Site to Site VPN between ASA 5505 and Cisco 800 Router

Unanswered Question
Jan 29th, 2010

Had to replace an ADSL router at a site with a 5505 and I've been trying to get a site-to-site VPN connection between the 2 locations with no luck. The error that I'm getting on the ASA side is

Jan 29 16:38:23 [IKEv1]: IP = 68.xxx.xxx.10, Removing peer from peer table failed, no match!
Jan 29 16:38:23 [IKEv1]: IP = 68.xxx.xxx.10, Error: Unable to remove PeerTblEntry

But the pre-shared key and all the encryption items are set the same on both ends.

Here are the 2 configs:

ASA


ASA Version 8.2(1)
!
hostname CommerceASA
domain-name default.domain.invalid
enable password tAf6rGGUWMW1FEHS encrypted
passwd Zoe5u6JK4HLxdSDn encrypted
names
name 10.253.127.11 CommerceServer description CommerceServer
name 10.253.127.12 CommerceBarracuda description CommerceBarracuda
name 172.16.1.0 Roswell
!
interface Vlan1
nameif inside
security-level 100
ip address 10.253.127.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 162.x.x.38 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa812-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 162.x.x.38 eq pptp
access-list outside_access_in extended permit gre any host 162.x.x.37
access-list outside_access_in extended permit tcp any host 162.x.x.38 eq smtp
access-list outside_1_cryptomap extended permit ip 10.253.127.0 255.255.255.0 10.252.143.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any host 10.252.143.0
access-list inside_nat0_outbound extended permit ip 10.253.127.0 255.255.255.0 10.252.143.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.252.143.0 255.255.255.0
access-list test extended permit ip host 162.x.x.38 host 68.x.x.10
access-list test extended permit ip host 68.x.x.10 host 162.x.x.38
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp CommerceServer pptp netmask 255.255.255.255
static (inside,outside) tcp interface smtp CommerceBarracuda smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 162.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.253.127.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.x.x.10
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 17.151.16.20 source outside prefer
webvpn
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
tunnel-group 68.x.x.10 type ipsec-l2l
tunnel-group 68.x.x.10 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cc0231bdad56aa9eb1b6123a79c65973
: end

Cisco 800:


!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname dublin
!
enable secret 5 $1$khzd$UST4NQj4JCTRYX8vc/qiP.
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
no ip source-route
ip domain-name dublin.local
ip name-server 10.252.143.10
!
ip inspect name firewall http java-list 66 alert on audit-trail off
ip inspect name firewall udp alert on
ip inspect name firewall tcp alert on
ip inspect name firewall ftp alert on
ip inspect name firewall smtp alert on
ip inspect name inbound smtp alert on
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key DublinCommerce address 162.x.x.38
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
crypto map vpn local-address Ethernet1
crypto map vpn 50 ipsec-isakmp
set peer 162.x.x.38
set transform-set 3des
match address 109
!
!
!
!
interface Loopback0
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0
ip address 10.252.143.254 255.255.255.0
ip nat inside
no ip route-cache
ip policy route-map nonatstatic
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address 68.x.x.10 255.255.255.252
ip access-group 108 in
ip access-group 111 out
ip nat outside
ip inspect inbound in
ip inspect firewall out
no ip route-cache
no ip mroute-cache
no cdp enable
crypto map vpn
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static 10.252.143.10 68.x.x.10
ip nat inside source static tcp 10.252.143.10 53 68.x.x.10 53 extendable
ip nat inside source static tcp 10.252.143.10 1723 68.x.x.10 1723 extendable
ip nat inside source static tcp 10.252.143.10 80 68.x.x.10 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 68.x.x.9 permanent
no ip http server
ip pim bidir-enable
!
!
access-list 66 permit any
access-list 101 deny   ip 10.252.143.0 0.0.0.255 10.253.127.0 0.0.0.255
access-list 101 permit ip 10.252.143.0 0.0.0.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 108 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 108 deny   ip host 0.0.0.0 any log
access-list 108 deny   ip host 255.255.255.255 any log
access-list 108 permit icmp any any
access-list 108 permit udp host 162.x.x.38 eq isakmp host 68.x.x.10 eq isakmp
access-list 108 permit esp host 162.x.x.38 host 68.x.x.10
access-list 108 permit ip 10.253.127.0 0.0.0.255 10.252.143.0 0.0.0.255
access-list 108 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 108 permit tcp any host 68.x.x.10  eq smtp
access-list 108 permit tcp any host 68.x.x.10  eq domain
access-list 108 permit udp any host 68.x.x.10  eq domain
access-list 108 permit tcp any host 68.x.x.10  eq www
access-list 108 permit tcp any any eq 1723
access-list 108 permit tcp any eq 1723 any
access-list 108 permit gre any any
access-list 108 permit udp any eq ntp any eq ntp
access-list 108 deny   ip any any log
access-list 109 permit ip 10.252.143.0 0.0.0.255 10.253.127.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 111 deny   udp any eq netbios-ns any log
access-list 111 deny   udp any any eq netbios-ns log
access-list 111 deny   udp any eq netbios-dgm any log
access-list 111 deny   udp any any eq netbios-dgm log
access-list 111 deny   tcp any eq 137 any log
access-list 111 deny   tcp any any eq 137 log
access-list 111 deny   tcp any eq 138 any log
access-list 111 deny   tcp any any eq 138 log
access-list 111 permit icmp any any
access-list 111 permit ip any any
access-list 120 permit ip host 10.252.143.10 10.253.127.0 0.0.0.255
no cdp run
route-map clear-df permit 10
match ip address 109
set ip next-hop 192.168.200.2
set ip df 0
!
route-map nonatstatic permit 10
match ip address 120
set ip next-hop 192.168.200.2
!
route-map nonat permit 10
match ip address 101
!
!
line con 0
exec-timeout 120 0
password 7 15161D5A547A7D77
login
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 15161D5A547A7D77
login
!
scheduler max-task-time 5000
sntp server 192.5.41.41
end

Thanks in advance for any help.
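
The claim that "all the encryption items are set the same on both ends" is exactly the kind of thing worth checking mechanically rather than by eye, because an ASA and an IOS router spell the same settings differently (masks vs. wildcards, `encryption` vs. `encr`, crypto map bound by nameif vs. under the interface). The script below is an added example, not something posted in the thread: it parses the crypto-relevant lines of the two configs above (embedded and trimmed to those lines; the router's pre-shared key is replaced with a placeholder) and lists every mismatch a site-to-site IKEv1 tunnel would fail on. The only thing it recognises is the command syntax that appears in these two configs; `run_thread_check` supplies the two outside addresses from the configs by hand rather than resolving nameifs to VLAN interfaces.

```python
# Added example: cross-check the IKEv1/IPsec settings of an ASA and an IOS peer.
import re

# Trimmed from the thread's ASA config (the posted config had lost its indentation).
ASA_CFG = """\
access-list outside_1_cryptomap extended permit ip 10.253.127.0 255.255.255.0 10.252.143.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.x.x.10
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 68.x.x.10 ipsec-attributes
pre-shared-key *
"""

# Trimmed from the thread's 800-series config; PSK-PLACEHOLDER stands in for the real key.
IOS_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 162.x.x.38
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map vpn 50 ipsec-isakmp
 set peer 162.x.x.38
 set transform-set 3des
 match address 109
access-list 109 permit ip 10.252.143.0 0.0.0.255 10.253.127.0 0.0.0.255
"""

def _wildcard_to_mask(wc):  # IOS ACLs use wildcard bits, ASA ACLs use masks
    return ".".join(str(255 - int(o)) for o in wc.split("."))

def parse_crypto(cfg, flavor):
    """Extract what a site-to-site tunnel depends on; flavor is "asa" or "ios"."""
    s = {"peer": None, "transform": None, "policy": {}, "acl": [],
         "psk_for": set(), "isakmp_ifaces": set(), "map_iface": None}
    acls, tsets, acl_name, ts_name, tgroup = {}, {}, None, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (?:extended )?permit\s+ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, sa, sm, da, dm = m.groups()
            if flavor == "ios":
                sm, dm = _wildcard_to_mask(sm), _wildcard_to_mask(dm)
            acls.setdefault(name, []).append(((sa, sm), (da, dm)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m.group(1)] = tuple(m.group(2).split())
        elif re.match(r"crypto isakmp policy \d+$", line):
            s["policy"] = {}  # attributes follow on the next lines
        elif m := re.match(r"(authentication|encr|encryption|hash|group) (\S+)$", line):
            s["policy"]["encryption" if m.group(1) == "encr" else m.group(1)] = m.group(2)
        elif m := re.match(r"(?:crypto map \S+ \d+ )?match address (\S+)$", line):
            acl_name = m.group(1)
        elif m := re.match(r"(?:crypto map \S+ \d+ )?set peer (\S+)$", line):
            s["peer"] = m.group(1)
        elif m := re.match(r"(?:crypto map \S+ \d+ )?set transform-set (\S+)$", line):
            ts_name = m.group(1)
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):  # ASA: bound by nameif
            s["map_iface"] = m.group(1)
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            s["isakmp_ifaces"].add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            s["psk_for"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            tgroup = m.group(1)
        elif line.startswith("pre-shared-key") and tgroup:
            s["psk_for"].add(tgroup)
    s["acl"], s["transform"] = acls.get(acl_name, []), tsets.get(ts_name)
    return s

def check_pair(asa, ios, asa_outside, ios_outside):
    """Return every mismatch between the two parsed sides (empty list = consistent)."""
    f = []
    for k in ("authentication", "encryption", "hash", "group"):
        if asa["policy"].get(k) != ios["policy"].get(k):
            f.append(f"phase 1 {k} differs: ASA={asa['policy'].get(k)} IOS={ios['policy'].get(k)}")
    if asa["transform"] != ios["transform"]:
        f.append(f"phase 2 transform differs: ASA={asa['transform']} IOS={ios['transform']}")
    if {(s, d) for s, d in asa["acl"]} != {(d, s) for s, d in ios["acl"]}:
        f.append("crypto ACLs are not mirror images of each other")
    for side, d, other in (("ASA", asa, ios_outside), ("router", ios, asa_outside)):
        if d["peer"] != other:
            f.append(f"{side} peer {d['peer']} is not the other side's outside address {other}")
        if d["peer"] not in d["psk_for"]:
            f.append(f"{side} has no pre-shared key for peer {d['peer']}")
    if extra := asa["isakmp_ifaces"] - {asa["map_iface"]}:
        f.append(f"ASA has ISAKMP enabled on {sorted(extra)} but the crypto map is only on {asa['map_iface']}")
    return f

def run_thread_check():  # outside addresses taken from the two configs in the thread
    return check_pair(parse_crypto(ASA_CFG, "asa"), parse_crypto(IOS_CFG, "ios"),
                      asa_outside="162.x.x.38", ios_outside="68.x.x.10")
```

On the two configs as posted, policies, transform sets, peers, keys and crypto ACLs all agree, and the single line `run_thread_check()` returns is the ASA having ISAKMP enabled on `inside` while the crypto map is bound only to `outside`. Changing one attribute on either side (for instance `hash md5` to `hash sha` in the router config) produces the corresponding "phase 1 hash differs" entry instead.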

pudawat Fri, 01/29/2010 - 15:54

Hi Cole,

Can you attach detail debugs of the ASA?

deb cry isakmp 200

deb cry ipsec 200

Remove the crypto map from the inside interface.

Add "no-xauth" at the end of the line "crypto isakmp key xxxxxxx address 168.x.x.x".

Then check the tunnel!

Thanks,

Pradhuman

cole_rutherford Mon, 02/01/2010 - 07:39

Still no luck.

Here's the log from the ASA:

Feb 01 17:19:41 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:43 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:19:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:44 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:47 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:50 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:51 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:19:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:54 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:55 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:59 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:59 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:20:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:20:00 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:20:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:20:05 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:20:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:20:06 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:20:07 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, IKE MM Initiator FSM error history (struct &0xda45a5b8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 01 17:20:07 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, IKE SA MM:5ac4ac0e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 01 17:20:07 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, sending delete/delete with reason message
Feb 01 17:20:07 [IKEv1]: IP = 68.xxx.xxx.10, Removing peer from peer table failed, no match!
Feb 01 17:20:07 [IKEv1]: IP = 68.xxx.xxx.10, Error: Unable to remove PeerTblEntry
Feb 01 17:20:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:20:12 [IKEv1]: IP = 68.xxx.xxx.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 68.xxx.xxx.10  local Proxy Address 10.253.127.0, remote Proxy Address 10.252.143.0,  Crypto map (outside_map)
Feb 01 17:20:12 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, constructing ISAKMP SA payload
Feb 01 17:20:12 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, constructing NAT-Traversal VID ver 02 payload
Feb 01 17:20:12 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, constructing NAT-Traversal VID ver 03 payload
Feb 01 17:20:12 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, constructing NAT-Traversal VID ver RFC payload
Feb 01 17:20:12 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, constructing Fragmentation VID + extended capabilities payload
Feb 01 17:20:12 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
no deb cry isFeb 01 17:20:19 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:20:19 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
a 20Feb 01 17:20:20 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
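
The debug above is easier to read once you know what to look for: which interface the ASA chose to initiate from, whether anything ever came back from the peer, and in which state the main-mode FSM gave up. The script below is an added example, not part of the thread, that extracts those three facts from a `debug crypto isakmp` capture; the sample lines are copied from the capture above (the poster had already masked the peer address). The `expected_intf` parameter is the interface the crypto map is bound to, `outside` in this configuration.

```python
# Added example: triage an ASA "debug crypto isakmp" capture for a stalled IKEv1 main mode.
import re

# Constructed from the lines posted in the thread (peer address masked by the poster).
SAMPLE_DEBUG = """\
Feb 01 17:19:43 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:19:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 01 17:19:44 [IKEv1]: IP = 68.xxx.xxx.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 01 17:19:51 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:19:59 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 01 17:20:07 [IKEv1 DEBUG]: IP = 68.xxx.xxx.10, IKE MM Initiator FSM error history (struct &0xda45a5b8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 01 17:20:07 [IKEv1]: IP = 68.xxx.xxx.10, Removing peer from peer table failed, no match!
Feb 01 17:20:07 [IKEv1]: IP = 68.xxx.xxx.10, Error: Unable to remove PeerTblEntry
Feb 01 17:20:12 [IKEv1]: IP = 68.xxx.xxx.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 68.xxx.xxx.10  local Proxy Address 10.253.127.0, remote Proxy Address 10.252.143.0,  Crypto map (outside_map)
Feb 01 17:20:12 [IKEv1]: IP = 68.xxx.xxx.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
"""

# Timestamp, [IKEv1] or [IKEv1 DEBUG], optional "IP = peer," then the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: (?:IP = (?P<peer>\S+), )?(?P<msg>.*)$")

def triage_isakmp_debug(text, expected_intf="outside"):
    """Summarise one IKEv1 initiator attempt.

    Returns (facts, findings): facts is what the capture shows, findings is
    the short list a responder would act on. expected_intf is the interface the
    crypto map is bound to ("crypto map ... interface <name>").
    """
    facts = {"peer": None, "initiator_intf": None, "mm1_sent": 0, "mm1_resent": 0,
             "received_any": False, "timeout_state": None, "peer_table_errors": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate CLI echo and other non-debug lines in the capture
        msg = m.group("msg")
        if m.group("peer"):
            facts["peer"] = m.group("peer")
        if i := re.search(r"IKE Initiator: New Phase 1, Intf (\S+),", msg):
            facts["initiator_intf"] = i.group(1)
        elif "IKE_DECODE SENDING Message (msgid=0)" in msg:
            facts["mm1_sent"] += 1          # first main-mode message (msgid 0) went out
        elif "IKE_DECODE RESENDING Message (msgid=0)" in msg:
            facts["mm1_resent"] += 1        # retransmitted because no reply arrived
        elif "IKE_DECODE RECEIVED Message" in msg:
            facts["received_any"] = True    # the peer answered something
        elif i := re.search(r"FSM error history.*?EV_TIMEOUT-->(\w+)", msg):
            facts["timeout_state"] = i.group(1)  # state the initiator was in when it timed out
        elif "PeerTblEntry" in msg or "Removing peer from peer table failed" in msg:
            facts["peer_table_errors"] += 1
    findings = []
    if facts["initiator_intf"] and facts["initiator_intf"] != expected_intf:
        findings.append(f"phase 1 initiated from '{facts['initiator_intf']}' but the crypto map "
                        f"is bound to '{expected_intf}'")
    if facts["timeout_state"] == "MM_WAIT_MSG2" and not facts["received_any"]:
        findings.append(f"main mode timed out in MM_WAIT_MSG2 after {facts['mm1_resent']} retransmits "
                        f"of MSG1 and nothing was received from {facts['peer']}: the peer is not "
                        f"answering, or the request is not reaching it")
    if facts["peer_table_errors"] and findings:
        findings.append("'Unable to remove PeerTblEntry' is teardown noise after the failure above, "
                        "not the cause")
    return facts, findings
```

Run against the capture above, `triage_isakmp_debug(SAMPLE_DEBUG)` reports the phase 1 attempt leaving via `inside` rather than `outside`, three unanswered retransmits of the first main-mode message ending in `MM_WAIT_MSG2`, and classifies the `PeerTblEntry` lines as a consequence rather than the fault. The same function works on a longer raw capture, since lines that do not match the debug format are skipped.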

pudawat Tue, 02/02/2010 - 15:56

Feb 01 17:20:12 [IKEv1]: IP = 68.xxx.xxx.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 68.xxx.xxx.10  local Proxy Address 10.253.127.0, remote Proxy Address 10.252.143.0,  Crypto map (outside_map)

The above debugs indicate that the IKE policies are getting negotiated on the inside interface, because the crypto map is enabled on the inside interface. Just remove it and then try.

Also add the command on the ASA: cry isakmp nat-t

Thanks,

Pradhuman
