Can't create second tunnel from 2821 router to ASA5510

Unanswered Question
May 2nd, 2007

Hi,


I have spent sleepless nights with this and I still can't successfully create a second tunnel from the 2821 to the ASA5510. The first tunnel from the 2821 to the PIX (peer X.X.X.91) is up, but not the one to the ASA5510 (peer X.X.X.74). The debug on the ASA5510 is showing:


May 02 21:34:26 [IKEv1]: IP = X.X.X.113, Received encrypted packet with no matching SA, dropping


Attached are the ASA5510 config and complete debug from 5510.


The ASA5510 is also accepting an L2L VPN from a site connected to an ADSL modem (dynamic IP), and the 2821 is also connected to an SDSL modem (static IP).


I have a feeling that I missed something on the router. I would be VERY GRATEFUL if someone kind enough can help.


2821Site3#

version 12.4

interface GigabitEthernet0/0.1
 description $ETH-LAN_INSIDE$
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface GigabitEthernet0/1
 description $ETH-WAN_OUTSIDE$
 ip address X.X.X.113 255.255.255.192
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
crypto isakmp key sharedkey address X.X.X.91
crypto isakmp key sharedkey address X.X.X.74
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Site 3 to Site 1 crypto map
 set peer X.X.X.91
 set transform-set ESP-3DES-MD5
 match address 103
crypto map SDM_CMAP_1 20 ipsec-isakmp
 description Site 3 to Site 2 crypto map
 set peer X.X.X.74
 set transform-set ESP-3DES-MD5
 match address 104
!
ip nat pool NATKUB X.X.X.113 X.X.X.113 netmask 255.255.255.192
ip nat inside source route-map SDM_RMAP_1 pool NATKUB overload
!
access-list 103 remark Site 3 to Site 1 ACL
access-list 103 permit ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 104 remark Site 3 to Site 2 ACL
access-list 104 permit ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 remark Identifies traffic flows using route map SDM_RMAP_1
access-list 105 remark and are PATed via outside interface GigabitEthernet0/1
access-list 105 deny ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 105

Thanks,

Archie



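The router config above ties several objects together that all have to line up before a second peer can get anywhere: a pre-shared key for that peer, a transform set that exists, a crypto ACL, a matching deny in the NAT route-map ACL (IOS translates inside-to-outside traffic before the crypto map sees it, so a flow that is PATed to the outside address never matches the crypto ACL), and a mirrored crypto ACL on the far side. The following Python checker is an added example, not code from this thread or from Cisco: it parses an IOS-style fragment and reports whichever of those references do not line up, and prints the mirrored ACL the remote peer needs. The sample config is constructed: 198.51.100.x stands in for the redacted X.X.X.x addresses, a transform-set line is added because the posted fragment omits it, and the deny for 10.0.1.0/24 is deliberately left out of ACL 105 so the checker has something to report. It does not diagnose the failure discussed in the thread; it only shows the cross-references worth verifying before reading debugs.

```python
"""IOS IPsec site-to-site cross-reference checker. Added example, not code from
the thread or from Cisco; see the lead-in for what it checks and assumes."""
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the 2821 config above: 198.51.100.x replaces the
# redacted X.X.X.x addresses, the transform-set line is added because the posted
# fragment omits it, and the NAT exemption for 10.0.1.0/24 is left out on purpose.
SAMPLE_CONFIG = """\
crypto isakmp key sharedkey address 198.51.100.91
crypto isakmp key sharedkey address 198.51.100.74
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 198.51.100.91
 set transform-set ESP-3DES-MD5
 match address 103
crypto map SDM_CMAP_1 20 ipsec-isakmp
 set peer 198.51.100.74
 set transform-set ESP-3DES-MD5
 match address 104
ip nat inside source route-map SDM_RMAP_1 pool NATKUB overload
access-list 103 permit ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 104 permit ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 105
"""

def _addr(t, i):
    # One ACL address spec starting at t[i]: 'any' or 'A wildcard' (contiguous only).
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    assert not wild & (wild + 1), f"discontiguous wildcard {t[i + 1]}"
    return ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def parse_ios(text: str) -> dict:
    # keys: peer -> PSK; tsets; cmaps: name/seq plus set/match args; acls: number ->
    # [(action, src_net, dst_net)]; rmaps: route-map -> ACL; nat_rmap: NAT route-map.
    cfg = {"keys": {}, "tsets": set(), "cmaps": [], "acls": {}, "rmaps": {}, "nat_rmap": None}
    block = None                          # (kind, context) of the enclosing command
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):      # top-level command: starts or ends a block
            block = None
            if t[:3] == ["crypto", "isakmp", "key"]:
                i = t.index("address")    # the key sits just before 'address'
                cfg["keys"][t[i + 1]] = t[i - 1]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"].add(t[3])
            elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[4] == "ipsec-isakmp":
                block = ("cmap", {"name": t[2], "seq": int(t[3])})
                cfg["cmaps"].append(block[1])
            elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
                src, i = _addr(t, 4)
                cfg["acls"].setdefault(t[1], []).append((t[2], src, _addr(t, i)[0]))
            elif t[:4] == ["ip", "nat", "inside", "source"] and "route-map" in t:
                cfg["nat_rmap"] = t[t.index("route-map") + 1]
            elif t[0] == "route-map":
                block = ("rmap", t[1])
        elif block is not None:           # sub-command of the enclosing block
            kind, ctx = block
            if kind == "cmap" and t[0] in ("set", "match") and len(t) > 2:
                ctx[t[1]] = t[2]          # peer / transform-set / address / pfs ...
            elif kind == "rmap" and t[:3] == ["match", "ip", "address"]:
                cfg["rmaps"][ctx] = t[3]
    return cfg

def _nat_exempts(nat_entries, src, dst) -> bool:
    # First-match ACL semantics; no match is the implicit deny, i.e. no translation.
    for action, ns, nd in nat_entries:
        if src.subnet_of(ns) and dst.subnet_of(nd):
            return action == "deny"
    return True

def check(cfg: dict) -> List[str]:
    out, nat_acl = [], cfg["rmaps"].get(cfg["nat_rmap"])
    for e in cfg["cmaps"]:
        tag = f"{e['name']} seq {e['seq']}"
        if e.get("peer") not in cfg["keys"]:
            out.append(f"{tag}: no isakmp pre-shared key for peer {e.get('peer')}")
        if e.get("transform-set") not in cfg["tsets"]:
            out.append(f"{tag}: transform-set {e.get('transform-set')} is not defined")
        flows = [f for f in cfg["acls"].get(e.get("address"), []) if f[0] == "permit"]
        if not flows:
            out.append(f"{tag}: crypto ACL {e.get('address')} is missing or permits nothing")
        for _, src, dst in flows:
            if nat_acl and not _nat_exempts(cfg["acls"].get(nat_acl, []), src, dst):
                out.append(f"{tag}: NAT ACL {nat_acl} does not exempt {src} -> {dst}; "
                           "the flow is PATed before it can match the crypto ACL")
    peers_by_key: Dict[str, List[str]] = {}
    for peer, key in cfg["keys"].items():
        peers_by_key.setdefault(key, []).append(peer)
    out += [f"same pre-shared key for peers {', '.join(p)}; one site could impersonate another"
            for p in peers_by_key.values() if len(p) > 1]
    return out

def mirror_acl(cfg: dict, acl: str) -> List[tuple]:
    # Crypto ACL the remote peer must carry: the same flows with src and dst swapped.
    return [(a, str(d), str(s)) for a, s, d in cfg["acls"].get(acl, [])]
```

Running check(parse_ios(SAMPLE_CONFIG)) reports the missing NAT exemption for the seq 20 flow and the pre-shared key shared by both peers; mirror_acl(cfg, "104") gives the single permit entry (10.0.1.0/24 to 10.1.1.0/24) the ASA side has to carry for that tunnel. The parser only understands "ip" ACL entries with contiguous wildcards and the route-map form of NAT used in the thread; extended ACLs with ports and the "ip nat inside source list" form would need a few more branches.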
agcastle2000 Thu, 05/03/2007 - 03:46

Hi,


Thanks for pointing that out.

I used the same example when I configured the router, but I can't find any example on the Cisco site where the router is connected to more than one site, so I'm not sure if my config is right.


I don't really know if the SDSL modem which is connected to one of the Gig ports of the router has something to do with this, and whether having a serial connection from the ISP would help. My experience with the PIX and ASA5510 at other sites with serial connections is good; the VPN is up in a few minutes.


I appreciate your reply.


Regards,

Archie

jmguillemot Fri, 05/04/2007 - 03:01

Hello,


please find attached a working configuration for a Cisco 851 connected to 2 sites:


- an ASA 550X (SITE 1)

- a HP VPN Server (SITE 2)


Both VPN tunnels are up and working.


Good luck


JM



oabduo983 Wed, 05/02/2007 - 11:20

What I'm suspecting (but not 100% sure, as your router configuration is not complete) is that you are enabling ip inspect on the outside interface, and if you are not explicitly allowing ESP and UDP 500 to come from outside to inside, then you will face an issue...


The other thing you may consider is disabling NAT-T, which is on by default on your routers:


no crypto ipsec nat-transparency udp-encapsulation


I will be waiting for your feedback...


Regards,


agcastle2000 Thu, 05/03/2007 - 04:11

Hi,


Thanks a lot for your reply.


I have to point out that the 2821 has a VPN link to another site (Site 1). It's the second connection which is failing (Site 2). If the ip inspect had something to do with it, then it should not connect to the other site either, but I tried what you suggested. I removed the ip inspect sdm_ins_in_100 in from gi0/1, the outside interface. I also applied the no crypto ipsec nat-transparency udp-encapsulation and it still doesn't work.


The sh cry isa sa kept saying it's deleted. The connection to X.X.X.91 is okay.


X.X.X.74 X.X.X.113 MM_NO_STATE 1892 0 ACTIVE (deleted)

X.X.X.113 X.X.X.91 QM_IDLE 1836 0 ACTIVE


This is driving me mad. I have more problems with the ASA5510 even with the 7.2(2) release. With the PIX at the other site, everything works like a charm. One of our consultants told me that 7.x is buggy and should be avoided. He could be right.


Attached is a more complete config with just the telephony parts removed.


Have a good day or night to everyone.


Regards, Archie



sundar.palaniappan Thu, 05/03/2007 - 11:10

Can you modify the 2821 config as noted below.


2821Site3(config)#crypto map SDM_CMAP_1 20 ipsec-isakmp

2821Site3(config-crypto-map)#set pfs


After enabling PFS clear the ISAKMP & IPSEC SA and check the status.


HTH


Sundar

agcastle2000 Thu, 05/03/2007 - 14:07

Hi Sundar,


Thanks for your reply.


It still doesn't work!


I've done what you suggested, and I have also cleared the crypto isakmp sa and crypto ipsec sa on the ASA5510. I let it simmer for a while and then again applied crypto isakmp enable outside and crypto map outside_map interface outside on the 5510, and the crypto map on the outside interface of the router.


What else is missing?


Thanks,

Archie

agcastle2000 Tue, 05/15/2007 - 09:25

Hi,


I can't make this thing work, so I gave up. I don't know why these two devices are the only ones which are not connecting. I have already spent tons of hours on this problem.


I also sent emails to a couple of Cisco Partners that I know and asked them if they are interested in doing the work, and not a single one responded.


Thanks to everyone who responded.


Archie
