Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IOS to ASA vpn failing

I have an ASA which has a few static vpn sessions setup on it already from PIX boxes. I need a 2621 router to be able to setup a vpn connection to this

ASA. I have not been able to get it working.

Out from debugs on router:

*Mar  1 01:19:38.979: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x7348980A(1934137354), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 01:19:38.979: ISAKMP: received ke message (1/1)

*Mar  1 01:19:38.979: ISAKMP (0:0): SA request profile is (NULL)

*Mar  1 01:19:38.983: ISAKMP: local port 500, remote port 500

*Mar  1 01:19:38.983: ISAKMP: set new node 0 to QM_IDLE     

*Mar  1 01:19:38.983: ISAKMP: insert sa successfully sa = 830CF4BC

*Mar  1 01:19:38.983: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.

*Mar  1 01:19:38.983: ISAKMP: Looking for a matching key for ASA-IP in default : success

*Mar  1 01:19:38.983: ISAKMP (0:1): found peer pre-shared key matching ASA-IP

*Mar  1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-07 ID

*Mar  1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-03 ID

*Mar  1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-02 ID

*Mar  1 01:19:38.987: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  1 01:19:38.987: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 01:19:38.987: ISAKMP (0:1): beginning Main Mode exchange

*Mar  1 01:19:38.987: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 01:19:48.991: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar  1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 01:19:48.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 01:19:58.991: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar  1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 01:19:58.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:20:08.979: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 74.80.56.70, remote= ASA-IP,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)

*Mar  1 01:20:08.979: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0xCB8582CD(3414524621), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 01:20:08.983: ISAKMP: received ke message (1/1)

*Mar  1 01:20:08.983: ISAKMP: set new node 0 to QM_IDLE     

*Mar  1 01:20:08.983: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote ASA-IP)

*Mar  1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 01:20:08.991: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Mar  1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 01:20:08.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 01:20:18.991: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Mar  1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 01:20:18.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 01:20:28.991: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Mar  1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 01:20:28.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:20:38.979: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 74.80.56.70, remote= ASA-IP,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)

*Mar  1 01:20:38.979: ISAKMP: received ke message (3/1)

*Mar  1 01:20:38.979: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 01:20:38.979: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0

*Mar  1 01:20:38.983: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0

*Mar  1 01:20:38.983: ISAKMP (0:1): deleting node 1094787083 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar  1 01:20:38.983: ISAKMP (0:1): deleting node -1121124209 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar  1 01:20:38.983: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar  1 01:20:38.983: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Mar  1 01:21:28.983: ISAKMP (0:1): purging node 1094787083

*Mar  1 01:21:28.983: ISAKMP (0:1): purging node -1121124209

*Mar  1 01:21:38.983: ISAKMP (0:1): purging SA., sa=830CF4BC, delme=830CF4BC

*Mar  1 01:21:38.983: CryptoEngine0: delete connection 1

ncollege#

Output from ASA:

Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!

Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry

Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!

Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry

I will note that I am doing some PAT the router location... at that location, I can not seem to ping the outside interface

of the ASA from the router. From the internal hosts that are not going through the vpn I can ping the outside interface

of the ASA.

Relevant config of router:

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key MYKEY address ASA-IP no-xauth

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set myset2 esp-3des esp-sha-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer ASA-IP

set transform-set myset2

match address 101

!

interface FastEthernet0/0

ip address dhcp

ip nat outside

no ip route-cache cef

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1.108

description intRAnetVLAN

encapsulation dot1Q 108

ip address 192.168.8.1 255.255.255.0

!

interface FastEthernet0/1.109

description intERnetVLAN

encapsulation dot1Q 109

ip address 192.168.9.1 255.255.255.0

ip nat inside

ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0

ip nat inside source route-map nonat pool overit overload

ip route 192.168.1.0 255.255.255.0 ASA-IP

ip route 192.168.3.0 255.255.255.0 ASA-IP

ip route 192.168.5.0 255.255.255.0 ASA-IP

!

access-list 1 permit 192.168.9.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 120 permit ip 192.168.8.0 0.0.0.255 any

access-list 120 permit ip 192.168.9.0 0.0.0.255 any

!

route-map sip_nat permit 10

match ip address udp_rtp

!

route-map nonat permit 10

match ip address 120

Everyone's tags (5)
19 REPLIES
Cisco Employee

IOS to ASA vpn failing

The following configuration is incorrect and you should remove it:

ip route 192.168.1.0 255.255.255.0 ASA-IP

ip route 192.168.3.0 255.255.255.0 ASA-IP

ip route 192.168.5.0 255.255.255.0 ASA-IP

Are you saying that in front of the router there is a PAT device? and is there any acl that might be blocking the traffic?

