Cisco RV042 to ASA 5510 IPsec tunnel issue

antoinenowak
Level 1

Hi,

I currently have a problem building an IPsec tunnel from a Cisco RV042G to a Cisco ASA 5510.

I checked all the security parameters and the local/remote groups as well; the tunnel shows as up on the ASA side and phase 1 IKE passed, but it seems that phase 2 IPsec has not.

On the Cisco RV042 it just says "waiting for connection" and no error is shown in the logs.

Here is some CLI command output from the ASA:

6   IKE Peer: 185.42.177.179
   Type    : L2L             Role    : responder
   Rekey   : no              State   : MM_ACTIVE


Result of the command: "show crypto ipsec sa peer 185.42.177.179"

There are no ipsec sas for peer 185.42.177.179

Please find attached a screenshot from the ASA ASDM site-to-site VPN status.

6 Replies

mdobiac
Level 3
Hello antoinenowak,

As I am not sure of your configuration on both sides of the tunnel in regards to the encryption used, I can only really answer about the RV042.

However, the way I would approach this setup is to configure the RV042 first, as it is not as robust as the ASA firewall for encryption options, if applicable.

Below is what I would verify matches between the ASA and the RV042, besides having the local and remote IPs and local subnets configured correctly:

Phase 1 DH group:
Phase 1 encryption:
Phase 1 authentication:
Phase 1 SA lifetime: ___ seconds
Phase 2 DH group:
Phase 2 encryption:
Phase 2 authentication:
Phase 2 SA lifetime: ___ seconds
Pre-shared key:

If the configuration is correct, then I tend to see that the RV042 model needs to be power cycled to negotiate the tunnel. You may sometimes need to do both sides.

Hope this helps,

Michael D.
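As an added example (not code from the thread, from the RV042 or from the ASA), here is a small Python script that applies the checklist above to two peers: it diffs the phase 1 and phase 2 parameters, reports lifetime differences separately as warnings, and checks that the phase 2 proxy IDs (the local/remote subnets) are exact mirrors of each other, which is a common reason for a tunnel that reaches phase 1 but never builds an IPsec SA. The parameter names, the check_tunnel() and proxy_ids_mirror() functions and both sample configurations are constructed assumptions; only the two LAN subnets are taken from the thread.

```python
"""Side-by-side check of IKE phase 1 / IPsec phase 2 parameters on two peers.

Added example, not code from the thread or from Cisco.  Parameter names,
function names and both sample configurations are constructed for
illustration; only the two LAN subnets come from the thread.
"""
import ipaddress

# Values that must be identical on both peers for the respective phase.
PHASE1_KEYS = ("dh_group", "encryption", "authentication", "psk")
PHASE2_KEYS = ("pfs_group", "encryption", "authentication")


def compare_params(a, b, keys):
    """Return (key, value_on_a, value_on_b) for every key whose values differ."""
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]


def proxy_ids_mirror(side_a, side_b):
    """Phase 2 proxy IDs must mirror exactly: A's local subnet is B's remote
    subnet and vice versa.  A superset or merely overlapping network is not
    enough; the responder typically rejects the proposal and no IPsec SA is built."""
    a_local = ipaddress.ip_network(side_a["local_subnet"], strict=False)
    a_remote = ipaddress.ip_network(side_a["remote_subnet"], strict=False)
    b_local = ipaddress.ip_network(side_b["local_subnet"], strict=False)
    b_remote = ipaddress.ip_network(side_b["remote_subnet"], strict=False)
    return a_local == b_remote and a_remote == b_local


def check_tunnel(side_a, side_b):
    """Return a dict of findings.  Empty 'phase1'/'phase2' lists and
    proxy_id_ok == True mean both peers should agree on the SA proposals;
    lifetime differences are reported separately as warnings."""
    findings = {
        "phase1": compare_params(side_a["phase1"], side_b["phase1"], PHASE1_KEYS),
        "phase2": compare_params(side_a["phase2"], side_b["phase2"], PHASE2_KEYS),
        "lifetime_warnings": [],
        "proxy_id_ok": proxy_ids_mirror(side_a, side_b),
    }
    for phase in ("phase1", "phase2"):
        la, lb = side_a[phase]["lifetime"], side_b[phase]["lifetime"]
        if la != lb:
            findings["lifetime_warnings"].append((phase, la, lb))
    return findings


# Constructed sample: the ASA side uses PFS (DH group 2) in phase 2, the RV042
# side has PFS disabled.  Phase 1 matches, so ISAKMP reaches MM_ACTIVE, but the
# phase 2 proposals differ and no IPsec SA appears: the symptom in the thread.
ASA = {
    "local_subnet": "150.9.200.0/24", "remote_subnet": "192.168.1.0/24",
    "phase1": {"dh_group": 2, "encryption": "aes-128", "authentication": "sha1",
               "lifetime": 28800, "psk": "constructed-example-psk"},
    "phase2": {"pfs_group": 2, "encryption": "aes-128", "authentication": "sha1",
               "lifetime": 3600},
}
RV042 = {
    "local_subnet": "192.168.1.0/24", "remote_subnet": "150.9.200.0/24",
    "phase1": {"dh_group": 2, "encryption": "aes-128", "authentication": "sha1",
               "lifetime": 28800, "psk": "constructed-example-psk"},
    "phase2": {"pfs_group": None, "encryption": "aes-128", "authentication": "sha1",
               "lifetime": 3600},
}

if __name__ == "__main__":
    result = check_tunnel(ASA, RV042)
    for phase in ("phase1", "phase2"):
        for key, a, b in result[phase]:
            print(f"{phase} mismatch: {key} ASA={a!r} RV042={b!r}")
    for phase, la, lb in result["lifetime_warnings"]:
        print(f"{phase} lifetime differs (ASA={la}s, RV042={lb}s)")
    print("proxy IDs mirror:", result["proxy_id_ok"])
```

Run as-is it reports the single phase 2 mismatch (pfs_group 2 versus None) and confirms the subnets mirror; swap in the real values from both devices and an empty report for phase 1 and phase 2 plus a mirrored proxy ID pair is the baseline to have before looking at NAT or the WAN side.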

Hi Michael,

Thanks for your quick reply. I tried rebooting the Cisco RV042 and the ASA as well, but the result is the same: when I click on the Connect button the tunnel seems to be UP on the ASA side, but IPsec phase 2 is not completed.

I sometimes get this error message on the ASA, but not every time I try to establish the tunnel:

1    Nov 01 2014    18:10:15    Group = 185.42.177.179, IP = 185.42.177.179, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

We are trying to build a tunnel from our local LAN to a remote site LAN as shown below :

ASA 5510                                     RV042

Local LAN : 150.9.200.0 >>>>> Local LAN : 192.168.1.0

The RV042 WAN interface has been set up in PPPoE mode; it is directly connected to an ADSL modem which has been put in bridge mode.

I know that our local LAN subnet is quite unusual, but it was configured like this years ago and we have already built IPsec tunnels without any problems.

I tried to modify several times both security settings on the ASA and RV042 sides, choosing from basic settings to more complex, the best result I get was the tunnel up on the ASA side (Phase 1 only) and still "waiting for connection" status on the RV042.

Do I have to look at NAT rules on the ASA side? The RV042 has very limited options; I just added firewall rules to authorize traffic from 150.9.200.0 255.255.255.0 to 192.168.1.0 255.255.255.0.

Do I also need to set up IP forwarding for the IPsec tunnel ports on the RV042? I assume that I don't have to, as VPN passthrough is enabled on the device.

Please find both configurations attached.

Thanks for your help!

Hello antoinenowak,

From what you have provided, the configuration looks good. Though the rule you added ("I just added firewall rules to authorize traffic from 150.9.200.0 255.255.255.0 to 192.168.1.0 255.255.255.0") should not be needed, as the Gateway to Gateway configuration puts that in for you, though normally you can't see it as an actual rule.

I am not as familiar with the ASA as I would like to be, but the setup looks good. If needed you may want to open a case with Cisco TAC to have them look at the ASA.

One thing that I would try though is changing the SA phase 2 lifetime to a lower value on both the ASA and the RV042. I seem to have had issues with the tunnel negotiating when the SA lifetime value is set to 28800. Try 3600 (the default value) and see if that will work.

Regards,

Michael D.

Hi Michael,

I did try your solution but I still get the same result; I removed my firewall rules (RV042 side) and changed the SA phase 2 lifetime to a lower value, with no luck.

I'm out of ideas now to solve this issue, as I have spent almost one week on it...

I hope someone who has ever succeeded in building an IPsec tunnel between a Cisco RV042 and a Cisco ASA 55XX can help me with this.

I thought those two products were compatible, but it seems they are not completely.

Thanks for your help.

Antoine.

Hello Antoinenowak,

The example in the document below may help.

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=7200e3b590e443af8f27a1ca957705ba_Configuring_a_Site_to_Site_VPN_tunnel_between_RV_Series_Rout.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search

Nagaraja

Thanks for your answer Nagaraja.

I followed your instructions; now I have these messages in my RV042 logs:

I can't ping anything from both sides.

Do you have an idea of what I should try next?

Nov 25 10:57:36 2014 VPN Log | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Nov 25 10:57:56 2014 VPN Log | (g2gips0) #958: [Tunnel Established] ISAKMP SA established