
New Member

ASA 5520 / IPSEC Tunnel Not Working

I have an ASA 5520 with 3 IPSEC tunnels configured. Two of them work and the latest one I'm trying to configure doesn't seem to come up. What I am doing is setting up a Vlan on my location and a different Vlan on the remote side. I have a Cisco MWR 2941 that connects to the ASA 5520 on my local side and ASA 5510's at each remote location with 2941's on the other side of them. Each remote location has an individual IPSEC tunnel coming from the 5520 going to the 5510's using cryptomaps. The latest link I am trying to configure isn't coming up. From what I can see this is set up the exact same way as the others but I cannot reach my equipment on the other side. Here is a printout of the Debug Crypto Isakmp.

YPG-ASA5520-1(config)# debug crypto isakmp 127
YPG-ASA5520-1(config)# May 05 10:34:55 [IKEv1]: IP = 131.120.38.2, IKE_DECODE RECEIVED Message (msgid=6d04191a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing hash payload
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing notify payload
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Received keep-alive of type DPD R-U-THERE (seq number 0x45031ca9)
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x45031ca9)
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing blank hash payload
May 05 10:34:55 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing qm hash payload
May 05 10:34:55 [IKEv1]: IP = 131.120.38.2, IKE_DECODE SENDING Message (msgid=88a9f9e1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:05 [IKEv1]: IP = 131.120.38.2, IKE_DECODE RECEIVED Message (msgid=4eb936e2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing hash payload
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing notify payload
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Received keep-alive of type DPD R-U-THERE (seq number 0x45031caa)
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x45031caa)
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing blank hash payload
May 05 10:35:05 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing qm hash payload
May 05 10:35:05 [IKEv1]: IP = 131.120.38.2, IKE_DECODE SENDING Message (msgid=4903eb50) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:15 [IKEv1]: IP = 131.120.38.2, IKE_DECODE RECEIVED Message (msgid=97fd85fc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing hash payload
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing notify payload
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Received keep-alive of type DPD R-U-THERE (seq number 0x45031cab)
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x45031cab)
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing blank hash payload
May 05 10:35:15 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing qm hash payload
May 05 10:35:15 [IKEv1]: IP = 131.120.38.2, IKE_DECODE SENDING Message (msgid=fbee214f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:25 [IKEv1]: IP = 131.120.38.2, IKE_DECODE RECEIVED Message (msgid=bc8eb9d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing hash payload
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, processing notify payload
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Received keep-alive of type DPD R-U-THERE (seq number 0x45031cac)
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x45031cac)
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing blank hash payload
May 05 10:35:25 [IKEv1 DEBUG]: Group = 131.120.38.2, IP = 131.120.38.2, constructing qm hash payload
May 05 10:35:25 [IKEv1]: IP = 131.120.38.2, IKE_DECODE SENDING Message (msgid=2b07bd6d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

20 REPLIES

Re: ASA 5520 / IPSEC Tunnel Not Working

Joseph,

Does this new tunnel that is not coming up have a conflicting IP scheme with any of the previous two working tunnels?

You mentioned that the configuration is exactly the same as the previous tunnels?

What is the status of:

sh cry isa sa

sh cry ip sa

For this particular peer?

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

We build an access list pointing our local network 10.10.10.0/24 to each individual network at the remote ends. One cryptomap tunnel goes to 10.10.20.0/24, the other to 10.10.30.0/24 and the latest one to 10.10.40.0/24. But the actual IPSEC tunnels are being routed over completely different IP networks that do not match the 10.10's. Basically we are hiding these two networks through a completely different IP network using Point to Point IPSEC tunnels.

YPG-ASA5520-1# sh cry isa sa

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 140.32.167.58
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 140.32.171.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 131.120.38.2                 <~~~~~~~~~~~~~~~~~~~~~~~~~~ This is the one not working
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

YPG-ASA5520-1# sh cry ip sa
interface: outside
    Crypto map tag: outside_map, seq num: 3, local addr: 6.7.0.13

      access-list outside_3_cryptomap permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
      current_peer: 131.120.38.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.7.0.13, remote crypto endpt.: 131.120.38.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FABB7EEB

    inbound esp sas:
      spi: 0x6BC3D086 (1807995014)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1331200, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27620)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFABB7EEB (4206591723)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1331200, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27619)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Re: ASA 5520 / IPSEC Tunnel Not Working

Phase 1 is being established and also phase 2, but no traffic is passing through yet.

I don't see any attempts or errors of packets between 10.10.10.0/24 and 10.40.10.0/24

Can you try a PING between those networks and see if the ''sh cry ips sa'' changes?

Have you verified that on the remote site (10.40.10.0/24), ESP is not being blocked by a local Firewall or by the ISP?

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

I tried to ping with no success; on the sh cry ips sa it still shows no packets going through. I also have a tunnel configured with the source the 10.10.10 interface on my side and the destination 10.10.40 on the remote side, so as soon as the connection comes up my tunnel should come online. I spoke with the network personnel on the remote end and they assured me the firewall is opened up and allowing all IPSEC ports and protocols and I should be able to connect.

Re: ASA 5520 / IPSEC Tunnel Not Working

Joseph,

You attached the ''debug crypto isakmp 127'' but phase 1 is fine.

Could you post the ''debug cry ipsec 127'' to check what's the problem with phase 2?

Optionally, can you get any logs from the remote site as well?

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

I can work with the techs to get some printouts from the other side. I don't seem to be getting any information back when running Debug Crypto Ipsec 127?

Re: ASA 5520 / IPSEC Tunnel Not Working

Can you drop that particular tunnel and attempt to establish it again, and see if you get output from debug cry ips 127?

And post the debugs from the other side if possible please.

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

Federico,

I completely erased the tunnel and cryptomap for this peer and rebuilt it. I get a printout when I finish the config and I put it below, but I am still not getting a printout from debug crypto ipsec 127. The techs on the remote end are working on getting me some printouts but it may be tomorrow before I get them.

YPG-ASA5520-1(config)# IPSEC: New embryonic SA created @ 0xCD0B7CD8,
    SCB: 0xCC4C85F8,
    Direction: inbound
    SPI      : 0x2836656E
    Session ID: 0x00272000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xCD0FBB28,
    SCB: 0xCC4C7538,
    Direction: outbound
    SPI      : 0xEBFD2CA2
    Session ID: 0x00272000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xEBFD2CA2
IPSEC: Creating outbound VPN context, SPI 0xEBFD2CA2
    Flags: 0x00000005
    SA   : 0xCD0FBB28
    SPI  : 0xEBFD2CA2
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x2C588309
    Channel: 0xC8E96580
IPSEC: Completed outbound VPN context, SPI 0xEBFD2CA2
    VPN handle: 0x003FB714
IPSEC: New outbound encrypt rule, SPI 0xEBFD2CA2
    Src addr: 10.10.10.0
    Src mask: 255.255.255.0
    Dst addr: 10.10.40.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xEBFD2CA2
    Rule ID: 0xCD0055E8
IPSEC: New outbound permit rule, SPI 0xEBFD2CA2
    Src addr: 6.7.0.13
    Src mask: 255.255.255.255
    Dst addr: 131.120.38.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEBFD2CA2
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xEBFD2CA2
    Rule ID: 0xCD107000
IPSEC: Completed host IBSA update, SPI 0x2836656E
IPSEC: Creating inbound VPN context, SPI 0x2836656E
    Flags: 0x00000006
    SA   : 0xCD0B7CD8
    SPI  : 0x2836656E
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x003FB714
    SCB  : 0x2C539503
    Channel: 0xC8E96580
IPSEC: Completed inbound VPN context, SPI 0x2836656E
    VPN handle: 0x003FD2B4
IPSEC: Updating outbound VPN context 0x003FB714, SPI 0xEBFD2CA2
    Flags: 0x00000005
    SA   : 0xCD0FBB28
    SPI  : 0xEBFD2CA2
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x003FD2B4
    SCB  : 0x2C588309
    Channel: 0xC8E96580
IPSEC: Completed outbound VPN context, SPI 0xEBFD2CA2
    VPN handle: 0x003FB714
IPSEC: Completed outbound inner rule, SPI 0xEBFD2CA2
    Rule ID: 0xCD0055E8
IPSEC: Completed outbound outer SPD rule, SPI 0xEBFD2CA2
    Rule ID: 0xCD107000
IPSEC: New inbound tunnel flow rule, SPI 0x2836656E
    Src addr: 10.10.40.0
    Src mask: 255.255.255.0
    Dst addr: 10.10.10.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x2836656E
    Rule ID: 0xCCE42E48
IPSEC: New inbound decrypt rule, SPI 0x2836656E
    Src addr: 131.120.38.2
    Src mask: 255.255.255.255
    Dst addr: 6.7.0.13
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2836656E
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x2836656E
    Rule ID: 0xCCE42EE0
IPSEC: New inbound permit rule, SPI 0x2836656E
    Src addr: 131.120.38.2
    Src mask: 255.255.255.255
    Dst addr: 6.7.0.13
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2836656E
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x2836656E
    Rule ID: 0xCD0FB860

YPG-ASA5520-1(config)#
YPG-ASA5520-1(config)# exit
YPG-ASA5520-1# debug crypto ipsec ?

  <1-255>  Specify an optional debug level (default is 1)
 
YPG-ASA5520-1# debug crypto ipsec 127
YPG-ASA5520-1#

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

This must be the Debug IPSEC; it doesn't come very often, maybe every 10-15 minutes.

YPG-ASA5520-1# IPSEC: Deleted inbound decrypt rule, SPI 0xAC525918
    Rule ID: 0xCCE42E88
IPSEC: Deleted inbound permit rule, SPI 0xAC525918
    Rule ID: 0xCD0FB978
IPSEC: Deleted inbound tunnel flow rule, SPI 0xAC525918
    Rule ID: 0xCD0BF1B8
IPSEC: Deleted inbound VPN context, SPI 0xAC525918
    VPN handle: 0x00400DCC
IPSEC: Deleted outbound encrypt rule, SPI 0x883621DD
    Rule ID: 0xCD1F1DE0
IPSEC: Deleted outbound permit rule, SPI 0x883621DD
    Rule ID: 0xCD1F71E8
IPSEC: Deleted outbound VPN context, SPI 0x883621DD
    VPN handle: 0x003FEF8C
IPSEC: New embryonic SA created @ 0xCD0FBB28,
    SCB: 0xCD0FD678,
    Direction: inbound
    SPI      : 0xC3B0E7CA
    Session ID: 0x00274000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xCD0FAFF0,
    SCB: 0xCD0055E8,
    Direction: outbound
    SPI      : 0x8A31F8C5
    Session ID: 0x00274000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x8A31F8C5
IPSEC: Creating outbound VPN context, SPI 0x8A31F8C5
    Flags: 0x00000005
    SA   : 0xCD0FAFF0
    SPI  : 0x8A31F8C5
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x3428525B
    Channel: 0xC8E96580
IPSEC: Completed outbound VPN context, SPI 0x8A31F8C5
    VPN handle: 0x004028C4
IPSEC: New outbound encrypt rule, SPI 0x8A31F8C5
    Src addr: 10.10.10.0
    Src mask: 255.255.255.0
    Dst addr: 10.10.40.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x8A31F8C5
    Rule ID: 0xCD1F1DE0
IPSEC: New outbound permit rule, SPI 0x8A31F8C5
    Src addr: 6.7.0.13
    Src mask: 255.255.255.255
    Dst addr: 131.120.38.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8A31F8C5
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x8A31F8C5
    Rule ID: 0xCCE67330
IPSEC: Completed host IBSA update, SPI 0xC3B0E7CA
IPSEC: Creating inbound VPN context, SPI 0xC3B0E7CA
    Flags: 0x00000006
    SA   : 0xCD0FBB28
    SPI  : 0xC3B0E7CA
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x004028C4
    SCB  : 0x3421DE17
    Channel: 0xC8E96580
IPSEC: Completed inbound VPN context, SPI 0xC3B0E7CA
    VPN handle: 0x00405AA4
IPSEC: Updating outbound VPN context 0x004028C4, SPI 0x8A31F8C5
    Flags: 0x00000005
    SA   : 0xCD0FAFF0
    SPI  : 0x8A31F8C5
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00405AA4
    SCB  : 0x3428525B
    Channel: 0xC8E96580
IPSEC: Completed outbound VPN context, SPI 0x8A31F8C5
    VPN handle: 0x004028C4
IPSEC: Completed outbound inner rule, SPI 0x8A31F8C5
    Rule ID: 0xCD1F1DE0
IPSEC: Completed outbound outer SPD rule, SPI 0x8A31F8C5
    Rule ID: 0xCCE67330
IPSEC: New inbound tunnel flow rule, SPI 0xC3B0E7CA
    Src addr: 10.10.40.0
    Src mask: 255.255.255.0
    Dst addr: 10.10.10.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xC3B0E7CA
    Rule ID: 0xCD1F71E8
IPSEC: New inbound decrypt rule, SPI 0xC3B0E7CA
    Src addr: 131.120.38.2
    Src mask: 255.255.255.255
    Dst addr: 6.7.0.13
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xC3B0E7CA
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xC3B0E7CA
    Rule ID: 0xCC4C7538
IPSEC: New inbound permit rule, SPI 0xC3B0E7CA
    Src addr: 131.120.38.2
    Src mask: 255.255.255.255
    Dst addr: 6.7.0.13
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xC3B0E7CA
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xC3B0E7CA
    Rule ID: 0xCD14FDC0

Re: ASA 5520 / IPSEC Tunnel Not Working

I really don't see the error from the debugs.

Could you get the sh cry ips sa from the remote end?

We see this:

These are the proxy identities that generate the VPN traffic:

    Src addr: 10.10.40.0
    Src mask: 255.255.255.0
    Dst addr: 10.10.10.0
    Dst mask: 255.255.255.0

These are the public IPs where the tunnel establishes:

    Src addr: 6.7.0.13
    Src mask: 255.255.255.255
    Dst addr: 131.120.38.2
    Dst mask: 255.255.255.255

Is 6.7.0.13 your public IP?

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

Yes, and 131.120.38.2 is the public IP on the remote end. Hopefully I will have the prints tomorrow and I will post them for you.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

Federico,

Here are some prints from the remote end. They told me when they tried to run the debugs the router "didn't like them"; not sure what that meant, I will try to get some more clarification when I talk to them. I see the remote end is showing packets.

NPS-ASA5510# show crypto ipsec sa
interface: outside
  Crypto map tag: outside_map, seq num: 10, local addr: 131.120.38.2

    access-list outside_1_cryptomap permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
    local ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
    current_peer: 6.7.0.13

    #pkts encaps: 453, #pkts encrypt: 453, #pkts digest: 453
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 453, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 131.120.38.2, remote crypto endpt.: 6.7.0.13

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 9B419E69

  inbound esp sas:
    spi: 0xFF5DA91C (4284328220)
       transform: esp-des esp-sha-hmac no compression
       in use settings ={L2L, Tunnel, }
       slot: 0, conn_id: 1675264, crypto-map: outside_map
       sa timing: remaining key lifetime (kB/sec): (4374000/27624)
       IV size: 8 bytes
       replay detection support: Y
       Anti replay bitmap:
        0x00000000 0x00000001
  outbound esp sas:
    spi: 0x9B419E69 (2604768873)
       transform: esp-des esp-sha-hmac no compression
       in use settings ={L2L, Tunnel, }
       slot: 0, conn_id: 1675264, crypto-map: outside_map
       sa timing: remaining key lifetime (kB/sec): (4373973/27624)
       IV size: 8 bytes
       replay detection support: Y
       Anti replay bitmap:
        0x00000000 0x00000001

NPS-ASA5510# show cryp
NPS-ASA5510# show crypto isa
NPS-ASA5510# show crypto isakmp 12
NPS-ASA5510# show crypto isakmp 127
                              ^
ERROR: % Invalid input detected at '^' marker.
NPS-ASA5510# show cryp
NPS-ASA5510# show crypto isa
NPS-ASA5510# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 6.7.0.13
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

NPS-ASA5510#

Re: ASA 5520 / IPSEC Tunnel Not Working

Joseph,

From the output on the remote site, it seems they're sending packets through the tunnel but not receiving anything back.

(This normally indicates a configuration problem on your side.)

You need to check if your ASA is receiving packets from their side (sh cry ips sa)  --> we tried this last time and no output

I will do this:

1. Clear the tunnel on both ends

2. Initiate traffic from the remote site towards your internal 10.10.10.0/24

3. Check that the tunnel comes up and on the remote end you see the packets encrypted incrementing every time (you're seeing no packets decrypted)

4. Check that on your side, the crypto packets are being received

Some things can happen here:

If your ASA is decrypting the crypto packets but not encrypting back (we need to check your side)

If your ASA is not receiving crypto packets for this peer (there might be a block ESP on their ISP)

Also,

Do the same test, but initiating traffic from your ASA (you should see packets encrypted incrementing and same thing applies to other end).

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

I will work with them today to reconfigure the boxes. If something is being blocked on their end how would I know what it is? I guess my main question is, to support an IPSEC tunnel like this, what would they have to have opened up in their firewall to allow this traffic to go through?

Re: ASA 5520 / IPSEC Tunnel Not Working

If after clearing the tunnel on both ends, and then trying to establish the tunnel, you still see that they send the packets but you're not receiving, it is because the ESP packets are being blocked before reaching your ASA.

This could be a Firewall on their end, but if they say there are no filters on their side, perhaps it is the ISP not allowing ESP.

With those tests we can determine what's happening.

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

I spoke with the techs on the far side; they were pretty sure Protocol 50 and 51 (ESP, AH) are not opened on their firewall. They are going to have those opened before rebuilding the config.

Re: ASA 5520 / IPSEC Tunnel Not Working

Ok Joseph,

Please keep us posted.

Federico.

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

Federico,

I have been assured by the remote side all ports and protocols have been opened. The remote end is working on reconfiguring their box and sending us printouts. Here is the show crypto ipsec sa I am getting from my side. Please explain to me why I have pkts decaps, decrypts and verifys but no encaps, encrypts or digests?

YPG-ASA5520-1# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 3, local addr: 6.7.0.13

      access-list outside_3_cryptomap permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
      current_peer: 131.120.38.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 237, #pkts decrypt: 237, #pkts verify: 237
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.7.0.13, remote crypto endpt.: 131.120.38.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 58D5F047

    inbound esp sas:
      spi: 0xDC49F53C (3695834428)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 53248, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914985/28168)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFEFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x58D5F047 (1490415687)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 53248, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28167)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Re: ASA 5520 / IPSEC Tunnel Not Working

Hi Joseph,

On your previous output (days ago), you had packets both encrypted/decrypted for the tunnel to peer 131.120.38.2

Now, on your latest post, there are no packets encrypted, only decrypted.

This means that your side is not sending any traffic through the tunnel.

Your side is receiving packets (decrypting), which says the VPN tunnel is setup correctly, but no traffic is being sent (encrypting).

Normally, I would say this is a routing problem or filtering problem.

I'm not sure what else has changed on both sides.

Could you possibly post both current configurations so we can check exactly what's happening?

Federico.
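An added example, not code from the thread: a small Python parser that reads the counter lines from both ends' ''show crypto ipsec sa'' plus the ''show crypto isakmp sa'' state and classifies a one-way tunnel the way Federico's four steps and his reading of the encaps/decaps counters do. The sample excerpts are copied from the outputs posted above (5520 at 6.7.0.13, 5510 at 131.120.38.2); the function names and result codes are my own.

```python
import re

# Excerpts copied from the outputs posted in this thread, trimmed to the
# lines the parser needs. LOCAL_EARLY/LOCAL_LATE are the 5520's two snapshots,
# REMOTE is the 5510's, ISAKMP is the 5520's "sh cry isa sa".
LOCAL_EARLY = """\
      current_peer: 131.120.38.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
LOCAL_LATE = """\
      current_peer: 131.120.38.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 237, #pkts decrypt: 237, #pkts verify: 237
"""
REMOTE = """\
    current_peer: 6.7.0.13
    #pkts encaps: 453, #pkts encrypt: 453, #pkts digest: 453
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ISAKMP = """\
1   IKE Peer: 140.32.167.58
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 131.120.38.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
IKE_PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def parse_ipsec_sa(text):
    """Map each current_peer in 'show crypto ipsec sa' output to its
    encaps (outbound ESP) and decaps (inbound ESP) packet counters."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0})
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return peers


def parse_isakmp_sa(text):
    """Map each IKE peer in 'show crypto isakmp sa' output to its phase 1 state."""
    states, peer = {}, None
    for line in text.splitlines():
        m = IKE_PEER_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        m = STATE_RE.search(line)
        if m and peer:
            states[peer] = m.group(1)
    return states


def diagnose(local_sa, remote_sa, isakmp, remote_ip, local_ip):
    """Classify the tunnel from both ends' counters: encaps on one end with
    no decaps on the other means ESP is dropped in transit; decaps without
    encaps means that end never puts traffic into the tunnel (routing or
    filtering on that side), as explained in the thread."""
    if parse_isakmp_sa(isakmp).get(remote_ip) != "MM_ACTIVE":
        return "phase1_down"
    local = parse_ipsec_sa(local_sa).get(remote_ip)
    remote = parse_ipsec_sa(remote_sa).get(local_ip)
    if local is None or remote is None:
        return "no_phase2_sa"
    if not any(local.values()) and not any(remote.values()):
        return "idle"  # SA built, but nothing matched the crypto ACL yet
    if remote["encaps"] > 0 and local["decaps"] == 0:
        return "esp_blocked_toward_local"   # proto 50 dropped on the way to us
    if local["encaps"] > 0 and remote["decaps"] == 0:
        return "esp_blocked_toward_remote"
    if local["decaps"] > 0 and local["encaps"] == 0:
        return "local_not_sending"          # we decrypt but never encrypt
    if remote["decaps"] > 0 and remote["encaps"] == 0:
        return "remote_not_sending"
    return "bidirectional"
```

Run against the thread's two 5520 snapshots, the first pairing yields esp_blocked_toward_local (the firewall later found to drop protocol 50/51) and the second local_not_sending, which is the asymmetry Federico points out in the post above.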

New Member

Re: ASA 5520 / IPSEC Tunnel Not Working

The problem has been solved. The issue was on the remote side: their firewall was restricting AH packets. Thank you for all your help on this matter.
