Cannot connect ASA5505 to 3000 Concentrator

Jul 31st, 2008

Hi everyone,


I followed the document

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml


but I am still unable to get my ASA to connect. I'm thinking it's because of the ISP's DSL router but I'm not sure. I even enabled NAT-T but that didn't do anything. Here is my layout:


ASA -> DSL Router -> Internet -> Concentrator


ASA inside: 10.103.0.1

ASA outside: 192.168.1.250

DSL Router LAN: 192.168.1.254

DSL Router WAN: 148.X.X.X

Concentrator: 24.X.X.X

Concentrator LAN: 172.16.0.1



Here's my config too with some debugs. Can someone shed some light please? Thanks.




Farrukh Haroon Thu, 07/31/2008 - 19:32

Double check your Pre-shared key and phase 2 parameters. The document uses a /16 mask on the VPN concentrator side, on the ASA you are using a /24 for the concentrator LAN, is it the same on the other side?


Regards


Farrukh

agonza07 Tue, 08/05/2008 - 13:49

Yeah I checked both of them and still nothing. The subnets are like that because I was making changes to the config so as to not give out my real config.


I'm being NAT'd behind a Cisco 1800 that belongs to the ISP, but the IP address is the one that I set up on the concentrator. Do you think this has something to do with it?

Farrukh Haroon Wed, 08/06/2008 - 10:54

If there is NAT in the transit path, why don't you enable NAT-T on the Concentrator?


It's enabled on IOS by default, but disabled on PIX/ASA/VPNC.


Regards


Farrukh

agonza07 Wed, 08/06/2008 - 11:49

I'm not very familiar with the ASA, but I believe I configured NAT-T already. Here is another screenshot and updated config. Thanks for all your help guys, I really hope we can get this up and running.


I had to edit some of the subnets but it all should be exactly off the Cisco doc 69115. I'm trying to get the ISP to give me the IP directly to my ASA, but it's been hard trying to get ahold of them, and I want to get this up ASAP.



Farrukh Haroon Thu, 08/07/2008 - 04:12

On the ASA add:


crypto isakmp nat-traversal


On the VPN concentrator you have enabled NAT-T on the L2L Connection itself, but have you enabled it globally? Like this:




Configure IPSec over NAT-T and/or IPSec over TCP:


1. On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.

2. Check the IPSec over NAT-T and/or TCP check box.


Regards


Farrukh

Farrukh Haroon Thu, 08/07/2008 - 08:16

Initiate the tunnel from the ASA and post the output of show crypto isakmp sa detail


Also if possible the debug output 'debug crypto isakmp 127'


Do 'find and replace' for your public IPs to hide them.


Regards


Farrukh

agonza07 Thu, 08/07/2008 - 08:29

Mexico-ASA5501# ping inside 172.16.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:

Aug 07 06:51:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 50.0.0.0, Crypto map (EP-Map)

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload

Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

?Aug 07 06:51:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:11 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:13 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:15 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?

Success rate is 0 percent (0/5)

Mexico-ASA5501# Aug 07 06:51:25 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:33 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE MM Initiator FSM error history (struct &0x3c71290) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE SA MM:02d189d8 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, sending delete/delete with reason message

Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Removing peer from peer table failed, no match!

Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Error: Unable to remove PeerTblEntry


Correct Answer
Farrukh Haroon Thu, 08/07/2008 - 09:02

Sorry logs are not helping


debug crypto isakmp 127

debug crypto ipsec 127

debug crypto engine


show crypto isakmp sa detail

show crypto ipsec sa detail


It could be a Phase 1 identity issue also. ASA accepts and moves on the Phase 1, but VPNC rejects.


Also if possible IKE,IKEDBG,IPSEC,IPSECDBG logs from VPNC.


Regards


Farrukh


agonza07 Thu, 08/07/2008 - 09:20

Mexico-ASA5501# debug crypto isakmp 127

Mexico-ASA5501# debug crypto ipsec 127

Mexico-ASA5501# debug crypto engine

Mexico-ASA5501#

Mexico-ASA5501# show crypto isakmp sa detail


There are no isakmp sas

Mexico-ASA5501# show crypto ipsec sa detail


There are no ipsec sas

Mexico-ASA5501# ping inside 172.16.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:

Aug 07 07:31:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 172.16.0.0, Crypto map (EP-Map)

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload

Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

?Aug 07 07:31:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:23 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:25 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:27 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 07:31:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?

Success rate is 0 percent (0/5)

Mexico-ASA5501# show crypto isakmp sa detail


Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1


1 IKE Peer: 24.X.X.X

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 0

Mexico-ASA5501# show crypto ipsec sa detail


There are no ipsec sas
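The output above is the classic picture of a Phase 1 initiator that never hears back: `IKE_DECODE SENDING` once, `RESENDING` repeatedly, and `show crypto isakmp sa detail` sitting in `MM_WAIT_MSG2`. The script below is an added example, written for this page and not part of the thread or any Cisco tool; it parses ASA `debug crypto isakmp 127` and `show crypto isakmp sa detail` text in the format shown in the thread, counts retransmissions, and turns the state into a plain-language triage hint (unreachable peer, no tunnel for this peer, or no matching ISAKMP policy, which is what the poster eventually fixed). The sample lines are constructed from the thread's output with the same masked peer address; the regexes and the `Phase1Summary` names are this example's own assumptions about the log layout.

```python
"""Triage an ASA IKEv1 Main Mode initiator from debug and 'show' output.

Added example (not from the thread, not Cisco's code).  Assumes the line
formats seen in 'debug crypto isakmp 127' and 'show crypto isakmp sa detail'
on ASA 7.x/8.x as posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, shortened from the poster's output (peer masked the same way).
SAMPLE_DEBUG = """\
Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 172.16.0.0, Crypto map (EP-Map)
Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload
Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 07:31:37 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 07:31:45 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE MM Initiator FSM error history (struct &0x3c71290) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2
"""

SAMPLE_SA = """\
1 IKE Peer: 24.X.X.X
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
"""

# Assumed line shapes (matches the thread's output; adjust for other releases).
PEER_RE = re.compile(r"IKE Peer:?\s*(\S+)")
MSG_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message")
NATT_RE = re.compile(r"constructing NAT-Traversal VID")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\S+)")


@dataclass
class Phase1Summary:
    peer: Optional[str] = None
    role: Optional[str] = None
    state: Optional[str] = None
    sent: int = 0            # first transmissions of an IKE message
    resent: int = 0          # retransmissions (no reply arrived in time)
    received: int = 0        # messages decoded from the peer
    natt_offered: bool = False  # ASA advertised NAT-T vendor IDs in MM1


def parse_debug(text: str, summary: Optional[Phase1Summary] = None) -> Phase1Summary:
    """Accumulate send/resend/receive counts and NAT-T offer from debug lines."""
    s = summary or Phase1Summary()
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and s.peer is None:
            s.peer = m.group(1)
        if NATT_RE.search(line):
            s.natt_offered = True
        m = MSG_RE.search(line)
        if m:
            verb = m.group(1)
            if verb == "SENDING":
                s.sent += 1
            elif verb == "RESENDING":
                s.resent += 1
            else:
                s.received += 1
    return s


def parse_sa_detail(text: str, summary: Optional[Phase1Summary] = None) -> Phase1Summary:
    """Pull peer, role and Main Mode state out of 'show crypto isakmp sa detail'."""
    s = summary or Phase1Summary()
    for line in text.splitlines():
        for regex, attr in ((PEER_RE, "peer"), (ROLE_RE, "role"), (STATE_RE, "state")):
            m = regex.search(line)
            if m:
                setattr(s, attr, m.group(1))
    return s


def diagnose(s: Phase1Summary) -> str:
    """Map the observed state to the next thing to check on the initiator side."""
    if s.state == "MM_DONE":
        return "Phase 1 is complete; move on to Phase 2 ('show crypto ipsec sa detail')."
    if s.role == "initiator" and s.state == "MM_WAIT_MSG2" and s.received == 0:
        return (
            f"Stuck in MM_WAIT_MSG2: MM1 sent {s.sent} time(s) and retransmitted "
            f"{s.resent} time(s) with no reply from {s.peer}. The peer is not answering "
            "at all, so check that UDP/500 reaches it, that it has a tunnel entry for this "
            "peer address, and that at least one ISAKMP policy (encryption, hash, DH group, "
            "auth) matches on both sides."
            + ("" if s.natt_offered else " NAT-T was not offered; if NAT sits in the path, "
               "enable 'crypto isakmp nat-traversal' on the ASA.")
        )
    if s.state and s.state.startswith("MM_WAIT_MSG"):
        return f"Stuck in {s.state} after {s.received} reply(ies): a later Main Mode step failed; check pre-shared key and identity."
    return f"State {s.state!r}: no specific hint; collect 'debug crypto isakmp 127' from both sides."


if __name__ == "__main__":
    summary = parse_debug(SAMPLE_DEBUG)
    summary = parse_sa_detail(SAMPLE_SA, summary)
    print(summary)
    print(diagnose(summary))
```

Run it against pasted output instead of the constructed sample by reading the two captures from files and passing them to `parse_debug` and `parse_sa_detail`; the counts are what tell you whether the peer ever replied, which is the distinction between "nothing reaches the peer or matches its policy" (MM_WAIT_MSG2) and "the key or identity is wrong" (later MM_WAIT states).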



agonza07 Thu, 08/07/2008 - 09:30

GOT IT!!!


My IKE proposals had the aes-128 above the 256, so I just moved the 256 above the 128 and that did it. Thanks for all your help Farrukh.


--mando

Farrukh Haroon Thu, 08/07/2008 - 11:14

No problem buddy, I'm glad you have it working.


A debug almost always helps :)


Regards


Farrukh
