05-02-2007 09:54 AM - edited 03-09-2019 05:54 PM
Hi,
I have spent sleepless nights with this and I still can't successfully create a second tunnel from the 2821 to the ASA5510. The first tunnel from the 2821 to the PIX (peer X.X.X.91) is up, but not the one to the ASA5510 (peer X.X.X.74). The debug on the ASA5510 is showing:
May 02 21:34:26 [IKEv1]: IP = X.X.X.113, Received encrypted packet with no matching SA, dropping
Attached are the ASA5510 config and complete debug from 5510.
The ASA5510 is also accepting L2L VPN from a site connected to ADSL modem (dynamic IP) and the 2821 is also connected to SDSL modem (static IP).
I have a feeling that I missed something on the router. I would be VERY GRATEFUL if someone kind enough can help.
2821Site3#
version 12.4
interface GigabitEthernet0/0.1
description $ETH-LAN_INSIDE$
encapsulation dot1Q 1 native
ip address 10.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
interface GigabitEthernet0/1
description $ETH-WAN_OUTSIDE$
ip address X.X.X.113 255.255.255.192
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect DEFAULT100 out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
crypto isakmp key sharedkey address X.X.X.91
crypto isakmp key sharedkey address X.X.X.74
crypto map SDM_CMAP_1 10 ipsec-isakmp
description Site 3 to Site 1 crypto map
set peer X.X.X.91
set transform-set ESP-3DES-MD5
match address 103
crypto map SDM_CMAP_1 20 ipsec-isakmp
description Site 3 to Site 2 crypto map
set peer X.X.X.74
set transform-set ESP-3DES-MD5
match address 104
ip nat pool NATKUB X.X.X.113 X.X.X.113 netmask 255.255.255.192
ip nat inside source route-map SDM_RMAP_1 pool NATKUB overload
access-list 103 remark Site 3 to Site 1 ACL
access-list 103 permit ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 104 remark Site 3 to Site 2 ACL
access-list 104 permit ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 remark Identifies traffic flows using route map SDM_RMAP_1
access-list 105 remark and are PATed via outside interface GigabitEthernet0/1
access-list 105 deny ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 105
Thanks,
Archie
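The two-peer crypto map and the NAT-exemption route-map above are the part of a multi-site router config that is easiest to get subtly wrong (a peer with no pre-shared key, a crypto ACL nobody denies in the NAT ACL, a deny placed after the permit). The following is an added example, not part of the thread and not Cisco tooling: a small Python checker that parses the 2821 lines posted above (embedded as a constructed sample, copied from the post) and verifies that every `set peer` has an ISAKMP key, every `match address` ACL exists, and every crypto-ACL flow is exempted from PAT by the NAT route-map ACL before any permit entry. It only understands `ip` ACL entries, and a clean result means the config is self-consistent, not that the tunnel will come up.

```python
"""Consistency check for an IOS multi-peer crypto map and its NAT exemption.
Added example, not Cisco tooling. Only 'ip' ACL entries are understood."""
from collections import defaultdict

# Constructed sample: the crypto, NAT and ACL lines from the 2821 config in
# the post, unindented as posted (IOS indents sub-commands; both are accepted).
SAMPLE_CONFIG = """\
crypto isakmp key sharedkey address X.X.X.91
crypto isakmp key sharedkey address X.X.X.74
crypto map SDM_CMAP_1 10 ipsec-isakmp
set peer X.X.X.91
set transform-set ESP-3DES-MD5
match address 103
crypto map SDM_CMAP_1 20 ipsec-isakmp
set peer X.X.X.74
set transform-set ESP-3DES-MD5
match address 104
ip nat inside source route-map SDM_RMAP_1 pool NATKUB overload
access-list 103 permit ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 104 permit ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 90.0.0.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 105
"""
ALL = 0xFFFFFFFF

def _ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def _addr(tok):
    """Consume one ACL address spec -> ((net, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, ALL), tok[1:]
    if tok[0] == "host":
        return (_ip2int(tok[1]), 0), tok[2:]
    return (_ip2int(tok[0]), _ip2int(tok[1])), tok[2:]

def _overlaps(a, b):
    """Two (net, wildcard) ranges share an address iff they agree on every bit both fix."""
    return ((a[0] ^ b[0]) & ~a[1] & ~b[1] & ALL) == 0

def _covers(outer, inner):
    """inner is entirely inside outer iff inner fixes every bit outer fixes, to the same value."""
    fixed = ~outer[1] & ALL
    return (inner[1] & fixed) == 0 and (inner[0] & fixed) == (outer[0] & fixed)

def parse_ios(text):
    """Pull ISAKMP keys, crypto map entries, ACLs, route-maps and NAT rules."""
    cfg = {"keys": set(), "maps": [], "acls": defaultdict(list),
           "rmaps": defaultdict(list), "nat_rmaps": [], "nat_acls": []}
    cur = None                           # (kind, obj) receiving sub-commands
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if raw[0] == " " or t[0] in ("set", "match", "description"):
            if cur and cur[0] == "map" and t[:2] == ["set", "peer"]:
                cur[1]["peer"] = t[2]
            elif cur and cur[0] == "map" and t[:2] == ["match", "address"]:
                cur[1]["acl"] = t[2]
            elif cur and cur[0] == "rmap" and t[:3] == ["match", "ip", "address"]:
                cur[1].extend(t[3:])
            continue
        cur = None
        if t[:3] == ["crypto", "isakmp", "key"] and "address" in t:
            cfg["keys"].add(t[t.index("address") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            cfg["maps"].append({"name": t[2], "seq": int(t[3]), "peer": None, "acl": None})
            cur = ("map", cfg["maps"][-1])
        elif t[0] == "route-map":
            cur = ("rmap", cfg["rmaps"][t[1]])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            for kw, key in (("route-map", "nat_rmaps"), ("list", "nat_acls")):
                if kw in t:
                    cfg[key].append(t[t.index(kw) + 1])
        elif t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny") and t[3] == "ip":
            src, rest = _addr(t[4:])
            cfg["acls"][t[1]].append((t[2], src, _addr(rest)[0]))
    return cfg

def _nat_verdict(nat_entries, src, dst):
    """First NAT-ACL entry overlapping the flow decides, as the router would."""
    for action, e_src, e_dst in nat_entries:
        if _overlaps(e_src, src) and _overlaps(e_dst, dst):
            if action == "permit":
                return "translated"
            return "exempt" if _covers(e_src, src) and _covers(e_dst, dst) else "partly exempt"
    return "exempt"                      # no match: the route-map does not apply

def check_config(text):
    """Return findings; an empty list means every peer has a key, an ACL and a NAT exemption."""
    cfg = parse_ios(text)
    nat_acls = cfg["nat_acls"] + [a for rm in cfg["nat_rmaps"] for a in cfg["rmaps"].get(rm, [])]
    out = []
    for m in cfg["maps"]:
        tag = f"crypto map {m['name']} {m['seq']}"
        if m["peer"] is None:
            out.append(f"{tag}: no 'set peer'")
        elif m["peer"] not in cfg["keys"]:
            out.append(f"{tag}: no 'crypto isakmp key ... address {m['peer']}'")
        if m["acl"] is None:
            out.append(f"{tag}: no 'match address'")
            continue
        permits = [e for e in cfg["acls"].get(m["acl"], []) if e[0] == "permit"]
        if not permits:
            out.append(f"{tag}: crypto ACL {m['acl']} has no permit entry")
        for _, src, dst in permits:
            for acl in nat_acls:
                v = _nat_verdict(cfg["acls"].get(acl, []), src, dst)
                if v != "exempt":
                    out.append(f"{tag}: a flow in ACL {m['acl']} is {v} by NAT ACL {acl}")
    return out

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG) or ["no findings"]))
```

Run it against your own `show running-config` output (the parser tolerates IOS's one-space indentation as well as pasted, unindented text). The sample as posted produces no findings, so the router side is at least internally consistent; removing one of the `deny` lines from ACL 105, or moving the `permit ... any` above the denies, makes the checker report the affected crypto map as translated by NAT.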
05-02-2007 10:07 AM
05-02-2007 10:46 AM
This is a good one too...
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
05-03-2007 03:46 AM
Hi,
Thanks for pointing out.
I used the same example when I configured the router, but I can't find any example on the Cisco site where the router is connected to more than one site. So I'm not sure if my config is right.
I don't really know if the SDSL modem, which is connected to one of the Gig ports of the router, has something to do with this, and whether having a serial connection from the ISP would help. My experience with the PIX and ASA5510 from other sites with serial connections is good: the VPN is up in a few minutes.
I appreciate your reply.
Regards,
Archie
05-04-2007 03:01 AM
05-02-2007 11:20 AM
What I'm suspecting (but not 100% sure, as your router configuration is not complete) is that you are enabling ip inspect on the outside interface, and if you are not explicitly allowing ESP and UDP 500 to come from outside to inside, then you will face an issue...
The other thing you may consider is disabling NAT-T, which is on by default on your routers:
no crypto ipsec nat-transparency udp-encapsulation
I will be waiting for your feedback...
Regards,
05-03-2007 04:11 AM
Hi,
Thanks a lot for your reply.
I have to point out that the 2821 has a VPN link to another site (Site 1). It's the second connection which is failing (Site 2). If the ip inspect had something to do with it, then it should also not connect to the other site, but I tried what you suggested. I removed ip inspect sdm_ins_in_100 in from Gi0/1, the outside interface. I also applied no crypto ipsec nat-transparency udp-encapsulation and it still doesn't work.
The sh cry isa sa keeps on saying it's deleted. The connection to X.X.X.91 is okay.
X.X.X.74 X.X.X.113 MM_NO_STATE 1892 0 ACTIVE (deleted)
X.X.X.113 X.X.X.91 QM_IDLE 1836 0 ACTIVE
This is driving me mad. I have more problems with the ASA5510 even with the 7.2(2) release. With the PIX from the other site, everything works like a charm. One of our consultants told me that 7.x is buggy and should be avoided. He could be right.
Attached is a more complete config with just the telephony parts removed.
Have a good day or night to everyone.
Regards, Archie
05-03-2007 11:10 AM
Can you modify the 2821 config as noted below.
2821Site3(config)#crypto map SDM_CMAP_1 20 ipsec-isakmp
2821Site3(config-crypto-map)#set pfs
After enabling PFS clear the ISAKMP & IPSEC SA and check the status.
HTH
Sundar
05-03-2007 02:07 PM
Hi Sundar,
Thanks for your reply.
It still doesn't work!
I've done what you suggested and I have also cleared the crypto isakmp sa and crypto ipsec sa on the ASA5510. I let it simmer for a while and then applied crypto isakmp enable outside and crypto map outside_map interface outside on the 5510 again, and the crypto map on the outside of the router.
What else is missing?
Thanks,
Archie
05-15-2007 09:25 AM
Hi,
I can't make this thing work, so I gave up. I don't know why these two devices are the only ones which are not connecting. I have already spent tons of hours on this problem.
I also sent emails to a couple of Cisco Partners that I know and asked them if they are interested in doing the work, and not a single one responded.
Thanks to everyone who responded.
Archie
05-15-2007 10:03 AM
Hi,
Could you please check your routing table, and that there is no internal subnet being routed somewhere else when it should be going to your peer's internal network.
If you trust me, I can work with you on this issue remotely, you can email me on oabduo@universe.com.kw
Regards,