Solved: How do I get the Crypto Engine working in the ASA 5505

bryans1367 · ‎04-03-2008

I've purchased a brand new ASA 5505 to connect to the Cisco 3640 and I can't even bring up the tunnel. I have tried changing the transform-set to just DES but know luck. I have recently brought up a VPN using DMVPN and the Cisco 501 in a site-to-site but this one has been wondering what is going on.

The router (3640 running 12.4 code)looks ok and with the Cisco 501 working great I don't think I have an issue with the router.

This is a lab environment.

This is the feature set on the ASA 5505

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled

This platform has a Base license.

This is a ping from 10.3.4.10 to 10.1.1.1. It doesn't say anything about IPSEC or ISAKMP.

This is what I get when I do the: show crypto ipsec sa

ASA5505(config)# show crypto ipsec sa

There are no ipsec sas

ASA5505(config)# show crypto isakmp sa

There are no isakmp sas

debug crypto isakmp 10

packet input inside icmp 10.3.4.10 8 0 10.1.1.1 detail

I've been working on this for a week and don't really know if I have a bad ASA5505. Since normal stuff like browsing the Internet works and I can ping outside and inside I don't know what to think. See attachments.

husycisco · ‎04-05-2008

"Doing what you asked worked"

Nice to hear that your issue is resolved.

"My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?"

Sure you can.

Regards.

Please do not forget to rate helpful posts and check "Resolved my issue" box, if the post resolved your issue.

View solution in original post

husycisco · ‎04-03-2008

Hi Bryan

Try reloading ASA

Are you talking about the Remote access or site-to-site VPN?

Regards

bryans1367 · ‎04-03-2008

I'm working on a site to site VPN. The logs show the router is trying to talk to the ASA.

I have tried to set the defaults back to factory and nothing has changed. I can provide the router side if you think it would help.

LOGS:

4|Apr 03 2008|16:49:24|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry

3|Apr 03 2008|16:49:24|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match!

4|Apr 03 2008|16:48:52|713903|||IP = 67.166.99.36, Information Exchange processing failed

5|Apr 03 2008|16:48:52|713904|||IP = 67.166.99.36, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

5|Apr 03 2008|16:48:52|713041|||IP = 67.166.99.36, IKE Initiator: New Phase 1, Intf inside, IKE Peer 67.166.99.36 local Proxy Address 10.3.4.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map1)

4|Apr 03 2008|16:48:28|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry

3|Apr 03 2008|16:48:28|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match

fortis123 · ‎04-03-2008

Hi,

Do you have 'pfs' enabled on ASA..? From your upload..

crypto map outside_map1 1 set pfs

disable pfs (unless it is existing on other end also). check if it works.

thank you

MS

husycisco · ‎04-04-2008

Bryan,

Can you send the config of router and current config of ASA please?

Most probably, transform-set is not set. You would get a PFS mismatch error if it was a PFS issue.

bryans1367 · ‎04-04-2008

I have attached the configs for both. Still know luck.

bryans1367 · ‎04-04-2008

I have attached the configs for both. Still know luck.

husycisco · ‎04-04-2008

In 3640, do the following

no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 2 ipsec-isakmp

no set transform-set ESP-3DES-SHA1

set transform-set ESP-3DES-MD5

no ip nat inside source route-map SDM_RMAP_3 interface Ethernet2/0 overload

no access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

no access-list 105 permit ip 10.1.2.0 0.0.0.255 any

no access-list 105 permit ip 10.1.1.0 0.0.0.255 any

no access-list 105 permit ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255

no access-list 106 remark IPSec Rule

no access-list 106 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

no access-list 106 permit ip 10.3.3.0 0.0.0.255 any

no access-list 106 permit icmp any any

access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255

access-list 105 permit ip 10.1.2.0 0.0.0.255 any

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 10.3.3.0 0.0.0.255 any

access-list 105 permit icmp any any

In ASA, do the following

no crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

no crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

no crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

no crypto ipsec transform-set ESP-3DES-SHA_BES esp-3des esp-sha-hmac

no crypto ipsec fragmentation after-encryption inside

no crypto map outside_map1 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA_BES ESP-3DES-SHA

crypto map outside_map1 1 set transform-set ESP-3DES-MD5

Restart both devices, then let me know if all is right. If not, post the last configs of both again

bryans1367 · ‎04-05-2008

Doing what you asked worked. My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?

husycisco · ‎04-05-2008