04-11-2007 02:26 PM - edited 02-21-2020 01:28 AM
Hi,
It's already 2:00 AM here and I still can't make this work.
We have an ASA5510 with a static IP which will serve as the new VPN hub to 3 spoke sites that have a PIX, 1841 and 2821. The ASA5510 L2L connection to the PIX with static IP works well. But the ASA5510 L2L link to the 1841 with dynamic IP (ADSL) and the ASA5510 L2L link to the 2821 both don't work.
Links from PIX to ASA5510, 1841 and 2821 are all up.
I'm attaching the config of ASA5510 and the 1841 to start.
Grateful if someone can look at the configs and point me to the right configuration.
Thanks in advance.
Archie
04-17-2007 12:59 PM
Check the line status of all the links. Try to assign a static IP and see if it works. If it works, then the problem is with the IP assignment.
04-19-2007 07:11 AM
Hi,
Thanks for your reply.
The L2L links with both static IPs are up now but I can't make the L2L (dynamic to static) work. I already put the crypto dynamic at high sequence and I also added the line:
tunnel-group-map default-group DefaultL2LGroup
See my crypto. I don't know what parameters I still need to add.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 6000 match address auh2dxb_acl
crypto dynamic-map outside_dyn_map 6000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 6000 set reverse-route
crypto map outside_map 10 match address auh2mct_acl
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 212.72.26.91
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 30 match address auh2kub_acl
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 202.160.32.113
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
Regards,
Archie
04-24-2007 08:50 AM
Hi,
Can someone shed some light on what this debug error means and what I need to look at to resolve the issue?
Received encrypted packet with no matching SA, dropping
Regards,
Archie
04-24-2007 06:33 PM
Archie
I did not notice this when it was first posted, and I admit that I have not looked closely at the configs that you posted, on the assumption that in the passing time you may have modified something. My guess about the debug message is that the timers may not match, which results in one peer deleting the SA while the other peer is still using it. Can you check the timers and verify that they match? And if they do match, perhaps you can post fresh copies of the configs?
HTH
Rick
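The check suggested in the reply above (verify that the timers match), sketched as an added example that is not part of the thread: it parses the ISAKMP policies posted for the ASA5510 and a constructed IOS spoke policy (the real router configs were attachments), pairs the policies whose encryption, hash, authentication and DH group agree, and reports whether their lifetimes are equal. Only the phase 1 lifetime is compared, since that is the only timer in the posted lines; `SPOKE_CONFIG` and its values are assumptions.

```python
# ISAKMP policy lines as posted in the thread (ASA5510 hub).
HUB_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
"""
# Constructed IOS spoke policy (hypothetical; the real router configs were attachments).
SPOKE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
"""
KEYS = {"encryption": "encryption", "encr": "encryption", "hash": "hash",
        "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
MUST_MATCH = ("encryption", "hash", "authentication", "group")
def parse_policies(text):
    """Return {priority: {attr: value}}; the IOS keyword 'encr' is stored as 'encryption'."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and len(words) == 2 and words[0] in KEYS:
            current[KEYS[words[0]]] = words[1]
        elif words:
            current = None  # any other command closes the policy block
    return policies

def compare(hub, spoke):
    """Pair policies that agree on MUST_MATCH; the last field says if lifetimes are equal."""
    return [(hp, sp, h.get("lifetime"), s.get("lifetime"),
             h.get("lifetime") == s.get("lifetime"))
            for hp, h in sorted(hub.items()) for sp, s in sorted(spoke.items())
            if all(k in h and h[k] == s.get(k) for k in MUST_MATCH)]

print(compare(parse_policies(HUB_CONFIG), parse_policies(SPOKE_CONFIG)))
```

Both configs need every attribute written out explicitly; a policy that relies on platform defaults is not paired by this sketch.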
04-25-2007 01:31 PM
Rick,
I'm attaching the configs of the ASA5510 (static serial), PIX (static serial), 1841 (dynamic ADSL) and 2821 (static SDSL). The PIX, 1841 and 2821 have to connect to the ASA5510, which will become the new hub. At the moment, the PIX-ASA5510 is connected and stable. The 1841-ASA5510 is also up, but intermittently I lose the connection. At this juncture, I can't make the 2821 establish a VPN link to the ASA5510.
On the other hand, the PIX, considered as the old hub, has stable connections to ASA5510, 1841 and 2821.
I would be really really grateful if you could share your expertise and throw some help.
On the next post is the debug result of the ASA5510 and the config of the 2821.
Thanks,
Archie
04-25-2007 01:33 PM
04-25-2007 03:47 AM
Hello
Can you configure a L2L tunnel from a router using dynamic IP addresses (the 1841 in your example)? I was under the impression that site-to-site tunnels require devices with static IP addresses on both sides. Spokes with dynamic IP addresses can be connected using EasyVPN or DMVPN (between routers, not supported on ASA/PIX).
Regards,
Cristian
04-25-2007 01:16 PM
Hi Cristian,
After days of trying, I managed to establish an L2L tunnel from the 1841 with an ADSL modem in front to the ASA5510, but I must say that sometimes the tunnel disappears at any time of the day. It could be something to do with my configuration either in the 1841 or in the ASA5510.
Thanks,
Archie