Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
863
Views
0
Helpful
4
Replies

Can't get 2 ASA firewalls to become SA's in IPSEC tunnel

randallwebb1976
Level 1
Level 1

ā€Ž10-14-2010 11:52 AM - edited ā€Ž02-21-2020 04:54 PM

I am trying to get a new ASA 5520 firewall to create an IPSEC tunnel with a pix 515 firewall that laready has existing tunnels. I have conifgured the IPSEC and IKE information on the ASA to match what is on the PIX.

When I type in  > show isakmp on the ASA firewall I get a message stating there are no SA's and there is no traffic of any kind listed. AS seen below:

-------------------------------------------------------

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
---------------------------------------------------

Is there a command i need to run in order ot get the firewall to attempt the connection. Again I have all the crypto statements done. ANy help would be appreciated.

Labels:
0 Helpful
4 Replies 4

Federico Coto Fajardo
VIP Alumni
VIP Alumni

ā€Ž10-14-2010 12:33 PM

Hi,

If the IPsec VPN tunnel is configured correctly on both sides you should see phase 1 established with the command: sh cry isa sa

And phase 2: sh cry ips sa

If you don't see any attempt, you could use:

debug cry isa 127

debug cry ipsec 127

To check detailed messages (you can condition the debugs to this single peer if needed).

Perhaps there's a mismatch on the VPN configuration.


Federico.

0 Helpful

randallwebb1976
Level 1
Level 1
In response to Federico Coto Fajardo

ā€Ž10-14-2010 01:12 PM

As far as I can tell I have checked......rechecked and checked again both firewalls and I know the shared keys are the same. I also know that

I have tried to establish a connection using both ASDM and CLI with no luck.

When I run the "sh cry isa sa" I get the message " There are no isakmp sas.". Again when I run the "show isakmp" commmand I get 0 for everything. It'sas if the firewall is not attmepting to do anything.

Is there a command or something I am missing for the firewall to attempt to create a SA????? I know that one of the firewalls I am connecting to can create IPSEC tunnels becuase it already has 6 tunnels to other existing firewalls. The new firewall I am creating is the one that gives me NO information when attempting to create the tunnel.

If anyone has any advice please help. I have been on this for almost a week now and I am at my wit's end.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to randallwebb1976

ā€Ž10-14-2010 01:35 PM

Nothing should prevent the ASA from establishing the tunnel if configured correctly.

Is there another device (firewall) in front of the ASA that might be blocking the ports for the VPN to establish?

The result of the debugs I told you should show if the ASA is trying to build the tunnel and where it's failing.

If you can configure a Remote-Access IPsec VPN to the ASA and connect from a VPN client, it will show if the ASA accepts IPsec and if it works.

On recent versions, if the ASA has an ACL applied to the outside interface with the keyword ''control-plane'' it will stop the ASA from responding to ISAKMP requests (if blocking UDP 500).

Federico.

0 Helpful

randallwebb1976
Level 1
Level 1
In response to Federico Coto Fajardo

ā€Ž10-18-2010 06:02 AM

I tqlked tyou our netwroking guys and traced the network path between the firewalls, and there are not any firewalls between them. There are however VANS that are used and it appears that the PIX firewall (currently in use) is in one VLAN and the ASA I am configuring is in another.

I am going to do the following 2 things and post my findings:

1) Get VLAN of all current PIX firewals in tunnels (6 total)

2) Attempt to create a test tunnel between two new ASA firewalls to make sure that I have everyting configured correctly.

0 Helpful
Customers Also Viewed These Support Documents