12-21-2007 05:56 AM - edited 02-21-2020 03:26 PM
Hi all. I have a rather strange situation regarding a site-to-site VPN tunnel.
On one end I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.
The problem is that from the side of the PIX I cannot establish a tunnel, but when the traffic starts from the ASA's side the tunnel establishes as normal.
I have checked the configurations on both ends and keys, passwords, mirror ACLs seem OK. The only thing that springs to attention is that I have the same transform set used for 2 different tunnels on the PIX side.
Can I use the same transform set on multiple tunnels or should I define a different transform set for every tunnel? Could this be the source of the problem?
12-21-2007 08:25 AM
Hi
No that won't be an issue. I have used the same transform set on a pix for over 60 site-to-site VPN tunnels.
What does the debugging show?
Jon
12-24-2007 02:22 AM
Here are the results of the debugging on both sides of the tunnel. I was out of action for a couple of days so sorry for the late reply.
ASA side:
Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3a81b50, mess id 0x4bf27953)!
Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
PIX side:
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -245075964:f1647004
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 1293387221
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3694378254, spi size = 16
ISAKMP (0): deleting SA: src y.y.y.y, dst x.x.x.x
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xad3ac4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:2
ISADB: reaper checking SA 0xaec8dc, conn_id = 0
ISADB: reaper checking SA 0xaebd5c, conn_id = 0
ISADB: reaper checking SA 0xae6f2c, conn_id = 0
I can also post the related parts of configs from both sides.
12-25-2007 03:36 PM
Can you please post the relevant part of the config and the debugs for ipsec as well?
deb cry ipsec
12-27-2007 08:13 AM
Here are the relevant parts of the configs from both devices.
ASA side:
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
crypto map vpn interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-256
isakmp policy 2 hash sha
isakmp policy 2 group 5
isakmp policy 2 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx
access-list 120 extended permit ip 172.20.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.16.0 255.255.255.0 172.20.9.0 255.255.255.0
PIX side:
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
crypto map vpn interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
access-list 120 permit ip 172.20.9.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.16.0 255.255.255.0
12-27-2007 08:15 AM
Forgot the debug of ipsec.
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x9b7d0784(2608662404) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x79d3f3bf(2043933631) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xaa3f5dbd(2856279485) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa22a0c10(2720664592) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xef2ba5c0(4012615104) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe9030f5b(3909291867) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf86c4794(4167845780) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.100.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdc627d36(3697442102) for SA
from y.y.y.y to x.x.x.x for prot 3
12-27-2007 11:51 AM
ASA, by default, uses PFS group 2 if a group is not specified, whereas PIX 6.X uses PFS group 1 if a group is not specified.
So, you need to change the PFS group on any of the devices to match the other.
Hope that helps.
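As an added example, not code from the thread or from Cisco: a small Python check that reads the two crypto map excerpts posted above, resolves an omitted PFS group to the platform default described in this post (ASA group2, PIX 6.x group1), and flags the Quick Mode mismatch. The platform labels, the peer-address argument and the config strings are constructed for the check.

```python
import re

# Defaults for "set pfs" with no group keyword, as stated in the thread:
# ASA assumes group2, PIX 6.x assumes group1 (labels are this example's own).
PFS_DEFAULT = {"asa": "group2", "pix6": "group1"}

# Constructed excerpts of the two crypto maps posted in the thread.
ASA_CFG = """\
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
"""
PIX_CFG = """\
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+?)\s*$", re.M)

def crypto_map_entries(config: str) -> dict:
    """Group 'crypto map <name> <seq> ...' lines by (name, seq) -> list of sub-commands."""
    entries = {}
    for name, seq, rest in ENTRY_RE.findall(config):
        entries.setdefault((name, int(seq)), []).append(rest)
    return entries

def effective_pfs(config: str, platform: str, peer: str):
    """Effective PFS group of the map entry that points at `peer`; an omitted group resolves
    to the platform default. Returns None when PFS is off or no entry references the peer."""
    for cmds in crypto_map_entries(config).values():
        if f"set peer {peer}" not in cmds:
            continue
        for cmd in cmds:
            m = re.fullmatch(r"set pfs(?: (group\d+))?", cmd)
            if m:
                return m.group(1) or PFS_DEFAULT[platform]
        return None
    return None

def check_pfs_match(local_cfg, local_platform, local_peer, remote_cfg, remote_platform, remote_peer):
    """Return (ok, local_group, remote_group); ok is False when the two ends disagree on PFS."""
    a = effective_pfs(local_cfg, local_platform, local_peer)
    b = effective_pfs(remote_cfg, remote_platform, remote_peer)
    return (a == b, a, b)
```

In the thread's configs both sides point at an anonymised peer x.x.x.x, so the same address is passed for each end; with real configs pass each device's actual peer address.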
12-27-2007 11:54 AM
Use this on PIX
crypto map
Or on ASA, use :
crypto map
12-27-2007 02:42 PM
I didn't know that ASA uses PFS group 2 as default. I guess you learn something new every day. I'll change that and let you know how it went and if the problem persists.
01-11-2008 12:47 AM
Changing the PFS value on the ASA solved the problem. There are no more dropped tunnels.
Thanks for all your help.