Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- Technology and Support
- Networking
- Switching
- Site to Site VPN between two ASA 5505 not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
5284
Views
0
Helpful
3
Replies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2014 05:00 AM - edited 03-07-2019 07:38 PM
Good afternoon gents,
I am trying to use the VPN Wizard to setup a site to site VPN tunnel between two identical ASA 5505 firewalls but having different IOS versions (8.2 and 8.4). Although I managed to created VPN connections on both ends, they do not seem to communicate and the Real Time Log Viewer is display these error messages (i modified IP's for security reasons):
4|Jun 05 2014|13:34:49|113019|||||Group = 2.2.2.2, Username = 2.2.2.2, IP = SiteB-FW, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested 5|Jun 05 2014|13:34:49|713259|||||Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:299483b5 terminating: flags 0x0100c822, refcnt 0, tuncnt 0 3|Jun 05 2014|13:34:49|713902|||||Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match! 7|Jun 05 2014|13:34:49|715009|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Deleting SA: Remote Proxy 192.168.200.0, Local Proxy 192.168.100.0 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=eacc21a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec delete payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message 5|Jun 05 2014|13:34:49|713050|||||Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, processing delete 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=70148cdb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80 5|Jun 05 2014|13:34:49|713068|||||Group = 2.2.2.2, IP = 2.2.2.2, Received non-routine Notify message: No proposal chosen (14) 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=423f193d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=feaa0acd) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400 7|Jun 05 2014|13:34:49|714004|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator sending 1st QM pkt: msg id = feaa0acd 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload 7|Jun 05 2014|13:34:49|714007|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator sending Initial Contact 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Transmitting Proxy Id: 7|Jun 05 2014|13:34:49|715001|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing proxy ID 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing pfs ke payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec nonce payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec SA payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, oakley constucting quick mode 7|Jun 05 2014|13:34:49|715006|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE got SPI from key engine: SPI = 0xfddfaa1f 6|Jun 05 2014|13:34:49|713220|||||Group = 2.2.2.2, IP = 2.2.2.2, De-queuing KEY-ACQUIRE messages that were left pending. 7|Jun 05 2014|13:34:49|715080|||||Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds. 7|Jun 05 2014|13:34:49|713121|||||IP = 2.2.2.2, Keep-alive type for this connection: DPD 5|Jun 05 2014|13:34:49|713119|||||Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED 7|Jun 05 2014|13:34:49|714002|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator starting QM: msg id = feaa0acd 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Oakley begin quick mode 6|Jun 05 2014|13:34:49|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 2.2.2.2 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2 7|Jun 05 2014|13:34:49|715049|||||Group = 2.2.2.2, IP = 2.2.2.2, Received DPD VID 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715034|||||IP = 2.2.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec. 7|Jun 05 2014|13:34:49|715076|||||Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload 7|Jun 05 2014|13:34:49|714011|||||Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received 7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96 6|Jun 05 2014|13:34:49|713172|||||Group = 2.2.2.2, IP = 2.2.2.2, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload 7|Jun 05 2014|13:34:49|715034|||||IP = 2.2.2.2, Constructing IOS keep alive payload: proposal=32767/32767 sec. 7|Jun 05 2014|13:34:49|715076|||||Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload 7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload 7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Initiator... 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing NAT-Discovery payload 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing NAT-Discovery payload 7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715038|||||IP = 2.2.2.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received xauth V6 VID 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Cisco Unity client VID 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing nonce payload 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing ISA_KE payload 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing ke payload 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 368 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 368 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Discovery payload 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Discovery payload 7|Jun 05 2014|13:34:49|715048|||||IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing VID payload 7|Jun 05 2014|13:34:49|715038|||||IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) 7|Jun 05 2014|13:34:49|715048|||||IP = 2.2.2.2, Send IOS VID 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing xauth V6 VID payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing Cisco Unity VID payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing nonce payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing ke payload 7|Jun 05 2014|13:34:49|715064|||||IP = 2.2.2.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True 7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Fragmentation VID 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received NAT-Traversal RFC VID 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload 7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Oakley proposal is acceptable 7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing SA payload 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132 7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver RFC payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver 03 payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver 02 payload 7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing ISAKMP SA payload 6|Jun 05 2014|13:34:49|713219|||||IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete. 5|Jun 05 2014|13:34:49|713041|||||IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 2.2.2.2 local Proxy Address 192.168.100.0, remote Proxy Address 192.168.200.0, Crypto map (Internet_map)
SiteA IP is 1.1.1.1 with internet network 192.168.100.0/24....SiteB IP is 2.2.2.2 with internal network 192.168.200.0/24. I am also pasting the conf of both firewalls.
