Dear Sir,
I have a problem.
I need to connect a Cisco ASA 5510 to Microsoft ISA 2006 over an IPsec tunnel.
My ASA expert says everything is configured, and my ISA contact says the same. But:
When the ASA tries to establish the tunnel, the log status I get is: MM_WAIT_MSG2
When the ISA tries to establish the tunnel, the log status I get is: MM_WAIT_MSG3
And I monitored the Internet traffic outside of the ISA and did not get any packets from the Cisco over the Internet. NOTHING; the Cisco seems to be muted.
From the ISA I can reach the ASA, because I see the log, but from the other side there is nothing.
Could the problem be the heavy network traffic? Because I ran nmap against the ISA's UDP port 500 and it responded only in 6.03 sec.
Thank you
Akos
If it is really deleted from flash, you will need to connect to the ASA with a console cable, start up a TFTP server on your PC, and in TFTP copy your ASA image file (.bin - on the CD that you got with the ASA) so that you can get it from the PC to the ASA.
Then use the tftpdnld command to set all the parameters on the ASA and start the download of the file from your PC ... after it has been done, just reboot the ASA :)
Use the ping command to check the network or find whether the application server is reachable from your network. It can be a problem with the maximum segment size (MSS) for transient packets that traverse a router or PIX/ASA device, specifically TCP segments with the SYN bit set.
Yes, it is possible and Yes you have to purchase it from Cisco.
Sorry, that is how they make the big bucks.
Consider a service contract on the unit, then you can download the firmware much cheaper.
Yes. The firewall will restart. Just be sure to save your running config to memory before turning off. For that you must issue the command: write memory.
On the Cisco ASA side, try watching the debug logs on the console after entering the following commands (may vary depending on version):
debug crypto engine 150
debug crypto isakmp 255
debug crypto ipsec 255
(**have the command 'undebug all' handy, as you could get flooded off of the box - you can paste it in at any time to revert to normal logging**)
Try generating a connection from either of the encryption domains, and after you get an acceptable amount of 'spammed' debug messages on the ASA console, 'undebug all' and review. You should get a hint from these messages as to where your problem lies. Try Googling some of the output, as many of the messages won't turn up anything on Cisco's site, as these are typically reserved for Cisco TAC cases. Paste some in here if you feel it will help. Other than that, possibly consider running Cisco's Client VPN software if this is the kind of VPN you're trying to build up, just to avoid any potential interoperability issues.
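Added example, not part of the original answer or of any Cisco tooling: a small Python triage of the two stalled Main Mode states from the question, working out which packet direction has never been shown to carry IKE traffic. The sample output is constructed in the layout of 'show crypto isakmp sa', and the peer address 203.0.113.10 and all function names are assumptions.

```python
import re

# Constructed samples in the layout of ASA 'show crypto isakmp sa' output;
# 203.0.113.10 is a documentation address standing in for the ISA server.
ASA_INITIATES = """\
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
ISA_INITIATES = """\
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

SA_RE = re.compile(r"IKE Peer:\s*(\S+).*?Role\s*:\s*(\w+).*?State\s*:\s*(\w+)", re.S)
OUT, IN = "ASA->peer", "peer->ASA"

def parse_sas(text):
    """Return (peer, role, state) for every SA entry in the output."""
    return SA_RE.findall(text)

def path_evidence(state):
    """For a stalled Main Mode state return (proven, suspect) direction sets.

    MM_WAIT_MSGn means the ASA sent message n-1 and never saw message n.
    Message n-2 (if any) did reach the ASA, and it was the peer's reply to
    message n-3, so that earlier outbound message arrived as well.
    """
    m = re.fullmatch(r"MM_WAIT_MSG([2-6])", state)
    if not m:
        return set(), set()
    n = int(m.group(1))
    proven = set()
    if n >= 3:
        proven.add(IN)    # message n-2 reached the ASA
    if n >= 4:
        proven.add(OUT)   # the peer answered message n-3, so it arrived
    return proven, {OUT, IN}

def suspect_directions(*outputs):
    """Combine several captures; return directions never shown to work."""
    proven, suspect = set(), set()
    for text in outputs:
        for _peer, _role, state in parse_sas(text):
            p, s = path_evidence(state)
            proven |= p
            suspect |= s
    return suspect - proven
```

With both captures from the question, the only direction left unproven is ASA->peer, which matches the observation that no packets from the ASA were seen outside the ISA. An empty result for a later state points at the negotiation itself rather than the path.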