02-17-2007 01:19 PM
Hello,
I'm trying to configure the VPN client and site-to-site VPN on the ASA's outside interface. I went through the configuration examples on the Cisco site and followed the steps there; the VPN clients worked fine but the L2L VPN did not.
While troubleshooting this issue I disabled and re-enabled the dynamic crypto map and I got the error below:
WARNING: Existing map is being linked to dynamic-map: Dynmap.
All static attributes in existing map will be inactive!
Snippet of the configuration on the ASA:
crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 300
crypto isakmp ipsec-over-tcp port 10000
Kindly advise what is going on!
Regards,
Belal
02-18-2007 07:39 AM
Can we see your tunnel groups as well?
Bryan
02-18-2007 03:08 PM
Hello,
this is the required information:
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebVPN-Pool
default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
address-pool VPN-Clients-Pool
default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
Kindly note that the other VPN termination for the L2L VPN is a PLANET concentrator, but I don't believe this is the reason the static crypto map is disabled once the dynamic one is enabled.
Regards,
Belal
02-18-2007 10:54 PM
Hi Belal,
When this was tested, was the client connected from behind the same concentrator that we are trying to establish the L2L tunnel with? Would it be possible to post the complete config of the ASA?
Regards,
Kamal
02-19-2007 03:11 AM
Hello Kamal,
I tested from the ASA itself and from the other VPN termination; I always got an error indicating that ISAKMP phase 1 was not established, and I'm sure about the configured SA on both ends.
Below is the configuration; I appreciate any recommendation on this issue.
ASA Version 7.2(2)
same-security-traffic permit intra-interface
access-list Home-Users-VPN remark *****ALLOW VPN USERS TO ACCESS THE LOCAT SUBNETS*****
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip Shuwaikh-Store 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 192.168.170.0 255.255.255.0 10.100.71.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 10.100.72.0 255.255.255.0
access-list Home-Users-VPN extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0
ip local pool VPN-Clients-Pool 10.100.71.10-10.100.71.100
ip local pool WebVPN-Pool 10.100.72.100-10.100.72.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name defind attack action alarm drop
ip audit interface outside defind
ip audit interface inside defind
ip audit attack action alarm reset
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
global (outside) 82 x.x.x.x-x.x.x.x
global (outside) 82 x.x.x.x
nat (inside) 0 access-list Home-Users-VPN
nat (inside) 82 10.100.101.2 255.255.255.255
nat (inside) 82 Suliba-Store 255.255.255.0
nat (inside) 82 B-Factory 255.255.255.0
nat (inside) 82 10.100.0.0 255.255.0.0
access-group OpenPortsOUT in interface outside
access-group OpenPortsIN in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
group-policy WebVPN-Policy internal
group-policy WebVPN-Policy attributes
dns-server value 10.100.13.100
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WebVPN
default-domain value X.com.kw
address-pools value WebVPN-Pool
webvpn
svc enable
svc keep-installer installed
svc rekey time 30
group-policy VPNClient-Policy internal
group-policy VPNClient-Policy attributes
dns-server value 10.100.13.100
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Home-Users-VPN
default-domain value X.com.kw
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Stat-Set esp-3des esp-md5-hmac
crypto dynamic-map Dynmap 20 set transform-set Stat-Set
crypto map Mymap 69 match address 121
crypto map Mymap 69 set peer x.x.x.x
crypto map Mymap 69 set transform-set Stat-Set
crypto map Mymap 65525 ipsec-isakmp dynamic Dynmap
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 69
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 300
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebVPN-Pool
default-group-policy WebVPN-Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy WebVPN-Policy
tunnel-group X-VPNClient type ipsec-ra
tunnel-group X-VPNClient general-attributes
address-pool VPN-Clients-Pool
default-group-policy VPNClient-Policy
tunnel-group X-VPNClient ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.2.169.pkg 1
svc enable
prompt hostname context
Regards,
Belal
02-19-2007 07:06 AM
Hi Belal,
To begin with, please notice the command: crypto map Mymap 69 match address 121
I cannot see access-list 121. Either you have posted an edited config or the access-list is not there. Please make sure that access-list 121 is present and correctly configured.
Regards,
Kamal
02-19-2007 10:09 PM
Hi Kamal,
Sorry for the omission; it's already there, but I tried to snip only the required configuration from the overall configuration.
access-list 121 extended permit ip 10.100.0.0 255.255.0.0 192.168.0.0 255.255.255.0
One more strange thing: I continuously get the two errors below when I enable the "debug crypto isakmp" command.
Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xdf77a88, mess id 0xb099d673)!
Feb 18 10:21:12 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Regards,
Belal
02-21-2007 04:15 AM
Hi,
You might want to post the detailed debugs from the ASA:
debug cry isa 255
debug cry ipsec 255
-Kanishka
02-21-2007 05:26 AM
02-21-2007 06:39 AM
Hi Belal,
These are not the complete debugs. Please provide us with the complete debugs.
Regards,
Kamal
02-21-2007 11:46 PM
02-22-2007 05:10 AM
Hi,
From the debugs :
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ke payload
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM IsRekeyed old sa not found by addr
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, checking map = Mymap, seq = 69...
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Static Crypto Map check, map Mymap, seq = 69 is a successful match
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, IKE Remote Peer configured for crypto map: Mymap
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, processing IPSec SA payload
Feb 21 16:07:37 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
It seems the phase 2 policies do not match on the two sides.
You might want to check the following on the remote site:
1: The crypto ACL
2: Make sure PFS is disabled.
3: Transform set.
-Kanishka
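The reply above reads the quick mode failure straight out of the debug and then lists the three phase 2 settings to compare on the far end. The script below is an added example, not code from the thread or from Cisco: it scans constructed `debug crypto isakmp` lines modelled on the ones quoted (the 203.0.113.9 peer address is a placeholder), pulls out which static map entry matched, whether the peer proposed PFS and whether all phase 2 proposals were rejected, and then compares two hand-entered phase 2 policies (transform sets, PFS group, crypto ACL) to report why they cannot agree. The `Phase2Policy` class, the `REMOTE_GUESS` values and the rule that PFS must be identical on both ends are assumptions of this example, not facts from the thread.

```python
"""Added triage helper for the IKEv1 phase 2 failure discussed in the thread.

1. triage() scans ASA 'debug crypto isakmp' text for the lines that pin down
   where the L2L negotiation died.
2. phase2_mismatches() compares the phase 2 settings gathered from both ends
   (transform sets, PFS, crypto ACL) and lists the reasons they cannot match.
The debug sample is constructed from the lines quoted in the thread; the peer
address is a placeholder, not a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's debug output (not a real capture).
SAMPLE_DEBUG = """\
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = 203.0.113.9, IP = 203.0.113.9, processing ke payload
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = 203.0.113.9, IP = 203.0.113.9, processing ISA_KE for PFS in phase 2
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, QM IsRekeyed old sa not found by addr
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, Static Crypto Map check, checking map = Mymap, seq = 69...
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, Static Crypto Map check, map Mymap, seq = 69 is a successful match
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, IKE Remote Peer configured for crypto map: Mymap
Feb 21 16:07:37 [IKEv1 DEBUG]: Group = 203.0.113.9, IP = 203.0.113.9, processing IPSec SA payload
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, All IPSec SA proposals found unacceptable!
Feb 21 16:07:37 [IKEv1]: Group = 203.0.113.9, IP = 203.0.113.9, QM FSM error (P2 struct &0xdf77a88, mess id 0xb099d673)!
"""

MATCH_RE = re.compile(r"Static Crypto Map check, map (\S+), seq = (\d+) is a successful match")
PEER_RE = re.compile(r"IP = ([0-9a-fA-F.:]+),")


def triage(debug_text: str) -> dict:
    """Return the facts a practitioner pulls from the debug before touching config."""
    result = {
        "peer": None,                      # first peer address seen
        "matched_map": None,               # static crypto map that matched the peer
        "matched_seq": None,               # sequence number of that entry
        "peer_proposed_pfs": False,        # peer sent a KE payload in quick mode
        "phase2_proposals_rejected": False,  # no transform set / PFS agreement
        "quick_mode_error": False,         # QM FSM error logged
    }
    for line in debug_text.splitlines():
        if result["peer"] is None:
            m = PEER_RE.search(line)
            if m:
                result["peer"] = m.group(1)
        m = MATCH_RE.search(line)
        if m:
            result["matched_map"], result["matched_seq"] = m.group(1), int(m.group(2))
        if "processing ISA_KE for PFS in phase 2" in line:
            result["peer_proposed_pfs"] = True
        if "All IPSec SA proposals found unacceptable!" in line:
            result["phase2_proposals_rejected"] = True
        if "QM FSM error" in line:
            result["quick_mode_error"] = True
    return result


@dataclass(frozen=True)
class Phase2Policy:
    """Phase 2 settings gathered from one end of the tunnel (example type, assumed)."""
    transform_sets: frozenset[tuple[str, str]]  # {(esp cipher, esp auth)}
    pfs_group: Optional[int]                     # None means PFS not configured
    crypto_acl: frozenset[tuple[str, str]]       # {(local network, remote network)}


def phase2_mismatches(local: Phase2Policy, remote: Phase2Policy) -> list[str]:
    """List why two phase 2 policies cannot agree; an empty list means compatible.

    Simplifying rule assumed by this example: PFS must be identical on both ends,
    and the remote crypto ACL must be the exact mirror of the local one.
    """
    reasons = []
    if not (local.transform_sets & remote.transform_sets):
        reasons.append(f"no common transform set: local={sorted(local.transform_sets)} "
                       f"remote={sorted(remote.transform_sets)}")
    if local.pfs_group != remote.pfs_group:
        reasons.append(f"PFS mismatch: local={local.pfs_group} remote={remote.pfs_group}")
    mirrored = frozenset((dst, src) for src, dst in remote.crypto_acl)
    if local.crypto_acl != mirrored:
        reasons.append(f"crypto ACL is not mirrored: local={sorted(local.crypto_acl)} "
                       f"remote(mirrored)={sorted(mirrored)}")
    return reasons


# The ASA side as posted in the thread: one transform set, no 'set pfs', ACL 121.
ASA_SIDE = Phase2Policy(
    transform_sets=frozenset({("esp-3des", "esp-md5-hmac")}),
    pfs_group=None,
    crypto_acl=frozenset({("10.100.0.0/16", "192.168.0.0/24")}),
)
# Hypothetical remote end consistent with the debug above: PFS group 2 enabled.
REMOTE_GUESS = Phase2Policy(
    transform_sets=frozenset({("esp-3des", "esp-md5-hmac")}),
    pfs_group=2,
    crypto_acl=frozenset({("192.168.0.0/24", "10.100.0.0/16")}),
)

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
    for reason in phase2_mismatches(ASA_SIDE, REMOTE_GUESS):
        print("mismatch:", reason)
```

Run against the quoted debug, `triage()` confirms the peer landed on `Mymap` seq 69 (so the static entry is active, despite the earlier warning) and that the failure is in quick mode, which is why the comparison goes to phase 2 settings rather than to the ISAKMP policy.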