ASA to Nortel l2l issue

David Schau
Level 1

New ASA running 8.0(5) installed and recently put into service.  Using l2l connections from existing Nortel VPN router 1010 as well as some other Nortel VPN SOHO devices.

The connections are mostly working except for an intermittent issue with the tunnel to the 1010.  I am trying to gather details but it seems to be in either the IKE or IPSEC timers.  I am still collecting data about when/what to get an idea what the root issue is.  Any suggestions on debugs I should run and send to a syslog to help?  The Nortel reports in its log that after the sessions are set up, 30 secs later the ASA sends a delete message.

I would like to see if the ASA debug might help with fixing this. But I am not sure what debugs to enable safely.

I have just today made sure IKE and IPSEC timers match and set up NTP so there are no clock drift issues contributing.   Any ideas or suggestions would be greatly appreciated.

Nortel Log messages:

>>>>>>>>  04:34:05 0 tIsakmp [03] Delete message for IPsec SA received from XXX.YYY.163.93  <<<<<<<

01/20/2010 04:33:35 0 tIpsecDecap [16] ESP decap session SPI 0x6d2bea94 bound to s/w on cpu 0

01/20/2010 04:33:35 0 tIpsecDecap [16] ESP encap session SPI 0xfd3b9403 bound to s/w on cpu 0

01/20/2010 04:33:35 0 Security [15] Session: IPSEC[-]:282344 physical addresses: remote XXX.YYY.163.93 local AAA.BBB.206.78

01/20/2010 04:33:35 0 Security [15] Session: IPSEC[XXX.YYY.163.93]:282342 physical addresses: remote XXX.YYY.163.93 local AAA.BBB.206.78

01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] logged in from gateway [XXX.YYY.163.93]

01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] attempting login

01/20/2010 04:33:35 0 Syslog [24] Failed Login Attempt: Username=XXX.YYY.163.93: Date/Time=01/20/2010 04:33:35

01/20/2010 04:33:35 0 Security [16] Session: IPSEC[XXX.YYY.163.93] attempting login

01/20/2010 04:33:35 0 Branch Office [06] IPSEC branch office connection initiated to rem[172.16.1.0-255.255.255.0]@[XXX.YYY.163.93] loc[192.168.0.0-255.255.248.0]

01/20/2010 04:33:11 0 tIsakmp [05] Deleting ISAKMP SA with XXX.YYY.163.93

01/20/2010 04:33:11 0 Security [15] Session 2e30908: IPSEC[XXX.YYY.163.93]:282186 logged out

01/20/2010 04:33:11 0 Security [15] Session 2e35090: IPSEC[-]:282311 logged out

01/20/2010 04:33:11 0 tIsakmp [05] Delete message for ISAKMP SA received from XXX.YYY.163.93

01/20/2010 04:32:33 0 tIsakmp [05] ISAKMP SA established with XXX.YYY.163.93

01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 authorized

01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 Applying group filter permit all

01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 Building group filter permit all

01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 bound to group /Base/DCN/DCN Data Ctr

01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 authenticated using LOCAL

01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 attempting authentication using LOCAL

01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 SHARED-SECRET authenticate attempt...

01/20/2010 04:32:32 0 tIsakmp [05] Oakley Main Mode proposal accepted from XXX.YYY.163.93

01/20/2010 04:32:32 0 Security [16] Session: IPSEC[XXX.YYY.163.93] attempting login

6 Replies

Yudong Wu
Level 7

On ASA, you can enable "debug crypto condition" to specify the peer IP which you would like to run debug on.

Then you can use the following debug commands:

debug crypto ipsec

debug crypto isa

Since conditional debug is turned on, you should only see debug output which is related to Nortel 1010.

If the following message is related to the ASA session, I am not sure why it asked for authentication for a user if it is a Lan-2-lan vpn.

Not sure how your implementation is. Is your ASA configured as hardware vpn client? Please provide ASA config as well with debug output.

01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] attempting login

01/20/2010 04:33:35 0 Syslog [24] Failed Login Attempt: Username=XXX.YYY.163.93: Date/Time=01/20/2010 04:33:35

Below are the syslog messages I got this morning for the failed tunnel and also the ASA config.

I am not that familiar with what I should expect to see, so deciphering the output is a bit beyond me.

SYSLOG:

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715077: Pitcher: received key delete msg, spi 0xb0cf882a "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec delete payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing qm hash payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=1c83e8ff) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Active unit receives a centry expired event for remote peer 96.3.206.78. "

"1/21/2010 05:08" 172.16.1.1 Info "Jan 21 2010 05:08:22: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x4774B8FD) between 216.147.163.93 and 96.3.206.78 (user= 96.3.206.78) has been deleted. "

"1/21/2010 05:08" 172.16.1.1 Info "Jan 21 2010 05:08:22: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xBB96F31F) between 216.147.163.93 and 96.3.206.78 (user= 96.3.206.78) has been deleted. "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715077: Pitcher: received key delete msg, spi 0x0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715009: Group = 96.3.206.78, IP = 96.3.206.78, IKE Deleting SA: Remote Proxy 192.168.0.0, Local Proxy 172.16.1.0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713035: Group = 96.3.206.78, IP = 96.3.206.78, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.248.0, Protocol 0, Port 0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713222: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:GrandForks dst:172.16.1.0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713221: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, checking map = outside_map, seq = 2... "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713225: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, map outside_map, seq = 2 is a successful match "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713066: Group = 96.3.206.78, IP = 96.3.206.78, IKE Remote Peer configured for crypto map: outside_map "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing IPSec SA payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, IKE: requesting SPI! "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing hash payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing SA payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing nonce payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713221: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, checking map = outside_map, seq = 1... "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, processing ISA_KE for PFS in phase 2 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715027: Group = 96.3.206.78, IP = 96.3.206.78, IPSec SA Proposal # 2, Transform # 2 acceptable Matches global IPSec SA entry # 2 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.248.0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714003: IP = 96.3.206.78, IKE Responder starting QM: msg id = e9a8b8a1 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=e9a8b8a1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 840 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Transmitting Proxy Id: Remote subnet: 192.168.0.0 Mask 255.255.248.0 Protocol 0 Port 0 Local subnet: 172.16.1.0 mask 255.255.255.0 Protocol 0 Port 0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715001: Group = 96.3.206.78, IP = 96.3.206.78, constructing proxy ID "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing pfs ke payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec nonce payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec SA payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ke payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR_SUBNET ID received--172.16.1.0--255.255.255.0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713034: Group = 96.3.206.78, IP = 96.3.206.78, Received local IP Proxy Subnet data in ID Payload: Address 172.16.1.0, Mask 255.255.255.0, Protocol 0, Port 0 "

"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, oakley constucting quick mode "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IKE delete payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, IKE SA MM:57b742aa terminating: flags 0x01000026, refcnt 0, tuncnt 0 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing qm hash payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=b1fe0b94) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80 "

"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:40: %ASA-5-713904: IP = 96.3.206.78, Received encrypted packet with no matching SA, dropping "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715076: Group = 96.3.206.78, IP = 96.3.206.78, Computing hash for ISAKMP "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds. "

"1/21/2010 05:07" 172.16.1.1 Error "Jan 21 2010 05:07:06: %ASA-3-713122: IP = 96.3.206.78, Keep-alives configured on but peer does not support keep-alives (type = None) "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713121: IP = 96.3.206.78, Keep-alive type for this connection: None "

"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED "

"1/21/2010 05:07" 172.16.1.1 Warning "Jan 21 2010 05:07:06: %ASA-4-713903: Group = 96.3.206.78, IP = 96.3.206.78, Freeing previously allocated memory for authorization-dn-attributes "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR ID received 96.3.206.78 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Connection landed on tunnel_group 96.3.206.78 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing ke payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing NAT-Traversal VID ver 03 payload "

"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A) "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing NAT-Traversal VID ver 02 payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing ISAKMP SA payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing Fragmentation VID + extended capabilities payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 96 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing SA payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing VID payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing nonce payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing Cisco Unity VID payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Generating keys for Initiator... "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Oakley proposal is acceptable "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715048: IP = 96.3.206.78, Send Altiga/Cisco VPN3000/Cisco ASA GW VID "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing xauth V6 VID payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715048: IP = 96.3.206.78, Send IOS VID "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715038: IP = 96.3.206.78, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing hash payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing dpd vid payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 152 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715076: Group = 96.3.206.78, IP = 96.3.206.78, Computing hash for ISAKMP "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing ke payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing ISA_KE payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing nonce payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Connection landed on tunnel_group 96.3.206.78 "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing VID payload "

"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing ID payload "

ASA:

: Saved

:

ASA Version 8.0(5)

!

hostname ciscoasa1

domain-name xport.ca

enable password x3loyGZvrFHA5bzV encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 216.147.163.81 smartclient

name 172.16.1.107 smartclient-in

name 216.147.163.83 Optima

name 172.16.1.114 Optima-in

name 216.147.163.82 staging

name 172.16.1.111 staging-in

name 216.147.163.85 Appsrvr

name 172.16.1.115 Appsrvr-in

name 216.147.163.84 crm

name 172.16.1.110 crm-in

name 216.147.163.87 CBP871-1

name 172.16.1.5 CBP871-1-in

name 216.147.163.88 CBP871-2

name 172.16.1.6 CBP871-2-in

name 216.147.163.86 Alpha

name 172.16.1.101 Alpha-in

name 216.147.163.90 FaxSrvr

name 172.16.1.103 FaxSrvr-in

name 216.147.163.89 imaging

name 172.16.1.102 imaging-in

name 198.70.226.25 CBP871-1-rem

name 66.181.246.114 CBP871-2-rem

name 192.168.30.0 Pembina

name 192.168.0.0 GrandForks

name 192.168.55.0 Marco

name 192.168.50.0 Raymond

name 192.168.44.0 Portal

name 192.168.41.0 Rochester

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 216.147.163.93 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa805-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 172.16.1.120

name-server 172.16.1.121

domain-name xport.ca

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

port-object eq telnet

object-group service DM_INLINE_TCP_2 tcp

port-object eq 3389

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

port-object eq 3389

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

object-group service RDP tcp

port-object eq 3389

object-group service DM_INLINE_TCP_4 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_5 tcp

port-object eq 3389

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_6 tcp

port-object eq 3389

port-object eq www

port-object eq https

object-group service RDP2 tcp

port-object eq 3390

access-list Spectrum_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0

access-list Spectrum_splitTunnelAcl standard permit GrandForks 255.255.248.0

access-list Spectrum_splitTunnelAcl standard permit Pembina 255.255.255.0

access-list Spectrum_splitTunnelAcl standard permit Marco 255.255.255.0

access-list Spectrum_splitTunnelAcl standard permit Raymond 255.255.255.0

access-list Spectrum_splitTunnelAcl standard permit Rochester 255.255.255.0

access-list Spectrum_splitTunnelAcl standard permit Portal 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip any 216.147.163.80 255.255.255.240

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Marco 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Raymond 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 GrandForks 255.255.248.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Pembina 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Portal 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Rochester 255.255.255.0

access-list outside_access_in extended permit tcp any host smartclient object-group DM_INLINE_TCP_3

access-list outside_access_in extended permit tcp any host staging object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any host Optima object-group DM_INLINE_TCP_5

access-list outside_access_in extended permit tcp any host crm object-group DM_INLINE_TCP_6

access-list outside_access_in extended permit tcp any host Appsrvr object-group DM_INLINE_TCP_4

access-list outside_access_in extended permit tcp any host Alpha object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host imaging eq 3389

access-list outside_access_in extended permit tcp any host FaxSrvr eq 3389

access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Pembina 255.255.255.0

access-list outside_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 GrandForks 255.255.248.0

access-list ITS_splitTunnelAcl standard permit any

access-list outside_3_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Marco 255.255.255.0

access-list outside_4_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Raymond 255.255.255.0

access-list outside_5_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Portal 255.255.255.0

access-list outside_6_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Rochester 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 16384

logging trap notifications

logging asdm notifications

logging host inside 172.16.1.33

logging class vpdn trap debugging

logging class vpn trap debugging

logging class vpnc trap debugging

logging class vpnfo trap debugging

mtu inside 1500

mtu outside 1500

ip local pool VPN 172.16.1.31-172.16.1.40 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) smartclient smartclient-in netmask 255.255.255.255

static (inside,outside) staging staging-in netmask 255.255.255.255

static (inside,outside) Optima Optima-in netmask 255.255.255.255

static (inside,outside) crm crm-in netmask 255.255.255.255

static (inside,outside) Appsrvr Appsrvr-in netmask 255.255.255.255

static (inside,outside) Alpha Alpha-in netmask 255.255.255.255

static (inside,outside) FaxSrvr FaxSrvr-in netmask 255.255.255.255

static (inside,outside) imaging imaging-in netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 216.147.163.94 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

reval-period 36000

sq-period 300

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 172.16.1.0 255.255.255.0 inside

snmp-server location Fargo DCN

snmp-server contact Jason Berberich

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto dynamic-map outside_dyn_map 40 set pfs group1

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 66.231.111.192

crypto map outside_map 1 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer 96.3.206.78

crypto map outside_map 2 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map outside_map 2 set security-association lifetime seconds 86399

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set connection-type answer-only

crypto map outside_map 3 set peer 208.84.69.233

crypto map outside_map 3 set transform-set ESP-DES-MD5

crypto map outside_map 3 set nat-t-disable

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer 65.19.230.54

crypto map outside_map 4 set transform-set ESP-DES-MD5

crypto map outside_map 5 match address outside_5_cryptomap

crypto map outside_map 5 set pfs

crypto map outside_map 5 set peer 216.147.161.178

crypto map outside_map 5 set transform-set ESP-DES-MD5

crypto map outside_map 6 match address outside_6_cryptomap

crypto map outside_map 6 set pfs

crypto map outside_map 6 set connection-type answer-only

crypto map outside_map 6 set peer 209.181.191.252

crypto map outside_map 6 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 8

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 9

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 11

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 12

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 13

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

telnet 172.16.1.0 255.255.255.0 inside

telnet timeout 5

ssh 172.16.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 172.16.1.120 172.16.1.121

dhcpd domain xport.ca

!

dhcpd address 172.16.1.11-172.16.1.30 inside

dhcpd dns 172.16.1.120 172.16.1.121 interface inside

dhcpd lease 604800 interface inside

dhcpd domain xport.ca interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 132.163.4.103 source outside prefer

ssl encryption des-sha1 rc4-md5

webvpn

enable outside

svc image disk0:/sslclient-win-1.1.0.154.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

password-storage enable

ip-comp enable

re-xauth enable

pfs enable

ipsec-udp enable

nac-settings value DfltGrpPolicy-nac-framework-create

address-pools value VPN

webvpn

svc keepalive none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

customization value DfltCustomization

group-policy Spectrum internal

group-policy Spectrum attributes

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-lock none

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Spectrum_splitTunnelAcl

group-policy DCN internal

group-policy DCN attributes

vpn-idle-timeout 480

vpn-filter value outside_2_cryptomap

vpn-tunnel-protocol IPSec

group-policy ITS internal

group-policy ITS attributes

dns-server value 172.16.1.120 172.16.1.121

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ITS_splitTunnelAcl

default-domain value xport.ca

username adminspectrum password 3k5V5jGcR0wb5pNa encrypted privilege 15

username adminspectrum attributes

vpn-group-policy Spectrum

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username howood password lPTuyzSHBoFXs8Ur encrypted privilege 15

username howood attributes

vpn-group-policy ITS

username jberberich password pEOwroN.s0RzypOT encrypted privilege 15

username jberberich attributes

vpn-group-policy ITS

tunnel-group DefaultRAGroup general-attributes

address-pool VPN

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPN

tunnel-group Spectrum type remote-access

tunnel-group Spectrum general-attributes

address-pool VPN

authorization-server-group LOCAL

default-group-policy Spectrum

tunnel-group Spectrum ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group 66.231.111.192 type ipsec-l2l

tunnel-group 66.231.111.192 ipsec-attributes

pre-shared-key *

tunnel-group 96.3.206.78 type ipsec-l2l

tunnel-group 96.3.206.78 ipsec-attributes

pre-shared-key *

tunnel-group ITS type remote-access

tunnel-group ITS general-attributes

address-pool VPN

default-group-policy ITS

tunnel-group ITS ipsec-attributes

pre-shared-key *

tunnel-group 208.84.69.233 type ipsec-l2l

tunnel-group 208.84.69.233 ipsec-attributes

pre-shared-key *

tunnel-group 65.19.230.54 type ipsec-l2l

tunnel-group 65.19.230.54 ipsec-attributes

pre-shared-key *

tunnel-group 216.147.161.178 type ipsec-l2l

tunnel-group 216.147.161.178 ipsec-attributes

pre-shared-key *

tunnel-group 209.181.191.252 type ipsec-l2l

tunnel-group 209.181.191.252 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7fc7b2bd866fb444e182bf1d21318ced

: end

asdm image disk0:/asdm-623.bin

asdm location smartclient 255.255.255.255 inside

asdm location staging-in 255.255.255.255 inside

asdm location Optima-in 255.255.255.255 inside

asdm location staging 255.255.255.255 inside

asdm location Optima 255.255.255.255 inside

asdm location crm-in 255.255.255.255 inside

asdm location Appsrvr-in 255.255.255.255 inside

asdm location crm 255.255.255.255 inside

asdm location Appsrvr 255.255.255.255 inside

asdm location CBP871-1-in 255.255.255.255 inside

asdm location CBP871-1 255.255.255.255 inside

asdm location CBP871-2-in 255.255.255.255 inside

asdm location CBP871-2 255.255.255.255 inside

asdm location Alpha-in 255.255.255.255 inside

asdm location imaging-in 255.255.255.255 inside

asdm location FaxSrvr-in 255.255.255.255 inside

asdm location Alpha 255.255.255.255 inside

asdm location imaging 255.255.255.255 inside

asdm location FaxSrvr 255.255.255.255 inside

asdm location CBP871-1-rem 255.255.255.255 inside

asdm location CBP871-2-rem 255.255.255.255 inside

asdm location Marco 255.255.255.0 inside

asdm location Raymond 255.255.255.0 inside

asdm location Portal 255.255.255.0 inside

asdm location Rochester 255.255.255.0 inside

no asdm history enable

Any ideas?

I could not find the reason from the debug output. It looks like the issue might be related to "rekey".

Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey         <<< Rekey start

Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)

Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED   <<<<< Phase 1 completed

Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds. 

        <<<<< Start a new rekey timer 64800 seconds, which is different from the default value on ASA 86400 seconds.

Then around 30 seconds later, we saw the following delete message.

Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message

Can you turn on the following debugs to get more info?

debug crypto ipsec 255

debug crypto isa 255
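The pattern described in the reply above (a Phase 1 rekey, a P1 rekey timer of 64800 seconds where the ASA default is 86400, and a delete message about 30 seconds later) is easy to miss in a long syslog export. The script below is an added example written for this thread, not code from Cisco or from anyone in the discussion. It parses ASA syslog lines, flags any peer for which an SA delete follows a Phase 1 rekey within a configurable window, and reports peers whose armed P1 rekey timer differs from the expected lifetime. The embedded log lines are constructed from the messages quoted above; the second peer, 203.0.113.10, is a fictional documentation address added to show the normal case.

```python
"""Correlate ASA IKE Phase 1 rekey and SA delete messages from a syslog export."""
import re
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the thread for 96.3.206.78, plus a
# fictional peer 203.0.113.10 whose rekey timer matches the 86400 s default.
SAMPLE_LOG = """\
Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey
Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED
Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds.
Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message
Jan 21 2010 06:00:00: %ASA-7-713906: IP = 203.0.113.10, Starting phase 1 rekey
Jan 21 2010 06:00:00: %ASA-7-715080: Group = 203.0.113.10, IP = 203.0.113.10, Starting P1 rekey timer: 86400 seconds.
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<sev>-<id>: <body>"
ASA_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
PEER_IP = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
P1_TIMER = re.compile(r"Starting P1 rekey timer: (?P<secs>\d+) seconds")


def parse_line(line):
    """Split one ASA syslog line into timestamp, message id, peer IP and body."""
    m = ASA_LINE.match(line.strip())
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())  # normalise padded day numbers
    ip_match = PEER_IP.search(m.group("body"))
    return {
        "ts": datetime.strptime(ts_text, "%b %d %Y %H:%M:%S"),
        "msg_id": m.group("msg_id"),
        "peer": ip_match.group("ip") if ip_match else None,
        "body": m.group("body"),
    }


def find_rekey_deletes(log_text, window_seconds=60):
    """Return peers for which a delete (713906) followed a Phase 1 rekey within the window."""
    last_rekey = {}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["msg_id"] != "713906" or rec["peer"] is None:
            continue
        if "Starting phase 1 rekey" in rec["body"]:
            last_rekey[rec["peer"]] = rec["ts"]
        elif "sending delete" in rec["body"]:
            started = last_rekey.get(rec["peer"])
            if started is not None and rec["ts"] - started <= timedelta(seconds=window_seconds):
                findings.append({
                    "peer": rec["peer"],
                    "rekey_at": started,
                    "delete_at": rec["ts"],
                    "seconds_after_rekey": int((rec["ts"] - started).total_seconds()),
                })
    return findings


def rekey_timers(log_text):
    """Map each peer to the Phase 1 rekey timer the ASA armed (message 715080)."""
    timers = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["msg_id"] != "715080" or rec["peer"] is None:
            continue
        m = P1_TIMER.search(rec["body"])
        if m:
            timers[rec["peer"]] = int(m.group("secs"))
    return timers


def mismatched_timers(log_text, expected_seconds=86400):
    """Peers whose armed P1 rekey timer differs from the lifetime you expect to see."""
    return {ip: s for ip, s in rekey_timers(log_text).items() if s != expected_seconds}


if __name__ == "__main__":
    for f in find_rekey_deletes(SAMPLE_LOG):
        print(f"{f['peer']}: delete sent {f['seconds_after_rekey']}s after Phase 1 rekey at {f['rekey_at']}")
    for ip, secs in mismatched_timers(SAMPLE_LOG).items():
        print(f"{ip}: armed P1 rekey timer {secs}s differs from expected 86400s")
```

Run it against the output of the debugs requested above (or a syslog export) to confirm whether every tunnel drop lines up with a rekey; a peer that shows up in both findings is the one whose lifetime negotiation deserves a closer look.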

I'll see what I can do to capture more info.  This happens so infrequently I may have a hard time catching it but I'll see what I can do.  Not sure if I'll catch the debug messages that will help.

I agree it seems to be somehow related to a re-key but it seems all the timers and settings are matched up.  I may try some other options to see if it clears up the random hang-ups.

kerstin-534
Level 1
Level 1

You can do a capture with the "capture cap1 type isakmp" command, then upload the capture and analyze them in Wireshark.

Maybe this helps.

David Schau
Level 1
Level 1

I seemed to clear up the major issues by turning the IKE lifetime to unlimited.  I learned that the Nortel NVR does not timeout the IKE phase 1 so this was what appears to be getting the two ends confused on the SAs.
