5585 ASA Dropping UDP 500 ISAKMP

We have 2 data center locations.  We are attempting to connect them together using 2 ASAs.

Data Center 1 - ASA 5520 8.0(4)

Data Center 2 - ASA 5585-10 8.4(3)

DC 1 ASA 5520

INSIDE - Security 100

OUTSIDE - Security 0

MIGRATION - Security 50

DC 2 ASA 5585-10

Edge_Inside - Security 100

Edge_Outside - Security 0

The OUTSIDE interface of the 5585-10 is using a private network (connection to our corporate Internet routers, not advertised to the Internet), so we have to use the INSIDE interface to build VPN tunnels (our public network). (Note: NAT is not an option on the corporate routers.)

We are attempting to build a standard L2L IPsec VPN tunnel from the DC1 5520 MIGRATION interface to the DC2 5585-10 INSIDE interface.

You see IKE fire up on the 5520 and then it goes into MSG WAIT 2, waiting for a reply from the 5585. However, on the 5585 side we see no IKE engagement. "show cry isa" output shows no IKEv1 packets arriving at all, in or out. Packet captures show UDP 500 entering the firewall from the 5520 with the correct source and destination, but no response packets from the 5585.

Here are the syslogs from the 5585-10 when I start interesting traffic from the 5520 DC1 side (public IPs changed to private in the syslog, FYI):

Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110

Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500)

Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296

Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00

I know this is not conventional; however, I don't see why this shouldn't work. The crypto map is applied to the Edge_Inside interface.

Any ideas?
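As an added example (not code from the post or from Cisco), here is a small Python parser for the ASA syslog format quoted above. It pairs each inbound UDP/500 "Built"/"Teardown" connection that terminates on the ASA itself ("identity") and reports which interface the ISAKMP packet entered on, compared against the interface the crypto map is expected on. The sample lines are constructed from the excerpt in the post; the interface name Edge_Inside is the one the poster says carries the crypto map.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the syslog excerpt in the post
# (addresses are the poster's already-anonymised ones).
SAMPLE_LOG = """\
Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110
Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500)
Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296
Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00
"""

# "Built inbound UDP connection <id> for <ifc>:<src>/<sport> (...) to <dst_ifc>:<dst>/<dport> (...)"
BUILT_RE = re.compile(
    r"Built inbound UDP connection (?P<cid>\d+) for "
    r"(?P<ifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) to "
    r"(?P<dst_ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# "Teardown UDP connection <id> ... duration h:mm:ss bytes <n>"
TEARDOWN_RE = re.compile(
    r"Teardown UDP connection (?P<cid>\d+) .* duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)"
)

@dataclass
class IsakmpAttempt:
    conn_id: str
    ingress_ifc: str   # interface the IKE packet entered on
    peer: str          # remote IKE peer address
    local: str         # ASA address the peer targeted
    duration: str
    byte_count: int

def parse_isakmp_attempts(log: str) -> List[IsakmpAttempt]:
    """Pair Built/Teardown lines for UDP/500 flows that terminate on the ASA ('identity')."""
    pending: Dict[str, re.Match] = {}
    attempts: List[IsakmpAttempt] = []
    for line in log.splitlines():
        _, _, msg = line.partition("|")          # strip the timestamp prefix
        b = BUILT_RE.search(msg)
        if b and b["dport"] == "500" and b["dst_ifc"] == "identity":
            pending[b["cid"]] = b
            continue
        t = TEARDOWN_RE.search(msg)
        if t and t["cid"] in pending:
            b = pending.pop(t["cid"])
            attempts.append(IsakmpAttempt(t["cid"], b["ifc"], b["src"], b["dst"],
                                          t["dur"], int(t["bytes"])))
    return attempts

def check_ingress(attempts: List[IsakmpAttempt], crypto_map_ifc: str) -> List[str]:
    """Report IKE attempts that entered on an interface other than the crypto-map interface."""
    return [f"conn {a.conn_id}: ISAKMP from {a.peer} entered on {a.ingress_ifc}, "
            f"crypto map is on {crypto_map_ifc} ({a.byte_count} bytes, duration {a.duration})"
            for a in attempts if a.ingress_ifc != crypto_map_ifc]
```

Running `check_ingress(parse_isakmp_attempts(SAMPLE_LOG), "Edge_Inside")` on the sample yields one finding, since the quoted connection was built on Edge_Outside.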
