SITE-TO-SITE VPN PROBLEM: UNABLE TO ESTABLISH CONNECTIVITY

Hi,

Below is my network setup:

Site 2
    VPN Router
        |
        | (Internet Cloud)
        |
Site 1
    Internet Router
        |
    Firewall (ASA) ----> DMZ
        |
    LAN Switching
        |
    PC

----------------------------------------

Below is the configuration in the ASA at site-1

sh run

ASA Version 7.1(2)
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 124.x.x.177 255.255.255.248
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.200.251 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.16.1 255.255.255.0
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
access-list 112 extended permit tcp host 194.117.106.129 host 124.30.88.117
access-list Outside_cryptomap_20 extended permit ip host 192.168.200.204 host 194.117.106.129
icmp permit any Outside
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 192.168.200.0 255.255.255.0
static (DMZ,Outside) 124.30.88.115 Mailserver netmask 255.255.255.255
static (DMZ,Outside) 124.30.88.114 vfortress netmask 255.255.255.255
static (Inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Inside,Outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Inside,Outside) 124.30.88.117 192.168.200.204 netmask 255.255.255.255
access-group 112 in interface Outside
access-group 113 in interface DMZ
route Outside 0.0.0.0 0.0.0.0 124.30.88.179 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 194.39.131.167
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 7200
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group "SAP TUNNEL" type ipsec-l2l
tunnel-group "SAP TUNNEL" ipsec-attributes
 pre-shared-key *

----------------------------------

I have configured the VPN as above, but when I try to ping from the SAP internal server (192.168.200.204) to the remote site server (194.117.106.129), I see the error below in the output of debug crypto isakmp and debug crypto ipsec:

isakmp Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Removing peer from peer table failed, no match!
Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Error: Unable to remove PeerTblEntry

Could you please let me know where the problem could be?

Thanks & Regards,

Jithesh
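Later in the thread the poster asks which parameters can be double-checked locally before going back to the remote end. As an added example, not part of the original post and not Cisco tooling, the Python below runs that kind of static check over the config fragment quoted above (the banner, interface addresses and ASDM lines are left out because the checks do not use them). It flags the access-group that references an access-list the fragment never defines, a crypto map peer with no tunnel-group named after its address (on the ASA, IKEv1 L2L tunnel-groups are matched by peer IP, so a group called "SAP TUNNEL" is not consulted for 194.39.131.167 and the pre-shared key under it is not used for that peer), and the legacy 3DES/MD5/DH group 2 settings. The suggested replacements (AES-256, SHA, DH group 14) are assumptions about what the running release supports. The thread's actual fix turned out to be upstream routing, which a config lint cannot see.

```python
"""Static checks over an ASA 7.x IKEv1 site-to-site (L2L) config fragment.

Added example for this thread, not Cisco tooling. CONFIG is the fragment
quoted in the original post, reduced to the lines the checks look at.
"""
import shlex

CONFIG = """
access-list 112 extended permit tcp host 194.117.106.129 host 124.30.88.117
access-list Outside_cryptomap_20 extended permit ip host 192.168.200.204 host 194.117.106.129
access-group 112 in interface Outside
access-group 113 in interface DMZ
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 194.39.131.167
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 7200
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group "SAP TUNNEL" type ipsec-l2l
tunnel-group "SAP TUNNEL" ipsec-attributes
pre-shared-key *
"""

# Legacy algorithm -> replacement. Assumes a release that supports the replacement.
STRONGER = {"des": "aes-256", "3des": "aes-256", "md5": "sha",
            "esp-des": "esp-aes-256", "esp-3des": "esp-aes-256",
            "esp-md5-hmac": "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_config(text):
    """Collect only the objects the checks need; every other line is ignored."""
    cfg = {"acls": set(), "access_groups": [], "transform_sets": {},
           "crypto_maps": {}, "map_interface": {}, "isakmp_enabled": set(),
           "isakmp_policies": {}, "l2l_groups": set()}
    for raw in text.splitlines():
        tok = shlex.split(raw)          # shlex keeps the quoted "SAP TUNNEL" as one token
        if not tok:
            continue
        if tok[0] == "access-list":
            cfg["acls"].add(tok[1])
        elif tok[0] == "access-group":                 # access-group ACL in interface IF
            cfg["access_groups"].append((tok[1], tok[4]))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3] == "interface":
            cfg["map_interface"][tok[2]] = tok[4]      # crypto map NAME interface IF
        elif tok[:2] == ["crypto", "map"]:             # crypto map NAME SEQ ...
            entry = cfg["crypto_maps"].setdefault((tok[2], tok[3]), {})
            if tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry["peers"] = tok[6:]
            elif tok[4:6] == ["set", "transform-set"]:
                entry["transform_sets"] = tok[6:]
        elif tok[:2] == ["isakmp", "enable"]:
            cfg["isakmp_enabled"].add(tok[2])
        elif tok[:2] == ["isakmp", "policy"]:          # isakmp policy SEQ ATTR VALUE
            cfg["isakmp_policies"].setdefault(tok[2], {})[tok[3]] = tok[4]
        elif tok[0] == "tunnel-group" and tok[2:4] == ["type", "ipsec-l2l"]:
            cfg["l2l_groups"].add(tok[1])
    return cfg


def check(cfg):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    for acl, intf in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            findings.append(f"access-group {acl} is applied to {intf} but no access-list {acl} exists")
    for (name, seq), e in cfg["crypto_maps"].items():
        if e.get("acl") not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq} matches undefined ACL {e.get('acl')}")
        intf = cfg["map_interface"].get(name)
        if intf is None:
            findings.append(f"crypto map {name} is not bound to any interface")
        elif intf not in cfg["isakmp_enabled"]:
            findings.append(f"crypto map {name} is on {intf} but ISAKMP is not enabled there")
        for peer in e.get("peers", []):
            if peer not in cfg["l2l_groups"]:
                findings.append(
                    f"crypto map {name} {seq} peers with {peer} but there is no "
                    f"'tunnel-group {peer} type ipsec-l2l'; IKEv1 L2L groups are matched by "
                    f"peer address, so {sorted(cfg['l2l_groups'])} is not used for this peer")
        for ts in e.get("transform_sets", []):
            for alg in cfg["transform_sets"].get(ts, []):
                if alg in STRONGER:
                    findings.append(f"transform-set {ts} uses {alg}; use {STRONGER[alg]}")
    for seq, pol in cfg["isakmp_policies"].items():
        for attr in ("encryption", "hash"):
            if pol.get(attr) in STRONGER:
                findings.append(f"isakmp policy {seq} {attr} {pol[attr]}; use {STRONGER[pol[attr]]}")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {seq} uses DH group {pol['group']}; "
                            "use group 14 or higher where the release supports it")
    return findings


if __name__ == "__main__":
    for finding in check(parse_config(CONFIG)):
        print("-", finding)
```

Renaming the tunnel-group to the peer address (tunnel-group 194.39.131.167 type ipsec-l2l) removes the peer finding; the other six stay until the ACL and the algorithms are changed.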

9 Replies

kaachary
Cisco Employee

Jithesh,

It would be hard to comment since we do not have the config from the other end.

If you could post that and the complete debugs, we can check it and will let you know.

-Kanishka

Hi,

Unfortunately the remote site is not providing those details, but when we coordinate with them they say that the first-phase handshake is not happening. Also, when debugging from my end I get the error message below.

isakmp Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Removing peer from peer table failed, no match!

Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Error: Unable to remove PeerTblEntry

Which parameters can I double-check from my end before asking the remote end for more details?

regards,

Jithesh

Hi,

I was also able to get the output below from the remote end firewall.

#show crypto isakmp sa
194.39.131.167 124.30.88.177 MM_NO_STATE 332 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 347 0
194.39.131.167 124.30.88.177 MM_NO_STATE 330 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 312 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 340 0
194.39.131.167 124.30.88.177 MM_NO_STATE 324 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 358 0
194.39.131.167 124.30.88.177 MM_NO_STATE 307 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 334 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 354 0
194.39.131.167 124.30.88.177 MM_NO_STATE 327 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 320 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 316 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 337 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 343 0

regards,

Jithesh

Hi Jithesh,

Turn on debugging at the full severity level:

debug cry isa 255
debug cry ipsec 255

Send the output.

-Kanishka

Hi Kanishka,

I have attached the isakmp debugs. I was also able to get the message below as the state of the SA.

1 IKE Peer: 194.39.131.167
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

Please suggest on what could be the problem.

regards,

Jithesh

Since the state has stopped at MM_WAIT_MSG2, I suspect the problem could be a wrong pre-shared key or the crypto map statements. The key should be the same on both sides and the crypto map statements should match exactly. Please provide the "sh log" output or the configuration of both routers/switches to troubleshoot it.
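The reading of MM_WAIT_MSG2 above can be made mechanical by putting both sides' SA tables next to each other. As an added example, not part of the thread and not Cisco tooling, the Python below parses the remote end's "show crypto isakmp sa" rows (assumed to follow the IOS layout of dst, src, state, conn-id, slot and status) and the Site-1 ASA's "show isakmp sa" detail block, then works out which main-mode message went missing. The PROGRESS table is my summary of how far into the six main-mode messages each state implies a peer has got. On the samples from this thread the responder reaches MM_SA_SETUP (it received MSG1 and sent MSG2) while the initiator sits in MM_WAIT_MSG2, so MSG2 is being lost on the way back to 124.30.88.177: a return-path problem. A pre-shared key mismatch would instead leave the initiator waiting for MSG6, after it has sent its own authentication in MSG5.

```python
"""Triage an IKEv1 main-mode stall from both peers' ISAKMP SA tables.

Added example for this thread, not Cisco tooling. The two samples are the
outputs quoted in the thread: the remote end's "show crypto isakmp sa"
table and the Site-1 ASA's "show isakmp sa" detail block.
"""
import re

REMOTE_SHOW_ISAKMP_SA = """
dst             src             state          conn-id slot status
194.39.131.167 124.30.88.177 MM_NO_STATE 332 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 347 0
194.39.131.167 124.30.88.177 MM_NO_STATE 330 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 312 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 340 0
194.39.131.167 124.30.88.177 MM_NO_STATE 324 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 358 0
194.39.131.167 124.30.88.177 MM_NO_STATE 307 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 334 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 354 0
194.39.131.167 124.30.88.177 MM_NO_STATE 327 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 320 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 316 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 337 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 343 0
"""

LOCAL_SHOW_ISAKMP_SA = """
1 IKE Peer: 194.39.131.167
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""

# state -> (last main-mode message this side has sent or received, meaning).
# Main mode is MSG1..MSG6; the initiator sends the odd ones, the responder the even ones.
PROGRESS = {
    "MM_NO_STATE":  (0, "SA entry created, nothing exchanged"),
    "MM_SA_SETUP":  (2, "MSG1/MSG2 done: proposals agreed"),
    "MM_KEY_EXCH":  (4, "MSG3/MSG4 done: DH values and nonces exchanged"),
    "MM_KEY_AUTH":  (6, "MSG5/MSG6 done: peers authenticated"),
    "QM_IDLE":      (6, "phase 1 complete, ready for quick mode"),
    "MM_ACTIVE":    (6, "phase 1 complete"),
    "MM_WAIT_MSG2": (1, "initiator sent MSG1, waiting for the responder's proposal reply"),
    "MM_WAIT_MSG3": (2, "responder sent MSG2, waiting for the initiator's DH value"),
    "MM_WAIT_MSG4": (3, "initiator sent MSG3, waiting for the responder's DH value"),
    "MM_WAIT_MSG5": (4, "responder sent MSG4, waiting for the initiator's authentication"),
    "MM_WAIT_MSG6": (5, "initiator sent MSG5 (its authentication), waiting for MSG6"),
}

IOS_ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\w+)\s+(\d+)\s+(\d+)"
                     r"(?:\s+\((\w+)\))?$")
ASA_STATE = re.compile(r"\bState\s*:\s*(\w+)")
ASA_ROLE = re.compile(r"\bRole\s*:\s*(\w+)")


def parse_ios_table(text):
    """Rows of the IOS-style table; the header and blank lines do not match IOS_ROW."""
    rows = []
    for line in text.splitlines():
        m = IOS_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, _slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "deleted": status == "deleted"})
    return rows


def parse_asa_detail(text):
    """State and role from an ASA 'show isakmp sa' detail block."""
    s, r = ASA_STATE.search(text), ASA_ROLE.search(text)
    if not (s and r):
        raise ValueError("no State/Role fields found")
    return {"state": s.group(1), "role": r.group(1)}


def diagnose(initiator_state, responder_states):
    """Say which main-mode message went missing and which side of the path to check."""
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", initiator_state)
    if not m:
        return f"initiator is not stuck in main mode ({initiator_state}: {PROGRESS[initiator_state][1]})"
    n = int(m.group(1))
    best = max((PROGRESS[s][0] for s in responder_states if s in PROGRESS), default=0)
    if best >= n:
        return (f"responder already sent MSG{n} (progress {best}) but the initiator never got it: "
                "the responder-to-initiator path is broken; check routing and NAT of UDP 500 "
                "toward the initiator's outside address")
    if n == 6:
        return ("responder never sent MSG6: authentication failed; check the pre-shared key "
                "and that the tunnel-group is named after the peer IP")
    return (f"responder never processed MSG{n - 1} (progress {best}): the initiator-to-responder "
            "path is broken or the responder drops it; check reachability, 'isakmp enable' on "
            "that interface, the peer address and a matching isakmp policy")


if __name__ == "__main__":
    local = parse_asa_detail(LOCAL_SHOW_ISAKMP_SA)
    remote_states = [r["state"] for r in parse_ios_table(REMOTE_SHOW_ISAKMP_SA)]
    print(f"local: {local['role']} in {local['state']}")
    print(diagnose(local["state"], remote_states))
```

The deleted rows matter too: a responder that keeps creating and deleting MM_NO_STATE / MM_SA_SETUP entries for the same initiator is retrying the same half-finished handshake, which is what a one-way path looks like from its side.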

Hi Rajkumar,

I am planning to upgrade the ASA software to 7.2.2, as I can find lots of VPN-related bugs in ASA 7.1.2. Hopefully that will lead me to a result.

regards.

Jithesh

Hi,

Any result after the ASA firmware upgrade? I have the same problem with ASA version 7.2.1: the L2L tunnel ran for a few months without any problem, then started giving the same error message and cannot form the L2L tunnel.

Hi All,

This issue has got resolved.

The problem here was that the public IP assigned to the outside interface of the ASA was not published on the Internet. After speaking to the ISP, it is now working fine.

Thanks to all.

Regards, Jithesh