Cisco Support Community
RV110W IPsec VPN to ASA 5510

Hi guys,

I am trying to get the RV110W router to bring up an L2L VPN tunnel to my central ASA 5510, but no traffic is passing through and after a few minutes the tunnel gets dropped.

 

Essentially the tunnel seems to be established properly.

 

On the ASA it looks good:

Group = DefaultL2LGroup, IP = 90.176.134.35, PHASE 2 COMPLETED (msgid=d2875ba0)
IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEA540B50) between 194.228.36.138 and 90.176.134.35 (user= DefaultL2LGroup) has been created.
Group = DefaultL2LGroup, IP = 90.176.134.35, Security negotiation complete for LAN-to-LAN Group (DefaultL2LGroup) Responder, Inbound SPI = 0xea540b50, Outbound SPI = 0x7c2ea426
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7C2EA426) between 194.228.36.138 and 90.176.134.35 (user= DefaultL2LGroup) has been created.
Group = DefaultL2LGroup, IP = 90.176.134.35, PHASE 1 COMPLETED

AAA retrieved default group policy (Dynamic) for user = DefaultL2LGroup

 

Also on the RV110W the tunnel looks established.

------------------------------------------------------------------

But after a few minutes the tunnel fails; on the ASA it looks like a connectivity problem.

 

Group = DefaultL2LGroup, Username = DefaultL2LGroup, IP = 90.176.134.35, Session disconnected. Session Type: IPsec, Duration: 0h:07m:42s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3DEA0704) between 194.228.36.138 and 90.176.134.35 (user= DefaultL2LGroup) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0x273F53FD) between 194.228.36.138 and 90.176.134.35 (user= DefaultL2LGroup) has been deleted.
Group = DefaultL2LGroup, IP = 90.176.134.35, Deleting static route for L2L peer that came in on a dynamic map. address: 172.16.28.0, mask: 255.255.255.0
Group = DefaultL2LGroup, IP = 90.176.134.35, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

------------------------------------------------------------------

On the RV110W the situation looks as follows:

2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: initiating Main Mode
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: STATE_MAIN_I2: sent MI2, expecting MR2
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: received Vendor ID payload [Cisco-Unity]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: received Vendor ID payload [XAUTH]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: ignoring unknown Vendor ID payload [8bda214879f829b4932e29a7af1695d3]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: STATE_MAIN_I3: sent MI3, expecting MR3
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: received Vendor ID payload [Dead Peer Detection]
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: Main mode peer ID is ID_IPV4_ADDR: '194.228.36.138'
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
2014-10-24 06:06:02 RV110W authpriv.info pluto[672]: "apexCB" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: Dead Peer Detection (RFC 3706): enabled
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#7 msgid:cee047ff proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: "apexCB" #8: Dead Peer Detection (RFC 3706): enabled
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: "apexCB" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: "apexCB" #8: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x273f53fd <0x3dea0704 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
2014-10-24 06:06:03 RV110W authpriv.info pluto[672]: "apexCB" #8: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x273f53fd <0x3dea0704 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message 
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | pluto: pfkey fd is 12  
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message 
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | pluto: pfkey fd is 12  
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message 
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | pluto: pfkey fd is 12  
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message 
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | pluto: pfkey fd is 12  
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message 
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | pluto: pfkey fd is 12  
2014-10-24 06:14:02 RV110W authpriv.debug pluto[672]: ERROR: asynchronous network error report on vlan2 (sport=500) for message to 194.228.36.138 port 500, complainant 10.0.0.43: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)] 
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: DPD: No response from peer - declaring peer dead
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: stop-client output: Run command qkvpn_rekey -o 1 -n apexCB -p 194.228.36.138 -r 194.228.36.138
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: stop-client output: /usr/local/lib/ipsec/_updown.netkey: eval: line 1: rekey_option:1: not found
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: stop-client command exited with status 127
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: DPD: Clearing Connection
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #8: deleting state (STATE_QUICK_I2)
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: deleting state (STATE_MAIN_I4)
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: ERROR: asynchronous network error report on vlan2 (sport=500) for message to 194.228.36.138 port 500, complainant 10.0.0.138: Network is unreachable [errno 128, origin ICMP type 3 code 0 (not authenticated)] 
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: ERROR: asynchronous network error report on vlan2 (sport=500) for message to 194.228.36.138 port 500, complainant 10.0.0.138: Network is unreachable [errno 128, origin ICMP type 3 code 0 (not authenticated)] 

Please can you give me a hint what can be wrong and a tip for debugging? I have a similar configuration on an older WRV210 which works great and stable, but it's not available on the market anymore.

 

Here is some of the ASA configuration:

tunnel-group DefaultL2LGroup general-attributes
 default-group-policy Dynamic
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 match address outside_cryptomap_65535.1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-3DES-SHA ESP-AES-256-MD5 ESP-AES-256-SHA ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set security-association lifetime kilobytes 4608000

 

access-list outside_cryptomap_65535.1 extended permit ip 192.168.0.0 255.255.0.0 172.16.28.0 255.255.255.0

Thanks for the help ;)
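As an added troubleshooting aid (my own example, not code from the post, from Cisco, or from the pluto/Openswan project): a small parser for the RV110W's pluto syslog lines in the format shown above. It pulls out when the ISAKMP and IPsec SAs came up, when DPD declared the peer dead, and any "asynchronous network error report" lines in between, then separates the two very different causes those logs can point at: an ICMP unreachable from a hop on the WAN path before the DPD timeout (a routing or connectivity loss, which is what the post's log shows) versus a silent DPD timeout with no ICMP errors (more often a keepalive or NAT issue). It also flags the negotiated 3DES/MD5/modp1024 parameters, which are deprecated, as a hardening note. The sample lines are constructed to match the post's format and are not a verbatim copy; the keyword matches assume the message texts seen in the post.

```python
import re
from datetime import datetime

# Constructed sample lines (not a verbatim copy of the post), modelled on the
# pluto syslog format the RV110W emits: connection "apexCB", peer 194.228.36.138.
SAMPLE_LOG = """\
2014-10-24 06:06:02 RV110W authpriv.debug pluto[672]: "apexCB" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: "apexCB" #8: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x273f53fd <0x3dea0704 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
2014-10-24 06:06:03 RV110W authpriv.debug pluto[672]: | *received pfkey message
2014-10-24 06:14:02 RV110W authpriv.debug pluto[672]: ERROR: asynchronous network error report on vlan2 (sport=500) for message to 194.228.36.138 port 500, complainant 10.0.0.43: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #7: DPD: No response from peer - declaring peer dead
2014-10-24 06:14:08 RV110W authpriv.debug pluto[672]: "apexCB" #8: deleting state (STATE_QUICK_I2)
"""

# "<timestamp> <host> <facility.level> pluto[<pid>]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ pluto\[\d+\]: (?P<msg>.*)$')
# Messages tied to a connection carry '"<conn>" #<state-number>: ' first.
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
# pluto's report of an ICMP error returned for an IKE packet it sent.
ICMP_RE = re.compile(
    r'for message to (?P<peer>\S+) port \d+, complainant (?P<from>\S+): '
    r'(?P<reason>.*?) \[errno \d+, origin ICMP type (?P<type>\d+) code (?P<code>\d+)')
SA_PARAMS_RE = re.compile(r'\{(?P<params>[^}]*)\}')

# Deprecated algorithms to flag when they show up in an established SA.
WEAK_ALGS = ("3des", "md5", "modp1024")


def parse_line(line):
    """Split one pluto syslog line into timestamp, connection, state number and text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
           "conn": None, "sa": None, "text": m["msg"]}
    c = CONN_RE.match(m["msg"])
    if c:
        rec.update(conn=c["conn"], sa=int(c["sa"]), text=c["text"])
    return rec


def analyze(log_text):
    """Build a timeline of the tunnel and explain why it went down."""
    ev = {"isakmp_up": None, "ipsec_up": None, "dpd_dead": None, "lifetime_s": None,
          "icmp_errors": [], "weak_algs": set(), "findings": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        text = rec["text"]
        if "ISAKMP SA established" in text:
            ev["isakmp_up"] = ev["isakmp_up"] or rec["ts"]   # keep the first occurrence
        elif "IPsec SA established" in text:
            ev["ipsec_up"] = ev["ipsec_up"] or rec["ts"]
        elif "declaring peer dead" in text:
            ev["dpd_dead"] = rec["ts"]
        icmp = ICMP_RE.search(text)
        if icmp:
            ev["icmp_errors"].append({"ts": rec["ts"], "from": icmp["from"], "peer": icmp["peer"],
                                      "reason": icmp["reason"],
                                      "type": int(icmp["type"]), "code": int(icmp["code"])})
        params = SA_PARAMS_RE.search(text)
        if params and "established" in text:
            low = params["params"].lower()
            ev["weak_algs"].update(w for w in WEAK_ALGS if w in low)

    if ev["ipsec_up"] and ev["dpd_dead"]:
        ev["lifetime_s"] = (ev["dpd_dead"] - ev["ipsec_up"]).total_seconds()
    # ICMP type 3 (destination unreachable) seen before DPD gave up means the
    # local WAN path failed; IKE/IPsec policy never entered into it.
    unreachable = [e for e in ev["icmp_errors"]
                   if e["type"] == 3 and (ev["dpd_dead"] is None or e["ts"] <= ev["dpd_dead"])]
    if ev["dpd_dead"] and unreachable:
        hops = ", ".join(sorted({e["from"] for e in unreachable}))
        ev["findings"].append(
            f"ICMP unreachable from {hops} preceded the DPD timeout: the path to the peer "
            f"was lost (routing/WAN problem), not an IKE or IPsec policy mismatch")
    elif ev["dpd_dead"]:
        ev["findings"].append(
            "DPD timeout with no ICMP errors: check the peer's DPD/keepalive settings "
            "and any NAT device between the peers")
    if ev["weak_algs"]:
        ev["findings"].append("negotiated deprecated algorithms: " + ", ".join(sorted(ev["weak_algs"])))
    return ev


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"IPsec SA up at {result['ipsec_up']}, DPD dead at {result['dpd_dead']}, "
          f"lifetime {result['lifetime_s']} s")
    for f in result["findings"]:
        print(" -", f)
```

Run against the post's real log the same way (feed the file contents to `analyze`); the complainant addresses 10.0.0.43 and 10.0.0.138 in the post are the hops on the RV110W's WAN side that reported the unreachable, which is where to look first.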
