01-20-2010 10:30 AM
New ASA running 8.0(5) installed and recently put into service. Using L2L connections from an existing Nortel VPN Router 1010 as well as some other Nortel VPN SOHO devices.
The connections are mostly working except for an intermittent issue with the tunnel to the 1010. I am trying to gather details, but it seems to be in either the IKE or IPSEC timers. I am still collecting data about when/what to get an idea what the root issue is. Any suggestions on debugs I should run and send to a syslog to help? The Nortel reports in its log that 30 secs after the sessions are set up the ASA sends a delete message.
I would like to see if the ASA debug might help with fixing this. But I am not sure what debugs to enable safely.
I have just today made sure the IKE and IPSEC timers match and set up NTP so there are no clock drift issues contributing. Any ideas or suggestions would be greatly appreciated.
Nortel Log messages:
>>>>>>>> 04:34:05 0 tIsakmp [03] Delete message for IPsec SA received from XXX.YYY.163.93 <<<<<<<
01/20/2010 04:33:35 0 tIpsecDecap [16] ESP decap session SPI 0x6d2bea94 bound to s/w on cpu 0
01/20/2010 04:33:35 0 tIpsecDecap [16] ESP encap session SPI 0xfd3b9403 bound to s/w on cpu 0
01/20/2010 04:33:35 0 Security [15] Session: IPSEC[-]:282344 physical addresses: remote XXX.YYY.163.93 local AAA.BBB.206.78
01/20/2010 04:33:35 0 Security [15] Session: IPSEC[XXX.YYY.163.93]:282342 physical addresses: remote XXX.YYY.163.93 local AAA.BBB.206.78
01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] logged in from gateway [XXX.YYY.163.93]
01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] attempting login
01/20/2010 04:33:35 0 Syslog [24] Failed Login Attempt: Username=XXX.YYY.163.93: Date/Time=01/20/2010 04:33:35
01/20/2010 04:33:35 0 Security [16] Session: IPSEC[XXX.YYY.163.93] attempting login
01/20/2010 04:33:35 0 Branch Office [06] IPSEC branch office connection initiated to rem[172.16.1.0-255.255.255.0]@[XXX.YYY.163.93] loc[192.168.0.0-255.255.248.0]
01/20/2010 04:33:11 0 tIsakmp [05] Deleting ISAKMP SA with XXX.YYY.163.93
01/20/2010 04:33:11 0 Security [15] Session 2e30908: IPSEC[XXX.YYY.163.93]:282186 logged out
01/20/2010 04:33:11 0 Security [15] Session 2e35090: IPSEC[-]:282311 logged out
01/20/2010 04:33:11 0 tIsakmp [05] Delete message for ISAKMP SA received from XXX.YYY.163.93
01/20/2010 04:32:33 0 tIsakmp [05] ISAKMP SA established with XXX.YYY.163.93
01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 authorized
01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 Applying group filter permit all
01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 Building group filter permit all
01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 bound to group /Base/DCN/DCN Data Ctr
01/20/2010 04:32:33 0 Security [16] Session: IPSEC[XXX.YYY.163.93]:282342 authenticated using LOCAL
01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 attempting authentication using LOCAL
01/20/2010 04:32:33 0 Security [06] Session: IPSEC[XXX.YYY.163.93]:282342 SHARED-SECRET authenticate attempt...
01/20/2010 04:32:32 0 tIsakmp [05] Oakley Main Mode proposal accepted from XXX.YYY.163.93
01/20/2010 04:32:32 0 Security [16] Session: IPSEC[XXX.YYY.163.93] attempting login
01-20-2010 02:50 PM
On ASA, you can enable "debug crypto condition" to specify the peer IP which you would like to run debug on.
Then you can use the following debug commands:
debug crypto ipsec
debug crypto isa
Since conditional debug is turned on, you should only see debug output which is related to Nortel 1010.
If the following message is related to the ASA session, I am not sure why it asked for user authentication if it is a LAN-to-LAN VPN.
Not sure how your implementation is. Is your ASA configured as hardware vpn client? Please provide ASA config as well with debug output.
01/20/2010 04:33:35 0 Security [16] Session: network IPSEC[172.16.1.0-255.255.255.0] attempting login
01/20/2010 04:33:35 0 Syslog [24] Failed Login Attempt: Username=XXX.YYY.163.93: Date/Time=01/20/2010 04:33:35
01-21-2010 12:10 PM
Below are the syslog messages I got this morning for the failed tunnel and also the ASA config.
I am not that familiar with what I should expect to see so deciphering the output is a bit beyond me.
SYSLOG:
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715077: Pitcher: received key delete msg, spi 0xb0cf882a "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec delete payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing qm hash payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=1c83e8ff) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Active unit receives a centry expired event for remote peer 96.3.206.78. "
"1/21/2010 05:08" 172.16.1.1 Info "Jan 21 2010 05:08:22: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x4774B8FD) between 216.147.163.93 and 96.3.206.78 (user= 96.3.206.78) has been deleted. "
"1/21/2010 05:08" 172.16.1.1 Info "Jan 21 2010 05:08:22: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xBB96F31F) between 216.147.163.93 and 96.3.206.78 (user= 96.3.206.78) has been deleted. "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715077: Pitcher: received key delete msg, spi 0x0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:08:22: %ASA-7-715009: Group = 96.3.206.78, IP = 96.3.206.78, IKE Deleting SA: Remote Proxy 192.168.0.0, Local Proxy 172.16.1.0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713035: Group = 96.3.206.78, IP = 96.3.206.78, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.248.0, Protocol 0, Port 0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713222: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:GrandForks dst:172.16.1.0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713221: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, checking map = outside_map, seq = 2... "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713225: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, map outside_map, seq = 2 is a successful match "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713066: Group = 96.3.206.78, IP = 96.3.206.78, IKE Remote Peer configured for crypto map: outside_map "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing IPSec SA payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, IKE: requesting SPI! "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing hash payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing SA payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing nonce payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713221: Group = 96.3.206.78, IP = 96.3.206.78, Static Crypto Map check, checking map = outside_map, seq = 1... "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, processing ISA_KE for PFS in phase 2 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715027: Group = 96.3.206.78, IP = 96.3.206.78, IPSec SA Proposal # 2, Transform # 2 acceptable Matches global IPSec SA entry # 2 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.248.0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714003: IP = 96.3.206.78, IKE Responder starting QM: msg id = e9a8b8a1 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=e9a8b8a1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 840 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Transmitting Proxy Id: Remote subnet: 192.168.0.0 Mask 255.255.248.0 Protocol 0 Port 0 Local subnet: 172.16.1.0 mask 255.255.255.0 Protocol 0 Port 0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715001: Group = 96.3.206.78, IP = 96.3.206.78, constructing proxy ID "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing pfs ke payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec nonce payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IPSec SA payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ke payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR_SUBNET ID received--172.16.1.0--255.255.255.0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713034: Group = 96.3.206.78, IP = 96.3.206.78, Received local IP Proxy Subnet data in ID Payload: Address 172.16.1.0, Mask 255.255.255.0, Protocol 0, Port 0 "
"1/21/2010 05:08" 172.16.1.1 Debug "Jan 21 2010 05:07:52: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, oakley constucting quick mode "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing IKE delete payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, IKE SA MM:57b742aa terminating: flags 0x01000026, refcnt 0, tuncnt 0 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing blank hash payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing qm hash payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=b1fe0b94) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80 "
"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:40: %ASA-5-713904: IP = 96.3.206.78, Received encrypted packet with no matching SA, dropping "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715076: Group = 96.3.206.78, IP = 96.3.206.78, Computing hash for ISAKMP "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds. "
"1/21/2010 05:07" 172.16.1.1 Error "Jan 21 2010 05:07:06: %ASA-3-713122: IP = 96.3.206.78, Keep-alives configured on but peer does not support keep-alives (type = None) "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713121: IP = 96.3.206.78, Keep-alive type for this connection: None "
"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED "
"1/21/2010 05:07" 172.16.1.1 Warning "Jan 21 2010 05:07:06: %ASA-4-713903: Group = 96.3.206.78, IP = 96.3.206.78, Freeing previously allocated memory for authorization-dn-attributes "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: Group = 96.3.206.78, IP = 96.3.206.78, processing ID payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-714011: Group = 96.3.206.78, IP = 96.3.206.78, ID_IPV4_ADDR ID received 96.3.206.78 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Connection landed on tunnel_group 96.3.206.78 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing ke payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing NAT-Traversal VID ver 03 payload "
"1/21/2010 05:07" 172.16.1.1 Notice "Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A) "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing NAT-Traversal VID ver 02 payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing ISAKMP SA payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing Fragmentation VID + extended capabilities payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 96 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing SA payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing VID payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing nonce payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing Cisco Unity VID payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, Generating keys for Initiator... "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Oakley proposal is acceptable "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715048: IP = 96.3.206.78, Send Altiga/Cisco VPN3000/Cisco ASA GW VID "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing xauth V6 VID payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715048: IP = 96.3.206.78, Send IOS VID "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715038: IP = 96.3.206.78, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing hash payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing dpd vid payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713236: IP = 96.3.206.78, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 152 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715076: Group = 96.3.206.78, IP = 96.3.206.78, Computing hash for ISAKMP "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing ke payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing ISA_KE payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715047: IP = 96.3.206.78, processing nonce payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Connection landed on tunnel_group 96.3.206.78 "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: IP = 96.3.206.78, constructing VID payload "
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715046: Group = 96.3.206.78, IP = 96.3.206.78, constructing ID payload "
ASA:
: Saved
:
ASA Version 8.0(5)
!
hostname ciscoasa1
domain-name xport.ca
enable password x3loyGZvrFHA5bzV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 216.147.163.81 smartclient
name 172.16.1.107 smartclient-in
name 216.147.163.83 Optima
name 172.16.1.114 Optima-in
name 216.147.163.82 staging
name 172.16.1.111 staging-in
name 216.147.163.85 Appsrvr
name 172.16.1.115 Appsrvr-in
name 216.147.163.84 crm
name 172.16.1.110 crm-in
name 216.147.163.87 CBP871-1
name 172.16.1.5 CBP871-1-in
name 216.147.163.88 CBP871-2
name 172.16.1.6 CBP871-2-in
name 216.147.163.86 Alpha
name 172.16.1.101 Alpha-in
name 216.147.163.90 FaxSrvr
name 172.16.1.103 FaxSrvr-in
name 216.147.163.89 imaging
name 172.16.1.102 imaging-in
name 198.70.226.25 CBP871-1-rem
name 66.181.246.114 CBP871-2-rem
name 192.168.30.0 Pembina
name 192.168.0.0 GrandForks
name 192.168.55.0 Marco
name 192.168.50.0 Raymond
name 192.168.44.0 Portal
name 192.168.41.0 Rochester
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 216.147.163.93 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.1.120
name-server 172.16.1.121
domain-name xport.ca
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq telnet
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3389
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq 3389
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq 3389
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq 3389
port-object eq www
port-object eq https
object-group service RDP2 tcp
port-object eq 3390
access-list Spectrum_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list Spectrum_splitTunnelAcl standard permit GrandForks 255.255.248.0
access-list Spectrum_splitTunnelAcl standard permit Pembina 255.255.255.0
access-list Spectrum_splitTunnelAcl standard permit Marco 255.255.255.0
access-list Spectrum_splitTunnelAcl standard permit Raymond 255.255.255.0
access-list Spectrum_splitTunnelAcl standard permit Rochester 255.255.255.0
access-list Spectrum_splitTunnelAcl standard permit Portal 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 216.147.163.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Marco 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Raymond 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 GrandForks 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Pembina 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Portal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Rochester 255.255.255.0
access-list outside_access_in extended permit tcp any host smartclient object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host staging object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host Optima object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any host crm object-group DM_INLINE_TCP_6
access-list outside_access_in extended permit tcp any host Appsrvr object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host Alpha object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host imaging eq 3389
access-list outside_access_in extended permit tcp any host FaxSrvr eq 3389
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Pembina 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 GrandForks 255.255.248.0
access-list ITS_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Marco 255.255.255.0
access-list outside_4_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Raymond 255.255.255.0
access-list outside_5_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Portal 255.255.255.0
access-list outside_6_cryptomap extended permit ip 172.16.1.0 255.255.255.0 Rochester 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging trap notifications
logging asdm notifications
logging host inside 172.16.1.33
logging class vpdn trap debugging
logging class vpn trap debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.16.1.31-172.16.1.40 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) smartclient smartclient-in netmask 255.255.255.255
static (inside,outside) staging staging-in netmask 255.255.255.255
static (inside,outside) Optima Optima-in netmask 255.255.255.255
static (inside,outside) crm crm-in netmask 255.255.255.255
static (inside,outside) Appsrvr Appsrvr-in netmask 255.255.255.255
static (inside,outside) Alpha Alpha-in netmask 255.255.255.255
static (inside,outside) FaxSrvr FaxSrvr-in netmask 255.255.255.255
static (inside,outside) imaging imaging-in netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.147.163.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 inside
snmp-server location Fargo DCN
snmp-server contact Jason Berberich
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 66.231.111.192
crypto map outside_map 1 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 96.3.206.78
crypto map outside_map 2 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 86399
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set connection-type answer-only
crypto map outside_map 3 set peer 208.84.69.233
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 3 set nat-t-disable
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 65.19.230.54
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 216.147.161.178
crypto map outside_map 5 set transform-set ESP-DES-MD5
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs
crypto map outside_map 6 set connection-type answer-only
crypto map outside_map 6 set peer 209.181.191.252
crypto map outside_map 6 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 8
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.120 172.16.1.121
dhcpd domain xport.ca
!
dhcpd address 172.16.1.11-172.16.1.30 inside
dhcpd dns 172.16.1.120 172.16.1.121 interface inside
dhcpd lease 604800 interface inside
dhcpd domain xport.ca interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 132.163.4.103 source outside prefer
ssl encryption des-sha1 rc4-md5
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ip-comp enable
re-xauth enable
pfs enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value VPN
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy Spectrum internal
group-policy Spectrum attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Spectrum_splitTunnelAcl
group-policy DCN internal
group-policy DCN attributes
vpn-idle-timeout 480
vpn-filter value outside_2_cryptomap
vpn-tunnel-protocol IPSec
group-policy ITS internal
group-policy ITS attributes
dns-server value 172.16.1.120 172.16.1.121
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITS_splitTunnelAcl
default-domain value xport.ca
username adminspectrum password 3k5V5jGcR0wb5pNa encrypted privilege 15
username adminspectrum attributes
vpn-group-policy Spectrum
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username howood password lPTuyzSHBoFXs8Ur encrypted privilege 15
username howood attributes
vpn-group-policy ITS
username jberberich password pEOwroN.s0RzypOT encrypted privilege 15
username jberberich attributes
vpn-group-policy ITS
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN
tunnel-group Spectrum type remote-access
tunnel-group Spectrum general-attributes
address-pool VPN
authorization-server-group LOCAL
default-group-policy Spectrum
tunnel-group Spectrum ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group 66.231.111.192 type ipsec-l2l
tunnel-group 66.231.111.192 ipsec-attributes
pre-shared-key *
tunnel-group 96.3.206.78 type ipsec-l2l
tunnel-group 96.3.206.78 ipsec-attributes
pre-shared-key *
tunnel-group ITS type remote-access
tunnel-group ITS general-attributes
address-pool VPN
default-group-policy ITS
tunnel-group ITS ipsec-attributes
pre-shared-key *
tunnel-group 208.84.69.233 type ipsec-l2l
tunnel-group 208.84.69.233 ipsec-attributes
pre-shared-key *
tunnel-group 65.19.230.54 type ipsec-l2l
tunnel-group 65.19.230.54 ipsec-attributes
pre-shared-key *
tunnel-group 216.147.161.178 type ipsec-l2l
tunnel-group 216.147.161.178 ipsec-attributes
pre-shared-key *
tunnel-group 209.181.191.252 type ipsec-l2l
tunnel-group 209.181.191.252 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7fc7b2bd866fb444e182bf1d21318ced
: end
asdm image disk0:/asdm-623.bin
asdm location smartclient 255.255.255.255 inside
asdm location staging-in 255.255.255.255 inside
asdm location Optima-in 255.255.255.255 inside
asdm location staging 255.255.255.255 inside
asdm location Optima 255.255.255.255 inside
asdm location crm-in 255.255.255.255 inside
asdm location Appsrvr-in 255.255.255.255 inside
asdm location crm 255.255.255.255 inside
asdm location Appsrvr 255.255.255.255 inside
asdm location CBP871-1-in 255.255.255.255 inside
asdm location CBP871-1 255.255.255.255 inside
asdm location CBP871-2-in 255.255.255.255 inside
asdm location CBP871-2 255.255.255.255 inside
asdm location Alpha-in 255.255.255.255 inside
asdm location imaging-in 255.255.255.255 inside
asdm location FaxSrvr-in 255.255.255.255 inside
asdm location Alpha 255.255.255.255 inside
asdm location imaging 255.255.255.255 inside
asdm location FaxSrvr 255.255.255.255 inside
asdm location CBP871-1-rem 255.255.255.255 inside
asdm location CBP871-2-rem 255.255.255.255 inside
asdm location Marco 255.255.255.0 inside
asdm location Raymond 255.255.255.0 inside
asdm location Portal 255.255.255.0 inside
asdm location Rochester 255.255.255.0 inside
no asdm history enable
Any ideas?
01-22-2010 09:44 AM
I could not find the reason from the debug output. It looks like the issue might be related to "rekey":
Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey <<< Rekey start
Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED <<<<< Phase 1 completed
Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds.
<<<<< Start a new rekey timer 64800 seconds, which is different from the default value on ASA 86400 seconds.
Then around 30 second later, we saw the following delete message.
Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message
Can you turn the following debug to get more info?
debug crypto ipsec 255
debug crypto isa 255
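The correlation done by hand in the reply above (rekey start, PHASE 1 COMPLETED, the 64800 s rekey timer, then a delete about 30 s later) can be scripted so the next occurrence is caught automatically in the syslog feed. This is an added example, not part of the thread or of any Cisco tool; the sample lines are copied from the syslog posted above, and the 75% interpretation of the rekey timer is an assumption stated in the code.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Matches the ASA message body whether or not the syslog collector's
# '"1/21/2010 05:07" 172.16.1.1 Debug "' prefix is still in front of it.
LINE_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$'
)
PEER_RE = re.compile(r'IP = (\d+\.\d+\.\d+\.\d+)')
TIMER_RE = re.compile(r'Starting P1 rekey timer: (\d+) seconds')


class Event(NamedTuple):
    ts: datetime
    severity: int
    msg_id: str
    peer: Optional[str]
    msg: str


# Constructed sample: the lines the thread discusses, in the order the ASA
# emitted them (the collector listed them newest-first). One line keeps the
# collector prefix to show that it is tolerated.
SAMPLE_LOG = """\
Jan 21 2010 05:07:06: %ASA-7-713906: IP = 96.3.206.78, Starting phase 1 rekey
Jan 21 2010 05:07:06: %ASA-5-713041: IP = 96.3.206.78, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 96.3.206.78 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Jan 21 2010 05:07:06: %ASA-5-713119: Group = 96.3.206.78, IP = 96.3.206.78, PHASE 1 COMPLETED
Jan 21 2010 05:07:06: %ASA-3-713122: IP = 96.3.206.78, Keep-alives configured on but peer does not support keep-alives (type = None)
"1/21/2010 05:07" 172.16.1.1 Debug "Jan 21 2010 05:07:06: %ASA-7-715080: Group = 96.3.206.78, IP = 96.3.206.78, Starting P1 rekey timer: 64800 seconds. "
Jan 21 2010 05:07:40: %ASA-5-713904: IP = 96.3.206.78, Received encrypted packet with no matching SA, dropping
Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message
Jan 21 2010 05:07:40: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, IKE SA MM:57b742aa terminating: flags 0x01000026, refcnt 0, tuncnt 0
Jan 21 2010 05:07:52: %ASA-7-714003: IP = 96.3.206.78, IKE Responder starting QM: msg id = e9a8b8a1
Jan 21 2010 05:08:22: %ASA-7-713906: Group = 96.3.206.78, IP = 96.3.206.78, sending delete/delete with reason message
"""


def parse_asa_log(text: str) -> List[Event]:
    """Parse ASA syslog lines into events, oldest first (sort is stable)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        msg = m.group("msg").rstrip(' "')
        peer = PEER_RE.search(msg)
        events.append(Event(ts, int(m.group("sev")), m.group("id"),
                            peer.group(1) if peer else None, msg))
    events.sort(key=lambda e: e.ts)
    return events


def analyze_rekey(events: List[Event], peer: str,
                  lifetime_seconds: int = 86400, window_seconds: int = 60) -> dict:
    """Correlate a Phase 1 rekey for one peer with any IKE delete sent soon after.

    lifetime_seconds is the 'crypto isakmp policy ... lifetime' value from the
    posted config; window_seconds bounds how soon after PHASE 1 COMPLETED a
    delete counts as rekey-related.
    """
    f = {"rekey_started": None, "phase1_completed": None, "rekey_timer": None,
         "timer_fraction_of_lifetime": None, "keepalive_unsupported": False,
         "delete_after_rekey_seconds": None, "no_matching_sa_drops": 0}
    for e in events:
        if e.peer != peer:
            continue
        if "Starting phase 1 rekey" in e.msg and f["rekey_started"] is None:
            f["rekey_started"] = e.ts
        elif "PHASE 1 COMPLETED" in e.msg:
            f["phase1_completed"] = e.ts
        elif (m := TIMER_RE.search(e.msg)):
            f["rekey_timer"] = int(m.group(1))
            f["timer_fraction_of_lifetime"] = round(f["rekey_timer"] / lifetime_seconds, 3)
        elif e.msg_id == "713122":          # peer has no keep-alive/DPD support
            f["keepalive_unsupported"] = True
        elif e.msg_id == "713904":          # encrypted packet with no matching SA
            f["no_matching_sa_drops"] += 1
        elif ("sending delete/delete with reason" in e.msg
              and f["phase1_completed"] is not None
              and f["delete_after_rekey_seconds"] is None):
            delta = (e.ts - f["phase1_completed"]).total_seconds()
            if delta <= window_seconds:
                f["delete_after_rekey_seconds"] = int(delta)
    return f


def summarize(f: dict) -> List[str]:
    """Turn the findings into the observations a reviewer of this log would make."""
    notes = []
    if f["delete_after_rekey_seconds"] is not None:
        notes.append(f"ASA sent an IKE delete {f['delete_after_rekey_seconds']} s after the rekeyed "
                     "Phase 1 SA completed: the peers likely disagree on which IKE SA is live")
    if f["timer_fraction_of_lifetime"] is not None:
        notes.append(f"P1 rekey timer {f['rekey_timer']} s is {f['timer_fraction_of_lifetime']:.0%} of the "
                     "configured lifetime (assumption: ASA schedules the rekey ahead of expiry)")
    if f["keepalive_unsupported"]:
        notes.append("peer does not support IKE keep-alives, so a stale SA on either side is not detected by liveness checks")
    if f["no_matching_sa_drops"]:
        notes.append(f"{f['no_matching_sa_drops']} encrypted packet(s) arrived for an SA the ASA no longer holds")
    return notes


if __name__ == "__main__":
    for note in summarize(analyze_rekey(parse_asa_log(SAMPLE_LOG), "96.3.206.78")):
        print("-", note)
```

Feed it the raw export from the syslog server and it reports the rekey-to-delete gap (34 s for the posted log) for the peer you name.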
01-22-2010 01:26 PM
I'll see what I can do to capture more info. This happens so infrequently I may have a hard time catching it, but I'll see what I can do. Not sure if I'll catch the debug messages that will help.
I agree it seems to be somehow related to a rekey, but it seems all the timers and settings are matched up. I may try some other options to see if it clears up the random hang-ups.
01-21-2010 06:57 AM
You can do a capture with the "capture cap1 type isakmp" command, then upload the capture and analyze them in Wireshark.
Maybe this helps.
01-28-2010 06:52 AM
I seemed to clear up the major issues by turning the IKE lifetime to unlimited. I learned that the Nortel NVR does not timeout the IKE phase 1 so this was what appears to be getting the two ends confused on the SAs.