It seems that you are just passing IKE Message 1 and there is no reply, so assuming that it doesn't even get to the ASA as you can't ping the ASA outside interface from the router.

New Member

IOS to ASA vpn failing

Ok, I thought I had read in the CISCO docs I needed to tell the router to route those LANs to the ASA.. however,

there is nothing but the ISP on the other side of the router with a static (dhcp assigned) IP address. I can not for the life of me figure out why this router can not ping the ASA from the console. Even with extended attributes on ping and giving it the source of the fastethernet0/0, I can not ping the ASA or for example 8.8.8.8. However, on an inside client

I can ping anything on the intenet.

We have this particular ISP at two other locations, with the same service, and they are not blocking ports there, so I

do not think it is an ISP blocking issue. Does it look like I have some kind of strange PAT/NAT problem that would prevent the router itself from being able to ping?

Thanks.

Cisco Employee

IOS to ASA vpn failing

I assume that the router has default route configured, right?

If you try to ping sourcing the ping from FastEthernet0/1.108 interface towards ASA LAN, anything in 192.168.1.0/24, 192.168.3.0/24 or 192.168.5.0/24, does the tunnel get established?

If not, can you please share the full config of both the router and the ASA. Thanks.

New Member

Re: IOS to ASA vpn failing

Ok, so I can not do a source ping. I will note again, I think this is part of the problem, from the 2621, I can not ping anything on the outside. I can ping inside, but not out. From the inside, after I removed the three nat statements you suggested, my internal hosts can not ping to the internet at all.

Here are my configs and some diags I tried.

::::::::::::::

cisco2600_07202012.txt

::::::::::::::

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ncollege

!

boot-start-marker

boot-end-marker

!

enable secret 5

!

clock timezone CST -6

aaa new-model

!

!

aaa session-id common

ip subnet-zero

ip cef

!

!        

ip domain name somedomain.com

!

ip audit po max-events 100

vlan ifdescr detail

!

!

!

!

!

!

!

!

!

!

!

!

username

!

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

!        

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key mykey address ASA-IP

!

!

crypto ipsec transform-set myset2 esp-3des esp-sha-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer ASA-IP

set transform-set myset2

match address 101

!

!

!

!

interface FastEthernet0/0

ip address dhcp

ip nat outside

no ip route-cache cef

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

no ip address

speed auto

full-duplex

!

interface FastEthernet0/1.108

description intRAnetVLAN

encapsulation dot1Q 108

ip address 192.168.8.1 255.255.255.0

!

interface FastEthernet0/1.109

description intERnetVLAN

encapsulation dot1Q 109

ip address 192.168.9.1 255.255.255.0

ip nat inside

!

interface FastEthernet0/1.120

description cameraVLAN

encapsulation dot1Q 120

ip address 192.168.120.1 255.255.255.0

!

interface FastEthernet0/1.127

description collegeVoiceVLAN

encapsulation dot1Q 127

ip address 192.168.127.1 255.255.255.0

!

ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0

ip nat inside source route-map nonat pool overit overload

ip nat inside source static udp 192.168.9.10 5060 interface FastEthernet0/1 5060

ip nat inside source static udp 192.168.9.10 5060 74.80.56.70 5060 extendable

ip nat inside source static 192.168.9.10 74.80.56.70 route-map sip_nat

ip nat inside source static tcp 192.168.9.10 22 74.80.56.70 2222 extendable

ip http server

no ip http secure-server

ip classless

!        

