Marcin Latosiewicz Mon, 09/20/2010 - 07:33

Felix,

is the tunnel establishing?

Deb cry isa 100

deb crypto ipsec 100

If you could get those two, from both sides at the same time, please ;-)

Marcin

Felix Bowman Mon, 09/20/2010 - 07:40

Those aren't giving output after I turn them on and ping to the LAN address on the other side.

The weird thing is that I setup a capture and it's showing that the NAT isn't happening and the traffic is being sent out of the WAN interface.

Marcin Latosiewicz Mon, 09/20/2010 - 07:48

Felix,

Are you sure that it didn't populate the buffer with logs?

In this case it's not starting the tunnel at all ... where are you pinging from and what destination?

nat (lan,wan) source static LAN LAN destination static Head_Office Head_Office

works essentially like nat exemption in pre-8.3 NAT.

Marcin

Felix Bowman Mon, 09/20/2010 - 07:53

I just checked the buffer logs but there's nothing there for the tunnel.

In my reading, I found that for the new NAT exemptions. I'm surprised that the packets are being sent to the WAN interface even though it's configured.

Marcin Latosiewicz Mon, 09/20/2010 - 07:59

Felix,

Try to initiate on the other side.

Isakmp is enabled on interfaces, provided that the IP addresses are correct and IP addresses are matching actual IPs used we should see the tunnel coming up.

If the tunnel doesn't start for any reason check logs for both tested IP addresses. sh logg | i IP_ADDR

Marcin

Felix Bowman Mon, 09/20/2010 - 08:43

Still no dice.

The IP addresses are correct, I just double-checked them.

The logs aren't giving any hints that an attempt is being made to bring up the tunnel nor am I getting any debug output.

Marcin Latosiewicz Mon, 09/20/2010 - 08:57

Felix,

Would you be able to open a TAC case for this?

I don't see any mistake in config but I might have missed something.

Clearly packets matching a correctly configured IPsec tunnel should not be leaked out in the clear.

It's either something stupid that neither of us can see or a bug ;-)

If you cannot open TAC cases please reload both the boxes - but I find it strange that on both the tunnel does not start - possibly an interaction with PPPoE config on 8.3...?

Marcin

Felix Bowman Mon, 09/20/2010 - 09:11

Thanks a lot for your help so far.

I'm just stumped. If I get nowhere with it by the end of the day, I'll get a TAC case opened and see if they can help me resolve it.

Once again, I really appreciate your help on the matter.

Marcin Latosiewicz Mon, 09/20/2010 - 09:20

Felix,

Once you have it open, please post the number; I would be interested to track this one.

Marcin

Felix Bowman Mon, 09/20/2010 - 09:35

Sure. I'll do that. No problem at all.

I just did a reconfiguration of the tunnels and here's the log after doing that.


Edit: Too condensed. I'll re-post it for more space.

Felix Bowman Mon, 09/20/2010 - 09:36

ASA02(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 364 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 206 messages logged
37.95/21261 to wan:72.22.139.92/60860
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set peer 216.110.121.71' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set peer 216.110.121.71'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinates dead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set transform-set ESP-AES256-SHA' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set transform-set ESP-AES256-SHA'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinates dead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho interface wan' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho interface wan'
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314
%ASA-6-302015: Built outbound UDP connection 8 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2144 (72.22.139.92/9314)
%ASA-6-302016: Teardown UDP connection 8 for wan:4.2.2.2/53 to lan:192.168.21.100/2144 duration 0:00:00 bytes 173
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00
%ASA-6-305012: Teardown dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314 duration 0:00:30
%ASA-7-609002: Teardown local-host lan:192.168.21.100 duration 0:00:30
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-5-111008: User 'enable_15' executed the 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto isakmp 175'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ipsec 175'
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2145 to wan:72.22.139.92/50876
%ASA-6-302015: Built outbound UDP connection 11 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2145 (72.22.139.92/50876)
%ASA-6-302016: Teardown UDP connection 11 for wan:4.2.2.2/53 to lan:192.168.21.100/2145 duration 0:00:00 bytes 143
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00

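The buffer above shows outbound connections being built on wan to 192.168.15.250 with no IKE or IPsec messages anywhere near them, which is exactly the "leaked out in the clear" situation Marcin describes. As an added example (my own code, not from this thread or from Cisco), here is a small Python triage script that parses ASA syslog lines of this shape and flags outbound connections to a protected subnet when no IKE/IPsec completion message has been logged. The sample lines are copied from the post above; the remote subnet 192.168.15.0/24 and the message IDs 713119, 713120 and 602303 used as "tunnel up" markers are my assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: a subset of the syslog lines posted in the thread.
# A line without the %ASA-<sev>-<msgid> header (like the truncated first
# line of the post) is simply skipped by the parser.
SAMPLE_LOG = """\
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2145 to wan:72.22.139.92/50876
%ASA-6-302015: Built outbound UDP connection 11 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2145 (72.22.139.92/50876)
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# Destination of a built connection: "faddr A.B.C.D/port" (ICMP, 302020)
# or "for <ifc>:A.B.C.D/port" (TCP/UDP, 302013/302015).
FADDR_RE = re.compile(r"(?:faddr |for \w+:)(?P<ip>\d+\.\d+\.\d+\.\d+)/\d+")

# Message IDs taken as evidence that IKE/IPsec actually ran (assumed set):
# 713119 = PHASE 1 COMPLETED, 713120 = PHASE 2 COMPLETED,
# 602303 = outbound SA created.
TUNNEL_MSGIDS = {"713119", "713120", "602303"}
# "Built outbound ... connection" messages for TCP, UDP and ICMP.
BUILT_OUTBOUND_MSGIDS = {"302013", "302015", "302020"}


def parse(log_text):
    """Yield (severity, msgid, text) for every well-formed ASA syslog line."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            events.append((int(m.group("sev")), m.group("msgid"), m.group("text")))
    return events


def find_cleartext_leaks(log_text, protected_net):
    """Destination IPs inside protected_net for which an outbound connection
    was built while the log contains no IKE/IPsec completion message.
    Returns [] when a tunnel-up marker is present (traffic may be encrypted)."""
    net = ipaddress.ip_network(protected_net)
    events = parse(log_text)
    tunnel_up = any(msgid in TUNNEL_MSGIDS for _, msgid, _ in events)
    leaks = set()
    for _, msgid, text in events:
        if msgid not in BUILT_OUTBOUND_MSGIDS:
            continue
        m = FADDR_RE.search(text)
        if m and ipaddress.ip_address(m.group("ip")) in net:
            leaks.add(m.group("ip"))
    return [] if tunnel_up else sorted(leaks)


def msgid_histogram(log_text):
    """Count of each message ID; a quick way to see what the buffer holds."""
    return Counter(msgid for _, msgid, _ in parse(log_text))


if __name__ == "__main__":
    print(msgid_histogram(SAMPLE_LOG))
    print("to protected subnet without IKE:", find_cleartext_leaks(SAMPLE_LOG, "192.168.15.0/24"))
```

Run against the sample, the script reports 192.168.15.250 as reached in the clear. Note that this particular hit comes from the ASA's own ping sourced from the wan address, which is not in the LAN-to-Head_Office crypto ACL to begin with (hence Marcin's "ping lan ..." remark); the interesting hits are 302013/302015/302020 lines whose source is a host behind the firewall.
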
Marcin Latosiewicz Mon, 09/20/2010 - 09:41

Felix,

You pinging from the ASA itself only? If so can you ping from a device behind too?

I noticed you did "ping 192.168.15.250" and not "ping lan 192.168.15.250"

Marcin

Felix Bowman Tue, 09/21/2010 - 04:50

Marcin,

I was also pinging from a machine that sits behind the 5505.

I tried the command that you gave me by the tunnel still refuses to come up. Nothing in the logs or from the debug. Weird.

I'll get a TAC case open and post the case no. here as you requested.

hdashnau Tue, 09/21/2010 - 12:56

Please move this NAT statement to the top of the list on the 5505:

conf t

no nat (lan,wan) source static LAN LAN destination static Head_Office Head_Office

nat (lan,wan) 1 source static LAN LAN destination static Head_Office Head_Office

Please move this NAT statement to the top of the list on the 5510:

no nat (lan,wan) source static LAN LAN destination static UI_Office UI_Office

nat (lan,wan) 1 source static LAN LAN destination static UI_Office UI_Office

-heather
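
Heather's fix is about rule order: section 1 of the 8.3 NAT table is walked top down and the first rule whose real source and real destination both match wins, so an exemption that sits below a broader rule for the same source never fires, the packet leaves translated, and the translated packet no longer matches the crypto ACL. The following Python model of that first-match lookup is an added example of mine, not code from this thread or from Cisco; the LAN subnet 192.168.21.0/24 is taken from the log, while Head_Office = 192.168.15.0/24, the "translate all LAN traffic" rule and the crypto ACL are constructed for the illustration, and sections 2 and 3 of the NAT table are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class TwiceNatRule:
    """Simplified ASA 8.3 manual (twice) NAT rule: match on real source and
    real destination, then rewrite the source. mapped_src == "identity"
    models 'source static X X', i.e. the NAT exemption (no change)."""
    name: str
    real_src: str
    real_dst: str
    mapped_src: str


def translate_src(rules: List[TwiceNatRule], src: str, dst: str) -> str:
    """Post-NAT source address for a src->dst packet. Rules are tried in
    table order and the first match wins; no match leaves the source as is."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule.real_src) and d in ipaddress.ip_network(rule.real_dst):
            return src if rule.mapped_src == "identity" else rule.mapped_src
    return src


def matches_crypto_acl(src_after_nat: str, dst: str, local_net: str, remote_net: str) -> bool:
    """Crypto map ACL 'permit ip LAN Head_Office', evaluated on the packet
    after NAT, which is the order the ASA applies them for outbound traffic."""
    return (ipaddress.ip_address(src_after_nat) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net))


# Constructed objects: LAN is the 5505's inside subnet seen in the log;
# Head_Office and the wan address are assumed for the example.
LAN = "192.168.21.0/24"
HEAD_OFFICE = "192.168.15.0/24"
WAN_IP = "72.22.139.92"

EXEMPT = TwiceNatRule("source static LAN LAN destination static Head_Office Head_Office",
                      LAN, HEAD_OFFICE, "identity")
PAT_ALL = TwiceNatRule("hypothetical broader rule translating all LAN traffic to the wan address",
                       LAN, "0.0.0.0/0", WAN_IP)


def reaches_tunnel(rules: List[TwiceNatRule], src: str = "192.168.21.100",
                   dst: str = "192.168.15.250") -> bool:
    """Does a LAN host's packet to Head_Office still match the crypto ACL after NAT?"""
    return matches_crypto_acl(translate_src(rules, src, dst), dst, LAN, HEAD_OFFICE)


if __name__ == "__main__":
    for order in ([PAT_ALL, EXEMPT], [EXEMPT, PAT_ALL]):
        print([r.name for r in order], "->", reaches_tunnel(order))
```

With the exemption second the LAN host is rewritten to the wan address and the crypto ACL never sees it; with the exemption at position 1 the source stays 192.168.21.100 and the packet is handed to IPsec. On the box itself the ordered table and its hit counters are shown by `show nat`, and `packet-tracer input lan icmp 192.168.21.100 8 0 192.168.15.250` walks a synthetic packet through the NAT and VPN phases so you can see which rule it hit before the crypto map is consulted.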
