Troubleshooting IPSec Site-to-Site VPN between ASA and 1841

Answered Question
May 7th, 2010
User Badges:

Hello everyone,


in the past I set up several VPN connections between ASA devices. So I thought a site to site connection between an ASA and a 1841 would be easy as well... But it seems I was wrong.

I set up the Site-to Site VPN like it was described in Document ID: 110198 SDM: Site-to-Site IPsec VPN Between ASA/PIX and  an IOS Router Configuration Example (I did not use SDM but CCP).


I run the wizards on the ASA with ASDM and on the 1841 running IOS version 15.1 with CCP.


It seems the Phase 1 and 2 are coming up nicely as my ASA reports in ADSM (Monitoring > VPN > VPN Statistics > Sessions) an established tunnel with some traffic Tx but 0 traffic Rx),


On the ASA:

Result of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"


peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc


      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz


      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz


      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500


    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001





Result of the command: "sh crypto isakmp sa"


   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4


IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE



On the 1841


1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE



1841#sh crypto ipsec sa


interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2


     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2


     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


It seems that the routing on the 1841 does not work properly as I can tear down the tunnel and reinitiate by pinging a host on the 1841 network but not viceversa.


The VPN Trounleshoot report of the 1841 shows a message like "The following source(s) are routed through the crypto  map interface.      1) 172.20.2.0   Go to 'Configure->Routing' and correct the routing table"


I didn't found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly any hint!


This is the running config of the 1841


!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network Telefone
description VoIP Telefone
host 172.20.2.50
host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
mode atm
dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.aa.bb.cc
set peer 62.aa.bb.cc
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
!
!
interface FastEthernet0/0
description DMZ$FW_OUTSIDE$
ip address 10.10.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 172.20.2.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxx8
ppp pap sent-username xxxxxxx password 7 xxxxxxx
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!


!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
length 0
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end




As I mentioned before: any hint is highly appreciated!!



Best regards,


Joerg

Correct Answer by dirkfeldhaus about 7 years 2 months ago

Hi Joerg,

maybe there is a problem with the NAT, although configuration seems fine at a first glance.

You can issue the"show ip nat translation" command after you initiated the VPN from the ASA to see if your destination ip gets natted.

A second way is to use "debug ip packet" on the router to check what happens. This should be used with care as debugging will put a high load on the router, it might breakdown and you need to reboot. Although 1841 is quite stable. You should use an acl to limit the packets you're debugging. I'm not sure about the syntax, should be something like "debug ip packet access-list ...".

It's maybe easier to disable the NAT temporarily for a first check.

Good luck

Correct Answer by Federico Coto F... about 7 years 2 months ago

Joerg,


The ASA is not receiving any VPN packets because the IOS is not sending any.

Try to send packets from the 1841's LAN to the ASA's LAN and see is the ''sh cry ips sa'' on the 1841 increments the encrypted packets (it has none)


The problem then seems on the router side.

I will think is a routing issue, but you just have a default gateway (no other routes on the router).

The ACL 100 is defined to encrypt the traffic between the two subnets.

It seems the ACL 101 is also bypassing NAT for the VPN traffic.


Do the following:

Try initiating traffic from the router's LAN inside IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are bypassing translation and are getting encrypted.


I would also remove ACL 100 from the inside interface on the router since it is used for VPN. You can create another ACL to apply to the interface.


Federico.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Federico Coto F... Fri, 05/07/2010 - 10:50
User Badges:
  • Green, 3000 points or more

Joerg,


The ASA is not receiving any VPN packets because the IOS is not sending any.

Try to send packets from the 1841's LAN to the ASA's LAN and see is the ''sh cry ips sa'' on the 1841 increments the encrypted packets (it has none)


The problem then seems on the router side.

I will think is a routing issue, but you just have a default gateway (no other routes on the router).

The ACL 100 is defined to encrypt the traffic between the two subnets.

It seems the ACL 101 is also bypassing NAT for the VPN traffic.


Do the following:

Try initiating traffic from the router's LAN inside IP (ping 192.168.37.x source 172.20.2.254) and see if the packets are bypassing translation and are getting encrypted.


I would also remove ACL 100 from the inside interface on the router since it is used for VPN. You can create another ACL to apply to the interface.


Federico.

Raj Kumar Mon, 09/29/2014 - 00:39
User Badges:

I have created IPSec Site-to-Site tunnel, it was working fine till yesterday.

today I checked the tunnel status, it was up but when try to ping the other end ip, encaps & Decaps is 0, so I cleared the tunnel clear crypto ipsec sa peer *.*.*.* and traffic start passing, and this issue is continue now. If the tunnel remain idle for long time(10 or 20 hours) there is no traffic pass and  as soon as I clear the tunnel it starts working.

Please help....

Correct Answer
dirkfeldhaus Fri, 05/07/2010 - 11:10
User Badges:

Hi Joerg,

maybe there is a problem with the NAT, although configuration seems fine at a first glance.

You can issue the"show ip nat translation" command after you initiated the VPN from the ASA to see if your destination ip gets natted.

A second way is to use "debug ip packet" on the router to check what happens. This should be used with care as debugging will put a high load on the router, it might breakdown and you need to reboot. Although 1841 is quite stable. You should use an acl to limit the packets you're debugging. I'm not sure about the syntax, should be something like "debug ip packet access-list ...".

It's maybe easier to disable the NAT temporarily for a first check.

Good luck

Joerg - Mon, 05/10/2010 - 00:11
User Badges:

Thanks folks,


I played araound with the access lists and now the traffic passes the tunnel as it is supposed to be.


BUT:


on the ASA side the tunnel is shown as up and running, on the 1841 side the tunnel is still shown as DOWN in CCP monitor. Only the ISAKMP windows shows an active connection. IPSEC is blank...


show crypto ipsec sa indicates the packets are encrypted and decrypted (as it should be as there is traffic passing the tunnel).


I can deal with it but it would be nicer to see the tunnel on the monitor page...


As mentioned on my first posting: any hint is welcome.


Have a nice and slow start in the week,


Joerg

Hi All


i have made a site to site IPSEC tunnel between Cisco ASA and Juniper SRX 240.After configurgartion i get IPSEC and IKE both phase 1 and phase 2 tunnel are up.but when i am trying to ping the cisco ASA side local lan IP from SRX LAN the ASA IPSEC decaps traffic is increase but encaps traffic is 0.please check the below sh crypto ipsec sa output.


sh cry ip sa

interface: outside

    Crypto map tag: DR-Tunnel, seq num: 10, local addr: 202.56.248.78


      access-list imc_crypto permit ip 10.0.1.0 255.255.255.0 10.1.0.0 255.255.254.0

      local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)

      current_peer: 125.21.177.123


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 504, #pkts decrypt: 504, #pkts verify: 504

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 202.56.248.78, remote crypto endpt.: 125.21.177.123


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: F0D66B1B


    inbound esp sas:

      spi: 0xEA57870A (3931604746)

         transform: esp-aes-256 esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: DR-Tunnel

         sa timing: remaining key lifetime (kB/sec): (4274961/26472)

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xF0D66B1B (4040583963)

         transform: esp-aes-256 esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: DR-Tunnel

         sa timing: remaining key lifetime (kB/sec): (4275000/26471)

         IV size: 16 bytes

         replay detection support: Y


Pls help me the resolve the same issue.


thanks for your support in advance.

Actions

This Discussion

Related Content