!

ip access-list extended udp_rtp

permit udp host 192.168.9.10 any range 10001 20000

access-list 1 permit 192.168.9.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 120 deny   ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 120 permit ip 192.168.8.0 0.0.0.255 any

access-list 120 permit ip 192.168.9.0 0.0.0.255 any

!

route-map sip_nat permit 10

match ip address udp_rtp

!

route-map nonat permit 10

match ip address 120

!

!

!

!

!        

!

line con 0

password 7

line aux 0

line vty 0 4

password 7

transport input ssh

!

ntp server 66.207.226.14

!

end

ncollege#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 74.80.56.1 to network 0.0.0.0

     69.0.0.0/32 is subnetted, 1 subnets

S       69.1.184.70 [254/0] via 74.80.56.1, FastEthernet0/0

C    192.168.120.0/24 is directly connected, FastEthernet0/1.120

C    192.168.8.0/24 is directly connected, FastEthernet0/1.108

C    192.168.127.0/24 is directly connected, FastEthernet0/1.127

C    192.168.9.0/24 is directly connected, FastEthernet0/1.109

     74.0.0.0/21 is subnetted, 1 subnets

C       74.80.56.0 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 [254/0] via 74.80.56.1

ncollege#ping

Protocol [ip]:

Target IP address: 174.79.16.121

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 74.80.56.70

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 174.79.16.121, timeout is 2 seconds:

Packet sent with a source address of 74.80.56.70

.....

Success rate is 0 percent (0/5)

ncollege#ping

Protocol [ip]: 

Target IP address: 192.168.1.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.8.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.8.1

.....

Success rate is 0 percent (0/5)

ncollege#

::::::::::::::

asa.txt

::::::::::::::

ASA Version 8.2(1)

!

terminal width 100

hostname mouton

domain-name oilcenter.com

enable password

passwd

names

name 192.168.3.28 surveillix2

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.7 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ASA-IP 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!            

interface Ethernet0/7

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name oilcenter.com

same-security-traffic permit intra-interface

access-list outside extended permit icmp any any

access-list outside extended permit tcp any interface outside eq 3100

access-list outside extended permit tcp any interface outside range 3001 3004

access-list outside extended permit tcp any interface outside eq 9000

access-list outside extended permit tcp any interface outside eq 3389

access-list outside extended permit tcp any interface outside range 1999 2003

access-list 105 extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.5.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.8.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.10.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.11.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.18.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 105 extended permit ip 192.168.22.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 90 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.11.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.16.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 90 extended permit ip 192.168.1.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 90 extended permit ip 192.168.10.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 90 extended permit ip 192.168.16.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 90 extended permit ip 192.168.20.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 90 extended permit ip 192.168.22.0 255.255.255.0 192.168.18.0 255.255.255.0

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.18.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.22.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list 95 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.8.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.16.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list 95 extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 95 extended permit ip 192.168.3.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 95 extended permit ip 192.168.10.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 95 extended permit ip 192.168.16.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 95 extended permit ip 192.168.18.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 95 extended permit ip 192.168.20.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list 108 extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list 108 extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list 108 extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool rw 192.168.10.1-192.168.10.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 174.79.16.113 1

route outside ASA-GW 255.255.255.240 ASA-IP 1

route inside 192.168.1.0 255.255.255.0 192.168.3.1 1

route inside 192.168.3.0 255.255.255.0 192.168.3.7 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto ipsec transform-set rw esp-3des esp-sha-hmac

crypto ipsec transform-set rw mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map houston_dyn_map 60 set transform-set rw

crypto map houston 20 match address 90

crypto map houston 20 set peer 173.11.176.173

crypto map houston 20 set transform-set strong

crypto map houston 30 match address 100

crypto map houston 30 set peer 71.22.29.120

crypto map houston 30 set transform-set strong

crypto map houston 40 match address 95

crypto map houston 40 set peer 68.15.195.66

crypto map houston 40 set transform-set strong

crypto map houston 50 match address 105

crypto map houston 50 set peer 166.142.221.164

crypto map houston 50 set transform-set strong

crypto map houston 58 match address 108

crypto map houston 58 set peer 74.80.56.70

crypto map houston 58 set transform-set strong

crypto map houston 60 ipsec-isakmp dynamic houston_dyn_map

crypto map houston interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 9

authentication pre-share

encryption 3des

hash sha    

group 1

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server inside 192.168.3.2 \moutonasa_config

