07-08-2013 02:47 AM - edited 03-11-2019 07:08 PM
Hello guys,
I was wondering if someone can assist me in solving my issue.
I had one VPN connection on the ASA (created a while ago by someone else) and now I also want to create a second connection to the Azure cloud.
I am really confused, since when I use the command "crypto map dyn-map interface outside" the <remote branch ip> connection is working properly
but the Azure connection is not.
If I use the command "crypto map outside-map interface outside", the Azure L2L is working but the remote branch is not.
What am I doing wrong?
FW# show run | include crypto
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.22.1
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.20.1
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 host 192.168.22.1
access-list outside_2_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANSFORMSET-NEOCLOUD esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYNMAP 1 set ikev1 transform-set TRANSET
crypto dynamic-map DYNMAP 1 set security-association lifetime seconds 28800
crypto dynamic-map DYNMAP 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 1 set reverse-route
crypto dynamic-map DYNMAP 2 match address ACCESSLISTNEOCLOUD
crypto dynamic-map DYNMAP 2 set peer <azure ip>
crypto dynamic-map DYNMAP 2 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto dynamic-map DYNMAP 2 set security-association lifetime seconds 3600
crypto dynamic-map DYNMAP 2 set security-association lifetime kilobytes 102400000
crypto dynamic-map DYNMAP 2 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer <remote branch ip>
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 11 match address ACCESSLISTNEOCLOUD
crypto map outside_map 11 set peer <azure ip>
crypto map outside_map 11 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto map outside_map 11 set security-association lifetime seconds 3600
crypto map outside_map 11 set security-association lifetime kilobytes 102400000
crypto map dyn-map 10 ipsec-isakmp dynamic DYNMAP
crypto map dyn-map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable dmz
crypto ikev1 policy 5
crypto ikev1 policy 9
crypto ikev1 policy 10
crypto ikev1 policy 20
crypto ikev1 policy 30
crypto ikev1 policy 50
crypto ikev1 policy 70
crypto ikev1 policy 65535
07-08-2013 02:54 AM
Hi,
If you are configuring L2L VPN connections you won't need any dynamic-map configurations at all.
I presume that both the remote branch and the new connection are L2L VPNs where the VPN peer also has a static public IP address?
Are you using IPsec VPN client connections on this ASA?
- Jouni
07-08-2013 03:01 AM
Hi again Jouni,
Yes, I am also using IPsec VPN connections; honestly, I created these IPsec connections using ASDM, so I don't know if the dynamic-map was created at that time.
Do you want me to provide more details? (object groups, access-lists)
07-08-2013 03:03 AM
Essentially, your basic "crypto map" configuration might be as simple as the following
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto ipsec transform-set CONNECTION-1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set CONNECTION-2 esp-aes-256 esp-sha-hmac
crypto map CRYPTOMAP 10 match address CONNECTION-1
crypto map CRYPTOMAP 10 set peer 1.1.1.1
crypto map CRYPTOMAP 10 set transform-set CONNECTION-1
crypto map CRYPTOMAP 10 set reverse-route
crypto map CRYPTOMAP 20 match address CONNECTION-2
crypto map CRYPTOMAP 20 set peer 2.2.2.2
crypto map CRYPTOMAP 20 set transform-set CONNECTION-2
crypto map CRYPTOMAP 20 set reverse-route
crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CRYPTOMAP interface outside
Naturally the above configuration doesn't match your configurations, but it's just an example of how simple the "crypto map" section could be. You seem to have a lot of configurations that are not needed.
EDIT: Also, as you can see, I have not provided any ACL configurations or the actual transform-set configurations. The above is simply giving an example of the configuration format on the command line interface.
- Jouni
07-08-2013 03:36 AM
Thanks Jouni,
Also, could you please let me know if I have any error in DYNMAP; maybe this is the reason that I am not able to establish the Azure connection.
I forgot to mention that when I use the command show isakmp sa, sometimes I see the Azure connections and sometimes they disappear.
Could you please give me some troubleshooting commands in order to find out the following:
Which crypto map is applied?
Which ikev1 policy is applied?
07-08-2013 03:56 AM
Hi,
Well, since we are talking about L2L VPN / Site-to-Site VPN, we shouldn't be using a Dynamic Map at all.
Also, Dynamic Map configurations, if needed for VPN Client connections at the same time, SHOULD ALWAYS be configured at a very low priority in the "crypto map" configurations.
In your configuration they are listed as 1 and 2. I typically go with the default that even the ASDM uses, which is 65535, the lowest priority/sequence number.
Though you didn't answer yet (or I didn't notice) if you were using any VPN Client connections on the ASA? If not, then you should probably remove ALL dynamic-map related configurations from the ASA, as they should not be needed for these L2L VPN configurations. They are more likely to cause problems when configured the wrong way.
More detailed information on the connection when it's actually up can be gotten with the following commands, for example
show vpn-sessiondb detail l2l filter ipaddress
show crypto ipsec sa peer
The first one lists a lot of information.
The second one tells you which "crypto map" section was matched.
- Jouni
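The review points raised in this thread (only the crypto map bound to the interface is ever consulted, so static L2L entries in an unbound map never match; the dynamic entry belongs at the highest sequence number; a dynamic-map entry that sets a fixed peer is a static tunnel in the wrong place; transform-sets referenced but not defined; legacy DES/3DES/MD5 transform-sets still offered) distilled into a lint over `show run | include crypto` output. This is an added example written for this page, not code from the thread or from Cisco. The sample capture is constructed from the original post (abridged, with the poster's placeholder peers kept); the finding codes and the `WEAK_ALGS` list are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the capture in the original post (abridged,
# placeholder peers kept as the poster wrote them).
SAMPLE = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANSFORMSET-NEOCLOUD esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 1 set ikev1 transform-set TRANSET
crypto dynamic-map DYNMAP 1 set reverse-route
crypto dynamic-map DYNMAP 2 match address ACCESSLISTNEOCLOUD
crypto dynamic-map DYNMAP 2 set peer <azure ip>
crypto dynamic-map DYNMAP 2 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer <remote branch ip>
crypto map outside_map 11 match address ACCESSLISTNEOCLOUD
crypto map outside_map 11 set peer <azure ip>
crypto map outside_map 11 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto map dyn-map 10 ipsec-isakmp dynamic DYNMAP
crypto map dyn-map interface outside
"""

# Legacy algorithms a reviewer would want retired from live entries (my list).
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

# Both the 8.4+ "ikev1" form and the older form without it are accepted.
RE_TS = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
RE_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_DYNREF = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
RE_ENTRY = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) (.+)$")
RE_SETTS = re.compile(r"^set (?:ikev1 )?transform-set (.+)$")


def lint(text):
    """Return (code, detail) findings for one 'show run | include crypto' capture."""
    defined_ts = {}                 # transform-set -> set of algorithms
    bound = {}                      # interface -> crypto map applied there
    seqs = defaultdict(set)         # crypto map -> all sequence numbers
    static_seqs = defaultdict(set)  # crypto map -> seqs that 'set peer'
    dyn_refs = []                   # (crypto map, seq, dynamic-map name)
    dyn_peers = []                  # (dynamic-map, seq, peer)
    used_ts = {}                    # transform-set -> where it is first used

    for line in text.splitlines():
        line = line.strip()
        if m := RE_TS.match(line):
            defined_ts[m[1]] = set(m[2].split())
        elif m := RE_BIND.match(line):
            bound[m[2]] = m[1]
        elif m := RE_DYNREF.match(line):
            seqs[m[1]].add(int(m[2]))
            dyn_refs.append((m[1], int(m[2]), m[3]))
        elif m := RE_ENTRY.match(line):
            kind, name, seq, rest = m[1], m[2], int(m[3]), m[4]
            if kind == "map":
                seqs[name].add(seq)
            if rest.startswith("set peer "):
                peer = rest[len("set peer "):]
                if kind == "map":
                    static_seqs[name].add(seq)
                else:
                    dyn_peers.append((name, seq, peer))
            elif ts := RE_SETTS.match(rest):
                for t in ts[1].split():
                    used_ts.setdefault(t, f"{kind} {name} {seq}")

    findings = []
    # 1. Static L2L entries in a map no interface uses can never be matched.
    for name, s in sorted(static_seqs.items()):
        if name not in bound.values():
            findings.append(("UNBOUND_MAP",
                             f"{name} (seq {sorted(s)}) is not applied to any interface"))
    # 2. The dynamic entry should carry the highest sequence number in its map.
    for name, seq, dyn in dyn_refs:
        top = max(seqs[name])
        if seq < top:
            findings.append(("DYNAMIC_NOT_LAST",
                             f"{name} {seq} dynamic {dyn} precedes static entries up to {top}"))
    # 3. A dynamic-map entry with a fixed peer is a static tunnel in the wrong place.
    for name, seq, peer in dyn_peers:
        findings.append(("DYNAMIC_STATIC_PEER", f"dynamic-map {name} {seq} sets peer {peer}"))
    # 4. Referenced transform-sets: missing from the capture, or built on legacy algorithms.
    for t, where in sorted(used_ts.items()):
        if t not in defined_ts:
            findings.append(("UNDEFINED_TS", f"{t} referenced at {where} but not defined"))
        elif defined_ts[t] & WEAK_ALGS:
            findings.append(("WEAK_TS",
                             f"{t} at {where} uses {sorted(defined_ts[t] & WEAK_ALGS)}"))
    return findings


def codes(text):
    """Distinct finding codes for a capture, sorted, for quick pass/fail checks."""
    return sorted({c for c, _ in lint(text)})


if __name__ == "__main__":
    for code, detail in lint(SAMPLE):
        print(f"{code:20} {detail}")
```

On the sample this reports `outside_map` as unbound (the static branch and Azure entries live there while `dyn-map` is the one applied to `outside`, which is exactly the either/or behaviour described in the first post), `DYNMAP 2` as a dynamic-map entry carrying a fixed peer, and `TRANSFORMSET-CLOUD` as referenced but not defined in the capture (only `TRANSFORMSET-NEOCLOUD` is; confirm against the full running configuration before acting on it). Run on the complete capture, the `SYSTEM_DEFAULT_CRYPTO_MAP` entry would additionally raise `WEAK_TS` for the DES, 3DES and MD5 transform-sets it still offers. The lint is deliberately read-only: it tells you which map entry the box will actually consult, which `show crypto ipsec sa peer` then confirms once a tunnel is up.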
07-08-2013 04:37 AM
Thanks a lot Jouni, if I need anything else I will let you know.