02-03-2011 12:11 PM
I have an ASA sitting behind a DSL modem. The ASA gets its outside address from the DSL modem through DHCP.
Set for NAT traversal with the crypto isakmp nat-traversal command. Set the keepalive to 300 seconds.
The isakmp debug shows me it's getting the peer shared key from the central site, but it keeps queuing the message for processing and never brings up the tunnel; it just seems stuck in phase 1. Everything seems correct.
I have re-entered the pre-shared key and cleared the SAs afterwards, and am still getting the same response.
Anybody know something I should check?
02-03-2011 12:30 PM
Everyone would like to see:
debug crypto isakmp 128
Manish
02-03-2011 12:42 PM
I will see what it shows in the morning. I have the unit it was going to replace handling traffic right now.
Is there much of a difference between level 60 and level 128 that is seen in the messages?
02-04-2011 06:16 AM
Here is the debug information:
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 03 23:53:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 03 23:53:37 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
~lines removed to make this brief~
Feb 03 23:53:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 03 23:53:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE MM Initiator FSM error history (struct &0xc9ee0bb0)
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE SA MM:18349a95 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, sending delete/delete with reason message
Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Removing peer from peer table failed, no match!
Feb 03 23:53:44 [IKEv1]: IP = 172.168.16.25, Error: Unable to remove PeerTblEntry
Feb 03 23:53:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 172.168.16.25 local Proxy Address 192.168.3.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing ISAKMP SA payload
Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver 02 payload
Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver 03 payload
Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing NAT-Traversal VID ver RFC payload
Feb 03 23:53:45 [IKEv1 DEBUG]: IP = 172.168.16.25, constructing Fragmentation VID + extended capabilities payload
Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 03 23:53:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Any ideas on what is going on with this?
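The debug above shows the ASA sending main-mode message 1 (HDR + SA + VENDOR payloads), resending it, then tearing the phase 1 SA down with an FSM error, with no received message from the peer in between. The following is an added example (not from this thread or from Cisco) that parses that style of `debug crypto isakmp` output and classifies why phase 1 is stuck; the sample lines are constructed from the ones posted here.

```python
"""Triage ASA 'debug crypto isakmp' output for an IKEv1 main-mode initiator."""
import re
from collections import Counter

# Constructed sample, modelled on the lines Keith posted above.
SAMPLE_DEBUG = """\
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 03 23:53:36 [IKEv1]: IP = 172.168.16.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE MM Initiator FSM error history (struct &0xc9ee0bb0)
Feb 03 23:53:44 [IKEv1 DEBUG]: IP = 172.168.16.25, IKE SA MM:18349a95 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 03 23:53:45 [IKEv1]: IP = 172.168.16.25, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
"""
LINE_RE = re.compile(
    r"^\w{3} \d\d [\d:]+ \[[^\]]+\]: (?:IP = (?P<peer>[\d.]+), )?(?P<msg>.*)$")

MARKERS = [  # first matching substring wins
    ("IKE_DECODE RECEIVED", "received"),     # any reply at all from the peer
    ("IKE_DECODE RESENDING", "retransmit"),  # our MM1 was not answered in time
    ("IKE_DECODE SENDING", "sent"),
    ("FSM error history", "p1_abort"),
    ("terminating:", "p1_abort"),
    ("Queuing KEY-ACQUIRE", "queued_acquire"),
]

def triage(debug_text):
    """Count IKE events per peer and decide why phase 1 is stuck."""
    counts = Counter()
    peers = set()
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("peer"):
            peers.add(m.group("peer"))
        for needle, event in MARKERS:
            if needle in m.group("msg"):
                counts[event] += 1
                break
    if counts["sent"] + counts["retransmit"] > 0 and counts["received"] == 0:
        # Main mode only uses the pre-shared key from MM5/MM6 on, so a PSK
        # mismatch would still show received messages. No reply at all means
        # MM1 never reached a responder (wrong peer address, UDP/500 or 4500 blocked).
        verdict = "NO_RESPONSE"
    elif counts["p1_abort"]:
        verdict = "P1_NEGOTIATION_FAILED"  # replies seen, proposal/PSK/ID rejected
    else:
        verdict = "OK_OR_INCOMPLETE"
    return {"peers": sorted(peers), "counts": dict(counts), "verdict": verdict}
```

Run it over a saved capture of `debug crypto isakmp 128` or `255`; a NO_RESPONSE verdict points at reachability or the peer address rather than at the key.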
02-04-2011 06:36 AM
Hi Keith,
Seems like your phase 2 is not coming up.
Could you please paste the output of "sh run cry" from both ends of the tunnel.
Regards,
Anisha
02-04-2011 07:33 AM
Hi Anisha,
Here is the config information; I have included the access-list and tunnel groups.
NAT traversal is enabled with a keepalive of 20 seconds.
!
access-list outside_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.168.16.25
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
!
tunnel-group 172.168.16.25 type ipsec-l2l
tunnel-group 172.168.16.25 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
Thanks,
Keith
02-04-2011 07:40 AM
Other end of the tunnel:
IPSEC Keying Mode: IKE using Preshared Secret
name: OH
IPSEC primary gateway name 172.168.17.25
secondary gateway 0.0.0.0
shared secret *
destination 192.168.3.1 255.255.255.0
IKE(phase1)
exchange: main mode
DH group: group 2
encryption: 3des
authentication: SHA1
lifetime: 28800
IPSEC(phase2)
protocol: ESP
encryption: 3des
authentication: SHA1
Lifetime: 28800
02-04-2011 08:10 AM
Hi Keith,
The phase two configuration seems the same to me.
I noticed one thing though. The peer IP defined in the ASA config is 172.168.16.25 while the other end of the tunnel mentions "IPSEC primary gateway name 172.168.17.25".
Are you sure the peer IP is defined correctly?
Also please enable the following debugs and let me know the outputs:
debug cry isa 255
debug cry ips 255
Initiate the traffic and post the debugs.
Regards,
Anisha
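Anisha's check above (do the two ends agree on phase 1, phase 2, proxy IDs and each other's address?) can be done mechanically. The following is an added example, not from this thread or from either vendor: it parses the relevant lines of the ASA config Keith posted, holds the far end's hand-typed summary as a dict, and lists every disagreement. The ASA's outside address is DHCP-assigned and not shown on the page, so it is passed in as an assumed value; the far end's "destination" is normalised from host-plus-mask to a network before comparing.

```python
"""Consistency check between an ASA L2L crypto config and the far end's summary."""
import ipaddress
import re

# Constructed from the ASA lines posted above; only the lines we parse are kept.
ASA_CONFIG = """\
access-list outside_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 set peer 172.168.16.25
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""

# Far end as posted; "destination" is a host address plus mask, not a network.
FAR_END = {"gateway": "172.168.17.25", "local_net": "192.168.1.0/24",
           "destination": "192.168.3.1/255.255.255.0",
           "p1": {"encryption": "3des", "hash": "sha", "group": "2", "lifetime": "28800"},
           "p2": {"esp": "3des", "auth": "sha"}}

def parse_asa(cfg):
    """Extract phase 1 policy, ESP transform, peer and proxy IDs from ASA config."""
    p1 = dict(re.findall(r"^\s*(encryption|hash|group|lifetime) (\S+)$", cfg, re.M))
    esp, auth = re.search(r"transform-set \S+ esp-(\w+) esp-(\w+)-hmac", cfg).groups()
    a, am, b, bm = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return {"peer": re.search(r"set peer (\S+)", cfg).group(1),
            "p1": p1, "p2": {"esp": esp, "auth": auth},
            "local": ipaddress.ip_network(f"{a}/{am}", strict=False),
            "remote": ipaddress.ip_network(f"{b}/{bm}", strict=False)}

def compare(asa, far, asa_outside):
    """List mismatches; empty list means both ends agree. asa_outside is the
    ASA's current (DHCP-assigned) outside address and is an assumed input."""
    issues = []
    for k, v in far["p1"].items():
        if asa["p1"].get(k) != v:
            issues.append(f"phase1 {k}: ASA={asa['p1'].get(k)} far={v}")
    if asa["p2"] != far["p2"]:
        issues.append(f"phase2 transform: ASA={asa['p2']} far={far['p2']}")
    if ipaddress.ip_network(far["destination"], strict=False) != asa["local"]:
        issues.append("far-end destination does not mirror ASA local proxy ID")
    if ipaddress.ip_network(far["local_net"]) != asa["remote"]:
        issues.append("far-end local network does not mirror ASA remote proxy ID")
    if far["gateway"] != asa_outside:  # a DHCP lease change silently breaks this
        issues.append(f"far-end gateway {far['gateway']} != ASA outside {asa_outside}")
    return issues
```

With the posted values both ends agree, which is consistent with the debug showing no reply at all rather than a rejected proposal.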
02-04-2011 08:24 AM
Hi Anisha,
I mistyped the one address, trying not to give out what the real address is.
I will grab the debug information requested and post it.
Thank you,
Keith
02-11-2011 07:38 AM
I've been working on another project, so it's taken some time before I could post this.
This ASA is replacing an older non-Cisco firewall, so I can run on the other firewall until I can get this issue resolved.
The attached file is a capture of the debug from debug crypto isakmp 255 and debug crypto ipsec 255.
This unit sits behind a Slipstream 5400 series DSL modem and is configured to get the outside address via DHCP.
I know traffic is going across, just cannot figure out why the tunnel will not come up.