How to add new L2L Tunnel between ASA (Cluster) and IOS VPN Router to an Existing RA VPN?

Apr 29th, 2010

Hello Everybody


I have a problem adding a new site-to-site VPN to an existing RA VPN on ASAs running a load-balancing cluster. There are no messages about IKE Phase 1 on either device. The RA VPN works fine, but the L2L VPN does not work. Please help me. I tried debug crypto isakmp on both the ASA and the Router, but there were no messages from the devices. Both devices can ping each other.


Here are the configurations on the ASA and the Router


#################################################################################


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0


crypto ipsec transform-set RA-SET esp-aes esp-sha-hmac
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set RA-SET
crypto dynamic-map dyn1 1 set reverse-route
crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1
crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 5000
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5500
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 10.1.1.10 type ipsec-l2l
tunnel-group 10.1.1.10 ipsec-attributes
pre-shared-key test123


vpn load-balancing
redirect-fqdn enable
priority 2
cluster key vpn*cluster
cluster ip address 10.1.1.1
cluster encryption
participate


#################################################################################


crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.2          -----> This IP address should be the real IP address of the ASA or the VIP (cluster)
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
!
crypto map L2L-TEST 1 ipsec-isakmp
set peer 10.1.1.2                                 -----> This IP address should be the real IP address of the ASA or the VIP (cluster)
set transform-set L2L-SET
match address ACL-L2L
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.1.1.10 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map L2L-TEST

#################################################################################


ASA-1# sh crypto isa sa


   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1   IKE Peer: 10.1.1.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE



****** No L2L Tunnel status between ASA and Router *****


#################################################################################


ROUTER#sh crypto isa sa
dst             src             state          conn-id slot status


****** No L2L Tunnel status between ASA and Router *****

Federico Coto F... Thu, 04/29/2010 - 10:45

Hi,


You have the dynamic crypto map associated with the static crypto map with an ID of 1.

The L2L has an ID of 10.


The Site-to-Site should always have a lower ID.

Please change the ID to 100 for example.


no crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1

crypto map VPN-MAP 100 ipsec-isakmp dynamic dyn1

Let's see if that makes any difference (the reason is because the VPN will try to match the crypto maps in sequential order).


Federico.
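
The ordering rule in the reply above (the ASA walks crypto map entries in ascending sequence order, so a dynamic entry with a low sequence number shadows the static L2L entry that follows it) is easy to check mechanically before a change window. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses the crypto map, transform-set and tunnel-group lines of an ASA configuration and flags a dynamic entry that precedes a static one, a static entry whose peer has no matching ipsec-l2l tunnel-group, and references to undefined transform-sets or missing match address lines. The sample configurations are constructed from the one posted in the question; the function names and the checks beyond sequence ordering are this example's own.

```python
"""Lint ASA crypto-map ordering and references (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: the ASA config from the question, reduced to the relevant lines.
ORIGINAL_CONFIG = """\
crypto ipsec transform-set RA-SET esp-aes esp-sha-hmac
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set RA-SET
crypto dynamic-map dyn1 1 set reverse-route
crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1
crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP interface outside
tunnel-group 10.1.1.10 type ipsec-l2l
tunnel-group 10.1.1.10 ipsec-attributes
 pre-shared-key test123
"""

# Same config after moving the dynamic entry to the highest sequence number,
# as suggested in the reply.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1",
    "crypto map VPN-MAP 65000 ipsec-isakmp dynamic dyn1",
)

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse(config):
    """Return (entries, transform_sets, l2l_tunnel_groups).

    entries maps (map_name, seq) -> dict with keys 'dynamic', 'peer',
    'transform_set' and 'acl'; 'dynamic' holds the dynamic-map name or None.
    """
    entries = defaultdict(lambda: {"dynamic": None, "peer": None,
                                   "transform_set": None, "acl": None})
    transform_sets = set()
    tunnel_groups = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            transform_sets.add(m.group(1))
        elif m := TG_RE.match(line):
            tunnel_groups.add(m.group(1))
        elif m := MAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entry = entries[(name, seq)]
            if rest.startswith("ipsec-isakmp dynamic "):
                entry["dynamic"] = rest.split()[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[-1]
            elif rest.startswith("set transform-set "):
                entry["transform_set"] = rest.split()[-1]
            elif rest.startswith("match address "):
                entry["acl"] = rest.split()[-1]
    return dict(entries), transform_sets, tunnel_groups


def lint(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries, transform_sets, tunnel_groups = parse(config)
    findings = []
    by_map = defaultdict(list)
    for (name, seq), entry in entries.items():
        by_map[name].append((seq, entry))
    for name, items in by_map.items():
        static_seqs = [s for s, e in items if e["dynamic"] is None]
        for seq, entry in sorted(items, key=lambda item: item[0]):
            if entry["dynamic"] is not None:
                # Entries are evaluated in ascending sequence order, so a dynamic
                # entry placed before a static L2L entry shadows it.
                shadowed = [s for s in static_seqs if s > seq]
                if shadowed:
                    findings.append(
                        f"{name} {seq}: dynamic map {entry['dynamic']} precedes "
                        f"static entries {shadowed}; move it to a higher sequence number")
                continue
            if entry["peer"] is None:
                findings.append(f"{name} {seq}: static entry has no 'set peer'")
            elif entry["peer"] not in tunnel_groups:
                findings.append(
                    f"{name} {seq}: no 'tunnel-group {entry['peer']} type ipsec-l2l'")
            if entry["acl"] is None:
                findings.append(f"{name} {seq}: static entry has no 'match address'")
            if entry["transform_set"] not in transform_sets:
                findings.append(
                    f"{name} {seq}: transform-set {entry['transform_set']} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run against the posted configuration, the linter reports the sequence-1 dynamic entry as shadowing sequence 10; after the dynamic entry is moved to 65000 it reports nothing. The tunnel-group check is worth keeping in the same pass because a static entry whose peer has no ipsec-l2l tunnel-group fails the same way from the outside: Phase 1 never completes and the debugs stay quiet.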

phatrachit Thu, 04/29/2010 - 10:58

Hi Federico


Thank you for replying to my post. I already changed the configuration on the ASA, but my problem still occurs.


Here is the new configuration


crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP 65000 ipsec-isakmp dynamic dyn1


After changing the configuration on the ASA, I cleared crypto isakmp on both the ASA and the Router.

Federico Coto F... Thu, 04/29/2010 - 11:01

Can you post the output of the debugs to see why phase 2 is not coming up?


On the ASA:

debug cry isa 127

debug cry ips 127


On the router:

debug cry isa

debug cry ips


Federico.

phatrachit Thu, 04/29/2010 - 11:10

As in my first post, I already ran debug crypto isakmp and ipsec on both the ASA and the Router. I didn't get any messages from either device. It looks like there is no communication between the ASA and the Router for the VPN tunnel.


Am I missing configuration on a device?


ASA 5550 with SW version 8.2

Router 2801 with IOS 12.4T (Advanced Enterprise)

Federico Coto F... Thu, 04/29/2010 - 11:14

Is there any device in between, or in either end, blocking ISAKMP (UDP 500) or ESP protocol?

You need to make sure that both are permitted through along the path.

I don't think that you have this problem on the ASA side (since RA connections are working fine), but what about the Router side?


Federico.

phatrachit Thu, 04/29/2010 - 11:18

Between the ASA and the Router is an L3 switch that I set up to simulate the ISP. There is no ACL on the router, and the firewall policy is also opened as permit ip any any on the outside interface.


Lenka,

Federico Coto F... Thu, 04/29/2010 - 11:34

Ok, since you're getting no debugs you can do a test:


For example on the router:

access-list ISAKMP permit udp host ASA's_IP host Router's_IP eq 500

access-list ISAKMP permit ip any any


If you apply this ACL on your router's outside interface in the inbound direction, you should see if the ISAKMP traffic is getting to the router.

You should see hitcounts on the ACL.


If you don't get hitcounts, either the ASA is not sending the packets to the router or something is blocking the packets from reaching the router.


Federico.

phatrachit Thu, 04/29/2010 - 12:02

Hi Federico,


I put an ACL on the router and used the "capture" command to monitor packets coming to the ASA. Neither the router nor the ASA sends any packets to the other, except for ICMP, which both devices can capture and see.


No ACL is applied on any interface of the L3 switch that connects to the ASA and the router.


Lenka.

Federico Coto F... Thu, 04/29/2010 - 12:07

That is very weird.

If both ASA and router can PING each other that means the routing is ok too.


Sometimes I've seen the ISP blocking ISAKMP, have you checked if this is the case on the router side?

Can you also post the ''sh run'' from both sides?


Federico.
