12-21-2009 10:40 AM
We have a PIX 515 (6.3.5) and an ASA5510 (8.2.1).
We must set up a site-to-site VPN but seem to have a problem we cannot find.
It seems that even the ISAKMP phase has a problem.
Below is an extract of the debug crypto isakmp taken from the PIX.
The strange thing I noticed is that it thinks it is connecting to a VPN concentrator.
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: default group 2
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
Can anyone tell me if there are problems with PIX 6.3 and ASA 8.x, or if there's something in the configuration?
Thanks
12-21-2009 11:14 AM
The debugs here do not show anything wrong. The message "speaking to a VPN3000 concentrator" is normal when using an ASA and a PIX; in your case we can say that phase 1 is going OK. I would advise you to get the debugs from the ASA, since they are more complete than the PIX ones.
12-21-2009 07:46 PM
Ivan is correct. The only thing I would add is to please provide the output with the ASA as the responder, using 'debug crypto isakmp 254'.
12-23-2009 06:53 AM
Hi,
It took time to get back on this issue, but here I am again.
I've checked the configuration of the ASA again and it seems correct to me.
Then I tried to ping the Ethernet interface of the PIX 515 from the console of the ASA5510.
Below is the result. It seems to me that phase 1 (ISAKMP) is OK.
The IP of the internal interface of the PIX is 192.168.0.230
The IP of the internal interface of the ASA is 172.16.2.248
asa5510# ping 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to PIX-515, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa5510# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: PIX_515
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
I'm going to check the configuration of the PIX as well.
Thanks
12-23-2009 07:31 AM
Having debug crypto isakmp enabled on the ASA and trying to ping from the PIX, I got this on the ASA console:
%ASA-7-713222: Group = 194.x.x.2, IP = 194.x.x.2, Static Crypto Map check, map = Internet_map, seq = 20, ACL does not match proxy IDs src:0.0.0.0 dst:REMOTE_LAN_CLIENT
%ASA-3-713061: Group = 194.x.x.2, IP = 194.x.x.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet
%ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending notify message
%ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing blank hash payload
%ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing qm hash payload
%ASA-7-713236: IP = 194.x.x.2, IKE_DECODE SENDING Message (msgid=16b8d4c6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 416
%ASA-3-713902: Group = 194.x.x.2, IP = 194.x.x.2, QM FSM error (P2 struct &0xd82fd598, mess id 0xc6f734d4)!
%ASA-7-715065: Group = 194.x.x.2, IP = 194.x.x.2, IKE QM Responder FSM error history (struct &0xd82fd598) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
%ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending delete/delete with reason message
%2, Username = 194.x.x.2, IP = REMOTEPIX_NAT, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
%ASA-7-713906: Ignoring msg to mark SA with dsID 49152 dead because SA deleted
.27.2, IKE Responder starting QM: msg id = 6ea4a349
12-23-2009 07:41 AM
Pinging from the console will typically not work to bring up the VPN, as the outside interfaces are probably not part of your crypto ACL.
Post your configs.
12-23-2009 07:47 AM
Your problem is the following:
nat (inside) 0 access-list outside_40_cryptomap
access-list outside_40_cryptomap is being used on the nat exempt config, and it is also used on the following crypto map:
crypto map STS 40 match address outside_40_cryptomap
AND the tunnel you are trying to configure is defined after this crypto map; since the traffic for tunnel 600 is included in a line of outside_40_cryptomap, this will be the crypto map processed instead of 600.
You should never define the NAT exempt list to be one already used for the crypto map of another tunnel, so go ahead and duplicate access-list outside_40_cryptomap into another one called something like nonat, make sure it has all the lines for all the tunnels (which I believe crypto 40 has), and apply it with nat (inside) 0 access-list nonat.
Then clean your crypto 40 of the lines in the ACL that do not belong to it, and try again.
12-23-2009 07:57 AM
I think you posted in the wrong thread.
12-23-2009 08:00 AM
I think you are right... my apologies, I will check your debugs in a second.
12-23-2009 08:04 AM
All right, I made sure I am reading the right one now. Based on this line:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet
it means that you are receiving an SA formed with 0.0.0.0 mask 0.0.0.0, in other words any any, which either you or the remote side will have to mirror. Can you please post your crypto ACLs here, as well as the remote side's?
12-23-2009 08:54 AM
Here is the config at the moment.
PIX 515:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname terminator
....
....
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0
access-list inside_outbound_nat0_acl "contains other entries for local dmz zones"
.....
access-list outside_cryptomap_50 permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0
ip address outside 194.x.x.2 255.255.255.240
ip address inside 192.168.0.230 255.255.128.0
global (outside) 1 interface
global (dmz) 1 192.168.168.8
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
.....
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpn_tc
crypto map outside_map 30 set peer xxxxx
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set pfs group2
crypto map outside_map 50 set peer 80.x.x.x
crypto map outside_map 50 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 80.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

ASA5510:
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 80.x.x.x 255.255.255.240
interface Ethernet0/3
 nameif Internal
 security-level 100
 ip address 172.16.2.248 255.255.255.0
.....
access-list Internal_Internet_Nat0 extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0
access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0
nat (Internal) 0 access-list Internal_Internet_Nat0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Crypto_Map_ACL
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer 194.x.x.x
crypto map Internet_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA
crypto map Internet_map interface Internet
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 194.244.27.2 type ipsec-l2l
tunnel-group 194.244.27.2 ipsec-attributes
 pre-shared-key *
....
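A small added check (my own illustration, not a Cisco tool or anything from this thread's posters) that reads the %ASA-3-713061 line quoted earlier, pulls out the proxy IDs the ASA rejected, and compares them with the crypto ACEs both sides posted, which must mirror each other for phase 2 to match. The sample strings are copied from the thread; the function names are my own.

```python
"""Explain an ASA 713061 'no matching crypto map entry' against the posted
crypto ACEs.  Added illustration, not a Cisco tool; sample strings are
copied from this thread and the function names are my own."""
import ipaddress
import re

# Samples copied from the thread (addresses were already masked by the poster).
LOG_713061 = ("%ASA-3-713061: Group = 194.x.x.2, IP = 194.x.x.2, Rejecting IPSec tunnel: "
              "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 "
              "local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet")
PIX_ACE = "access-list outside_cryptomap_50 permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0"
ASA_ACE = "access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0"

def ace_proxies(ace):
    """Return (local_net, remote_net) from a 'permit ip A Amask B Bmask' entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ace)
    if not m:
        raise ValueError("not a 'permit ip' ACE: " + ace)
    return (ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
            ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False))

def aces_mirror(ace_a, ace_b):
    """Phase 2 proxy IDs must be exact mirrors: A's remote is B's local and vice versa."""
    a_loc, a_rem = ace_proxies(ace_a)
    b_loc, b_rem = ace_proxies(ace_b)
    return a_loc == b_rem and a_rem == b_loc

def parse_713061(line):
    """Pull the rejected proxy IDs out of a 713061 message as (net, proto, port)."""
    m = re.search(r"remote proxy (\S+)/(\S+)/(\d+)/(\d+) local proxy (\S+)/(\S+)/(\d+)/(\d+)", line)
    if not m:
        return None
    mk = lambda a, b, p, q: (ipaddress.ip_network(f"{a}/{b}", strict=False), int(p), int(q))
    return {"remote": mk(*m.group(1, 2, 3, 4)), "local": mk(*m.group(5, 6, 7, 8))}

def explain_rejection(line, local_ace):
    """List every way the rejected proposal differs from what our crypto ACE permits."""
    p = parse_713061(line)
    if p is None:
        return []
    loc, rem = ace_proxies(local_ace)
    out = []
    if p["remote"][0] != rem:
        out.append(f"remote proxy {p['remote'][0]} is not the ACE's remote {rem}")
    if p["local"][0] != loc:
        out.append(f"local proxy {p['local'][0]} is not the ACE's local {loc}")
    if p["remote"][1] != 0:
        out.append(f"proposal is for protocol {p['remote'][1]} only; a 'permit ip' ACE is protocol 0")
    return out
```

Run against the thread's samples, the two ACEs do mirror, while the rejected proposal differs from the ASA's ACE on all three counts (any-source remote proxy, a /23 local proxy, and ICMP only).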
12-23-2009 08:57 AM
Mhhh, can you attach it as a text file and upload it? It is all mixed up, I can't read it.
12-23-2009 09:13 AM
12-28-2009 02:46 AM
Hi,
Today I'm back on this issue, hoping for some help.
I started again from the basics and checked the configuration, which seems to be good (at least to me).
I did some basic troubleshooting (sh crypto isakmp sa, sh crypto ipsec sa) and found a change from last week.
Below are the findings. It seems that the tunnel is established, but somehow the traffic is not treated as interesting and encrypted (tunneled).
The configurations are:
PIX 515 Internal IP 192.168.0.230/24 Outside IP 192.x.x.x
ASA5510 Internal IP 172.16.0.248 Outside IP 80.x.x.x
PIX 515 SIDE :
terminator# sh crypto isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
194.x.x.x 151.x.x.x QM_IDLE 0 1
194.x.x.x 80.x.x.x QM_IDLE 0 1
terminator# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. 194.x.x.x
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/1/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/1/0)
current_peer: 80.x.x.x:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer: 80.x.x.x:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest 201
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
path mtu 1500, ipsec overhead 56, media mtu 1500
Below is the output of sh crypto ipsec sa while pinging the remote site:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer: 80.x.x.x:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 264, #pkts encrypt: 264, #pkts digest 264
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 821a3915
inbound esp sas:
spi: 0x1cc96a1b(482961947)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28506)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x821a3915(2182756629)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607993/28483)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
12-28-2009 09:59 AM
What I see here is that your PIX is encrypting the traffic; however, the remote side (ASA?) is not encrypting back. Can you get the show crypto ipsec sa from the ASA for this tunnel? Do you see the opposite behavior, decrypted packets and no encrypted packets?
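To make the counter reading above repeatable, here is an added parser (my own illustration, not Cisco code or anything from this thread) that splits show crypto ipsec sa output into per-SA records and flags the one-way pattern Ivan describes: encaps climbing between two snapshots while decaps stays at zero. SAMPLE is constructed from the counters the poster quoted; the function names are my own.

```python
"""Spot one-way IPsec SAs in 'show crypto ipsec sa' output.  Added
illustration, not Cisco code; SAMPLE is constructed from the counters
quoted in this thread and the function names are my own."""
import re

SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer: 80.x.x.x:500
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest 201
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 1, #recv errors 0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer: 80.x.x.x:500
#pkts encaps: 264, #pkts encrypt: 264, #pkts digest 264
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 2, #recv errors 0
"""
COUNTER = re.compile(r"#(?:pkts )?([a-z]+(?: errors)?):? (\d+)")

def parse_sa_blocks(text):
    """One dict per SA: ident/peer lines as strings plus every '#...' counter as an int."""
    blocks, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("local ident"):
            cur = {"local": line.split(": ", 1)[1]}
            blocks.append(cur)
        elif cur is None:
            continue
        elif line.startswith(("remote ident", "current_peer")):
            key, val = line.split(": ", 1)
            cur[key.split(" ")[0]] = val
        else:
            cur.update((k, int(v)) for k, v in COUNTER.findall(line))
    return blocks

def diagnose(sa):
    """Apply the reasoning from the thread: encaps without decaps is a one-way tunnel."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and not dec:
        return "one-way: this side encrypts but nothing is decrypted (peer not sending back)"
    if dec and not enc:
        return "one-way: peer sends but this side never encrypts (local ACL/routing)"
    return "bidirectional" if enc and dec else "idle: no traffic matched the crypto ACL"

def counter_delta(before, after, keys=("encaps", "decaps", "send errors")):
    """Growth between two snapshots of the same SA; which counters move tells the story."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in keys}
```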