VPN from ASA5505 (static IP) and router with dyn IP.

Unanswered Question
Jul 15th, 2010

Hello everybody,

I have to establish a VPN tunnel between an ASA5505 with static IP and a Zyxel router with dynamic IP.
I think I've tried almost everything, but the VPN channel doesn't want to come up.

My ASA conf follows; I hope one of you can find the error:

ASA Version 7.2(4)
hostname ASA-DYN-VPN
domain-name bbb.com
enable password **************** encrypted
passwd **************** encrypted
name Cas
name sh_5555
interface Vlan1
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
interface Vlan2
nameif inside
security-level 100
ip address
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
switchport access vlan 2
interface Ethernet0/4
switchport access vlan 2
interface Ethernet0/5
switchport access vlan 2
interface Ethernet0/6
switchport access vlan 2
interface Ethernet0/7
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
domain-name bbb.com
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip Cas sh_5555
access-list inside_access_in extended deny ip any any
access-list 100 extended permit ip Cas sh_5555
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside xxx.xxx.xxx.xxy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set bnet esp-3des esp-md5-hmac
crypto dynamic-map bdyn 1 set transform-set bnet
crypto map bmap 10 ipsec-isakmp dynamic bdyn
crypto map bmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  3600
telnet Cas inside
telnet timeout 5
console timeout 0

group-policy groupb internal
group-policy groupb attributes
vpn-tunnel-protocol IPSec
default-domain value bbb.local
tunnel-group DefaultL2LGroup general-attributes
default-group-policy groupb
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****************
policy-map type inspect dns preset_dns_map
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
service-policy global_policy global
prompt hostname context
: end

From the Zyxel logs I cannot see phase 1 starting. So I tried removing the VPN from the Zyxel and connecting a Netgear FVS338 in cascade behind it, NATting the public IP address to the latter; then I set up the VPN from the Netgear. The Netgear is giving me some more interesting logs: it says that the hash payload is missing, so phase 1 times out (but actually I don't know what it means!).

Running "show isa sa" on the ASA, I can't see anything happening.

How can I solve this problem?

Many thanks for your help!!!

Best regards.

Todd Pula Thu, 07/15/2010 - 10:48

In this case the ASA is going to be the Responder for the tunnel negotiations.  If interesting traffic on the remote router is triggering the ISAKMP exchange, you will want to verify that these UDP500 packets are being received inbound on the ASA's outside interface.  Make sure that the ASA is configured with the "sysopt connection permit-vpn" command or add the necessary permit rules on your inbound ACL for UDP500, UDP4500, and ESP.  You can enable an IP packet capture for the peer IPs in question on the ASA's outside interface to review the packet flow on the wire.  You could also rely on ACL hit counters.  If you enable ISAKMP and IPSec debugs on the ASA, do you see any output?

BallyITservices Fri, 07/16/2010 - 01:38

Hi Todd,

First of all, thanks for your suggestions.

I've put the "access-list outside_access_in extended permit ip any any" and the "sysopt connection permit-vpn" too, but nothing changed.

Enabling the debug and packet capture can be a problem because I cannot easily access the ASA console port; the ASA is in a nearby branch office, but I cannot go there at any time. Anyway, I've run a "show crypto isakmp stats" and the result follows:

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 35204
In Packets: 142
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 11328
Out Packets: 118
Out Drop Packets: 0
Out Notifys: 118
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 118
System Capacity Fails: 0
Auth Fails: 118
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Is there a way to try something else before physically going on site to see the debug messages and packet capture? Any idea?

Many thanks.
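
Added example, not part of either post and not Cisco tooling: a small parser for "show crypto isakmp stats" output that turns the counters into a first triage when debugs and captures are not reachable. The sample text is a constructed subset of the counters posted above, and the reading of each counter in triage() is a heuristic assumption, not vendor guidance.

```python
import re

# Constructed sample: subset of the "show crypto isakmp stats" counters above.
SAMPLE = """\
Global IKE Statistics
Active Tunnels: 0
In Packets: 142
In Drop Packets: 0
In P2 Exchanges: 0
Out Packets: 118
Out Notifys: 118
Responder Fails: 118
Auth Fails: 118
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
"""

def parse_ike_stats(text):
    """Return {counter name: int} for every 'Name: number' line."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9 ]+?):\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def triage(stats):
    """Heuristic reading of the counters (assumption, not Cisco guidance)."""
    g = lambda k: stats.get(k, 0)
    if g("In Packets") == 0:
        # Nothing arrived: the problem is on the path, not in the IKE policy.
        return ["no IKE packets received: check path/filtering for UDP 500/4500"]
    findings = ["IKE packets are reaching the ASA"]
    if g("In Drop Packets"):
        findings.append("some inbound IKE packets were dropped")
    if g("Active Tunnels") == 0 and g("In P2 Exchanges") == 0:
        findings.append("negotiation never reaches phase 2")
    fails = g("Responder Fails")
    if fails and g("Auth Fails") == fails:
        findings.append("every responder failure is an auth failure: compare "
                        "pre-shared key and peer identity on both ends")
    elif g("Decrypt Fails") or g("Hash Valid Fails"):
        findings.append("decrypt/hash failures: compare encryption and hash settings")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_ike_stats(SAMPLE)):
        print("-", finding)
```

Running the command twice a few minutes apart and comparing the parsed dictionaries shows which counters are still incrementing while the remote peer retries.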
