Help with IPsec problem

jakubholly
Level 1

Hi, we have a problem between a Cisco ASA and a Cisco router. Tunnel status:

<status on asa>

IKE Peer: xx.xx.xx.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

<status on router>

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
xx.xx.xx.166    xx.xx.xx.78     MM_NO_STATE          0    0 ACTIVE

<debug on asa>

[IKEv1 DEBUG]IP = xx.xx.xx.78, IKE MM Initiator FSM error history (struct &0x00007fff9e406480)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

<debug on router>

000561: Aug 16 14:56:15: ISAKMP:(0): SA request profile is (NULL)
000562: Aug 16 14:56:15: ISAKMP: Created a peer struct for xx.xx.xx.166, peer port 500
000563: Aug 16 14:56:15: ISAKMP: New peer created peer = 0x840073D4 peer_handle = 0x80000011
000564: Aug 16 14:56:15: ISAKMP: Locking peer struct 0x840073D4, refcount 1 for isakmp_initiator
000565: Aug 16 14:56:15: ISAKMP: local port 500, remote port 500
000566: Aug 16 14:56:15: ISAKMP: set new node 0 to QM_IDLE
000567: Aug 16 14:56:15: insert sa successfully sa = 83E90D44
000568: Aug 16 14:56:15: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000569: Aug 16 14:56:15: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000570: Aug 16 14:56:15: ISAKMP:(0):found peer pre-shared key matching xx.xx.xx.166
000571: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000572: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-07 ID
000573: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-03 ID
000574: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-02 ID
000575: Aug 16 14:56:15: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000576: Aug 16 14:56:15: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
000577: Aug 16 14:56:15: ISAKMP:(0): beginning Main Mode exchange
000578: Aug 16 14:56:15: ISAKMP:(0): sending packet to xx.xx.xx.166 my_port 500 peer_port 500 (I) MM_NO_STATE
000579: Aug 16 14:56:15: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
000580: Aug 16 14:56:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000581: Aug 16 14:56:25: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000582: Aug 16 14:56:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000583: Aug 16 14:56:25: ISAKMP:(0): sending packet to xx.xx.xx.166 my_port 500 peer_port 500 (I) MM_NO_STATE
000584: Aug 16 14:56:25: ISAKMP:(0):Sending an IKE IPv4 Packet.

<config on ASA>

crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set SecondSet esp-3des esp-sha-hmac

crypto map VPNPEER 5 match address l2l
crypto map VPNPEER 5 set peer xx.xx.xx.78
crypto map VPNPEER 5 set ikev1 transform-set SecondSet

crypto map VPNPEER interface outside


tunnel-group xx.xx.xx.78 type ipsec-l2l
tunnel-group xx.xx.xx.78 ipsec-attributes
ikev1 pre-shared-key *****

access-list l2l line 1 extended permit ip 10.115.152.0 255.255.255.0 192.168.175.0 255.255.255.0

<config on router>

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key ****** address xx.xx.xx.166 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp aggressive-mode disable
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map vpn local-address FastEthernet4.3067
crypto map vpn 10 ipsec-isakmp
 set peer xx.xx.xx.166
 set transform-set vpnset
 set pfs group2
 match address 113
!
access-list 113 remark VPN
access-list 113 permit ip 192.168.175.0 0.0.0.255 10.115.152.0 0.0.0.255

interface FastEthernet4.3067
 ip address x.x.x.78 255.255.255.252
 ip nat outside
 crypto map vpn

access-list 100 remark NAT
access-list 100 deny   ip 192.168.175.0 0.0.0.255 10.115.152.0 0.0.0.255
access-list 100 permit ip 192.168.175.0 0.0.0.255 any

Thanks for any advice!

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi,

It seems UDP 500 port is blocked between the two devices.

Also, was this working before?

Regards,

Aditya

Please rate helpful and mark correct answers

 

500 is not blocked. It never worked before (but different tunnels from my devices are up). Routing: we have checked, it works correctly.

a.adetunji
Level 1

Try to check your routes on both devices. You might want to have a static route for the interesting traffic pointing to the outside interface, even though you may have a default route. And make sure you also have routes to your inside network from each device.

No problem with routes, we ping each other and the inside routes are OK!

jakubholly
Level 1

For 2 minutes it was in MSG3 but then went back to MSG2.

# sh isakmp sa detail

7 IKE Peer: x.x.x.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0

In the debug there is still the same error:

Aug 22 11:41:28 [IKEv1 DEBUG]IP = x.x.x.78, IKE MM Initiator FSM error history (struct &0x00007fff9e3eb380) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

# ping x.x.x.78
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/120/130 ms
#

OK, solved. The problem was on the router side: there was a PAT for port 500 to another device. So that was the reason why the ASA didn't get a response.
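Added example (not from the thread): a Python check for the root cause the poster found, a static PAT on the crypto-map interface that captures UDP 500/4500 before the router's own ISAKMP process sees it, which is exactly why the ASA sat in MM_WAIT_MSG2 and the router in MM_NO_STATE. The router config below is constructed, and the PAT lines use standard IOS `ip nat inside source static` syntax assumed for the entry the poster describes.

```python
import re

# Constructed router config (not the poster's actual config). The crypto map
# sits on Fa4.3067 as in the thread; the static PAT lines on UDP 500/4500 are
# assumed standard IOS syntax for the entry the poster found.
IOS_CONFIG = """\
interface FastEthernet4.3067
 ip address 203.0.113.78 255.255.255.252
 ip nat outside
 crypto map vpn
ip nat inside source static udp 192.168.175.10 500 interface FastEthernet4.3067 500
ip nat inside source static udp 192.168.175.10 4500 203.0.113.78 4500
ip nat inside source list 100 interface FastEthernet4.3067 overload
"""

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T; both must reach the router's own IKE
PAT_RE = re.compile(
    r"ip nat inside source static udp (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")

def vpn_endpoints(config):
    """Return {interface: ip} for every interface that has a crypto map applied."""
    ips, mapped, cur = {}, set(), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
        elif not line.startswith(" "):
            cur = None          # left the interface block
        elif cur:
            a = re.match(r" ip address (\S+)", line)
            if a:
                ips[cur] = a.group(1)
            elif line.startswith(" crypto map "):
                mapped.add(cur)
    return {i: ips.get(i) for i in mapped}

def hijacked_ike_ports(config):
    """Static PAT entries that steal UDP 500/4500 from a crypto-map interface,
    so the peer's IKE MM1 is forwarded to an inside host instead of the router."""
    endpoints, hits = vpn_endpoints(config), []
    for line in config.splitlines():
        m = PAT_RE.match(line)
        if not m or int(m.group(5)) not in IKE_PORTS:
            continue
        inside_ip, iface, global_ip = m.group(1), m.group(3), m.group(4)
        # Resolve either "interface X" or an explicit global IP to the interface name
        target = iface or next((i for i, ip in endpoints.items() if ip == global_ip), None)
        if target in endpoints:
            hits.append((target, int(m.group(5)), inside_ip))
    return hits
```

A PAT on 500 that points at a non-VPN interface is not flagged, since the router's IKE on the crypto-map interface is unaffected.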