IPsec Cisco ASA problems

Javi Benito · ‎05-19-2010

Hello,

I have VPN between Cisco Asa 5510 and Stonegate (v5.1) and sometimes part of the vpn downs. I can do ping between some networks and with other networks in the same VPN I can't do ping.

When I reload Cisco ASA all start workin correctly.

These are some logs of the VPN:

Received encrypted packet with no matching SA, dropping
Removing peer from correlator table failed, no match!
Received non-routine Notify message: No proposal chosen (14)
Removing peer from correlator table failed, no match!
construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Where is the problem,

Thanks in advance

If you need more information tell me

Jennifer Halim · ‎05-20-2010

That means that when Stonegate sends encrypted packet towards the ASA, there is no matching SA (Security Association) for that particular encrypted packet. It is either Stonegate is sending the encrypted packet with a new SA that the ASA has not established yet, OR/ the ASA does not have the SA built at all for that particular encrypted packet.

Seen a number of issues between third party vendor, in particular during the time of rekey. You might want to open a Cisco TAC case and Stonegate, and troubleshoot it further with both vendors.

Javi Benito · ‎05-20-2010

If I put the configuration of ASA could you see if there is anything wrong ?

Jennifer Halim · ‎05-20-2010

If it works after reloading the ASA, more than likely it is not a configuration issue.It might be bug or interopability issue with Stonegate.

Do you know if the issue happens during the rekey time?

I would suggest to open up a TAC case so it could be investigated.

Javi Benito · ‎05-20-2010

These are the logs before it went down part of the VPN.

Jennifer Halim · ‎05-20-2010

Yes, seems that the DPD detected connectivity issue with the peer and tear down the tunnels.

You might want to disable DPD completely on both peers.

Another thing that I found is the IPSec lifetime is negotiated to be the lower value of 1800 seconds. You might want to make sure that both sides are actually configured with the ipsec lifetime of 28800 seconds.

Hope that helps.

Javi Benito · ‎05-20-2010

The lifetimes are of the another VPN between Cisco ASA and Fortigate (it's working fine).

The problem is with 194.30.30.2(Stonegate). How can I verify if DPD is disabled in Cisco ASA? I'm newbie with these devices?

Thanks for all

Federico Coto Fajardo · ‎05-20-2010

Javi,

To disable ISAKMP DPD on the ASA:

tunnel-group GROUP_NAME ipsec-attributes

no isakmp keepalive

Federico.

Javi Benito · ‎05-20-2010

This is the tunnel before and after execute no isakmp keepalive.

tunnel-group 194.30.30.2 type ipsec-l2l
tunnel-group 194.30.30.2 ipsec-attributes
pre-shared-key *

Federico Coto Fajardo · ‎05-20-2010

Javi,

That means that DPD was not active.

You can try entering the command globally:

cry isak keepalive 10

Check if you get an error if it's already implemented.

Also as halijeen suggested, set the IPsec lifetimes to match to avoid mismatch times in the renegotiation of SAs.

Federico.

Javi Benito · ‎05-20-2010

I've alrady execute this command.These is my configuration:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map VPN_map 1 match address VPN_1_cryptomap
crypto map VPN_map 1 set pfs group5
crypto map VPN_map 1 set peer 194.30.30.2
crypto map VPN_map 1 set transform-set ESP-3DES-SHA
crypto map VPN_map 1 set nat-t-disable
crypto map VPN_map 3 match address VPN_3_cryptomap
crypto map VPN_map 3 set pfs group5
crypto map VPN_map 3 set peer 202.111.1.186
crypto map VPN_map 3 set transform-set ESP-AES-256-SHA
crypto map VPN_map 3 set nat-t-disable
crypto map VPN_map 4 match address VPN_4_cryptomap
crypto map VPN_map 4 set pfs group5
crypto map VPN_map 4 set peer 201.144.100.242
crypto map VPN_map 4 set transform-set ESP-AES-256-SHA
crypto map VPN_map 4 set nat-t-disable
crypto map VPN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN_map interface VPN
crypto map management_map 1 match address management_1_cryptomap
crypto map management_map 1 set pfs group5
crypto map management_map 1 set peer 194.30.80.226
crypto map management_map 1 set transform-set ESP-AES-256-SHA
crypto map management_map 1 set nat-t-disable
crypto map management_map interface management
crypto isakmp enable Inside
crypto isakmp enable VPN
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet 0.0.0.0 0.0.0.0 Outside
telnet timeout 5
ssh y.y.y.y.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server DC source Inside prefer
webvpn
group-policy Ba internal
group-policy Ba attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 194.30.30.2 type ipsec-l2l
tunnel-group 194.30.30.2 ipsec-attributes
pre-shared-key *
tunnel-group 194.30.80.226 type ipsec-l2l
tunnel-group 194.30.80.226 ipsec-attributes
pre-shared-key *
tunnel-group 202.111.1.186 type ipsec-l2l
tunnel-group 202.111.1.186 ipsec-attributes
pre-shared-key *
tunnel-group 201.144.100.242 type ipsec-l2l
tunnel-group 201.144.100.242 ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
flow-export event-type all destination y.y.y.y
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:e276e644e2a23bce93ceb259b80b401c
: end
ciscoasa#

Can you see anything wrong?

