Cisco Support Community
New Member

1841 - ASA 5520 VPN

I have set up a site to site VPN between a Cisco 1841 ISR and a Cisco ASA 5520, all appears to be working however I have a couple of questions.

1. I have to explicitly allow all VPN traffic in the ACL on the outside interface of the 1841; is there a router equivalent of "sysopt connection permit-vpn"?

2. Although the VPN comes up and passes traffic, I occasionally see the following:

*Jun 22 14:11:52.883: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.1

ACCEPTED SOLUTION

Cisco Employee

Re: 1841 - ASA 5520 VPN

Can you share the full outputs? Both sides at the same time?

Bottom line I don't think it's normal in 12.4 mainline IOS unless packets are leaking out in clear ;/

8 REPLIES
Cisco Employee

Re: 1841 - ASA 5520 VPN

Ad 1.

The "outside" interface on the router (I assume we're talking about the one with the crypto map applied) will only see encrypted packets or IKE (ESP, UDP/4500 and UDP/500). Unless you're running A VERY old IOS version.

Ad 2.

Multiple possibilities. Quick Mode is the Phase 2 negotiation. Would need to debug and see the configs.

Marcin

New Member

Re: 1841 - ASA 5520 VPN

I am finding the outside ACL has to include the encryption domain traffic as well. I have to permit ICMP etc.; if not, it fails.

Cisco Employee

Re: 1841 - ASA 5520 VPN

What is the version of IOS you're using?

Show me the outputs of:

"show ver"

"show crypto map"

"show run interface NAME NUMBER" for interfaces facing LAN and WAN.

New Member

Re: 1841 - ASA 5520 VPN

Version: (C1841-ADVSECURITYK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

+++++++++++++++++++

ROUTER#sh crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 1.1.1.1
        Extended IP access list VPN2OFFICE
            access-list VPN2OFFICE permit ip 10.71.0.0 0.0.3.255 any
        Current peer: 1.1.1.1
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0

+++++++++++++++++++++++++++++++++++++

!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip access-group outside_in in
duplex auto
speed auto
crypto map MYMAP
end

+++++++++++++++++++++++++++++++++++++

interface FastEthernet0/1
description inside
ip address 10.71.3.225 255.255.252.0
duplex auto
speed auto
end

Cisco Employee

Re: 1841 - ASA 5520 VPN

That's odd.

And you're saying that if you ping from other side to 10.71.3.225 traffic gets denied by ACL?


Are you sure it's entering the tunnel in the first place?

"show crypto ipsec sa" on both sides will show you.

Maybe phase 2 does not establish?

Marcin

edit:

Command syntax.

New Member

Re: 1841 - ASA 5520 VPN

That is correct.  If I do "sh crypto ipsec sa" I see packets being encrypted/decrypted

New Member

Re: 1841 - ASA 5520 VPN

Found the issue. I had not permitted ESP in the ACL; all now working. Thanks for all your help.

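The thread never shows the outside_in ACL itself, so the following is an added illustration (not the poster's configuration) of the inbound filter on FastEthernet0/0 before and after the fix described above. The peer (1.1.1.1) and interface (1.1.1.2) addresses are the ones quoted in the thread; the ACL contents and the trailing deny line are assumed.

```cisco
! Assumed shape of the original outside_in ACL: IKE is permitted, ESP is not.
! Phase 1 and Phase 2 negotiate over UDP/500 and UDP/4500, but the peer's
! ESP packets are dropped by the inbound ACL, matching the thread's symptoms.
ip access-list extended outside_in
 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp
 permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp
 deny   ip any any log
!
! Corrected ACL: add ESP from the VPN peer. Per the reply above, on 12.4
! mainline the interface ACL only evaluates the encrypted/IKE packets, so
! the tunnel protocols are what needs to be listed here; the encryption
! domain (10.71.0.0/22) does not need its own inbound permit entries.
ip access-list extended outside_in
 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp
 permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp
 permit esp host 1.1.1.1 host 1.1.1.2
 deny   ip any any log
```

After applying it, "show access-list outside_in" should show the permit esp entry's match counter climbing while traffic crosses the tunnel, and "show crypto ipsec sa" (as used in the thread) should show both encaps and decaps counters increasing on both peers.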