Site to Site VPN Issue

TXITGUY9000
Level 1

Hi Everyone,

I am having trouble getting my site-to-site VPN working. It shows the tunnel is initiated on both sides, but I cannot ping across to any of the subnets.

One is an ASA5510 (8.2), the other an ASA5505 (8.2).

I am sure I'm missing something simple, but I just can't seem to figure it out.

Here is my code:

ASA5505 (OFFICE)

ASA5505# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28750
ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA5505
domain-name .LOCAL
enable password l6TfH6cW.FyTs0Rc encrypted
passwd zsGJHLUedCLLSkmz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description Connection to Switch
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Untangle Link
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.0.0.1 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name .LOCAL
object-group network -IP
 network-object host 64.40.115.156
 network-object host 64.40.115.157
 network-object host 64.40.115.158
 network-object host 64.40.115.155
object-group network VPN-INSIDE-IP
 network-object host 192.168.10.4
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 104.0.0.1 eq 81
access-list inbound extended permit tcp any host 104.0.0.1 eq 5000
access-list inbound extended permit tcp any host 104.0.0.1 eq 85
access-list inbound extended permit tcp any host 104.0.0.1 eq 6690
access-list inbound extended permit tcp any host 104.0.0.1 eq 5222
access-list inbound extended permit tcp object-group IP host 104.0.0.1 eq 8351
access-list inbound extended permit tcp host 209.0.0.1 host 104.0.0.1 eq 3389
access-list inbound extended permit udp any host 104.0.0.2 eq 1194
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list splittunnel standard permit 192.168.99.0 255.255.255.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.5.1-192.168.5.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 104.0.0.2 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.99.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.99.253 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.99.252 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6690 192.168.99.12 6690 netmask 255.255.255.255
static (inside,outside) tcp interface 8500 192.168.10.5 8500 netmask 255.255.255.255
static (inside,outside) tcp interface 8351 192.168.20.7 8351 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 5222 192.168.20.19 5222 netmask 255.255.255.255
static (inside,outside) udp 104.11.119.180 1194 192.168.10.5 1194 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 104.0.0.10 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.20.16
 key *****
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.99.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
snmp-server group v3group v3 auth
snmp-server user v3user v3group v3 encrypted auth md5 8f:e2:21:74:8e:e0:e0:bf:e6:47:68:71:1e:3e:ed:d7
snmp-server host inside 192.168.20.10 community ***** version 2c
snmp-server host inside 192.168.99.2 community ***** version 2c
snmp-server location office
snmp-server contact 
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map clienttunnel 10 set transform-set 3des-md5 3des-sha
crypto map vpntunnel 30 match address outside_1_cryptomap
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 50.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel 65000 ipsec-isakmp dynamic clienttunnel
crypto map vpntunnel interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.20.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value airinnovationsllc.local
username admin password gKsOtAE6fzcD/7Hh encrypted privilege 15
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnclientpool
 authentication-server-group vpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
  inspect snmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b826892f526483687b2934e4cbab68c
: end

ASA5510 (SOUTH)

SOUTH-WAREHOUSE-ASA5510# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 104.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28666

SOUTH-WAREHOUSE-ASA5510# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SOUTH-WAREHOUSE-ASA5510
domain-name .local
enable password l6TfH6cW.FyTs0Rc encrypted
passwd l6TfH6cW.FyTs0Rc encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 50.0.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .local
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 50.0.0.1 eq 81
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.10 1
route inside 192.168.96.0 255.255.255.0 192.168.11.2 1
route inside 192.168.97.0 255.255.255.0 192.168.11.2 1
route inside 192.168.98.0 255.255.255.0 192.168.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.97.0 255.255.255.0 inside
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 104.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group 104.0.0.1 type ipsec-l2l
tunnel-group 104.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2799251874696d5e2bb2bf6c17f6699c
: end
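The two configs above are what the replies below check by eye. The script that follows is an added example, not code from the thread or from Cisco: it parses ASA 8.2 `show run` excerpts and checks the three things a reviewer looks at first on a L2L tunnel that negotiates but passes no traffic: whether the crypto-map ACLs on the two peers are mirror images of each other, whether every interesting-traffic pair is covered by the `nat 0` exemption ACL (a pair that misses it is PAT'd to the outside address and can never match the crypto ACL), and whether the IKE/IPsec settings use algorithms that are weak by today's standards (DES/3DES, MD5, DH and PFS groups 1 and 2). The config excerpts are trimmed from the two configs posted above (two networks per object-group); the function names, the `WEAK` list and the broken variants built in the usage block are the example's own assumptions.

```python
"""Added example, not Cisco code and not from the thread: lint a pair of ASA 8.2
L2L peer configs for an unmirrored crypto ACL, interesting traffic that misses
the nat 0 exemption, and IKE/IPsec algorithms that are weak by today's standards."""
import re
from ipaddress import ip_network

# DES/3DES, MD5 and DH/PFS groups 1-2 are below current recommendations (assumed list)
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "1", "2", "group1", "group2"}

def parse_config(text):
    """Pull object-groups, 'permit ip' ACEs, the nat 0 ACL, isakmp policies, transform-sets and crypto-map entries out of 'show run'."""
    cfg = dict(groups={}, acls={}, nat0=None, pols=[], tsets={}, cmap={})
    members = None
    for line in text.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            members = cfg["groups"].setdefault(m.group(1), [])
        elif m := re.match(r"\s+network-object (?:host )?(\S+)(?: (\S+))?", line):
            members.append(ip_network(m.group(1) if m.group(2) is None else f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0"] = m.group(1)
        elif re.match(r"crypto isakmp policy \d+", line):
            cfg["pols"].append({})
        elif (m := re.match(r"\s+(encryption|hash|group) (\S+)", line)) and cfg["pols"]:
            cfg["pols"][-1][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            cfg["tsets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map \S+ (\d+) (?:match address|set (pfs|transform-set)) (\S+)", line):
            cfg["cmap"].setdefault(m.group(1), {})[m.group(2) or "acl"] = m.group(3)
    return cfg

def expand(ace, groups):
    """Expand one 'permit ip <src> <dst>' ACE into the (src, dst) network pairs it covers."""
    def side(t):
        if t[0] == "object-group":
            return groups[t[1]], t[2:]
        if t[0] == "host":
            return [ip_network(t[1])], t[2:]
        return [ip_network(f"{t[0]}/{t[1]}")], t[2:]
    srcs, rest = side(ace)
    dsts, _ = side(rest)
    return {(s, d) for s in srcs for d in dsts}

def acl_pairs(cfg, name):
    return set().union(*[expand(ace, cfg["groups"]) for ace in cfg["acls"].get(name, [])])

def lint(local, remote, seq):
    """Findings for crypto-map entry <seq> on 'local', checked against the peer's config 'remote'."""
    l, r = parse_config(local), parse_config(remote)
    lm, rm = l["cmap"][seq], r["cmap"][seq]
    findings = []
    interesting = acl_pairs(l, lm["acl"])
    mirror = {(d, s) for s, d in acl_pairs(r, rm["acl"])}    # the peer's ACL as seen from this side
    if interesting != mirror:
        findings.append(f"crypto ACL not mirrored: only-local={interesting - mirror} only-remote={mirror - interesting}")
    exempt = acl_pairs(l, l["nat0"]) if l["nat0"] else set()
    for s, d in sorted(interesting, key=str):    # a pair that misses nat 0 is PAT'd and never matches the crypto ACL
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
            findings.append(f"no NAT exemption for {s} -> {d}")
    for i, p in enumerate(l["pols"], 1):
        if weak := sorted(v for v in p.values() if v in WEAK):
            findings.append(f"isakmp policy #{i}: weak {weak}")
    if weak := [a for a in l["tsets"].get(lm.get("transform-set"), ()) if a in WEAK]:
        findings.append(f"transform-set {lm['transform-set']}: weak {weak}")
    if lm.get("pfs") in WEAK:
        findings.append(f"pfs {lm['pfs']}: weak DH group")
    return findings

# Constructed excerpts trimmed from the two configs posted above (two networks per group).
COMMON = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
OFFICE = COMMON + """object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
nat (inside) 0 access-list nonat
crypto map vpntunnel 30 match address outside_1_cryptomap
"""
SOUTH = COMMON + """object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
nat (inside) 0 access-list NONAT
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
"""

if __name__ == "__main__":
    for name, a, b in (("OFFICE", OFFICE, SOUTH), ("SOUTH", SOUTH, OFFICE)):
        print(name, *lint(a, b, "30"), sep="\n  ")
```

On the posted excerpts the ACL and NAT-exemption checks come back clean, which matches the "config looks fine" verdict further down; only the algorithm findings remain (3DES/MD5 in IKE, 3DES in the transform set, PFS group 1). Dropping the `nat 0` line or changing one network in an object-group on either side makes the corresponding finding appear, which is the quick way to confirm the checker sees what you expect before trusting it on a full `show run`.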
Accepted Solution

Hello,

From the ASA5505, you notice a drop in Phase 10, and also in Phase 9 (host-limits). What is the license on the ASA?

You can find out from 'show ver' and 'show local-host'. Try rebooting the unit and also updating the code.

Thx

MS


balaji.bandi
Hall of Fame

can you post 

 

show crypto ipsec sa

 

and enable debug on both sides to capture the tunnel-establishment logs.

 

BB


Here is the show crypto ipsec sa for one of the ASAs, and below that is the debug log.

 

ASA5505# show crypto ipsec sa
interface: outside
    Crypto map tag: vpntunnel, seq num: 30, local addr: 104.0.0.1

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.98.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.98.0/255.255.255.0/0/0)
      current_peer: 50.0.0.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 104.0.0.1, remote crypto endpt.: 50.0.0.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 79577892
      current inbound spi : 3DA7C416

    inbound esp sas:
      spi: 0x3DA7C416 (1034404886)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4373999/28662)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x79577892 (2035775634)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28662)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpntunnel, seq num: 30, local addr: 104.0.0.1

      access-list outside_1_cryptomap extended permit ip 192.168.99.0 255.255.255.0 192.168.98.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.98.0/255.255.255.0/0/0)
      current_peer: 50.0.0.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 104.0.0.1, remote crypto endpt.: 50.0.0.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5A695337
      current inbound spi : C378EECD

    inbound esp sas:
      spi: 0xC378EECD (3279482573)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28608)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5A695337 (1516852023)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28608)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

DEBUG LOG FOR ASA

 

AIR-ASA5505# Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, Oakley proposal is acceptable
Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, IKE Peer included IKE fragmentation capability flags:  Main Mode: True  Aggressive Mode:  True
Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Connection landed on tunnel_group 50.0.0.1
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Connection landed on tunnel_group 50.0.0.1
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, PHASE 1 COMPLETED
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Keep-alive type for this connection: DPD
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Starting P1 rekey timer: 27360 seconds.
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.98.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, QM IsRekeyed old sa not found by addr
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Static Crypto Map check, checking map = vpntunnel, seq = 30...
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Static Crypto Map check, map vpntunnel, seq = 30 is a successful match
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, IKE Remote Peer configured for crypto map: vpntunnel
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing IPSec SA payload
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 30
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, IKE: requesting SPI!
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Transmitting Proxy Id:
  Remote subnet: 192.168.98.0  Mask 255.255.255.0 Protocol 0  Port 0
  Local subnet:  192.168.99.0  mask 255.255.255.0 Protocol 0  Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Security negotiation complete for LAN-to-LAN Group (50.0.0.1)  Responder, Inbound SPI = 0xfe4c8b45, Outbound SPI = 0xac1aebef
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Starting P2 rekey timer: 27360 seconds.
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, PHASE 2 COMPLETED (msgid=7e3a52b2)
sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28784
AIR-ASA5505# sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28775

 

 

Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing hash payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing notify payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x47399f7e)
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x47399f7e)
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, constructing blank hash payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, constructing qm hash payload
Jul 06 12:44:03 [IKEv1]: IP = 50.0.0.1, IKE_DECODE SENDING Message (msgid=f2ff2fe5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80      

Hi,

 

This question may not be related to your issue, but I wanted to check: are the default gateways on both ends correct? I see the Vlan2 interfaces: one side has 255.255.255.248 and the other 255.255.255.252, but the gateways are .10, which do not fall under those subnets.

 

Thanks

MS

It is correct. I changed the public IPs in the forum for privacy reasons.

Quick check on the config: it looks fine. You can try adding 'sysopt connection permit-vpn' on both ends (global config mode). If you still have trouble:

1. Enable 'debug icmp trace' on both sides and see if the ICMP packets (between private IPs) reach the other end (and get dropped).
2. Try the packet-tracer command to simulate traffic (between two private IPs) and post the results.

 

Thanks,

MS

I am getting some weird results..

 

ASA5510 (SOUTH)

SOUTH-WAREHOUSE-ASA5510(config)# ping inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?
Success rate is 0 percent (0/5)

 

ASA5505 (OFFICE)

 

AIR-ASA5505(config)# ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72

Here are the ICMP events when pinging from a computer on the 192.168.99.0 subnet to 192.168.97.1.

No reply on the ASA5510 (SOUTH) side; below is the ASA5505 (OFFICE):

ASA5505(config)# ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=141 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/62982


 

But when I ping from the SOUTH side to the inside firewall IP of the OFFICE, I see the requests on the ASAs, but the ICMP fails on the user's computer it was performed from.

 

ASA5510 (SOUTH)

ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=69 len=32
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=70 len=32
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=71 len=32

ASA5505 (OFFICE)

ASA5505# ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=69 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=69 len=32
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=70 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=70 len=32
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=71 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=71 len=32
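The traces above show the two symptoms being chased: an echo from 192.168.99.16 that the ASA5505 translates to its outside address (the `nat 0` exemption was not applied to that flow, so the packet cannot match the crypto ACL and never enters the tunnel), and an echo from 192.168.98.101 that the far ASA receives and answers but whose reply never shows up on the near side. As an added example that is not part of the thread, the script below correlates `debug icmp trace` lines captured on both ASAs by (src, dst, ICMP id, seq) and names which of those failures each tunnel-bound echo hit. The sample lines are constructed from the traces posted above; the remote-network lists, the regexes and the verdict strings are the example's own assumptions.

```python
"""Added example, not code from the thread: correlate 'debug icmp trace' output
captured on both ASAs and say where each tunnel-bound echo died."""
import re
from ipaddress import ip_address, ip_network

# 'inside:'/'outside:' interface prefixes are optional in the trace lines
REQ = re.compile(r"ICMP echo request from (?:\w+:)?(\S+) to (?:\w+:)?(\S+) ID=(\d+) seq=(\d+)")
REP = re.compile(r"ICMP echo reply from (?:\w+:)?(\S+) to (?:\w+:)?(\S+) ID=(\d+) seq=(\d+)")
XLATE = re.compile(r"ICMP echo request translating \w+:(\S+)/\d+ to \w+:(\S+)/\d+")

def parse_trace(lines):
    """Index one ASA's trace by (src, dst, id, seq) of the echo request."""
    flows, last = {}, None
    new = lambda: {"request": False, "reply": False, "xlate": None}
    for line in lines:
        if m := REQ.search(line):
            src, dst, i, s = m.groups()
            last = flows.setdefault((src, dst, int(i), int(s)), new())
            last["request"] = True
        elif m := REP.search(line):
            src, dst, i, s = m.groups()          # a reply runs the other way: key on the original request
            flows.setdefault((dst, src, int(i), int(s)), new())["reply"] = True
        elif (m := XLATE.search(line)) and last is not None:
            last["xlate"] = m.groups()           # the translating line follows the request it belongs to
    return flows

def diagnose(near, far, remote_nets):
    """Verdict per echo that the near ASA saw heading for a remote VPN network.

    near/far are the traces captured on the ASA where the ping entered and on
    its peer; remote_nets are the peer's protected networks (crypto ACL side)."""
    protected = [ip_network(n) for n in remote_nets]
    n, f = parse_trace(near), parse_trace(far)
    verdicts = {}
    for key, flow in n.items():
        if not flow["request"] or not any(ip_address(key[1]) in net for net in protected):
            continue                              # reply-only entries and non-tunnel echoes are out of scope
        if flow["xlate"]:
            verdicts[key] = (f"PAT'd to {flow['xlate'][1]}: nat 0 exemption not applied, "
                             "so the packet can never match the crypto ACL")
        elif key not in f:
            verdicts[key] = "request never seen on the far ASA: not encrypted, or lost in transit"
        elif f[key]["reply"] and not flow["reply"]:
            verdicts[key] = "far ASA saw the request and answered, but the reply never came back"
        elif flow["reply"]:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "reached the far ASA, no reply generated there (far-side host or ACL)"
    return verdicts

# Constructed from the traces posted above (one echo per test is enough to classify it).
OFFICE_TRACE = [
    "ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32",
    "ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174",
    "ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=69 len=32",
    "ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=69 len=32",
]
SOUTH_TRACE = ["ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=69 len=32"]
OFFICE_NETS = ["192.168.99.0/24", "192.168.20.0/24", "192.168.10.0/24"]
SOUTH_NETS = ["192.168.11.0/24", "192.168.96.0/24", "192.168.97.0/24", "192.168.98.0/24"]

if __name__ == "__main__":
    for label, near, far, nets in (("ping from OFFICE", OFFICE_TRACE, SOUTH_TRACE, SOUTH_NETS),
                                   ("ping from SOUTH", SOUTH_TRACE, OFFICE_TRACE, OFFICE_NETS)):
        for key, verdict in diagnose(near, far, nets).items():
            print(f"{label}: {key[0]} -> {key[1]} id={key[2]} seq={key[3]}: {verdict}")
```

Run it with the near trace taken from the ASA the ping entered and the far trace from its peer; the key includes source and destination because Windows hosts all use ICMP id 1, so id/seq alone would merge echoes from different machines. The "translating" verdict is the one to act on first: a PAT'd packet leaves the crypto path before encryption, and no amount of IKE debugging will show it.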

 

Looking at the 'ping' results, my understanding is that the 5505 is not processing the 'no nat' rule:

ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/2217

Try removing the no-nat config and adding it back. Also try placing the nonat statement for these networks on top (it may not make much difference, though).
Thx
MS

Tried removing the NONAT and placing the NAT statement for the tunnel at the top. Still not working...

 

Is there a bug in the code?

Hi,

 

1. Did you try adding 'sysopt connection permit-vpn' on both ends (or on the 5505 end to start with)?

2. 8.2(5) code is pretty old, and the 8.2 train itself is EOL from Cisco, so I'm not sure of related bugs. I think the latest in that train is 8.2(5)59.

3. You can try rebooting the 5505 and upgrading as well. If none of that works, run the command below from the 5505 and post the output:

 

packet-tracer input inside icmp 192.168.99.16 0 192.168.97.10 detailed

 

hth

MS

 

sysopt did not work. Added it to both.

Here are the packet-tracer results:

SOUTH-WAREHOUSE-ASA5510# packet-tracer input inside icmp 192.168.97.1 0 0 192.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.97.0 255.255.255.0 outside 192.168.99.0 255.255.255.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (50.0.0.1 [Interface PAT])
    translate_hits = 11868, untranslate_hits = 1750
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (50.0.0.1 [Interface PAT])
    translate_hits = 11868, untranslate_hits = 1750
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15184, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
