Problems with site-to-site VPN (ASA5500)

Oct 26th, 2007

Hello,

I need help. I tried to create a site-to-site VPN (with ASA 5510 and 5520) using the VPN wizard, but I have a problem. The VPN tunnel was not established. Also, there is no ping between end users (10.1.1.2 and 10.2.2.2). In the attachment are the configurations and network topology.

Thank you.




pjhenriqs Mon, 10/29/2007 - 04:05

Hi,


At a first glance I don't see anything wrong with the config but...


Have you tried the "debug crypto isakmp" and "debug crypto ipsec" commands so you can check what the error is?


Are you able to ping from one outside interface of the ASA to the other?


Regards,

Paulo

andrew-susag Mon, 10/29/2007 - 12:26

Hi,


I'm having a similar issue to this user and I have a similar design. In my lab, the two ASAs can ping each other's outside IP but the tunnel won't come up. I'm using a managed L2 switch though, not an L3.

andrew-susag Mon, 10/29/2007 - 13:34

I've attached my config, if it helps. Like I said, pretty similar. We're trying to build a tunnel between a 5510 and a 5505 with a switch in the middle. They are running two different ASA versions, 7.0(7) and 7.2(2) respectively.


Thanks



Attachment: 
jasonsuplita Wed, 10/31/2007 - 12:43

take this out:


tunnel-group VPNgroup1 type ipsec-l2l

tunnel-group VPNgroup1 ipsec-attributes

pre-shared-key *


try this instead:


tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key


Let me know how it goes

andrew-susag Wed, 10/31/2007 - 12:50

Thanks.


Yeah, I noticed that l2l tunnels must have the IP of the peer as the tunnel-group when I was going through a couple of tech pubs. I tried it with no success. I'm working with the TAC directly on this now. I'll post the solution when I find it.

jasonsuplita Wed, 10/31/2007 - 12:59

Hi Andrew,


The two ASA configurations that you attached, are those the configurations you were using when it didn't work? The reason I ask is that the configuration is missing the following items for the VPN to completely work:


1. nat 0 with an access-list of the networks that are being encrypted.


2. Another access-list defining the traffic to be encrypted.


3. a crypto map match address



jasonsuplita Wed, 10/31/2007 - 13:03

What I mentioned earlier, I saw those 3 things missing on the ASA 5505.

jasonsuplita Wed, 10/31/2007 - 13:10

One other thing I noticed


You have the static routes pointing to 172.21.11.4, which I am assuming is the switch. You should have the static routes pointing to the next hop of the other ASA. Otherwise the switch does not know where the network is located. For example, on the ASA 5505 you should have the following static route:


route outside 192.168.10.0 255.255.255.0 172.21.11.197



andrew-susag Wed, 10/31/2007 - 13:42

Thank You Jason,


I'm going to attach some new configs. Those configs are a few days old and were very very wrong it appears.


The config I'm attaching has plenty of changes on it. The two inside networks are 10.0.10.0 (asa5510) and 10.0.11.0 (asa5505). The outside interfaces are 172.21.11.197 (asa5510) and 10.0.3.30 (asa5505). This is all located in my lab. I'm also including a pretty drawing (yay!). I'm new to the whole security side of networking so it surely may be something dumb that I'm missing.


The two configs have been looked over once by the Cisco TAC; I haven't heard back from them yet today.



Attachment: 
jasonsuplita Wed, 10/31/2007 - 14:16

try this also. Put this command on both ASAs:


sysopt connection permit-vpn

jasonsuplita Wed, 10/31/2007 - 14:20

One final thing. Include this too. It may not make a difference but try it anyway.


crypto map 10 set reverse-route
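
A small config check, added here as an illustration and not taken from any poster's attachment, that runs the checklist from these replies (ipsec-l2l tunnel-group named by the peer IP, nat 0 exemption, crypto map match address, sysopt connection permit-vpn, static route next hop) over a constructed ASA config fragment; the peer address 172.21.11.197 and the ACL and crypto map names are assumed sample values:

```python
import re

# Constructed ASA config fragment (not any poster's attachment) reproducing the gaps raised
# in the thread: an ipsec-l2l tunnel-group named VPNgroup1 instead of the peer IP, no nat 0
# exemption, no 'sysopt connection permit-vpn', and a static route aimed at the switch.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 10.0.11.0 255.255.255.0 10.0.10.0 255.255.255.0
route outside 10.0.10.0 255.255.255.0 172.21.11.4 1
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 172.21.11.197
crypto map outside_map interface outside
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
 pre-shared-key *
"""

def _grab(pattern, lines):
    """Return group(1) of every line matching pattern (regex anchored at line start)."""
    return [m.group(1) for m in map(re.compile(pattern).match, lines) if m]

def lint_l2l(config, peer_ip):
    """Run the thread's checklist; returns sorted findings. peer_ip is the other ASA's outside
    address, which here is also the next hop for the remote network (as in the route example)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = set(_grab(r"access-list (\S+) ", lines))
    findings = []
    # 1. an ipsec-l2l tunnel-group must be named with the peer's IP address
    groups = _grab(r"tunnel-group (\S+) type ipsec-l2l", lines)
    if peer_ip not in groups:
        findings.append(f"no 'tunnel-group {peer_ip} type ipsec-l2l' (found: {groups or 'none'})")
    # 2. nat 0 with an access-list exempting the encrypted networks from NAT
    nat0 = _grab(r"nat \(inside\) 0 access-list (\S+)", lines)
    if not nat0 or nat0[0] not in acls:
        findings.append("no 'nat (inside) 0 access-list <acl>' exemption for the VPN networks")
    # 3. a crypto map entry whose 'match address' names an existing crypto ACL
    match = _grab(r"crypto map \S+ \d+ match address (\S+)", lines)
    if not match or match[0] not in acls:
        findings.append("crypto map has no 'match address' pointing at a defined access-list")
    # 4. sysopt connection permit-vpn so decrypted traffic is not dropped by interface ACLs
    if "sysopt connection permit-vpn" not in lines:
        findings.append("missing 'sysopt connection permit-vpn'")
    # 5. static routes for the remote network must point at the peer, not at the switch
    for hop in _grab(r"route outside \S+ \S+ (\S+)", lines):
        if hop != peer_ip:
            findings.append(f"static route next hop {hop} is not the peer {peer_ip}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_l2l(SAMPLE_CONFIG, "172.21.11.197"):
        print(finding)
```

Paste a `show running-config` into SAMPLE_CONFIG's place to run the same checks against a real box; an empty list means all five items are present.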

andrew-susag Thu, 11/01/2007 - 12:28

Owned it guys!


With the help of the cisco tac of course :). I feel pretty silly now but it was kind of an easy miss, I think anyway.


My config was right on; the problem was that I didn't initiate 'interesting traffic'.


You have to ping the opposite inside interface using:


#ping inside x.x.x.x


That forces the ping to originate from the local ASA's inside address and generates 'interesting traffic', which then builds the tunnel.


Hope this helps someone else too.


Thanks for the interest in my problem guys.

jelena001 Thu, 11/01/2007 - 04:17

Hi,

I am able to ping from one outside interface of the ASA to the other. Here is output from "debug crypto isakmp":


debug crypto isakmp (on ASA1)


ping from 10.2.2.2 to 10.1.1.2:


ciscoasa1# Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Can't find a valid tunnel group, aborting...!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Error: Unable to remove PeerTblEntry
Apr 20 23:32:17 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:25 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:33 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)


ping from 10.1.1.2 to 10.2.2.2:


ciscoasa1# Apr 20 23:34:44 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:34:52 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:00 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Error: Unable to remove PeerTblEntry


Any comment will be useful.


Regards
