Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pix2ASA Vpn

We have a pix 515 (6.3.5) and a ASA5510 (8.2.1)

We must set up a site2site vpn but seems to have problems which cannot find

It seems that even the ISAKMP phase has got problem

Below an extract of the debug crypto isakmp taken from the PIX

The strange thing I noticed is that it thinks it connect to a VPN concentrator

ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload

can anyone tell me if there are problem with pix 6.3 and ASA 8.x or if there 's something in the configuration ?

thanks

15 REPLIES

Re: Pix2ASA Vpn

The debugs here do not show anything wrong, the message speaking to a vpn 3000 concentrator is normal when using ASA and pix, in your case we can say that phase 1 is going ok, I would advise you to get the debugs from the ASA since they are more complete than the pix ones.

Bronze

Re: Pix2ASA Vpn

Ivan is correct. The only thing I would add is to please provide the output with the ASA as the responder using 'debug crypto isakmp 254'

New Member

Re: Pix2ASA Vpn

Hi ,

It took time to get back on this issue but here I am again.

I've checked again the configuration of the ASA and it seems correct to me .

Then I tried to ping the ethernet interface of the PIX 515 from the console of the ASA5510

Below the result . It seems to me that PHASE 1 Isakmp is ok

The IP of the internal interface of PIX is 192.168.0.230

The IP of the internal interface of ASA is 172.16.2.248

asa5510# ping 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to PIX-515, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa5510# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: PIX_515
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

I'm going to check the configuration of PIX as well.

thanks

New Member

Re: Pix2ASA Vpn

having the debug crypto isakmp enabled on the asa and trying to ping

from the PIX I got this on the asa console

%ASA-7-713222: Group = 194.x.x.2, IP = 194.x.x.2, Static Crypto Map check, map = Internet_map, seq = 20, ACL does not match proxy IDs src:0.0.0.0 dst:REMOTE_LAN_CLIENT %ASA-3-713061: Group = 194.x.x.2, IP = 194.x.x.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet %ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending notify message %ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing blank hash payload %ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing qm hash payload %ASA-7-713236: IP = 194.x.x.2, IKE_DECODE SENDING Message (msgid=16b8d4c6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 416 %ASA-3-713902: Group = 194.x.x.2, IP = 194.x.x.2, QM FSM error (P2 struct &0xd82fd598, mess id 0xc6f734d4)! %ASA-7-715065: Group = 194.x.x.2, IP = 194.x.x.2, IKE QM Responder FSM error history (struct &0xd82fd598)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH %ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending delete/delete with reason message %2, Username = 194.x.x.2, IP = REMOTEPIX_NAT, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found %ASA-7-713906: Ignoring msg to mark SA with dsID 49152 dead because SA deleted .27.2, IKE Responder starting QM: msg id = 6ea4a349

Green

Re: Pix2ASA Vpn

Pinging from the console will typically not work to bring up the vpn as the outside interfaces are probably not part of your

crypto acl.

Post your configs.

Re: Pix2ASA Vpn

Your problem is the following:

nat (inside) 0 access-list outside_40_cryptomap

access-list outside_40_cryptomap is being used on the nat exempt config, and it is also used on the following crypto map:

crypto map STS 40 match address outside_40_cryptomap

AND the tunnel you are trying to configure is defined after this crypto map, since the traffic for tunnel 600 is included on line outside_40_crypto map this will be the crypto map processed intead of 600.

You should never define the nat exempt list to be one already used for the crypto map of another tunnel, so go ahead and duplicate access-list outside_40_crypto map into another one called something like nonat make sure it has all the lines for all the tunnels (which I believe crypto 40 has) and apply it to the nat (inside) 0 access-list nonat setup.

Then clean your crypto 40 from lines on the acl that do not belong to it. And try again.

Green

Re: Pix2ASA Vpn

I think you posted in the wrong thread.

Re: Pix2ASA Vpn

I think you are right.. my apologies, will check your debugs in a second.

Re: Pix2ASA Vpn

All right, I made sure I am reading the right one now, based on this line:

ejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet

it means that either you are receiving an SA formed with 0.0.0.0 mask of 0.0.0.0 in other words any any, which either you or the remote side will have to mirror, can you please post your crypto acls here as well as the remote side ones?

New Member

Re: Pix2ASA Vpn

Here the config at the moment

PIX 515:

