S2S vpn help

Hi all,

I have the S2S parameters in both ASA devices. When my interesting traffic is initiated from site A to site B, I am getting show crypto isakmp sa as below:

site a (config)# sh crypto is
site a (config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 207.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

site a (config)# Aug 11 23:19:55 [IKEv1]: IP = 207.x.x.x, Removing peer from peer table failed, no match!
[IKEv1]: IP = 207.x.x.x, Error: Unable to remove PeerTblEntry

But when I check at Site B, I am not receiving the ISAKMP request from site A, but from both sides ping is happening and traceroute is completely perfect.

I have checked the ISAKMP parameters on both sides.

I am just wondering why Site B is not receiving site A's ISAKMP packets. I can see the ping request packets coming from site A at the site B firewall, but I don't find ISAKMP hits. Kindly help me.

7 REPLIES
Cisco Employee

Re: S2S vpn help

#1 Apply captures on the other end and see if you get any packets.

     You should see packets on UDP port 500 from the peer.

     If you do not see them, then contact your ISP and get the ports required for VPN opened: UDP 500, IP 50, 51, UDP 4500.

#2 Also you will need to open these ports on the firewall using an access-list on your outside interface.

      Alternatively, to open the VPN-related ports on your firewall you can give the command

      sysopt connection permit-vpn
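As an added example (not part of this thread and not a Cisco tool), a small Python triage script that parses the "show crypto isakmp sa" output quoted in the question and maps the initiator's stuck state to the next check described in the reply above; the state-to-hint table is an assumption drawn from the IKEv1 main-mode exchange (MM_WAIT_MSGn means waiting for message n), and the sample input below is constructed from the question's output.

```python
"""Triage helper for ASA 'show crypto isakmp sa' output (IKEv1 main mode)."""
import re
from typing import Dict, List

# Assumed interpretation of each state, from the IKEv1 main-mode exchange:
# MM_WAIT_MSGn means this side sent message n-1 and is waiting for message n.
STATE_HINTS: Dict[str, str] = {
    "MM_WAIT_MSG2": "MM1 sent, no MM2 received: peer never answered. Confirm "
                    "UDP/500 from this host reaches the peer's outside "
                    "interface (capture on both ends).",
    "MM_WAIT_MSG4": "SA proposal accepted, waiting for the peer's KE/nonce.",
    "MM_WAIT_MSG6": "Waiting for peer authentication; check the pre-shared "
                    "key and peer identity on both sides.",
    "MM_ACTIVE": "Phase 1 is up.",
}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

# Constructed sample, masked like the output in the question.
SAMPLE = """   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 207.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one record per 'IKE Peer' block with peer, role and state."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:  # a new SA block starts at the 'IKE Peer:' line
            current = {"peer": m.group(1), "role": "", "state": ""}
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := ROLE_RE.search(line)):
            current["role"] = m.group(1)
        if (m := STATE_RE.search(line)):
            current["state"] = m.group(1)
    return entries

def diagnose(text: str) -> List[str]:
    """Map each SA's state to the next troubleshooting step."""
    out = []
    for e in parse_isakmp_sa(text):
        hint = STATE_HINTS.get(e["state"], "Unrecognised state; collect debug crypto isakmp.")
        out.append(f"{e['peer']} ({e['role']}, {e['state']}): {hint}")
    return out

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```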

Re: S2S vpn help

Hi,

Thanks for your reply. When I give debug crypto isakmp sa I am getting the following messages:

e5t-pf-sprint(config)# Aug 12 00:16:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 00:16:22 [IKEv1]: IP = 207.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 207.x.xx  local Proxy Address .x98.x.x, remote Proxy Address x.x.x.0,  Crypto map
Aug 12 00:16:22 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Aug 12 00:16:22 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 12 00:16:22 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 12 00:16:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 00:16:24 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 12 00:16:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
+ NONE (0) total length : 108
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.x.x.x, IKE MM Initiator FSM error history (struct &0x5085a20)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.0.x.x, IKE SA MM:15e2aabd terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.x.x, sending delete/delete with reason message
Aug 12 00:16:54 [IKEv1]: IP = 207.x.x.x, Removing peer from peer table failed, no match!
Aug 12 00:16:54 [IKEv1]: IP = 207.x.x.x, Error: Unable to remove PeerTblEntry

What does the FSM error history mean?

I will post you the capture commands. I have enabled sysopt connection permit-vpn. Could you help me over here?

Cisco Employee

Re: S2S vpn help

These look like debugs from site A... can you paste the debugs from site B?

Re: S2S vpn help

Site B is not receiving site A's ISAKMP handshaking traffic. Similarly, my ISP link is directly terminated on the site A firewall's outside interface. I am wondering why site B is not receiving the ISAKMP traffic.

How do I do a capture for the outside interface?

Cisco Employee

Re: S2S vpn help

access-list capout extended permit ip host host

access-list capout extended permit ip host host

capture capo interface outside access-list capout

I think it could well be the ISP blocking it.

Do you have any other active tunnels on site B?

Re: S2S vpn help

Yes, I have an active tunnel connection to another location at site B.

Similarly, I have done the capture command for the outside interface and I don't see any traffic for 500 being received by my firewall or being sent out by my firewall. I have bound the capture ACL to the inbound direction of the outside interface.

Similarly, by using my ISP connection I can use the VPN dialer to connect to my HO.

Cisco Employee

Re: S2S vpn help

If this issue is still unresolved, can you paste the config from both ends?
