Community Member

ASA5505 VPN IPSEC Config Issue

I am trying to connect my onsite ASA to a remote ASA without success. I have done this before to another 3rd party and it works.

Does anybody see anything wrong with the configuration that was sent to me to input into my ASA, other than what I XXX'd out?

 

crypto isakmp policy 132
   auth pre-share
   enc aes-256
   hash sha
   group 2
   lifetime 28800


access-list ACL-USIDBReplication permit ip 192.168.100.32 255.255.255.255 172.27.123.20 255.255.255.255

crypto ipsec transform-set USITransform esp-aes-256 esp-sha-hmac

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set peer 54.XXX.XXX.XXX
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set transform-set USITransform
crypto map Outside_map 10 set security-association lifetime seconds 28800
crypto map Outside_map 10 set security-association lifetime kilobytes 4608000


tunnel-group 54.XXX.XXX.XXX type ipsec-l2l
tunnel-group 54.XXX.XXX.XXX ipsec-attrib
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

17 REPLIES
Hall of Fame Super Gold

What you have posted seems fairly reasonable. You do not show enabling isakmp on the interface or assigning the crypto map to an interface, you do not show exempting the VPN traffic from encryption. Are these things in your configuration? Are you really going through VPN for a single host address to a single host address?

 

If none of that indicates a problem then I would suggest starting with debug for isakmp. Is the negotiation starting? Does the negotiation encounter a problem? Is the isakmp security association negotiated?

 

HTH

 

Rick

Community Member

That is the config that was sent to me. I do have another VPN connection from the same ASA that is working correctly. I did see it finish Phase 1, one time.

Yes, we are doing a VPN from a single IP to a single IP for database replication.

I am getting this in my log.

4|Aug 29 2014|10:33:44|713903|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Error: Unable to remove PeerTblEntry
3|Aug 29 2014|10:33:44|713902|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Removing peer from peer table failed, no match!
6|Aug 29 2014|10:33:28|713905|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, P1 Retransmit msg dispatched to MM FSM
5|Aug 29 2014|10:33:28|713201|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Aug 29 2014|10:33:18|713172|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device


4|Aug 29 2014|10:33:18|713903|||||IP =54.213.xxx.xxx, Header invalid, missing SA payload! (next payload = 4)
5|Aug 29 2014|10:33:18|713041|||||IP = 54.213.54.244, IKE Initiator: New Phase 1, Intf inside, IKE Peer 54.213.54.244  local Proxy Address 192.168.100.32, remote Proxy Address 172.27.123.20,  Crypto map (Outside_map)

 

Hall of Fame Super Gold

Thanks for the additional information. It does address most of the questions that I asked. And since we seem to be having an issue with ISAKMP negotiation it does not yet matter whether the NAT exemption is in place.

 

I am puzzled about this message

5|Aug 29 2014|10:33:18|713041|||||IP = 54.213.54.244, IKE Initiator: New Phase 1, Intf inside,

and most especially why it mentions Intf inside. Can you provide any clarification about that?

 

HTH

 

Rick

Community Member

Here is my run config. I think I have everything for the new connection highlighted.

 

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.220 255.255.255.0
!
interface Vlan11
 nameif DMZ
 security-level 10
 ip address 172.16.0.1 255.255.255.240
!
interface Vlan21
 nameif Outside
 security-level 0
 ip address 10.255.255.2 255.255.255.0
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 21
!
interface Ethernet0/7
 switchport access vlan 11
!
dns server-group DefaultDNS
 domain-name ASA
object-group service RDP tcp
 port-object eq 1433
object-group service SQLClient tcp
 port-object eq 1433
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
 service-object esp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
 service-object esp
object-group service VPNPorts udp
 port-object eq 4500
 port-object eq isakmp
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list DMZ_access_in extended permit tcp any 192.168.100.0 255.255.255.0 object-group SQLClient
access-list DMZ_access_in extended permit udp any any object-group VPNPorts
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group SQLClient
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 172.16.0.0 255.255.255.240
access-list Outside_access_in extended permit udp any any object-group VPNPorts
access-list Outside_access_in extended permit ip host 216.XXX.XXX.72 any
access-list Outside_access_in extended permit ip host 54.XXX.XX.244 any
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 any
access-list ACL-USIDBReplication extended permit ip host 192.168.100.32 host 172.27.123.20
ip verify reverse-path interface inside
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.255.255.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set USITransform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 216.XXX.XXX.72
crypto map Outside_map 1 set transform-set ESP-AES128-SHA
crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 132
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 100
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 216.XXX.XX.72 type ipsec-l2l
tunnel-group 216.XXX.XX.72 ipsec-attributes
 pre-shared-key *
tunnel-group 54.XXX.XX.244 type ipsec-l2l
tunnel-group 54.XXX.XX.244 ipsec-attributes
 pre-shared-key *

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

 

Community Member

I think that you can execute the following commands:

no crypto isakmp policy 132
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 

Community Member

Unfortunately I cannot change the isakmp 10, it is being used by a separate VPN connection to a different 3rd Party.

Community Member

In your configuration there is:

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

Why can't you use crypto isakmp policy 10 ?

Community Member

Policy 10 is set at a different encryption level than Policy 132

Community Member

You must set the IKE phase 2 with this command:

 

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

Community Member

Would that break the VPN connection policy 10 that uses aes-128 currently?

Community Member

If you write IKE phase 1 as:

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

then you must write IKE Phase 2 as:

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

What is your configuration for IKE Phase 2, crypto isakmp policy 10?

What is your configuration for IKE Phase 1, crypto map Outside_map 10?

Community Member

What is your configuration for IKE Phase 1, crypto map Outside_map 132?

Community Member

Would something like this work?

 

crypto map Outside_map 132 match address ACL-USIDBReplication
crypto map Outside_map 132 set pfs
crypto map Outside_map 132 set peer 54.XXX.XX.244
crypto map Outside_map 132 set transform-set USITransform

crypto isakmp policy 132
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

 

Sorry guys, this is fairly new to me. Kind of got thrown in my lap.

Hall of Fame Super Gold

I am not sure why Walter is so hung up on isakmp policy 10 other than to assume that he believes that there is a relationship between the crypto map number and the isakmp policy number. But that is not the case. As the VPN peers negotiate they compare their configured policies until they find a policy that is configured on both peers.

 

You could rewrite the crypto map and make your new entry Outside_map 132, but I would be absolutely amazed if that made any difference.

 

I have looked through the config that you posted and do not see obvious issues. So my advice is to run debug crypto isakmp, let the tunnel attempt to initiate (may require being sure that the host in your network attempts to communicate with the host in the remote network), let it run a bit and then post the output.

 

HTH

 

Rick
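The policy selection Rick describes above, as an added illustration that is not part of this thread: the initiator offers every `crypto isakmp policy` it has, the responder walks its own policies by priority and takes the first one whose encryption, hash, authentication and DH group all agree, and the sequence numbers (10, 132, or the crypto map entry number) are never compared. The remote peer's policy set is an assumption, since the thread never shows it; treating a lifetime mismatch as non-blocking (the shorter value wins) is also an assumption about how the ASA behaves.

```python
import re

# Local ASA policies as posted in this thread; the remote peer set is constructed
# for the example (the actual third-party configuration is not visible to us).
LOCAL_ASA = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 132
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""
REMOTE_PEER = """
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")

def parse_policies(cfg):
    """Return [(priority, {attr: value}), ...] ordered by priority, lowest first."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line.strip())
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        parts = line.split()
        if current is not None and len(parts) == 2:
            policies[current][parts[0]] = parts[1]
    return sorted(policies.items())

def negotiate(initiator_cfg, responder_cfg):
    """Pick the phase 1 policy pair the peers would agree on, or None if nothing matches.
    Only the four attributes in MATCH_ATTRS decide the match; policy numbers are ignored.
    Assumed: lifetime does not block a match and negotiates down to the shorter value."""
    offers = parse_policies(initiator_cfg)
    for r_prio, r_pol in parse_policies(responder_cfg):
        for i_prio, i_pol in offers:
            if all(i_pol.get(a) == r_pol.get(a) for a in MATCH_ATTRS):
                lifetime = min(int(i_pol.get("lifetime", 86400)), int(r_pol.get("lifetime", 86400)))
                return {"initiator_policy": i_prio, "responder_policy": r_prio,
                        "lifetime": lifetime, **{a: r_pol[a] for a in MATCH_ATTRS}}
    return None
```

Running `negotiate(LOCAL_ASA, REMOTE_PEER)` pairs local policy 132 with remote policy 5 even though the numbers differ; swapping in a remote policy that only offers 3des returns None, which is the situation a stalled main mode looks like from the initiator side.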

Community Member

This is what I am getting over and over again. Unfortunately I cannot check the other end since it is a third party. What gets me is that I have another VPN that is setup almost exactly the same except for the key, peer IP and encryption level and it works just fine.

 

CiscoASA(config)# debug crypto isakmp 6
CiscoASA(config)# Sep 02 07:15:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:15:33 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 02 07:15:33 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, P1 Retransmit msg dispatched to MM FSM
Sep 02 07:15:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:15:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:15:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:15:49 [IKEv1 DEBUG]: Group = 54.213.54.244, IP = 54.213.54.244, IKE MM Initiator FSM error history (struct &0xd63a6790)  <state>, <event>:  MM_DONET
Sep 02 07:15:49 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, Removing peer from peer table failed, no match!
Sep 02 07:15:49 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, Error: Unable to remove PeerTblEntry
Sep 02 07:15:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:15:52 [IKEv1]: IP = 54.213.54.244, IKE Initiator: New Phase 1, Intf inside, IKE Peer 54.213.54.244  local Proxy Address 192.168.100.32, remote Prox)
Sep 02 07:15:52 [IKEv1 DEBUG]: IP = 54.213.54.244, Oakley proposal is acceptable
Sep 02 07:15:52 [IKEv1]: IP = 54.213.54.244, Header invalid, missing SA payload! (next payload = 4)
Sep 02 07:15:52 [IKEv1]: IP = 54.213.54.244, Connection landed on tunnel_group 54.213.54.244
Sep 02 07:15:52 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end e
Sep 02 07:15:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:16:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 07:16:03 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 02 07:16:03 [IKEv1]: Group = 54.213.54.244, IP = 54.213.54.244, P1 Retransmit msg dispatched to MM FSM

Hall of Fame Super Gold

In this debug output I see multiple instances of where the remote peer sends a key acquire message but no indication of any other traffic from them. Perhaps if the debug ran longer there might be other messages from them, or perhaps they are really not sending anything else. Perhaps you can check with the person at the remote peer and find what they are seeing on their end?

 

And on the positive side there are several messages that look like there might be some negotiation going on that we have not yet seen in the debug output. In particular this message

Oakley proposal is acceptable

and this message

Connection landed on tunnel_group

are perhaps a bit encouraging.

 

HTH

 

Rick
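A small triage script for the pipe-delimited ASA log export the original poster pasted earlier in the thread (severity|date|time|message-id|...|text), added here and not part of the discussion. It counts the message IDs the thread turns on (713041 new phase 1, 713201 retransmit, 713172 NAT detection) and pulls out the initiating interface Rick asked about. The sample lines are constructed to mirror the posted ones with a placeholder peer address; the finding texts are the author's summary of what each message indicates, not ASA output.

```python
import re
from collections import Counter

# Constructed sample in the same export layout as the thread's log; 203.0.113.10 is a placeholder peer.
SAMPLE_LOG = """\
4|Aug 29 2014|10:33:44|713903|||||Group = 203.0.113.10, IP = 203.0.113.10, Error: Unable to remove PeerTblEntry
3|Aug 29 2014|10:33:44|713902|||||Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from peer table failed, no match!
6|Aug 29 2014|10:33:28|713905|||||Group = 203.0.113.10, IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
5|Aug 29 2014|10:33:28|713201|||||Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Aug 29 2014|10:33:18|713172|||||Group = 203.0.113.10, IP = 203.0.113.10, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device
4|Aug 29 2014|10:33:18|713903|||||IP =203.0.113.10, Header invalid, missing SA payload! (next payload = 4)
5|Aug 29 2014|10:33:18|713041|||||IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 192.168.100.32, remote Proxy Address 172.27.123.20,  Crypto map (Outside_map)
"""
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<msgid>\d{6})\|(?:[^|]*\|){4}(?P<text>.*)$")
PEER_RE = re.compile(r"IP =\s*(\d+\.\d+\.\d+\.\d+)")

def parse_asa_log(text):
    """Split the export into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        p = PEER_RE.search(rec["text"])
        rec["peer"] = p.group(1) if p else None
        records.append(rec)
    return records

def triage_phase1(records):
    """Summarise the IKEv1 phase 1 picture: attempts, retransmits, NAT-T detection, header errors."""
    ids = Counter(r["msgid"] for r in records)
    # 713172 prints "IS" once per end that is behind NAT (assumed: "is NOT" otherwise).
    nat_both = any(r["msgid"] == "713172" and len(re.findall(r"\bIS\b", r["text"])) == 2 for r in records)
    intf = next((re.search(r"Intf (\S+),", r["text"]).group(1) for r in records if r["msgid"] == "713041"), None)
    bad_hdr = sum("Header invalid" in r["text"] for r in records)
    findings = []
    if ids["713201"] or ids["713905"]:
        findings.append("phase 1 main mode is retransmitting: the peer is not answering the last exchange")
    if nat_both:
        findings.append("both ends are behind NAT: UDP/4500 (NAT-T) must pass end to end")
    if bad_hdr:
        findings.append("packet with missing SA payload received: confirm phase 1 parameters with the peer")
    return {"peers": sorted({r["peer"] for r in records if r["peer"]}), "phase1_attempts": ids["713041"],
            "retransmits": ids["713201"], "nat_both_ends": nat_both, "initiating_interface": intf,
            "findings": findings}
```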

Community Member

The 3rd party is insistent it is an issue on our end. He has asked that I do a NAT for this. Not sure why, since all of our NAT is done by our ISP on their firewall.

access-list USI extended permit ip host 192.168.100.32 host 172.27.123.20

 

I currently have a single NAT rule to exempt all inside network to Any outside.

I have attached a basic layout of what we have. Again, a VPN to another 3rd Party works.

 

 