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.3.2

dns-server value 192.168.3.2

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value ocr-1.local

username remote password

tunnel-group DefaultRAGroup general-attributes

address-pool rw

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group 173.11.176.173 type ipsec-l2l

tunnel-group 173.11.176.173 ipsec-attributes

pre-shared-key *

tunnel-group 71.22.29.120 type ipsec-l2l

tunnel-group 71.22.29.120 ipsec-attributes

pre-shared-key *

tunnel-group 68.15.195.66 type ipsec-l2l

tunnel-group 68.15.195.66 ipsec-attributes

pre-shared-key *

tunnel-group 166.142.221.164 type ipsec-l2l

tunnel-group 166.142.221.164 ipsec-attributes

pre-shared-key *

tunnel-group 74.80.56.70 type ipsec-l2l

tunnel-group 74.80.56.70 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect http

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:9b03f678bfdc3ec682a6c04b64b4b3ec

: end

Cisco Employee

IOS to ASA vpn failing

On the ASA, you are using the NAT ip address on the router for the set peer command:

crypto map houston 58 set peer 74.80.56.70

This is not supported. You can't use the NATed ip on the router.

If you want to use that ip address, you would need to assign it to the loopback interface on the router and you can't use that ip address on the NAT statement.

interface loopback1

  ip address 74.80.56.70 255.255.255.255

crypto map mymap local-address loopback1

New Member

IOS to ASA vpn failing

I think I understand what you are saying... but it works on the pix units.. I suppose that is because they are

a firewall.

So, let me ask this, my ISP gave me two more IP addresses, but not in the same subnet (they gave us a block

of four, so only two are usable)... would it be possible for me to keep the nat statement and assign the other IP

address to the loopback for the VPN to use? Here is another question, if I wanted to assign another IP that my

ISP assigned (again, not in the same block as the main dhcp IP address) is that possible with the vlans on

fastethernet 0/1, even though I would assign one of them to the loopback interface?

Thank you for all of your help... we are trying to get this working for now until we get a good plan in place

of how to upgrade all of these old units (other offices have old pix and we want to move to an ASA or ISR).

Cisco Employee

IOS to ASA vpn failing

Yes, you can assign a different public ip address assigned to you by your ISP on the loopback interface as long as this public IP is routed towards your router.

New Member

Re: IOS to ASA vpn failing

This is not working... I have set an IP from the ISP to my loopback. I can ping that IP address from the ASA now, and from the internet. The CISCO 2621 can not ping the ASA.

UPDATE: If I ping the ASA from the 2621 and use the ip address of the loopback as the source, that works.

When I go to a client on the .8 network behind the 2621 and try to ping say 192.168.1.1 to initiate a VPN between the 2621 and the ASA nothing happens on the ASA even though I have debugs on and a term mon going.

The changes I made on the 2600 are:

interface Loopback1

ip address 76.72.91.93 255.255.255.255

crypto map mymap

!

interface FastEthernet0/0

ip address dhcp

ip nat outside

no ip route-cache cef

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

On the ASA:

crypto map houston 58 match address 108

crypto map houston 58 set peer 76.72.91.93

crypto map houston 58 set transform-set strong

tunnel-group 76.72.91.93 type ipsec-l2l

tunnel-group 76.72.91.93 ipsec-attributes

pre-shared-key *

I don't know why nothing is going on now, but I will say that those three ip route lines that you had me remove... I thought I needed them for this vpn to work.

Any help would be greatly appreciated.

Thanks.

Cisco Employee

IOS to ASA vpn failing

Can you please remove the "crypto map mymap" from loopback interface and apply that to fa0/0 instead as originally configured.

Also from host behind the router, pls try to ping the ASA inside interface: 192.168.3.7

New Member

Re: IOS to ASA vpn failing

Did that, no change. I will note that I have the following debugging on on the router:

crypto isakmp debugging

crypto engine debugging

crypto ipsec debugging


Now, when I ping from the inside after doing a term mon on the router, I see nothing. No output, no initiation, nothing. If I try to source ping from the router, I still get no debug output. Nothing I do maked a debug output from the current session.

