03-27-2014 07:08 AM - edited 02-21-2020 05:08 AM
Hi,
We have two remote sites which are connected with Cisco ASA appliances to our data center, and the other remote site's ASA has some very strange log entries.
Strange thing is that the site-to-site VPN connection works anyway and other ASA appliances have no similar log entries.
Here is some of the configuration (I tried to shorten it) from the ASA that has these strange log entries:
ASA Version 8.4(3)
!
hostname xxxxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address xxxxxxxxxxxxxx 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxxxxxx 255.255.255.192
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer xxxxxxxxxxxxxxx
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ntp server xxxxxxxxxxxxx source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_xxxxxxxxxxxxx internal
group-policy GroupPolicy_xxxxxxxxxxxxx attributes
vpn-tunnel-protocol ikev1
username admin password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxx ipsec-attributes
ikev1 pre-shared-key xxxxxxxxxxxxx
!
: end
03-27-2014 03:22 PM
Turn your logging level up to 5. There is no remote IP address specified in the log entries above, so you don't know exactly the endpoint IP related to these syslog entries. Once you learn the far end IP you can be more focused in your troubleshooting and remediation efforts.
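As an added illustration of the advice above (not code from the thread), the script below runs over ASA syslog text, keeps only the IKE/IPsec messages (the 713xxx/715xxx IDs) at or below a chosen logging level, groups them by the peer address carried in the "IP =" or "IKE Peer" field, and lists which messages a lower logging level would have hidden. The log lines are constructed samples with RFC 5737 addresses, not the poster's entries, and the field layout the regexes expect is an assumption about the ASA's message text.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in ASA syslog format (not the thread's own entries,
# which exist only in a screenshot). IDs 713xxx/715xxx are the IKE messages.
SAMPLE_LOG = """\
Mar 28 2014 00:05:11 asa01 %ASA-5-713041: IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 192.0.2.0, remote Proxy Address 198.51.100.0,  Crypto map (outside_map0)
Mar 28 2014 00:05:12 asa01 %ASA-6-713172: Group = 203.0.113.10, IP = 203.0.113.10, Automatic NAT Detection Status: Remote end is NOT behind a NAT device
Mar 28 2014 00:05:14 asa01 %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Mar 28 2014 00:07:30 asa01 %ASA-5-713201: IP = 203.0.113.77, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 28 2014 00:07:40 asa01 %ASA-3-713902: Group = 203.0.113.77, IP = 203.0.113.77, Removing peer from correlator table failed, no match!
Mar 28 2014 00:08:01 asa01 %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <192.0.2.5> mask <0xFFFFFFFF> port <1701>
Mar 28 2014 00:08:05 asa01 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.0.2.20/51000 (192.0.2.20/51000)
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
PEER_RE = re.compile(r"(?:\bIP = |IKE Peer )(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_ike(msg_id):
    """IKE/IPsec negotiation messages live in the 713xxx and 715xxx ranges."""
    return msg_id.startswith(("713", "715"))


def summarize_ike(log_text, max_severity=5):
    """Return {peer_ip: {msg_id: count}} for IKE messages at or below
    max_severity. Lines that carry no peer field land under 'no-peer', which
    is exactly the kind of entry that cannot be tied to a far-end address."""
    peers = defaultdict(Counter)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or int(m["sev"]) > max_severity or not is_ike(m["id"]):
            continue
        p = PEER_RE.search(m["text"])
        peers[p["ip"] if p else "no-peer"][m["id"]] += 1
    return {peer: dict(counts) for peer, counts in peers.items()}


def hidden_by_level(log_text, current_level):
    """Sorted IKE message IDs that a logging level of current_level suppresses,
    i.e. what raising the level would reveal."""
    hidden = set()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m and is_ike(m["id"]) and int(m["sev"]) > current_level:
            hidden.add(m["id"])
    return sorted(hidden)


if __name__ == "__main__":
    for peer, counts in summarize_ike(SAMPLE_LOG, 5).items():
        print(peer, counts)
    print("hidden at level 4:", hidden_by_level(SAMPLE_LOG, 4))
```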
03-28-2014 12:13 AM
Hi Joe and thanks for quick reply,
Here is a screenshot with logging level 5.
I have wiped out our data center ASA's public IP from the log entries that show the tunnel being set up successfully. But the unsuccessful tunnel setups have no additional information.