Cisco Support Community
New Member

RV082 VPN (ASA5505 originating VPN session)

Hi,

I'm having trouble making a VPN connection between an ASA5505 and a RV082.

My VPN tunnel is working perfectly when it's the RV082 which initiate the VPN connection.

But if I configure the ASA with "VPN originate only mode" [crypto map outside_map 20 set connection-type originate-only] (which means it's the ASA which originates the VPN connection), the VPN tunnel is not established and I get the following error message in the RV082 System log:

Cannot respond to IPsec SA request because no connection is known for xx.xx.xx.247/32===192.168.30.1:4500...xx.xx.xx.xx:4500===192.168.5.100/32

Here are the schemes of my network configurations:

Scheme Site 1 :

   -----------     C------------------ D
---| ASA5505 |------| Provider Box 1 |--- (Internet)
A  ---------- B     ------------------

A=192.168.9.50/24

B=192.168.5.100/24

C=192.168.5.1/24

D=Public IP Address

Scheme Site 2 :

   ---------     G------------------ H
---| RV082 |------| Provider Box 2 |--- (Internet)
E  --------- F    ------------------

E=192.168.1.50/24

F=192.168.20.1/24

G=192.168.20.2/24

H=Public IP Address

NAT-T is enabled on both VPN routers. All routers (ASA + Box1 + RV082 + Box2) use NAT.

What can affect the VPN connection in one direction and not in the other (RV082->ASA works while ASA->RV082 doesn't)?

I found a similar problem on Experts-Exchange with no solution: http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24785229.html

Thanks,

David
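The RV082 message quoted above has the shape `client===host:port...host:port===client`, which pluto-family IKE daemons print when a Phase 2 (quick mode) request arrives whose traffic selectors match no configured connection. The following Python helper is an added example, not code from the thread or from either product: it parses such a line and compares the proposed selectors with a constructed tunnel definition modelled on the site-2 diagram (local LAN = E's network, remote LAN = A's network, ASA outside address = B). The public addresses, masked as xx.xx.xx.* in the post, are replaced by documentation-range placeholders, and the reading that the responder's own side is printed first is my assumption about pluto's format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the message quoted in the first post, with the public
# addresses (masked as xx.xx.xx.* there) replaced by documentation-range
# placeholders. Assumed layout, as I read pluto's format: the responder's
# own client===host comes first, the initiator's host===client second.
SAMPLE_LOG = (
    "Cannot respond to IPsec SA request because no connection is known for "
    "203.0.113.247/32===192.168.30.1:4500...198.51.100.10:4500===192.168.5.100/32"
)

# Constructed tunnel definition, as the RV082 at site 2 would hold it:
# local LAN = point E's network, remote LAN = point A's network, and the
# ASA's NAT-side outside address (point B) recorded so it can be recognised.
SITE2_TUNNELS = [
    {
        "name": "site1-asa",
        "local_net": "192.168.1.0/24",
        "remote_net": "192.168.9.0/24",
        "peer_outside": "192.168.5.100",
    }
]

IPV4 = r"\d+(?:\.\d+){3}"
CONN_RE = re.compile(
    r"no connection is known for\s+"
    rf"(?P<left_ts>{IPV4}(?:/\d+)?)===(?P<left_host>{IPV4})(?::(?P<left_port>\d+))?"
    r"\.\.\."
    rf"(?P<right_host>{IPV4})(?::(?P<right_port>\d+))?===(?P<right_ts>{IPV4}(?:/\d+)?)"
)


def parse_no_connection(line):
    """Split a 'no connection is known for' line into its endpoints, or return None.

    Ports default to 500 when the daemon prints a host without one (no NAT-T)."""
    m = CONN_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "left_ts": ip_network(g["left_ts"], strict=False),
        "left_host": ip_address(g["left_host"]),
        "left_port": int(g["left_port"] or 500),
        "right_host": ip_address(g["right_host"]),
        "right_port": int(g["right_port"] or 500),
        "right_ts": ip_network(g["right_ts"], strict=False),
    }


def diagnose(line, tunnels):
    """Return human-readable findings explaining why no tunnel matched the request."""
    req = parse_no_connection(line)
    if req is None:
        return ["not a 'no connection is known for' message"]
    notes = []
    # UDP 4500 on both ends means NAT-T floated the exchange: at least one
    # peer is behind NAT, so selectors may carry pre-NAT private addresses.
    if req["left_port"] == 4500 and req["right_port"] == 4500:
        notes.append("NAT-T: both peers on UDP 4500, at least one side is behind NAT")
    # A site-to-site tunnel protects LANs; a /32 selector means a single host
    # was proposed, which usually points at the wrong crypto ACL or identity.
    for key, side in (("left_ts", "local"), ("right_ts", "remote")):
        if req[key].prefixlen == 32:
            notes.append(f"{side} selector {req[key]} is a single host, not a LAN")
    for t in tunnels:
        local, remote = ip_network(t["local_net"]), ip_network(t["remote_net"])
        problems = []
        if not req["left_ts"].subnet_of(local):
            problems.append(f"local {req['left_ts']} not within {local}")
        if not req["right_ts"].subnet_of(remote):
            problems.append(f"remote {req['right_ts']} not within {remote}")
        peer_outside = t.get("peer_outside")
        if peer_outside and req["right_ts"] == ip_network(f"{peer_outside}/32"):
            problems.append(
                f"remote selector is the peer's own outside address {peer_outside}, "
                f"not its inside LAN {remote}"
            )
        if problems:
            notes.append(f"{t['name']}: " + "; ".join(problems))
        else:
            notes.append(f"{t['name']}: selectors match, check IKE IDs and proposals instead")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG, SITE2_TUNNELS):
        print("-", note)
```

Run against the constructed sample, the last finding states the mismatch in the same terms the thread arrives at by hand: the selector proposed for the ASA's side is its outside interface address as a /32, not the 192.168.9.0/24 LAN the RV082 expects, so the responder has nothing to match and logs the request as unknown.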

4 REPLIES
Silver

RV082 VPN (ASA5505 originating VPN session)

David,

Looks like the RV082 is referencing your connection to the private IP address that's in front, or a different private IP address. Since the tunnel settings inside the RV082 don't match, it isn't responding. I don't understand where the (192.168.30.1) is coming from since it's not in your diagram.

Cannot respond to IPSec SA request because no connection is known for xx.xx.xx.247/32===192.168.30.1:4500...xx.xx.xx.xx:4500===192.168.5.100/32

I imagine the problem is coming from the router in front of the RV082, since it's giving out a private IP address to the RV082. We don't support this type of connection since the RV082 doesn't hold the routable public IP address. Since we're not the gateway router, I can assume this is the reason why it's working one way and not the other.

Thanks,

Jasbryan

New Member

RV082 VPN (ASA5505 originating VPN session)

Hi Jasbryan,

Thank you for your response.

The 192.168.30.1 is the address of the point F for a third site.

This third site uses the same configuration as the site 2: One Box with NAT + One RV082 with NAT too.

And on this site, the VPN connection with site 2 works both ways.

Could you specify which private IP address you're talking about (since it's giving out a private IP address to the RV082)?

My understanding of this problem is that the RV082 doesn't correctly understand the NAT-T sent by the ASA and thinks the remote VPN network is 192.168.5.0 while it's actually 192.168.9.0.

But that's weird because with two RV082 behind a NAT router, it works. So it should be a NAT-T implementation difference between the ASA and the RV082.

Thanks

David

Silver

Re: RV082 VPN (ASA5505 originating VPN session)

David,

As you know, when dealing with an IPSec VPN tunnel, for a tunnel to establish both sides have to be identical or match when sending the IPSec SA request. When the ASA is sending the IPSec SA request something is different and your connection isn't matching, therefore the RV082 is replying with an unknown connection error. There are very few options on the RV082 we can change; I would look at different configuration options on your ASA. What I was saying about the private IP address on the RV082: since it's private you are just adding another step in the connection process of the IPSec tunnel, and with this type of setup many customers run into trouble, especially when you have two different model routers. The supported configuration for SBSC products is when the RV082 holds the routable public IP address. The connection process is simpler when you're the gateway device.

Added note: In the link you provided with the site-to-site ASA (the main error was ignoring the vendor payload), this generally happens when the router is behind another device and doesn't hold the routable public IP address. In the ASA you change the vendor payload to specify the actual public address. Generally it is done with

config>#crypto map ipsec-isakmp

config>crypto>#identity address

I would repost this over on the support forums for ASA and let those guys better direct you on what exactly needs to be done.

Jasbryan

New Member

Re: RV082 VPN (ASA5505 originating VPN session)

Hi Jasbryan.

I tried to find this option to manually change the identity address to specify the inside network (192.168.9.0) but I can't.

I just found an option which is "crypto isakmp identity address" but I can't specify the address manually.

My ASA version is: 8.4(3).

Thank you for the suggestion to ask the ASA support guys.

David