Also, if I do sh isakmp sa I see no peers.

New Member

Re: IOS to ASA vpn failing

Ok, I got it hitting the 2621 again... here is my current debug output from the 2621...

      

*Mar  5 00:52:31.603: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xACEEC20B(2901328395), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  5 00:52:31.603: ISAKMP: received ke message (1/1)
*Mar  5 00:52:31.603: ISAKMP (0:0): SA request profile is (NULL)
*Mar  5 00:52:31.607: ISAKMP: local port 500, remote port 500
*Mar  5 00:52:31.607: ISAKMP: set new node 0 to QM_IDLE
*Mar  5 00:52:31.607: ISAKMP: insert sa successfully sa = 830A27DC
*Mar  5 00:52:31.607: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar  5 00:52:31.607: ISAKMP: Looking for a matching key for 174.79.16.121 in default : success
*Mar  5 00:52:31.607: ISAKMP (0:1): found peer pre-shared key matching 174.79.16.121
*Mar  5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar  5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar  5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar  5 00:52:31.611: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  5 00:52:31.611: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  5 00:52:31.611: ISAKMP (0:1): beginning Main Mode exchange
*Mar  5 00:52:31.611: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:52:41.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  5 00:52:41.615: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  5 00:52:41.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  5 00:52:41.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:52:51.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  5 00:52:51.615: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  5 00:52:51.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  5 00:52:51.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:53:01.603: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 74.80.56.70, remote= 174.79.16.121,
    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar  5 00:53:01.603: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x4A760EC5(1249251013), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  5 00:53:01.607: ISAKMP: received ke message (1/1)
*Mar  5 00:53:01.607: ISAKMP: set new node 0 to QM_IDLE
*Mar  5 00:53:01.607: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote 174.79.16.121)
*Mar  5 00:53:01.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  5 00:53:01.615: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  5 00:53:01.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  5 00:53:01.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:53:11.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  5 00:53:11.615: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  5 00:53:11.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  5 00:53:11.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:53:21.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  5 00:53:21.615: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  5 00:53:21.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  5 00:53:21.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  5 00:53:31.603: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 74.80.56.70, remote= 174.79.16.121,
    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar  5 00:53:31.603: ISAKMP: received ke message (3/1)
*Mar  5 00:53:31.603: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  5 00:53:31.603: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar  5 00:53:31.607: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar  5 00:53:31.607: ISAKMP (0:1): deleting node 1699033836 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  5 00:53:31.607: ISAKMP (0:1): deleting node 2014091798 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  5 00:53:31.607: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  5 00:53:31.607: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

I think that reason given means that they keys are not the same, but I have double checked it.

New Member

Re: IOS to ASA vpn failing

Also, I keep seeing a lot of this on the console now...

*Mar  5 01:11:16.175: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:16.375: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:16.575: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:16.775: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:16.979: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:17.175: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:17.379: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:17.579: CRYPTO_ENGINE: key process suspended and continued

*Mar  5 01:11:17.779: CRYPTO_ENGINE: key process suspended and continued

      

UPDATE: added debug statements on the ASA... the ONLY messages that appear on the ASA when I try to ping from a client to the ASAs internal network is...

[IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry

[IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no matc!

Which I find odd... I suppose the secondary IP address I am using is not showing up on the front side of the router?

Cisco Employee

IOS to ASA vpn failing

Any chance you can save the router config and reload it?

New Member

IOS to ASA vpn failing

I have tried that, I can try it again.

