VPN site-to-site between ASA and Router issues (Cert Auth with another Router acting as PKI Server)

Unanswered Question
Oct 1st, 2010


Hi Guys,


Has anybody done a site-to-site VPN between an ASA and a router with certificate authentication, using another router acting as the PKI server?



In my case:




                          R4 (NTP/PKI Servers)
                           |
                         (dmz)
                           |
|-----R1------- (inside) ASA (outside) --------R3-------R2----|



Tested:


  1. NTP is synchronized on all routers and the ASA.
  2. The authenticate/enroll process has been done and the certificates were obtained.
  3. The site-to-site VPN between R2 and R3 works fine with certificate authentication.
  4. The ISAKMP policy and IPsec transform-set are the same on all routers and the ASA.
  5. Routing between the routers and the ASA is OK.


I had an issue with the VPN traffic between the ASA and R3 and I didn't know why:


  1. The certificate was successfully validated between the ASA and R3, but Phase 1 is not completed ... and I saw a traceback on the ASA:


%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413


Has anybody done this before? Please let me know.

Regards,

Tran

Herbert Baerten (Cisco Employee) Mon, 10/04/2010 - 12:21

Hi,


Could you please attach a (sanitized) config of both the ASA and the router, as well as "show crypto pki cert" from both, and the output of the following debugs:

  debug crypto isakmp (on router)

  debug crypto isakmp 100 (on ASA)


(please enable the debugs at the same time, and leave them running long enough to capture the whole phase 1).


Herbert
