asa5505 site to site vpn question

Unanswered Question
Feb 3rd, 2011

I have an ASA sitting behind a DSL modem. The ASA gets its outside address from the DSL modem through DHCP.

Set for NAT traversal with the crypto isakmp nat-traversal command. Set the keepalive to 300 seconds.

The isakmp debug shows me it's getting the peer shared key from the central site, but it keeps queuing the message for processing and never brings up the tunnel; it just seems stuck in phase 1. Everything seems correct.

I have re-entered the pre-shared-key and cleared the SAs afterwards, and am still getting the same response.

Anybody know something I should check?

kcraycraft Thu, 02/03/2011 - 12:42

I will see what it shows in the morning. I have the unit it was going to replace handling traffic for right now.

Is there much of a difference between level 60 and level 128 that is seen in the messages?

kcraycraft Fri, 02/04/2011 - 06:16

Here is the debug information:

Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

Feb 03 23:53:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 03 23:53:37 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

~lines removed to make this brief~

Feb 03 23:53:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 03 23:53:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE MM Initiator FSM error history (struct &0xc9ee0bb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE SA MM:18349a95 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, sending delete/delete with reason message

Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Removing peer from peer table failed, no match!

Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Error: Unable to remove PeerTblEntry

Feb 03 23:53:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 172.168.16.25 local Proxy Address 192.168.3.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)

Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing ISAKMP SA payload

Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver 02 payload

Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver 03 payload

Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver RFC payload

Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing Fragmentation VID + extended capabilities payload

Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

Any ideas on what is going on with this?

Feb 03 23:53:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
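A small parser for the ASA IKEv1 debug lines quoted above, added here as an example and not part of the thread: it pulls out the main-mode state in which the initiator FSM gave up and counts MSG1 transmissions against replies, which is the first thing to read off a stalled phase 1 debug. The state hints and the "IKE_DECODE RECEIVED" pattern are the editor's assumptions, and the sample lines are shortened copies of the ones posted.

```python
import re
from typing import Optional

# Constructed sample: shortened copies of the "debug crypto isakmp" lines quoted in the thread.
SAMPLE_DEBUG = """\
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE MM Initiator FSM error history (struct &0xc9ee0bb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE SA MM:18349a95 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
"""

# What a main-mode initiator stuck in each wait state usually indicates (editor's interpretation).
STATE_HINTS = {
    "MM_WAIT_MSG2": "MSG1 sent but no reply: peer address, UDP/500 path, or peer has no matching tunnel/peer entry",
    "MM_WAIT_MSG4": "no DH reply: ISAKMP policy (encryption/hash/DH group) likely mismatched",
    "MM_WAIT_MSG6": "authentication stalled: pre-shared key or identity mismatch",
}

FSM_RE = re.compile(r"IP = (?P<peer>[\d.]+), IKE MM Initiator FSM error history .*?: (?P<history>.*)$")
# "RECEIVED" is assumed to be logged in the same shape as SENDING/RESENDING; only the latter appear on the page.
DECODE_RE = re.compile(r"IP = (?P<peer>[\d.]+), IKE_DECODE (?P<dir>SENDING|RESENDING|RECEIVED) Message \(msgid=0\)")

def stuck_state(history: str) -> Optional[str]:
    """The history is newest-first; the state attached to EV_ERROR is where the FSM gave up."""
    m = re.search(r"EV_ERROR-->(\w+)", history)
    return m.group(1) if m else None

def diagnose(debug_text: str) -> dict:
    """Summarise one phase-1 attempt: peer, final wait state, hint, and MSG1 send/receive counts."""
    result = {"peer": None, "stuck_state": None, "hint": None, "msg1_sent": 0, "msg1_received": 0}
    for line in debug_text.splitlines():
        m = DECODE_RE.search(line)
        if m:
            result["peer"] = m.group("peer")
            key = "msg1_received" if m.group("dir") == "RECEIVED" else "msg1_sent"
            result[key] += 1
            continue
        m = FSM_RE.search(line)
        if m:
            result["peer"] = m.group("peer")
            result["stuck_state"] = stuck_state(m.group("history"))
            result["hint"] = STATE_HINTS.get(result["stuck_state"], "unrecognised state")
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```

Two transmissions of MSG1 and no reply, with the FSM dying in MM_WAIT_MSG2, says the peer never answered at all, so the policy and PSK on the ASA are not yet in play.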

andamani Fri, 02/04/2011 - 06:36

Hi Keith,

Seems like your phase 2 is not coming up.

Could you please paste the output of "sh run cry" from both ends of the tunnel?

Regards,

Anisha

kcraycraft Fri, 02/04/2011 - 07:33

Hi Anisha,

Here is the config information; I have included the access-list and tunnel groups.

nat-traversal is enabled with a keepalive of 20 seconds.

!
access-list outside_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.168.16.25
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
tunnel-group 172.168.16.25 type ipsec-l2l
tunnel-group 172.168.16.25 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

Thanks,

Keith

kcraycraft Fri, 02/04/2011 - 07:40

Other end of tunnel:

IPSEC Keying Mode:          IKE using Preshared Secret
name:                       OH
IPSEC primary gateway name  172.168.17.25
       secondary gateway    0.0.0.0
       shared secret        *
destination                 192.168.3.1  255.255.255.0

IKE(phase1)
  exchange:        main mode
  DH group:        group 2
  encryption:      3des
  authentication:  SHA1
  lifetime:        28800

IPSEC(phase2)
  protocol:        ESP
  encryption:      3des
  authentication:  SHA1
  Lifetime:        28800
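A check that the two configurations posted above agree on their phase 1 and phase 2 proposals, and that the ASA's ipsec-l2l tunnel-group is named after its crypto map peer (the ASA looks the pre-shared key up by that name). This is an added example, not from the thread; the ASA text is a trimmed copy of the posted config, and the non-Cisco side is re-keyed by hand into name/value pairs because its listing is free-form.

```python
# Constructed copies of the two configurations posted in the thread: the ASA side trimmed
# to the crypto lines, the remote non-Cisco side re-keyed as name/value pairs.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 set peer 172.168.16.25
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group 172.168.16.25 type ipsec-l2l
"""
REMOTE_SIDE = {"p1_encryption": "3des", "p1_hash": "sha", "p1_group": "2",
               "p1_lifetime": "28800", "p2_encryption": "3des", "p2_hash": "sha"}

# ASA transform-set keywords mapped onto the neutral names used for the remote side.
ESP_NAMES = {"esp-3des": ("p2_encryption", "3des"), "esp-aes": ("p2_encryption", "aes"),
             "esp-des": ("p2_encryption", "des"), "esp-sha-hmac": ("p2_hash", "sha"),
             "esp-md5-hmac": ("p2_hash", "md5")}

def parse_asa(config: str) -> dict:
    """Extract phase-1 policy, phase-2 transform, peers and tunnel-group names from ASA crypto config."""
    p = {"tunnel_groups": set(), "peers": set(), "transform_sets": {}}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            p["peers"].add(t[-1])
        elif t[:2] == ["crypto", "map"] and "transform-set" in t:
            p["p2_set"] = t[-1]
        elif t and t[0] in ("encryption", "hash", "group", "lifetime"):
            p["p1_" + t[0]] = t[1]  # sub-commands of 'crypto isakmp policy N'
        elif t and t[0] == "tunnel-group":
            p["tunnel_groups"].add(t[1])
    for keyword in p["transform_sets"].get(p.get("p2_set"), []):
        if keyword in ESP_NAMES:
            key, value = ESP_NAMES[keyword]
            p[key] = value
    return p

def compare(asa: dict, remote: dict) -> list:
    """List mismatches; an empty list means proposals and peer/tunnel-group naming agree."""
    problems = [f"{k}: ASA={asa.get(k)} remote={v}" for k, v in remote.items() if asa.get(k) != v]
    # An ipsec-l2l tunnel-group is looked up by the peer address, so the names must match exactly.
    for peer in sorted(asa["peers"] - asa["tunnel_groups"]):
        problems.append(f"peer {peer} has no tunnel-group of the same name")
    return problems
```

Running compare(parse_asa(ASA_CONFIG), REMOTE_SIDE) on the posted values returns no mismatches, which is consistent with the debug never getting past the first main-mode message: the proposals are not what is being rejected.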

andamani Fri, 02/04/2011 - 08:10

Hi Keith,

The phase two configuration seems the same to me.

I noticed one thing though. The peer IP defined in the ASA config is 172.168.16.25 while the other end of the tunnel mentions "IPSEC primary gateway name   172.168.17.25".

Are you sure the peer IP is defined correctly?

Also please enable the following debugs and let me know the outputs:

debug cry isa 255

debug cry ips 255

Initiate the traffic and post the debugs.

Regards,

Anisha

kcraycraft Fri, 02/04/2011 - 08:24

Hi Anisha,

I mistyped the one address, trying not to give out what the real address is.

I will grab the debug information requested, and post it.

Thank you,

Keith

kcraycraft Fri, 02/11/2011 - 07:38

Been working on another project, so it's taken some time before I could post this.

This ASA is replacing an older non-Cisco firewall, so I can run on the other firewall until I can get this issue resolved.

The attached file is a capture of the debug from debug crypto isakmp 255 and debug crypto ipsec 255.

This unit sits behind a slipstream 5400 series DSL modem and is configured to get the outside address via DHCP.

I know traffic is going across; I just cannot figure out why the tunnel will not come up.

Posted February 3, 2011 at 12:11 PM