CSM 3.1.1 VPN discovery fails

Unanswered Question
Aug 14th, 2008

I already have site-to-site VPNs configured between an ASA 5505 with 7.2(3) and an ASA 5510 with 8.0(3).


These ASAs are added in CSM, and while discovering the VPN I get the error message "discover failed: A valid crypto map missing on the interface".


But I am able to discover site-to-site VPNs on other ASA boxes running the 7.2(3) and 8.0(3) images.


Also I have an ASA 5510 (8.0.3) with two interfaces enabled for multiple ISPs and a site-to-site VPN configured on both interfaces.


The problem is I am unable to discover the VPN in CSM 3.1.1 and get the error message "Crypto map applied to more than one interface".


Can anyone help me solve these issues?

dradhika Mon, 08/18/2008 - 03:58
User Badges: Cisco Employee

Can you attach the config of ASA device for the first issue?


Thanks,

Radhika

ckuriyar74 Mon, 08/18/2008 - 23:52

I have attached the configs of the ASA 5505 and 5510.


The site-to-site VPNs are working fine when configured using the CLI, but I am unable to discover the VPN in Security Manager.

dradhika Wed, 08/27/2008 - 00:57
User Badges: Cisco Employee

Hi,


I discovered the attached configs in the latest CSM version. Discovery is working fine; no error messages are given. I did P2P discovery. Did you use the same when you got the error message?


Thanks,

Radhika

ckuriyar74 Wed, 08/27/2008 - 04:16

Hi Radhika,


Thanks.


I am using CSM release 3.1.1 with SP3 and I get the error message when I tried P2P discovery.


I just wanted to know on what release did you manage to discover successfully?

dradhika Wed, 08/27/2008 - 18:40
User Badges: Cisco Employee

It's 3.2.1. Protected networks were not discovered. I think that's just because of the ACLs with missing IP addresses.


Thanks,

Radhika

ckuriyar74 Wed, 08/27/2008 - 20:07

I tried with 3.2 and without RME installed, but I get the same error.


Does it require RME to be installed?


Thanks,

Chandru

dradhika Wed, 08/27/2008 - 21:09
User Badges: Cisco Employee

Hi Chandru,


No. I don't think the problem is related to RME.

You might be getting the error message because of the dynamic crypto map on the 5510. Just guessing, not sure. Can you try removing this line and check if it works:

crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

Also this line is missing in your configs:

sysopt connection permit-ipsec

Can you add this to both files before discovering?


Thanks,

Radhika

ckuriyar74 Wed, 08/27/2008 - 22:18

I have other site-to-site VPNs configured on the ASA 5510 and I am able to discover them successfully using CSM 3.1.1.


I have two site-to-site VPNs configured on the ASA 5505 to remote sites with an ASA 5510 and a PIX 515E. The issue is I can't discover both VPNs configured on the ASA 5505 in CSM.


The discovery of the VPN on the PIX 515E is fine.


Thanks,

Chandru

ckuriyar74 Wed, 08/27/2008 - 22:18

I tried these options, but no luck.


I have other site-to-site VPNs configured on the ASA 5510 and I am able to discover them successfully using CSM 3.1.1.


I have two site-to-site VPNs configured on the ASA 5505 to remote sites with an ASA 5510 and a PIX 515E. The issue is I can't discover both VPNs configured on the ASA 5505 in CSM.


The discovery of the VPN from the PIX 515E to other remote sites is fine.


Thanks,

Chandru

ckuriyar74 Thu, 08/28/2008 - 05:57

Hi Radhika,


Finally I was able to figure out the problem.


My ASA 5505 is behind a DSL router, and the ASA outside interface is NATed in the DSL router.


If I change the ASA 5505 outside interface to the real outside address, I am able to discover the VPN successfully in my test system.


In the same way, I had another issue where the ASA 5510 has a crypto map enabled on 2 interfaces, and I had an issue with discovery of the VPN. If I remove the crypto map from one of the interfaces, I am able to discover the VPN.


But I am not able to discover the VPN with the original configs.


Any idea to resolve this issue?


Thanks,

Chandru

dradhika Thu, 08/28/2008 - 18:52
User Badges: Cisco Employee

Not sure if I understand what you meant.

Do you mean that you still cannot discover the VPNs?

If so,

1. Can you try discovering from the files instead of from the live devices?

2. If you try discovering just the devices with RA policies, do you see any error message?

3. Is the basic discovery of the devices without any policy discovery working? (Is the device reachable from CSM?)


Thanks,

Radhika

ckuriyar74 Thu, 08/28/2008 - 23:44

1. I still cannot discover the VPNs using the original config files.


2. Basic discovery of device works fine and the device is reachable from CSM.


I will explain in detail.


I have an ASA 5505 behind a DSL router, and the ASA outside interface 192.168.194.2 is NATed in the DSL router to a public address with all traffic opened.


Issue: If I remove the ASA outside interface address 192.168.194.2 and put the real outside address in the configuration file, the discovery of the VPN works fine; with address 192.168.194.2 it fails to discover the VPN with the error message "Missing a valid crypto map on the device".


I have an ASA 5510 with two interfaces configured for VPN with the crypto map enabled. The basic discovery of this device is fine and it's reachable from CSM.


Issue: If I remove the crypto map from either interface in the config file, the discovery of the VPN works fine, but with the crypto map enabled on both interfaces the discovery of the VPN fails with the error message "Crypto map enabled in one or more interfaces".


I think you can understand what I explained.


Thanks,

Chandru

dradhika Fri, 08/29/2008 - 04:42
User Badges: Cisco Employee

Hi Chandru,

Issue 1: When you are using the interface address 192.168.194.2, did you also update the configuration on the peer device with the crypto map set peer IP address set to 192.168.194.2 instead of the NATed address?


Issue 2: CSM allows only one interface to be configured as the VPN interface. That is the reason discovery throws the error message that the crypto map is enabled on more than one interface. This is the implementation, I guess.


HTH,

Radhika

ckuriyar74 Sun, 08/31/2008 - 08:41

Hi Radhika,


Issue 1: No, I use the NATed address as the peer address instead of 192.168.194.2 on the peer device.


Issue 2: Is there any solution so that CSM supports a crypto map enabled on more than one interface, or is there no solution?


Thanks,

Chandru

dradhika Tue, 09/02/2008 - 05:54
User Badges: Cisco Employee

Hi Chandru,


Sorry for the late reply.

Issue 1: The NAT discovery fails because you are using the NAT address instead of the real address.

This is how CSM VPN discovery works.

                        device1     device2
outside interface ip    x.x.x.x     y.y.y.y
set peer command        y.y.y.y     x.x.x.x


When you give "crypto map MYMAP interface outside" (outside interface address: x.x.x.x) on device1, CSM checks on device2 that there is a crypto map on device2 with device1's outside interface IP address in the set peer command (set peer x.x.x.x).

When you give the NAT address as the set peer, it will be different from the outside interface address.

I guess that is the reason for getting the error message.


I think the tunnel will not be established in this case between the two devices.

NAT-Transparency solves this problem I guess.

You need to apply a dynamic crypto map without the set peer command and enable NAT transparency using the "isakmp nat-traversal" command.

I guess CSM VPN discovery also works fine when you configure all these things.

Below are a few links that talk about the issue with NAT and NAT transparency, if you need information about them:

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fios%2F12_2t%2F12_2t13%2Ffeature%2Fguide%2Fftipsnat.html&pos=2&strqueryid=6&websessionid=VZp7dUrPWtTnE8fpwYgeTsY - NAT Transparency on IOS


http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899 - Configuration Guide for NAT-T isakmp nat-traversal


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml - ASA IPsec with NAT, CLI, with an example


Issue 2: You can add it manually to the discovered VPN after discovery and deploy.

I am not with Cisco at present :), so I don't remember if the VPN is discovered without the VPN interface.


HTH,

Radhika
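As an added illustration of the two checks Radhika describes (this is not code from the thread, from CSM, or from Cisco): a small Python script that parses the interface and crypto-map lines of two ASA configs and reports whether the peer's "set peer" names the local crypto-map interface address and whether a crypto map is bound to more than one interface. The configs are constructed; 192.168.194.2 is the address from the thread, while 203.0.113.10 (standing in for the DSL router's public NAT address), 198.51.100.x, and the interface names are placeholders.

```python
import re

def parse_asa(config: str) -> dict:
    """Collect interface addresses, 'set peer' targets and crypto-map bindings from ASA config text."""
    facts = {"iface_ip": {}, "peers": set(), "map_ifaces": []}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            facts["iface_ip"][nameif] = line.split()[2]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            facts["peers"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            facts["map_ifaces"].append(m.group(1))
    return facts

def discovery_problems(local: dict, peer: dict) -> list:
    """The two conditions the thread describes, checked from local's point of view."""
    problems = []
    if len(local["map_ifaces"]) > 1:
        problems.append("crypto map applied to more than one interface")
    vpn_ips = {local["iface_ip"].get(i) for i in local["map_ifaces"]}
    if not vpn_ips & peer["peers"]:     # peer's 'set peer' must name local's crypto-map interface address
        problems.append("peer 'set peer' does not match local crypto-map interface address")
    return problems

# Constructed sample configs: 192.168.194.2 is the address from the thread; 203.0.113.10 (the
# DSL router's public NAT address) and 198.51.100.x are placeholder documentation addresses.
ASA5505_CFG = """interface Vlan2
 nameif outside
 ip address 192.168.194.2 255.255.255.0
crypto map WAN_map 10 set peer 198.51.100.1
crypto map WAN_map interface outside
"""
ASA5510_CFG = """interface Ethernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
interface Ethernet0/1
 nameif outside2
 ip address 198.51.100.65 255.255.255.0
crypto map WAN_map 10 set peer 203.0.113.10
crypto map WAN_map interface outside
crypto map WAN_map interface outside2
"""
```

Calling `discovery_problems(parse_asa(ASA5505_CFG), parse_asa(ASA5510_CFG))` reports the NAT mismatch, and swapping the arguments reports the two-interface crypto map; pointing the 5510's set peer at 192.168.194.2 clears the first finding.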
