ASA site to site VPN

Jun 10th, 2009

Hi there.


I currently have a site to site configured correctly and working fine. I am attempting to establish a secondary one to the same ASA device but am having problems. The VPN link connects ok but I am unable to route any traffic through.


I'm hoping this is a quick fix.


I'm not sure what info to post that would help to solve the issue but below is the output from my crypto map.


The link from 80.176.122.226 works ok and the link from 78.86.119.49 does not.


show run crypto map
crypto map rackmap 1 match address outside_1_cryptomap
crypto map rackmap 1 set pfs
crypto map rackmap 1 set peer 80.176.122.226
crypto map rackmap 1 set transform-set rackset
crypto map rackmap 65365 ipsec-isakmp dynamic rack
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 1 set transform-set rackset
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 78.86.119.49
crypto map outside_map 2 set transform-set rackset1
crypto map outside_map interface outside



Thanks,


J.



Ivan Martinon (Cisco Employee) Wed, 06/10/2009 - 07:15

You need to make sure that the crypto map used for both VPN endpoints has the same name. Remember, all VPN devices can only have 1 crypto map per interface, so per your config the one that is applied right now is outside_map; rackmap, despite being configured, is not applied, so you would need to add all of the settings from rackmap to outside_map using a different sequence number to differentiate them.

zangbezang Wed, 06/10/2009 - 08:06

Hi.


Thanks very much for the update. I'm very new to the Cisco IOS.... Would it be possible for you to send me the correct command line to complete this?


Many thanks,


J.

Ivan Martinon (Cisco Employee) Wed, 06/10/2009 - 08:11

Actually, if this is an ASA just go ahead and type:


clear configure crypto map rackmap


And try again; if it still does not work, post your config pls.

zangbezang Thu, 06/11/2009 - 00:02

Hi.


Thanks again for the reply... Will this affect my working VPN connection if I run this command? And how do I re-apply the correct config for the non-working VPN connection?

Novice here.


J.

zangbezang Thu, 06/11/2009 - 00:38

Here's my config.


Just to note: The vpn that is working correctly is:

80.176.122.226

Network 172.16.9.0/24 - 192.168.100.0/22


Not working:

78.86.119.49

Network 172.16.0.0/24 - 192.168.100.0/22


Attached is my config.





Ivan Martinon (Cisco Employee) Thu, 06/11/2009 - 07:25

Since this is not really applied to any interface, it will not affect your existing configuration so no need to reapply it.

zangbezang Thu, 06/11/2009 - 07:30

This one doesn't look like a valid command on my system:


clear configure crypto map rackmap

^

ERROR: % Invalid input detected at '^' marker.

zangbezang Thu, 06/11/2009 - 07:39

My bad.


Entered the command once in config mode, reconnected my VPN, and still I'm unable to ping anything on those subnets.


Here's the latest output from my crypto map:


show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 1 set transform-set rackset
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 78.86.119.49
crypto map outside_map 2 set transform-set rackset1
crypto map outside_map interface outside


Ivan Martinon (Cisco Employee) Thu, 06/11/2009 - 07:40

Ok, please send me the following output:


show vpn-sessiondb detail remote
show crypto ipsec sa detail


zangbezang Mon, 06/15/2009 - 07:15

Hi there.


Has anyone got any updates on this to get it resolved? I really am out of ideas on this one.


J.

ybtheneonet Mon, 06/15/2009 - 09:18

Hmm.. I have a feeling this is a case of asymmetric routing which is causing only the decap count to increase in the 2nd crypto map.


Do you need 2 transform-sets? Try seeing if it's possible to work with on




Ivan Martinon (Cisco Employee) Mon, 06/15/2009 - 09:24

On any of the interfaces that is not returning traffic configure:

"management-access "


Issue a clear crypto ipsec sa counters


Then go ahead and issue a ping from that interface like:


ping inside repeat 20


Get the show crypto ipsec sa; does it show any packets? If it does not show any, then I am suspecting it has to do with the VPN context being corrupted. I could ask you for lots of outputs to confirm this, or you can try rebooting the ASA and try to connect again.

zangbezang Tue, 06/16/2009 - 00:38

Hi.


Thanks for the update... I performed a reboot of the ASA initially and then ran the commands suggested. I'm still unable to ping any devices on those subnets. Attached is the output from the commands stated.



Ivan Martinon (Cisco Employee) Tue, 06/16/2009 - 04:43

Mhhh strange, go ahead and collect the following:


show asp table classify crypto
show asp table vpn-context
show crypto ipsec sa detail
show run all

Ivan Martinon (Cisco Employee) Tue, 06/16/2009 - 07:09

By the way, can you please send me the config from the remote end too.

Ivan Martinon (Cisco Employee) Tue, 06/16/2009 - 09:50

I just checked your configuration again and... here are some inconsistencies:


access-list outside_1_cryptomap extended permit ip any any
access-list outside_1_cryptomap_1 permit ip object-group Rackspace-Private object-group KC
access-list outside_2_cryptomap permit ip object-group Rackspace-Private object-group KC

crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 2 match address outside_2_cryptomap


Both tunnels, despite having different peers, have exactly the same traffic as source and destination; this will cause you to always use the first tunnel to encrypt and decrypt.


No wonder nothing is coming back. Any reason for this?
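
The first-match behaviour Ivan describes, as an added example that is not part of the thread: a small Python checker that parses the quoted ACL and crypto map lines, resolves the object-groups (their membership is assumed from the posts), reports which sequence a given flow would take, and flags sequence pairs whose selectors overlap. Before the change, 192.168.100.x to 172.16.0.x is swallowed by sequence 1; with the per-subnet ACLs posted later in the thread it lands on sequence 2.

```python
import ipaddress
from itertools import product
# Object-group membership is an assumption reconstructed from the thread:
GROUPS = {"Rackspace-Private": ["192.168.100.0/22"],   # shared local range
          "KC": ["172.16.9.0/24", "172.16.0.0/24"]}     # KC held both remotes

def _operand(t):
    # One ACL address operand: "object-group NAME" or "NET MASK"
    if t[0] == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[t[1]]], t[2:]
    return [ipaddress.ip_network(f"{t[0]}/{t[1]}")], t[2:]

def parse_config(text):
    """Return ({acl: [(src_nets, dst_nets)]}, [(seq, acl, peer)] by seq)."""
    acls, cmap = {}, {}
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] == "access-list" and "permit" in t:
            src, rest = _operand(t[t.index("ip") + 1:])
            acls.setdefault(t[1], []).append((src, _operand(rest)[0]))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = cmap.setdefault(int(t[3]), {})
            if t[4:6] in (["match", "address"], ["set", "peer"]):
                e[t[5]] = t[6]                       # "address" or "peer"
    return acls, [(s, e["address"], e["peer"]) for s, e in sorted(cmap.items())]

def first_match(acls, entries, src_ip, dst_ip):
    """Walk the map in sequence order, as the ASA does; first ACL hit wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, acl, peer in entries:
        if any(any(s in n for n in src) and any(d in n for n in dst)
               for src, dst in acls[acl]):
            return seq, peer
    return None

def overlaps(acls, entries):
    """Sequence pairs whose selectors intersect; the later one is shadowed."""
    hit = lambda a, b: any(x.overlaps(y) for x in a for y in b)
    return [(sa, sb) for i, (sa, aa, _) in enumerate(entries)
            for sb, ab, _ in entries[i + 1:]
            if any(hit(s1, s2) and hit(d1, d2)
                   for (s1, d1), (s2, d2) in product(acls[aa], acls[ab]))]
# Constructed from the ACL and crypto map lines quoted in the thread.
BEFORE = """access-list outside_1_cryptomap_1 permit ip object-group Rackspace-Private object-group KC
access-list outside_2_cryptomap permit ip object-group Rackspace-Private object-group KC
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 80.176.122.226
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 78.86.119.49"""
AFTER = (BEFORE.replace("object-group KC", "172.16.9.0 255.255.255.0", 1)
               .replace("object-group KC", "172.16.0.0 255.255.255.0"))
```

Running first_match and overlaps over BEFORE and AFTER shows the shadowing disappearing once each sequence carries its own remote subnet.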

zangbezang Wed, 06/17/2009 - 00:40

Hi.


I've changed my configuration to show the different destinations specific to their IP range. Before, I grouped them both together in the group 'KC'.

Below is the new output


access-list outside_1_cryptomap extended permit ip any any
access-list outside_1_cryptomap_1 extended permit ip object-group Rackspace-Private 172.16.9.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group Rackspace-Private 172.16.0.0 255.255.255.0


The object-group Rackspace-Private is the same for both because I want both devices to talk to the same subnets:


192.168.100.0/22


I am still unable to ping anything on those subnets from 78.86.119.49

zangbezang Mon, 06/22/2009 - 00:32

Hi there.


Does anyone have any updates for this post? I'm stumped.


J.

Ivan Martinon (Cisco Employee) Mon, 06/22/2009 - 06:26

Go ahead and send me the show run all with the new settings, the show crypto ipsec sa, the show crypto isakmp sa, and the settings on the remote endpoint pls.
