No VPN

Answered Question
Sep 1st, 2009

Hi there.


I have a new ASA at my new location and am attempting a site-to-site with my office-based ASA, which currently has other VPN connections.


I am unable to initiate the connection and am stumped as to why. Any help would be great. Attached is my current config.




Correct Answer
Yudong Wu Tue, 09/01/2009 - 08:21

You need to provide the config from the other end and run "debug crypto isa" and "debug crypto ipsec" to troubleshoot the issue.

zangbezang Wed, 09/02/2009 - 01:29

Hi.


Running the debug commands on my asa returned nothing. Are they the complete commands?


Attached is the requested configuration. 205.217.13.126 is the new ASA that I'm attempting the connection with, which holds the earlier configuration.


Thanks.



zangbezang Wed, 09/02/2009 - 02:18

Also, I've run the following commands on both devices, and both can ping each other. No errors appear.


debug crypto isakmp 200

debug crypto ipsec 200

debug crypto engine 200


Yudong Wu Wed, 09/02/2009 - 06:25

At the central site, "set pfs" is configured, which will use group2 by default.

At the remote site, "crypto map outside_map 1 set pfs group1" is configured, so it will use group1.


Please check over your VPN config again. I did not go through all of them.


By the way, you can remove the following config; I don't think you need it.

vpnclient server 195.99.220.70

vpnclient mode client-mode

vpnclient vpngroup DefaultRAGroup password ********


After enabling the debug commands, make sure the logging level is set to 7. You need to initiate VPN-related traffic to bring up the VPN tunnel as well.
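The PFS mismatch described in the post above, as an added example that is not part of the thread or the poster's attachments: a small Python check that parses the crypto map entries of both ASA configs, applies the default the answer states (a bare "set pfs" means group2), and reports when the two ends of one tunnel disagree. The configs, peer addresses (RFC 5737 documentation ranges), map names and the transform-set name are constructed for the example; only the ACL name outside_1_cryptomap and the "set pfs" / "set pfs group1" lines come from the thread.

```python
"""Compare the crypto map PFS setting on the two ends of an ASA site-to-site tunnel.

Added example for this thread; the configs below are constructed, not the
poster's attachments, and the peer addresses are RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Behaviour stated in the thread: "set pfs" with no group keyword means group2.
DEFAULT_PFS_GROUP = "group2"

# Only the crypto map attributes this check needs; every other line is ignored.
CRYPTO_MAP_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) "
    r"(?P<attr>set pfs|set peer|match address)(?: (?P<value>\S+))?$"
)


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    acl: Optional[str] = None
    pfs: Optional[str] = None  # None means PFS is not enabled on this entry


def parse_crypto_maps(config: str) -> Dict[Tuple[str, int], CryptoMapEntry]:
    """Collect the crypto map entries of one ASA config, keyed by (map name, sequence)."""
    entries: Dict[Tuple[str, int], CryptoMapEntry] = {}
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        key = (m["name"], int(m["seq"]))
        entry = entries.setdefault(key, CryptoMapEntry(*key))
        if m["attr"] == "set peer":
            entry.peer = m["value"]
        elif m["attr"] == "match address":
            entry.acl = m["value"]
        else:  # "set pfs", with the ASA default applied when the group is omitted
            entry.pfs = m["value"] or DEFAULT_PFS_GROUP
    return entries


def entry_for_peer(entries: Dict[Tuple[str, int], CryptoMapEntry], peer: str) -> Optional[CryptoMapEntry]:
    """The crypto map entry that terminates the tunnel to the given peer address."""
    return next((e for e in entries.values() if e.peer == peer), None)


def check_pfs(local_cfg: str, local_ip: str, remote_cfg: str, remote_ip: str) -> List[str]:
    """Return findings; an empty list means both ends agree on PFS for this tunnel."""
    local = entry_for_peer(parse_crypto_maps(local_cfg), remote_ip)
    remote = entry_for_peer(parse_crypto_maps(remote_cfg), local_ip)
    if local is None:
        return [f"{local_ip}: no crypto map entry with 'set peer {remote_ip}'"]
    if remote is None:
        return [f"{remote_ip}: no crypto map entry with 'set peer {local_ip}'"]
    if local.pfs != remote.pfs:
        return [
            f"PFS mismatch: {local_ip} {local.name} {local.seq} uses "
            f"{local.pfs or 'no PFS'}, {remote_ip} {remote.name} {remote.seq} "
            f"uses {remote.pfs or 'no PFS'}; phase 2 will reject every proposal"
        ]
    return []


# Constructed configs mirroring the thread: the central site has a bare "set pfs"
# (group2 by default), the remote site was explicitly set to group1.
CENTRAL_IP, REMOTE_IP = "198.51.100.10", "203.0.113.20"

CENTRAL_CFG = f"""
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {REMOTE_IP}
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

REMOTE_CFG_BROKEN = f"""
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer {CENTRAL_IP}
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

# The fix from the thread: make the remote group explicit and equal to the central one.
REMOTE_CFG_FIXED = REMOTE_CFG_BROKEN.replace("set pfs group1", "set pfs group2")

if __name__ == "__main__":
    for label, cfg in (("before", REMOTE_CFG_BROKEN), ("after", REMOTE_CFG_FIXED)):
        print(label, check_pfs(CENTRAL_CFG, CENTRAL_IP, cfg, REMOTE_IP) or ["PFS consistent"])
```

The pairing is done on "set peer" rather than on sequence numbers, because the two ASAs number their crypto map entries independently; the same approach extends to comparing transform sets or the matched ACL once the peer's entry has been found.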




zangbezang Wed, 09/02/2009 - 06:39

Hi.


Central site is set to group2.


Remote site is set to group1.


I've removed the config you suggested.


Console debug is set to level 7. How do I initiate VPN-related traffic to bring up the tunnels?

Yudong Wu Wed, 09/02/2009 - 07:36

Here is the ACL you used in your VPN configuration:

access-list outside_1_cryptomap extended permit ip object-group SavvisSloughPrivateNetworks object-group SMLOfficeNetworks


You need to have traffic which matches this ACL.

zangbezang Wed, 09/02/2009 - 07:42

I'm not even getting to the point of testing the internal IP connectivity. Currently my ASAs are not establishing a connection between each other. They can both ping each other's public IP addresses, but no VPN. I'm not sure where to start looking, as my 'base' ASA currently works with other devices I have in terms of site-to-site connectivity, but my new 'remote' ASA, nothing.


Any ideas from what you've seen in the previous configs?

Yudong Wu Wed, 09/02/2009 - 07:49

If there is no traffic which needs to go through the VPN tunnel, the VPN tunnel won't come up. You need to initiate traffic which matches the ACL I mentioned in my previous email. You can just use a ping between two hosts in that ACL.

When the ASA gets the packet and finds it needs to go through the tunnel, it will start to establish the VPN tunnel, and you will see the debug output for the isakmp phase 1 and phase 2 negotiation.

zangbezang Wed, 09/02/2009 - 08:01

Right, I think I understand what you mean.


I've attempted pings to both private subnets from each side and nothing.


ping 172.16.102.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.102.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)


10.192.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.192.1.1, timeout is 2 seconds:

??Sep 02 17:14:08 [IKEv1]: IP = 90.16.237.27, Unsupported message length of 0

???

Success rate is 0 percent (0/5)



Yudong Wu Wed, 09/02/2009 - 08:06

Did you ping from ASA to the other end's private IP?

If yes, does that ping packet match your ACL for VPN traffic? You did not get my point yet.

zangbezang Wed, 09/02/2009 - 08:13

Hi there.


Pinging from a device on one end to another and i can see various entries within the logs. Attached is a snippet.


Thanks.



Correct Answer
Yudong Wu Wed, 09/02/2009 - 08:29

5|Sep 02 2009|17:05:10|713904|||Group = 195.99.220.70, IP = 195.99.220.70, All IPSec SA proposals found unacceptable!



<<< IPsec SA proposals did not match.

In my previous email, I told you the PFS settings did not match. One side is pfs group1 and the other side is pfs group2. You need to configure them the same.
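The log line this answer keys on, turned into a small triage script as an added example (not code from the thread): it parses the pipe-delimited lines that the ASDM log viewer exports, counts "All IPSec SA proposals found unacceptable!" rejections per peer, and prints the thing to check for each peer. The field order severity|date|time|message ID|source|destination|text is inferred from the single line quoted above, not taken from Cisco documentation; the first sample line is that quoted line, the console debug line is the one the poster pasted earlier, and the remaining sample lines are constructed.

```python
"""Triage pipe-delimited Cisco ASA log exports for IPsec phase-2 proposal rejections.

Added example for this thread, not from the original posts. The field order
severity|date|time|message ID|source|destination|text is assumed from the single
line quoted in the thread; the extra sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional


class AsaLogRecord(NamedTuple):
    severity: int
    date: str
    time: str
    msg_id: int
    src: str
    dst: str
    text: str


def parse_asa_export_line(line: str) -> Optional[AsaLogRecord]:
    """Split one exported line into its seven fields; return None for anything else
    (console debug output, blank lines, headers)."""
    parts = line.rstrip("\r\n").split("|", 6)
    if len(parts) != 7 or not parts[0].isdigit() or not parts[3].isdigit():
        return None
    severity, date, time, msg_id, src, dst, text = parts
    return AsaLogRecord(int(severity), date, time, int(msg_id), src, dst, text)


# The message text the correct answer keys on: IKE phase 2 rejected every proposal,
# so the transform set or PFS group differs between the two crypto map entries.
PHASE2_REJECT = "All IPSec SA proposals found unacceptable!"
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def peer_of(text: str) -> str:
    """Pull the peer address out of the 'Group = ..., IP = ...' prefix on ASA IKE messages."""
    m = PEER_RE.search(text)
    return m["ip"] if m else "unknown"


def count_phase2_rejects(lines: Iterable[str]) -> Dict[str, int]:
    """Count phase-2 proposal rejections per peer across a log export."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_asa_export_line(line)
        if rec is not None and PHASE2_REJECT in rec.text:
            hits[peer_of(rec.text)] += 1
    return dict(hits)


def advise(hits: Dict[str, int]) -> List[str]:
    """One line of guidance per affected peer, following the order the thread resolved it."""
    return [
        f"peer {peer}: {n} phase-2 rejection(s); compare 'set pfs' groups and transform sets "
        f"on the crypto map entries for this peer on both ASAs"
        for peer, n in sorted(hits.items())
    ]


# First line: quoted in the thread. Second and third: constructed in the same format.
# Fourth: the console debug line the poster pasted, which is not export format.
SAMPLE_LINES = [
    "5|Sep 02 2009|17:05:10|713904|||Group = 195.99.220.70, IP = 195.99.220.70, All IPSec SA proposals found unacceptable!",
    "5|Sep 02 2009|17:05:12|713904|||Group = 195.99.220.70, IP = 195.99.220.70, All IPSec SA proposals found unacceptable!",
    "5|Sep 02 2009|17:05:13|713904|||Group = 195.99.220.70, IP = 195.99.220.70, constructed unrelated IKE message",
    "Sep 02 17:14:08 [IKEv1]: IP = 90.16.237.27, Unsupported message length of 0",
]

if __name__ == "__main__":
    for line in advise(count_phase2_rejects(SAMPLE_LINES)):
        print(line)
```

Matching on the message text rather than on the message ID alone is deliberate: 713904 is the ID on the quoted line, but the text is what distinguishes a proposal rejection from other IKE messages, and the text is all the thread establishes.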

zangbezang Thu, 09/03/2009 - 00:11

Excellent, that worked great, thanks. The VPN link is now up, but I am unable to ping any devices on the LAN in question. Again, here are some snippets from my logs while I'm running a ping to 10.192.1.1 from a server in my office.

I'm pretty sure the networks i've allowed are correct for the exempt rules.



Yudong Wu Thu, 09/03/2009 - 06:13

I can see an ICMP connection was built for 172.16.102.101 and 10.192.1.1. Please check your end-to-end routing in both directions.

zangbezang Thu, 09/03/2009 - 06:28

It looked like I just needed to add some static routes on my remote end. All working fine now.


Thanks very much for your help.
