Cisco Support Community
Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

hi all ,

I'm trying to connect my ASA to a remote ASA VPN, and it seems that the remote ASA has IKEv1.

The tunnel is down, and here is a sample of the log when a client tries to access a remote IP in the remote ASA VPN subnet.

Here is a screenshot from the ASA VPN logs:

http://www3.0zz0.com/2014/02/20/08/193210472.png

regards

17 REPLIES
Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

Hi,

I tried

Result of the command: "show crypto isakmp sa"

There are no IKEv1 SAs

There are no IKEv2 SAs

?????????????????????

Is there an issue?

urgent help with ASA with site-site vpn , tunnel is down !!!

Use the following command to turn on debugging for just this specific PEER IP.

'debug crypto condition peer x.x.x.x'     Where x.x.x.x is the IP-Address

Then run the following command 'debug crypto isakmp 250'

Can you post the results from this?

Also from the logs above, it looks like Phase 1 completed.

Have you verified matching Phase 1 and Phase 2 configurations?

Have you verified Interesting Traffic?

Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

IS-23433(config)#   Feb 20 04:07:19 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Inside,   IKE Peer x.x.x.x  local Proxy Address   s.s.s.s, remote Proxy Address R.R.R.R,    Crypto map (CMAP)
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing ISAKMP SA payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing Fragmentation VID + extended   capabilities payload
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR   + SA (1) + VENDOR (13) + NONE (0) total length : 108
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads :   HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing SA payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Oakley proposal is acceptable
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Received Fragmentation VID
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, IKE Peer included IKE fragmentation capability   flags:  Main Mode:        True    Aggressive Mode:  True
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing ke payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing nonce payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing Cisco Unity VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing xauth V6 VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Send IOS VID
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload   (version: 1.0.0, capabilities: 20000001)
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, constructing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR   + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13)   + NONE (0) total length : 256
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads :   HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR   (13) + NONE (0) total length : 256
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing ke payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing ISA_KE payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing nonce payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Received Cisco Unity client VID
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Received xauth V6 VID
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Processing VPN3000/ASA spoofing IOS Vendor ID   payload (version: 1.0.0, capabilities: 20000001)
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Generating keys for Initiator...
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Constructing IOS keep alive payload:   proposal=32767/32767 sec.
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR   + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total   length : 96
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads :   HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total   length : 96
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Feb 20 04:07:19   [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
x.x.x.x
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Feb 20 04:07:19   [IKEv1 DEBUG]IP = x.x.x.x, Processing IOS keep alive payload:   proposal=32767/32767 sec.
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing VID payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received DPD VID
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Oakley begin quick mode
Feb 20 04:07:19   [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator starting QM: msg   id = 782078fa
Feb 20 04:07:19   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, Keep-alive type for this connection: DPD
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 73440   seconds.
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x4f3799a6
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x832c9159
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0xe4ee0306
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0xda774fb8
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x5635723e
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x2efd94b5
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x9f004634
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0xaa826662
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x123d8c63
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI   = 0x0177e63c
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, oakley constucting quick mode
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec SA payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec nonce payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing pfs ke payload
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing proxy ID
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
  Local host:    s.s.s.s  Protocol 0  Port 0
  Remote host: R.R.R.R  Protocol 0    Port 0
Feb 20 04:07:19   [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending Initial   Contact
Feb 20 04:07:19   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Feb 20 04:07:19   [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending 1st QM   pkt: msg id = 782078fa
Feb 20 04:07:19   [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=782078fa) with   payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) +   NOTIFY (11) + NONE (0) total length : 816
Feb 20 04:07:20   [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=55177916) with   payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Feb 20 04:07:20   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No   proposal chosen (14)
Feb 20 04:07:20   [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=bff6f3cb) with   payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing delete
Feb 20 04:07:20   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer   x.x.x.x.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason   message
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec delete payload
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Feb 20 04:07:20   [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=44174b85) with   payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy   R.R.R.R, Local Proxy s.s.s.s
Feb 20 04:07:20   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table   failed, no match!
Feb 20 04:07:20   [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:1d158d23   terminating:  flags 0x0100c822, refcnt   0, tuncnt 0

Feb 20 04:07:20   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason:   User Requested

=======================

Hi,

Yes, I've initiated traffic from my side.

Again,

the remote side uses IKEv1, not IKEv2.

======================

Regards

Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

What could the possible problems be?

urgent help with ASA with site-site vpn , tunnel is down !!!

Notice this right here.

Feb 20 04:07:20   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No   proposal chosen (14)

Check out your IKE Phase 1 policies and make sure they match.

Can you post the IKE policy from the ASA and remote ASA (if you have access)

Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

Hi,

I have no access to the remote ASA.

Do you think we may have mismatched IKE policies between my side and the other side?

urgent help with ASA with site-site vpn , tunnel is down !!!

It looks that way.

I would verify that both sides have the same IKE policies.

urgent help with ASA with site-site vpn , tunnel is down !!!

This message says it all really:

[IKEv1]Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.


urgent help with ASA with site-site vpn , tunnel is down !!!

I am not sure I agree with everyone on this. To me, this looks like a phase II issue. Could you run "debug crypto ipsec 127" while sending interesting traffic, and post the output here.

urgent help with ASA with site-site vpn , tunnel is down !!!

Gabriel,

You bring up a good point, I didn't see this earlier. But then again, I was up at 3am in the morning.

Feb 20 04:07:19   [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

Either way check both your IKE Phase 1 and IKE Phase 2 configurations and Transform set.
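The debug capture posted earlier in the thread shows the pattern these replies are weighing: "PHASE 1 COMPLETED" is logged, the ASA sends its first Quick Mode packet, and the peer answers with "No proposal chosen (14)" followed by a delete, which points at phase 2 rather than phase 1. The script below is an added example, not code from the thread, from Cisco or from any of the posters; it classifies a "debug crypto isakmp" capture by exactly that pattern. Both samples in it are constructed (abbreviated from the thread's output, with documentation addresses in place of the masked x.x.x.x), and the stage names, the advice text and the function names are the example's own.

```python
"""Triage an ASA IKEv1 site-to-site 'debug crypto isakmp' capture.

Added example, not from the thread or from Cisco. It reads the marker
lines the ASA emits during negotiation and reports the stage at which the
tunnel failed, so the reader knows whether to compare IKEv1 policies
(phase 1) or transform sets, PFS and crypto ACLs (phase 2). The samples
are constructed, abbreviated from the thread's output with documentation
addresses in place of the masked ones.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed: phase 1 succeeds, then the peer rejects the Quick Mode
# proposal with NO-PROPOSAL-CHOSEN (ISAKMP notify code 14, RFC 2408).
SAMPLE_PHASE2_REJECTED = """\
Feb 20 04:07:19 [IKEv1]IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 203.0.113.1 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0, Crypto map (CMAP)
Feb 20 04:07:19 [IKEv1 DEBUG]IP = 203.0.113.1, Oakley proposal is acceptable
Feb 20 04:07:19 [IKEv1]IP = 203.0.113.1, Connection landed on tunnel_group 203.0.113.1
Feb 20 04:07:19 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Oakley begin quick mode
Feb 20 04:07:19 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, PHASE 1 COMPLETED
Feb 20 04:07:19 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Transmitting Proxy Id:
  Local host:    10.1.1.0  Protocol 0  Port 0
  Remote host: 10.2.2.0  Protocol 0    Port 0
Feb 20 04:07:20 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Received non-routine Notify message: No proposal chosen (14)
Feb 20 04:07:20 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Connection terminated for peer 203.0.113.1.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 20 04:07:20 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Removing peer from correlator table failed, no match!
"""

# Constructed: the peer rejects the ISAKMP SA itself, so phase 1 never
# completes (the pattern of an IKEv1 policy mismatch).
SAMPLE_PHASE1_FAILED = """\
Feb 20 04:10:02 [IKEv1]IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 203.0.113.1 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0, Crypto map (CMAP)
Feb 20 04:10:02 [IKEv1 DEBUG]IP = 203.0.113.1, constructing ISAKMP SA payload
Feb 20 04:10:02 [IKEv1]IP = 203.0.113.1, Received non-routine Notify message: No proposal chosen (14)
"""

PEER_RE = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (?P<msg>.+?) \((?P<code>\d+)\)")
PROXY_RE = re.compile(r"^\s*(?P<side>Local|Remote) host:\s+(?P<host>\S+)")

@dataclass
class IkeTriage:
    peer: Optional[str] = None
    phase1_completed: bool = False
    phase2_completed: bool = False
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    notifies: list = field(default_factory=list)   # (phase, code, message)

    @property
    def stage(self) -> str:
        """Coarse classification that tells the operator what to compare next."""
        if self.peer is None:
            return "no-negotiation"
        if not self.phase1_completed:
            return "phase1-failed"
        if self.phase2_completed:
            return "established"
        if any(phase == 2 and code == 14 for phase, code, _ in self.notifies):
            return "phase2-rejected"
        return "phase2-no-reply"

ADVICE = {
    "no-negotiation": "no IKE exchange started: traffic did not match the crypto map ACL, or never reached the ASA",
    "phase1-failed": "phase 1 did not complete: compare the IKEv1 policies (encryption, hash, DH group, authentication) and the pre-shared key",
    "phase2-rejected": "peer answered Quick Mode with NO-PROPOSAL-CHOSEN: compare transform set, PFS group and crypto ACL (it must mirror the proxy IDs)",
    "phase2-no-reply": "Quick Mode got no reply before the SA was torn down: review the peer's own logs for the rejection reason",
    "established": "both phases completed; look at routing and NAT if traffic still fails",
}

def triage(debug_text: str) -> IkeTriage:
    t = IkeTriage()
    for line in debug_text.splitlines():
        if t.peer is None and (m := PEER_RE.search(line)):
            t.peer = m.group("ip")
        if "PHASE 1 COMPLETED" in line:
            t.phase1_completed = True
        elif "PHASE 2 COMPLETED" in line:
            t.phase2_completed = True
        elif m := PROXY_RE.match(line):
            setattr(t, f"{m.group('side').lower()}_proxy", m.group("host"))
        elif m := NOTIFY_RE.search(line):
            # A notify seen after PHASE 1 COMPLETED belongs to the Quick Mode exchange.
            t.notifies.append((2 if t.phase1_completed else 1, int(m.group("code")), m.group("msg")))
    return t

def report(debug_text: str) -> str:
    t = triage(debug_text)
    text = f"peer {t.peer}: {t.stage} -> {ADVICE[t.stage]}"
    if t.local_proxy and t.remote_proxy:
        text += f" [proxy IDs {t.local_proxy} <-> {t.remote_proxy}]"
    return text
```

Feed it a capture saved from the terminal session; the proxy IDs it pulls out of "Transmitting Proxy Id" are what the peer's crypto ACL has to mirror, which is the one thing a local "show run crypto" cannot tell you.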

urgent help with ASA with site-site vpn , tunnel is down !!!

The reason he is getting this message:

[IKEv1]Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Is because there is a transform set mismatch. I would contact the admin from the other ASA and ask him for a:

show run crypto

And then compare it to his show run crypto. You can probably spot the problem pretty quickly. Once they have been configured to match, you will need to generate interesting traffic to bring the tunnel up. A simple ping to a host on the other side should do it.

urgent help with ASA with site-site vpn , tunnel is down !!!

John - Those 3 am's can do that to a person :-)

Christopher - It is not necessarily a transform set mismatch (it could be), but it could also relate to the interesting traffic identified, which "sh run crypto" won't show. Debugging ipsec will give a better idea as to what is happening. If he is able to get access to the configs from the remote ASA, seeing both the crypto configs and interesting traffic ACLs would be preferable.

Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

How do I grab the interesting traffic ACL from the CLI?

regards

urgent help with ASA with site-site vpn , tunnel is down !!!

You will want to find the ACL associated with the tunnel you are working on:

crypto map MAPNAME # match address ACL

Then run something like: sh running-config access-list ACL

urgent help with ASA with site-site vpn , tunnel is down !!!

@Gabriel - yes sir, you are correct. Debugging ipsec will give a much more granular picture, but in my experience 95% of these issues are solved with show run crypto and maybe a show run access-list.

@CSCO - Interesting traffic is traffic generated from one LAN to the other LAN meant to go over the VPN.  So if you have an IP address on the other side that you should be able to connect to over the VPN, start a ping from your workstation to that IP and it should bring the tunnel up if it's configured correctly.

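To make the comparison Christopher and Gabriel describe concrete (transform set and IKE policy from "show run crypto", plus the crypto ACL reached through the crypto map's "match address"), here is an added example that is not code from the thread or from Cisco. It parses simplified "show run crypto" and "show run access-list" text from both peers and lists the mismatches, including a crypto ACL that does not mirror the other side's. The two configurations, the map names, ACL names and addresses are constructed, and the function names are the example's own.

```python
"""Compare the crypto configuration of two ASA IKEv1 peers.

Added example, not from the thread or from Cisco. It parses the parts of
'show run crypto' and 'show run access-list' that decide whether a
site-to-site tunnel forms and reports mismatches between the two sides,
including a crypto ACL that is not the mirror image of the peer's.
Both configurations below are constructed samples.
"""
import re
from collections import defaultdict

# Constructed: local ASA, peer 203.0.113.1, protecting 10.1.1.0/24 <-> 10.2.2.0/24.
LOCAL_CFG = """\
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 203.0.113.1
crypto map CMAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map CMAP 10 set pfs group2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 group 2
"""

# Constructed: remote ASA with a 3DES transform set and a crypto ACL that
# covers 10.1.0.0/16 instead of mirroring 10.1.1.0/24 exactly.
REMOTE_CFG = """\
access-list TO-HQ extended permit ip 10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 20 match address TO-HQ
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 20 set pfs group2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 group 2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set|set pfs) (.+)$")
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")

def parse_crypto(cfg: str) -> dict:
    acls = defaultdict(list)   # name -> [(src, src_mask, dst, dst_mask), ...]
    tsets = {}                 # name -> frozenset of ESP algorithms
    maps = defaultdict(dict)   # (map name, seq) -> {setting: value}
    policies = {}              # policy seq -> {attribute: value}
    policy = None
    for line in cfg.splitlines():
        if line.startswith(" ") and policy is not None:   # indented IKEv1 policy attribute
            key, _, value = line.strip().partition(" ")
            policies[policy][key] = value
            continue
        policy = None
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.groups()[1:])
        elif m := TSET_RE.match(line):
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            maps[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
        elif m := POLICY_RE.match(line):
            policy = int(m.group(1))
            policies[policy] = {}
    return {"acls": acls, "tsets": tsets, "maps": maps, "policies": policies}

def entry_for_peer(parsed: dict, peer_ip: str):
    """The crypto map entry whose 'set peer' names the given address, or None."""
    return next((s for s in parsed["maps"].values() if s.get("set peer") == peer_ip), None)

def _policies(parsed: dict) -> set:
    return {tuple(sorted(p.items())) for p in parsed["policies"].values()}

def compare_peers(local_cfg: str, remote_cfg: str, remote_ip: str, local_ip: str) -> list:
    """Return human-readable mismatches; an empty list means the two sides agree."""
    loc, rem = parse_crypto(local_cfg), parse_crypto(remote_cfg)
    le, re_ = entry_for_peer(loc, remote_ip), entry_for_peer(rem, local_ip)
    if le is None or re_ is None:
        return ["one side has no crypto map entry whose 'set peer' names the other"]
    problems = []
    if not _policies(loc) & _policies(rem):
        problems.append("no IKEv1 policy is common to both sides (phase 1 will fail)")
    lsets = [loc["tsets"][n] for n in le.get("set ikev1 transform-set", "").split() if n in loc["tsets"]]
    rsets = [rem["tsets"][n] for n in re_.get("set ikev1 transform-set", "").split() if n in rem["tsets"]]
    if not any(ls == rs for ls in lsets for rs in rsets):
        problems.append(f"transform set mismatch: local {[sorted(s) for s in lsets]}, remote {[sorted(s) for s in rsets]}")
    if le.get("set pfs") != re_.get("set pfs"):
        problems.append(f"PFS mismatch: local {le.get('set pfs')}, remote {re_.get('set pfs')}")
    # Each local ACE (src -> dst) must appear reversed (dst -> src) in the peer's crypto ACL.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in rem["acls"][re_["match address"]]}
    for ace in loc["acls"][le["match address"]]:
        if ace not in mirrored:
            problems.append(f"crypto ACL not mirrored: local ACE {ace} has no reverse ACE on the remote side")
    return problems
```

The ACL check compares whole entries, so a remote crypto ACL that merely covers a wider range than the local one is reported as a mismatch: the ASA expects the proxy IDs it receives in Quick Mode to match its own crypto ACL as a mirror image. The IKEv1 policy comparison deliberately leaves lifetime out, since the peers settle on the shorter value rather than failing on it.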
Community Member

urgent help with ASA with site-site vpn , tunnel is down !!!

Hi all,

Still not solved.

I have

Result of the command: "show crypto isakmp sa"

There are no IKEv1 SAs

There are no IKEv2 SAs

?????????????????????

Is there an issue?

Am I missing something? Is it an issue from my side?

urgent help with ASA with site-site vpn , tunnel is down !!!

Can you post the results of

'debug crypto ipsec 250'

I would do the 'debug crypto condition peer x.x.x.x' command as well.

But you need to also check what the transform-set is on EACH side. Make sure they are the same.
