ASA5505 L2L multiple subnet problem

kduong774 · ‎09-14-2009

Hello,

I have a working L2L tunnel from Cisco ASA5505 to an Astaro security device. There are 4 remote LANs that are routed over this tunnel: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and 143.65.0.0/16.

However I cannot reach any remote device of this LAN 143.65.0.0 but I can reach devices from the other 3 LANs.

The 'show crypto ipsec sa' shows that only IPSec seesions are established for the other LAN but not for 143.65.0.0.

Can anyone tell me why? Any LAN limitation or is it not allowed to use public IP range for LAN? But It works just fine with the old Pix 501.

His is part of my configuration:

ASA Version 7.2(4)

...

interface Vlan1

nameif inside

security-level 100

ip address 192.168.94.200 255.255.255.0

...

object-group network test

network-object 192.168.0.0 255.255.0.0

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 143.65.0.0 255.255.0.0

access-list outside_cryptomap_10 extended permit ip 192.168.94.0 255.255.255.0 object-group test

access-list outside_nonat_10 extended permit ip 192.168.94.0 255.255.255.0 object-group test

...

global (outside) 1 interface

nat (inside) 0 access-list outside_nonat_10

nat (inside) 1 0.0.0.0 0.0.0.0

...

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map raagfw02 10 match address outside_cryptomap_10

crypto map raagfw02 10 set pfs

crypto map raagfw02 10 set peer x.x.x.x

crypto map raagfw02 10 set transform-set ESP-AES-128-SHA

crypto map raagfw02 interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 13

authentication pre-share

encryption aes

hash sha

group 2

lifetime 7800

crypto isakmp nat-traversal 20

...

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

Any soon response warmthly welcomed.

Thanks

Jon Marshall · ‎09-14-2009

Kim

There are no limitations in terms of private/public subnets. The ASA doesn't really care one way or the other.

I assume that to get to all the remote VPN subnets you have to route out of the same interface ?

If so then there doesn't look to be a lot wrong with your config. Have you tried debugging ipsec to see what is happening when the tunnel is initiated ?

You may also want to verify that the Astaro is configured correctly.

Jon

kduong774 · ‎09-14-2009

Hi Jon,

Thanks for fast response.

When I ping an device from 143.65.0.0/16 I can see that IPSec sa is created but then remove again:

IPSEC: New embryonic SA created @ 0x0396ACB0,

SCB: 0x01D293F8,

Direction: inbound

SPI : 0x333C7B2B

Session ID: 0x0000000D

VPIF num : 0x00000002

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

...

Sep 14 14:13:45 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid message id (9)

Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x1d26588, mess id 0x954c9c0d)!

Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE QM Initiator FSM error history (struct &0x1d26588) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 143.65.0.0, Local Proxy 192.168.94.0

Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

I don't have any route set for the other subnet and still I can reach them.

Astaro is configured correctly.

Kim