Dynamic & Static crypto map problem on ASA

Unanswered Question
Feb 17th, 2007

Hello,

I'm trying to configure the VPN client and a site-to-site VPN on the ASA's outside interface. I went through the configuration examples on the Cisco site and followed the steps there; the VPN clients worked fine, but the L2L VPN did not.

While troubleshooting this issue I disabled and re-enabled the dynamic crypto map and I got the error below:

WARNING: Existing map is being linked to dynamic-map: Dynmap.
All static attributes in existing map will be inactive!

Snippet of the configuration on the ASA:

crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 300
crypto isakmp ipsec-over-tcp port 10000

Kindly advise what is going on!!

Regards,

Belal

balsheikh Sun, 02/18/2007 - 15:08

Hello,

This is the required information:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN-Pool
 default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
 address-pool VPN-Clients-Pool
 default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Kindly note that the other VPN termination for the L2L VPN is a PLANET concentrator, but I don't believe this is the reason to disable the static crypto map once the dynamic one is enabled.

regards,

Belal

Kamal Malhotra Sun, 02/18/2007 - 22:54

Hi Belal,

When this was tested, was the client connected from behind the same concentrator that we are trying to establish the L2L tunnel with? Would it be possible to post the complete config of the ASA?

Regards,

Kamal

balsheikh Mon, 02/19/2007 - 03:11

Hello Kamal,

I tested from the ASA itself and from the other VPN termination. I always got an error indicating that ISAKMP phase 1 wasn't established, and I'm sure about the SA configured on both ends.

Below is the configuration; I appreciate any recommendation on the same issue.

ASA Version 7.2(2)
same-security-traffic permit intra-interface
access-list Home-Users-VPN remark *****ALLOW VPN USERS TO ACCESS THE LOCAT SUBNETS*****
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip Shuwaikh-Store 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 192.168.170.0 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.72.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0
ip local pool VPN-Clients-Pool 10.100.71.10-10.100.71.100
ip local pool WebVPN-Pool 10.100.72.100-10.100.72.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name defind attack action alarm drop
ip audit interface outside defind
ip audit interface inside defind
ip audit attack action alarm reset
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
global (outside) 82 x.x.x.x-x.x.x.x
global (outside) 82 x.x.x.x
nat (inside) 0 access-list Home-Users-VPN
nat (inside) 82 10.100.101.2 255.255.255.255
nat (inside) 82 Suliba-Store 255.255.255.0
nat (inside) 82 B-Factory 255.255.255.0
nat (inside) 82 10.100.0.0 255.255.0.0
access-group OpenPortsOUT in interface outside
access-group OpenPortsIN in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
group-policy WebVPN-Policy internal
group-policy WebVPN-Policy attributes
 dns-server value 10.100.13.100
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WebVPN
 default-domain value X.com.kw
 address-pools value WebVPN-Pool
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
group-policy VPNClient-Policy internal
group-policy VPNClient-Policy attributes
 dns-server value 10.100.13.100
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home-Users-VPN
 default-domain value X.com.kw
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 300
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN-Pool
 default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
 address-pool VPN-Clients-Pool
 default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
prompt hostname context

Regards,

Belal

Kamal Malhotra Mon, 02/19/2007 - 07:06

Hi Belal,

To begin with, please notice the command: crypto map Mymap 69 match address 121

I cannot see the access-list 121. Either you have posted an edited config or the access-list is not there. Please make sure that access-list 121 is configured, and configured correctly.

Regards,

Kamal

balsheikh Mon, 02/19/2007 - 22:09

Hi Kamal,

Sorry for the drop; it's already there, but I tried to snip the required configuration from the overall configuration.

access-list 121 extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0

But one more strange thing: I continuously got the two errors mentioned below when I enabled the "debug crypto isakmp" command.

Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xdf77a88, mess id 0xb099d673)!
Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Regards,

Belal

kaachary Wed, 02/21/2007 - 04:15

Hi,

You might want to post the detailed debugs from the ASA:

debug cry isa 255
debug cry ipsec 255

-Kanishka

Kamal Malhotra Wed, 02/21/2007 - 06:39

Hi Belal,

These are not the complete debugs. Please provide us with the complete debugs.

Regards,

Kamal

kaachary Thu, 02/22/2007 - 05:10

Hi,

From the debugs:

Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ke payload
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM IsRekeyed old sa not found by addr
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, checking map = Mymap, seq = 69...
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, map Mymap, seq = 69 is a successful match
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, IKE Remote Peer configured for crypto map: Mymap
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing IPSec SA payload
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!

It seems the Phase 2 policies do not match on both sides.

You might want to check the following on the remote site:

1: The crypto ACL

2: Make sure PFS is disabled.

3: Transform set.

-Kanishka
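As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python lint that reads the crypto map section of an ASA config and reports what the replies above end up checking by hand: a match address ACL that is never defined (Kamal's point), a missing peer or transform set, a dynamic map that is referenced but not defined, and a dynamic entry whose sequence number sorts before a static one. The sample config is constructed from the lines posted in the thread with access-list 121 left out; the function name and finding wording are my own.

```python
from collections import defaultdict

# Constructed sample: the crypto section of the ASA config posted in the thread,
# with access-list 121 left out, the gap Kamal pointed at.
SAMPLE_CONFIG = """\
crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
"""

def lint_crypto_maps(config):
    """Return findings for every crypto map entry: unresolved references,
    missing peers and a dynamic entry that sorts before a static one."""
    acls, tsets, dyn_maps = set(), set(), {}
    entries = defaultdict(lambda: defaultdict(dict))  # map -> seq -> {cmd: args}
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 2 and w[0] == "access-list":
            acls.add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])
        elif w[:2] == ["crypto", "dynamic-map"] and len(w) > 5:
            dyn_maps.setdefault(w[2], {})[" ".join(w[4:6])] = w[6:]
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[3].isdigit():
            entries[w[2]][int(w[3])][" ".join(w[4:6])] = w[6:]
    findings = []
    for name, seqs in entries.items():
        static = [s for s in sorted(seqs) if "ipsec-isakmp dynamic" not in seqs[s]]
        for s in static:  # each static entry needs an ACL, a peer and a transform set
            a = seqs[s]
            acl = (a.get("match address") or [None])[0]
            if acl not in acls:
                findings.append(f"{name} {s}: crypto ACL {acl or '(none)'} is not defined")
            if not a.get("set peer"):
                findings.append(f"{name} {s}: no peer configured")
            for ts in a.get("set transform-set", []):
                if ts not in tsets:
                    findings.append(f"{name} {s}: transform-set {ts} is not defined")
        for s in sorted(set(seqs) - set(static)):  # dynamic entries
            ref = (seqs[s]["ipsec-isakmp dynamic"] or [None])[0]
            if ref not in dyn_maps:
                findings.append(f"{name} {s}: dynamic map {ref} is not defined")
            if static and s < max(static):
                findings.append(f"{name} {s}: dynamic entry sorts before static entry {max(static)}")
    return findings
```

Feed it the output of `show running-config crypto` plus the access-list section; an empty list means every static entry resolves and the dynamic entry is last, so a remaining Phase 2 failure has to be looked for on the peer side (crypto ACL, PFS, transform set), as Kanishka suggests.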
