
Second ASA not connecting to Router

I had another thread going, but when I got past my current hang-up, I marked the thread as answered, so I wasn't sure if I should start another or continue on...

I've tried going through that troubleshooting doc, but I still can't figure this out.

When turning on debug for the 2811, I'm not seeing anything.

show debug

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto ISAKMP Error debugging is on
  Crypto IPSEC debugging is on
  Crypto IPSEC Error debugging is on

#show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 108.x.x.x port 500
  IKE SA: local 64.x.x.x/500 remote 108.x.x.x/500 Active
  IPSEC FLOW: permit ip 192.168.26.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 99.x.x.x port 500
  IKE SA: local 64.x.x.x/500 remote 99.x.x.x/500 Active
  IPSEC FLOW: permit ip 192.168.27.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map

From the show crypto output, to me, it looks like it's working, but 192.168.27.x isn't accessible.

The original ASA is still connected; I can post more details/config if needed.

The original thread is below...

https://supportforums.cisco.com/thread/2167470?tstart=0

Accepted Solution (VIP Purple)

Second ASA not connecting to Router

1) Your last ping-test can't work when you ping from the ASA. You have to test from an internal PC that is part of the encryption definition.

2) In the "show crypto ipsec sa" you see that this ASA encrypts traffic, but there is nothing decrypted. So most likely the other end of the tunnel is not sending anything back.

How to move on:

Show us the actual crypto and routing config from the IPsec peer.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
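The two checks the answer describes, as an added example that is not code from the thread or from Cisco: a small Python parser that reads the ASA's `show crypto ipsec sa` counters and flags SAs that encrypt but never decrypt (the one-way symptom above), and reads the router's `show crypto session` output from the question to list flows that have no active SAs. The sample output is constructed and modelled on the thread's, with documentation-range addresses in place of the redacted ones; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the thread's ASA "show crypto ipsec sa".
# Addresses are documentation-range placeholders, not the poster's.
ASA_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.2

      access-list outside_cryptomap permit ip 192.168.27.0 255.255.255.0 10.21.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample output, modelled on the thread's IOS "show crypto session".
IOS_CRYPTO_SESSION = """\
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 203.0.113.2 port 500
  IKE SA: local 198.51.100.1/500 remote 203.0.113.2/500 Active
  IPSEC FLOW: permit ip 192.168.26.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

IDENT_RE = r"\(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"


@dataclass
class IpsecSaCounters:
    """Per-SA summary pulled from the ASA output (hypothetical helper type)."""
    local: str
    remote: str = ""
    peer: str = ""
    encrypt: int = 0
    decrypt: int = 0


def parse_asa_ipsec_sa(text: str) -> List[IpsecSaCounters]:
    """Return one IpsecSaCounters per 'local ident' block in ASA output."""
    entries: List[IpsecSaCounters] = []
    cur = None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"local ident " + IDENT_RE, s)
        if m:
            cur = IpsecSaCounters(local=f"{m.group(1)}/{m.group(2)}")
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"remote ident " + IDENT_RE, s)
        if m:
            cur.remote = f"{m.group(1)}/{m.group(2)}"
            continue
        m = re.match(r"current_peer: (\S+)", s)
        if m:
            cur.peer = m.group(1)
            continue
        m = re.search(r"#pkts encrypt: (\d+)", s)
        if m:
            cur.encrypt = int(m.group(1))
        m = re.search(r"#pkts decrypt: (\d+)", s)
        if m:
            cur.decrypt = int(m.group(1))
    return entries


def diagnose_asa(entries: List[IpsecSaCounters]) -> Dict[str, str]:
    """Classify each SA: 'one-way' (encrypting, nothing decrypted), 'idle', or 'ok'."""
    result: Dict[str, str] = {}
    for e in entries:
        key = f"{e.local} -> {e.remote}"
        if e.encrypt > 0 and e.decrypt == 0:
            result[key] = "one-way"      # peer is not sending anything back
        elif e.encrypt == 0 and e.decrypt == 0:
            result[key] = "idle"         # no interesting traffic has hit this SA yet
        else:
            result[key] = "ok"
    return result


def parse_ios_crypto_session(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (peer, src, dst, active_sas) for each IPSEC FLOW in IOS output."""
    flows: List[Tuple[str, str, str, int]] = []
    peer = ""
    pending = None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"Peer: (\S+) port", s)
        if m:
            peer = m.group(1)
            continue
        m = re.match(r"IPSEC FLOW: permit ip (\S+) (\S+)", s)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = re.match(r"Active SAs: (\d+)", s)
        if m and pending:
            flows.append((peer, pending[0], pending[1], int(m.group(1))))
            pending = None
    return flows


def flows_without_sas(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str]]:
    """Flows whose crypto map entry matched nothing yet (Active SAs: 0)."""
    return [(p, s, d) for p, s, d, n in flows if n == 0]


if __name__ == "__main__":
    for sa, verdict in diagnose_asa(parse_asa_ipsec_sa(ASA_IPSEC_SA)).items():
        print(f"ASA  {sa}: {verdict}")
    for p, s, d in flows_without_sas(parse_ios_crypto_session(IOS_CRYPTO_SESSION)):
        print(f"IOS  peer {p}: no SAs for {s} -> {d}")
```

Read together, the two results say the same thing the answer does: the router side has built SAs for the 10.21.0.0/192.168.27.0 flow, so IKE and IPsec negotiation are fine, while the ASA encrypts 96 packets and decrypts none. That points away from the VPN definition and toward the return path on the router (routing or, as it turned out below, NAT), which is why the answer asks for the peer's crypto and routing config rather than more ISAKMP debugs.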

Second ASA not connecting to Router

ASA2# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 108.x.x.x

      access-list outside_cryptomap permit ip 192.168.27.0 255.255.255.0 10.21.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      current_peer: 64.x.x.x

      #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 96, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 108.x.x.x, remote crypto endpt.: 64.x.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 5FF3DE35

    inbound esp sas:
      spi: 0x68AAE4B9 (1756030137)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }


ASA2# ping 10.21.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.21.0.1, timeout is 2 seconds:
?????


Second ASA not connecting to Router

You were correct, the other end was not sending anything back.

There is a reason why it looked like the VPN was working, because it was.

I was so focused on the VPN settings that I kept skipping over an ACL on the router. I needed to no-NAT the local ASA's new subnet.

Will the ASAs ever have the extended ping commands like the routers, where you can ping from a specific interface?

Thanks,

Jason