SITE A:
Result of the command: "show conf" ! ASA Version 8.2(5) ! hostname ciscositeA enable password xxx encrypted passwd xxx encrypted names name 2.2.2.2 SiteB-FW name 192.168.200.0 SiteB-network ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport access vlan 12 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 switchport access vlan 12 ! interface Ethernet0/4 switchport access vlan 12 ! interface Ethernet0/5 switchport access vlan 12 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif mgmt security-level 100 ip address 192.168.2.1 255.255.255.0 ! interface Vlan2 nameif Internet security-level 0 ip address 1.1.1.1 255.255.255.240 ! interface Vlan12 no forward interface Vlan1 nameif LAN security-level 100 ip address 192.168.100.254 255.255.255.0 ! ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup mgmt dns domain-lookup Internet dns server-group DefaultDNS name-server 8.8.8.8 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network DM_INLINE_NETWORK_1 object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_0 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_3 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_4 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_5 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_6 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_7 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_8 tcp port-object eq www port-object eq https object-group service DM_INLINE_TCP_9 tcp port-object eq www port-object eq https access-list outside_access_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq www access-list dmz_access_in extended permit ip any any access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list LAN-nat0 extended permit ip 10.250.0.0 255.255.0.0 any access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list LAN-nat0 extended permit ip any 192.168.100.0 255.255.255.0 access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 SiteB-network 255.255.255.0 access-list mgmt-nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list mgmt-nat0 extended permit ip 10.250.0.0 255.255.0.0 any access-list Internet_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 SiteB-network 255.255.255.0 pager lines 24 logging enable logging asdm errors mtu mgmt 1500 mtu Internet 1500 mtu LAN 1500 ipv6 access-list dmz_access_ipv6_in permit ip any any ipv6 access-list Atlassian_ipv6 deny ip any any icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (Internet) 1 interface nat (mgmt) 0 access-list mgmt-nat0 nat (mgmt) 1 0.0.0.0 0.0.0.0 nat (LAN) 0 access-list LAN-nat0 nat (LAN) 1 0.0.0.0 0.0.0.0 access-group outside_access_in in interface Internet route Internet 0.0.0.0 0.0.0.0 1.1.1.1 1 route mgmt 192.168.100.0 255.255.255.0 192.168.100.254 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication ssh console LOCAL aaa authentication enable console LOCAL aaa authorization command LOCAL http server enable http 192.168.2.0 255.255.255.0 mgmt no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Internet_map 1 match address Internet_1_cryptomap crypto map Internet_map 1 set pfs group5 crypto map Internet_map 1 set peer SiteB-FW crypto map Internet_map 1 set transform-set ESP-AES-256-SHA crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Internet_map interface Internet crypto isakmp enable Internet crypto isakmp policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 telnet timeout 5 ssh 192.168.2.0 255.255.255.0 mgmt ssh timeout 5 ssh version 2 console timeout 0 dhcpd dns 8.8.8.8 192.168.100.11 dhcpd lease 1048575 dhcpd update dns both override ! dhcpd address 192.168.2.50-192.168.2.136 mgmt dhcpd dns 192.168.100.11 8.8.8.8 interface mgmt dhcpd lease 6000 interface mgmt dhcpd update dns both override interface mgmt dhcpd enable mgmt ! dhcpd update dns both override interface LAN ! threat-detection basic-threat threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 85.254.216.1 source Internet webvpn tunnel-group 2.2.2.2 type ipsec-l2l tunnel-group 1.1.1.1 ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect icmp inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global privilege cmd level 3 mode exec command perfmon privilege cmd level 3 mode exec command ping privilege cmd level 3 mode exec command who privilege cmd level 3 mode exec command logging privilege cmd level 3 mode exec command failover privilege cmd level 3 mode exec command packet-tracer privilege show level 5 mode exec command import privilege show level 5 mode exec command running-config privilege show level 3 mode exec command reload privilege show level 3 mode exec command mode privilege show level 3 mode exec command firewall privilege show level 3 mode exec command asp privilege show level 3 mode exec command cpu privilege show level 3 mode exec command interface privilege show level 3 mode exec command clock privilege show level 3 mode exec command dns-hosts privilege show level 3 mode exec command access-list privilege show level 3 mode exec command logging privilege show level 3 mode exec command vlan privilege show level 3 mode exec command ip privilege show level 3 mode exec command ipv6 privilege show level 3 mode exec command failover privilege show level 3 mode exec command asdm privilege show level 3 mode exec command arp privilege show level 3 mode exec command route privilege show level 3 mode exec command ospf privilege show level 3 mode exec command aaa-server privilege show level 3 mode exec command aaa privilege show level 3 mode exec command eigrp privilege show level 3 mode exec command crypto privilege show level 3 mode exec command vpn-sessiondb privilege show level 3 mode exec command ssh privilege show level 3 mode exec command dhcpd privilege show level 3 mode exec command vpnclient privilege show level 3 mode exec command vpn privilege show level 3 mode exec command blocks privilege show level 3 mode exec command wccp privilege show level 3 mode exec command dynamic-filter privilege show level 3 mode exec command webvpn privilege show level 3 mode exec command module privilege show level 3 mode exec command uauth privilege show level 3 mode exec command compression privilege show level 3 mode configure command interface privilege show level 