
L2L VPN ASA - 2851 Problem

Mhon Baul
Level 1

Hi Experts,

I hope all are doing well.

Last week, we set up an L2L VPN between an ASA and a 2851 router. Below is our setup:

10.71.x.x /16 ==>3750==>ASA5540 ==>INTERNET==> ROUTER-2851==>3750==>10.1.X.X/16

(LOCAL)                                                                                                             (REMOTE)

Our problem is that the remote site cannot access our network, but we can access their network. ACLs and routing were checked and all are correct.

I also checked one of our other L2L VPN setups, 3845 -> 2851. When I do show crypto ipsec sa there, I see all the networks defined in the local and remote networks as active, but in our ASA-2851 setup I don't see this kind of output. I see only two subnets active. After initiating a ping to the remote networks, I can then see the other two networks when I do show crypto ipsec sa. Is this normal? I know that there should be rekeying of the SA, but why are the (local+remote) networks missing when no traffic is passing from the local network?

Please help and advise!

cheers,

reymon

3 Replies

Marcin Latosiewicz
Cisco Employee

Reymon,

L2L IPsec tunnels are always on demand - when no traffic is passing tunnels will not initiate.

In your particular case it's hard to say whether:

1. Tunnel initiation from router subnet to ASA is blocked.

or

2. Traffic inside established tunnel from router subnet to ASA is blocked.

I would first make sure that you have correct SPIs while you're running the test (yes, show crypto ipsec sa). If the SPIs are in place and traffic is passing from ASA to router subnets and not vice versa, then you're running into a problem with something stateful on the way (maybe vpn-filter on ASA?).

Now if you initiate tests from router networks and still see the issue and SPIs are not there, there might be something blocking your IKE traffic, not allowing the router to initiate properly.

In short ... it all depends

Marcin

Hi Marcin,

When I do show crypto ipsec sa on the ASA, I cannot see the local and remote networks on the ASA, but once I ping from the inside network of the ASA to the router side, then I can see them in my show crypto ipsec sa. I already enabled sysopt connection permit-vpn on the ASA, but it is the same.

Below is the debug I captured when there is no traffic passing through the two networks:

Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Pitcher: received key delete msg, spi 0x7a23d721
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, sending delete/delete with reason message
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing blank hash payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing IPSec delete payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing qm hash payload
Jun 05 14:34:20 [IKEv1]: IP = 207.107.203.X, IKE_DECODE SENDING Message (msgid=71d4e9b6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Active unit receives a delete event for remote peer 207.107.203.X.

Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, IKE Deleting SA: Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
IPSEC: Deleted inbound decrypt rule, SPI 0x7A23D721
    Rule ID: 0xB2B3E498
IPSEC: Deleted inbound permit rule, SPI 0x7A23D721
    Rule ID: 0xB3A0ADB0
IPSEC: Deleted inbound tunnel flow rule, SPI 0x7A23D721
    Rule ID: 0xAD7721A8
IPSEC: Deleted inbound VPN context, SPI 0x7A23D721
    VPN handle: 0x00A7D834
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7a23d721
IPSEC: Deleted outbound encrypt rule, SPI 0xCD6A59C3
    Rule ID: 0xB3A78878
IPSEC: Deleted outbound permit rule, SPI 0xCD6A59C3
    Rule ID: 0xB0EE17A0
IPSEC: Deleted outbound VPN context, SPI 0xCD6A59C3
    VPN handle: 0x00A7A294
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xcd6a59c3

Reason: IPSec SA Idle Timeout  Remote Proxy  10.200.18.0, Local Proxy 10.71.0.0 ==> Is this normal?

Thanks,

reymon

Reymon,

The part of the debug you attached is related to the ASA deleting SAs because of vpn-idle-timeout (it seems), which is quite frankly a bit strange for an L2L tunnel:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630720

Can you please share with us (masking IP addresses if you want):

from ASA

--------

sh ver

show run crypto

show run tunnel-g

show run group-p

----------

from router:

--------

show run | s crypto

show crypto map

--------
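The debug excerpt above is the evidence both sides keep coming back to: which proxy pair the ASA tore down, why, and which SPIs disappeared with it. The following is an added example (not code from this thread or from Cisco) that parses those ASA IKEv1/IPSEC debug lines into a summary; the sample input is copied from the excerpt posted above, peer address masked as posted, and the regexes are written against that wording only.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug excerpt in this thread (peer masked as posted).
SAMPLE_DEBUG = """\
Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, IKE Deleting SA: Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
IPSEC: Deleted inbound decrypt rule, SPI 0x7A23D721
IPSEC: Deleted inbound permit rule, SPI 0x7A23D721
IPSEC: Deleted outbound encrypt rule, SPI 0xCD6A59C3
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xcd6a59c3
"""

# "Connection terminated" carries the reason and the proxy identities (the crypto-map networks).
TERMINATED_RE = re.compile(
    r"Connection terminated for peer (?P<peer>\S+)\.\s+Reason: (?P<reason>.+?)\s+"
    r"Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+)")
# "IPSEC: Deleted ..." lines name the SPI being removed per direction.
DELETED_RE = re.compile(r"IPSEC: Deleted (?P<dir>inbound|outbound) .*?SPI (?P<spi>0x[0-9A-Fa-f]+)")
# "received key delete msg" is the IKE-level notification for the same SPI.
KEYDEL_RE = re.compile(r"received key delete msg, spi (?P<spi>0x[0-9A-Fa-f]+)")


def summarize_sa_teardown(text):
    """Return why SAs went away and which SPIs were torn down, from ASA debug text."""
    summary = {"terminations": [], "deleted_spis": defaultdict(set), "key_deletes": set()}
    for line in text.splitlines():
        if (m := TERMINATED_RE.search(line)):
            summary["terminations"].append(
                {"peer": m["peer"], "reason": m["reason"].strip(),
                 "local": m["local"], "remote": m["remote"]})
        elif (m := DELETED_RE.search(line)):
            summary["deleted_spis"][m["dir"]].add(m["spi"].lower())
        elif (m := KEYDEL_RE.search(line)):
            summary["key_deletes"].add(m["spi"].lower())
    return summary


def idle_timeout_proxies(summary):
    """(local, remote) proxy pairs dropped for idle timeout, i.e. where no traffic was flowing."""
    return sorted((t["local"], t["remote"]) for t in summary["terminations"]
                  if "Idle Timeout" in t["reason"])


if __name__ == "__main__":
    s = summarize_sa_teardown(SAMPLE_DEBUG)
    print("idle-timeout proxies:", idle_timeout_proxies(s))
    print("deleted SPIs:", dict(s["deleted_spis"]), "key deletes:", s["key_deletes"])
```

Running it over a longer debug capture shows whether every teardown is an idle timeout on the same proxy pair (the "no traffic from the remote side" picture in this thread) or whether other reasons appear that point at the IKE path instead.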