ASA IPsec problem

Answered Question
Jun 3rd, 2008

Hello,

While configuring an IPsec tunnel between an ASA and an ISR 1811 I've got some negative issues:

pc host (192.168.56.1) <-----> (inside 192.168.56.56) ASA (outside x.x.x.56) <-------> (outside x.x.x.55) ISR (lo 192.168.55.55)

When I ping from the ISR to the ASA everything is OK:

ISR# ping ip 192.168.56.1 source 192.168.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.56.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.55.55
.!!!!

ASA# sh isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.55
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

But vice versa, the IPsec tunnel is not established:

ASA# clear isa sa

PC host# ping -c 2 192.168.55.55
PING 192.168.55.55 (192.168.55.55) 56(84) bytes of data.

--- 192.168.55.55 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1010ms

and on the ASA I have seen the following debug messages:

Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
Jun 02 03:18:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 02 03:18:16 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
Jun 02 03:18:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Can anybody help me with this problem?

Thanks.

Farrukh Haroon Tue, 06/03/2008 - 06:40

Can you post the ASA configuration or at least the following:

show run crypto all

show run tunnel-group

Regards

Farrukh

salexanov Tue, 06/03/2008 - 06:53

Of course, yes.

ASA# sh run cry
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 match address VPN
crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp am-disable

ASA# sh run tun
tunnel-group x.x.x.55 type ipsec-l2l
tunnel-group x.x.x.55 ipsec-attributes
pre-shared-key *

ASA# sh access-l VPN
access-list VPN; 1 elements
access-list VPN line 1 extended permit ip 192.168.56.0 255.255.255.0 10.10.10.0 255.255.255.0

And some IPsec-related parts from the ISR config:

ISR# sh run
Current configuration : 5007 bytes
!
version 12.4
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY1 address x.x.x.56
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map VPN_MAP1 1 ipsec-isakmp
set peer x.x.x.56
set transform-set ESP-AES-MD5
match address VPN
!
interface Loopback10
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0
description External->ASA
ip address 82.x.x.55 255.255.255.192
speed 100
full-duplex
crypto map VPN_MAP1
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 192.168.56.0 0.0.0.255
!
!
end

Farrukh Haroon Tue, 06/03/2008 - 07:04

Can you try to remove the following four commands and then check:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000

Regards

Farrukh

salexanov Tue, 06/03/2008 - 07:31

Yes, I can, but I don't understand the target of this action.

If I execute the statements from your post with 'no' there will not be any changes, because these are the predefined values in ASA software.

I've tried to change these values to be equal to the ISR's.

ISR# sh cry ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds

ASA# sh run cry | i ^crypto_.*_lifetime
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 3600
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000

and nothing has happened:

PC# ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.

--- 10.10.10.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

Debug from the ASA:

Jun 03 07:19:28 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:29 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:34 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:35 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10

Correct Answer
Farrukh Haroon Tue, 06/03/2008 - 09:09

Hello, I just noticed you are using a dynamic map, may I ask the reason for that?

I don't think you can be the 'initiator' of a VPN session when using dynamic crypto maps, if you are putting the address of the remote peer, what benefit are you gaining by using the dynamic crypto map?

Regards

Farrukh
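As an added illustration of Farrukh's point (a script added here, not code from the thread or from Cisco): it parses ASA crypto-map lines, treats any map entry that only references a dynamic map as responder-only, and shows the same tunnel rewritten as a static crypto map entry in standard ASA L2L syntax. The peer address 203.0.113.55 is a placeholder for the redacted x.x.x.55.

```python
import re
# Constructed sample modelled on the thread's "sh run cry" output; 203.0.113.55
# is a documentation-range placeholder standing in for the redacted x.x.x.55.
ASA_DYNAMIC = """\
crypto dynamic-map DYN-VPN-MAP1 1 match address VPN
crypto dynamic-map DYN-VPN-MAP1 1 set peer 203.0.113.55
crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
"""

# Same tunnel as a static entry: peer and ACL sit on the map, so the ASA can initiate.
ASA_STATIC = """\
crypto map VPN-MAP1 1 match address VPN
crypto map VPN-MAP1 1 set peer 203.0.113.55
crypto map VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto map VPN-MAP1 interface outside
"""
ENTRY = re.compile(r"crypto (dynamic-map|map) (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Group 'crypto map' / 'crypto dynamic-map' lines by (kind, name, seq)."""
    entries = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # interface bindings, transform-sets, isakmp lines
        kind, name, seq, rest = m.groups()
        e = entries.setdefault((kind, name, int(seq)), {"peer": None, "acl": None, "dyn": None})
        if rest.startswith("set peer "):
            e["peer"] = rest.split()[2]
        elif rest.startswith("match address "):
            e["acl"] = rest.split()[2]
        elif rest.startswith("ipsec-isakmp dynamic "):
            e["dyn"] = rest.split()[2]
    return entries

def initiator_peers(config):
    """Peers the ASA can initiate to: static map entries with both peer and ACL.
    An entry that only references a dynamic map is responder-only, even when
    the dynamic map itself carries 'set peer' (the thread's configuration)."""
    return {e["peer"] for (kind, _, _), e in parse_crypto_maps(config).items()
            if kind == "map" and e["dyn"] is None and e["peer"] and e["acl"]}

def responder_only_peers(config):
    """Peers configured under a dynamic map and nowhere else."""
    dyn = {e["peer"] for (kind, _, _), e in parse_crypto_maps(config).items()
           if kind == "dynamic-map" and e["peer"]}
    return dyn - initiator_peers(config)
```

Run against the dynamic-map configuration the result is an empty initiator set, which matches the "IKE Initiator unable to find policy" debug output; the static form yields the peer.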

salexanov Wed, 06/04/2008 - 02:37

You were absolutely right about this:

"I don't think you can be the 'initiator' of a VPN session when using dynamic crypto maps"

Thanks a lot!

Farrukh Haroon Wed, 06/04/2008 - 03:44

It's great to know your problem is solved now; I'm glad I could help :)

Regards

Farrukh
