Cisco Support Community
New Member

5505 and 5510 l2l vpn tunnel not up

Hi Experts!

Having a funny issue I'm experiencing, just thinking to myself what I could be doing wrong. I have 2 ASAs with software code 8.4.5 running on both of them. ASA1 is a 5510 that I have two active VPN connections on: an L2L with another ASA 5505, and Remote VPN for remote users. See attached the topology.

Now I am trying to introduce another ASA to do a site-to-site VPN connection on it. Call it ASA3, since I have an already established L2L VPN configuration on ASA2.

See the config for ASA1 & 2 l2l VPN that's working:

object network Creek_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static Creek_net Creek_net  destination static river_net river_net



object network river_net
subnet 192.168.200.192 255.255.255.224
object network creek_net
subnet 10.10.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 80.248.11.15
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

Above is the working VPN configuration that is perfectly fine! No issue whatsoever.

===============================================================================================================

Then I tried introducing ASA3 for a branch office with the configuration below.

ASA3

object network dallas_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key mouserace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static dallas_net dallas_net  destination static river_net river_net

ASA1

object network river_net
subnet 192.168.200.192 255.255.255.224
object network dallas_net
subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 13.13.13.13 type ipsec-l2l
tunnel-group 13.13.13.13 ipsec-attributes
pre-shared-key mousrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net  destination static dallas_net dallas_net

I would appreciate someone pointing out my mistake. 

Thanks

Teddy

24 REPLIES
New Member

Re: 5505 and 5510 l2l vpn tunnel not up

Hi,

You must correct the subnet in the object "network dallas_net" and in the access list.

From 10.10.0.0 to 10.10.4.0.

Your current configuration:

ASA3

object network dallas_net

subnet 10.10.0.0 255.255.255.0

access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224

ASA1

object network dallas_net

subnet 10.10.4.0 255.255.255.0

access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0

________________

Best regards,
MB

New Member

5505 and 5510 l2l vpn tunnel not up

Hi MB,

Thanks for responding! Thanks for pointing that out. I noticed it later and fixed it, I mean the ACL! Still no joy at all! Very annoying!

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

You say that both of the ASAs are running 8.4(5), yet to me it seems the VPN configuration commands are in the older format?

For example, "crypto isakmp policy x" in the newer software has changed to "crypto ikev1 policy x" etc.

Or are you just mistaken about the software level? I think they were still in the old format in 8.3.

- Jouni

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Also,

The PSK on the other ASA is missing the letter "e".

- Jouni

5505 and 5510 l2l vpn tunnel not up

Hi, Teddi.

Look more closely at your pre-shared keys. They seem to be a little different)). Plus, if still no joy, enable debug for crypto isakmp/ipsec on ASA3 and see what's going on there.

New Member

5505 and 5510 l2l vpn tunnel not up

Hi Andrew and Jouni,

@ Andrew, thanks for your response! Well, the truth is that's not what I have in the main config! I changed the real thing to what you see here!

@ Jouni, I get what you mean. Even so, the ASA automagically puts the ikev1 command in there! After configuring it I did "sh run crypto ikev1":

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Thanks

Teddy

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

Next you should probably take the output of a "packet-tracer" command to confirm which rules are hit on the ASA1

packet-tracer input inside tcp 192.168.200.193 12345 10.10.4.100 80

The above are just random IP addresses and ports

Issue the command twice, as even if the L2L VPN was itself configured correctly it would take 2 commands to first get it up and then pass the "packet-tracer" normally.

Right after issuing this command check

show crypto ikev1 sa

Or have some host generate a constant ICMP Echo to the remote net and then issue the above command several times and check the output. With this we should be able to determine if the Phase1 negotiation is fine.

- Jouni

New Member

5505 and 5510 l2l vpn tunnel not up

Jouni!

Thanks, I will look into that! But if you don't mind me asking you a question please: do you think that on ASA1, because I have an existing working L2L VPN connection, when adding the new ASA3 static NAT statement I should increase the number? See what I mean below.

ASA1 to ASA2 vpn working

nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

then for ASA 1 to ASA 3 I should make it something like this

nat (inside,outside) 2 source static river_net river_net  destination static dallas_net dallas_net

What do you suggest I do: keep all the NAT statements at 1, or increase it?

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

The numbering/ordering in the "nat" configurations works the same as with ACLs.

If you have an existing "nat" statement at the very top of the rules and you insert another with the number 1, then it will simply move the previous number 1 rule one step down.

In this case, with L2L VPN NAT0 / NAT Exempt type configurations, the ordering doesn't really matter between these 2 rules as they have no overlap because of the different destination network.

What I see here on the CSC every now and then is people experiencing problems with NAT rules when they reuse the same "object network" or "object-group network" in the "nat" configurations.

If we can't find a clear reason for this problem I would suggest that you try configuring a new "object network" or "object-group network" to define the local network for this new L2L VPN connection, use that in the "nat" configuration and try again.

If this doesn't help it might be an idea to reload the firewall (of course saving configurations before that).

But for now we should first determine what is happening to the connection attempts and VPN negotiation.

- Jouni

New Member

5505 and 5510 l2l vpn tunnel not up

See the output of packet-tracer from ASA1:

packet-tracer input inside icmp 192.168.200.196 0 8 10.10.4.202

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.4.202/0 to 10.10.4.202/0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net
Additional Information:
Static translate 192.168.200.196/0 to 192.168.200.196/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The same on ASA3 too

sh crypto ikev1 sa

1   IKE Peer: 12.12.12.12 (this is for ASA2, which I mentioned was up and running)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 13.13.13.13
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

I am doing further troubleshooting now! Before, I wasn't able to establish this at all!! I know I am one step closer! I wouldn't mind your two cents as to how I can best resolve this.

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

I don't know why people always change the provided commands. The tested ICMP message doesn't correspond to ICMP Echo anymore, as you mixed up the Type and Code fields. But I guess it doesn't matter in this case.

It would seem to me that the negotiation fails when the peers check the PSK / Pre-shared-key.

So please reconfigure the PSK with matching PSK and test again.

- Jouni

New Member

5505 and 5510 l2l vpn tunnel not up

Jouni,

Hehehehe ok, kindly tell me the code and type for ICMP in such a scenario, if you don't mind please.

I have also changed the pre-shared key to something much simpler, but here's the thing: the ASA gave me MM_WAIT_MSG5 before the PSK change, after that it gives me MM_WAIT_MSG4, while on the other hand ASA3 changes, see below.

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 13.13.13.13
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 13.13.13.13
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 13.13.13.13
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

All these happened within 3 minutes.

Teddy

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

I guess there is always a chance that you got a state of negotiation from a point that was not the one where the negotiation failed.

MM_ACTIVE would seem to point out that the Phase1 is fine.

It might be something wrong with Phase2 configurations.

Can you share the output of

show run crypto map

From the ASA1 and ASA3

And the related output of the ACLs, transform-set and NAT configurations currently active on the devices.

- Jouni

New Member

5505 and 5510 l2l vpn tunnel not up

Here it is, I also changed the

ASA1

sh run crypto map

crypto map outside_map 12 match address saka2edo
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set ikev1 transform-set ESP-AES-MD5
crypto map outside_map interface outside

sh run access-list

access-list saka2edo extended permit ip 192.168.200.192 255.255.255.224 10.10.4.0 255.255.255.0

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

sh nat

1 (inside) to (outside) source static river_net river_net   destination static dallas_net dallas_net
    translate_hits = 3, untranslate_hits = 3
2 (inside) to (outside) source static SERVER_SUBNET SERVER_SUBNET   destination static EZVPN_SUBNET EZVPN_SUBNET
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static river_net river_net destination static Creek_net Creek_net
    translate_hits = 45080, untranslate_hits = 45080 (this is for ASA2)

ASA3

sh run crypto map

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set ikev1 transform-set ESP-AES-MD5
crypto map outside_map interface outside

sh run access-list

access-list outside_1_cryptomap extended permit ip 10.10.4.0 255.255.255.0 192.168.200.192 255.255.255.224

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

sh nat

1 (inside) to (outside) source static dallas_net dallas_net   destination static river_net river_net
    translate_hits = 1137, untranslate_hits = 1137

There you have them.

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi,

Would seem that they match.

I am not sure why the other one shows so many translate/untranslate hits.

Have you monitored the VPN negotiation through ASDM to see if there are any clear indications where the negotiation fails?

Can you take some additional outputs while generating traffic for the L2L VPN:

show crypto ikev1 sa detail

This should give more information on which policy was chosen.

Did you issue the "packet-tracer" command twice? As I said, the first one always fails if the tunnel isn't up during the test.

What are you using to test the connectivity? ICMP?

I think we might need to see the device configurations if there is no clear reason found for this problem.

- Jouni

New Member

5505 and 5510 l2l vpn tunnel not up

Hey Jouni!

Ok, I replied to the other post without looking at mine to see you'd said something. Sadly, for ASA3 I can't use ASDM; the link is too slow to initiate the ASDM connection. I decided to take screenshots just for you to see the different modes this gets into! I feel there's something flapping in the link, I can't tell; I get all the state modes you can think of within a 1-2 minute interval. To your point, the device configuration might add to it!

Yes, I did use packet-tracer, this time not ICMP but TCP because I have a Cisco 2960 switch behind ASA3.

packet-tracer input inside tcp 192.168.200.196 22 10.10.4.253 22

That's why I said I might need to contact TAC to see if they could help me resolve this!! Before then I want to configure a remote VPN on ASA3 to get into the switch and check the configs, making sure it has the ASA as its default gateway! I have done this before: after troubleshooting, what finally resolved the problem was just configuring the ip default-gateway for the switch to the ASA and my connection came through! So that's the last resort for me before I go ahead and do this with TAC.

Thanks all the same... I still look forward to your thoughts on the snapshot.

Teddy

Cisco Employee

5505 and 5510 l2l vpn tunnel not up

Hi Teddy,

I think I'm a little bit "fresh" with your situation, but from your output it seems that you have established Phase 1 with ASA3. What about Phase 2?

New Member

5505 and 5510 l2l vpn tunnel not up

Hi Artem!

For me, I think the issue is with routing! Why do I think so? Ok, here's what I did! I configured RA VPN on ASA3; see attached the following show command outputs plus the topology of the network too! I would appreciate a candid view.

If you notice, on the client side packets encrypt and don't decrypt; on ASA3 it decrypts and doesn't encrypt. So what do you make of that? It's a fairly straightforward topology; as you can see there are not many hops in the network. ASA3 is the default gateway for the network.

Thanks

Teddy

Cisco Employee

5505 and 5510 l2l vpn tunnel not up

Hello Teddy,

Can you make a capture on the inside interface with interesting traffic? If you see that traffic is hitting the inside interface of the ASA, it will prove that there is no problem with routing...

And from your output, it seems that traffic is:

1. Not hitting the interface

2. The ASA doesn't encrypt.

Let's investigate routing first, since we need to be sure that the ASA receives this traffic.

Thank you.

New Member

Re: 5505 and 5510 l2l vpn tunnel not up

Hi All!

I have figured out what the problem is with the L2L VPN! BANDWIDTH, yes, the monster bandwidth. Fact is I was configuring both VPNs remotely, and the site where ASA3 is located had a bandwidth problem... in the daytime I couldn't achieve this, so while it was night time at the site I was able to establish the tunnel.

Funny right?! This is my very first time configuring VPN with bandwidth related issues!  So it was the bandwidth that was triggering the connections to come on and off! A day ago! Also the bandwidth problem has been taken care of by the customer too! I pointed that out to them. 

I have learnt a vital lesson from this! Thanks to everyone who contributed in one way or the other! I do appreciate you all, best forum ever.

Have a good one people.

Teddy

Cisco Employee

Re: 5505 and 5510 l2l vpn tunnel not up

Hey Teddy,

Nice to hear that you were able to solve this problem. =)

And thank you for raising that discussion here. I think it was helpful for all of us.

Cheers,

Artem.

New Member

5505 and 5510 l2l vpn tunnel not up

Jouni & Artem!

Thanks guys for your support! Glad it's all working fine now! We all learn from the forum so yes it's expected to give back!

Have a good one guys!

Teddy

Super Bronze

5505 and 5510 l2l vpn tunnel not up

Hi Teddy,

As with many problems related to ASAs, it might sometimes be easier to go through the situation if we saw the device configurations. While we did see the VPN configurations, there are still some things in the ASA configurations that can cause problems.

At your ASA3 site it would seem that there can't be that many things that could prevent the traffic from being forwarded to the ASA. Actually probably only one thing, and that is an incorrect default gateway. But I would imagine that this is not the case here, since no one at the ASA3 site would be able to use the Internet then.

So is it possible to see the actual configurations. Maybe even just the ASA3 configurations for starters?

- Jouni

New Member

Re: 5505 and 5510 l2l vpn tunnel not up

Ok, after a day of the tunnel being up, next I got a call that they can't ping across the tunnel! Data wasn't going via the tunnel at all! I wasn't getting the MM_ACTIVE shown in my screenshot above! The tunnel kept going from MM_ACTIVE to MM_WAIT_MSG2 - 6; basically the tunnel was dropping. I had to debug crypto isakmp to see the messages below.

Jul 20 12:39:52 [IKEv1]Group = 13.13.13.13, IP =13.13.13.13, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.10.4.0 dst:192.168.200.192

Jul 20 12:39:52 [IKEv1]Group =13.13.13.13, IP = 13.13.13.13, IKE Remote Peer configured for crypto map: BUAGROUP_MAP

Jul 20 12:39:52 [IKEv1 DEBUG]Group =13.13.13.13, IP = 13.13.13.13, processing IPSec SA payload

Jul 20 12:39:52 [IKEv1]Group = 13.13.13.13, IP = 13.13.13.13, All IPSec SA proposals found unacceptable!

I did troubleshooting till the last breath! I just didn't figure it out! After a while I had to take a timeout to look at my

crypto map [crypto map name] placement on ASA1!

Only to find out that the crypto maps I had configured on ASA1 were the problem. I had 3 crypto maps placed like this:

crypto map outside_map 1 set pfs group1 (this is for the first l2l to ASA2 that's working perfectly.)

crypto map outside_map 7 ipsec-isakmp dynamic our_map ( for RA VPN on ASA1 also working perfectly too!)

crypto map outside_map 10 set pfs group1 (for l2l vpn to ASA3 that keep changing modes)

It never crossed my mind that crypto maps act like ACLs! How you place them determines how the ASA negotiates your tunnels. To fix this I had to bring the crypto map for ASA3 above the dynamic crypto map for the RA VPN, with crypto map number 2. That finally sorted out my problem.

A hard lesson there to learn but it was worth the troubleshooting.

Cheers everyone

Teddy.
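Every mistake this thread turns up (an object subnet that disagrees with the crypto ACL, a pre-shared key typed differently on each side, and a static crypto map entry sequenced after the dynamic remote-access entry) is visible in the configuration before a single packet is sent. The script below is an added example, not Cisco code and not anything posted in the thread: it parses only the line forms shown above, loads cut-down copies of the ASA3 and ASA1 snippets from the original post plus the dynamic crypto map line from the last reply, and reports each inconsistency. The outside addresses 13.13.13.13 for ASA3 and 11.11.11.11 for ASA1 are taken from the tunnel-group names; the helper names `parse_asa`, `crypto_acl_for` and `check_pair` are this example's own.

```python
# Added example (not Cisco code): parse the config line forms shown in this thread
# and apply the checks the replies end up doing by hand.
import re
from ipaddress import ip_network


def parse_asa(text):
    """Collect object subnets, crypto ACL pairs, pre-shared keys and crypto map entries."""
    cfg = {"objects": {}, "acls": {}, "psk": {}, "cmap": {}}
    cur_obj = cur_tg = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            cur_obj, cur_tg = m[1], None
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            if cur_obj:
                cfg["objects"][cur_obj] = ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            pair = (ip_network(f"{m[2]}/{m[3]}"), ip_network(f"{m[4]}/{m[5]}"))
            cfg["acls"].setdefault(m[1], []).append(pair)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            cur_tg, cur_obj = m[1], None
        elif m := re.match(r"pre-shared-key (\S+)$", line):
            if cur_tg:
                cfg["psk"][cur_tg] = m[1]
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entry = cfg["cmap"].setdefault(m[1], {}).setdefault(int(m[2]), {})
            if r := re.match(r"ipsec-isakmp dynamic (\S+)", m[3]):
                entry["dynamic"] = r[1]   # dynamic entry used by remote-access clients
            elif r := re.match(r"match address (\S+)", m[3]):
                entry["acl"] = r[1]       # crypto ACL: the proxy IDs offered in Phase 2
            elif r := re.match(r"set peer (\S+)", m[3]):
                entry["peer"] = r[1]
    return cfg


def crypto_acl_for(cfg, peer):
    """Crypto ACL pairs of the static crypto map entry that points at peer."""
    for entries in cfg["cmap"].values():
        for e in entries.values():
            if e.get("peer") == peer and "acl" in e:
                return cfg["acls"].get(e["acl"], [])
    return []


def check_pair(local, local_ip, remote, remote_ip):
    """Findings for the tunnel between local (outside IP local_ip) and remote (remote_ip)."""
    findings = []
    # Phase 1: both tunnel-groups must carry the same pre-shared key
    lp, rp = local["psk"].get(remote_ip), remote["psk"].get(local_ip)
    if lp != rp:
        findings.append(f"psk mismatch: local {lp!r} vs remote {rp!r}")
    # Phase 2: the two crypto ACLs must be exact mirror images (proxy IDs)
    mirrored = {(d, s) for s, d in crypto_acl_for(remote, local_ip)}
    for s, d in crypto_acl_for(local, remote_ip):
        if (s, d) not in mirrored:
            findings.append(f"acl not mirrored: local {s} -> {d} has no remote {d} -> {s}")
    # Same-named objects must describe the same subnet on both boxes
    for name in local["objects"].keys() & remote["objects"].keys():
        if local["objects"][name] != remote["objects"][name]:
            findings.append(f"object {name}: local {local['objects'][name]} vs remote {remote['objects'][name]}")
    for cfg, side in ((local, "local"), (remote, "remote")):
        # Every subnet named in a crypto ACL should be one of the box's own objects
        nets = set(cfg["objects"].values())
        for net in {n for entries in cfg["acls"].values() for pair in entries for n in pair}:
            if net not in nets:
                findings.append(f"{side}: acl network {net} is not defined by any object network")
        # A static L2L entry sequenced after the dynamic entry is evaluated after it
        for name, entries in cfg["cmap"].items():
            dyn = [seq for seq, e in entries.items() if "dynamic" in e]
            for seq, e in entries.items():
                if "peer" in e and dyn and seq > min(dyn):
                    findings.append(f"{side}: crypto map {name} {seq} (peer {e['peer']}) sits below dynamic entry {min(dyn)}")
    return findings


# Constructed samples: only the lines the checks read, with the values as posted in the thread
ASA3_CFG = """\
object network dallas_net
 subnet 10.10.0.0 255.255.255.0
object network river_net
 subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key mouserace1!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 11.11.11.11
"""
ASA1_CFG = """\
object network river_net
 subnet 192.168.200.192 255.255.255.224
object network dallas_net
 subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 13.13.13.13 ipsec-attributes
 pre-shared-key mousrace1!
crypto map outside_map 7 ipsec-isakmp dynamic our_map
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set peer 13.13.13.13
"""


def audit_thread_configs():
    """Run the checks on the posted configs (ASA3 is 13.13.13.13, ASA1 is 11.11.11.11)."""
    return check_pair(parse_asa(ASA3_CFG), "13.13.13.13", parse_asa(ASA1_CFG), "11.11.11.11")


if __name__ == "__main__":
    print("\n".join(audit_thread_configs()) or "no findings")
```

Run as-is it lists four findings: the PSK typo, the dallas_net object defined as 10.10.0.0/24 on one box and 10.10.4.0/24 on the other, ASA1's crypto ACL naming a subnet no object on ASA1 describes, and ASA1's static entry 12 sequenced after the dynamic entry 7. The mirror-image ACL check passes for these snippets because the original post's mismatch was in the object, not in the ACL text; the sequence check encodes the lesson of the last reply, that the static L2L entry has to sit above the dynamic one.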
