10-31-2014 08:40 AM
Hi,
I currently have a problem building an IPsec tunnel from a Cisco RV042G to a Cisco ASA 5510.
I checked all the security parameters and the local/remote groups as well; the tunnel is shown as up on the ASA side and phase 1 IKE passed, but it seems that phase 2 IPsec did not.
On the Cisco RV042 it just says "waiting for connection" and no error is shown in the logs.
Here are some CLI commands output from the ASA:
6 IKE Peer: 185.42.177.179
    Type : L2L             Role : responder
    Rekey : no             State : MM_ACTIVE

Result of the command: "show crypto ipsec sa peer 185.42.177.179"

There are no ipsec sas for peer 185.42.177.179
Please find attached a screenshot of the ASA ASDM site-to-site VPN status.
10-31-2014 05:31 PM
Michael D.
11-01-2014 10:40 AM
Hi Michael,
Thanks for your quick reply. I tried rebooting the Cisco RV042 and the ASA as well, but the result is the same: when I click on the Connect button the tunnel seems to be up on the ASA side, but IPsec phase 2 is not completed.
I sometimes get this error message on the ASA, but not every time I try to establish the tunnel:

1 Nov 01 2014 18:10:15 Group = 185.42.177.179, IP = 185.42.177.179, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
We are trying to build a tunnel from our local LAN to a remote site LAN as shown below:

ASA 5510                               RV042
Local LAN : 150.9.200.0    >>>>>    Local LAN : 192.168.1.0
The RV042 WAN interface has been set up in PPPoE mode; it is directly connected to an ADSL modem which has been put in bridge mode.
I know that our local LAN subnet is quite unusual, but it has been configured like this for years and we have already built IPsec tunnels without any problems.
I tried modifying the security settings several times on both the ASA and RV042 sides, going from basic settings to more complex ones; the best result I got was the tunnel up on the ASA side (Phase 1 only) and still the "waiting for connection" status on the RV042.
Do I have to look at NAT rules on the ASA side? The RV042 has very limited options; I just added firewall rules to authorize traffic from 150.9.200.0 255.255.255.0 to 192.168.1.0 255.255.255.0.
Do I also need to set up IP forwarding for the IPsec tunnel ports on the RV042? I assume that I don't have to, as VPN passthrough is enabled on the device.
Please find both configurations attached.
Thanks for your help!
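As an added illustration that is not part of the thread or of either poster's configuration, the ASA side of a Gateway-to-Gateway tunnel to the RV042 described above, written in ASA 8.4+ syntax (assumed) with the thread's subnets and peer address. The object, ACL and crypto-map names and the transform set are assumptions, and the pre-shared key is a placeholder. When phase 1 reaches MM_ACTIVE but "show crypto ipsec sa" stays empty, the lines to compare against the RV042's Local/Remote Group and IPsec settings are the crypto ACL, the NAT exemption asked about above, and the phase 2 proposal (algorithms, lifetime, PFS).

```text
! Added example, ASA 8.4+ syntax (assumed); names below are placeholders chosen here.
object network LOCAL-LAN
 subnet 150.9.200.0 255.255.255.0
object network RV042-LAN
 subnet 192.168.1.0 255.255.255.0
!
! NAT exemption: tunnel traffic must keep its real addresses, otherwise the
! proxy IDs the ASA offers in phase 2 will not match the RV042's local/remote groups.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static RV042-LAN RV042-LAN no-proxy-arp route-lookup
!
! Crypto ACL, local -> remote: the exact mirror of the RV042 Local Group / Remote Group.
access-list L2L-RV042 extended permit ip object LOCAL-LAN object RV042-LAN
!
! Phase 2 proposal; encryption, hash, lifetime and PFS must match the RV042 IPsec setup.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-RV042
crypto map OUTSIDE-MAP 10 set peer 185.42.177.179
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
! Only if PFS is enabled on the RV042 (DH Group 2 there corresponds to group2 here):
! crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
!
! Phase 1 policy and peer; values must match the RV042 IKE proposal.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
! NAT-T, since the RV042 sits behind a PPPoE/ADSL link and its log reports port_floating NAT-T.
crypto isakmp nat-traversal 20
tunnel-group 185.42.177.179 type ipsec-l2l
tunnel-group 185.42.177.179 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Verification: phase 1 alone shows MM_ACTIVE in the first command;
! a completed phase 2 adds an entry to the second.
! show crypto ikev1 sa
! show crypto ipsec sa peer 185.42.177.179
```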
11-03-2014 04:22 PM
Hello antoinenowak,
From what you have provided, the configuration looks good. Though adding "I just added firewall rules to authorize traffic from 150.9.200.0 255.255.255.0 to 192.168.1.0 255.255.255.0." should not be needed, as the Gateway to Gateway configuration puts that in for you, though normally you can't see it as an actual rule.
As I am not as familiar with the ASA as I would like to be, the setup looks good. If needed, you may want to open a case with Cisco TAC to have them look at the ASA.
One thing that I would try, though, is changing the SA Phase 2 lifetime to a lower value on both the ASA and the RV042. I seem to have had issues with the tunnel negotiating when the SA lifetime value is set at 28800. Try 3600 (default value) and see if that works.
Regards,
Michael D.
11-04-2014 09:02 AM
Hi Michael,
I did try your solution but I still get the same result; I removed my firewall rules (RV042 side) and changed the SA Phase 2 lifetime to a lower value, with no luck.
I'm out of ideas now on how to solve this issue, as I have spent almost one week on it...
I hope someone who has ever succeeded in building an IPsec tunnel between a Cisco RV042 and a Cisco ASA 55XX can help me with this.
I thought those two products were compatible, but it seems they are not completely.
Thanks for your help.
Antoine.
11-04-2014 01:56 PM
Hello Antoinenowak,
The example in the document below may help.
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=7200e3b590e443af8f27a1ca957705ba_Configuring_a_Site_to_Site_VPN_tunnel_between_RV_Series_Rout.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search
Nagaraja
11-25-2014 02:05 AM
Thanks for your answer Nagaraja.
I followed your instructions and now I have these messages in my RV042 logs:

Nov 25 10:57:36 2014 | VPN Log | | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T |
Nov 25 10:57:56 2014 | VPN Log | (g2gips0) #958: [Tunnel Established] ISAKMP SA established |

I can't ping anything from either side.
Do you have an idea of what I should try next?