Problems with site-to-site VPN (ASA5500)

jelena001
Level 1

Hello,

I need help. I tried to create a site-to-site VPN (with ASA 5510 and 5520) using the VPN wizard, but I have a problem. The VPN tunnel was not established. Also, there is no ping between end users (10.1.1.2 and 10.2.2.2). In the attachment are the configurations and network topology.

Thank you.

13 Replies

pjhenriqs
Level 1

Hi,

At a first glance I don't see anything wrong with the config but...

Have you tried the "debug crypto isakmp" and "debug crypto ipsec" commands so you can check what the error is?

Are you able to ping from one outside interface of the ASA to the other?

Regards,

Paulo

Hi,

I'm having a similar issue to this user and I have a similar design. In my lab, the two ASAs can ping each other's outside IP but the tunnel won't come up. I'm using a managed L2 switch though, not an L3.

I've attached my config, if it helps. Like I said, pretty similar. We're trying to build a tunnel between a 5510 and a 5505 with a switch in the middle. They are running two different ASA versions, 7.0(7) and 7.2(2) respectively.

Thanks

take this out:

tunnel-group VPNgroup1 type ipsec-l2l

tunnel-group VPNgroup1 ipsec-attributes

pre-shared-key *

try this instead:

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key

Let me know how it goes

Thanks.

Yeah, I noticed that l2l tunnels must have the ip of the peer as the tunnel-group when I was going through a couple of tech pubs. I tried it with no success. I'm working with the tac directly on this now. I'll post the solution when I find it.

Hi Andrew,

The two ASA configurations that you attached, is that the configuration you were using when it didn't work? The reason I ask is that the configuration is missing the following items for the vpn to completely work:

1. nat 0 with an access-list of the networks that are being encrypted.

2. Another access-list defining the traffic to be encrypted.

3. a crypto map match address

What I mentioned earlier, I saw those 3 things missing on the ASA 5505.

One other thing I noticed

You have the static routes pointing to 172.21.11.4, which I am assuming is the switch. You should have the static routes pointing to the next hop of the other ASA. Otherwise the switch does not know where the network is located. For example, on the ASA 5505 you should have the following static route:

route outside 192.168.10.0 255.255.255.0 172.21.11.197
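The three omissions listed above, plus the earlier point that an l2l tunnel-group has to be named after the peer IP, are easy to check mechanically. The following linter is an added example written for this page, not a tool from the thread or from Cisco; it reads ASA 7.x/8.0-style running-config text (pre-8.3 `nat (inside) 0 access-list` syntax, as used on the ASA versions discussed here) and reports what is missing for each `crypto map ... set peer`. Both config samples are constructed for the demo and are not the posters' attachments; the transform-set and ACL names in them are made up.

```python
"""Lint an ASA site-to-site (ipsec-l2l) configuration for the omissions
discussed in this thread. Example code written for this page; the two
config samples are constructed, not the posters' attached configs."""
import re


def _blocks(config):
    """Yield (top-level command, [indented sub-commands]) pairs."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def lint_l2l(config: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the
    thread's checklist items are all present."""
    blocks = list(_blocks(config))
    headers = [h for h, _ in blocks]

    def grep(pattern):
        return [m for m in (re.match(pattern, h) for h in headers) if m]

    peers = grep(r"^crypto map (\S+) (\d+) set peer (\S+)$")
    if not peers:
        return ["no 'crypto map <name> <seq> set peer <ip>' entry: no l2l peer defined"]

    l2l_groups = {m.group(1) for m in grep(r"^tunnel-group (\S+) type ipsec-l2l$")}
    # pre-shared-key lives as an indented line under 'tunnel-group X ipsec-attributes'
    psk_groups = {
        h.split()[1] for h, kids in blocks
        if re.match(r"^tunnel-group \S+ ipsec-attributes$", h)
        and any(k.startswith("pre-shared-key ") for k in kids)
    }
    acls = {m.group(1) for m in grep(r"^access-list (\S+) ")}
    nat0_acls = {m.group(1) for m in grep(r"^nat \(\S+\) 0 access-list (\S+)$")}

    findings = []
    for m in peers:
        cmap, seq, peer = m.groups()
        # For ipsec-l2l the tunnel-group name must be the peer's IP address.
        if peer not in l2l_groups:
            findings.append(f"crypto map {cmap} {seq}: no 'tunnel-group {peer} type ipsec-l2l' "
                            f"(l2l groups present: {sorted(l2l_groups) or 'none'})")
        if peer not in psk_groups:
            findings.append(f"crypto map {cmap} {seq}: no pre-shared-key under "
                            f"'tunnel-group {peer} ipsec-attributes'")
        match = grep(rf"^crypto map {re.escape(cmap)} {seq} match address (\S+)$")
        if not match:
            findings.append(f"crypto map {cmap} {seq}: no 'match address <acl>' (traffic to encrypt undefined)")
        elif match[0].group(1) not in acls:
            findings.append(f"crypto map {cmap} {seq}: match address refers to undefined ACL {match[0].group(1)}")

    if not nat0_acls:
        findings.append("no 'nat (<if>) 0 access-list <acl>': traffic between the sites would be "
                        "NATed before the crypto ACL is evaluated")
    for acl in sorted(nat0_acls - acls):
        findings.append(f"nat 0 references undefined access-list {acl}")
    if "sysopt connection permit-vpn" not in headers:
        findings.append("no 'sysopt connection permit-vpn' (recommended in the thread so decrypted "
                        "traffic is not subject to the outside interface ACL)")
    return findings


# Constructed sample resembling the mistakes discussed above (not a real config).
BAD_CONFIG = """\
access-list outside_cryptomap_20 extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.30
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
 pre-shared-key *
"""

# Constructed sample with every checklist item present.
GOOD_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
sysopt connection permit-vpn
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.0.3.30
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 10.0.3.30 type ipsec-l2l
tunnel-group 10.0.3.30 ipsec-attributes
 pre-shared-key *
"""

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        print(f"== {name} ==")
        for f in lint_l2l(cfg) or ["no findings"]:
            print(" -", f)
```

Running it against the constructed bad config reports the misnamed tunnel-group, the pre-shared-key that consequently sits under the wrong group, the missing nat 0 exemption and the absent sysopt line; the good config produces no findings. Paste your own `show running-config` output in place of the samples to use it on a real box.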

Thank You Jason,

I'm going to attach some new configs. Those configs are a few days old and were very very wrong it appears.

The config I'm attaching has plenty of changes on it. The two inside networks are 10.0.10.0 (asa5510) and 10.0.11.0 (asa5505). The outside interfaces are 172.21.11.197 (asa5510) and 10.0.3.30 (asa5505). This is all located in my lab. I'm also including a pretty drawing (yay!). I'm new to the whole security side of networking so it surely may be something dumb that I'm missing.

The two configs have been looked over once by the cisco tac, I haven't heard back from them yet today.

try this also. Put this command on both ASAs:

sysopt connection permit-vpn

One final thing. Include this too. It may not make a difference but try it anyway.

crypto map 10 set reverse-route

Owned it guys!

With the help of the cisco tac of course :). I feel pretty silly now but it was kind of an easy miss, I think anyway.

My config was right on; the problem was that I didn't initiate 'interesting traffic'.

You have to ping the opposite inside interface using:

#ping inside x.x.x.x

That forces the ping to originate from the local ASAs inside address and generates 'interesting traffic' which then builds the tunnel.

Hope this helps someone else too.

Thanks for the interest in my problem guys.

Hi,

I am able to ping from one outside interface of the ASA to the other. Here is output from "debug crypto isakmp":

debug crypto isakmp (on ASA1)

ping from 10.2.2.2 to 10.1.1.2:

ciscoasa1# Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Can't find a valid tunnel group, aborting...!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Error: Unable to remove PeerTblEntry
Apr 20 23:32:17 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:25 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:33 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)

ping from 10.1.1.2 to 10.2.2.2:

ciscoasa1# Apr 20 23:34:44 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:34:52 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:00 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Error: Unable to remove PeerTblEntry

Any comment will be useful.

Regards
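The debug output above is typical of what a first-time ASA VPN troubleshooter has to read: the console wraps every line at 80 columns, and the one message that identifies the root cause ("Can't find a valid tunnel group", i.e. no tunnel-group is named after the peer IP 192.168.2.2) is buried among follow-on cleanup errors. The script below is an added example written for this page, not part of the thread or any Cisco tool. It re-joins wrapped lines, parses the `[IKEv1]` records, groups them per peer IP and ranks the known messages so the most likely root cause is reported first. The sample debug text is constructed to mirror the post (including the 80-column wraps); the hint wording is the author's own summary of what each message usually indicates, not Cisco documentation.

```python
"""Triage ASA 'debug crypto isakmp' (IKEv1) output: unwrap console line
wraps, group messages per peer and rank the likely root cause. Example
code for this page; the sample debug text is constructed."""
import re
from collections import Counter

# Optional 'hostname# ' prompt, timestamp, [IKEv1], optional Group, mandatory IP, message.
LINE_RE = re.compile(
    r"^(?:\S+#\s*)?(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) \[IKEv1\]: "
    r"(?:Group = (?P<group>[^,\s]+), )?IP = (?P<ip>[^,\s]+), (?P<msg>.*)$"
)

# Ordered most-diagnostic first; the hints are the author's summaries (assumption).
HINTS = [
    ("Can't find a valid tunnel group",
     "no tunnel-group matched the peer; for ipsec-l2l the tunnel-group must be named after the peer IP"),
    ("Information Exchange processing failed",
     "an informational exchange (notify/delete) could not be processed, typically because no ISAKMP SA exists with the peer"),
    ("missing SA payload",
     "an IKE message arrived without an SA payload; usually a side effect of the failed Phase 1, compare with the peer's debug"),
    ("Removing peer from peer table failed",
     "cleanup noise after a failed negotiation, not a root cause"),
    ("Unable to remove PeerTblEntry",
     "cleanup noise after a failed negotiation, not a root cause"),
]


def unwrap(text):
    """Re-join lines the terminal wrapped at 80 columns. A fragment that does not
    start a new record is glued to the previous one; a space is re-inserted only
    after punctuation, so a word boundary that fell exactly on the wrap column
    can lose its space (matching below is therefore done space-insensitively)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_RE.match(line) or not out:
            out.append(line)
        else:
            sep = " " if out[-1][-1] in ",.!;:" else ""
            out[-1] += sep + line
    return out


def parse_events(text):
    """Return a list of dicts (ts, group, ip, msg) for every parsable record."""
    return [m.groupdict() for m in map(LINE_RE.match, unwrap(text)) if m]


def _norm(s):
    return s.replace(" ", "").lower()


def classify(msg):
    """Index into HINTS of the first matching pattern, or None if unknown."""
    flat = _norm(msg)
    for i, (needle, _) in enumerate(HINTS):
        if _norm(needle) in flat:
            return i
    return None


def triage(text):
    """Per peer IP: event count, message histogram and the top-ranked hint."""
    by_peer = {}
    for ev in parse_events(text):
        entry = by_peer.setdefault(ev["ip"], {"events": 0, "messages": Counter(), "best": None})
        entry["events"] += 1
        i = classify(ev["msg"])
        entry["messages"][HINTS[i][0] if i is not None else ev["msg"]] += 1
        if i is not None and (entry["best"] is None or i < entry["best"]):
            entry["best"] = i
    return {
        ip: {"events": e["events"], "messages": dict(e["messages"]),
             "root_cause": HINTS[e["best"]][1] if e["best"] is not None else None}
        for ip, e in by_peer.items()
    }


# Constructed sample mirroring the post above, wrapped at 80 columns as a console would.
SAMPLE_DEBUG = """\
ciscoasa1# Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Can't
find a valid tunnel group, aborting...!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Removing peer fr
om peer table failed, no match!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Error: Unable to
remove PeerTblEntry
Apr 20 23:32:17 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (
next payload = 4)
ciscoasa1# Apr 20 23:34:44 [IKEv1]: IP = 192.168.2.2, Information Exchange proce
ssing failed
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Removing peer from peer table failed,
no match!
"""

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_DEBUG).items():
        print(f"peer {ip}: {summary['events']} events")
        for msg, n in summary["messages"].items():
            print(f"  {n}x {msg}")
        print(f"  likely root cause: {summary['root_cause']}")
```

On the sample it reports one peer, 192.168.2.2, and names the missing tunnel-group as the likely root cause, which is exactly the fix suggested earlier in the thread. To use it on your own output, save the `debug crypto isakmp` console capture to a file and pass its contents to `triage()`.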
