11-04-2011 11:05 AM
Hi,
I am having problems with this tunnel. It is configured on a second wan interface that uses SLA monitoring. The idea is that when there is a problem with the primary ISP, the backup connection is enabled and establishes the tunnel. In testing, the sla portion works normally, the backup becomes the primary route, but the tunnel is not established. All config was done using ASDM. Here is the log I got on the local side with public ip of the backup isp connection stripped:
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 368
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing SA payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ke payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing nonce payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-714011: IP = 1.1.1.1, ID_IPV4_ADDR ID received
1.1.1.1
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received Cisco Unity client VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received xauth V6 VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 02 VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 03 VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal RFC VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received Fragmentation VID
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715064: IP = 1.1.1.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
2011-11-04 00:05:37 Local4.Warning 192.168.50.30 Nov 04 2011 00:05:38: %ASA-4-713255: IP = 1.1.1.1, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '1.1.1.1'.
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: Group = DefaultRAGroup, IP = 1.1.1.1, processing IKE SA payload
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, All SA proposals found unacceptable
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: IP = 1.1.1.1, All IKE SA proposals found unacceptable!
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715065: Group = DefaultRAGroup, IP = 1.1.1.1, IKE AM Responder FSM error history (struct &0xd937a248) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, IKE SA AM:97ffd215 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, sending delete/delete with reason message
2011-11-04 00:05:37 Local4.Error 192.168.50.30 Nov 04 2011 00:05:38: %ASA-3-713902: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from peer table failed, no match!
2011-11-04 00:05:37 Local4.Warning 192.168.50.30 Nov 04 2011 00:05:38: %ASA-4-713903: Group = DefaultRAGroup, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
11-05-2011 02:02 AM
Looking at the debug output I wonder about this message
%ASA-4-713255: IP = 1.1.1.1, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '1.1.1.1'.
and it leads me to wonder what tunnel group(s) you do have configured?
Do you have a crypto map entry for this peer? Perhaps it would be helpful if you would post the config (or at least the crypto part of the config).
HTH
Rick
11-05-2011 06:28 AM
Hi,
Looks like it's failing the group, and when it's trying to match the default group it's failing the ISAKMP policies (group, encryption, authentication), etc.
You probably don't have the following in your config.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
As Rick suggested, if you can post your config sans IP that would be great.
HTH
Kishore
11-07-2011 04:51 PM
Below is some of the configuration from the local side, configured by ASDM. Could the fact that the remote ASA has two tunnels configured for the same local IP address be causing the problem? The normal (working) tunnel is Main Mode PSK, using the remote IP address as the tunnel-group name.
crypto map VPNMAP 12 match address outside_12_cryptomap
crypto map VPNMAP 12 set pfs
crypto map VPNMAP 12 set peer 1.1.1.1
crypto map VPNMAP 12 set transform-set ESP-3DES-SHA
crypto map VPNMAP 12 set security-association lifetime seconds 28800
crypto map VPNMAP 12 set security-association lifetime kilobytes 4608000
crypto map VPNMAP 12 set phase1-mode aggressive
tunnel-group GL-Backup type ipsec-l2l
tunnel-group GL-Backup ipsec-attributes
pre-shared-key *
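The tunnel-group lookup discussed in the replies above, as an added example that is not part of the thread: a small Python checker that (a) reads the ASA syslog lines for the %ASA-4-713255 "unknown tunnel group" message and the DefaultRAGroup fallback and proposal rejection that follow it, and (b) scans the posted crypto map and tunnel-group lines for a crypto-map peer that has no tunnel-group of the same name. The rule it applies, that the responder looks for a tunnel-group named after the ID the peer presents (here the IPv4 address 1.1.1.1) and otherwise falls back to the default group, is taken from the log above; the function names, dictionary keys and the trimmed sample strings are my own.

```python
import re

# Message ids seen in the log above (syslog prefix is skipped by using search()).
RE_UNKNOWN_GROUP = re.compile(
    r"%ASA-4-713255: IP = (?P<peer>[\d.]+), Received ISAKMP Aggressive Mode message 1 "
    r"with unknown tunnel group name '(?P<name>[^']+)'")
RE_GROUP_CTX = re.compile(r"%ASA-\d-\d+: Group = (?P<group>[^,]+), IP = (?P<peer>[\d.]+),")
RE_PROPOSALS_BAD = re.compile(r"%ASA-7-713906: .*All (?:IKE )?SA proposals found unacceptable")

# Config lines from the post above; anything else (pfs, transform-set, PSK) is ignored.
RE_SET_PEER = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set peer (?P<peer>\S+)$")
RE_AGGRESSIVE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set phase1-mode aggressive$")
RE_TUNNEL_GROUP = re.compile(r"^tunnel-group (?P<name>\S+) type (?P<type>\S+)$")


def analyze_log(lines):
    """For each peer that hit 713255: the ID it presented, the group the ASA fell back
    to, and whether phase 1 then died on the proposal check. Returns {peer: {...}}."""
    state = {}
    for line in lines:
        m = RE_UNKNOWN_GROUP.search(line)
        if m:
            state[m["peer"]] = {"presented_id": m["name"],
                                "fallback_group": None,
                                "proposals_rejected": False}
            continue
        m = RE_GROUP_CTX.search(line)
        if m and m["peer"] in state:          # only lines after a 713255 for that peer
            st = state[m["peer"]]
            if st["fallback_group"] is None:
                st["fallback_group"] = m["group"]
            if RE_PROPOSALS_BAD.search(line):
                st["proposals_rejected"] = True
    return state


def check_config(text):
    """Flag crypto-map entries whose peer address has no tunnel-group of the same name.
    Assumption (from the log above): an IKEv1 L2L peer that identifies itself by IP
    address is matched to a tunnel-group named after that address; a differently
    named group such as GL-Backup is never consulted for it."""
    groups, peers, aggressive = {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RE_TUNNEL_GROUP.match(line)):
            groups[m["name"]] = m["type"]
        elif (m := RE_SET_PEER.match(line)):
            peers[(m["map"], int(m["seq"]))] = m["peer"]
        elif (m := RE_AGGRESSIVE.match(line)):
            aggressive.add((m["map"], int(m["seq"])))
    findings = []
    for key, peer in sorted(peers.items()):
        if peer not in groups:
            findings.append({"map": key[0], "seq": key[1], "peer": peer,
                             "phase1": "aggressive" if key in aggressive else "main",
                             "tunnel_groups": sorted(groups)})
    return findings


# Constructed samples: the four decisive log lines and the crypto/tunnel-group lines from the thread.
SAMPLE_LOG = [
    "2011-11-04 00:05:37 Local4.Warning 192.168.50.30 Nov 04 2011 00:05:38: %ASA-4-713255: IP = 1.1.1.1, "
    "Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '1.1.1.1'.",
    "2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-715047: "
    "Group = DefaultRAGroup, IP = 1.1.1.1, processing IKE SA payload",
    "2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: "
    "Group = DefaultRAGroup, IP = 1.1.1.1, All SA proposals found unacceptable",
    "2011-11-04 00:05:37 Local4.Debug 192.168.50.30 Nov 04 2011 00:05:38: %ASA-7-713906: "
    "IP = 1.1.1.1, All IKE SA proposals found unacceptable!",
]
SAMPLE_CONFIG = """\
crypto map VPNMAP 12 match address outside_12_cryptomap
crypto map VPNMAP 12 set peer 1.1.1.1
crypto map VPNMAP 12 set transform-set ESP-3DES-SHA
crypto map VPNMAP 12 set phase1-mode aggressive
tunnel-group GL-Backup type ipsec-l2l
tunnel-group GL-Backup ipsec-attributes
 pre-shared-key *
"""

if __name__ == "__main__":
    for peer, st in analyze_log(SAMPLE_LOG).items():
        print(f"{peer}: presented ID {st['presented_id']!r}, fell back to "
              f"{st['fallback_group']}, proposals rejected: {st['proposals_rejected']}")
    for f in check_config(SAMPLE_CONFIG):
        print(f"crypto map {f['map']} {f['seq']}: peer {f['peer']} ({f['phase1']} mode) "
              f"has no tunnel-group of that name; configured groups: {f['tunnel_groups']}")
```

Run against the thread's data it reports that peer 1.1.1.1 presented the ID '1.1.1.1', was handed to DefaultRAGroup, and then failed the proposal check, and that crypto map VPNMAP 12 points at 1.1.1.1 while the only tunnel-group is GL-Backup. Adding a tunnel-group named after the peer address, as Kishore's reply suggests, makes the config check come back empty.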
11-07-2011 08:59 PM
Dustin
Am I understanding correctly that this ASA has a single crypto map, and a single entry for the remote peer, and is using the same crypto map on 2 interfaces? And am I correct in understanding that the remote ASA has a single crypto map and that map has 2 instances (2 sequence numbers), one for each of the interfaces on this ASA?
If those understandings are correct then I believe that this is the underlying problem. I do not believe that it is possible to have 2 working tunnels which have the same source device and the same destination device.
HTH
Rick
11-08-2011 03:24 PM
I am actually trying to use separate crypto maps and tunnel groups on both devices. The log I posted above is from the 5510 showing the attempts of the 5505 connecting via the backup ISP after failing over.
Going into this I thought it would be relatively simple, seeing as the security plus license on the ASA allows a backup ISP. Basic outline below, the fake IP addresses match with the ones in the log. Is there a better way to do this?
11-08-2011 07:40 PM
Dustin
How are you using separate crypto maps on the 5510? You show only one interface to the Internet and I believe that an interface can have only a single crypto map.
Perhaps someone from Cisco who is more authoritative than me can speak to this. But I do not believe that it is supported to have 2 separate tunnels from the same single source device to the same single destination device.
HTH
Rick
11-16-2011 01:35 PM
I found this article that seems to address what I'm looking for:
I haven't gotten it working yet, I'm guessing there is some other config in the local asa that is causing problems.
*Edit*
I was able to get it up and running using the link above. I removed and then re-added the config and all was well, I probably just mis-typed something. I can't mark the question answered so if anyone wants to reply with the link above...