How do I get the Crypto Engine working in the ASA 5505

Answered Question
Apr 3rd, 2008

I've purchased a brand new ASA 5505 to connect to the Cisco 3640 and I can't even bring up the tunnel. I have tried changing the transform-set to just DES but no luck. I have recently brought up a VPN using DMVPN and the Cisco 501 in a site-to-site, but this one has me wondering what is going on.


The router (3640 running 12.4 code) looks ok, and with the Cisco 501 working great I don't think I have an issue with the router.


This is a lab environment.



This is the feature set on the ASA 5505


Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled


This platform has a Base license.


This is a ping from 10.3.4.10 to 10.1.1.1. It doesn't say anything about IPSEC or ISAKMP.


This is what I get when I do the: show crypto ipsec sa

ASA5505(config)# show crypto ipsec sa


There are no ipsec sas


ASA5505(config)# show crypto isakmp sa


There are no isakmp sas


debug crypto isakmp 10

packet input inside icmp 10.3.4.10 8 0 10.1.1.1 detail



I've been working on this for a week and don't really know if I have a bad ASA5505. Since normal stuff like browsing the Internet works and I can ping outside and inside I don't know what to think. See attachments.



husycisco Thu, 04/03/2008 - 10:15

Hi Bryan

Try reloading ASA

Are you talking about the Remote access or site-to-site VPN?

Regards

bryans1367 Thu, 04/03/2008 - 10:20

I'm working on a site to site VPN. The logs show the router is trying to talk to the ASA.

I have tried to set the defaults back to factory and nothing has changed. I can provide the router side if you think it would help.


LOGS:


4|Apr 03 2008|16:49:24|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry

3|Apr 03 2008|16:49:24|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match!

4|Apr 03 2008|16:48:52|713903|||IP = 67.166.99.36, Information Exchange processing failed

5|Apr 03 2008|16:48:52|713904|||IP = 67.166.99.36, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

5|Apr 03 2008|16:48:52|713041|||IP = 67.166.99.36, IKE Initiator: New Phase 1, Intf inside, IKE Peer 67.166.99.36 local Proxy Address 10.3.4.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map1)

4|Apr 03 2008|16:48:28|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry

3|Apr 03 2008|16:48:28|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match


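The log lines above carry the first real clue: the NO_PROPOSAL_CHOSEN notify arrived un-encrypted, which tells you whether an ISAKMP SA existed when the peer rejected the proposal. The following script is an added example, not part of the thread or of any Cisco tool; it parses the pipe-delimited export format shown in the post (severity|date|time|message-id|||text) and groups events per peer. The sample lines are constructed copies of the posted ones.

```python
"""Triage ASA IKE syslog lines like the ones posted above.

Added example, not from the thread. SAMPLE_LOG is a constructed copy of the
post's log in its pipe-delimited export format
(severity|date|time|message-id|||text); the parsing and grouping are mine.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
4|Apr 03 2008|16:49:24|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry
3|Apr 03 2008|16:49:24|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match!
4|Apr 03 2008|16:48:52|713903|||IP = 67.166.99.36, Information Exchange processing failed
5|Apr 03 2008|16:48:52|713904|||IP = 67.166.99.36, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
5|Apr 03 2008|16:48:52|713041|||IP = 67.166.99.36, IKE Initiator: New Phase 1, Intf inside, IKE Peer 67.166.99.36 local Proxy Address 10.3.4.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map1)
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|\|\|"
    r"IP = (?P<peer>[\d.]+), (?P<text>.*)$")


def parse(log: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def triage(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Classify each peer's failure from the notify wording and the 713041 start line."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e["text"])
    verdicts = {}
    for peer, texts in by_peer.items():
        if any("un-encrypted NO_PROPOSAL_CHOSEN" in t for t in texts):
            # An unprotected notify means no ISAKMP SA existed when the peer
            # rejected us, so the rejection came before quick mode could run.
            verdicts[peer] = "rejected before ISAKMP SA was established"
        elif any("NO_PROPOSAL_CHOSEN" in t for t in texts):
            verdicts[peer] = "rejected under an existing ISAKMP SA (IPsec proposal or proxy IDs)"
        elif any("New Phase 1" in t for t in texts):
            verdicts[peer] = "phase 1 started, no rejection seen"
        else:
            verdicts[peer] = "no IKE negotiation seen"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in triage(parse(SAMPLE_LOG)).items():
        print(f"{peer}: {verdict}")
```

Run it against a `show logging` export in the same format; the verdict only tells you which stage rejected the proposal, so the policy, transform-set and crypto ACL comparison still has to be done by hand on both peers.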

fortis123 Thu, 04/03/2008 - 11:58

Hi,


Do you have 'pfs' enabled on the ASA? From your upload:


crypto map outside_map1 1 set pfs


Disable PFS (unless it is also configured on the other end) and check if it works.


thank you

MS

husycisco Fri, 04/04/2008 - 03:25

Bryan,

Can you send the config of router and current config of ASA please?

Most probably, the transform-set is not set. You would get a PFS mismatch error if it was a PFS issue.



bryans1367 Fri, 04/04/2008 - 06:54

I have attached the configs for both. Still no luck.



husycisco Fri, 04/04/2008 - 12:30

In 3640, do the following


no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 2 ipsec-isakmp

no set transform-set ESP-3DES-SHA1

set transform-set ESP-3DES-MD5


no ip nat inside source route-map SDM_RMAP_3 interface Ethernet2/0 overload


no access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

no access-list 105 permit ip 10.1.2.0 0.0.0.255 any

no access-list 105 permit ip 10.1.1.0 0.0.0.255 any

no access-list 105 permit ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255

no access-list 106 remark IPSec Rule

no access-list 106 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

no access-list 106 permit ip 10.3.3.0 0.0.0.255 any

no access-list 106 permit icmp any any



access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255

access-list 105 permit ip 10.1.2.0 0.0.0.255 any

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 10.3.3.0 0.0.0.255 any

access-list 105 permit icmp any any



In ASA, do the following


no crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

no crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

no crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

no crypto ipsec transform-set ESP-3DES-SHA_BES esp-3des esp-sha-hmac

no crypto ipsec fragmentation after-encryption inside

no crypto map outside_map1 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA_BES ESP-3DES-SHA

crypto map outside_map1 1 set transform-set ESP-3DES-MD5


Restart both devices, then let me know if all is right. If not, post the last configs of both again

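The fix above boils down to giving both peers one transform-set with identical algorithms, keeping PFS consistent (fortis123's point) and making the crypto ACLs exact mirror images (the access-list 105 rewrite). The script below is an added example, not from the thread or from Cisco: it models the responder's quick-mode decision so you can check two configs for a common proposal before reloading anything. The peer definitions are constructed from the transform-set names, the `set pfs` line and the networks quoted in the posts; they stand in for the attached configs, which are not on the page, and the PFS rule is an assumption labelled in the code.

```python
"""Predict whether two IPsec peers can agree on a quick-mode proposal.

Added example, not from the thread or from Cisco. The peers are constructed
from names and networks quoted in the posts, not the attached configs.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    name: str        # local label only; never sent on the wire
    cipher: str      # esp-des | esp-3des | esp-aes | esp-aes-192 | esp-aes-256
    integrity: str   # esp-md5-hmac | esp-sha-hmac
    mode: str = "tunnel"

    def matches(self, other: "TransformSet") -> bool:
        # Names may differ (ESP-3DES-SHA vs ESP-3DES-SHA_BES); algorithms must not.
        return (self.cipher, self.integrity, self.mode) == (
            other.cipher, other.integrity, other.mode)


@dataclass
class Peer:
    name: str
    transform_sets: List[TransformSet]   # order = preference, as in a crypto map
    pfs_group: Optional[int]             # None = no 'set pfs'
    crypto_acl: List[Tuple[str, str]]    # (local_net, remote_net) as this peer sees them


def mirrored(a: Peer, b: Peer) -> bool:
    """Crypto ACLs must be exact mirror images or the proxy IDs will not match."""
    a_view = {(ip_network(s), ip_network(d)) for s, d in a.crypto_acl}
    b_view = {(ip_network(d), ip_network(s)) for s, d in b.crypto_acl}
    return a_view == b_view


def negotiate(initiator: Peer, responder: Peer) -> Tuple[bool, str]:
    """Approximate the responder's quick-mode decision; returns (ok, reason)."""
    chosen = next((t for t in initiator.transform_sets
                   if any(t.matches(r) for r in responder.transform_sets)), None)
    if chosen is None:
        return False, "NO_PROPOSAL_CHOSEN: no cipher/integrity/mode common to both sides"
    # Assumption (verify against your platform's docs): a responder with PFS
    # configured rejects an initiator offering no PFS or another group, while a
    # responder without PFS configured accepts whatever the initiator offers.
    if responder.pfs_group is not None and initiator.pfs_group != responder.pfs_group:
        return False, (f"PFS mismatch: {responder.name} requires group "
                       f"{responder.pfs_group}, {initiator.name} offers {initiator.pfs_group}")
    if not mirrored(initiator, responder):
        return False, "proxy identity mismatch: crypto ACLs are not mirror images"
    return True, f"{chosen.name}: {chosen.cipher}/{chosen.integrity}"


# Constructed peers, modelled on the names in the thread.
ESP_3DES_MD5 = TransformSet("ESP-3DES-MD5", "esp-3des", "esp-md5-hmac")
ESP_3DES_SHA = TransformSet("ESP-3DES-SHA", "esp-3des", "esp-sha-hmac")
ESP_3DES_SHA_BES = TransformSet("ESP-3DES-SHA_BES", "esp-3des", "esp-sha-hmac")
ESP_AES_256_SHA = TransformSet("ESP-AES-256-SHA", "esp-aes-256", "esp-sha-hmac")

ASA = Peer("ASA5505", [ESP_3DES_MD5, ESP_3DES_SHA_BES, ESP_3DES_SHA], None,
           [("10.3.4.0/24", "10.1.1.0/24")])
ROUTER = Peer("3640", [ESP_3DES_SHA], None, [("10.1.1.0/24", "10.3.4.0/24")])


def scenarios() -> dict:
    """A healthy pair plus the three mismatches discussed in the thread."""
    aes_only_router = replace(ROUTER, transform_sets=[ESP_AES_256_SHA])
    pfs_router = replace(ROUTER, pfs_group=2)
    wrong_acl_router = replace(ROUTER, crypto_acl=[("10.1.1.0/24", "10.3.3.0/24")])
    return {
        "baseline": negotiate(ASA, ROUTER),
        "transform_set": negotiate(ASA, aes_only_router),
        "pfs": negotiate(ASA, pfs_router),
        "acl": negotiate(ASA, wrong_acl_router),
    }


if __name__ == "__main__":
    for label, (ok, why) in scenarios().items():
        print(f"{label:14} {'OK  ' if ok else 'FAIL'} {why}")
```

The baseline pair succeeds on ESP-3DES-SHA_BES even though the names differ, which is why collapsing both sides to one identically named set is a tidiness measure rather than a protocol requirement; what must match is the algorithm triple, the PFS expectation and the mirrored proxy identities.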
bryans1367 Sat, 04/05/2008 - 08:53

Doing what you asked worked. My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?



Correct Answer
husycisco Sat, 04/05/2008 - 10:17

"Doing what you asked worked"

Nice to hear that your issue is resolved.

"My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?"

Sure you can.


Regards.

Please do not forget to rate helpful posts and check "Resolved my issue" box, if the post resolved your issue.
