How to fix VPN tunnel-related issues on the PIX Firewall, Concentrator, ASA and Router

Document

Posted June 22, 2009; updated July 22, 2009 7:49 PM

Core issue

These are a few of the common reasons why a VPN tunnel does not come up, or comes up but fails to pass traffic, on a PIX Firewall, VPN Concentrator, ASA or router:
  • The wrong peer IP address is configured in the pre-shared key statement or in the crypto map (set peer).
  • The crypto map is not bound to the outside interface.
  • The crypto access control lists (ACLs) on the two peers do not mirror each other.
  • The crypto ACL overlaps with the crypto ACL of another tunnel.
  • NAT is not bypassed for the VPN traffic on the router or PIX Firewall.
  • The same ACL is referenced by both the crypto map and the NAT bypass (nat 0) statement on the PIX Firewall.
  • The ACL used for NAT bypass is written with the keyword any instead of specific source and destination networks.
  • The ISP blocks UDP port 500 (ISAKMP), ESP (IP protocol 50) or UDP port 4500 (NAT-T), or changes the IP address of the remote peer.
  • The ISAKMP (IKE phase 1) policies do not match.
  • There are routing issues, for example no route to the peer or to the remote network via the outside interface.
  • Stale Security Associations from a previous negotiation are still present.
  • Perfect Forward Secrecy (PFS) is enabled on one peer and disabled on the other.


Resolution

In order to isolate and resolve these issues, review this checklist:

  1. Make sure the crypto map is applied to the outside interface, that is, the interface that faces the Internet and terminates the tunnel.

  2. Match the crypto access-lists on the two peers: the remote peer's ACL must be the exact mirror image (source and destination swapped) of the local one, and neither may overlap with the crypto ACL of any other tunnel configured on the device.

  3. Match the ISAKMP policies on the peers. At least one policy on each end must agree on encryption algorithm, hash, authentication method and Diffie-Hellman group, otherwise phase 1 never completes.

  4. If the show crypto isakmp sa command shows the SA stuck in MM_KEY_EXCH, refer to the document "The user receives the ISAKMP (0:xxx): deleting SA reason gen_ipsec_isakmp_delete but doi isakmp state (I) MM_KEY_EXCH (peer x.x.x.x) input queue 0 message".

  5. If the ISP has changed the IP address of the remote peer, refer to the document "The VPN tunnel fails to come up on the PIX Firewall after the ISP changes the IP address for the remote device".

  6. While you troubleshoot, it is good practice to reapply the crypto map to the outside interface and to clear stale Security Associations with the clear crypto sa command on the router and the clear isakmp sa command on the PIX Firewall. Be aware that these commands tear down every existing SA on the device, so all other tunnels are interrupted as well, not only the one under investigation. On a router, clear crypto sa peer x.x.x.x limits the impact to the SAs with a single peer.

  7. On the PIX Firewall, always create two separate access-lists, one referenced by nat 0 and one referenced by the crypto map, rather than pointing both at a single ACL. For a single tunnel the entries of the two lists are identical; only the names differ. Keeping them separate means a later change to the NAT bypass list (for example adding a broader entry) cannot silently change which traffic the crypto map tries to encrypt.

  8. On routers, the NAT ACL is evaluated top-down and processing stops at the first matching entry. The deny statements that exempt interesting (VPN) traffic from translation must therefore come before the permit statement that translates everything else. In the bad configuration below, traffic from 192.168.15.0/24 to 192.168.16.0/24 matches the permit on the second line, is translated, and then no longer matches the crypto ACL, so the third line never takes effect:

    Bad Configuration

    ip access-list extended nonat
    deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
    permit ip 192.168.15.0 0.0.0.255 any
    deny   ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255

    Good Configuration

    ip access-list extended nonat
    deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
    deny   ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
    permit ip 192.168.15.0 0.0.0.255 any
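To make the first-match behaviour concrete, the following Python script is an added example (not part of the original document or of any Cisco tool). It parses the two nonat lists above, applies them with IOS wildcard-mask semantics, and reports whether a given flow would be translated, which is exactly what decides whether the packet can still match the crypto ACL afterwards. The sample ACL text and the test addresses are constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copies of the two IOS "nonat" lists shown in step 8.
BAD_NONAT = """
ip access-list extended nonat
 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
 deny   ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
"""

GOOD_NONAT = """
ip access-list extended nonat
 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
"""

AddrSpec = Tuple[int, int]            # (network, wildcard) as 32-bit ints
Entry = Tuple[str, AddrSpec, AddrSpec]  # (action, source, destination)


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse the 'permit/deny ip <src> <dst>' entries of a named extended ACL."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list"):
            continue
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _parse_addr(parts[2:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def wildcard_match(addr: int, net: int, wildcard: int) -> bool:
    """IOS wildcard: a 1 bit means 'don't care', so only the 0 bits are compared."""
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def first_match(entries: List[Entry], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (1-based line number, action) of the first matching ACE.

    Like the router, stop at the first hit; an ACL with no match ends in an
    implicit deny.
    """
    s, d = _to_int(src), _to_int(dst)
    for idx, (action, (snet, swc), (dnet, dwc)) in enumerate(entries, start=1):
        if wildcard_match(s, snet, swc) and wildcard_match(d, dnet, dwc):
            return idx, action
    return None, "deny"


def will_be_translated(acl_text: str, src: str, dst: str) -> bool:
    """For an 'ip nat inside source list nonat ...' statement a PERMIT means the
    flow is translated; a DENY (explicit or implicit) leaves it untouched so it
    can still match the crypto ACL."""
    _, action = first_match(parse_acl(acl_text), src, dst)
    return action == "permit"


if __name__ == "__main__":
    for label, acl in (("bad", BAD_NONAT), ("good", GOOD_NONAT)):
        for dst in ("10.1.2.5", "192.168.16.20", "198.51.100.7"):
            line, action = first_match(parse_acl(acl), "192.168.15.10", dst)
            print(f"{label:4s} 192.168.15.10 -> {dst:14s} line {line} {action:6s} "
                  f"translated={will_be_translated(acl, '192.168.15.10', dst)}")
```

Run it and the bad list shows the 192.168.16.0/24 flow hitting line 2 (permit, translated), while the good list stops at line 2 as a deny; traffic to 10.1.2.0/24 is exempt in both lists and Internet-bound traffic is translated in both, as intended.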

  9. PFS must be either enabled on both peers or disabled on both peers. Refer to the document "How to configure PFS with IPSec VPN" for more information about PFS.

  10. If the PIX, ASA or router is configured for both LAN-to-LAN tunnels and VPN client access, make sure the dynamic crypto map entry has the highest sequence number so that it is evaluated last. Crypto map entries are evaluated in ascending sequence order and a dynamic entry accepts any peer, so in the bad configuration below the LAN-to-LAN tunnel for peer 2.2.2.2 fails to come up: the device matches the dynamic entry at sequence 20 and never reaches the static entry for 2.2.2.2 at sequence 30. It is always a good idea to give dynamic maps the highest possible sequence number, for example 65535.

BAD configuration

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside

Good configuration

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
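The following Python script is an added example, not part of the original document or of any Cisco software. It parses the crypto map statements above, mimics the sequence-ordered lookup described in step 10 to show which entry would handle a negotiation from peer 2.2.2.2, and lints the map for the two configuration mistakes from steps 1 and 10 (map not bound to an interface, static peer entry shadowed by a lower-numbered dynamic entry). The configuration text is copied from the page; the lint messages are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two configurations from step 10, reproduced as input for the checker.
BAD_MAP = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
"""

GOOD_MAP = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 120
crypto map newmap 30 set peer 2.2.2.2
crypto map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
"""


@dataclass
class MapEntry:
    seq: int
    dynamic: Optional[str] = None          # name of the dynamic-map template, if any
    peers: List[str] = field(default_factory=list)
    acl: Optional[str] = None              # crypto ACL from 'match address'


@dataclass
class CryptoMap:
    name: str
    entries: Dict[int, MapEntry] = field(default_factory=dict)
    interfaces: List[str] = field(default_factory=list)


def parse_crypto_maps(text: str) -> Dict[str, CryptoMap]:
    """Collect 'crypto map <name> ...' lines into per-map, per-sequence entries."""
    maps: Dict[str, CryptoMap] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] != ["crypto", "map"]:
            continue                        # transform-sets, dynamic-maps etc. are ignored
        cmap = maps.setdefault(parts[2], CryptoMap(parts[2]))
        if parts[3] == "interface":
            cmap.interfaces.append(parts[4])
            continue
        seq = int(parts[3])
        entry = cmap.entries.setdefault(seq, MapEntry(seq))
        rest = parts[4:]
        if rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry.dynamic = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry.peers.append(rest[2])
        elif rest[:2] == ["match", "address"]:
            entry.acl = rest[2]
    return maps


def entry_for_peer(cmap: CryptoMap, peer: str) -> Optional[MapEntry]:
    """Walk the entries in ascending sequence order and return the first one that
    can accept a negotiation from this peer. A dynamic entry accepts any peer,
    which is why a low-numbered dynamic entry hides every static entry after it."""
    for seq in sorted(cmap.entries):
        entry = cmap.entries[seq]
        if entry.dynamic is not None or peer in entry.peers:
            return entry
    return None


def lint(text: str) -> List[str]:
    """Report the misconfigurations from steps 1 and 10 of the checklist."""
    findings: List[str] = []
    for cmap in parse_crypto_maps(text).values():
        if not cmap.interfaces:
            findings.append(f"{cmap.name}: crypto map is not bound to any interface")
        dynamic_seqs = [s for s, e in cmap.entries.items() if e.dynamic is not None]
        for seq, entry in sorted(cmap.entries.items()):
            if entry.dynamic is not None:
                continue
            if not entry.peers:
                findings.append(f"{cmap.name} {seq}: static entry has no 'set peer'")
            if entry.acl is None:
                findings.append(f"{cmap.name} {seq}: static entry has no 'match address'")
            shadowing = [d for d in dynamic_seqs if d < seq]
            if shadowing:
                findings.append(
                    f"{cmap.name} {seq}: peer(s) {', '.join(entry.peers)} are shadowed "
                    f"by dynamic entry {min(shadowing)}; move the dynamic entry last")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BAD", BAD_MAP), ("GOOD", GOOD_MAP)):
        cmap = parse_crypto_maps(cfg)["newmap"]
        hit = entry_for_peer(cmap, "2.2.2.2")
        print(f"{label}: peer 2.2.2.2 handled by entry {hit.seq if hit else None}")
        for finding in lint(cfg) or ["no findings"]:
            print("  ", finding)
```

Running it reports that in the bad configuration peer 2.2.2.2 is caught by entry 20 (the dynamic map) and the static entry 30 is flagged as shadowed, while in the good configuration the peer lands on entry 30 and the lint is clean. Adding a further LAN-to-LAN peer as a new static entry below 65535 keeps the check passing, which is the point of reserving the top sequence number for the dynamic map.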


Refer to the document "IP Security Troubleshooting - Understanding and Using debug Commands" for more information on resolving common VPN issues with debug commands.
