
New Member

PROBLEM L2L ASA TO CENTOS LINUX

I'm having problems with an L2L VPN disconnection. It is set up with Linux CentOS; the VPN is established, but after a restart it drops. I am sending the log line:

Could not find centry for IPSec SA delete with reason message - SPI 0x180DFA53

Thanks,

Alfredo Elias.

10 REPLIES
Cisco Employee

Re: PROBLEM L2L ASA TO CENTOS LINUX

Alfredo,

Can you please share your config and running version?

When did this start appearing? Does a reload help for a while? Is NAT-T in use? etc. etc.

Marcin

New Member

Re: PROBLEM L2L ASA TO CENTOS LINUX

Thank you. The configuration is:

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

crypto map outside_vpn 7 match address outside_cryptomap_5

crypto map outside_vpn 7 set peer x.x.x.x

crypto map outside_vpn 7 set transform-set ESP-AES-256-SHA

access-list outside_cryptomap_5 line 1 extended permit ip object-group CIBERSONSSV host x.x.x.x

  access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x0 host 72.24.x.x (hitcnt=606)

  access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x host 72.24.x.x (hitcnt=39)

The IOS version is 8.0.4-k8, and yes, NAT-T is in use.

Thanks

Re: PROBLEM L2L ASA TO CENTOS LINUX

Is the remote peer behind a NAT device?

I mean to say: does the CentOS Linux machine have a private IP that is being NATed by any device in between? Also, is Linux running iptables? If it is, then try after shutting down iptables.

If not, then try to clear the crypto SAs and send interesting traffic.

Thanks

Manish

Cisco Employee

Re: PROBLEM L2L ASA TO CENTOS LINUX

To add to the post above.

There is nothing fixed from 8.0.4 on in the 8.0 train that would seem like a bug.

Debugging + capture might be a good way to start dealing with this.

Marcin

New Member

Re: PROBLEM L2L ASA TO CENTOS LINUX

So I can run debug commands in the ASA to get a clearer picture of what the problem is. Thank you very much for your help.

Re: PROBLEM L2L ASA TO CENTOS LINUX

Hi Alfredo,

Can you please clarify a few things?

1> Is it a tunnel between an ASA and a Linux router (CentOS)?

2> If the Linux side is just a host and you want to encrypt traffic between that Linux server and your clients, then is that Linux machine behind a NAT device?

3> Post debug from the ASA: debug crypto isakmp & ipsec sa?

4> Post debug from Linux --> cat /etc/ipsec.secrets and match the PSK on both sides?

5> cat /etc/sysconfig/network-scripts/ifcfg-ipsecx ?

Thanks

Manish

New Member

Re: PROBLEM L2L ASA TO CENTOS LINUX

1.- Yes, the tunnel is between the ASA and CentOS Linux.

2.- I want to encrypt traffic between that Linux server and not the clients, just the server.

Cisco Employee

Re: PROBLEM L2L ASA TO CENTOS LINUX

Hi Alfredo,

Please clarify. I understand that the tunnel comes up fine, but when you restart the Linux server, after that the tunnel does not come up fine.

I haven't read the entire thread, so I'm just trying to understand.

If what I think is right, then there is one side which is not bringing down the tunnel entirely. Before I proceed further on this line, I would like your confirmation.

New Member

Re: PROBLEM L2L ASA TO CENTOS LINUX

Hi Jathaval

As I mentioned above, the tunnel is established between the ASA and the CentOS Linux server, passing phase 1 and phase 2, but after settling the tunnel goes down.

What debug should I enable on the ASA to find a solution to this problem?

Thanks for your help.

Cisco Employee

Re: PROBLEM L2L ASA TO CENTOS LINUX

Please enable the conditional debugs and paste the output:

debug crypto condition peer

debug crypto isakmp 127

debug crypto ipsec 127
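The message Alfredo quoted ("Could not find entry for IPSec SA delete ... SPI 0x180DFA53") means the peer sent a delete for an SPI the ASA no longer holds, which is exactly the state mismatch Jathaval describes. The following helper is an added example, not code from the thread or from Cisco: it replays ASA log output in order, tracks which SPIs the ASA itself created and deleted (syslog IDs 602303/602304 are real ASA message IDs, but the sample line text is constructed, as are the IP addresses), and for each orphan-delete message reports whether the ASA had already torn that SPI down locally (a benign race) or had never built it at all (peer state out of sync, e.g. after a reboot).

```python
import re

# Constructed approximations of ASA syslog/debug line text (assumption).
SA_CREATED = re.compile(
    r"%ASA-6-602303: IPSEC: An (?:inbound|outbound) LAN-to-LAN SA "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between [\d.]+ and (?P<peer>[\d.]+)")
SA_DELETED = re.compile(
    r"%ASA-6-602304: IPSEC: An (?:inbound|outbound) LAN-to-LAN SA "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between [\d.]+ and (?P<peer>[\d.]+)")
# Tolerates the "centry" typo from the original post and a missing "IP = " prefix.
ORPHAN_DELETE = re.compile(
    r"(?:IP = (?P<peer>[\d.]+), )?Could not find c?entry for IPSec SA delete "
    r"with reason message - SPI (?P<spi>0x[0-9A-Fa-f]+)")

def find_orphan_deletes(lines):
    """Replay lines in order; return one finding per orphan-delete message."""
    live, ever_seen, findings = set(), set(), []
    for n, line in enumerate(lines, 1):
        m = SA_CREATED.search(line)
        if m:
            live.add(m["spi"].lower()); ever_seen.add(m["spi"].lower()); continue
        m = SA_DELETED.search(line)
        if m:
            live.discard(m["spi"].lower()); continue
        m = ORPHAN_DELETE.search(line)
        if not m:
            continue
        spi = m["spi"].lower()
        if spi in live:            # delete did not match although the SA exists: worth a TAC case
            verdict = "sa-still-live"
        elif spi in ever_seen:     # ASA already removed it (lifetime expiry / clear crypto sa)
            verdict = "already-deleted-locally"
        else:                      # ASA never had it: peer rebuilt state the ASA never saw
            verdict = "never-created-on-this-asa"
        findings.append({"line": n, "peer": m["peer"] or "unknown", "spi": spi, "verdict": verdict})
    return findings

# Constructed sample log; 203.0.113.1 is the ASA, 198.51.100.7 the CentOS peer (assumption).
SAMPLE_LOG = [
    "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.",
    "%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x180DFA53) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.",
    "%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x180DFA53) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.",
    "Group = 198.51.100.7, IP = 198.51.100.7, Could not find centry for IPSec SA delete with reason message - SPI 0x180DFA53",
    "Group = 198.51.100.7, IP = 198.51.100.7, Could not find entry for IPSec SA delete with reason message - SPI 0xDEADBEEF",
]

if __name__ == "__main__":
    for f in find_orphan_deletes(SAMPLE_LOG):
        print(f)
```

A run of "never-created-on-this-asa" verdicts right after the Linux side reboots points at the peer, not the ASA, as the side that is not tearing the tunnel down cleanly; feed the output of the conditional debugs above into it in the same way.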
