Site-to-site VPN Issue Between ASA55XX & VPN router 3845

Hi,

I am having an issue establishing a site-to-site IPsec VPN tunnel between a Cisco ASA and a VPN router 3845. The configurations seem to be fine, but the tunnel is not coming up. I also ran debugs at the VPN router and found that even phase 1 is not coming up. I would appreciate any useful piece of advice.

Following are the configurations at the devices and the debug at the VPN 3845:

ASA55XX

+++++++++++

ASA Version 8.0(4)
!
hostname S-FW

names
name 192.168.2.0 inside-network
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.251 255.255.255.0
!
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name zime.biz

access-list outside_1_cryptomap extended permit ip host 10.60.114.12 host 192.168.108.122
access-list outside_1_cryptomap extended permit ip host 10.60.114.11 host 192.168.124.19
access-list outside_1_cryptomap extended permit ip host 10.60.114.13 host 192.168.124.26
access-list outside_1_cryptomap extended permit ip host 10.60.114.10 host 192.168.108.61

access-list inside_nat_outbound extended permit tcp inside-network 255.255.255.0 host 192.168.124.19 eq 8895
access-list inside_nat_outbound extended permit tcp inside-network 255.255.255.0 host 192.168.124.19 eq 8896
access-list inside_nat_outbound extended permit tcp inside-network 255.255.255.0 host 192.168.124.19 eq 8897
access-list inside_nat_outbound_1 extended permit tcp inside-network 255.255.255.0 host 192.168.108.122 eq ssh
access-list inside_nat_outbound_2 extended permit tcp inside-network 255.255.255.0 host 192.168.124.26 eq https
access-list inside_nat_outbound_3 extended permit tcp inside-network 255.255.255.0 host 192.168.108.61 eq 8413

nat-control
global (outside) 1 interface
global (outside) 2 10.60.114.12 netmask 255.255.255.255
global (outside) 3 10.60.114.11 netmask 255.255.255.255
global (outside) 4 10.60.114.13 netmask 255.255.255.255
global (outside) 5 10.60.114.10 netmask 255.255.255.255

nat (inside) 3 access-list inside_nat_outbound
nat (inside) 2 access-list inside_nat_outbound_1
nat (inside) 4 access-list inside_nat_outbound_2
nat (inside) 5 access-list inside_nat_outbound_3
nat (inside) 1 inside-network 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 194.170.X.X
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp reload-wait
!

group-policy Sinad-ipsec internal
group-policy Sinad-ipsec attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 194.170.X.X type ipsec-l2l
tunnel-group 194.170.X.X general-attributes
default-group-policy Sinad-ipsec
tunnel-group 194.170.X.X ipsec-attributes
pre-shared-key S!N@#XXX
!

+++++++++++++++++++++++++

VPN-Router_3845

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address 217.17.X.X
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ENBD-VPN esp-3des esp-sha-hmac
!
crypto map ENBD-map 40 ipsec-isakmp
 set peer 217.17.X.X
 set transform-set ENBD-VPN
 match address VPN
 reverse-route
!
interface GigabitEthernet0/1
 description **** Connected to INET-SW-6 Port#: Gig0/3 ****
 ip address 195.229.X.X 255.255.X.X
 crypto map ENBD-map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.229.123.241 name ****Default-Route-to-INET-FW****
ip route 192.168.108.61 255.255.255.255 195.229.X.X
ip route 192.168.108.75 255.255.255.255 195.229.X.X
ip route 192.168.108.115 255.255.255.255 195.229.X.X
ip route 192.168.108.122 255.255.255.255 195.229.X.X
ip route 192.168.124.19 255.255.255.255 195.229.X.X
ip route 192.168.124.26 255.255.255.255 195.229.X.X
ip route 192.168.124.112 255.255.255.255 195.229.X.X
ip route 194.170.X.X 255.255.255.255 195.229.X.X
ip route 194.170.X.X 255.255.255.255 195.229.X.X
!
!
no ip http server
no ip http secure-server
!
ip access-list extended VPN
 permit ip host 192.168.108.122 host 10.66.98.12
 permit ip host 192.168.124.19 host 10.66.98.11
 permit ip host 192.168.108.61 host 10.66.98.10
 permit ip host 192.168.124.26 host 10.66.98.13
!
!
DR-NI-VPN-A#sh version
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
System image file is "flash:c3845-advipservicesk9-mz.124-15.T10.bin"

++++++++++++++++

Debug at VPN router

*Feb 15 12:28:47.791: ISAKMP (0:0): received packet from 217.17.X.X dport 500 sport 55056 Global (N) NEW SA
*Feb 15 12:28:47.791: ISAKMP: Created a peer struct for 217.17.X.X, peer port 55056
*Feb 15 12:28:47.791: ISAKMP: New peer created peer = 0x66E91284 peer_handle = 0x8000000D
*Feb 15 12:28:47.791: ISAKMP: Locking peer struct 0x66E91284, refcount 1 for crypto_isakmp_process_block
*Feb 15 12:28:47.791: ISAKMP: local port 500, remote port 55056
*Feb 15 12:28:47.791: insert sa successfully sa = 684177A0
*Feb 15 12:28:47.791: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 15 12:28:47.791: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Feb 15 12:28:47.791: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID is NAT-T v3
*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): processing IKE frag vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Feb 15 12:28:47.791: ISAKMP:(0):found peer pre-shared key matching 217.17.237.142
*Feb 15 12:28:47.791: ISAKMP:(0): local preshared key found
*Feb 15 12:28:47.791: ISAKMP : Scanning profiles for xauth ...
*Feb 15 12:28:47.791: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Feb 15 12:28:47.791: ISAKMP:      default group 2
*Feb 15 12:28:47.791: ISAKMP:      encryption 3DES-CBC
*Feb 15 12:28:47.791: ISAKMP:      hash SHA
*Feb 15 12:28:47.791: ISAKMP:      auth pre-share
*Feb 15 12:28:47.791: ISAKMP:      life type in seconds
*Feb 15 12:28:47.791: ISAKMP:      life duration (VPI) of  0x0 0x0 0xE 0x10
*Feb 15 12:28:47.791: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 15 12:28:47.791: ISAKMP:(0):Acceptable atts:actual life: 0
*Feb 15 12:28:47.791: ISAKMP:(0):Acceptable atts:life: 0
*Feb 15 12:28:47.791: ISAKMP:(0):Fill atts in sa vpi_length:4
*Feb 15 12:28:47.791: ISAKMP:(0):Fill atts in sa life_in_seconds:3600
*Feb 15 12:28:47.791: ISAKMP:(0):Returning Actual lifetime: 3600
*Feb 15 12:28:47.791: ISAKMP:(0)::Started lifetime timer: 3600.

*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 15 12:28:47.791: ISAKMP:(0): vendor ID is NAT-T v3
*Feb 15 12:28:47.791: ISAKMP:(0): processing vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0): processing IKE frag vendor id payload
*Feb 15 12:28:47.791: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Feb 15 12:28:47.791: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 15 12:28:47.791: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Feb 15 12:28:47.791: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 15 12:28:47.791: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:28:47.791: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:28:47.791: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 15 12:28:47.791: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Feb 15 12:28:55.775: ISAKMP (0:0): received packet from 217.17.X.X dport 500 sport 55056 Global (R) MM_SA_SETUP
*Feb 15 12:28:55.775: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Feb 15 12:28:55.775: ISAKMP:(0): retransmitting due to retransmit phase 1
*Feb 15 12:28:56.275: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:28:56.275: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 15 12:28:56.275: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 15 12:28:56.275: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:28:56.275: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:29:03.791: ISAKMP (0:0): received packet from 217.17.X.X dport 500 sport 55056 Global (R) MM_SA_SETUP
*Feb 15 12:29:03.791: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Feb 15 12:29:03.791: ISAKMP:(0): retransmitting due to retransmit phase 1
*Feb 15 12:29:04.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:29:04.291: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 15 12:29:04.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 15 12:29:04.291: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:29:04.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:29:11.791: ISAKMP (0:0): received packet from 217.17.X.X dport 500 sport 55056 Global (R) MM_SA_SETUP
*Feb 15 12:29:11.791: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Feb 15 12:29:11.791: ISAKMP:(0): retransmitting due to retransmit phase 1
*Feb 15 12:29:12.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:29:12.291: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 15 12:29:12.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 15 12:29:12.291: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:29:12.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:29:22.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:29:22.291: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 15 12:29:22.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 15 12:29:22.291: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:29:22.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:29:32.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:29:32.291: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 15 12:29:32.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 15 12:29:32.291: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:29:32.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 15 12:29:42.291: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 15 12:29:42.291: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 15 12:29:42.291: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 217.17.237.142)
*Feb 15 12:29:42.291: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 217.17.237.142)
*Feb 15 12:29:42.291: ISAKMP: Unlocking peer struct 0x66E91284 for isadb_mark_sa_deleted(), count 0
*Feb 15 12:29:42.291: ISAKMP: Deleting peer node by peer_reap for 217.17.X.X: 66E91284
*Feb 15 12:29:42.291: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 15 12:29:42.291: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

Regards

Nad

7 Replies

Hi,

Is this tunnel going through Internet?

I ask this because the ASA only has private IPs. I see the crypto map on the router is pointing to a public IP (is this statically NATed by another device in front of the ASA)?

The VPN traffic might not be hitting the ASA?

Federico.

Collin Clark
VIP Alumni

Hi,

Yes, this VPN is across the internet cloud, and the ASA is connected to a DSL line which has a public IP; the ASA traffic is getting translated there. That's why you are seeing public IPs in the debug output.

Regards

Nad

Please attach the results from the following commands on the ASA when trying to establish the tunnel:

debug cry isa 155

debug cry ipse 155

Federico.

Hi Federico,

What is 155? The router is not taking the mentioned command.

It only accepts either

debug cry isa         (carriage return)

debug cry ipsec     (carriage return)

Rg

Those debugs are to be implemented on the ASA not the router.

We want to check the debugs on the ASA.

Federico.

Apologies for the delayed response. Indeed, both the ASA & VPN router configurations are correct; the VPN was not getting established due to ISAKMP packets being dropped at the internet gateway router.

It is fixed by allowing them at the internet gateway...

Regards

Nad
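As an added example (not code from the thread or from Cisco): a small Python checker that reads router-side ISAKMP debug lines like the ones Nad posted and flags the pattern he hit, the proposal being accepted and the SA then dying in MM_SA_SETUP after retransmissions, as a drop of UDP/500 somewhere in the path rather than a policy mismatch. It also notes the initiator's non-500 source port (55056 in the debug), which is the footprint of the PAT device in front of the ASA that Nad described; the sample lines are a constructed, condensed excerpt of that debug.

```python
import re
# Constructed sample: a condensed excerpt of the router-side ISAKMP debug from
# the thread (not the full capture), with the redacted peer address kept.
SAMPLE_DEBUG = """\
*Feb 15 12:28:47.791: ISAKMP (0:0): received packet from 217.17.X.X dport 500 sport 55056 Global (N) NEW SA
*Feb 15 12:28:47.791: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Feb 15 12:28:47.791: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 15 12:28:47.791: ISAKMP:(0): sending packet to 217.17.X.X my_port 500 peer_port 55056 (R) MM_SA_SETUP
*Feb 15 12:28:47.791: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Feb 15 12:28:55.775: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Feb 15 12:28:56.275: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 15 12:29:04.291: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 15 12:29:42.291: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 217.17.X.X)
*Feb 15 12:29:42.291: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA
"""
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
RETRANS_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DEATH_RE = re.compile(r'"Death by retransmission P1" state \(R\) (\S+)')

def analyse_isakmp_debug(text):
    """Summarise one responder-side IKEv1 main-mode attempt from debug lines."""
    s = {"peer": None, "peer_sport": None, "atts_acceptable": False,
         "duplicates": 0, "retransmits": 0, "died_in": None}
    for line in text.splitlines():
        if m := RECV_RE.search(line):
            s["peer"], s["peer_sport"] = m.group(1), int(m.group(3))
        if "atts are acceptable" in line:  # MM1 proposal matched a local policy
            s["atts_acceptable"] = True
        if "duplicate of a previous packet" in line:  # initiator resent MM1
            s["duplicates"] += 1
        if m := RETRANS_RE.search(line):  # router resent its own MM2
            s["retransmits"] = int(m.group(1))
        if m := DEATH_RE.search(line):  # state the SA was in when it timed out
            s["died_in"] = m.group(1)
    return s

def diagnose(s):
    """Turn the summary into findings a troubleshooter can act on."""
    findings = []
    if s["atts_acceptable"] and s["died_in"] == "MM_SA_SETUP":
        findings.append("policy matched but MM3 never arrived: UDP/500 is being "
                        "dropped between the peers, not a proposal mismatch")
    if s["duplicates"] and s["retransmits"]:
        findings.append("both sides retransmitting: the initiator never saw MM2")
    if s["peer_sport"] not in (None, 500, 4500):
        findings.append(f"initiator source port {s['peer_sport']}: a PAT device "
                        "sits in front of it, so NAT-T should stay enabled")
    return findings
```

On the sample the checker reports all three findings; a proposal mismatch would instead show no "atts are acceptable" line and the SA dying in IKE_R_MM1.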
