asa 5505 + l2l vpn + cisco client

Unanswered Question
Jan 13th, 2009

Hi,

I'm trying to replace a PIX 506 [working ok] with an ASA 5505. But just after swapping them some of the VPN links don't work. I can't ping sites. Cisco VPN client access doesn't work either. I was following a few Cisco manuals but I can't figure out what is missing in my config.

Could you please have a look at my config, maybe something obvious - I hope so.

Many thanks.

Ivan Martinon Tue, 01/13/2009 - 08:13

Try this:

Remove this line "crypto map outside_map 10 ipsec-isakmp dynamic dynmap"

clear config crypto map outside_map 10

Then place it at the very bottom of your crypto config by entering:

crypto map outside_map 65535 ipsec-isakmp dynamic dynmap

Also you have a typo on the map 80:

crypto map outsite_map 80 I think it should be "outside"

Move this like that and try it; if clients are still not able to connect, then try to get the client logs and the ASA debugs.

pawelek_maly Wed, 01/14/2009 - 12:52

Many thanks for your reply.

I have sorted most of the issues:

1. I was pointing to the wrong radius server.

2. pre-shared key for Cisco Client was wrong.

3. There is a "set pfs" command at one site, so I have added this to my config - it works!

I didn't touch the dynamic dynmap as you advised but it works so far.

I can't understand why my typo didn't affect the vpn link ["crypto map outsite_map 80"]?

Now I have one problem left with vpn link between asa5505 and pix501- can't establish the link.

This is the only site where I have no server (DC), just tablet PCs. Do you think that after swapping my 506 with the ASA 5505 on that site there is no traffic on the 501 site to renegotiate and establish the tunnel with my new 5505?

Could you please advise any debug commands I can use in this case.

Many thanks for your help!!!!

Tshi M Wed, 01/14/2009 - 13:16

I will first do what was suggested in the first reply. But I will increase the sequence to 100.

crypto map outside_map 100 ipsec-isakmp dynamic dynmap

In regards to debug, you can use: debug crypto isakmp 127

Tshi M Wed, 01/14/2009 - 13:23

Also, what is the ACL that allows the network inside the 5505 to access the network behind the PIX?

pawelek_maly Wed, 01/14/2009 - 14:16

Could you explain why ["crypto map outside_map 100 ipsec-isakmp dynamic dynmap"] makes the difference? What is the impact?

Regarding the access list:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0

Thanks!

Tshi M Wed, 01/14/2009 - 18:08

When using client VPN in conjunction with L2L, you want your client VPN crypto map to have the highest sequence number.

Could you please post the output of the debug?
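The sequence-number rule stated above (and the "outsite_map" typo flagged in the first reply) can be checked mechanically. The script below is an added example, not Cisco code and not the original poster's config: it parses the `crypto map` lines of an ASA/PIX configuration, flags a dynamic entry that does not carry the highest sequence number, flags a map name that occurs on only one line (the typo pattern), and flags static entries missing `set peer` or `match address`. Both configurations embedded in it are constructed to mirror the thread; the peer addresses are documentation-range placeholders.

```python
"""Lint the crypto-map section of an ASA/PIX configuration.

Added example for this thread, not Cisco tooling. Both configs below are
constructed: BROKEN_CONFIG reproduces the two problems discussed (dynamic
entry at a low sequence, "outsite_map" typo); FIXED_CONFIG is the corrected
form with the dynamic entry at 65535 as the first reply suggests.
"""
import re
from collections import defaultdict

BROKEN_CONFIG = """\
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outsite_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 198.51.100.80
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

FIXED_CONFIG = """\
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 198.51.100.80
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# "crypto map <name> <seq|interface> <rest>"
MAP_LINE_RE = re.compile(r"^crypto map (\S+) (\S+)(?: (.*))?$")


def parse_crypto_maps(config):
    """Return ({name: {seq: [clauses]}}, {name: line_count}).

    The 'interface' binding line counts toward the name but has no sequence.
    """
    entries = defaultdict(lambda: defaultdict(list))
    name_counts = defaultdict(int)
    for raw in config.splitlines():
        m = MAP_LINE_RE.match(raw.strip())
        if not m:
            continue
        name, second, rest = m.groups()
        name_counts[name] += 1
        if second.isdigit():
            entries[name][int(second)].append(rest or "")
    return entries, name_counts


def lint_crypto_maps(config):
    """Return human-readable findings; an empty list means the map is clean."""
    findings = []
    entries, name_counts = parse_crypto_maps(config)

    # A map name that occurs on a single line is almost certainly a typo:
    # a real map has several clauses plus its interface binding.
    for name, count in name_counts.items():
        if count == 1:
            findings.append(f"map name '{name}' appears only once: probable typo")

    for name, seqs in entries.items():
        highest = max(seqs)
        for seq, clauses in sorted(seqs.items()):
            if any(c.startswith("ipsec-isakmp dynamic") for c in clauses):
                # Entries are evaluated in ascending sequence order and a
                # dynamic entry matches any peer, so it must come after
                # every static L2L entry.
                if seq != highest:
                    findings.append(
                        f"{name} seq {seq} is dynamic but seq {highest} comes "
                        "after it: give the dynamic entry the highest sequence"
                    )
                continue
            # A static L2L entry needs a peer and an interesting-traffic ACL.
            if not any(c.startswith("set peer") for c in clauses):
                findings.append(f"{name} seq {seq} has no 'set peer'")
            if not any(c.startswith("match address") for c in clauses):
                findings.append(f"{name} seq {seq} has no 'match address'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_crypto_maps(cfg) or 'no findings'}")
```

Feed it the output of `show running-config crypto map` and read the findings top to bottom; the typo finding usually explains a following "has no 'match address'" finding on the same sequence, since the mistyped line was parsed as belonging to a different map.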

pawelek_maly Fri, 01/16/2009 - 13:34

It looks like my config was OK except for the many silly mistakes I've made.

Every vpn link is up + cisco client is ok :-)))

But it took 2 hours to re-establish the VPN link between the 5505 and PIX 501 in one of my locations.

Any idea why? [The debug was captured during the problems establishing that VPN link.] Can anyone explain that debug output?

THANKS!

pb# debug crypto isakmp 127
pb# Jan 16 11:15:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:20 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:22 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:25 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:30 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:31 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:36 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:38 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:42 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd5a9a128) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE SA MM:3a113728 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, sending delete/delete with reason message
Jan 16 11:15:46 [IKEv1]: IP = 217.xx.xx.xx, Removing peer from peer table failed, no match!
Jan 16 11:15:46 [IKEv1]: IP = 217.xx.xx.xx, Error: Unable to remove PeerTblEntry
Jan 16 11:15:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 16 11:15:47 [IKEv1]: IP = 217.xx.xx.xx, IKE Initiator: New Phase 1, Intf inside, IKE Peer 217.xx.xxx.xx local Proxy Address 192.168.1.0, remote Proxy Address 192.168.9.0, Crypto map (outside_map)
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing ISAKMP SA payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing NAT-Traversal VID ver 02 payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing NAT-Traversal VID ver 03 payload
Jan 16 11:15:47 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload

Tshi M Fri, 01/16/2009 - 14:29

You might have a mismatched pre-shared key, since the phase is not completing.

Ivan Martinon Fri, 01/16/2009 - 14:32

It states Main Mode waiting for message 2. IKE consists of 6 messages when using Main Mode; waiting for message 2 means that the remote peer is failing to send and validate your ISAKMP policies. Maybe the remote end still has your tunnel as active?
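The reading above (the FSM error history shows which main-mode message the initiator was waiting for when it gave up) can be automated over a saved `debug crypto isakmp 127` capture. The script below is an added example, not Cisco tooling and not from either reply: it pulls the peer address, counts phase 1 retransmits (`msgid=0`) and queued KEY-ACQUIRE events, extracts the state in which `EV_ERROR` fired from the FSM history line, and maps that state to the usual troubleshooting interpretation. The sample is a constructed subset of the debug lines posted in this thread (with the poster's redacted IP); the state-to-hint table reflects common ASA troubleshooting practice, not something stated in the thread.

```python
"""Triage 'debug crypto isakmp' output for an IKEv1 main-mode tunnel that
will not come up. Added example, not Cisco tooling; SAMPLE_DEBUG is a
constructed subset of the lines posted in this thread.
"""
import re

SAMPLE_DEBUG = """\
Jan 16 11:15:20 [IKEv1]: IP = 217.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 16 11:15:22 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:30 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:38 [IKEv1]: IP = 217.xx.xx.xx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd5a9a128) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jan 16 11:15:46 [IKEv1 DEBUG]: IP = 217.xx.xx.xx, IKE SA MM:3a113728 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jan 16 11:15:47 [IKEv1]: IP = 217.xx.xx.xx, IKE Initiator: New Phase 1, Intf inside, IKE Peer 217.xx.xxx.xx local Proxy Address 192.168.1.0, remote Proxy Address 192.168.9.0, Crypto map (outside_map)
"""

# The state in which EV_ERROR fired tells you which main-mode message never
# arrived. These hints are the usual ASA troubleshooting reading (assumption,
# not a statement from the thread).
STUCK_STATE_HINTS = {
    "MM_WAIT_MSG2": "MSG1 (our ISAKMP proposal) was sent but no MSG2 came back: "
                    "peer unreachable on UDP/500, ISAKMP not enabled on its "
                    "interface, or none of our isakmp policies matched",
    "MM_WAIT_MSG4": "key exchange started but MSG4 never arrived: the peer "
                    "dropped the exchange mid-way; check its logs",
    "MM_WAIT_MSG6": "MSG5 (our encrypted identity) was sent but MSG6 never "
                    "came: commonly a pre-shared key mismatch",
}

PEER_RE = re.compile(r"IP = ([\d.x]+),")
FSM_RE = re.compile(
    r"IKE MM (Initiator|Responder) FSM error history \(struct [^)]*\) , : (.*)$"
)
TRANSITION_RE = re.compile(r"(\w+)-->(\w+)")
PROXY_RE = re.compile(
    r"local Proxy Address ([\d.]+), remote Proxy Address ([\d.]+)"
)


def triage_ike_debug(text):
    """Summarise one phase 1 attempt from isakmp debug output."""
    result = {
        "peer": None, "role": None, "stuck_state": None, "hint": None,
        "msg1_retransmits": 0, "key_acquires_queued": 0, "proxy_ids": None,
    }
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and result["peer"] is None:
            result["peer"] = m.group(1)
        # msgid=0 is the phase 1 exchange; RESENDING means the previous
        # copy of MSG1 got no reply within the retry timer.
        if "RESENDING Message (msgid=0)" in line:
            result["msg1_retransmits"] += 1
        # Interesting traffic is hitting the crypto map locally, so this
        # box is the initiator and the tunnel is being triggered.
        if "Queuing KEY-ACQUIRE" in line:
            result["key_acquires_queued"] += 1
        m = FSM_RE.search(line)
        if m:
            result["role"] = m.group(1)
            # Transitions are listed as EVENT-->STATE; the EV_ERROR entry
            # names the state the FSM was stuck in when it gave up.
            for event, state in TRANSITION_RE.findall(m.group(2)):
                if event == "EV_ERROR":
                    result["stuck_state"] = state
                    result["hint"] = STUCK_STATE_HINTS.get(
                        state, "unrecognised state; consult the IKE state table")
                    break
        m = PROXY_RE.search(line)
        if m:
            result["proxy_ids"] = (m.group(1), m.group(2))
    return result


if __name__ == "__main__":
    for key, value in triage_ike_debug(SAMPLE_DEBUG).items():
        print(f"{key:20} {value}")
```

On the thread's capture this reports the initiator stuck in MM_WAIT_MSG2 after three MSG1 retransmits with local 192.168.1.0 / remote 192.168.9.0 proxy identities, which is the "no answer from the peer" case rather than the pre-shared-key case; a key mismatch would typically leave the initiator in MM_WAIT_MSG6 instead.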