3 mode configure command clock privilege show level 3 mode configure command access-list privilege show level 3 mode configure command logging privilege show level 3 mode configure command ip privilege show level 3 mode configure command failover privilege show level 5 mode configure command asdm privilege show level 3 mode configure command arp privilege show level 3 mode configure command route privilege show level 3 mode configure command aaa-server privilege show level 3 mode configure command aaa privilege show level 3 mode configure command crypto privilege show level 3 mode configure command ssh privilege show level 3 mode configure command dhcpd privilege show level 5 mode configure command privilege privilege clear level 3 mode exec command dns-hosts privilege clear level 3 mode exec command logging privilege clear level 3 mode exec command arp privilege clear level 3 mode exec command aaa-server privilege clear level 3 mode exec command crypto privilege clear level 3 mode exec command dynamic-filter privilege cmd level 3 mode configure command failover privilege clear level 3 mode configure command logging privilege clear level 3 mode configure command arp privilege clear level 3 mode configure command crypto privilege clear level 3 mode configure command aaa-server prompt hostname context no call-home reporting anonymous Cryptochecksum:xxx
Site B:
Result of the command: "show conf" ! ASA Version 8.4(5) ! hostname ciscositeB enable password xxx encrypted passwd 2KFQnbNIdI.2KYOU encrypted multicast-routing names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 switchport access vlan 12 ! interface Ethernet0/7 ! interface Vlan1 nameif mgmt security-level 100 ip address 192.168.3.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 pppoe client vpdn group pp_group ip address pppoe setroute ! interface Vlan12 no forward interface Vlan1 nameif LAN security-level 100 ip address 192.168.200.1 255.255.255.0 ! ftp mode passive clock timezone GMT 2 dns domain-lookup outside dns server-group DefaultDNS name-server 8.8.8.8 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network Poland-LAN-Network subnet 192.168.200.0 255.255.255.0 object network SiteA-FW host 2.2.2.2 object network SiteA-Network subnet 192.168.100.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any access-list outside_access_in extended permit tcp any any eq ssh access-list outside_cryptomap extended permit ip object SiteB-Network object SiteA-Network pager lines 24 logging enable logging asdm informational mtu mgmt 1500 mtu outside 1500 mtu LAN 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (mgmt,outside) source static SiteB-Network SiteB-Network destination static SiteA-Network SiteA-Network no-proxy-arp route-lookup nat (LAN,outside) source static SiteB-Network SiteB-Network destination static SiteA-Network SiteA-Network no-proxy-arp route-lookup ! object network obj_any nat (mgmt,outside) dynamic interface ! nat (mgmt,outside) after-auto source dynamic any interface access-group inside_access_in in interface mgmt access-group outside_access_in in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy no user-identity enable user-identity default-domain LOCAL http server enable http 192.168.3.0 255.255.255.0 mgmt http 1.1.1.1 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer 2.2.2.2 crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 crypto map outside_map interface outside crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev1 enable outside crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 5 lifetime 86400 telnet timeout 5 ssh 192.168.3.103 255.255.255.255 mgmt ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd dns 87.204.204.204 62.233.233.233 dhcpd auto_config outside dhcpd update dns ! dhcpd address 192.168.3.101-192.168.3.132 mgmt dhcpd dns 8.8.8.8 interface mgmt dhcpd update dns both interface mgmt dhcpd enable mgmt ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 85.254.216.1 source outside prefer webvpn group-policy GroupPolicy_1.1.1.1 internal group-policy GroupPolicy_1.1.1.1 attributes vpn-tunnel-protocol ikev1 tunnel-group 1.1.1.1 type ipsec-l2l tunnel-group 1.1.1.1 general-attributes default-group-policy GroupPolicy_2.2.2.2 tunnel-group 1.1.1.1 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:abc
Solved! Go to Solution.
Labels:
- Labels:
-
LAN Switching
1 Accepted Solution
Accepted Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-11-2014 08:02 AM
Hi James
In the real time output it shows Phase 1 completed. That means your 2 ends are talking so the tunnel groups good and the isakmp policies found a match. To get to Phase 2 completed (which is missing) you need the ipsec sections to match. It looks like you have a mismatch in the pfs value as you state 5 in site A but leave it blank in site B which will default to 2.
Site A: crypto map Internet_map 1 set pfs group5
Site B: crypto map outside_map 1 set pfs
so either redo the wizard or at the command line on B change it to: crypto map outside_map 1 set pfs group5
Hope it helps (:
3 Replies 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2014 11:50 PM
Hi James,
I wonder why do you have both l2l and ipsec have the diff tg IP addresses in Site A??
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
!
Regards
Karthik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-11-2014 08:02 AM
Hi James
In the real time output it shows Phase 1 completed. That means your 2 ends are talking so the tunnel groups good and the isakmp policies found a match. To get to Phase 2 completed (which is missing) you need the ipsec sections to match. It looks like you have a mismatch in the pfs value as you state 5 in site A but leave it blank in site B which will default to 2.
Site A: crypto map Internet_map 1 set pfs group5
Site B: crypto map outside_map 1 set pfs
so either redo the wizard or at the command line on B change it to: crypto map outside_map 1 set pfs group5
Hope it helps (:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-11-2014 08:32 AM
Hi RobertMogan_2, that was exactly the issue. It just slipped through the cracks! Thanks for your feedback.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
Customers Also Viewed These Support Documents
