04-03-2008 09:43 AM
I've purchased a brand new ASA 5505 to connect to the Cisco 3640 and I can't even bring up the tunnel. I have tried changing the transform-set to just DES but no luck. I have recently brought up a VPN using DMVPN and the Cisco 501 in a site-to-site, but this one has me wondering what is going on.
The router (3640 running 12.4 code) looks OK, and with the Cisco 501 working great I don't think I have an issue with the router.
This is a lab environment.
This is the feature set on the ASA 5505
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has a Base license.
This is a ping from 10.3.4.10 to 10.1.1.1. It doesn't say anything about IPSEC or ISAKMP.
This is what I get when I do the: show crypto ipsec sa
ASA5505(config)# show crypto ipsec sa
There are no ipsec sas
ASA5505(config)# show crypto isakmp sa
There are no isakmp sas
debug crypto isakmp 10
packet input inside icmp 10.3.4.10 8 0 10.1.1.1 detail
I've been working on this for a week and don't really know if I have a bad ASA5505. Since normal stuff like browsing the Internet works and I can ping outside and inside I don't know what to think. See attachments.
04-05-2008 10:17 AM
"Doing what you asked worked"
Nice to hear that your issue is resolved.
"My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?"
Sure you can.
Regards.
Please do not forget to rate helpful posts and check "Resolved my issue" box, if the post resolved your issue.
04-03-2008 10:15 AM
Hi Bryan
Try reloading ASA
Are you talking about the Remote access or site-to-site VPN?
Regards
04-03-2008 10:20 AM
I'm working on a site to site VPN. The logs show the router is trying to talk to the ASA.
I have tried to set the defaults back to factory and nothing has changed. I can provide the router side if you think it would help.
LOGS:
4|Apr 03 2008|16:49:24|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry
3|Apr 03 2008|16:49:24|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match!
4|Apr 03 2008|16:48:52|713903|||IP = 67.166.99.36, Information Exchange processing failed
5|Apr 03 2008|16:48:52|713904|||IP = 67.166.99.36, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
5|Apr 03 2008|16:48:52|713041|||IP = 67.166.99.36, IKE Initiator: New Phase 1, Intf inside, IKE Peer 67.166.99.36 local Proxy Address 10.3.4.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map1)
4|Apr 03 2008|16:48:28|713903|||IP = 67.166.99.36, Error: Unable to remove PeerTblEntry
3|Apr 03 2008|16:48:28|713902|||IP = 67.166.99.36, Removing peer from peer table failed, no match
04-03-2008 11:58 AM
Hi,
Do you have 'pfs' enabled on the ASA? From your upload:
crypto map outside_map1 1 set pfs
Disable pfs (unless it exists on the other end also) and check if it works.
thank you
MS
04-04-2008 03:25 AM
Bryan,
Can you send the config of router and current config of ASA please?
Most probably, transform-set is not set. You would get a PFS mismatch error if it was a PFS issue.
04-04-2008 05:57 AM
04-04-2008 06:54 AM
I have attached the configs for both. Still no luck.
04-04-2008 12:30 PM
In the 3640, do the following:
no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
no set transform-set ESP-3DES-SHA1
set transform-set ESP-3DES-MD5
no ip nat inside source route-map SDM_RMAP_3 interface Ethernet2/0 overload
no access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
no access-list 105 permit ip 10.1.2.0 0.0.0.255 any
no access-list 105 permit ip 10.1.1.0 0.0.0.255 any
no access-list 105 permit ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255
no access-list 106 remark IPSec Rule
no access-list 106 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
no access-list 106 permit ip 10.3.3.0 0.0.0.255 any
no access-list 106 permit icmp any any
access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 105 deny ip 10.1.1.0 0.0.0.255 10.3.4.0 0.0.0.255
access-list 105 permit ip 10.1.2.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.3.3.0 0.0.0.255 any
access-list 105 permit icmp any any
In the ASA, do the following:
no crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
no crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
no crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
no crypto ipsec transform-set ESP-3DES-SHA_BES esp-3des esp-sha-hmac
no crypto ipsec fragmentation after-encryption inside
no crypto map outside_map1 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA_BES ESP-3DES-SHA
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
Restart both devices, then let me know if all is right. If not, post the latest configs of both again.
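The ASA log lines posted earlier in the thread (NO_PROPOSAL_CHOSEN received un-encrypted, then the peer-table cleanup messages) and the fix above (aligning the transform-sets on both ends) are two halves of the same check: do the peers actually offer a common proposal, and which syslog messages tell you they don't? The script below is an added example, not code from the thread or from Cisco. It parses the transform-set definitions and crypto map entries from IOS-style and ASA-style config excerpts, compares the proposals by algorithm rather than by name (names are local to each box), and flags the relevant log lines. The config fragments and the log lines are constructed for the example, modelled on the thread but with documentation-range addresses; it does not claim to reproduce the exact root cause in this thread.

```python
"""Check two IPsec peers for a common transform-set and triage ASA IKE syslog lines.

Added example (not from the thread or from Cisco). Config excerpts and log lines
below are constructed for the example, modelled loosely on the thread.
"""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

ProposalSet = FrozenSet[str]

# Constructed IOS excerpt: router offers only 3DES/SHA on its crypto map entry.
IOS_CONFIG_BEFORE = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set ESP-3DES-SHA
 match address 106
"""

# Constructed IOS excerpt after the fix: crypto map entry switched to 3DES/MD5.
IOS_CONFIG_AFTER = IOS_CONFIG_BEFORE.replace(" set transform-set ESP-3DES-SHA",
                                             " set transform-set ESP-3DES-MD5")

# Constructed ASA excerpt: offers 3DES/MD5 and AES-128/SHA, never 3DES/SHA.
ASA_CONFIG = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map1 1 match address outside_1_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 203.0.113.10
crypto map outside_map1 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
"""

# Constructed ASA syslog lines in the pipe-separated export format used in the thread.
ASA_LOG = [
    "5|Apr 03 2008|16:48:52|713041|||IP = 198.51.100.5, IKE Initiator: New Phase 1, Intf inside, "
    "IKE Peer 198.51.100.5 local Proxy Address 10.3.4.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map1)",
    "5|Apr 03 2008|16:48:52|713904|||IP = 198.51.100.5, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping",
    "4|Apr 03 2008|16:48:52|713903|||IP = 198.51.100.5, Information Exchange processing failed",
]


def parse_transform_sets(config: str) -> Dict[str, ProposalSet]:
    """Map each 'crypto ipsec transform-set NAME alg alg ...' line to its algorithm set.
    IOS and ASA share this line syntax."""
    sets: Dict[str, ProposalSet] = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", line)
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def crypto_map_proposals(config: str) -> Dict[Tuple[str, int], List[ProposalSet]]:
    """Return, per crypto map entry, the algorithm sets it offers, in configured order.
    Handles the IOS form (indented 'set transform-set' under 'crypto map NAME SEQ ipsec-isakmp')
    and the ASA form ('crypto map NAME SEQ set transform-set NAME ...')."""
    defs = parse_transform_sets(config)
    result: Dict[Tuple[str, int], List[ProposalSet]] = {}
    current = None  # IOS crypto map entry whose indented block we are inside
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp\b", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = re.match(r"^crypto map (\S+) (\d+) set transform-set (.+)$", line)
        if m:
            key, names = (m.group(1), int(m.group(2))), m.group(3).split()
        elif current and re.match(r"^\s+set transform-set (.+)$", line):
            key, names = current, line.split()[2:]
        else:
            if line and not line[0].isspace():
                current = None  # a non-indented line ends the IOS block
            continue
        for name in names:
            if name not in defs:
                raise ValueError(f"{key}: transform-set {name} referenced but never defined")
            result.setdefault(key, []).append(defs[name])
    return result


def common_proposals(side_a: Dict[Tuple[str, int], List[ProposalSet]],
                     side_b: Dict[Tuple[str, int], List[ProposalSet]]) -> Set[ProposalSet]:
    """Algorithm sets offered by some entry on side A and also by some entry on side B.
    An empty result means Phase 2 can never agree, whatever the names say."""
    offered_a = {p for plist in side_a.values() for p in plist}
    offered_b = {p for plist in side_b.values() for p in plist}
    return offered_a & offered_b


def triage_asa_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Pick out ASA syslog lines that explain a tunnel that never comes up.
    Export format is 'severity|date|time|msgid|||text'. An un-encrypted NO_PROPOSAL_CHOSEN
    arrives before any ISAKMP SA exists, so the Phase 1 policy deserves the first look."""
    findings = []
    for raw in lines:
        parts = raw.split("|")
        if len(parts) < 7:
            continue
        msgid, text = parts[3], parts[6]
        if "NO_PROPOSAL_CHOSEN" in text:
            findings.append((msgid, "peer rejected every proposal: compare isakmp policy, then transform-sets"))
        elif "New Phase 1" in text:
            findings.append((msgid, "interesting traffic matched the crypto map; ASA initiated IKE"))
    return findings


if __name__ == "__main__":
    asa = crypto_map_proposals(ASA_CONFIG)
    print("common before fix:", common_proposals(crypto_map_proposals(IOS_CONFIG_BEFORE), asa))
    print("common after fix: ", common_proposals(crypto_map_proposals(IOS_CONFIG_AFTER), asa))
    for msgid, hint in triage_asa_log(ASA_LOG):
        print(msgid, hint)
```

Run it against real configs by pasting the `show running-config` sections into the two strings; the comparison is by algorithm set, so a router transform-set named ESP-3DES-SHA and an ASA one named ESP-3DES-SHA_BES count as the same proposal if they list the same algorithms.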
04-05-2008 08:53 AM
Doing what you asked worked. My question is can I use the ESP-3DES-SHA transform-set instead of the MD5?