Dynamic & Static crypto map problem on ASA

balsheikh
Level 1

Hello,

I'm trying to configure VPN client and site-to-site VPN on the ASA outside interface. I went through the configuration examples on the Cisco site and followed the steps there; the VPN clients worked fine, but the L2L VPN did not.

While troubleshooting this issue I disabled and re-enabled the dynamic crypto map and I got the error below:

WARNING: Existing map is being linked to dynamic-map: Dynmap.

All static attributes in existing map will be inactive!

Snippet of the configuration on the ASA:

crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 300
crypto isakmp ipsec-over-tcp port 10000

Kindly advise what is going on!!

Regards,

Belal

11 Replies

bthibode
Level 1

Can we see your tunnel groups as well?

Bryan

Hello,

This is the required information:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN-Pool
 default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
 address-pool VPN-Clients-Pool
 default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Kindly note that the other VPN termination for the L2L VPN is a PLANET concentrator, but I don't believe this is the reason for the static crypto map being disabled once the dynamic one is enabled.

regards,

Belal

Hi Belal,

When this was tested, was the client connected from behind the same concentrator that we are trying to establish the L2L tunnel with? Would it be possible to post the complete config of the ASA?

Regards,

Kamal

Hello Kamal,

I tested from the ASA itself and from the other VPN termination; I always got an error indicating that ISAKMP phase 1 wasn't established, and I'm sure about the configured SA on both ends.

Below is the configuration; I appreciate any recommendation on this issue.

ASA Version 7.2(2)
same-security-traffic permit intra-interface
access-list Home-Users-VPN remark *****ALLOW VPN USERS TO ACCESS THE LOCAT SUBNETS*****
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip Shuwaikh-Store 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 192.168.170.0 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.72.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0
ip local pool VPN-Clients-Pool 10.100.71.10-10.100.71.100
ip local pool WebVPN-Pool 10.100.72.100-10.100.72.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name defind attack action alarm drop
ip audit interface outside defind
ip audit interface inside defind
ip audit attack action alarm reset
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
global (outside) 82 x.x.x.x-x.x.x.x
global (outside) 82 x.x.x.x
nat (inside) 0 access-list Home-Users-VPN
nat (inside) 82 10.100.101.2 255.255.255.255
nat (inside) 82 Suliba-Store 255.255.255.0
nat (inside) 82 B-Factory 255.255.255.0
nat (inside) 82 10.100.0.0 255.255.0.0
access-group OpenPortsOUT in interface outside
access-group OpenPortsIN in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
group-policy WebVPN-Policy internal
group-policy WebVPN-Policy attributes
 dns-server value 10.100.13.100
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WebVPN
 default-domain value X.com.kw
 address-pools value WebVPN-Pool
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
group-policy VPNClient-Policy internal
group-policy VPNClient-Policy attributes
 dns-server value 10.100.13.100
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home-Users-VPN
 default-domain value X.com.kw
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 300
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebVPN-Pool
 default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
 address-pool VPN-Clients-Pool
 default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
prompt hostname context

Regards,

Belal

Hi Belal,

To begin with, please notice the command: crypto map Mymap 69 match address 121

I cannot see access-list 121. Either you have posted an edited config or the access-list is not there. Please make sure that access-list 121 exists and is configured correctly.

Regards,

Kamal

Hi Kamal,

Sorry for the omission; it's already there, but I tried to snip only the required configuration from the overall configuration.

access-list 121 extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0

But one more strange thing: I continuously got the two errors below when I enabled the "debug crypto isakmp" command.

Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xdf77a88, mess id 0xb099d673)!
Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Regards,

Belal

Hi ,

You might want to post the detailed debugs from the ASA:

debug cry isa 255
debug cry ipsec 255

-Kanishka

Hi,

Attached are the required debugs; hopefully they will help you.

Regards,

Belal

Hi Belal,

These are not the complete debugs. Please provide us with the complete debugs.

Regards,

Kamal

Hello Kamal,

Attached are the complete debugs; I appreciate your assistance.

Regards,

Belal

Hi,

From the debugs:

Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ke payload
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM IsRekeyed old sa not found by addr
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, checking map = Mymap, seq = 69...
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, map Mymap, seq = 69 is a successful match
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, IKE Remote Peer configured for crypto map: Mymap
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing IPSec SA payload
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!

It seems the Phase 2 policies do not match on both sides.

You might want to check the following on the remote site:

1: The crypto ACL

2: Make sure PFS is disabled.

3: Transform set.

-Kanishka
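As an added example (not code from the thread or from Cisco), a small Python checker that automates the two checks the replies make by hand: Kamal's point that the static entry crypto map Mymap 69 references access-list 121, which must actually exist in the config, and Kanishka's reading of the debug, where the static entry matches but every IPsec SA proposal is rejected, pointing at a Phase 2 mismatch rather than the dynamic-map warning. The sample config and debug lines are constructed from those quoted above; the verdict labels are my own.

```python
import re

# Constructed sample: the crypto-map lines quoted in the thread, first
# without the access-list 121 line (as in the originally snipped config).
CONFIG_WITHOUT_ACL = """
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
"""
CONFIG_WITH_ACL = CONFIG_WITHOUT_ACL + (
    "access-list 121 extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0\n")

# Constructed sample: the 'debug crypto isakmp' lines quoted in the thread.
DEBUG_LINES = [
    "Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2",
    "Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, map Mymap, seq = 69 is a successful match",
    "Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!",
]

ACL_RE = re.compile(r"^access-list (\S+) ")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
STATIC_OK_RE = re.compile(r"map (\S+), seq = (\d+) is a successful match")

def missing_crypto_acls(config):
    """(map, seq, acl) for each 'match address' ACL with no access-list line in the config."""
    defined, refs = set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := MATCH_RE.match(line):
            refs.append(m.groups())
    return [r for r in refs if r[2] not in defined]

def diagnose_debug(lines):
    """Classify the Phase 2 outcome recorded in IKEv1 debug lines."""
    r = {"static_seq": None, "pfs_offered": False, "phase2_rejected": False}
    for line in lines:
        if m := STATIC_OK_RE.search(line):
            r["static_seq"] = int(m.group(2))   # the peer hit a static entry
        if "processing ISA_KE for PFS in phase 2" in line:
            r["pfs_offered"] = True              # the peer is proposing PFS
        if "All IPSec SA proposals found unacceptable" in line:
            r["phase2_rejected"] = True
    # static match + rejected proposal = Phase 2 policy mismatch (transform set, PFS, crypto ACL)
    r["verdict"] = ("phase2-mismatch" if r["static_seq"] and r["phase2_rejected"]
                    else "no-phase2-failure-seen")
    return r
```

Run missing_crypto_acls over the full running config rather than a snippet, since a referenced ACL that is defined elsewhere in the file is not a fault.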
