L2L 5510 - 5505 Won't Come Up

Felix Bowman
Level 1

Greetings.

I've configured an L2L connection between our 5505 and 5510 but it won't come up after configuration and trying to ping.

I have attached both configurations.

Did I miss something?

15 Replies

Marcin Latosiewicz
Cisco Employee

Felix,

is the tunnel establishing?

Deb cry isa 100

deb crypto ipsec 100

If you could get those two, from both sides at the same time,  please ;-)

Marcin

Those aren't giving output after I turn them on and ping to the LAN address on the other side.

The weird thing is that I setup a capture and it's showing that the NAT isn't happening and the traffic is being sent out of the WAN interface.

Felix,

Are you sure that it didn't populate the buffer with logs?

In this case it's not starting the tunnel at all ... where are you pinging from and what destination?

nat (lan,wan) source static LAN LAN destination static Head_Office Head_Office

works essentially like nat exemption in pre-8.3 NAT.

Marcin

Felix Bowman
Level 1

I just checked the buffer logs but there's nothing there for the tunnel.

In my reading, I found that for the new NAT exemptions. I'm surprised that the packets are being sent to the WAN interface even though it's configured.

Felix,

Try to initiate on the other side.

ISAKMP is enabled on the interfaces; provided that the IP addresses are correct and match the actual IPs in use, we should see the tunnel coming up.

If the tunnel doesn't start for any reason check logs for both tested IP addresses. sh logg | i IP_ADDR

Marcin

Still no dice.

The IP addresses are correct, I just double-checked them.

The logs aren't giving any hints that an attempt is being made to bring up the tunnel nor am I getting any debug output.

Felix,

Would you be able to open a TAC case for this?

I don't see any mistake in config but I might have missed something.

Clearly packets matching a correctly configured IPsec tunnel should not be leaked out in clear.

It's either something stupid that neither of us can see or a bug ;-)

If you cannot open TAC cases please reload both the boxes - but I find it strange that on both the tunnel does not start - possibly an interaction with PPPoE config on 8.3...?

Marcin

Thanks a lot for your help so far.

I'm just stumped. If I get nowhere with it by the end of the day, I'll get a TAC case opened and see if they can help me resolve it.

Once again, I really appreciate your help on the matter.

Felix,

Once you have it open, please post the number; I would be interested to track this one.

Marcin

Sure. I'll do that. No problem at all.

I just did a reconfiguration of the tunnels and here's the log after doing that.


Edit: Too condensed. I'll re-post it for more space.

TAC request opened.

Here is the number as requested:

615513533

Felix Bowman
Level 1

ASA02(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 364 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 206 messages logged
37.95/21261 to wan:72.22.139.92/60860
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set peer 216.110.121.71' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set peer 216.110.121.71'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinates dead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho 1 set transform-set ESP-AES256-SHA' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho 1 set transform-set ESP-AES256-SHA'
%ASA-7-713906: Ignoring msg to mark SA with specified coordinates dead
%ASA-5-111008: User 'enable_15' executed the 'crypto map map_ho interface wan' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'crypto map map_ho interface wan'
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314
%ASA-6-302015: Built outbound UDP connection 8 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2144 (72.22.139.92/9314)
%ASA-6-302016: Teardown UDP connection 8 for wan:4.2.2.2/53 to lan:192.168.21.100/2144 duration 0:00:00 bytes 173
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00
%ASA-6-305012: Teardown dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314 duration 0:00:30
%ASA-7-609002: Teardown local-host lan:192.168.21.100 duration 0:00:30
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-5-111008: User 'enable_15' executed the 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'nat lan wan 1 source static LAN LAN destination static Head_Office Head_Office'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto isakmp 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto isakmp 175'
%ASA-5-111008: User 'enable_15' executed the 'debug crypto ipsec 175' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'debug crypto ipsec 175'
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host identity:72.22.139.92
%ASA-7-609001: Built local-host wan:192.168.15.250
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping 192.168.15.250'
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/25886 laddr 72.22.139.92/25886
%ASA-7-609002: Teardown local-host identity:72.22.139.92 duration 0:00:10
%ASA-7-609002: Teardown local-host wan:192.168.15.250 duration 0:00:10
%ASA-7-609001: Built local-host lan:192.168.21.100
%ASA-7-609001: Built local-host wan:4.2.2.2
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2145 to wan:72.22.139.92/50876
%ASA-6-302015: Built outbound UDP connection 11 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2145 (72.22.139.92/50876)
%ASA-6-302016: Teardown UDP connection 11 for wan:4.2.2.2/53 to lan:192.168.21.100/2145 duration 0:00:00 bytes 143
%ASA-7-609002: Teardown local-host wan:4.2.2.2 duration 0:00:00

Felix,

You pinging from the ASA itself only? If so can you ping from a device behind too?

I noticed you did "ping 192.168.15.250" and not "ping lan 192.168.15.250"

Marcin
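Added example, not part of the thread and not a Cisco tool: a small Python triage script that runs Marcin's checks over the buffer log Felix posted. It counts IKE/IPsec negotiation messages (713xxx/602xxx), confirms whether the 8.3-style identity NAT is installed (305009), and, for every connection built towards the head-office LAN, explains why it could not have matched the crypto ACL. Assumptions: the local LAN is 192.168.21.0/24 (taken from the static translation line), the head-office LAN is 192.168.15.0/24 (taken from the ping target), and 713906 is treated as configuration noise because the log shows it only after crypto map edits.

```python
"""Triage the ASA buffer log from this thread (added example, assumptions noted inline).

Questions answered, matching the advice given in the thread:
  1. Is there any IKE/IPsec negotiation activity at all?
  2. Is the identity NAT (8.3-style exemption) actually installed?
  3. Did test traffic towards the remote LAN leave in the clear, and why?
"""
import ipaddress
import re

# Constructed sample: a subset of the syslog lines posted above, unchanged.
SAMPLE_LOG = """\
%ASA-7-713906: Ignoring msg to mark SA with specified coordinates dead
%ASA-6-305011: Built dynamic UDP translation from lan:192.168.21.100/2144 to wan:72.22.139.92/9314
%ASA-6-302015: Built outbound UDP connection 8 for wan:4.2.2.2/53 (4.2.2.2/53) to lan:192.168.21.100/2144 (72.22.139.92/9314)
%ASA-6-305009: Built static translation from lan:192.168.21.0 to wan:192.168.21.0
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 gaddr 72.22.139.92/50592 laddr 72.22.139.92/50592
%ASA-5-111008: User 'enable_15' executed the 'ping 192.168.15.250' command.
"""

# Constructed line (not from the thread): an inside host whose source was PATed,
# i.e. the exemption rule did not match its traffic.
CONSTRUCTED_PAT_LINE = (
    "%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.15.250/0 "
    "gaddr 72.22.139.92/1 laddr 192.168.21.100/1"
)

LINE_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 302020: faddr = foreign (destination), gaddr = mapped source, laddr = real source.
ICMP_RE = re.compile(
    r"Built outbound ICMP connection for faddr (?P<dst>[\d.]+)/\d+ "
    r"gaddr (?P<src_mapped>[\d.]+)/\d+ laddr (?P<src_real>[\d.]+)/\d+"
)
# 302013/302015 outbound: first tuple is the destination, second is real (mapped) source.
TCPUDP_RE = re.compile(
    r"Built outbound (?:TCP|UDP) connection \d+ for \w+:(?P<dst>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to \w+:(?P<src_real>[\d.]+)/\d+ \((?P<src_mapped>[\d.]+)/\d+\)"
)
STATIC_RE = re.compile(r"Built static translation from \w+:(?P<real>[\d.]+) to \w+:(?P<mapped>[\d.]+)")


def triage(log_text, local_lan="192.168.21.0/24", remote_lan="192.168.15.0/24"):
    """Return a report dict; both subnets are assumptions derived from the posted log."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    report = {"ike_messages": 0, "exemption_installed": False, "cleartext": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # truncated or non-syslog line, skip
        msgid, text = m["msgid"], m["text"]
        # 713xxx = ISAKMP/IKE, 602xxx = IPsec SA events; 713906 only followed
        # crypto map edits in the posted log, so it is not counted as negotiation.
        if msgid[:3] in ("713", "602") and msgid != "713906":
            report["ike_messages"] += 1
            continue
        if msgid == "305009":
            s = STATIC_RE.search(text)
            # real == mapped for the inside subnet is the identity NAT the exemption relies on
            if s and s["real"] == s["mapped"] and ipaddress.ip_address(s["real"]) in local:
                report["exemption_installed"] = True
            continue
        c = ICMP_RE.search(text) or TCPUDP_RE.search(text)
        if not c:
            continue
        dst = ipaddress.ip_address(c["dst"])
        if dst not in remote:
            continue  # ordinary internet traffic, expected to be PATed
        src_real = ipaddress.ip_address(c["src_real"])
        src_mapped = ipaddress.ip_address(c["src_mapped"])
        if src_real not in local:
            reason = (f"source {src_real} is outside {local}; the crypto ACL cannot match "
                      f"(ping sourced from the ASA interface rather than 'ping lan ...')")
        elif src_mapped != src_real:
            reason = f"source translated {src_real} -> {src_mapped}; NAT exemption did not match"
        else:
            reason = "source and destination fit the crypto ACL but the packet still left in clear; escalate"
        report["cleartext"].append({"dst": str(dst), "src": str(src_real), "reason": reason})
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted lines, the report shows zero IKE messages, the identity NAT present, and one cleartext ICMP flow whose source is the WAN address, which is exactly the "ping lan" point made above.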

Marcin,

I was also pinging from a machine that sits behind the 5505.

I tried the command that you gave me but the tunnel still refuses to come up. Nothing in the logs or from the debug. Weird.

I'll get a TAC case open and post the case no. here as you requested.