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 hostname terminator .... .... access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0 access-list inside_outbound_nat0_acl  "contains other entries for local dmz zones" ..... access-list outside_cryptomap_50 permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0 ip address outside 194.x.x.2 255.255.255.240 ip address inside 192.168.0.230 255.255.128.0 global (outside) 1 interface global (dmz) 1 192.168.168.8 nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (dmz) 1 0.0.0.0 0.0.0.0 0 0 ..... sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80 crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100 crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer xxxxx crypto map outside_map 20 set transform-set ESP-DES-MD5 crypto map outside_map 30 ipsec-isakmp crypto map outside_map 30 match address vpn_tc crypto map outside_map 30 set peer xxxxx crypto map outside_map 30 set transform-set ESP-DES-MD5 crypto map outside_map 50 ipsec-isakmp crypto map outside_map 50 match address outside_cryptomap_50 crypto map outside_map 50 set pfs group2 crypto map outside_map 50 set peer 80.x.x.x crypto map outside_map 50 set transform-set ESP-3DES-MD5 ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication RADIUS crypto map outside_map interface outside isakmp enable outside isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address 80.x.x.x netmask 255.255.255.255 no-xauth no-config-mode isakmp nat-traversal 20 isakmp policy 5 authentication pre-share isakmp policy 5 encryption 3des isakmp policy 5 hash sha isakmp policy 5 group 2 isakmp policy 5 lifetime 86400 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 isakmp policy 40 authentication pre-share isakmp policy 40 encryption des isakmp policy 40 hash md5 isakmp policy 40 group 2 isakmp policy 40 lifetime 86400 ASA5510 interface Ethernet0/0 nameif Internet security-level 0 ip address 80.x.x.x 255.255.255.240 interface Ethernet0/3 nameif Internal security-level 100 ip address 172.16.2.248 255.255.255.0 ..... access-list Internal_Internet_Nat0 extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0 access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0 nat (Internal) 0 access-list Internal_Internet_Nat0 crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 rypto map Internet_map 20 match address Crypto_Map_ACL crypto map Internet_map 20 set pfs crypto map Internet_map 20 set peer 194.x.x.x crypto map Internet_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA crypto map Internet_map interface Internet crypto isakmp identity address crypto isakmp enable Internet crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 15 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 20 authentication pre-share encryption des hash md5 group 2 lifetime 86400 tunnel-group 194.244.27.2 type ipsec-l2l tunnel-group 194.244.27.2 ipsec-attributes pre-shared-key * ....

Re: Pix2ASA Vpn

Mhhh can you attach it on a text file and upload it, it is all mixed up, can't read it.

New Member

Re: Pix2ASA Vpn

Sorry ...

attached a text file with the relevant part of configuration

New Member

Re: Pix2ASA Vpn

Hi ,

Today I'm back on this issue hoping for some help.

I started again from the basics and checked the configuration , which seems to be good ( at least to me ) ,

I made some basic troubleshooting ( sh crypto isakmp sa , sh crypto ipsec sa ) and found a change from last week.

Here below the findings. It seems that the tunnel is established but somehow the traffic is not treated as interesting and crypted(tunneled)

The configuration are :

PIX 515  Internal IP 192.168.0.230/24  Outside IP 192.x.x.x

ASA5510  Internal IP  172.16.0.248    Outside IP  80.x.x.x

PIX 515 SIDE :

terminator# sh crypto isakmp sa

Total    : 2

Embryonic : 0

    dst            src            state    pending    created

    194.x.x.x    151.x.x.x    QM_IDLE        0          1

    194.x.x.x    80.x.x.x      QM_IDLE        0          1

terminator# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, local addr. 194.x.x.x

  local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/1/0)

  remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/1/0)

  current_peer: 80.x.x.x:0

    PERMIT, flags={origin_is_acl,}

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

  #pkts compressed: 0, #pkts decompressed: 0

  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

  #send errors 0, #recv errors 0

    local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x

    path mtu 1500, ipsec overhead 0, media mtu 1500

    current outbound spi: 0

    inbound esp sas:

local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)

remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

current_peer: 80.x.x.x:500

dynamic allocated peer ip: 0.0.0.0

  PERMIT, flags={origin_is_acl,}

  #pkts encaps: 201, #pkts encrypt: 201, #pkts digest 201

  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

  #pkts compressed: 0, #pkts decompressed: 0

  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

  #send errors 1, #recv errors 0

  local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x

  path mtu 1500, ipsec overhead 56, media mtu 1500

BELOW THE OUTPUT OF SH CRYPTO IPSEC WHILE PINGING THE REMOTE SITE

local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)

remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

current_peer: 80.x.x.x:500

dynamic allocated peer ip: 0.0.0.0

  PERMIT, flags={origin_is_acl,}

  #pkts encaps: 264, #pkts encrypt: 264, #pkts digest 264

  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

  #pkts compressed: 0, #pkts decompressed: 0

  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

  #send errors 2, #recv errors 0

  local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x

  path mtu 1500, ipsec overhead 56, media mtu 1500

  current outbound spi: 821a3915

  inbound esp sas:

    spi: 0x1cc96a1b(482961947)

      transform: esp-3des esp-md5-hmac ,

      in use settings ={Tunnel, }

      slot: 0, conn id: 3, crypto map: outside_map

      sa timing: remaining key lifetime (k/sec): (4608000/28506)

      IV size: 8 bytes

      replay detection support: Y

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:

    spi: 0x821a3915(2182756629)

      transform: esp-3des esp-md5-hmac ,

      in use settings ={Tunnel, }

      slot: 0, conn id: 4, crypto map: outside_map

      sa timing: remaining key lifetime (k/sec): (4607993/28483)

      IV size: 8 bytes

      replay detection support: Y

  outbound ah sas:

  outbound pcp sas:

Re: Pix2ASA Vpn

What I see here is that your pix is encrypting the traffic, however the remote side (ASA?) is not encrypting back, can you get the show crypto ipsec sa from the asa for this tunnel? Do you see the opposite behavior? decrypted packets and no encrypted packets?

New Member

Re: Pix2ASA Vpn

That's what I noticed too . I found that for some reason the ASA didn't treat the traffic as interesting and so it was encrypted.

I made the configuration again , this time I didn't use network objects in the access list used in the crypto map.

I don't know it that was the problem but now it's working

Thanks

1129
Views
0
Helpful
15
Replies