ASA site to site VPN

Unanswered Question
Jun 10th, 2009

Hi there.

I currently have a site to site configured correctly and working fine. I am attempting to establish a secondary one to the same ASA device but am having problems. The VPN link connects OK but I am unable to route any traffic through.

I'm hoping this is a quick fix.

I'm not sure what info to post that would help to solve the issue but below is the output from my crypto map.

The link from 80.176.122.226 works ok and the link from 78.86.119.49 does not.

show run crypto map

crypto map rackmap 1 match address outside_1_cryptomap
crypto map rackmap 1 set pfs
crypto map rackmap 1 set peer 80.176.122.226
crypto map rackmap 1 set transform-set rackset
crypto map rackmap 65365 ipsec-isakmp dynamic rack
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 1 set transform-set rackset
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 78.86.119.49
crypto map outside_map 2 set transform-set rackset1
crypto map outside_map interface outside

Thanks,

J.

Ivan Martinon Wed, 06/10/2009 - 07:15

You need to make sure that the crypto map used for both VPN endpoints has the same name. Remember, all VPN devices can only have 1 crypto map per interface, so per your config, the one that is applied right now is outside_map; rackmap, despite being configured, is not applied. So you would need to add all of the settings from rackmap to outside_map using a different sequence number to differentiate them.

zangbezang Wed, 06/10/2009 - 08:06

Hi.

Thanks very much for the update. I'm very new to the Cisco IOS.... Would it be possible for you to send me the correct command line to complete this?

Many thanks,

J.

Ivan Martinon Wed, 06/10/2009 - 08:11

Actually, if this is an ASA just go ahead and type:

clear configure crypto map rackmap

And try again; if it still does not work, post your config please.

zangbezang Thu, 06/11/2009 - 00:02

Hi.

Thanks again for the reply... Will this affect my working VPN connection if I run this command? And how do I re-apply the correct config for the non-working VPN connection?

Novice here.

J.

zangbezang Thu, 06/11/2009 - 00:38

Here's my config.

Just to note: The vpn that is working correctly is:

80.176.122.226

Network 172.16.9.0/24 - 192.168.100.0/22

Not working:

78.86.119.49

Network 172.16.0.0/24 - 192.168.100.0/22

Attached is my config.

Ivan Martinon Thu, 06/11/2009 - 07:25

Since this is not really applied to any interface, it will not affect your existing configuration so no need to reapply it.

zangbezang Thu, 06/11/2009 - 07:30

This one doesn't look like a valid command on my system:

clear configure crypto map rackmap

^

ERROR: % Invalid input detected at '^' marker.

zangbezang Thu, 06/11/2009 - 07:39

My bad.

Entered the command once in config, reconnected my VPN, and I'm still unable to ping anything on those subnets.

Here's the latest output from my crypto map:

show run crypto map

crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 1 set transform-set rackset
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 78.86.119.49
crypto map outside_map 2 set transform-set rackset1
crypto map outside_map interface outside

Ivan Martinon Thu, 06/11/2009 - 07:40

Ok, please send me the following output:

show vpn-sessiondb detail remote

show crypto ipsec sa detail

zangbezang Mon, 06/15/2009 - 07:15

Hi there.

Has anyone got any updates on this to get it resolved? I really am out of ideas on this one.

J.

ybtheneonet Mon, 06/15/2009 - 09:18

Hmm.. I have a feeling this is a case of asymmetric routing which is causing only the decap count to increase in the 2nd crypto map.

Do you need 2 transform-sets? Try seeing if it's possible to work with on

Ivan Martinon Mon, 06/15/2009 - 09:24

On any of the interfaces that is not returning traffic configure:

"management-access "

Issue a clear crypto ipsec sa counters

Then go ahead and issue a ping from that interface like:

ping inside repeat 20

Get the show crypto ipsec sa; does it show any packets? If it does not show any, then I am suspecting it has to do with the vpn context being corrupted. I could ask you for lots of outputs to confirm this, or you can try rebooting the ASA and try to connect again.

zangbezang Tue, 06/16/2009 - 00:38

Hi.

Thanks for the update... I performed a reboot of the ASA initially and then ran the commands suggested. I'm still unable to ping any devices on those subnets. Attached is the output from the commands stated.

Ivan Martinon Tue, 06/16/2009 - 04:43

Mhhh strange, go ahead and collect the following:

show asp table classify crypto

show asp table vpn-context

show crypto ipsec sa detail

show run all

Ivan Martinon Tue, 06/16/2009 - 09:50

I just checked your configuration again and... here are some inconsistencies:

access-list outside_1_cryptomap extended permit ip any any
access-list outside_1_cryptomap_1 permit ip object-group Rackspace-Private object-group KC
access-list outside_2_cryptomap permit ip object-group Rackspace-Private object-group KC

crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 2 match address outside_2_cryptomap

Both tunnels, despite having different peers, have exactly the same traffic as source and destination; this will cause you to always use the first tunnel to encrypt and decrypt.

No wonder nothing is coming back. Any reason for this?
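The two configuration faults Ivan points out in this thread, the unapplied rackmap from his first reply and the identical traffic selectors here, can both be caught mechanically before a tunnel is ever brought up. The script below is an added example, not code from the thread or from Cisco: it parses a config text constructed from the lines the poster shared (the object-group bodies are assumed from the subnets he describes, 192.168.100.0/22 for Rackspace-Private and both 172.16.x.0/24 ranges under KC) and reports crypto maps bound to no interface and map entries whose match-address selectors are shadowed by a lower sequence number. It also re-runs the check on the same config with the poster's later fix applied, to show the findings clear.

```python
"""Lint an ASA crypto-map config for the two problems raised in this thread:
maps never bound to an interface (dead entries) and entries in one map whose
'match address' selectors overlap (the lower sequence number always wins)."""
import ipaddress
import re
from collections import defaultdict

# Constructed from the lines posted in the thread; the object-group bodies are
# assumed from the subnets the poster described (192.168.100.0/22, and both
# 172.16.x.0/24 ranges grouped under KC before the fix).
SAMPLE_CONFIG = """\
object-group network Rackspace-Private
 network-object 192.168.100.0 255.255.252.0
object-group network KC
 network-object 172.16.9.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip any any
access-list outside_1_cryptomap_1 extended permit ip object-group Rackspace-Private object-group KC
access-list outside_2_cryptomap extended permit ip object-group Rackspace-Private object-group KC
crypto map rackmap 1 match address outside_1_cryptomap
crypto map rackmap 1 set peer 80.176.122.226
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 78.86.119.49
crypto map outside_map interface outside
"""

# Same config after the poster's later fix: rackmap cleared, one /24 per peer.
FIXED_CONFIG = (
    re.sub(r"^crypto map rackmap .*\n", "", SAMPLE_CONFIG, flags=re.M)
    .replace("outside_1_cryptomap_1 extended permit ip object-group Rackspace-Private object-group KC",
             "outside_1_cryptomap_1 extended permit ip object-group Rackspace-Private 172.16.9.0 255.255.255.0")
    .replace("outside_2_cryptomap extended permit ip object-group Rackspace-Private object-group KC",
             "outside_2_cryptomap extended permit ip object-group Rackspace-Private 172.16.0.0 255.255.255.0")
)

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def _endpoint(tokens, i, groups):
    """Expand one ACE endpoint: any | host A | object-group G | addr mask."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2

def parse_config(text):
    """Return object groups, expanded crypto ACLs, map entries and bound maps."""
    groups, acls, maps = defaultdict(list), defaultdict(list), defaultdict(dict)
    applied, group = {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("object-group network "):
            group = words[2]
        elif line.startswith(" network-object "):
            groups[group].append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif m := ACL_RE.match(line):
            src, i = _endpoint(m.group(2).split(), 0, groups)
            dst, _ = _endpoint(m.group(2).split(), i, groups)
            acls[m.group(1)].append((src, dst))
        elif m := MATCH_RE.match(line):
            maps[m.group(1)].setdefault(int(m.group(2)), {})["acl"] = m.group(3)
        elif m := PEER_RE.match(line):
            maps[m.group(1)].setdefault(int(m.group(2)), {})["peer"] = m.group(3)
        elif m := IFACE_RE.match(line):
            applied[m.group(1)] = m.group(2)
    return {"groups": groups, "acls": acls, "maps": maps, "applied": applied}

def unapplied_maps(cfg):
    """Crypto maps that exist in the config but are bound to no interface."""
    return sorted(name for name in cfg["maps"] if name not in cfg["applied"])

def _overlap(nets_a, nets_b):
    return any(a.overlaps(b) for a in nets_a for b in nets_b)

def shadowed_entries(cfg):
    """(map, low_seq, high_seq, relation): the lower entry's selectors match the
    same traffic as the higher entry's, so the higher peer never sees it."""
    findings = []
    for name in cfg["applied"]:
        entries = sorted(cfg["maps"][name].items())
        for idx, (low, low_e) in enumerate(entries):
            low_aces = cfg["acls"].get(low_e.get("acl"), [])
            key = {(frozenset(s), frozenset(d)) for s, d in low_aces}
            for high, high_e in entries[idx + 1:]:
                high_aces = cfg["acls"].get(high_e.get("acl"), [])
                if low_aces and key == {(frozenset(s), frozenset(d)) for s, d in high_aces}:
                    findings.append((name, low, high, "identical"))
                elif any(_overlap(s1, s2) and _overlap(d1, d2)
                         for s1, d1 in low_aces for s2, d2 in high_aces):
                    findings.append((name, low, high, "overlaps"))
    return findings

if __name__ == "__main__":
    for label, text in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, "unapplied:", unapplied_maps(cfg), "shadowed:", shadowed_entries(cfg))
```

On the original config it reports rackmap as unapplied and outside_map entries 1 and 2 as identical; on the fixed config both lists are empty. The "overlaps" case is reported separately because a partial overlap (one selector a subnet of another, for instance) silently steers only part of the traffic to the wrong peer and is harder to spot in a ping test than a fully dead tunnel.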

zangbezang Wed, 06/17/2009 - 00:40

Hi.

I've changed my configuration to show the different destinations specific to their IP range. Before, I grouped them both together in the group 'KC'.

Below is the new output

access-list outside_1_cryptomap extended permit ip any any
access-list outside_1_cryptomap_1 extended permit ip object-group Rackspace-Private 172.16.9.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group Rackspace-Private 172.16.0.0 255.255.255.0

The object-group Rackspace-Private is the same for both because I want both devices to talk to the same subnets:

192.168.100.0/22

I am still unable to ping anything on those subnets from 78.86.119.49

zangbezang Mon, 06/22/2009 - 00:32

Hi there.

Does anyone have any updates for this post? I'm stumped.

J.

Ivan Martinon Mon, 06/22/2009 - 06:26

Go ahead and send me the show run all with the new settings, the show crypto ipsec sa, show crypto isakmp sa, and the settings on the remote endpoint please.
