
Site to Site VPN connected but no traffic passing

Adam Coombs
Level 1

Ok, I need some help please with a problem with a site-to-site VPN.

Ok, well we have an ASA5520 using asa825-k8.bin that connects to another company's site-to-site VPN tunnel. It is working fine, no issue, until the other company changes the connection from their current firewall to a new firewall with a new IOS and a different public IP address.

The problem is when we try to get the new tunnel up with the new public IP address and the new PSK, but using the same internal IP address and group policy: no traffic will pass, no pinging or traceroute from our side.

The other company made a few routing changes on their side but nothing works.

What commands could I use to find out whether the issue is on my side or on the other company's side?

16 Replies

Roger Base
Level 1

Paste your config to this page.

Well, this firewall has multiple site-to-site VPN tunnels.

What are the commands I can run to show just this tunnel?

Thank you for the help in advance.

Hi Highlander,

 

First try to ping the destination peer IP address (the new address) from your ASA. If that works, then connectivity is fine. Then check the crypto ACL / no-NAT policies, which would not have changed, since you just changed the peer IP.

 

Check that the isakmp/ikev1/2/tunnel-group configurations have the peer IP configured with the new address.

Make sure the old IP address on the device for isakmp/ikev1/2/tunnel-group is removed and cleared.

Initiate the interesting traffic and check that phase 1 comes up. If that is okay, then go and check phase 2. Clear the ISAKMP and IPsec peers at both ends and try once; it should work.

Regards

Karthik

Well, from my ASA device I can ping the new public IP address no problem. They can ping our public IP address, which has not changed.

When the tunnel comes up I can't ping anything through that tunnel.

1   IKE Peer: public ip address 
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
 

How do you check phase 1 and phase 2?

How do you clear ISAKMP?
 

Thank you for the help in advance.

Hi,

 

To check phase 1: sh crypto isakmp sa

To check phase 2: sh crypto ipsec sa

 

As I see it, your phase 1 is up and your end is the responder, since the traffic is initiated from the other end. No issues there.

We need to check phase 2. Can you paste the crypto ACL used for this phase 2?

 

Outputs required:

sh crypto isakmp sa

sh crypto ipsec sa peer <peer ip>

sh runn tunnel-group <peer ip address>

sh runn crypto ikev1 and sh runn crypto ikev2

sh runn crypto ipsec

sh runn crypto map | in <name of crypto map>

sh runn access-list <name of crypto acl>

sh runn nat

 

Your LAN subnet info and remote LAN info.

 

Regards

Karthik

Ok, I have a maintenance window to try this Wednesday night.

I pasted that from my notes from when we got it connected the first time. We always seem to be the responder.

I will get all these commands run on my side and have the other guy run them on his side.

Thank you very much for the list of commands to run!!

Thank you in advance for your help.

 

Show run will help us to help you. 

Well, I wish I could do a show run on this firewall; that config text would be a couple of pages long.

That is why I was asking for specific commands to use to help me. Sorry, I am new at this, but this project was put on me to figure out. I don't know very much about site-to-site setup; that is why I used the ASDM wizard.

Adam Coombs
Level 1

Ok, here is an update on the problem I am having.

1.1.1.1 is the other company network 

2.2.2.2 is my network 

 

I used ASDM and went to
Configuration > Site-to-Site VPN > Advanced > Crypto Maps.
We used the same tunnel that is working and changed the Peer Setting:
removed the old IP address and added the new IP address.
When I checked the connection profiles, the old connection had disappeared,
so I went back to the crypto map peer setting and added the old IP address back in there;
the connection profile came back.

It did not work; I could not get phase 1 to work at all.
This is the error message I see:
Group = 1.1.1.1, IP = 1.1.1.1, Can't find a valid tunnel group, aborting...!
Aug 13 2014 16:32:40: %ASA-7-715065: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x725cd4e8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG5, EV_GROUP_LOOKUP-->MM_BLD_MSG5, EV_TEST_CERT-->MM_BLD_MSG5, EV_SECRET_KEY_OK-->MM_BLD_MSG5, NullEvent-->MM_BLD_MSG5, EV_GEN_SECRET_KEY-->MM_WAIT_MSG4, EV_PROCESS_MSG-->MM_WAIT_MSG4, EV_RCV_MSG
Aug 13 2014 16:32:40: %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:6696bf2a terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Aug 13 2014 16:32:40: %ASA-7-713906: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Aug 13 2014 16:32:40: %ASA-4-713903: IP = 1.1.1.1, Header invalid, missing SA payload! (next payload = 4)

I restored the old tunnel back to the previous config and added a new tunnel config.
I did not remove the old tunnel.

In ASDM I created a new tunnel with the new IP address, same local and remote groups, same group policy, same filter. Instantly phase 1 completed.
Phase 2 is working but not working: I can receive data but I can't send out any data.

Crypto map tag: outside_map, seq num: 4, local addr: 2.2.2.2

      access-list outside_4_cryptomap extended permit ip 10.48.0.0 255.255.252.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.48.0.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0CA9CEC6
      current inbound spi : 83DEBAD1

    inbound esp sas:
      spi: 0x83DEBAD1 (2212412113)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 7069696, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373996/28693)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00007FFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0CA9CEC6 (212455110)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 7069696, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28693)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 1.1.1.1
crypto map outside_map 4 set transform-set ESP-AES-128-SHA

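The counters posted above already tell the story Karthik's next question is chasing: the inbound SA has decrypted 46 packets (the remote peer is encrypting and sending), while encaps on the outbound SA stays at 0, so this ASA never puts its own traffic into the tunnel. That pattern points at the local side (NAT exemption, crypto ACL, or routing), not at the peer. The following Python script is an added example, not part of the thread or of any Cisco tool: it parses one `show crypto ipsec sa` entry (a constructed sample reproducing the selectors and counters posted above), labels the SA as bidirectional, receive-only, send-only or idle, and prints a hint on where to look next. The hint text is my own wording, not ASA output, and the `split_sa_entries` helper assumes that each entry in a full `show crypto ipsec sa` listing starts with a `Crypto map tag:` line, as in the output above.

```python
"""Triage Cisco ASA 'show crypto ipsec sa' output for one-way traffic."""
import re

# Constructed sample reproducing the thread's output: local 10.48.0.0/22,
# remote 10.20.0.0/16, 0 packets encapsulated, 46 decapsulated.
SAMPLE_IPSEC_SA = """\
Crypto map tag: outside_map, seq num: 4, local addr: 2.2.2.2

      access-list outside_4_cryptomap extended permit ip 10.48.0.0 255.255.252.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.48.0.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
      #send errors: 0, #recv errors: 0
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
_IDENT = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
_PEER = re.compile(r"current_peer: ([\d.]+)")
_ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")

# Hints are this example's own wording (assumption: where a practitioner looks next).
HINTS = {
    "receive-only": ("Peer encrypts but this ASA never encapsulates: check that the NAT "
                     "exemption (nat 0 / identity NAT) covers {local} -> {remote}, that the "
                     "route for {remote} leaves the crypto map interface, and run packet-tracer "
                     "from a {local} host to {remote} to see which phase drops it."),
    "send-only": ("This ASA encapsulates but never decapsulates: the remote side is not "
                  "sending, so check its crypto ACL, NAT exemption and routing for "
                  "{remote} -> {local}."),
    "idle": "No packets either way: nothing has matched the crypto ACL yet.",
    "bidirectional": "Packets flow both ways; if hosts still cannot talk, look at ACLs or host firewalls.",
}


def split_sa_entries(text):
    """Split a full listing into per-tunnel entries, one per 'Crypto map tag:' line."""
    parts = re.split(r"(?m)^(?=Crypto map tag:)", text)
    return [p for p in parts if p.strip()]


def parse_ipsec_sa(text):
    """Extract selectors, peer and per-direction packet counters from one entry."""
    sa = {"counters": {}, "ident": {}}
    for name, value in _COUNTER.findall(text):
        sa["counters"][name] = int(value)
    for side, addr, mask in _IDENT.findall(text):
        sa["ident"][side] = f"{addr}/{mask}"
    m = _PEER.search(text)
    sa["peer"] = m.group(1) if m else None
    m = _ERRORS.search(text)
    sa["send_errors"], sa["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return sa


def classify_direction(sa):
    """Label the SA by which direction actually carries packets."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if dec and not enc:
        return "receive-only"
    if enc and not dec:
        return "send-only"
    return "idle"


def triage(text):
    """Parse one SA entry and return a verdict plus a where-to-look hint."""
    sa = parse_ipsec_sa(text)
    verdict = classify_direction(sa)
    names = {"local": sa["ident"].get("local", "?"), "remote": sa["ident"].get("remote", "?")}
    return {
        "peer": sa["peer"],
        "local": names["local"],
        "remote": names["remote"],
        "verdict": verdict,
        "hint": HINTS[verdict].format(**names),
        "errors": (sa["send_errors"], sa["recv_errors"]),
    }


if __name__ == "__main__":
    for entry in split_sa_entries(SAMPLE_IPSEC_SA):
        for key, value in triage(entry).items():
            print(f"{key}: {value}")
```

Run it against the pasted output of `sh crypto ipsec sa peer 1.1.1.1`; a "receive-only" verdict on an SA whose phase 1 is MM_ACTIVE is the signature of a working tunnel that the local firewall is simply not using, which is why the next questions in the thread are about the NAT exemption and packet-tracer rather than about the peer.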
 

Hi ,

 

Can you check that your no-NAT configuration is in place for this tunnel? Or get me a WebEx session or some other kind of remote session so we can solve the issue.

Regards

Karthik

Well, I don't know about the no-NAT rule.

The only NAT rule I know about is the exemption for the remote and local networks that are in the site-to-site tunnel:

nat exempt outbound traffic from inside (default)

 

No-NAT and NAT exempt are the same thing, just different terms.

 

Regards

Karthik

Ok, cool, well then it is a NAT exempt rule for the remote and local networks on that tunnel.

Does packet tracer on the firewall tell you whether it is an ACL or a NAT problem when the tunnel is not working correctly?

I did a packet tracer on the working old tunnel but did not think about doing it on the new tunnel at that time.

 

Yeah, you can do packet tracer and check the VPN; you are also generating interesting traffic when you do that.

 

Regards

Karthik
