Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA- Cannot set up Dynamic IP remote to central static IP VPN

Hi,

I'm trying to set up a VPN between an ASA5505 on Central Site with static IP and a remote ASA connected to a router having a dynamic IP.

I've tried tp follow the Cisco site sample named "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" (http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml), but it doesn't work.

The problem is that when I generate some traffic, on the central ASA I have the message (Remote_Dynamic_IP is just to remove the real IP):

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry

Remote router and remote asa are connected on a network with fixed addresses, i.e.:

dynamic_ip-->router<--static_ip(E.F.G.1)--static_ip(E.F.G.2/30)--|<!--remote_lan(A.B.C.0/24)

Attached you'll find the relevant part of CentralASA and RemoteASA configurations

What's wrong?

Thanks in advance

Ciao

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

On RemoteASA

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

12 REPLIES

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

try to replace you configuration

####

tunnel-group RemoteAsa type ipsec-l2l

tunnel-group RemoteASA ipsec-attributes

pre-shared-key *

####

with

####

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

####

DefaultL2LGroup is a build in group.

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

CentralASA(config)# tunnel-group DefaultL2LGroup type ipsec-l2l

^

ERROR: % Invalid input detected at '^' marker.

It gives an error:

CentralASA(config)# tunnel-group DefaultL2LGroup general-attributes

CentralASA(config-tunnel-general)# authentication-server-group none

^

ERROR: % Invalid input detected at '^' marker.

CentralASA(config-tunnel-general)# tunnel-group DefaultL2LGroup ipsec-attributes

CentralASA(config-tunnel-ipsec)#

SW Release is: Cisco Adaptive Security Appliance Software Version 8.0(3)

Thanks

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

tunnel-group DefaultL2LGroup ipsec-attributes

set here the pre-shared-key for DefaultL2LGroup the same as you use on the RemoteASA.

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

No way:

Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

I've attached a debug crypto isakmp 255 on the central site asa and on the remote.

Any idea?

Thanks a lot

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

On RemoteASA

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

Ok. Now VPN is up.

Now one more problem: if I try for example to connect via VNC from a computer on the remote lan to a computer on the central site lan, on the central ASA I have:

3 Jul 02 2008 08:05:26 713042 IKE Initiator unable to find policy: Intf outside, Src: IP_ON_REMOTE_LAN Dst: IP_ON_CENTRAL LAN

Am I missing something else?

Thanks for your answers

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

Hi,

show "sh crypto ipsec sa" on both sides when the vpn is up.

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

centralASA# sh crypto ipsec sa

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP

local ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

current_peer: PEER_DYNAMIC_IP

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 7D43EDFE

inbound esp sas:

spi: 0x4552E88B (1163061387)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28771)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x7D43EDFE (2101603838)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28771)

IV size: 16 bytes

replay detection support: Y

remoteASA# sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: REMOTE_LAN_FIREWALL_IP

access-list outside_1_cryptomap permit ip RemoteLAN 255.255.255.0 CentralLAN 255.255.255.0

local ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)

current_peer: CENTRAL_PUBLIC_IP

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: REMOTE_LAN_FIREWALL_IP, remote crypto endpt.: CENTRAL_PUBLIC_IP

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 4552E88B

inbound esp sas:

spi: 0x7D43EDFE (2101603838)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28797)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x4552E88B (1163061387)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28797)

IV size: 16 bytes

replay detection support: Y

Thanks once more

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

I see that the vpn is up but there are no packets encrypted or decrypted.

so could you show the configuations on both sides?

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

Here they are.

I've performed some editing, i.e. hiding the real IP's, but in a smart way.

Particulary, the conventions on both files are:

On central site the LAN is X.Y.Z.0/24

CENTRAL_PUBLIC_IP is the static central site public IP (the outside of centralASA). Note: everywhere in the real config, CENTRAL_PUBLIC_IP is explicit, i.e. a normal IP address, let's say 1.2.3.4:

On remote site, lan is A.B.C.0/24, firewall outside is D.E.F.2/30, router is D.E.F.1/30, DYNAMIC_PUBLIC_IP is the dynamic ip at remote.

I've also added a diagram.

Thanks

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

on central

access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 RemoteLAN 255.255.255.0

sysopt connection permit-vpn

on remote

sysopt connection permit-vpn

New Member

Re: ASA- Cannot set up Dynamic IP remote to central static IP VP

It doesn't work.

BTW, these are the show crypto ipsec sa

centralASA# sh crypto ipsec sa

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP

local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

current_peer: PEER_DYNAMIC_IP

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 3CC70558

inbound esp sas:

spi: 0xDAB0C0C8 (3669016776)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4274982/28294)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x3CC70558 (1019675992)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28293)

IV size: 16 bytes

replay detection support: Y

remoteASA# sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2

access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

current_peer: CENTRAL_PUBLIC_IP

#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 294, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: E.F.G.2, remote crypto endpt.: CENTRAL_PUBLIC_IP

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: DAB0C0C8

inbound esp sas:

spi: 0x3CC70558 (1019675992)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28014)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0xDAB0C0C8 (3669016776)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4274982/28014)

IV size: 16 bytes

replay detection support: Y

Notice that remoteASA's has a

access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

while centralASA has only a

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

isn't this the problem, i.e. isn't centralASA that doesn't know how to send back packets?

Thanks

1552
Views
8
Helpful
12
Replies