IKE Initiator unable to find policy:</tt><br />
In scenarios where multiple VPN tunnels terminate on the same interface, you need to create crypto map entries with the same name (only one crypto map is allowed per interface) but with different sequence numbers. This holds true for the router, PIX, and ASA.<br />
Refer to <a href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml#configs" style="color: #003399;">Configuring IPsec Between Hub and Remote PIXes with VPN Client and Extended Authentication</a> to learn more about the hub PIX configuration for the same crypto map with different sequence numbers on the same interface. Similarly, refer to <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml#newtunnel" style="color: #003399;">PIX/ASA 7.X: Add a New Tunnel or Remote Access to an Existing L2L VPN</a> to learn more about the crypto map configuration for both L2L and Remote Access VPN scenarios.<br />
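As an added example, not from the original document, this Python audit applies the rules above to <b>crypto map</b> lines: the dynamic entry must carry the highest sequence number, only one dynamic entry is allowed per map, names are case-sensitive, and a map that is never applied to an interface does nothing. The configuration fragments are constructed; one of them contains two names that differ only by case.

```python
import re

# Constructed sample crypto map fragments (not from any real device).
GOOD_MAP = """
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap 60000 ipsec-isakmp dynamic cisco
"""
# Dynamic entry numbered below a static one: the static peer hits the dynamic entry.
BAD_ORDER = """
crypto map mymap 10 ipsec-isakmp dynamic cisco
crypto map mymap 20 match address 100
crypto map mymap 20 set peer 172.16.77.10
crypto map mymap interface outside
"""
# Names differ only by case, so the reverse-route line creates a second, unbound map.
CASE_SLIP = """
crypto map myMAP 10 match address cryptoACL
crypto map myMAP 10 set peer 10.89.129.2
crypto map mymap 10 set reverse-route
crypto map myMAP interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def audit_crypto_maps(config_text):
    """Return a list of findings for the crypto map lines in config_text.
    Rules checked (from the text above):
    - the dynamic entry's sequence number must be higher than every static entry
    - only one dynamic entry is allowed per crypto map (one map per interface)
    - names are case-sensitive, so near-duplicates are almost certainly typos
    - a map that is never applied to an interface does nothing
    An empty list means the configuration passes."""
    entries = {}     # map name -> {sequence number: is_dynamic}
    bound = {}       # map name -> interface it is applied to
    for line in config_text.strip().splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                       # dynamic-map definitions and other lines
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        seqs = entries.setdefault(name, {})
        seqs[seq] = seqs.get(seq, False) or rest.startswith("ipsec-isakmp dynamic ")
    findings = []
    by_lower = {}
    for name in set(entries) | set(bound):
        by_lower.setdefault(name.lower(), set()).add(name)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append("map names differ only by case: " + ", ".join(sorted(variants)))
    for name, seqs in sorted(entries.items()):
        dynamic = sorted(s for s, d in seqs.items() if d)
        static = sorted(s for s, d in seqs.items() if not d)
        if len(dynamic) > 1:
            findings.append(f"{name}: more than one dynamic entry {dynamic}")
        for d in dynamic:
            above = [s for s in static if s > d]
            if above:
                findings.append(f"{name}: static entries {above} are numbered above dynamic entry {d}")
        if name not in bound:
            findings.append(f"{name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_MAP), ("bad order", BAD_ORDER), ("case slip", CASE_SLIP)):
        print(label, "->", audit_crypto_maps(cfg) or "OK")
```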
<h3><a href="" name="solution19">Verify the Peer IP Address is Correct</a></h3>For a PIX/ASA Security Appliance 7.x LAN-to-LAN (L2L) IPsec VPN configuration, you must specify the <b>remote peer IP address</b> (remote tunnel end) as the <b>&lt;name&gt;</b> of the tunnel group in the <b>tunnel-group &lt;name&gt; type ipsec-l2l</b> command, which creates and manages the database of connection-specific records for IPsec. The peer IP address must match in the <b>tunnel-group</b> name and in the <b>crypto map set peer</b> command. When you configure the VPN with ASDM, it generates the tunnel group name automatically with the right peer IP address. If the peer IP address is not configured properly, the logs can contain this message, which is resolved by proper configuration of the <b>peer IP address</b>.<br />
<blockquote><pre style="font-size: 15px;">[IKEv1]: Group = DefaultL2LGroup, IP = x.x.x.x,
ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting</pre></blockquote>In PIX 6.x LAN-to-LAN (L2L) IPsec VPN configuration, the Peer IP address (remote tunnel end) must match <b>isakmp key address</b> and the <b>set peer</b> command in crypto map for a successful IPsec VPN connection.<br />
When the peer IP address has not been configured properly in the ASA crypto configuration, the ASA is not able to establish the VPN tunnel and hangs in the <i>MM_WAIT_MSG4</i> stage. In order to resolve this issue, correct the peer IP address in the configuration.<br />
Here is the output of the <b>show crypto isakmp sa</b> command when the VPN tunnel hangs in the MM_WAIT_MSG4 state:<br />
<blockquote><pre style="font-size: 15px;">hostname#<b>show crypto isakmp sa</b>
1 IKE Peer: XX.XX.XX.XX
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG4</pre></blockquote><h3><a href="" name="solution20">Verify the Tunnel Group and Group Names</a></h3><blockquote><pre style="font-size: 15px;">%PIX|ASA-3-713206: Tunnel Rejected: Conflicting protocols specified by
tunnel-group and group-policy</pre></blockquote>This message appears when a tunnel is dropped because the tunnel protocol allowed in the group policy differs from the tunnel protocol allowed in the tunnel-group configuration.<br />
<blockquote><pre style="font-size: 15px;">group-policy hf_group_policy attributes
vpn-tunnel-protocol l2tp-ipsec
username hfremote attributes
vpn-tunnel-protocol l2tp-ipsec
<b>Both lines should read:</b>
vpn-tunnel-protocol ipsec l2tp-ipsec</pre></blockquote>Enable IPsec in the default group policy alongside the protocols already configured there:<br />
<blockquote><pre style="font-size: 15px;">group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol L2TP-IPSec IPSec webvpn</pre></blockquote><h3><a href="" name="solution21">Disable XAUTH for L2L Peers</a></h3>If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails with "<b><i>CONF_XAUTH</i></b> " in the output of the <b>show crypto isakmp sa</b> command.<br />
Here is an example of the SA output:<br />
<blockquote><pre style="font-size: 15px;">Router#<b>show crypto isakmp sa</b>
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
X.X.X.X Y.Y.Y.Y CONF_XAUTH 10223 0 ACTIVE
X.X.X.X Z.Z.Z.Z CONF_XAUTH 10197 0 ACTIVE</pre></blockquote><b>Note: </b>This issue only applies to Cisco IOS and PIX 6.x; PIX/ASA 7.x is not affected because it uses tunnel-groups.<br />
Use the <b>no-xauth</b> keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:<br />
<blockquote><pre style="font-size: 15px;">router(config)#<b>crypto isakmp key cisco123 address
172.22.1.164 no-xauth</b>
</pre></blockquote>In the scenario where the PIX/ASA 7.x acts as the Easy VPN server, the Easy VPN client is unable to connect to the head end because of the XAUTH issue. Disable user authentication on the PIX/ASA in order to resolve the issue, as shown:<br />
<blockquote><pre style="font-size: 15px;">ASA(config)#<b>tunnel-group example-group type ipsec-ra</b>
ASA(config)#<b>tunnel-group example-group ipsec-attributes</b>
ASA(config-tunnel-ipsec)#<b>isakmp ikev1-user-authentication none</b>
</pre></blockquote>See the <a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#mis" style="color: #003399;">Miscellaneous</a> section of this document in order to know more about the <b>isakmp ikev1-user-authentication</b> command.<br />
<h3><a href="" name="Solution22">VPN Pool Getting Exhausted</a></h3>When the range of IP addresses assigned to the VPN pool is not sufficient, you can extend the availability of IP addresses in two ways:<br />
<ol type="1"><li>Remove the existing range, and define the new range. Here is an example:<br />
<blockquote><pre style="font-size: 15px;">CiscoASA(config)#<b>no ip local pool testvpnpool 10.76.41.1-10.76.41.254</b>
CiscoASA(config)#<b>ip local pool testvpnpool 10.76.41.1-10.76.42.254</b>
</pre></blockquote></li>
<li>When discontiguous subnets are to be added to the VPN pool, you can define two separate VPN pools and then specify them in order under the "<a href="http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/t.html#wp1535435" style="color: #003399;">tunnel-group attributes</a>". Here is an example:<br />
<blockquote><pre style="font-size: 15px;">CiscoASA(config)#<b>ip local pool testvpnpoolAB 10.76.41.1-10.76.42.254</b>
CiscoASA(config)#<b>ip local pool testvpnpoolCD 10.76.45.1-10.76.45.254</b>
CiscoASA(config)#<b>tunnel-group test type remote-access</b>
CiscoASA(config)#<b>tunnel-group test general-attributes</b>
CiscoASA(config-tunnel-general)#<b>address-pool (inside) testvpnpoolAB testvpnpoolCD</b>
CiscoASA(config-tunnel-general)#<b>exit</b>
</pre></blockquote></li>
</ol>The order in which you specify the pools is very important because the ASA allocates addresses from these pools in the order in which the pools appear in this command.<br />
<b>Note: </b>The address-pools settings in the group-policy address-pools command always override the local pool settings in the tunnel-group address-pool command.<br />
<h2><a href="" name="solunf">VPN Clients are Unable to Connect with ASA/PIX</a></h2><h3><a href="" name="solunf-problem">Problem</a></h3>Cisco VPN clients are unable to authenticate when XAUTH is used with the RADIUS server.<br />
<h3><a href="" name="solunf-solution">Solution</a></h3>The problem can be that XAUTH times out. Increase the timeout value for the AAA server in order to resolve this issue.<br />
For example:<br />
<blockquote><pre style="font-size: 15px;">Hostname(config)#<b>aaa-server test protocol radius</b>
hostname(config-aaa-server-group)#<b>aaa-server test host 10.2.3.4</b>
hostname(config-aaa-server-host)#<b>timeout 10</b>
</pre></blockquote><h3><a href="" name="solunf-problem-1">Problem</a></h3>Cisco VPN clients are unable to authenticate when XAUTH is used with the RADIUS server.<br />
<h3><a href="" name="solunf-solution-1">Solution</a></h3>Initially, make sure that authentication works properly. To narrow down the problem, first verify authentication against the local database on the ASA.<br />
<blockquote><pre style="font-size: 15px;">tunnel-group tggroup general-attributes
authentication-server-group none
authentication-server-group LOCAL
exit</pre></blockquote>If this works fine, then the problem is likely in the RADIUS server configuration.<br />
Verify connectivity to the RADIUS server from the ASA. If the ping works without any problem, then check the RADIUS-related configuration on the ASA and the database configuration on the RADIUS server.<br />
You can use the <b>debug radius</b> command to troubleshoot RADIUS-related issues. For sample <b>debug radius</b> output, refer to this <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml#tshoot" style="color: #003399;"><b>Sample Output</b></a>.<br />
<b>Note: </b>Before you use the <b>debug</b> command on the ASA, refer to this documentation: <a href="http://www.cisco.com/en/US/tech/tk801/tk379/technologies_tech_note09186a008017874c.shtml#warn" style="color: #003399;"><b>Warning message</b></a> .<br />
<h2><a href="" name="vpnconn">VPN Client Drops Connection Frequently on First Attempt or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)"</a></h2><h3><a href="" name="vpnconn-problem">Problem</a></h3>Cisco VPN client users might receive this error when they attempt the connection with the head end VPN device.<br />
"<i>VPN client drops connection frequently on first attempt</i>" or "<i>Security VPN Connection terminated by tier. Reason 433.</i>" or "<i>Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)</i>" or "<i>Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool</i>"<br />
<h3><a href="" name="vpnconn-solution">Solution 1</a></h3>The problem might be with the IP pool assignment either through ASA/PIX, Radius server, DHCP server or through Radius server acting as DHCP server. Use the <b>debug crypto</b> command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.<br />
<h3><a href="" name="err433-solution">Solution 2</a></h3>This issue also occurs when extended authentication fails. Check the AAA server in order to troubleshoot this error. Reloading the AAA server might resolve the issue.<br />
<h2><a href="" name="topic-ra">Remote Access and EZVPN Users Connect to VPN but Cannot Access External Resources</a></h2><h3><a href="" name="topic-ra-problem">Problem</a></h3>Remote access users have no Internet connectivity once they connect to the VPN.<br />
Remote access users cannot access resources located behind other VPNs on the same device.<br />
Remote access users can access only the local network.<br />
<h3><a href="" name="topic-ra-solution">Solutions</a></h3>Try these solutions in order to resolve this issue:<br />
<ul><li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#unableto" style="color: #003399;">Unable to Access the Servers in DMZ</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#dnsuu" style="color: #003399;">VPN Clients Unable to Resolve DNS</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#ra-sol-1" style="color: #003399;">Split-Tunnel—Unable to access Internet or excluded networks</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#ra-sol-2" style="color: #003399;">Hairpinning</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#ra-sol-3" style="color: #003399;">Local LAN Access</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap" style="color: #003399;">Overlapping Private Networks</a></li>
</ul><h3><a href="" name="unableto">Unable to Access the Servers in DMZ</a></h3>Once the VPN client has established the IPsec tunnel with the VPN head-end device (PIX/ASA/IOS router), the VPN client users are able to access the INSIDE network (10.10.10.0/24) resources, but they are unable to access the DMZ network (10.1.1.0/24).<br />
<b>Diagram</b><br />
<img alt="common_ipsec_trouble-8.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-8.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
Check that the Split Tunnel, NO NAT configuration is added in the head-end device to access the resources in the DMZ network.<br />
<b>Example</b><br />
<table bgcolor="#FFFFFF" border="1" cellpadding="3" cellspacing="1"><tbody>
<tr><th bgcolor="#CCCCFF" colspan="1" height="" rowspan="1" width="">ASA/PIX</th></tr>
<tr><td bgcolor="#FFFFFF" colspan="1" height="" rowspan="1" width=""><pre style="font-size: 15px;">ciscoasa#<b>show running-config</b>
<i><span style="color: blue;">!--- Split tunnel for the <b>inside network</b> access</span></i>
access-list vpnusers_splitTunnelAcl permit ip 10.10.10.0 255.255.255.0 any
<i><span style="color: blue;">!--- Split tunnel for the <b>DMZ network</b> access</span></i>
access-list vpnusers_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
<i><span style="color: blue;">!--- Create a pool of addresses from which IP addresses are assigned
!--- dynamically to the remote VPN Clients.</span></i>
ip local pool vpnclient 192.168.1.1-192.168.1.5
<i><span style="color: blue;">!--- This access list is used for a nat zero command that prevents
!--- traffic which matches the access list from undergoing NAT.
!--- No NAT for the <b>DMZ network</b>.</span></i>
access-list nonat-dmz permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
<i><span style="color: blue;">!--- No NAT for the <b>inside network</b>.</span></i>
access-list nonat-in permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
<i><span style="color: blue;">!--- nat 0 prevents NAT for the networks specified in the <b>nonat</b> ACLs.</span></i>
nat (DMZ) 0 access-list nonat-dmz
nat (inside) 0 access-list nonat-in</pre></td></tr>
</tbody></table><br />
After you add a new entry for the NAT configuration, clear the Nat translation.<br />
<blockquote><pre style="font-size: 15px;">clear xlate
clear local-host</pre></blockquote><b>Verify:</b><br />
If the tunnel has been established, go to the <b>Cisco VPN Client</b> and choose <b>Status > Route Details</b> to check that the secured routes are shown for both the DMZ and INSIDE networks.<br />
<img alt="common_ipsec_trouble-9.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-9.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
Refer to <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml" style="color: #003399;">PIX/ASA 7.x: Mail Server Access on the DMZ Configuration Example</a> for more information on how to set up the PIX Firewall for access to a mail server located on the Demilitarized Zone (DMZ) network.<br />
Refer to <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml#newra" style="color: #003399;">PIX/ASA 7.x: Add a New Tunnel or Remote Access to an Existing L2L VPN</a> in order to provide the steps required to add a new VPN tunnel or a remote access VPN to a L2L VPN configuration that already exists.<br />
Refer to <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml" style="color: #003399;">PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example</a> in order to provide step-by-step instructions on how to allow VPN Clients access to the Internet while they are tunneled into a Cisco Adaptive Security Appliance (ASA) 5500 Series Security Appliance.<br />
Refer to <a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml" style="color: #003399;">PIX/ASA 7.x and Cisco VPN Client 4.x with Windows 2003 IAS RADIUS (Against Active Directory) Authentication Configuration Example</a> for more information on how to set up the remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x.<br />
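As an added example (not from this document or from Cisco), the Python script below parses the kind of configuration shown in the table above and checks that every network in the split-tunnel ACL has a matching <b>nat 0</b> exemption toward the VPN client pool; it also catches a network/mask pair whose mask does not fit the network. The two configurations it uses are constructed; the ACL and pool names are assumed, and only the <tt>any</tt>, <tt>host</tt> and network/mask address forms are parsed.<br />

```python
"""Cross-check split-tunnel ACL entries against nat 0 (NAT exemption) ACLs.

For every network the split-tunnel ACL sends over the tunnel there must be a
NAT exemption entry from that network to the VPN client pool; otherwise the
return traffic is translated and the clients cannot reach it (the DMZ case
above). Both configurations below are constructed, not taken from a device.
"""
import ipaddress

# Both split-tunnel networks are exempted from NAT toward the pool.
GOOD_CONFIG = """\
access-list vpnusers_splitTunnelAcl permit ip 10.10.10.0 255.255.255.0 any
access-list vpnusers_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
ip local pool vpnclient 192.168.1.1-192.168.1.5
access-list nonat-dmz permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-in permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list nonat-dmz
nat (inside) 0 access-list nonat-in
"""

# The DMZ entry carries a mask that does not fit the network and has no NAT exemption.
BROKEN_CONFIG = """\
access-list vpnusers_splitTunnelAcl permit ip 10.10.10.0 255.255.255.0 any
access-list vpnusers_splitTunnelAcl permit ip 10.1.1.0 255.255.0.0 any
ip local pool vpnclient 192.168.1.1-192.168.1.5
access-list nonat-in permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat-in
"""


def _read_address(tokens, i):
    """Consume one address spec (any | host A | NET MASK) at tokens[i]; return (network, next_i, warning)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1, None
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2, None
    spec = f"{tokens[i]}/{tokens[i + 1]}"
    try:
        return ipaddress.IPv4Network(spec), i + 2, None
    except ValueError:
        loose = ipaddress.IPv4Network(spec, strict=False)  # raises again if the mask itself is invalid
        return loose, i + 2, f"{tokens[i]} {tokens[i + 1]}: host bits set, mask does not fit the network (read as {loose})"


def parse_config(text):
    """Return (acls, pools, nat_zero, warnings) from the relevant config lines."""
    acls, pools, nat_zero, warnings = {}, {}, {}, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list" and "permit" in tokens and "ip" in tokens[3:]:
            i = tokens.index("ip", 3) + 1  # skips an optional 'extended' keyword
            src, i, w1 = _read_address(tokens, i)
            dst, i, w2 = _read_address(tokens, i)
            acls.setdefault(tokens[1], []).append((src, dst))
            warnings.extend(w for w in (w1, w2) if w)
        elif tokens[:3] == ["ip", "local", "pool"] and len(tokens) >= 5:
            first, last = (ipaddress.IPv4Address(a) for a in tokens[4].split("-", 1))
            pools[tokens[3]] = list(ipaddress.summarize_address_range(first, last))
        elif tokens[0] == "nat" and len(tokens) >= 5 and tokens[2:4] == ["0", "access-list"]:
            nat_zero[tokens[4]] = tokens[1].strip("()")  # ACL name -> interface it is applied on
    return acls, pools, nat_zero, warnings


def check_split_tunnel_nat(text, split_acl):
    """Return findings; an empty list means every split-tunnel network is NAT-exempt toward the pool."""
    acls, pools, nat_zero, warnings = parse_config(text)
    findings = list(warnings)
    exempt = [pair for name, pairs in acls.items() if name in nat_zero for pair in pairs]
    pool_nets = [n for nets in pools.values() for n in nets]
    if not pool_nets:
        findings.append("no 'ip local pool' found; cannot check NAT exemption toward the clients")
        return findings
    if split_acl not in acls:
        findings.append(f"split-tunnel ACL {split_acl} not found")
        return findings
    for net, _dst in acls[split_acl]:
        # Every piece of the pool must be covered by some nat 0 entry whose source covers net.
        covered = all(any(net.subnet_of(src) and p.subnet_of(dst) for src, dst in exempt) for p in pool_nets)
        if not covered:
            findings.append(f"{net}: listed in {split_acl} but no nat 0 ACL exempts {net} -> VPN pool")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_split_tunnel_nat(cfg, "vpnusers_splitTunnelAcl") or "ok")
```

Paste the relevant <tt>show running-config</tt> lines (access-list, ip local pool and nat 0) into the text; the broken sample reproduces the two ways the DMZ case goes wrong, a mask that does not fit the network and a missing exemption, and reports both.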
<h3><a href="" name="dnsuu">VPN Clients Unable to Resolve DNS</a></h3>After the tunnel has been established, if the VPN clients are unable to resolve DNS names, the problem can be the DNS server configuration on the head-end device (ASA/PIX). Also check the connectivity between the VPN clients and the DNS server. The DNS server must be configured under the group policy, and that group policy must be applied in the tunnel-group general attributes; for example:<br />
<blockquote><pre style="font-size: 15px;"><i>
<span style="color: blue;">!--- Create the group policy named <b>vpn3000</b> and
!--- specify the DNS server IP address(172.16.1.1)
!--- and the domain name(cisco.com) in the group policy.</span>
</i>
<b>group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 172.16.1.1
default-domain value cisco.com</b>
<i>
<span style="color: blue;">!--- Associate the group policy(vpn3000) to the tunnel group
!--- using the default-group-policy.</span>
</i>
<b>tunnel-group vpn3000 general-attributes
default-group-policy vpn3000</b>
</pre></blockquote><b>VPN clients unable to connect internal servers by name</b><br />
The VPN client is unable to ping the hosts or servers on the remote (head-end) internal network by name. Configure split-dns on the ASA in order to resolve this issue.<br />
<h3><a href="" name="ra-sol-1">Split-Tunnel—Unable to access Internet or excluded networks</a></h3>Split tunneling lets remote-access IPsec clients conditionally direct packets over the IPsec tunnel in encrypted form, or direct packets to a network interface in cleartext form, where they are then routed to a final destination. Split tunneling is disabled by default, which corresponds to the <tt>tunnelall</tt> policy (all client traffic goes through the tunnel).<br />
<blockquote><pre style="font-size: 15px;"><b>split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}</b>
</pre></blockquote><b>Note: </b>The option <b><i><a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#s2" style="color: #003399;"><span style="color: blue;">excludespecified</span></a></i></b> is supported only for Cisco VPN clients, not EZVPN clients.<br />
<blockquote><pre style="font-size: 15px;">ciscoasa(config-group-policy)#<b>split-tunnel-policy excludespecified</b>
</pre></blockquote>Refer to these documents for detailed configuration examples of split-tunneling:<br />
<ul><li><a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml" style="color: #003399;">PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example</a></li>
<li><a href="http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml" style="color: #003399;">Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example</a></li>
<li><a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00806f34fa.shtml" style="color: #003399;">Split Tunneling for VPN Clients on the VPN 3000 Concentrator Configuration Example</a></li>
</ul><h3><a href="" name="ra-sol-2">Hairpinning</a></h3>This feature is useful for VPN traffic that enters an interface but is then routed out of that same interface. For example, if you have a hub and spoke VPN network, where the security appliance is the hub and remote VPN networks are spokes, in order for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.<br />
Use the <b>same-security-traffic</b> configuration to allow traffic to enter and exit the same interface.<br />
<blockquote><pre style="font-size: 15px;">securityappliance(config)#<b>same-security-traffic permit intra-interface</b>
</pre></blockquote><h3><a href="" name="ra-sol-3">Local LAN Access</a></h3>Remote access users connect to the VPN and are able to connect to local network only.<br />
For a more detailed configuration example, refer to <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml" style="color: #003399;">PIX/ASA 7.x: Allow local LAN access for VPN clients</a>.<br />
<h3><a href="" name="overlap">Overlapping Private Networks</a></h3><b>Problem</b><br />
If you are unable to access the internal network after the tunnel is established, check whether the IP address assigned to the VPN client overlaps with the internal network behind the head-end device.<br />
<b>Solution</b><br />
Always make sure that the IP addresses in the pool assigned to the VPN clients, the internal network of the head-end device, and the VPN client's local network are in different networks. You can use the same major network with different subnets, but routing issues sometimes occur.<br />
For further examples, see the <i>Diagram</i> and <i>Example</i> of the <a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#unableto" style="color: #003399;">Unable to Access the Servers in DMZ</a> section.<br />
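The following Python check is an added example, not part of this document, and it serves both the VPN pool section earlier and the pool and overlap problems above: given <b>ip local pool</b> lines it reports the total capacity, any network or broadcast address (for the pool mask) that falls inside the range, and any overlap with a network behind the head end. The pool lines are constructed after the ones on this page, and the default /24 mask used when a pool line has no <tt>mask</tt> keyword is an assumption.<br />

```python
"""Checks for 'ip local pool' ranges before they are handed to VPN clients.

Three problems in this section come down to the pool itself: the pool is too
small, it contains a network or broadcast address for the pool mask (the
'Attempted to assign network or broadcast IP address, removing ... from pool'
case), or it overlaps a network behind the head end. Sample lines are constructed.
"""
import ipaddress


def parse_pool(line):
    """Parse 'ip local pool NAME FIRST-LAST [mask MASK]' into (name, first, last, mask or None)."""
    parts = line.split()
    if len(parts) < 5 or parts[:3] != ["ip", "local", "pool"] or "-" not in parts[4]:
        raise ValueError(f"not an 'ip local pool' line: {line!r}")
    first, last = (ipaddress.IPv4Address(a) for a in parts[4].split("-", 1))
    mask = parts[6] if len(parts) >= 7 and parts[5] == "mask" else None
    return parts[3], first, last, mask


def pool_capacity(lines):
    """Total number of addresses across several pools (pool order is not checked here)."""
    return sum(int(last) - int(first) + 1 for _, first, last, _ in map(parse_pool, lines))


def check_pool(line, internal_networks=(), default_mask="255.255.255.0"):
    """Return a list of findings (empty when the pool looks safe).

    default_mask is an assumption: it stands in for the mask the clients get when the
    pool line carries no explicit 'mask' keyword.
    """
    name, first, last, mask = parse_pool(line)
    findings = []
    if first > last:
        return [f"{name}: range {first}-{last} is reversed"]

    # Walk every subnet (of the pool mask) that the range touches and flag a network or
    # broadcast address inside the range; the ASA logs the message quoted above and
    # removes such an address from the pool instead of assigning it.
    subnet = ipaddress.IPv4Network(f"{first}/{mask or default_mask}", strict=False)
    while subnet.network_address <= last:
        for addr, kind in ((subnet.network_address, "network"), (subnet.broadcast_address, "broadcast")):
            if first <= addr <= last:
                findings.append(f"{name}: {addr} is the {kind} address of {subnet}")
        if subnet.broadcast_address == ipaddress.IPv4Address("255.255.255.255"):
            break
        subnet = ipaddress.IPv4Network((int(subnet.broadcast_address) + 1, subnet.prefixlen))

    # A client address inside a network behind the head end is the overlap case above.
    for net in map(ipaddress.IPv4Network, internal_networks):
        if first <= net.broadcast_address and last >= net.network_address:
            findings.append(f"{name}: {first}-{last} overlaps internal network {net}")
    return findings


if __name__ == "__main__":
    samples = (
        "ip local pool testvpnpool 10.76.41.1-10.76.42.254",
        "ip local pool testvpnpool 10.76.41.1-10.76.42.254 mask 255.255.252.0",
        "ip local pool vpnclient 192.168.1.1-192.168.1.5",
    )
    print("capacity:", pool_capacity(samples))
    for pool in samples:
        print(pool)
        for finding in check_pool(pool, internal_networks=["10.10.10.0/24", "192.168.1.0/24"]):
            print("  ", finding)
```

With a /24 mask, a range that spans two third octets (as in the extended pool shown earlier) contains the broadcast address of the first subnet and the network address of the second; with a mask wide enough to hold the whole range (here 255.255.252.0) both become ordinary host addresses and the check passes.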
<h2><a href="" name="topic-vpnc">Unable to Connect More Than Three VPN Client Users</a></h2><h3><a href="" name="topic-vpnc-problem">Problem</a></h3>Only three VPN clients can connect to ASA/PIX; connection for the fourth client fails. Upon failure, this error message is displayed:<br />
<blockquote><pre style="font-size: 15px;">Secure VPN Connection terminated locally by the client.
Reason 413: User Authentication failed.</pre></blockquote><blockquote><pre style="font-size: 15px;">tunnel rejected; the maximum tunnel count has been reached</pre></blockquote><h3><a href="" name="topic-vpnc-solutions">Solutions</a></h3>In most cases, this issue is related to a simultaneous login setting within group policy and the maximum session-limit.<br />
Try these solutions in order to resolve this issue:<br />
<ul><li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#vpnc-sol-1" style="color: #003399;">Configure Simultaneous Logins</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#vpnc-sol-2" style="color: #003399;">Configure the ASA/PIX with CLI</a></li>
<li><a href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#concentr" style="color: #003399;">Configure Concentrator</a></li>
</ul>For more information, refer to the <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdm_grp.html" style="color: #003399;">Configuring Group Policies</a> section of <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdmproc.html" style="color: #003399;">Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series, Version 5.2</a>.<br />
<h3><a href="" name="vpnc-sol-1">Configure Simultaneous Logins</a></h3>If the <b>Inherit</b> check box in ASDM is checked, only the default number of simultaneous logins is allowed for the user. The default value for simultaneous logins is three.<br />
In order to resolve this issue, increase the value for simultaneous logins.<br />
<ol type="1"><li>Launch ASDM and then navigate to <b>Configuration > VPN > Group Policy</b>.<br />
<img alt="common_ipsec_trouble-5.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-5.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /></li>
<li>Choose the appropriate <b>Group</b> and click the <b>Edit</b> button.<br />
<img alt="common_ipsec_trouble-6.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-6.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /></li>
<li>Once in the <b>General</b> tab, undo the <b>Inherit</b> check box for <b>Simultaneous Logins</b> under <b>Connection Settings</b>. Choose an appropriate value in the field.<br />
<img alt="common_ipsec_trouble-7.gif" border="0" src="http://www.cisco.com/image/gif/paws/81824/common_ipsec_trouble-7.gif" style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px;" usemap="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml" /><br />
<b>Note: </b> The minimum value for this field is 0, which disables login and prevents user access.<br />
<b>Note: </b>When you log in using the same user account from a different PC, the current session (the connection established from another PC using the same user account) is terminated, and the new session is established. This is the default behaviour and is independent of the VPN simultaneous logins setting.</li>
</ol><h3><a href="" name="vpnc-sol-2">Configure the ASA/PIX with CLI</a></h3>Complete these steps in order to configure the desired number of simultaneous logins. In this example, 20 was chosen as the desired value.<br />
<blockquote><pre style="font-size: 15px;">ciscoasa(config)#<b>group-policy Bryan attributes</b>
ciscoasa(config-group-policy)#<b>vpn-simultaneous-logins 20</b>
</pre></blockquote>In order to learn more about this command, refer to <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html" style="color: #003399;">Cisco Security Appliance Command Reference, Version 7.2</a>.<br />
Use the <b>vpn-sessiondb max-session-limit</b> command in global configuration mode in order to limit VPN sessions to a lower value than the security appliance allows. Use the <tt>no</tt> version of this command in order to remove the session limit. Use the command again in order to overwrite the current setting.<br />
<blockquote><pre style="font-size: 15px;">vpn-sessiondb max-session-limit {session-limit}</pre></blockquote>This example shows how to set a maximum VPN session limit of 450:<br />
<blockquote><pre style="font-size: 15px;">hostname#<b>vpn-sessiondb max-session-limit 450</b>
</pre></blockquote><h3><a href="" name="concentr">Configure Concentrator</a></h3><b>Error Message</b><br />
<blockquote><pre style="font-size: 15px;">20932 10/26/2007 14:37:45.430 SEV=3 AUTH/5 RPT=1863 10.19.187.229
Authentication rejected: Reason = Simultaneous logins exceeded for user
handle = 623, server = (none), user = 10.19.187.229, domain = <not
specified></pre></blockquote><b>Solution</b><br />
Complete these steps in order to configure the desired number of simultaneous logins. You can also try to set the Simultaneous Logins to 5 for this SA:<br />
Choose <b>Configuration > User Management > Groups > Modify 10.19.187.229 > General > Simultaneous Logins</b>, and change the number of logins to <b>5</b>.<br />
<h2><a href="" name="tunnelest">Unable to Initiate the Session or an Application and Slow Transfer after the Tunnel Establishment</a></h2><h3><a href="" name="tunnelest-problem">Problem</a></h3>After the IPsec tunnel establishment, the application or the session does not initiate across the tunnel.<br />
<h3><a href="" name="tunnelest-solutions">Solutions</a></h3>Use the <b>ping</b> command to check the network or find whether the application server is reachable from your network. It can be a problem with the maximum segment size (MSS) for transient packets that traverse a router or PIX/ASA device, specifically TCP segments with the SYN bit set.<br />
<h3><a href="" name="iose">Cisco IOS Router—Change the MSS Value in the Outside Interface (Tunnel End Interface) of the Router</a></h3>Run these commands in order to change the MSS value in the outside interface (tunnel end interface) of the router:<br />
<blockquote><pre style="font-size: 15px;">Router><b>enable</b>
Router#<b>configure terminal</b>
Router(config)#<b>interface ethernet0/1</b>
Router(config-if)#<b>ip tcp adjust-mss 1300</b>
Router(config-if)#<b>end</b>
</pre></blockquote>These messages show the debug output for TCP MSS:<br />
<blockquote><pre style="font-size: 15px;">Router#<b>debug ip tcp transactions</b>
Sep 5 18:42:46.247: TCP0: state was LISTEN -> SYNRCVD [23 -> 10.0.1.1(38437)]
Sep 5 18:42:46.247: TCP: tcb 32290C0 connection to 10.0.1.1:38437, peer MSS 1300, MSS is 1300
Sep 5 18:42:46.247: TCP: sending SYN, seq 580539401, ack 6015751
Sep 5 18:42:46.247: TCP0: Connection to 10.0.1.1:38437, advertising MSS 1300
Sep 5 18:42:46.251: TCP0: state was SYNRCVD -> ESTAB [23 -> 10.0.1.1(38437)]</pre></blockquote>The MSS gets adjusted to 1300 on the router as configured.<br />
For more information, refer to <a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml" style="color: #003399;">PIX/ASA 7.x and IOS: VPN Fragmentation</a>.<br />
<h3><a href="" name="pixasa">PIX/ASA 7.X—Refer to PIX/ASA Documentation</a></h3>Internet access fails or transfers through the tunnel are slow because of MTU size error messages and MSS issues. Refer to these documents in order to resolve the issue:<br />
<ul><li><a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml" style="color: #003399;">PIX/ASA 7.x and IOS: VPN Fragmentation</a></li>
<li><a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml" style="color: #003399;">PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites</a></li>
</ul><h2><a href="" name="adfs">Unable to Initiate VPN Tunnel from ASA/PIX</a></h2><h3><a href="" name="adfs-problem">Problem</a></h3>You are unable to initiate the VPN tunnel from the ASA/PIX interface, and after the tunnel is established, the remote end/VPN client is unable to ping the inside interface of the ASA/PIX across the VPN tunnel. For example, the VPN client might be unable to initiate an SSH or HTTP connection to the inside interface of the ASA over the VPN tunnel.<br />
<h3><a href="" name="adfs-solution">Solution</a></h3>The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the <b>management-access</b> command is configured in the global configuration mode.<br />
<blockquote><pre style="font-size: 15px;">PIX-02(config)#<b>management-access inside</b>
PIX-02(config)#<b>show management-access</b>
management-access inside</pre></blockquote><b>Note: </b>This command also allows an SSH or HTTP connection to the inside interface of the ASA through a VPN tunnel.<br />
<b>Note: </b>This information holds true for DMZ interface as well. For example, if you want to ping the DMZ interface of PIX/ASA or want to initiate a tunnel from DMZ interface, then the <b>management-access DMZ</b> command is required.<br />
<blockquote><pre style="font-size: 15px;">PIX-02(config)#<b>management-access DMZ</b>
</pre></blockquote><b>Note: </b>If the VPN client is unable to connect, make sure that ESP and the UDP ports are open. If those ports cannot be opened, try to connect over TCP port 10000 instead by selecting that port under the VPN client connection entry: right-click, then choose <b>Modify > Transport tab > IPsec over TCP</b>.<br />
<h2><a href="" name="trftunpas">Unable to Pass Traffic Across VPN Tunnel</a></h2><h3><a href="" name="tunpas-problem">Problem</a></h3>You are unable to pass traffic across a VPN tunnel.<br />
<h3><a href="" name="tunpas-solution">Solution</a></h3>This issue occurs due to the problem described in Cisco bug ID <a href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb53186" style="color: #003399;">CSCtb53186</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only). In order to resolve this issue, reload the ASA. Refer to the bug for more information.<br />
This issue might also occur when the ESP packets are blocked. In order to resolve this issue, reconfigure the VPN tunnel.<br />
<h2><a href="" name="addbackup">Configuring a Backup Peer for a VPN Tunnel on the Same Crypto Map</a></h2><h3><a href="" name="addbackupprblm">Problem</a></h3>You want to use multiple backup peers for a single VPN tunnel.<br />
<h3><a href="" name="addbackup-solution">Solution</a></h3>Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list.<br />
If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list.<br />
The ASA should have a crypto map already configured as the primary peer. The secondary peer could be added after the primary one.<br />
This example configuration shows the primary peer as X.X.X.X and backup peer as Y.Y.Y.Y:<br />
<blockquote><pre style="font-size: 15px;">ASA(config)#<b>crypto map mymap 10 set peer X.X.X.X Y.Y.Y.Y</b>
</pre></blockquote>For more information, refer to the <a href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193237" style="color: #003399;">Crypto map set peer</a> section in the <i>Cisco Security Appliance Command Reference, Version 8.0</i>.<br />
<h2><a href="" name="dish">Disable/Restart VPN Tunnel</a></h2><h3><a href="" name="dish-problem">Problem</a></h3>In order to temporarily disable the VPN tunnel and restart the service, complete the procedure described in this section.<br />
<h3><a href="" name="dish-solution">Solution</a></h3>Use the <b>crypto map interface</b> command in global configuration mode to assign a previously defined crypto map set to an interface. Use the <b>no</b> form of this command in order to remove the crypto map set from the interface.<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>no crypto map</b> <i>map-name</i> <b>interface</b> <i>interface-name</i>
</pre></blockquote>This command removes the crypto map set from any active security appliance interface and makes the IPsec VPN tunnel inactive on that interface.<br />
To restart the IPsec tunnel on an interface, assign the crypto map set to the interface again; an interface cannot provide IPsec services until a crypto map set is assigned to it.<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>crypto map</b> <i>map-name</i> <b>interface</b> <i>interface-name</i>
</pre></blockquote><h2><a href="" name="fewtunn">Some Tunnels not Encrypted</a></h2><h3><a href="" name="fewtunn-prblm">Problem</a></h3>When a huge number of tunnels are configured on the VPN gateway, some tunnels do not pass traffic. The ASA does not receive encrypted packets for those tunnels.<br />
<h3><a href="" name="fewtunn-Sol">Solution</a></h3>This issue occurs because the ASA fails to pass the encrypted packets through the tunnels. Duplicate encryption rules are created in the ASP table. This is a known issue and bug ID <a href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb65794" style="color: #003399;">CSCtb53186</a> (<a href="http://tools.cisco.com/RPF/register/register.do" style="color: #003399;">registered</a> customers only) has been filed to address this problem. In order to resolve this issue, either reload the ASA or upgrade the software to a version in which this bug is fixed.<br />
<h2><a href="" name="error">Error:- %ASA-5-713904: Group = DefaultRAGroup, IP = x.x.x.x, Client is using an unsupported Transaction Mode v2 version.Tunnel terminated.</a></h2><h3><a href="" name="error-problem">Problem</a></h3>The <tt>%ASA-5-713904: Group = DefaultRAGroup, IP = 99.246.144.186, Client is using an unsupported Transaction Mode v2 version.Tunnel terminated</tt> error message appears.<br />
<h3><a href="" name="error-solution">Solution</a></h3>The reason for the <tt>Transaction Mode v2</tt> error message is that ASA supports only IKE Mode Config V6 and not the old V2 mode version. Use the IKE Mode Config V6 version in order to resolve this error.<br />
<h2><a href="" name="error2">Error:- %ASA-6-722036: Group client-group User xxxx IP x.x.x.x Transmitting large packet 1220 (threshold 1206)</a></h2><h3><a href="" name="error2-problem">Problem</a></h3>The <tt>%ASA-6-722036: Group < client-group > User < xxxx > IP < x.x.x.x> Transmitting large packet 1220 (threshold 1206)</tt> error message appears in the logs of ASA. What does this log means and how this can be resolved?<br />
<h3><a href="" name="error2-solution">Solution</a></h3>This log message states that a large packet was sent to the client. The source of the packet is not aware of the MTU of the client. This can also be due to compression of non-compressible data. The workaround is to turn off the SVC compression with the <b><a href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1409736" style="color: #003399;">svc compression none</a></b> command, which resolves the issue.<br />
<h2><a href="" name="authentication-server-group">Error: The authentication-server-group none command has been deprecated</a></h2><h3><a href="" name="authentication-server-group-problem">Problem</a></h3>If you transfer the VPN configuration from the PIX/ASA that runs Version 7.0.x to the another security appliance that runs 7.2.x, you receive this error message:<br />
<blockquote><pre style="font-size: 15px;">ERROR: The authentication-server-group none command has been deprecated.
The "isakmp ikev1-user-authentication none" command in the ipsec-attributes should be used
instead.</pre></blockquote><h3><a href="" name="authentication-server-group-solution">Solution</a></h3>The <b>authentication-server-group</b> command is no longer accepted under the tunnel-group IPsec attributes in 7.2(1) and later; it was moved to tunnel-group general-attributes configuration mode, and its <b>none</b> form, which disabled user authentication, is replaced by <b>isakmp ikev1-user-authentication none</b> under tunnel-group ipsec-attributes, as the error message indicates.<br />
Refer to the <a href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1731892" style="color: #003399;">isakmp ikev1-user-authentication</a> section of the command reference for more information about this command.<br />
<h2><a href="" name="qos_enabled">Error Message when QoS is Enabled in one End of the VPN Tunnel</a></h2><h3><a href="" name="qos_enabled-problem">Problem</a></h3>If you enabled QoS in one end of the VPN Tunnel, you might receive this error message:<br />
<blockquote><pre style="font-size: 15px;">IPSEC: Received an ESP packet (SPI= 0xDB6E5A60, sequence number= 0x7F9F) from
10.18.7.11 (user= ghufhi) to 172.16.29.23 that failed anti-replay checking</pre></blockquote><h3><a href="" name="qos_enabled-solution">Solution</a></h3>This message is normally seen when one end of the tunnel is applying QoS: shaping or priority queuing reorders ESP packets, and a packet that arrives more than the anti-replay window behind the newest one is detected as out of order and dropped. You can disable QoS to stop this, or enlarge the anti-replay window with the <b>crypto ipsec security-association replay window-size</b> command, but the message can be ignored as long as traffic is able to traverse the tunnel.<br />
<h2><a href="" name="err">WARNING: crypto map entry will be incomplete</a></h2><h3><a href="" name="err-problem">Problem</a></h3>When you run the <b>crypto map mymap 20 ipsec-isakmp</b> command, you might receive this error:<br />
<tt>WARNING: crypto map entry will be incomplete</tt><br />
For example:<br />
<blockquote><pre style="font-size: 15px;">ciscoasa(config)#<b>crypto map mymap 20 ipsec-isakmp</b>
<b>WARNING: crypto map entry will be incomplete</b>
</pre></blockquote><h3><a href="" name="err-solution">Solution</a></h3>This is a usual warning when you define a new crypto map, a reminder that parameters such as access-list (match address), transform set and peer address must be configured before it can work. It is also normal that the first line you type in order to define the crypto map does not show in the configuration.<br />
<h2><a href="" name="largeping">Error:- %ASA-4-400024: IDS:2151 Large ICMP packet from to on interface outside</a></h2><h3><a href="" name="largeping-problem">Problem</a></h3>Unable to pass large ping packet across the vpn tunnel. When we try to pass large ping packets we get the error <tt>%ASA-4-400024: IDS:2151 Large ICMP packet from to on interface outside</tt><br />
<h3><a href="" name="largeping-solution">Solution</a></h3>Disable the signatures 2150 and 2151 in order to resolve this issue.Once the signatures are disabled ping works fine.<br />
Use these commands in order to disable the signatures:<br />
ASA(config)#<b>ip audit signature 2151 disable</b><br />
ASA(config)#<b>ip audit signature 2150 disable</b><br />
<h2><a href="" name="IPSecWindowsize">Error:- %PIX|ASA-4-402119: IPSEC: Received a protocol packet (SPI=spi, sequence number= seq_num) from remote_IP (username) to local_IP that failed anti-replay checking.</a></h2><h3><a href="" name="IPSecWindowsize-problem">Problem</a></h3>I received this error in the log messages of the ASA:<br />
<tt>Error:- %PIX|ASA-4-402119: IPSEC: Received a protocol packet (SPI=spi, sequence number= seq_num) from remote_IP (username) to local_IP that failed anti-replay checking.</tt><br />
<h3><a href="" name="IPSecWindowsize-solution">Solution</a></h3>In order to resolve this error, use the <b><a href="http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/c5.html#wp2200043" style="color: #003399;">crypto ipsec security-association replay window-size</a></b> command in order to vary the window size.<br />
<blockquote><pre style="font-size: 15px;">hostname(config)#<b>crypto ipsec security-association replay window-size 1024</b>
</pre></blockquote><b>Note: </b>Cisco recommends that you use the full 1024 window size to eliminate any anti-replay problems.<br />
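The anti-replay failures in the QoS section and in this window-size section come from the same mechanism: the receiver keeps a sliding window of sequence numbers below the highest one it has seen and rejects anything older than the window or already marked as received. The following Python model of that window is an added example written for this page, not Cisco code; the reordered packet stream is constructed, and the window sizes are the ones the ASA command accepts. It shows a packet that a shaper delayed by 900 positions being dropped with the 64-packet default and accepted with a 1024-packet window, while a real replay of an already-received sequence number is rejected by both.

```python
"""Model of the IPsec anti-replay sliding window (RFC 4303 style).

Added example for this page; not Cisco code. The receiver tracks the highest
sequence number accepted ('top') and a bitmap recording which of the previous
`size` sequence numbers have already arrived.
"""


class ReplayWindow:
    def __init__(self, size=64):
        # The ASA accepts 64, 128, 256, 512 or 1024; 64 is the default.
        if size not in (64, 128, 256, 512, 1024):
            raise ValueError("window size must be 64, 128, 256, 512 or 1024")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was received

    def check(self, seq):
        """Return True if `seq` is accepted, False if it is dropped.

        A drop is either 'too old' (behind the window, which is what a QoS
        reorder produces) or 'already received' (a genuine replay).
        """
        if seq == 0:
            return False                      # ESP never uses sequence number 0
        if seq > self.top:
            # Ahead of everything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # window slid completely; only seq is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                      # already received: replay
        self.bitmap |= 1 << offset            # late but inside the window: accept and mark
        return True


def qos_reordered_stream(total=1200, delayed=100, arrives_after=1000):
    """Constructed stream of sequence numbers 1..total in which one packet is
    held back by a shaper and delivered right after `arrives_after`."""
    seqs = list(range(1, total + 1))
    seqs.remove(delayed)
    seqs.insert(seqs.index(arrives_after) + 1, delayed)
    return seqs


def run_receiver(seqs, size):
    """Feed a sequence-number stream through one window and count the outcome."""
    window = ReplayWindow(size)
    result = {"accepted": 0, "dropped": []}
    for seq in seqs:
        if window.check(seq):
            result["accepted"] += 1
        else:
            result["dropped"].append(seq)
    return result


if __name__ == "__main__":
    stream = qos_reordered_stream()
    for size in (64, 1024):
        r = run_receiver(stream, size)
        print(f"window {size:4d}: accepted {r['accepted']}, dropped {r['dropped']}")
```

The delayed packet arrives 900 sequence numbers behind the newest one; with a 64-packet window that is "too old" and it is dropped, with a 1024-packet window it is still inside the window and its bit is clear, so it is accepted. Calling `check()` twice with the same number is rejected the second time at either size, which is the behaviour the note above relies on.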
<h2><a href="" name="error5">Error Message - %PIX|ASA-4-407001: Deny traffic for local-host interface_name:inside_address, license limit of number exceeded</a></h2><h3><a href="" name="error5-problem">Problem</a></h3>Few hosts are unable to connect to the Internet, and this error message appears in the syslog:<br />
<tt>Error Message - %PIX|ASA-4-407001: Deny traffic for local-host interface_name:inside_address, license limit of number exceeded</tt><br />
<h3><a href="" name="error5-solution">Solution</a></h3>This error message is received when the number of users exceeds the user limit of the license used. This error can be resolved by upgrading the license to a higher number of users. The user license can include 50, 100, or unlimited users as required.<br />
<h2><a href="" name="error6">Error Message - %VPN_HW-4-PACKET_ERROR:</a></h2><h3><a href="" name="error6-problem">Problem</a></h3>The <tt>Error Message - %VPN_HW-4-PACKET_ERROR:</tt> error message indicates that ESP packet with HMAC received by the router are mismatched. This error might be caused by these issues:<br />
<ul><li>Defective VPN H/W module</li>
<li>Corrupt ESP packet</li>
</ul><h3><a href="" name="error6-solution">Solution</a></h3>In order to resolve this error message:<br />
<ul><li>Ignore the error messages unless there is traffic disruption.</li>
<li>If there is traffic disruption, replace the module.</li>
</ul><h2><a href="" name="error7">Error message: Command rejected: delete crypto connection between VLAN XXXX and XXXX, first.</a></h2><h3><a href="" name="error7-problem">Problem</a></h3>This error message appears when you attempt to add an allowed VLAN on the trunk port on a switch: <tt>Command rejected: delete crypto connection between VLAN XXXX and VLAN XXXX, first.</tt>.<br />
The WAN edge trunk cannot be modified to allow additional VLANs. That is, you are unable to add VLANs in the <b>IPSEC VPN SPA</b> trunk.<br />
This command is rejected because allowing it would put a crypto-connected interface VLAN into the trunk's allowed VLAN list, which could let traffic on that VLAN bypass the encryption path, a potential IPsec security breach. Note that this behavior applies to all trunk ports.<br />
<h3><a href="" name="error7-solution">Solution</a></h3>Instead of the <tt>no switchport trunk allowed vlan <i>vlanlist</i></tt> command, use the <tt>switchport trunk allowed vlan none</tt> command or the <tt>switchport trunk allowed vlan remove <i>vlanlist</i></tt> command.<br />
<h2><a href="" name="error8">Error Message - % FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE: Dropping packet - Invalid Window Scale option for session x.x.x.x:27331 to x.x.x.x:23 [Initiator(flag 0,factor 0) Responder (flag 1, factor 2)]</a></h2><h3><a href="" name="error8-problem">Problem</a></h3>This error occurs when you try to telnet from a device on the far end of a VPN tunnel or when you try to telnet from the router itself:<br />
<tt>Error Message - % FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE: Dropping packet - Invalid Window Scale option for session x.x.x.x:27331 to x.x.x.x:23 [Initiator(flag 0,factor 0) Responder (flag 1, factor 2)]</tt><br />
<h3><a href="" name="error8-solution">Solution</a></h3>The user license can include 50, 100, or unlimited users as required. Window scaling was added to allow for rapid transmission of data on long fat networks (LFN). These are typically connections with very high bandwidth, but also high latency. Networks with satellite connections are one example of an LFN, since satellite links always have high propagation delays but typically have high bandwidth. To enable window scaling to support LFNs, the TCP window size must be more than 65,535. This error message can be resolved by increasing the TCP window size to be more than 65,535.<br />
<h2><a href="" name="err310">%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse . Please update this issue flows</a></h2><h3><a href="" name="er013prob">Problem</a></h3>This error message appears once the VPN tunnel comes up:<br />
<tt>%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse . Please update this issue flows</tt><br />
<h3><a href="" name="err013-solution">Solution</a></h3>In order to resolve this issue when not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the <b>inspect</b> command if the application embeds the IP address.<br />
<h2><a href="" name="err680">%PIX|ASA-5-713068: Received non-routine Notify message: notify_type</a></h2><h3><a href="" name="er068prob">Problem</a></h3>This error message appears if the VPN tunnel fails to come up:<br />
<tt>%PIX|ASA-5-713068: Received non-routine Notify message: notify_type</tt><br />
<h3><a href="" name="err068-solution">Solution</a></h3>This message occurs due to misconfiguration (that is, when the policies or ACLs are not configured to be the same on peers). Once the policies and ACLs are matched the tunnel comes up without any problem.<br />
<h2><a href="" name="errcosmet">%ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit (or) %ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit</a></h2><h3><a href="" name="errcosprob">Problem</a></h3>One of these error messages appear when you try to upgrade the Cisco Adaptive Security Appliance (ASA):<br />
<tt>%ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.</tt><br />
<tt>%ASA-6-720012: (VPN-unit) Failed to update IPsec failover runtime data on the standby unit.</tt><br />
<h3><a href="" name="errcossol">Solution</a></h3>These error messages do not require a solution since they are informative errors; they do not impact functionality, the ASA, or the VPN.<br />
<h2><a href="" name="vpnclientwith">Cisco VPN Client Does Not Work with Data Card on Windows 7</a></h2><h3><a href="" name="vpnclientwithpr">Problem</a></h3>Cisco VPN Client does not work with data card on Windows 7.<br />
<h3><a href="" name="vpnclientwithssol">Solution</a></h3>Cisco VPN Client installed on Windows 7 does not work with 3G connections since data cards are not supported on VPN clients installed on a Windows 7 machine.<br />
<h2><a href="" name="mis">Miscellaneous</a></h2><h3><a href="" name="ag">AG_INIT_EXCH Message Appears in the "show crypto isakmp sa" and "debug" Commands Output</a></h3>If the tunnel does not get initiated, the <tt>AG_INIT_EXCH</tt> message appears in output of the <b>show crypto isakmp sa</b> command and in <b>debug</b> output as well. The reason can be due to mismatching isakmp policies or if port udp 500 gets blocked on the way.<br />
<h3><a href="" name="deb">Debug Message "Received an IPC message during invalid state" Appears</a></h3>This message is an informational message and has nothing to do with the disconnection of the VPN tunnel.<br />
</div>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-6020133766366748817.post-11470017558702796132011-05-22T19:42:00.001-07:002011-05-22T19:42:52.667-07:00Types of Firewalls<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></span><br />
<h3 class="docSection1Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: large; font-weight: bold;"><span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: xx-small; font-weight: normal;">In order to gain a thorough understanding of firewall technology, it is important to understand the various types of firewalls. These various types of firewalls provide more or less the same functions that were outlined earlier. However, their methods of doing so provide differentiation in terms of performance and level of security offered.</span></h3><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The firewalls discussed in this section are divided into five categories based on the mechanism that each uses to provide firewall functionality:</div><ul><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Circuit-level firewalls</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Proxy server firewalls</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Nonstateful packet filters</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Stateful packet filters</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Personal firewalls</div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">These various types of firewalls gather different types of information from the data flowing through them to keep track of legitimate and illegitimate traffic and to protect against unauthorized access. The type of information they use often also determines the level of security they provide.</div><a href="" name="ch07lev2sec5"></a><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Circuit-Level Firewalls</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">These firewalls act as relays for TCP connections. They intercept TCP connections being made to a host behind them and complete the handshake on behalf of that host. Only after the connection is established is the traffic allowed to flow to the client. Also, the firewall makes sure that as soon as the connection is established, only data packets belonging to the connection are allowed to go through.<a href="" name="idd1e18636"></a><a href="" name="idd1e18641"></a><a href="" name="idd1e18644"></a></div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Circuit-level firewalls do not validate the payload or any other information in the packet, so they are fairly fast. These firewalls essentially are interested only in making sure that the TCP handshake is properly completed before a connection is allowed. 
Consequently, these firewalls do not allow access restrictions to be placed on protocols other than TCP and do not allow the use of payload information in the higher-layer protocols to restrict access.</div><a href="" name="ch07lev2sec6"></a><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Proxy Server Firewalls</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Proxy server firewalls work by examining packets at the application layer. Essentially a proxy server intercepts the requests being made by the applications sitting behind it and performs the requested functions on behalf of the requesting application. It then forwards the results to the application. In this way it can provide a fairly high level of security to the applications, which do not have to interact directly with outside applications and servers.<a href="" name="idd1e18661"></a><a href="" name="idd1e18666"></a><a href="" name="idd1e18669"></a></div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Proxy servers are advantageous in the sense that they are aware of application-level protocols and they can restrict or allow access based on these protocols. They also can look into the data portions of the packets and use that information to restrict access. However, this very capability of processing the packets at a higher layer of the stack can contribute to the slowness of proxy servers. Also, because the inbound traffic has to be processed by the proxy server as well as the end-user application, further degradation in speed can occur. Proxy servers often are not transparent to end users who have to make modifications to their applications in order to use the proxy server. 
For each new application that must go through a proxy firewall, modifications need to be made to the firewall's protocol stack to handle that type of application.</div><a href="" name="ch07lev2sec7"></a><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Nonstateful Packet Filters</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Nonstateful packet filters are fairly simple devices that sit on the periphery of a network and, based on a set of rules, allow some packets through while blocking others. The decisions are made based on the addressing information contained in network layer protocols such as IP and, in some cases, information contained in transport layer protocols such as TCP or UDP headers as well.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Although they are simple devices, nonstateful packet filters require, to function properly, a thorough understanding of the services used by the network to be protected. These filters can be fast because they do not proxy any traffic but only inspect it as it passes through, yet they have no knowledge of the application-level protocols or of the data elements in the packet. Consequently, their usefulness is limited. They also do not retain any knowledge of the sessions established through them; they just examine whatever is immediately passing through. 
The use of simple and extended access lists (without the <span class="docEmphStrong" style="font-weight: bold;">established</span> keyword) on routers are examples of such firewalls.<a href="" name="idd1e18695"></a><a href="" name="idd1e18700"></a><a href="" name="idd1e18703"></a><a href="" name="idd1e18710"></a></div><a href="" name="ch07lev2sec8"></a><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Stateful Packet Filters</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Stateful packet filters are more intelligent than simple packet filters in that they can block pretty much all incoming traffic and still can allow return traffic for the traffic generated by machines sitting behind them. They do so by keeping a record of the transport layer connections that are established through them by the hosts behind them.<a href="" name="idd1e18722"></a><a href="" name="idd1e18727"></a><a href="" name="idd1e18730"></a><a href="" name="idd1e18737"></a></div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Stateful packet filters are the mechanism for implementing firewalls in most modern networks. Stateful packet filters can keep track of a variety of information regarding the packets that are traversing them, including the following:</div><ul><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Source and destination TCP and UDP port numbers</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">TCP sequence numbering</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">TCP flags</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">TCP session state based on the RFCed TCP state machine</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">UDP traffic tracking based on timers</div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Stateful firewalls often have built-in advanced IP layer handling features such as fragment reassembly and clearing or rejecting of IP options.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Many modern stateful packet filters are aware of application layer protocols such as FTP and HTTP and can perform access-control functions based on these protocols' specific needs.</div><a href="" name="ch07lev2sec9"></a><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Personal Firewalls</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Personal firewalls are firewalls installed on personal computers. They are designed to protect against network attacks. These firewalls are generally aware of the applications running on the machine and allow only connections established by these applications to operate on the machine.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">A personal firewall is a useful addition to any PC because it increases the level of security already offered by a network firewall. However, because many of the attacks on today's networks originate from inside the protected network, a PC firewall is an even more useful tool, because network firewalls cannot protect against these attacks. Personal firewalls come in a variety of flavors. Most are implemented to be aware of the applications running on the PC. 
However, they are designed to not require any changes from the user applications running on the PC, as is required in the case of proxy servers.</div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6020133766366748817.post-78327403766510721962011-05-22T09:21:00.000-07:002011-05-22T09:21:36.631-07:00Troubleshooting IPsec VPNs<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"> Because IPsec is a combination of multiple protocols, it is important to have a very strong understanding of how these protocols work together to troubleshoot IPsec. A thorough understanding of ISAKMP is also very useful in identifying negotiation problems in IPsec. This section looks at some of the tools available to troubleshoot IPsec, as well as some of the common issues surrounding its implementation.<a href="" name="idd1e71076"></a><a href="" name="idd1e71083"></a><a href="" name="idd1e71088"></a><a href="" name="idd1e71095"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev2sec16"></a></span><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">IPsec's Order of Events</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec's order of events is important to know because IPsec interacts with a wide variety of protocols running on a router. Because IPsec adds an additional outer header on top of the original header (with different IP addresses, in the case of ESP tunnel mode), it is important to understand how the various other routines act on this new header. The table below outlines the sequence of events. 
"Inside" is generally the private network behind the router, and "outside" is the network on the public side of the router.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24table06"></a></span><div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><table cellpadding="4" cellspacing="0" frame="hsides" rules="rows"><caption><h5 class="docTableTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Table. Order in Which Various Operations Are Performed for Packets Passing Through a Router</h5></caption><colgroup><col></col><col></col></colgroup><thead>
<tr><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">Inside to Outside</span></div></th><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">Outside to Inside</span></div></th></tr>
</thead><tbody>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div style="font-weight: bold;"><ol class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;" type="1"><li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">If IPsec, check input access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Decryption for CET or IPsec</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check input access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check input rate limits</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Input accounting</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Inspect</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Policy routing</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Routing</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Redirect to web cache</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">NAT inside to outside (local-to-global translation)</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Crypto (check map and mark for encryption)</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check output access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Inspect</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">TCP intercept</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Encryption for CET or IPsec</div></div></li>
</ol></div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div style="font-weight: bold;"><ol class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;" type="1"><li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">If IPsec, check input access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Decryption for CET or IPsec</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check input access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check input rate limits</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Input accounting</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Inspect</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">NAT outside to inside (global-to-local translation)</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Policy routing</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Routing</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Redirect to web cache</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Crypto (check map and mark for encryption)</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Check output access list</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Inspect</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">TCP intercept</div></div></li>
<li><div style="font-weight: normal;"><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Encryption for CET or IPsec</div></div></li>
</ol></div></td></tr>
</tbody></table><br />
<br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Note that for IPsec traffic the inbound access list on the crypto-mapped interface is evaluated twice: once against the encrypted packet before decryption and once against the cleartext packet after decryption. The inbound access list must therefore permit not only the ESP packets (IP protocol 50) and the IKE negotiation itself (UDP port 500) from the peer, but also the tunneled subnets that the crypto access list defines as interesting traffic. Opening that hole is acceptable because the router drops any packet that arrives on the outside interface, matches the interesting-traffic access list and is not IPsec-encapsulated, which largely removes the risk of an attacker using the hole by spoofing cleartext packets from the remote subnet to reach the network behind the router.<a href="" name="idd1e71276"></a><a href="" name="idd1e71283"></a><a href="" name="idd1e71288"></a><a href="" name="idd1e71295"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev2sec17"></a></span><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">IPsec Debugs</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec debug messages are the most important source of information when an IPsec VPN does not come up or behaves unexpectedly. 
The three most commonly used <span class="docEmphStrong" style="font-weight: bold;">debug</span> commands for troubleshooting IPsec are<a href="" name="idd1e71310"></a><a href="" name="idd1e71315"></a><a href="" name="idd1e71320"></a><a href="" name="idd1e71325"></a><a href="" name="idd1e71332"></a></div><ul style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">debug crypto isakmp</span></div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span></div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span></div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The first two <span class="docEmphStrong" style="font-weight: bold;">debug</span> commands are also available on the PIX Firewall, whose debug output is similar to the router output shown here.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Example below shows the configuration of the router on one end of the IPsec tunnel; the router on the other end has the mirror-image configuration. This configuration was used to generate the debugs shown here. Note that the 3DES, MD5 and Diffie-Hellman group 1 parameters it uses reflect the age of the example; a current deployment should use AES, SHA-2 and a larger Diffie-Hellman group (14 or higher).</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list17"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . IPsec Configuration on a Router Used to Generate Sample Debugs</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">write terminal</span>
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key jw4ep9846804ijl address 172.16.172.20
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.172.20
set transform-set myset
match address 101
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1/0
ip address 172.16.172.10 255.255.255.240
crypto map vpn
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
</pre><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Example below shows the debug messages generated by turning on the three debugs just mentioned.<a href="" name="idd1e71386"></a><a href="" name="idd1e71391"></a><a href="" name="idd1e71396"></a><a href="" name="idd1e71401"></a><a href="" name="idd1e71408"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24note01"></a></span><div class="docNote" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; margin-bottom: 2em; margin-left: 2em; margin-right: 2em;"><div class="docNoteTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">NOTE</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">In the sample debugs shown in Example below, the explanation of the debug is followed by the actual debugs for that explanation.</div></div><br />
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list18"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . IPsec Debugs Generated by Issuing the Commands <span class="docEmphStrong" style="font-weight: bold;">debug crypto isakmp</span>, <span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span>, and <span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span></h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ISAKMP</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span>
<span class="docEmphMark" style="background-color: #999999;">!Ping source and destination addresses matched the address access list for the</span>
<span class="docEmphMark" style="background-color: #999999;">!crypto map VPN</span>
00:04:10: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy = 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy = 10.1.2.0/255.255.255.0/0/0 (type=4),
<span class="docEmphMark" style="background-color: #999999;">!The 'local' is the local tunnel endpoint, and the 'remote' is the remote crypto</span>
<span class="docEmphMark" style="background-color: #999999;">!endpoint as configured in the map. The local proxy is the src interesting traffic</span>
<span class="docEmphMark" style="background-color: #999999;">!as defined by the match address access list. The remote proxy is the destination</span>
<span class="docEmphMark" style="background-color: #999999;">!interesting traffic as defined by the match address access list.</span>
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4A10F22E(1242624558), conn_id= 0, keysize= 0, flags= 0x400C
<span class="docEmphMark" style="background-color: #999999;">!The protocol and the transforms are specified by the crypto map that has been</span>
<span class="docEmphMark" style="background-color: #999999;">!hit, as are the lifetimes</span>
<span class="docEmphMark" style="background-color: #999999;">!Negotiate Phase I (ISAKMP) SA parameters.</span>
ISAKMP: received ke message (1/1)
ISAKMP: local port 500, remote port 500
ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM Old State =
IKE_READY New State = IKE_I_MM1
ISAKMP (0:1): beginning Main Mode exchange
00:04:10: ISAKMP (0:1): sending packet to 172.16.172.20 (I) MM_NO_STATE
00:04:10: ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_NO_STATE
00:04:10: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM1 New State = IKE_I_MM2
00:04:10: ISAKMP (0:1): processing SA payload. message ID = 0
00:04:10: ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20
00:04:10: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:04:10: ISAKMP: encryption 3DES-CBC
00:04:10: ISAKMP: hash SHA
00:04:10: ISAKMP: default group 1
00:04:10: ISAKMP: auth pre-share
00:04:10: ISAKMP: life type in seconds
00:04:10: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:04:10: ISAKMP (0:1): atts are acceptable. Next payload is 0<a href="" name="idd1e71476"></a><a href="" name="idd1e71481"></a><a href="" name="idd1e71486"></a><a href="" name="idd1e71491"></a><a href="" name="idd1e71498"></a>
00:04:10: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM2 New State = IKE_I_MM2
<span class="docEmphMark" style="background-color: #999999;">!Policy 1 on this router and the atts offered by the other side matched.</span>
<span class="docEmphMark" style="background-color: #999999;">!The third and fourth packets complete the Diffie-Hellman Exchange.</span>
ISAKMP (0:1): sending packet to
172.16.172.20 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP (0:1): processing KE payload. message ID = 0
ISAKMP (0:1): processing NONCE payload. message ID = 0
ISAKMP (0:1): found peer pre-shared key matching 172.16.172.20
ISAKMP (0:1): SKEYID state generated
ISAKMP (0:1): processing vendor id payload
<span class="docEmphMark" style="background-color: #999999;">!The fifth and sixth packets complete IKE authentication. Phase I SA established.</span>
ISAKMP (0:1): SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
...
ISAKMP (0:1): sending packet to 172.16.172.20
(I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (0:1): received packet from 172.16.172.20 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP (0:1): processing ID payload. message ID = 0
ISAKMP (0:1): processing HASH payload. message ID = 0
ISAKMP (0:1): SA has been authenticated with 172.16.172.20
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
<span class="docEmphMark" style="background-color: #999999;">!Begin Quick Mode exchange. IPsec SA is negotiated in QM.</span>
ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 965273472
ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE
ISAKMP (0:1): Node 965273472, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Old State =
IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP (0:1): received packet from 172.16.172.20 (I) QM_IDLE
<span class="docEmphMark" style="background-color: #999999;">!The IPsec SA proposal offered by the far end is checked against the local crypto</span>
<span class="docEmphMark" style="background-color: #999999;">!map configuration</span>
ISAKMP (0:1): processing HASH payload. message ID = 965273472
ISAKMP (0:1): processing SA payload. message ID = 965273472
ISAKMP (0:1): Checking IPsec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:1): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),<a href="" name="idd1e71522"></a><a href="" name="idd1e71527"></a><a href="" name="idd1e71532"></a><a href="" name="idd1e71537"></a><a href="" name="idd1e71544"></a>
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
<span class="docEmphMark" style="background-color: #999999;">!Two IPsec SAs have been negotiated: an inbound SA with the SPI generated by the</span>
<span class="docEmphMark" style="background-color: #999999;">!local router and an outbound SA with the SPI proposed by the remote end. The</span>
<span class="docEmphMark" style="background-color: #999999;">!outbound SPI is printed here as a signed decimal: -343614331 is 0xEB84DC85 below.</span>
ISAKMP (0:1): Creating IPsec SAs
inbound SA from 172.16.172.20 to 172.16.172.10(proxy 10.1.2.0 to 10.1.1.0)
has spi 0x8EAB0B22 and conn_id 2029 and flags 4
lifetime of 3600 seconds lifetime of 4608000 kilobytes
outbound SA from 172.16.172.10 to 172.16.172.20 (proxy 10.1.1.0 to 10.1.2.0)
has spi -343614331 and conn_id 2030 and flags C
lifetime of 3600 seconds lifetime of 4608000 kilobytes
<span class="docEmphMark" style="background-color: #999999;">!The IPsec SA info negotiated by IKE will be populated into the router's SADB.</span>
00:04:10: IPSEC(key_engine): got a queue event...
00:04:10: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8EAB0B22(2393574178), conn_id= 2029, keysize= 0, flags= 0x4
00:04:10: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.16.172.10, remote= 172.16.172.20,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xEB84DC85(3951352965), conn_id= 2030, keysize= 0, flags= 0xC
<span class="docEmphMark" style="background-color: #999999;">!IPsec SA created in SADB, sent out last packet with commit bit set. IPsec</span>
<span class="docEmphMark" style="background-color: #999999;">!tunnel established.</span>
IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.10,
sa_prot= 50,
sa_spi= 0x8EAB0B22(2393574178),
sa_trans= esp-3des esp-md5-hmac ,
sa_conn_id= 2029
IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.172.20, sa_prot= 50, sa_spi= 0xEB84DC85(3951352965),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2030
ISAKMP (0:1): sending packet to 172.16.172.20 (I) QM_IDLE
ISAKMP (0:1): Node 965273472, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
</pre><span class="Apple-style-span" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: xx-small;"><br />
</span><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev2sec18"></a></span><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;"><span class="docEmphStrong" style="font-weight: bold;">IPsec</span> show <span class="docEmphStrong" style="font-weight: bold;">Commands</span></h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec <span class="docEmphStrong" style="font-weight: bold;">show</span> commands are particularly useful in debugging IPsec. Having established basic connectivity, the network administrator can use <span class="docEmphStrong" style="font-weight: bold;">show</span> commands to see the issues related to the operation of IPsec on top of the basic network connectivity. Three <span class="docEmphStrong" style="font-weight: bold;">show</span> commands are most commonly used to view the status of an IPsec connection:<a href="" name="idd1e71626"></a><a href="" name="idd1e71631"></a><a href="" name="idd1e71636"></a></div><ul style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span></div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">show crypto ipsec sa</span></div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">show crypto engine connection active</span></div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The <span class="docEmphStrong" style="font-weight: bold;">show</span> command output in Example below shows one ISAKMP SA and two IPsec SAs established. The packet count for each of the IPsec SAs, along with the negotiated parameters, are also shown.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list19"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . Sample Output for the <span class="docEmphStrong" style="font-weight: bold;">show crypto engine connection active</span> Command</h5><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="idd1e71677"></a><a href="" name="idd1e71680"></a></span><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">show crypto engine connection active</span>
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 &lt;none&gt; &lt;none&gt; set HMAC_SHA+3DES_56_C 0 0
<span class="docEmphMark" style="background-color: #999999;">!Shown above is the ISAKMP SA. It shows the hashing algorithm, SHA-HMAC, which is</span>
<span class="docEmphMark" style="background-color: #999999;">!being used for authentication, as well as the encryption algorithm, 3DES, used to</span>
<span class="docEmphMark" style="background-color: #999999;">!encrypt the IKE negotiation messages. The encrypt and decrypt counts are 0</span>
<span class="docEmphMark" style="background-color: #999999;">!because the ISAKMP SA is not used to encrypt and decrypt data.</span>
2029 Ethernet1/0 172.16.172.10 set HMAC_MD5+3DES_56_C 0 4
2030 Ethernet1/0 172.16.172.10 set HMAC_MD5+3DES_56_C 4 0
<span class="docEmphMark" style="background-color: #999999;">!Shown above are the two IPsec SAs. They show the hashing algorithm, MD5-HMAC</span>
<span class="docEmphMark" style="background-color: #999999;">!(esp-md5-hmac in the transform set), which is used for message integrity checking,</span>
<span class="docEmphMark" style="background-color: #999999;">!as well as the encryption algorithm, 3DES, used to encrypt the ESP packets. The</span>
<span class="docEmphMark" style="background-color: #999999;">!first SA (conn_id 2029) is the incoming SA, because its packet count shows only</span>
<span class="docEmphMark" style="background-color: #999999;">!decrypts. The other (conn_id 2030) is the outgoing SA, showing only encrypts.</span>
</pre><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The <span class="docEmphStrong" style="font-weight: bold;">show</span> command in Example below shows the ISAKMP SA. It is in QM_IDLE state, meaning that Phase 1 has completed: the ISAKMP SA is authenticated and is available for quick mode exchanges (the quick mode that produced the IPsec SAs above has already run over it). QM_IDLE by itself does not prove that IPsec SAs exist; confirm that with <span class="docEmphStrong" style="font-weight: bold;">show crypto ipsec sa</span>.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list20"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . Sample Output for the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> Command</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span>
dst src state conn-id slot
172.16.172.20 172.16.172.10 QM_IDLE 1 0
</pre><br />
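<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The debug output above prints the outbound SPI as a signed decimal (-343614331) while the SADB lines print the same SA as 0xEB84DC85, and the two <span class="docEmphStrong" style="font-weight: bold;">show</span> outputs identify the SAs only by conn_id and by which counter moves. The following Python script, added here as an example and not taken from the original text, joins the three views: it normalises the SPIs, pairs the IKE-negotiated SAs with the crypto engine counters, flags any SA whose counters contradict its negotiated direction, and classifies the ISAKMP SA state using the state tables in the next section (accepting both the older OAK_ prefix and the bare form). The sample strings are the page's own output re-typed as constructed input; the regular expressions are assumptions about that layout and may need adjusting for other IOS releases.</div>

```python
"""Correlate Cisco IOS IPsec debug and show output into one SA view.
Added example, not from the original page; the sample strings are the page's
own output re-typed as constructed input, and the regular expressions are
assumptions about that output's layout."""
import re

# Constructed sample: the "Creating IPsec SAs" lines from the debug example.
DEBUG_OUTPUT = """\
ISAKMP (0:1): Creating IPsec SAs
inbound SA from 172.16.172.20 to 172.16.172.10(proxy 10.1.2.0 to 10.1.1.0)
has spi 0x8EAB0B22 and conn_id 2029 and flags 4
lifetime of 3600 seconds lifetime of 4608000 kilobytes
outbound SA from 172.16.172.10 to 172.16.172.20 (proxy 10.1.1.0 to 10.1.2.0)
has spi -343614331 and conn_id 2030 and flags C
lifetime of 3600 seconds lifetime of 4608000 kilobytes
"""
# Constructed sample: show crypto engine connection active.
SHOW_ENGINE = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 <none> <none> set HMAC_SHA+3DES_56_C 0 0
2029 Ethernet1/0 172.16.172.10 set HMAC_MD5+3DES_56_C 0 4
2030 Ethernet1/0 172.16.172.10 set HMAC_MD5+3DES_56_C 4 0
"""
# Constructed sample: show crypto isakmp sa.
SHOW_ISAKMP = """\
dst src state conn-id slot
172.16.172.20 172.16.172.10 QM_IDLE 1 0
"""

SA_RE = re.compile(
    r"(?P<dir>inbound|outbound) SA from (?P<src>[\d.]+) to (?P<dst>[\d.]+)\s*"
    r"\(proxy (?P<psrc>[\d.]+) to (?P<pdst>[\d.]+)\)\s*"
    r"has spi (?P<spi>-?(?:0x[0-9A-Fa-f]+|\d+)) and conn_id (?P<conn>\d+)")
ENGINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<ip>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<alg>\S+)\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s*$", re.MULTILINE)
ISAKMP_RE = re.compile(
    r"^(?P<dst>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+\d+\s*$",
    re.MULTILINE)

# ISAKMP SA states as tabulated in the next section: state -> (phase, meaning).
ISAKMP_STATES = {
    "MM_NO_STATE": ("phase1-main", "SA created, nothing exchanged yet"),
    "MM_SA_SETUP": ("phase1-main", "ISAKMP SA parameters agreed"),
    "MM_KEY_EXCH": ("phase1-main", "DH secret generated, SA not yet authenticated"),
    "MM_KEY_AUTH": ("phase1-main", "ISAKMP SA authenticated"),
    "AG_NO_STATE": ("phase1-aggressive", "SA created, nothing exchanged yet"),
    "AG_INIT_EXCH": ("phase1-aggressive", "first exchange done, SA not authenticated"),
    "AG_AUTH": ("phase1-aggressive", "ISAKMP SA authenticated"),
    "QM_IDLE": ("phase1-complete", "authenticated and idle, usable for quick mode"),
}

def spi_to_unsigned(text):
    """IOS prints an SPI as hex (0x8EAB0B22) or as a signed 32-bit decimal
    (-343614331 is 0xEB84DC85); normalise both to an unsigned int."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return value & 0xFFFFFFFF

def classify_isakmp_state(state):
    """Map a show crypto isakmp sa state to (phase, meaning); older IOS prefixes
    the state with OAK_ as in the tables, newer releases print it bare."""
    key = state[4:] if state.startswith("OAK_") else state
    return ISAKMP_STATES.get(key, ("unknown", "state not in the tables"))

def correlate(debug_text, engine_text, isakmp_text):
    """Join IKE-negotiated IPsec SAs (keyed by conn_id) with the crypto engine
    counters, and classify every ISAKMP SA state."""
    sas = {}
    for m in SA_RE.finditer(debug_text):
        sas[int(m["conn"])] = {"direction": m["dir"], "spi": spi_to_unsigned(m["spi"]),
                               "proxy": (m["psrc"], m["pdst"]),
                               "algorithm": None, "encrypt": None, "decrypt": None}
    for m in ENGINE_RE.finditer(engine_text):
        cid = int(m["id"])
        if cid in sas:  # conn 1 is the ISAKMP SA, which carries no user data
            sas[cid].update(algorithm=m["alg"], encrypt=int(m["enc"]), decrypt=int(m["dec"]))
    isakmp = [(m["src"], m["dst"], m["state"], *classify_isakmp_state(m["state"]))
              for m in ISAKMP_RE.finditer(isakmp_text)]
    return sas, isakmp

def check_directions(sas):
    """conn_ids whose counters contradict the negotiated direction (an inbound SA
    only decrypts, an outbound SA only encrypts) or that the engine does not list."""
    bad = []
    for cid, sa in sas.items():
        if sa["encrypt"] is None:
            bad.append(cid)
        elif sa["direction"] == "inbound" and sa["encrypt"]:
            bad.append(cid)
        elif sa["direction"] == "outbound" and sa["decrypt"]:
            bad.append(cid)
    return sorted(bad)

if __name__ == "__main__":
    sas, isakmp = correlate(DEBUG_OUTPUT, SHOW_ENGINE, SHOW_ISAKMP)
    for src, dst, state, phase, meaning in isakmp:
        print(f"ISAKMP {src} -> {dst}: {state} [{phase}] {meaning}")
    for cid, sa in sorted(sas.items()):
        print(f"conn {cid} {sa['direction']:8} spi 0x{sa['spi']:08X} {sa['algorithm']} "
              f"encrypt={sa['encrypt']} decrypt={sa['decrypt']}")
    print("direction mismatches:", check_directions(sas))
```

<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Run against the page's output the script reports one ISAKMP SA in phase1-complete (QM_IDLE), conn 2029 as the inbound SA with SPI 0x8EAB0B22 and four decrypts, conn 2030 as the outbound SA with SPI 0xEB84DC85 and four encrypts, and no direction mismatches. On a live router the same correlation (conn_id from the debug, counters from the engine, state from the ISAKMP SA) is what tells you whether a tunnel that IKE reports as established is actually carrying traffic in both directions.</div>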
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA passes through a number of states as the negotiation progresses. The following tables list these states; they are a useful reference when you are using <span class="docEmphStrong" style="font-weight: bold;">show</span> command output to find out how far a negotiation has progressed. Table below shows the states displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> command when main mode is being negotiated.<a href="" name="idd1e71768"></a><a href="" name="idd1e71771"></a><a href="" name="idd1e71776"></a><a href="" name="idd1e71781"></a><a href="" name="idd1e71786"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24table07"></a></span><div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><table cellpadding="4" cellspacing="0" frame="hsides" rules="rows"><caption><h5 class="docTableTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Table . States Displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> Command When Main Mode Is Being Negotiated</h5></caption><colgroup><col></col><col></col></colgroup><thead>
<tr><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">State</span></div></th><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">Description</span></div></th></tr>
</thead><tbody>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_MM_NO_STATE</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage; there is no state.</div></td></tr>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_MM_SA_SETUP</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The peers have agreed on parameters for the ISAKMP SA.</div></td></tr>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_MM_KEY_EXCH</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.</div></td></tr>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_MM_KEY_AUTH</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE, and a quick mode exchange begins.</div></td></tr>
</tbody></table><br />
<span class="Apple-style-span" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: xx-small;">Table below shows the states displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> command when aggressive mode is being negotiated.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24table08"></a></span><div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><table cellpadding="4" cellspacing="0" frame="hsides" rules="rows"><caption><h5 class="docTableTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Table . States Displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> Command When Aggressive Mode Is Being Negotiated</h5></caption><colgroup><col></col><col></col></colgroup><thead>
<tr><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">State</span></div></th><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">Description</span></div></th></tr>
</thead><tbody>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_AG_NO_STATE</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage; there is no state.</div></td></tr>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_AG_INIT_EXCH</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The peers have done the first exchange in aggressive mode, but the SA is not authenticated.</div></td></tr>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_AG_AUTH</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to OAK_QM_IDLE, and a quick mode exchange begins.</div></td></tr>
</tbody></table><br />
<span class="Apple-style-span" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: xx-small;">Table below shows the state displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> command when quick mode is being negotiated or has been negotiated. In general, the states shown in these tables are the ones most commonly seen. Other states may also appear, but those shown here are by far the most important.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24table09"></a></span><br />
<div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><table cellpadding="4" cellspacing="0" frame="hsides" rules="rows"><caption><h5 class="docTableTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Table . State Displayed in the <span class="docEmphStrong" style="font-weight: bold;">show crypto isakmp sa</span> Command When Quick Mode Is Being Negotiated or Has Been Negotiated</h5></caption><colgroup><col></col><col></col></colgroup><thead>
<tr><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">State</span></div></th><th align="left" class="thead" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">Description</span></div></th></tr>
</thead><tbody>
<tr><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">OAK_QM_IDLE</div></td><td align="left" class="docTableCell" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;" valign="top"><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.</div></td></tr>
</tbody></table><br />
<br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The <span class="docEmphStrong" style="font-weight: bold;">show</span> commands in Example below show the packets, counts, SPI, and various other parameters for both of the IPsec SAs in place between the two routers.<a href="" name="idd1e71978"></a><a href="" name="idd1e71983"></a><a href="" name="idd1e71988"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list21"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . Sample Output for the <span class="docEmphStrong" style="font-weight: bold;">show crypto IPsec sa</span> Command</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">show crypto IPsec sa</span>
interface: Ethernet1/0
Crypto map tag: vpn, local addr. 172.16.172.10<a href="" name="idd1e72008"></a><a href="" name="idd1e72011"></a>
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 172.16.172.20
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20
path mtu 1500, media mtu 1500
current outbound spi: EB84DC85
inbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2029, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3347)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2030, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607999/3347)
IV size: 8 bytes
replay detection support: Y
</pre><br />
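<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The counters in that output are what an operator reads first, so the following added example (not code from the book) parses an abridged copy of the same <span class="docEmphStrong" style="font-weight: bold;">show crypto ipsec sa</span> output and applies the usual first-pass checks: an SA missing in one direction, one-way traffic (encaps without decaps or the reverse), send errors, and transforms that RFC 8221 now rates MUST NOT or SHOULD NOT. The regular expressions, the legacy-transform set and the reading of "send errors" as packets dropped before an SA existed are the example's own assumptions.</div>

```python
"""Parse 'show crypto ipsec sa' output and apply first-pass checks.

Added example, not from the book. SAMPLE is an abridged copy of the
output shown in the example above (prompt and compression lines removed).
"""
import re

SAMPLE = """\
interface: Ethernet1/0
Crypto map tag: vpn, local addr. 172.16.172.10
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 172.16.172.20
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 6, #recv errors 0
local crypto endpt.: 172.16.172.10, remote crypto endpt.: 172.16.172.20
path mtu 1500, media mtu 1500
current outbound spi: EB84DC85
inbound esp sas:
spi: 0x8EAB0B22(2393574178)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4607998/3347)
outbound esp sas:
spi: 0xEB84DC85(3951352965)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4607999/3347)
"""

# RFC 8221: DES and HMAC-MD5-96 are MUST NOT, 3DES is SHOULD NOT (assumption: list kept short).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ipsec_sa(text):
    """Return peer, proxy identities, packet counters and the per-direction ESP SAs."""
    sa = {"inbound": [], "outbound": []}
    direction = None                      # which 'esp sas:' block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer: (\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"(local|remote) ident \S+: \((\S+)\)", line):
            sa[m.group(1) + "_ident"] = m.group(2)
        elif m := re.match(r"#pkts encaps: (\d+), #pkts encrypt: (\d+)", line):
            sa["encaps"], sa["encrypt"] = map(int, m.groups())
        elif m := re.match(r"#pkts decaps: (\d+), #pkts decrypt: (\d+)", line):
            sa["decaps"], sa["decrypt"] = map(int, m.groups())
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = map(int, m.groups())
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            sa[direction].append({"spi": m.group(1).upper()})
        elif direction and sa[direction] and (m := re.match(r"transform: (.*)", line)):
            sa[direction][-1]["transform"] = m.group(1).rstrip(" ,").split()
        elif direction and sa[direction] and (
                m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line)):
            sa[direction][-1]["kb_left"], sa[direction][-1]["sec_left"] = map(int, m.groups())
    return sa


def diagnose(sa):
    """First-pass checks on one parsed SA pair; returns human-readable findings."""
    findings = []
    if not sa["inbound"] or not sa["outbound"]:
        findings.append("missing ESP SA in one direction: phase 2 never completed")
    encaps, decaps = sa.get("encaps", 0), sa.get("decaps", 0)
    if encaps and not decaps:
        findings.append("one-way: encrypting but nothing decrypted; check the peer's "
                        "crypto ACL and the return route to this subnet")
    elif decaps and not encaps:
        findings.append("one-way: decrypting but nothing encrypted; check local routing "
                        "to the crypto-map interface and the interesting-traffic ACL")
    if sa.get("send_errors", 0):
        # Assumption: these are packets dropped before encryption, commonly the ones
        # that triggered SA negotiation and were discarded while it completed.
        findings.append(f"{sa['send_errors']} send errors: packets dropped before "
                        "encryption, typically while the SA was still being negotiated")
    legacy = sorted({t for d in ("inbound", "outbound") for e in sa[d]
                     for t in e.get("transform", []) if t in LEGACY_TRANSFORMS})
    if legacy:
        findings.append("legacy transform in use (RFC 8221 MUST NOT / SHOULD NOT): "
                        + ", ".join(legacy))
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(f"peer {parsed['peer']}: {parsed['local_ident']} <-> {parsed['remote_ident']}")
    for finding in diagnose(parsed):
        print(" -", finding)
```

<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Run against the output above it reports the six send errors and flags esp-3des with esp-md5-hmac as a legacy transform set; zeroing the decaps counter in the sample makes it report the one-way case instead. The parser is deliberately line-oriented so it can be fed a saved capture or the live command output unchanged.</div>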
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev2sec19"></a></span><h4 class="docSection2Title" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: medium; font-weight: bold;">Commonly Seen IPsec Problems and Resolutions</h4><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec issues can arise for a wide variety of reasons. This section discusses some of the more common problems with setting up IPsec tunnels and keeping them working.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec14"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Incompatible ISAKMP Policy or Preshared Key</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">It is important for the ISAKMP preshared key, if that is the method of authentication being used, to match on the two IPsec peers. If it does not, the tunnel does not come up, and the failure occurs in phase 1 of ISAKMP. A mismatched key does not produce an explicit "wrong key" message: the fifth and sixth main mode messages are encrypted with keying material derived from the preshared key, so the receiver decrypts them to garbage and reports a malformed message instead.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Example below shows the debugs seen on a Cisco IOS router when the preshared keys do not match.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list22"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . 
Sample Debug Output Seen on a Cisco IOS Router When the Preshared Keys Configured on It and Its Peer Do Not Match</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ISAKMP</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span>
ISAKMP: reserved no zero on payload 5!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 155.0.0.1 failed its
sanity check or is malformed
</pre><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">It is also important for at least one ISAKMP policy on the two peers to match: the encryption algorithm, hash, authentication method, and Diffie-Hellman group of some policy on one peer must equal those of some policy on the other. If this does not happen, phase 1 of ISAKMP fails.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Example below contains sample debugs seen on a router when ISAKMP policies fail to match.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list23"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . Sample Debug Output Seen on a Router When ISAKMP Policies Fail to Match</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ISAKMP</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span>
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!
</pre><br />
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec15"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Incorrect Access Lists for Interesting Traffic</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">For IPsec to work correctly, the access control lists on the two peers must define interesting traffic such that the two peers can agree that they want to encrypt the same traffic. In most cases, the access lists configured on the two peers are exact reflections of each other. However, it is permissible for the traffic specified by an access list defined on one peer to be a subset of the traffic specified by the access list configured on the other peer. In the case of VPN clients, dynamic crypto maps need to be used to get over the problem of the VPN clients coming from an unknown IP address.<a href="" name="idd1e72100"></a><a href="" name="idd1e72105"></a></div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Example below shows the debugs that appear on the routers when the access lists configured on two peers negotiating IPsec are neither the same nor the subsets of each other.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24list24"></a></span><h5 class="docExampleTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Example . 
Sample Debug Output When the Access Lists Configured on Two Peers Negotiating IPsec Are Neither the Same Nor Subsets of Each Other</h5><pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;">Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ISAKMP</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto engine</span>
Router#<span class="docEmphStrong" style="font-weight: bold;">debug crypto ipsec</span>
3d00h: IPsec(validate_transform_proposal): proxy identities not supported
3d00h: ISAKMP (0:3): IPsec policy invalidated proposal
3d00h: ISAKMP (0:3): phase 2 SA not acceptable!
</pre><br />
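<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The three debug captures above each point at a different configuration item, and the phase they fail in tells you which to compare first, because phase 2 cannot start until phase 1 has succeeded. The following added example (not code from the book) turns that into a small triage routine: it strips the command prompts, matches the debug lines against the signatures shown in the three examples, reports the earliest failing phase with its evidence lines, and treats a capture with no ISAKMP output at all as its own symptom (negotiation never started, typically because the crypto map is not on the egress interface or the packet never reached it). The three captures are the debug excerpts from this section; the silent capture and the signature table are constructed for the example.</div>

```python
"""Triage 'debug crypto isakmp' / 'debug crypto ipsec' output.

Added example, not from the book. Decides which phase failed and what to
compare on the two peers. Captures below are the excerpts from this section;
SILENT is constructed.
"""
import re

PSK_MISMATCH = """\
Router#debug crypto ISAKMP
Router#debug crypto engine
Router#debug crypto ipsec
ISAKMP: reserved no zero on payload 5!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 155.0.0.1 failed its
sanity check or is malformed
"""

POLICY_MISMATCH = """\
Router#debug crypto ISAKMP
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!
"""

ACL_MISMATCH = """\
Router#debug crypto ipsec
3d00h: IPsec(validate_transform_proposal): proxy identities not supported
3d00h: ISAKMP (0:3): IPsec policy invalidated proposal
3d00h: ISAKMP (0:3): phase 2 SA not acceptable!
"""

SILENT = "Router#debug crypto ISAKMP\nRouter#debug crypto ipsec\n"   # constructed

# (regex over one debug line, phase, diagnosis, what to compare on both peers).
# Phase 1 entries come first: a phase 1 failure explains any later noise.
SIGNATURES = [
    (r"reserved no zero on payload|IKMP_BAD_MESSAGE|failed its sanity check", 1,
     "preshared key mismatch: encrypted main mode payloads decrypt to garbage",
     "crypto isakmp key <key> address <peer>"),
    (r"does not match policy|atts are not acceptable|no offers accepted|phase 1 SA not acceptable", 1,
     "no ISAKMP policy in common",
     "crypto isakmp policy: encryption, hash, authentication, group"),
    (r"proxy identities not supported|IPsec policy invalidated proposal|phase 2 SA not acceptable", 2,
     "crypto ACL (proxy identity) mismatch",
     "crypto map 'match address' ACLs: mirror images, or one a subset of the other"),
]

PROMPT = re.compile(r"\S+#")                     # 'Router#debug ...' lines
NEGOTIATION = re.compile(r"ISAKMP|IKMP|IPsec\(")  # any sign that IKE ran at all


def triage(debug_output):
    """Return the earliest failing phase, its evidence lines and the config to compare."""
    lines = [l.strip() for l in debug_output.splitlines()
             if l.strip() and not PROMPT.match(l.strip())]
    if not any(NEGOTIATION.search(l) for l in lines):
        return {"phase": 0, "evidence": [],
                "diagnosis": "no ISAKMP/IPsec debug output: negotiation never started",
                "compare": "crypto map on the egress interface; route to the peer; UDP/500 not filtered"}
    best = None
    for pattern, phase, diagnosis, compare in SIGNATURES:
        evidence = [l for l in lines if re.search(pattern, l)]
        if evidence and (best is None or phase < best["phase"]):
            best = {"phase": phase, "diagnosis": diagnosis,
                    "compare": compare, "evidence": evidence}
    if best is None:
        return {"phase": None, "diagnosis": "unrecognised failure",
                "compare": "", "evidence": lines}
    return best


if __name__ == "__main__":
    for name, capture in (("psk", PSK_MISMATCH), ("policy", POLICY_MISMATCH),
                          ("acl", ACL_MISMATCH), ("silent", SILENT)):
        r = triage(capture)
        print(f"{name}: phase {r['phase']}: {r['diagnosis']} -> compare {r['compare']}")
```

<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The precedence rule matters when a capture mixes phase 1 and phase 2 lines: the phase 1 diagnosis wins, because fixing a policy or key mismatch usually makes the phase 2 lines disappear on their own.</div>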
<span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec16"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Crypto Map Is on the Wrong Interface</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Generally, the crypto map needs to be applied to the outgoing interface of the router or the PIX. Not applying the map to the egress interface stops IPsec from kicking in at all, and no ISAKMP debugs are generated. The crypto map needs to be applied to tunnel interfaces as well if you are using GRE with IPsec. In general, if a logical interface is used in conjunction with a physical interface to pass IPsec traffic, the crypto map needs to be applied to both of them. That requirement applies to older Cisco IOS releases; from Cisco IOS Release 12.2(13)T onward the crypto map is applied only to the physical interface, and an IPsec profile attached to the tunnel with <span class="docEmphStrong" style="font-weight: bold;">tunnel protection ipsec profile</span> can replace the crypto map for GRE tunnels altogether.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec17"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Routing Issues</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Routing can play an important role in bringing up an IPsec tunnel successfully. Keep in mind the following points when examining routing issues in IPsec implementations:</div><ul style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">A packet needs to be routed to the interface that has the crypto map configured on it before IPsec kicks in.</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Routes must exist not only for the router to reach its peer's address but also for the destination subnets in the IP headers of the packets after they have been decrypted.</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Use the <span class="docEmphStrong" style="font-weight: bold;">debug ip packet</span> <span class="docEmphasis" style="font-style: italic;">acl</span> <span class="docEmphStrong" style="font-weight: bold;">detailed</span> command to see if the routing is occurring correctly.</div></li>
</ul><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec18"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Bypassing NAT</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">We have already discussed how NAT can be bypassed on a router for traffic that is to be encapsulated in an IPsec tunnel.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">On the PIX Firewall, the <span class="docEmphStrong" style="font-weight: bold;">nat (inside) 0 access-list</span> command can be used to bypass NAT in a fashion similar to the routers.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec19"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Time Settings for Certificates</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Digital certificates are issued for a time frame. They become invalid after that and are invalid before the time frame starts. The clock and calendar of the machine on which the certificates are installed are used to determine the certificates' validity. 
It is important to have the correct time and date configured on the router or the PIX using certificates so that they can function properly. Rather than setting the clock by hand, synchronize it with NTP (the <span class="docEmphStrong" style="font-weight: bold;">ntp server</span> command) so that it stays correct across reloads; a peer whose clock lies outside the certificate's validity period fails phase 1 even though every other setting is correct.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec20"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">Firewall or Access List Is Blocking IPsec Negotiations or Traffic</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">A firewall in the middle of an IPsec tunnel must allow the following protocols to go through it for IPsec to function properly:</div><ul style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">ESP (IP protocol 50) and/or AH (IP protocol 51)</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">UDP port 500 (ISAKMP/IKE), plus UDP port 4500 if NAT traversal (NAT-T) is in use, because NAT-T carries both IKE and the ESP packets over that port</div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The IPsec router, if it has an access list configured on the egress interface, must have holes in that access list not only for these two protocols but also to accommodate the fact that the incoming access list is applied twice to the IPsec traffic. See the discussion at the start of this section for details.</div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24lev3sec21"></a></span><h5 class="docSection3Title" style="color: #333333; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;">IPsec MTU Issues</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec adds significant overhead to the original IP packet being encapsulated. Therefore, it is possible that the new encapsulated packet's size might be more than the MTU on certain segments over which the IPsec packets must pass. Normal Path MTU mechanisms using ICMP packets can take care of fixing the MTU size, but when such ICMPs are blocked by a firewall or an access list somewhere along the path that the IPsec packet takes, issues can arise. The symptoms of these issues are often the inability of users to run applications such as e-mail and large file FTPs across the IPsec tunnel. Figure below shows how Path MTU discovery with IPsec works. If a router in the path of the packet being sent by the end host is unable to transmit the frame using the size of the frame it has received, it sends back an ICMP packet to the end host, asking for the packet size to be reduced to the maximum size the router can support. The end host then transmits the packets in frames of reduced size, which the router can transmit. 
This process is repeated as necessary by all the routers in the path of the packets transmitted by the end host.<a href="" name="idd1e72270"></a><a href="" name="idd1e72277"></a><a href="" name="idd1e72282"></a><a href="" name="idd1e72287"></a></div><span class="Apple-style-span" style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><a href="" name="ch24fig03"></a></span><div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><center style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><h5 class="docFigureTitle" style="color: black; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; font-weight: bold;">Figure . IPsec Path MTU</h5><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><img alt="graphics/24fig03.gif" border="0" height="295" src="http://book.soundonair.ru/cisco/images/1587050250/graphics/24fig03.gif" width="500" /></div></center><div style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"></div><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">However, there are situations in which the ICMP packets generated in the fashion previously described are blocked (perhaps by a firewall) from reaching the end host. The end host then never finds out that there is a problem with the size of the packets it is sending and continues sending large frames, which are dropped by the device that does not have an MTU large enough to accommodate them. Another situation arises when the end host does receive the ICMP packets but, due to a bug or faulty implementation of the TCP/IP stack, does not reduce its packet size. The result is the same as described for ICMPs being blocked from reaching the end host.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">In both of these cases, two options remain for the network administrator to fix the problem:</div><ul style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Setting up the TCP MSS on an edge router, forcing a small TCP MSS to be negotiated</div></li>
<li><div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Manually reducing the MTU on the end hosts that are not receiving the ICMP packets or are choosing to ignore them</div></li>
</ul><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">To use either of these methods, you must know how to calculate the size of the packet after the IPsec header has been added. The following formula is used to calculate the size to which the original IP packet must be restricted to remain within the smallest MTU available on the path that is traversed by the IPsec tunnel:<a href="" name="idd1e72328"></a><a href="" name="idd1e72333"></a><a href="" name="idd1e72338"></a><a href="" name="idd1e72343"></a></div><blockquote style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">maximum original packet size allowed = floor((IPsec packet size allowed),8) - (IPsec header+SPI+sequence number+HMAC) - (IV+pad+pad length+next header)</div></blockquote><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">where</div><blockquote style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IPsec header = 20 bytes in ESP tunnel mode (the new outer IP header that tunnel mode adds)</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">SPI (Security Parameter Index) = 4 bytes</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Sequence number = 4 bytes</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">ESP-HMAC MD5/SHA 96 digest = 12 bytes</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">IV (Initialization Vector) = 8 bytes</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Pad = 1 byte</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Pad length = 1 byte</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Next header = 1 byte</div><br />
<br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The floor function here is calculated by finding the largest whole number (a number such as 1200.0 or 1300.0, not 1200.345 or 1300.897) that is fully divisible by 8 <span class="docEmphasis" style="font-style: italic;">and</span> that is not greater than "IPsec packet size allowed." For example, if the IPsec packet size allowed is 876, the floor to 8 would be 872, because 872 is fully divisible by 8 (872 / 8 = 109.0) and 872 is the largest such number that does not exceed 876. If the allowed size is itself a multiple of 8, such as 1328, the floor is that number.</div></blockquote><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;"><br />
</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">A sample calculation is shown next. In this case, the network administrator has found out that the smallest MTU on the IPsec tunnel path is 1330 bytes:</div><blockquote style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">maximum original packet size allowed = floor((1330),8) - (20+4+4+12) - (8+1+1+1) = 1328 - 40 - 11 = 1277</div></blockquote><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Therefore, the network administrator can manually configure the end host not to send a packet larger than 1277 bytes.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">If the network administrator does not want to change the MTU on the end hosts, such as when there are too many of them, he or she can instead use the <span class="docEmphStrong" style="font-weight: bold;">ip tcp adjust-mss</span> interface command on the ingress interface of the router that is the default gateway for the end hosts:</div>
<pre style="color: #790029; font-family: 'Andale Mono', 'Courier New', Courier, monospace; font-size: x-small;"><span class="docEmphStrong" style="font-weight: bold;">ip tcp adjust-mss</span> <span class="docEmphasis" style="font-style: italic;">number</span>
</pre><br />
<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">This command makes the router inspect the TCP SYN segments passing through the interface and rewrite the TCP MSS option down to the configured number whenever the advertised value is larger. Because the MSS is carried in the SYN, both end hosts behind the two IPsec peers then use the clamped value for that connection and never produce a TCP segment too large for the tunnel. Only TCP carries an MSS, so this method does nothing for large UDP or ICMP packets; those still require the host MTU to be reduced.</div><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The number is calculated by subtracting the IP and TCP headers (20 bytes each, without options) from the maximum original packet size:</div><blockquote style="font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;"><br />
<div class="docList" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">Maximum TCP MSS value allowed = maximum original packet size allowed - 40 (20-byte IP header + 20-byte TCP header)</div></blockquote><div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">So, in the case of our example, the TCP MSS number would be 1277 - 40 = 1237 bytes.</div><br />
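<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">The MTU budget and the MSS clamp above are easy to get wrong by a few bytes, so the following added example (not code from the book) carries the page's formula through as code for the esp-3des / esp-md5-hmac transform set, derives the <span class="docEmphStrong" style="font-weight: bold;">ip tcp adjust-mss</span> value from it, and cross-checks the answer by computing the actual on-wire size of the resulting ESP packet from the RFC 4303 layout. It also includes a general form of the budget for other CBC transform sets (for example AES-CBC with its 16-byte IV and block); that generalization is the example's own, not the page's, and the constants, function names and the AES figures are assumptions made for the example.</div>

```python
"""ESP tunnel-mode MTU budget and TCP MSS clamp, worked as code.

Added example, not from the book. Implements the page's formula for the
esp-3des / esp-md5-hmac transform set and cross-checks it against the
on-wire ESP packet size. max_inner_size() is a general form for other
CBC transform sets (assumption: same header layout, different IV/block/ICV).
"""

# Fixed ESP tunnel-mode overhead for the transform set on this page (bytes).
OUTER_IP_HEADER = 20      # new IPv4 header that tunnel mode adds
SPI = 4
SEQUENCE_NUMBER = 4
HMAC_96 = 12              # esp-md5-hmac / esp-sha-hmac truncated digest (ICV)
IV_3DES = 8               # 3DES-CBC IV
BLOCK_3DES = 8            # block size the ESP payload is padded to
PAD = 1                   # the page budgets a single pad byte
PAD_LENGTH = 1
NEXT_HEADER = 1
IP_PLUS_TCP_HEADER = 40   # 20-byte IP + 20-byte TCP header, no options


def floor_to(value: int, multiple: int) -> int:
    """Largest multiple of `multiple` that is not greater than `value`."""
    return value - (value % multiple)


def max_original_packet_size(path_mtu: int) -> int:
    """The page's formula: floor the path MTU to the cipher block size, then
    subtract the ESP header and trailer overhead."""
    return (floor_to(path_mtu, BLOCK_3DES)
            - (OUTER_IP_HEADER + SPI + SEQUENCE_NUMBER + HMAC_96)
            - (IV_3DES + PAD + PAD_LENGTH + NEXT_HEADER))


def tcp_mss_for(path_mtu: int) -> int:
    """Value for 'ip tcp adjust-mss': the inner packet budget minus IP+TCP headers."""
    return max_original_packet_size(path_mtu) - IP_PLUS_TCP_HEADER


def esp_packet_size(inner_len: int, iv: int = IV_3DES, block: int = BLOCK_3DES,
                    icv: int = HMAC_96) -> int:
    """On-wire size of an ESP tunnel-mode packet carrying `inner_len` bytes.
    RFC 4303 pads so that payload + pad + pad-length + next-header is a
    multiple of the cipher block size; the pad may be zero bytes long."""
    trailer = PAD_LENGTH + NEXT_HEADER
    pad = (-(inner_len + trailer)) % block
    return (OUTER_IP_HEADER + SPI + SEQUENCE_NUMBER + iv
            + inner_len + pad + trailer + icv)


def fits(inner_len: int, path_mtu: int, **transform) -> bool:
    """True if the encapsulated packet needs no fragmentation on `path_mtu`."""
    return esp_packet_size(inner_len, **transform) <= path_mtu


def max_inner_size(path_mtu: int, iv: int = IV_3DES, block: int = BLOCK_3DES,
                   icv: int = HMAC_96) -> int:
    """General form (example's own): the largest inner packet whose ESP
    encapsulation still fits `path_mtu`. It does not reserve a pad byte, so
    with the page's parameters it returns one byte more than the page's
    formula; the page's answer is simply one byte more conservative."""
    fixed = OUTER_IP_HEADER + SPI + SEQUENCE_NUMBER + iv + icv
    return floor_to(path_mtu - fixed, block) - (PAD_LENGTH + NEXT_HEADER)


if __name__ == "__main__":
    mtu = 1330                                  # smallest MTU on the tunnel path
    inner = max_original_packet_size(mtu)       # 1277, as on the page
    print(f"path MTU {mtu}: inner packet <= {inner} bytes, "
          f"ip tcp adjust-mss {tcp_mss_for(mtu)}, on-wire {esp_packet_size(inner)} bytes")
    print("general budget for the same transform set:", max_inner_size(mtu))
    # AES-CBC (16-byte IV and block) with HMAC-SHA1-96 on a 1500-byte path
    print("AES-CBC/SHA1-96 on 1500:", max_inner_size(1500, iv=16, block=16, icv=12))
```

<div class="docText" style="color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small;">For the page's 1330-byte path the code reproduces 1277 bytes and an MSS of 1237, and the on-wire check confirms that a 1277-byte packet encapsulates to 1328 bytes. The page's floor-to-8 shortcut relies on the 3DES overhead being a multiple of 8; it is not tight for 16-byte-block ciphers, which is why the general form computes the budget from the fixed overhead and the block size instead.</div>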
</div>