New Member

IOS to ASA vpn failing

After the reboot, I can not ping to the inside of the remote ASA, but now I see:

ncollege#  sh crypto isakmp sa

dst             src             state          conn-id slot

174.79.16.121   74.80.56.70     MM_NO_STATE          1    0

ncollege#  sh crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: mymap, local addr. 74.80.56.70

   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   current_peer: 174.79.16.121:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

   current_peer: 174.79.16.121:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 10, #recv errors 0

     local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)

   current_peer: 174.79.16.121:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

and debug on the 2621:

*Mar  1 00:46:00.923: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x7E29DEBB(2116673211), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:46:00.927: ISAKMP: received ke message (1/1)

*Mar  1 00:46:00.927: ISAKMP (0:0): SA request profile is (NULL)

*Mar  1 00:46:00.931: ISAKMP: local port 500, remote port 500

*Mar  1 00:46:00.931: ISAKMP: set new node 0 to QM_IDLE

*Mar  1 00:46:00.931: ISAKMP: insert sa successfully sa = 82ACEE04

*Mar  1 00:46:00.931: ISAKMP (0:1): Can not start Aggressive mode, trying Main m

ode.

*Mar  1 00:46:00.931: ISAKMP: Looking for a matching key for 174.79.16.121 in de

fault : success

*Mar  1 00:46:00.931: ISAKMP (0:1): found peer pre-shared key matching 174.79.16

.121

*Mar  1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-07 ID

*Mar  1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-03 ID

*Mar  1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-02 ID

*Mar  1 00:46:00.935: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  1 00:46:00.935: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 00:46:00.935: ISAKMP (0:1): beginning Main Mode exchange

*Mar  1 00:46:00.935: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500

peer_port 500 (I) MM_NO_STATE...

*Mar  1 00:46:10.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 00:46:10.939: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar  1 00:46:10.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 00:46:10.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:46:20.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 00:46:20.939: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar  1 00:46:20.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 00:46:20.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:46:30.923: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 74.80.56.70, remote= 174.79.16.121,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)

*Mar  1 00:46:30.923: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0xB34E87CE(3008268238), conn_id= 0, keysize= 0, flags= 0x400A

*Mar  1 00:46:30.927: ISAKMP: received ke message (1/1)

*Mar  1 00:46:30.927: ISAKMP: set new node 0 to QM_IDLE

*Mar  1 00:46:30.927: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote 174.79.16.121)

*Mar  1 00:46:30.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 00:46:30.939: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Mar  1 00:46:30.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 00:46:30.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:46:40.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 00:46:40.939: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Mar  1 00:46:40.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 00:46:40.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:46:50.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...

*Mar  1 00:46:50.939: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Mar  1 00:46:50.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

*Mar  1 00:46:50.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 00:47:00.923: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= 74.80.56.70, remote= 174.79.16.121,

    local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)

*Mar  1 00:47:00.923: ISAKMP: received ke message (3/1)

*Mar  1 00:47:00.923: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 00:47:00.923: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0

*Mar  1 00:47:00.927: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0

*Mar  1 00:47:00.927: ISAKMP (0:1): deleting node 674391746 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar  1 00:47:00.927: ISAKMP (0:1): deleting node -609125903 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar  1 00:47:00.927: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar  1 00:47:00.927: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

New Member

IOS to ASA vpn failing

I still only see this in the debugs on the ASA side...

Jul 24 07:00:20 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!

Jul 24 07:00:20 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry

It sure seems like the entire process is not showing up on the ASA, even though on the 2621 I see all of the debug output that I posted in my last post.

New Member

IOS to ASA vpn failing

Really odd, the only response I can see on the ASA is th

IKE Peer: 74.80.56.70

    Type    : user            Role    : responder

    Rekey   : no              State   : MM_WAIT_MSG3

from sh isakmp sa

and also in the deubgs on the ASA all I see is:

Jul 24 12:35:25 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!

Jul 24 12:35:25 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry

New Member

IOS to ASA vpn failing

Ok, I have this all working now (at least the VPN). As it turns out you can not do the loopback (or at least it was not working in that capacity). What I did was the following:

Set the NAT/PAT to go out the IP address of the loopback interface.

Reapply the crypto map on the ASA to use the dynamically (static) assigned IP from the ISP that goes to fa0/0 on the 2621.

Reload the router.

It came up first try.

Cisco Employee

IOS to ASA vpn failing

Great work, and thanks for sharing..

1383
Views
5
Helpful
19
Replies
CreatePlease login to create content