Jennifer Halim · ‎05-20-2010

Actually, ignore my post on matching the ipsec lifetime. Just double check the logs again, and that's for a different tunnel.

Based on the following logs:

May 20 01:42:16 10.10.10.1 May 20 2010 01:43:21: %ASA-5-713904: IP = 194.30.30.2, Received encrypted packet with no matching SA, dropping
May 20 01:42:15 10.10.10.1 May 20 2010 01:43:20: %ASA-4-402114: IPSEC: Received an ESP packet (SPI= 0x4C0B0502, sequence number= 0x186A1) from 194.30.30.2 to 90.182.56.74 with an invalid SPI.
May 20 01:42:15 10.10.10.1 May 20 2010 01:43:20: %ASA-5-713050: Group = 194.30.30.2, IP = 194.30.30.2, Connection terminated for peer 194.30.30.2. Reason: Peer Terminate Remote Proxy 192.168.0.0, Local Proxy 10.10.10.0
May 20 01:42:15 10.10.10.1 May 20 2010 01:43:20: %ASA-5-713049: Group = 194.30.30.2, IP = 194.30.30.2, Security negotiation complete for LAN-to-LAN Group (194.30.30.2) Responder, Inbound SPI = 0x768ccac1, Outbound SPI = 0x1ba12f14

The above hightlighted basically means that the peer has terminated this particular SA between 192.168.0.0 and 10.10.10.0.

You would need to investigate on the peer device (Stonegate) as to why it terminates this particular SA.

Javi Benito · ‎05-20-2010

But I have another VPNs with this firewall to another Firewalls and works correctly with the same errors:

194.30.80.226 (Fortigate)

194.30.80.130 (Fortigate)

May 20 10:40:23 90.179.242.74 May 20 2010 10:41:30: %ASA-5-713904: IP = 194.30.80.226, Received encrypted packet with no matching SA, dropping

May 20 10:40:23 90.179.242.74 May 20 2010 10:41:30: %ASA-5-713050: Group = 194.30.80.226, IP = 194.30.80.226, Connection terminated for peer 194.30.80.226.  Reason: Peer Terminate  Remote Proxy 192.168.1.60, Local Proxy 10.10.23.11

May 20 10:37:23 90.179.242.74 May 20 2010 10:38:30: %ASA-5-713120: Group = 194.30.80.226, IP = 194.30.80.226, PHASE 2 COMPLETED (msgid=05a81847)

May 20 10:37:23 90.179.242.74 May 20 2010 10:38:30: %ASA-5-713049: Group = 194.30.80.226, IP = 194.30.80.226, Security negotiation complete for LAN-to-LAN Group (194.30.80.226)  Responder, Inbound SPI = 0x89d8684c, Outbound SPI = 0x19edcb57

May 20 10:36:49 90.179.242.74 May 20 2010 10:37:56: %ASA-5-713119: Group = 194.30.80.226, IP = 194.30.80.226, PHASE 1 COMPLETED

May 20 10:36:47 90.179.242.74 May 20 2010 10:37:54: %ASA-5-713050: Group = 194.30.80.226, IP = 194.30.80.226, Connection terminated for peer 194.30.80.226.  Reason: Peer Terminate  Remote Proxy 192.168.1.60, Local Proxy 10.10.23.11

May 20 10:32:09 90.179.242.74 May 20 2010 10:33:16: %ASA-5-713120: Group = 194.30.80.226, IP = 194.30.80.226, PHASE 2 COMPLETED (msgid=7c0755e1)

May 20 10:32:09 90.179.242.74 May 20 2010 10:33:16: %ASA-5-713049: Group = 194.30.80.226, IP = 194.30.80.226, Security negotiation complete for LAN-to-LAN Group (194.30.80.226)  Responder, Inbound SPI = 0xfb667030, Outbound SPI = 0x19edcb55

May 20 10:32:05 90.179.242.74 May 20 2010 10:33:12: %ASA-5-713119: Group = 194.30.80.226, IP = 194.30.80.226, PHASE 1 COMPLETED

May 20 10:32:04 90.179.242.74 May 20 2010 10:33:11: %ASA-5-713904: IP = 194.30.80.226, Received encrypted packet with no matching SA, dropping

May 20 10:32:04 90.179.242.74 May 20 2010 10:33:11: %ASA-5-713050: Group = 194.30.80.226, IP = 194.30.80.226, Connection terminated for peer 194.30.80.226.  Reason: Peer Terminate  Remote Proxy 10.10.23.11, Local Proxy 192.168.1.60

May 20 10:29:35 202.111.0.82 %ASA-3-713902: Group = 194.30.80.130, IP = 194.30.80.130, Removing peer from correlator table failed, no match!

May 20 10:29:35 202.111.0.82 %ASA-1-713900: Group = 194.30.80.130, IP = 194.30.80.130, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

May 20 10:29:35 202.111.0.82 %ASA-3-713902: Group = 194.30.80.130, IP = 194.30.80.130, QM FSM error (P2 struct &0xda1b9ba0, mess id 0xd73b8690)!

May 20 10:29:03 202.111.0.82 %ASA-5-713068: Group = 194.30.80.130, IP = 194.30.80.130, Received non-routine Notify message: Invalid ID info (18)

Thanks for your help!!