06-08-2011 04:59 PM - edited 02-21-2020 05:23 PM
Hello,
we are trying to establish IPsec VPN between two locations from ASA 5510 to Cisco 3845 and the setup is as follows:
ASA end:
The ASA receives a PPPoE dynamic public address from Service Provider A through a Cisco 1941 router set up as a bridge. All standard IPsec VPN policies, i.e. interesting traffic, crypto maps etc., are implemented on the ASA, and the software version is 8.4(1). Existing users on the LAN also access a cloud-based service on the Internet by means of dynamic NAT to the cloud service. The IPsec session is set up to peer to the remote site public IP, which is provided by Service Provider B.
Cisco3845 end:
The Cisco router is connected to the Service Provider B firewall through a local gateway. Service Provider B provides a static IP address which is used as the peer IP address from the ASA. All IPsec policies are implemented on the Cisco 3845 router, which is in the private network. The Cisco 3845 is configured with a default route to the provider firewall using a private IP as the next hop. Service Provider B also implements 1:1 NAT to translate incoming session requests to the public IP, and also NAT traversal.
The scenario is depicted as follows:
Customer LAN/WLAN -> ASA -> Bridge -> PPPoE (SP A) -------------------------- (SP B) Firewall -> Default Gateway -> Cisco IOS 3845
ASA: public IP, VPN policies
SP B firewall: public IP + NAT + NAT traversal
Cisco IOS 3845: VPN policies
If a VPN tunnel is initiated by a ping from the Cisco 3845 end, the crypto isakmp sa output shows MM_NO_STATE.
If a VPN tunnel is initiated by a ping from the ASA end, the crypto ikev1 sa output shows MM_WAIT_MSG2.
The states above show that both devices have sent their IKE requests and, as there is no response from the remote end, the state is left at either MSG2 at the ASA end or NO_STATE on the 3845.
The extract of the log capture on the ASA is as follows:
[IKEv1 DEBUG]IP = 210.50.52.22, IKE MM Initiator FSM error history (struct &0xade91ce0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 08 12:01:32 [IKEv1 DEBUG]IP = 210.50.52.22, IKE SA MM:98976544 terminating: flags 0x01000022, refcnt 0, tuncnt 0
and the IKE fails to establish. Sometimes we can see "Duplicate packets" in the log messages.
Suspected problems may be due to:
1) Routing related: from the ASA, we can ping to the public IP of SP B, but from the Cisco 3845 we cannot ping to the public IP of the ASA.
2) ASA users are connected to a cloud-based service on the Internet, and advice is needed on whether some kind of split tunneling is required for IPsec traffic, and any NAT or ACLs required to ensure that IPsec traffic is pushed out through the tunnel.
Currently, interesting traffic is configured to permit IP traffic from LAN A to LAN B, and the mirror image on the other end.
NAT and ACLs allow ICMP inbound to the LAN/WLAN devices, and management access is allowed in the ASA for this subnet.
3) ASA version 8.4(1) is implemented with IKEv1 policies.
Let me know if you need detailed configs and I can send them through.
06-10-2011 05:53 AM
Hi
Please check if the ISPs or firewalls which you have in between the two peers allow the following types of traffic for both inbound and outbound filters with regard to the ASA and c3845.
1). Allow Encapsulating Security Payload (ESP) traffic to be forwarded, i.e. IP Protocol 50 (ESP)
2). Allow ISAKMP traffic to be forwarded, i.e. UDP Port 500
3). Allow ISAKMP NAT-T (NAT Transparency), i.e. UDP 4500
4). In case you will also use Authentication Header (AH), make sure that IP Protocol 51 is allowed for both inbound and outbound filters.
If this is allowed and still not working, please share further debug details.
Best regards
Istvan
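A small way to turn the checklist above into a repeatable check, as an added example that is not part of the thread or of any Cisco tool: given a simplified rule set (source, destination, protocol, destination port, with "any" as a wildcard; this rule format is an assumption, not any vendor's syntax), list which of the flows an IKEv1/IPsec site-to-site tunnel needs between the two peers, in both directions, are not permitted. The peer addresses used in the sample are the two quoted later in the thread.

```python
"""
Check a simplified firewall rule set for the flows an IKEv1/IPsec L2L tunnel
needs between two peers, in both directions. Added example, not from the
thread; the Rule/Flow format is an assumption, not a vendor syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers and UDP ports named in the checklist above
UDP, ESP, AH = 17, 50, 51
ISAKMP_PORT, NAT_T_PORT = 500, 4500
PROTO_NUM = {"udp": UDP, "esp": ESP, "ah": AH}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int                     # IP protocol number
    dport: Optional[int] = None    # only meaningful for UDP


@dataclass(frozen=True)
class Rule:
    src: str                       # IP address or "any"
    dst: str                       # IP address or "any"
    proto: str                     # "udp", "esp", "ah" or "ip" (ip = any protocol)
    dport: Optional[int] = None    # None = any port


def rule_permits(rule: Rule, flow: Flow) -> bool:
    """True if this single permit rule matches the flow."""
    if rule.src != "any" and rule.src != flow.src:
        return False
    if rule.dst != "any" and rule.dst != flow.dst:
        return False
    if rule.proto != "ip" and PROTO_NUM[rule.proto] != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def required_flows(peer_a: str, peer_b: str, use_ah: bool = False) -> List[Flow]:
    """Flows from items 1-4 of the checklist, for both directions.
    ESP is listed even when NAT-T is expected, because a peer that detects
    no NAT in between will send plain ESP rather than UDP/4500."""
    flows = []
    for src, dst in ((peer_a, peer_b), (peer_b, peer_a)):
        flows.append(Flow(src, dst, UDP, ISAKMP_PORT))   # ISAKMP
        flows.append(Flow(src, dst, UDP, NAT_T_PORT))    # NAT-T
        flows.append(Flow(src, dst, ESP))                # IP protocol 50
        if use_ah:
            flows.append(Flow(src, dst, AH))             # IP protocol 51
    return flows


def missing_flows(rules: List[Rule], peer_a: str, peer_b: str,
                  use_ah: bool = False) -> List[Flow]:
    """Required flows that no rule in the set permits."""
    return [f for f in required_flows(peer_a, peer_b, use_ah)
            if not any(rule_permits(r, f) for r in rules)]


if __name__ == "__main__":
    # Peer addresses quoted in the thread; the rule set itself is constructed
    asa_public, spb_public = "120.151.192.110", "210.50.52.22"
    rules = [
        Rule("any", spb_public, "udp", ISAKMP_PORT),   # inbound ISAKMP only
        Rule(spb_public, "any", "ip"),                 # everything outbound
    ]
    for f in missing_flows(rules, asa_public, spb_public):
        print("not permitted:", f)
```

Running the sample reports the inbound UDP/4500 and ESP flows toward the SP B public address as missing, which is the kind of gap the checklist is meant to catch before digging into IKE debugs.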
06-10-2011 06:10 PM
Hey Istvan,
Thanks very much for your response. We have confirmed with the remote provider that UDP 500, 4500 and ESP 50 traffic is allowed for inbound as well as outbound on their firewalls, and there seems to be no improvement.
We have tried this setup with another provider and we got the IPsec tunnel to come up without any problems. This time I am not sure if a firewall is located at the remote end, but the tunnel comes up and seems to be working fine.
We will revert to the original provider and test again. Here is the extract of the logs for the failed tests.
Teardown local-host Outside:10.77.15.250 duration 0:00:00
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = ABCD. Map Sequence Number = 10.
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 210.50.52.22, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer X.X.X.X local Proxy Address X.X.X.X, remote Proxy Address X.X.X.X, Crypto map (ABCD)
%ASA-7-715046: IP = 210.50.52.22, constructing ISAKMP SA payload
%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver RFC payload
%ASA-7-715046: IP = 210.50.52.22, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 210.50.52.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
%ASA-7-609001: Built local-host identity:120.151.192.110
%ASA-7-609001: Built local-host Outside:210.50.52.22
%ASA-7-715065: IP = 210.50.52.22, IKE MM Initiator FSM error history (struct &0xadef3480)
%ASA-7-713906: IP = 210.50.52.22, IKE SA MM:6c33e07d terminating: flags 0x01000022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 210.50.52.22, sending delete/delete with reason message
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = MELSYD. Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MELSYD. Map Sequence Number = 10.
%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = ABCD. Map Sequence Number = 10
120.151.192.110 is the local IP on the ASA and 210.50.52.22 is the remote IP on the SP firewall. From the ASA, I can ping to 210.x.x.x, but from the remote VPN router I cannot ping to 120.x.x.x (the firewall does 1:1 NAT translation).
Thanks and Regards,
Mohan
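To make the failure pattern in the log extracts above easier to read out of a longer syslog capture, here is an added example (not code from the thread or from Cisco) that parses the %ASA IKEv1 messages, records which main-mode messages were sent and received, reads the FSM error history, and summarizes the result. The sample input is constructed from the two extracts quoted in this thread (the full FSM history from the first post merged into the second post's 715065 line); the message IDs are the ones visible in those extracts.

```python
"""
Summarize an ASA IKEv1 syslog capture: which main-mode messages went out,
which came back, and in which state the FSM timed out. Added example, not
from the thread; SAMPLE_LOG is constructed from the extracts quoted above.
"""
import re

# Constructed sample: lines from the thread's two extracts, FSM history merged
SAMPLE_LOG = """\
%ASA-5-713041: IP = 210.50.52.22, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer X.X.X.X local Proxy Address X.X.X.X, remote Proxy Address X.X.X.X, Crypto map (ABCD)
%ASA-7-715046: IP = 210.50.52.22, constructing ISAKMP SA payload
%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver RFC payload
%ASA-7-713236: IP = 210.50.52.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
%ASA-7-715065: IP = 210.50.52.22, IKE MM Initiator FSM error history (struct &0xadef3480) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_SND_MSG1, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_WAIT_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
%ASA-7-713906: IP = 210.50.52.22, IKE SA MM:6c33e07d terminating: flags 0x01000022, refcnt 0, tuncnt 0
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = MELSYD. Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MELSYD. Map Sequence Number = 10.
"""

MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
SEND_RE = re.compile(r"IKE_DECODE SENDING Message \(msgid=(?P<msgid>[0-9a-fA-Fx]+)\)")
RECV_RE = re.compile(r"IKE_DECODE RECEIVED Message \(msgid=(?P<msgid>[0-9a-fA-Fx]+)\)")
FSM_RE = re.compile(r"FSM error history.*?<state>, <event>:\s*(?P<hist>.*)$")


def parse_fsm_history(hist):
    """'MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->...' -> [(state, event), ...]
    in the order the ASA prints them."""
    pairs = []
    for item in hist.split("-->"):
        state, _, event = item.strip().partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def diagnose(s):
    """Plain-language reading of the collected facts."""
    if (s["tunnel_failed"] and s["sent_msgids"] and not s["received_msgids"]
            and s["timed_out_in"] == "MM_WAIT_MSG2"):
        return ("phase-1 MM1 sent to %s but no MM2 received before the retry timer "
                "expired: UDP/500 is not reaching the responder or its reply is not "
                "returning (path, filtering or NAT on the return leg)" % s["peer"])
    if s["tunnel_failed"]:
        return "tunnel failed after the phase-1 exchange started; inspect received messages"
    return "no failure recorded"


def analyze(log_text):
    s = {"peer": None, "sent_msgids": [], "received_msgids": [],
         "nat_t_offered": False, "timed_out_in": None,
         "tunnel_failed": False, "fsm_history": []}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue                      # not an %ASA syslog line
        msg_id, body = m.group("id"), m.group("body")
        p = PEER_RE.search(body)
        if p and s["peer"] is None:
            s["peer"] = p.group("ip")
        if "constructing NAT-Traversal VID" in body:
            s["nat_t_offered"] = True     # we advertised NAT-T support
        snd = SEND_RE.search(body)
        if snd:
            s["sent_msgids"].append(snd.group("msgid"))
        rcv = RECV_RE.search(body)
        if rcv:
            s["received_msgids"].append(rcv.group("msgid"))
        f = FSM_RE.search(body)
        if f:
            s["fsm_history"] = parse_fsm_history(f.group("hist"))
            for state, event in s["fsm_history"]:
                if event == "EV_TIMEOUT":
                    s["timed_out_in"] = state
                    break
        if msg_id == "752015":            # Tunnel Manager gave up on the L2L SA
            s["tunnel_failed"] = True
    s["diagnosis"] = diagnose(s)
    return s


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print("%-16s %s" % (key, value))
```

On the sample it reports one message sent (msgid 0, the main-mode message 1 carrying HDR + SA + vendor IDs), nothing received, a timeout in MM_WAIT_MSG2 and the 752015 failure, which matches the MM_WAIT_MSG2 and MM_NO_STATE states seen on the two peers: each side transmits its first message and never sees the other's reply.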