IPSEC VPN Tunnel Problem in CISCO ASA

sarkar.sandip
Level 1

Hi,

We have created an IPSEC VPN tunnel between two Cisco ASA 5510 firewalls. After establishing the VPN tunnel, when we are generating traffic in that tunnel, it is showing up and active but we are unable to "PING" or access our local LAN segments. I am getting the following syslog error...

1 Nov 10 2008 16:21:22 713900 Group = XX.XX.XX.XX, IP = XX.XX.XX.XX, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please note the IOS version of one firewall is Cisco ASA 8.0(4), and for the other one it is Cisco ASA 7.0(7).

Please help me by providing the necessary solution to overcome this problem.

14 Replies

andrew.prince
Level 10

It sounds like you have not passed phase 2 of the VPN negotiations.

I would do the following:-

1) Check you have the same encryption and hash configuration for phase 2 at both ends.

2) Check that your encryption domains (interesting traffic access-list) allow the same subnets at both ends.

Post the output of:-

debug crypto ipsec 20

HTH>

Hi,

Thanks for your reply. As per your suggestion, I have checked the 2 points you mentioned.

Please find the attached file containing the site to site VPN configuration for both end firewalls. Please suggest ...

Thanks in advance.

Please find the output of sh crypto ipsec sa

IVOXFIRE# sh crypto ipsec sa
interface: outside
Crypto map tag: IPSecMap, seq num: 40, local addr: xx.xx.xx.xx
access-list 120 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: xx.xx.xx.xx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 8995D15D
inbound esp sas:
spi: 0x67FA295B (1744447835)
transform: esp-aes esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 74, crypto-map: IPSecMap
sa timing: remaining key lifetime (kB/sec): (4275000/27122)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8995D15D (2308297053)
transform: esp-aes esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 74, crypto-map: IPSecMap
sa timing: remaining key lifetime (kB/sec): (4275000/27114)
IV size: 16 bytes
replay detection support: Y

OK - your config looks good, the crypto ipsec sa's look good apart from one thing:-

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Firstly, this indicates that nothing from 192.168.3.0 (local) is going to 192.168.1.0 (remote) - worrying.

Does your local 192.168.3.0/24 network know where 192.168.1.0/24 is and how to get there?

Do you have any filtering on the inside interface that would block traffic from 192.168.3.0/24 to 192.168.1.0/24?

Can you post the configs with any sensitive config removed?

HTH>

Hi,

Please find the firewall configuration and suggest the necessary action.

Thanks..

OK here are my observations:-

1) In your ACL "acl_inside", the first line is permit ip any any, which negates ALL other lines in the ACL, as you are already allowing everything.

2) Your ACL "acl_inside" only allows ICMP echo-reply, so you cannot actually ping out. Add the following line:-

access-list acl_inside line 4 extended permit icmp any any echo

3) I always like to add specific routes for my VPNs; try adding:-

route outside 192.168.1.0 255.255.255.255 <>

re-test and show the output of "show access-list acl_inside"

HTH>

Hi,

I have tried the same and added the required commands in the firewall as you have mentioned. But I am still unable to PING the remote location LAN segments (192.168.1.0/24) from (192.168.3.0/24).

Please help.

Output of "show access-list"?

Hi,

Please find the attached file containing the output of show access-list..

Thanks

OK thanks for the output, what I see is:-

access-list acl_inside line 1 extended permit ip any any (hitcnt=3442000)

You can remove ALL other lines, as I said before they are useless.

access-list 120 line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=321743)

This indicates that traffic is hitting the ACL for the VPN, but traffic is not shown in the IPSEC SA.

I would clear the access-list counters, and clear down the VPN and try to initiate it again.

HTH>

Hi,

I have cleared the access-list counters as well as the SAs with the following commands:

Firewall#clear access-list 120 counters

Firewall#clear crypto ipsec sa

Firewall#clear crypto isakmp sa

But I am still unable to PING the remote LAN segment.

Post output of:-

show access-list

show crypto ipsec sa

also - can you get the same from the remote end?

Hi,

As requested, please find the attached files containing the required outputs for both location firewalls...

Thanks

From the outputs, I would say you have an issue in the local end, as you have decrypted traffic, but not sent any. The remote end has initiated the tunnel and sent traffic, which has been received but not responded to.

Check your IP routes, check your ACLs (again), debug debug debug.

HTH>
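The counter reasoning used across this thread (the all-zero #pkts encaps line flagged in the first review of the SA output, the lines in acl_inside shadowed by permit ip any any, the crypto ACL hit count with no matching SA traffic, and the final observation that the local end decrypts traffic but never sends any) can be turned into a small triage script. The following is an added example, not code from the thread or from Cisco. It parses constructed samples modelled on the quoted "show crypto ipsec sa" and "show access-list" output (documentation addresses, invented counters chosen to reproduce the final diagnosis) and assumes a single SA entry per output; the function names are the example's own.

```python
import re
from ipaddress import ip_network

# Constructed samples modelled on the thread's 'show crypto ipsec sa' excerpt. Addresses
# are documentation ranges and the counters are invented to reproduce the final
# diagnosis: decrypted traffic arrives at the local end, nothing is sent back.
LOCAL_SA = """\
interface: outside
    Crypto map tag: IPSecMap, seq num: 40, local addr: 198.51.100.10
      access-list 120 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.20
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
      #send errors: 0, #recv errors: 0
"""
REMOTE_SA = """\
interface: outside
    Crypto map tag: IPSecMap, seq num: 10, local addr: 203.0.113.20
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.10
      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
# Constructed 'show access-list' sample modelled on the two lines quoted in the thread.
LOCAL_ACLS = """\
access-list acl_inside line 1 extended permit ip any any (hitcnt=3442000)
access-list acl_inside line 2 extended permit icmp any any echo-reply (hitcnt=0)
access-list acl_inside line 3 extended permit icmp any any echo (hitcnt=0)
access-list 120 line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=321743)
"""

COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
ACL_LINE = re.compile(r"^access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)", re.M)


def parse_sa(text):
    """Encaps/decaps packet counters of the SA (assumes one SA entry in the output)."""
    return {name: int(val) for name, val in COUNTER.findall(text)}


def encryption_domains(text):
    """local/remote ident as ip_network objects; ipaddress accepts dotted masks."""
    return {side: ip_network(f"{addr}/{mask}") for side, addr, mask in IDENT.findall(text)}


def domains_mirror(local_text, remote_text):
    """Phase 2 proxy identities must be mirror images of each other at the two ends."""
    a, b = encryption_domains(local_text), encryption_domains(remote_text)
    return a["local"] == b["remote"] and a["remote"] == b["local"]


def parse_acl(text, name):
    """[(line_no, rule, hitcnt)] for one ACL, in the order 'show access-list' prints it."""
    return [(int(n), rule, int(hits))
            for acl, n, rule, hits in ACL_LINE.findall(text) if acl == name]


def shadowed_lines(entries):
    """Line numbers that can never match because an earlier 'permit ip any any' wins first."""
    for line_no, rule, _ in entries:
        if rule == "permit ip any any":
            return [n for n, _, _ in entries if n > line_no]
    return []


def diagnose(counters, crypto_acl_entries):
    """Apply the thread's reasoning about encaps/decaps counters and crypto ACL hits."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    acl_hits = sum(h for _, _, h in crypto_acl_entries)
    if enc and dec:
        return "forwarding both ways"
    if dec and not enc:
        return "peer sends but this end never replies: check routes, inside ACL and local phase 2"
    if not enc and acl_hits:
        return "crypto ACL matches but nothing is encapsulated: re-check phase 2 on this end"
    if not enc:
        return "no interesting traffic reaches the crypto map: check routes and inside ACL"
    return "this end sends but the peer never replies: check the remote end"


if __name__ == "__main__":
    print("encryption domains mirror:", domains_mirror(LOCAL_SA, REMOTE_SA))
    print("shadowed acl_inside lines:", shadowed_lines(parse_acl(LOCAL_ACLS, "acl_inside")))
    print("local diagnosis:", diagnose(parse_sa(LOCAL_SA), parse_acl(LOCAL_ACLS, "120")))
    print("remote diagnosis:", diagnose(parse_sa(REMOTE_SA), []))
```

Run against real output, the two checks to look at first are domains_mirror (the phase 2 identities at both ends) and the encaps/decaps asymmetry; a crypto ACL with a large hit count beside an encaps counter of zero is the same picture the thread shows before the local phase 2 configuration was redone.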

Hi,

I have reconfigured the Phase 2 for IPSEC VPN tunnel at local end and now it is working fine. We are able to PING both location LAN segments properly.

Thanks to you for your help and support.
