09-20-2010 05:51 AM
Greetings.
I've configured an L2L connection between our 5505 and 5510 but it won't come up after configuration and trying to ping.
I have attached both configurations.
Did I miss something?
09-20-2010 07:33 AM
Felix,
is the tunnel establishing?
debug crypto isakmp 100
debug crypto ipsec 100
If you could get those two, from both sides at the same time, please ;-)
Marcin
09-20-2010 07:40 AM
Those aren't giving output after I turn them on and ping to the LAN address on the other side.
The weird thing is that I setup a capture and it's showing that the NAT isn't happening and the traffic is being sent out of the WAN interface.
09-20-2010 07:48 AM
Felix,
Are you sure that it didn't populate the buffer with logs?
In this case it's not starting the tunnel at all ... where are you pinging from and what destination?
nat (lan,wan) source static LAN LAN destination static Head_Office Head_Office
works essentially like nat exemption in pre-8.3 NAT.
Marcin
09-20-2010 07:53 AM
I just checked the buffer logs but there's nothing there for the tunnel.
In my reading, I found that for the new NAT exemptions. I'm surprised that the packets are being sent to the WAN interface even though it's configured.
09-20-2010 07:59 AM
Felix,
Try to initiate on the other side.
Isakmp is enabled on interfaces, provided that the IP addresses are correct and IP addresses are matching actual IPs used we should see the tunnel coming up.
If the tunnel doesn't start for any reason check logs for both tested IP addresses. sh logg | i IP_ADDR
Marcin
09-20-2010 08:43 AM
Still no dice.
The IP addresses are correct, I just double-checked them.
The logs aren't giving any hints that an attempt is being made to bring up the tunnel nor am I getting any debug output.
09-20-2010 08:57 AM
Felix,
Would you be able to open a TAC case for this?
I don't see any mistake in config but I might have missed something.
Clearly packets matching a correctly configured IPsec tunnel should not be leaked out in the clear.
It's either something stupid that neither of us can see or a bug ;-)
If you cannot open TAC cases please reload both the boxes - but I find it strange that on both the tunnel does not start - possibly an interaction with PPPoE config on 8.3...?
Marcin
09-20-2010 09:11 AM
Thanks a lot for your help so far.
I'm just stumped. If I get nowhere with it by the end of the day, I'll get a TAC case opened and see if they can help me resolve it.
Once again, I really appreciate your help on the matter.
09-20-2010 09:20 AM
Felix,
Once you have it open, please post the number; I would be interested to track this one.
Marcin
09-20-2010 09:35 AM
Sure. I'll do that. No problem at all.
I just did a reconfiguration of the tunnels and here's the log after doing that.
Edit: Too condensed. I'll re-post it for more space.
09-21-2010 08:55 AM
TAC request opened.
Here is the number as requested:
615513533
09-20-2010 09:36 AM
ASA02(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 364 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 206 messages logged
37.95/21261 to wan:72.22.139.92/60860
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set peer 216.110.121.71' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set peer 216.110.121.71'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinatesdead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set transform-set ESP-AES256-SHA' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set transform-set ESP-AES256-SHA'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinatesdead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho interface wan' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho interface wan'
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314
%ASA-6-302015: Built outbound UDP connection 8 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2144 (72.22.139.92/9314)
%ASA-6-302016: Teardown UDP connection 8 for wan:4.2.2.2/53 to lan:192.168.21.100/2144 duration 0:00:00 bytes 173
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00
%ASA-6-305012: Teardown dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314 duration 0:00:30
%ASA-7-609002: Teardown local-host lan:192.168.21.100 duration 0:00:30
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-5-111008: User 'enable_15' executed the 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto isakmp 175'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ipsec 175'
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2145 to wan:72.22.139.92/50876
%ASA-6-302015: Built outbound UDP connection 11 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2145 (72.22.139.92/50876)
%ASA-6-302016: Teardown UDP connection 11 for wan:4.2.2.2/53 to lan:192.168.21.100/2145 duration 0:00:00 bytes 143
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00
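The log above can be read mechanically: a `302020`/`302015` line whose `gaddr` differs from its `laddr` means the source was translated before crypto processing, and a flow toward the far-side subnet with no `713xxx` IKE negotiation message around it means the crypto map was never triggered. The following script is an added example, not code from the thread or from Cisco: it parses constructed sample lines shaped like the post's syslog output (addresses taken from the post, flows made up) and reports, per flow, whether the source could have matched a LAN-to-Head_Office crypto ACL. The `/24` prefix lengths for LAN and Head_Office, the pinging host `192.168.21.100`, and the set of IKE message IDs treated as "negotiation" are assumptions.

```python
import ipaddress
import re

# Protected networks. The thread's objects are named LAN and Head_Office; the
# prefix lengths are assumptions (the configs were attached, not posted).
LOCAL_NET = ipaddress.ip_network("192.168.21.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.15.0/24")

# Constructed sample lines in the shape of the post's syslog output. Addresses
# come from the post; the individual flows are made up for the demonstration.
SAMPLE_LOG = """\
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 192.168.21.100/1 laddr 192.168.21.100/1
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/1234 laddr 192.168.21.100/1
%ASA-6-302015: Built outbound UDP connection 11 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2145 (72.22.139.92/50876)
%ASA-7-713906: Ignoring msg to mark SA with specified coordinatesdead
"""

# 302020: ICMP built. faddr = far end, laddr = real local source, gaddr = source after NAT.
ICMP_RE = re.compile(r"%ASA-\d-302020: .*faddr (\S+)/\d+ gaddr (\S+)/\d+ laddr (\S+)/\d+")
# 302013/302015: outbound TCP/UDP built, "for <far> (<far mapped>) to <local real> (<local mapped>)".
CONN_RE = re.compile(
    r"%ASA-\d-30201[35]: Built outbound (?:TCP|UDP) connection \d+ for "
    r"\w+:(\S+)/\d+ \(\S+/\d+\) to \w+:(\S+)/\d+ \((\S+)/\d+\)")
# IKE negotiation starting (713041) or completing (713119 phase 1, 713120 phase 2).
# 713906, which the ASA emits while editing a crypto map, is deliberately excluded:
# it is housekeeping, not a negotiation attempt. Adjust the list to taste.
IKE_RE = re.compile(r"%ASA-\d-713(?:041|119|120):")


def classify(laddr, gaddr, faddr, local_net, remote_net):
    """Decide whether a flow toward the remote protected subnet could have
    matched the crypto ACL, judging from the source the ASA logged."""
    if ipaddress.ip_address(faddr) not in remote_net:
        return None  # not VPN-bound, ignore
    if ipaddress.ip_address(laddr) not in local_net:
        # e.g. "ping 192.168.15.250" issued on the ASA without a source interface:
        # it leaves from the wan address, which a LAN->Head_Office crypto ACL never covers.
        return "outside_crypto_acl"
    if laddr == gaddr:
        return "identity_nat"  # NAT exemption held, so the crypto ACL can match
    return "translated"  # source was PATed before crypto; the packet leaves in the clear


def audit_vpn_log(lines, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Return every VPN-bound flow with its disposition plus whether IKE ever ran."""
    flows = []
    ike_activity = False
    for line in lines:
        if IKE_RE.search(line):
            ike_activity = True
            continue
        m = ICMP_RE.search(line)
        if m:
            faddr, gaddr, laddr = m.groups()
        else:
            m = CONN_RE.search(line)
            if not m:
                continue
            faddr, laddr, gaddr = m.groups()
        disposition = classify(laddr, gaddr, faddr, local_net, remote_net)
        if disposition:
            flows.append({"laddr": laddr, "gaddr": gaddr, "faddr": faddr,
                          "disposition": disposition})
    return {"flows": flows, "ike_activity": ike_activity}


def verdict(audit):
    """One-line reading of the audit, in the terms the thread uses."""
    if audit["ike_activity"]:
        return "IKE negotiation seen; tunnel trigger is working"
    if not audit["flows"]:
        return "no traffic toward the remote subnet was logged"
    bad = {f["disposition"] for f in audit["flows"]} - {"identity_nat"}
    if bad:
        return "VPN-bound traffic left without IKE: " + ", ".join(sorted(bad))
    return "identity NAT held but no IKE was logged; check crypto map and isakmp on the interface"


if __name__ == "__main__":
    result = audit_vpn_log(SAMPLE_LOG.splitlines())
    for flow in result["flows"]:
        print(f'{flow["laddr"]} -> {flow["faddr"]} via {flow["gaddr"]}: {flow["disposition"]}')
    print(verdict(result))
```

On a live box the input would be the output of `show logging` with buffer logging at debugging level, as in the post; the `outside_crypto_acl` case is exactly the difference Marcin points at between `ping 192.168.15.250` and `ping lan 192.168.15.250`, and `translated` is the condition the `nat (lan,wan) source static LAN LAN destination static Head_Office Head_Office` line is meant to prevent.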
09-20-2010 09:41 AM
Felix,
You pinging from the ASA itself only? If so can you ping from a device behind too?
I noticed you did "ping 192.168.15.250" and not "ping lan 192.168.15.250"
Marcin
09-21-2010 04:50 AM
Marcin,
I was also pinging from a machine that sits behind the 5505.
I tried the command that you gave me but the tunnel still refuses to come up. Nothing in the logs or from the debug. Weird.
I'll get a TAC case open and post the case no. here as you requested.