Site to Site VPN - ASA 5510/ 851 Router - No Sas?

mike.welker
Level 1

We have installed an ASA 5510, running version 8.3(1) of the software. In a remote location, we have a Cisco 851 Router with an IPSec VPN tunnel to a PIX 515e. I am attempting to initiate a backup connection between the 851 and the new ASA, and I am having trouble. I have used ASDM on the ASA side, and CCP on the 851 side, and created a new site-to-site VPN on both, with matching PSK, encryption algorithms, etc. I have verified connectivity between the outside interfaces of both devices, and the associated ACLs are simple, in that they allow all IP traffic from the internal side of both devices to talk to each other.

When I do a "show crypto isakmp sa" on the ASA, I receive "there are no isakmp sas". When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel is not even initiating. I've turned various crypto debugs on, and sent a series of pings, and I still do not see any tunnel initiation even being attempted.

CCP has a VPN test tool built in for the router. Does ASDM have a similar feature? Below are the relevant configs (at least I think... the ASA is pretty Greek to me):

ASA 5510 (Inside network of 10.20.0.0/16.  The perfectly functional PIX is also on this network, with a different public IP)

access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0
!
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap
crypto map ATTOutside_map 2 set peer 24.140.152.144 
crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5
crypto map ATTOutside_map interface ATTOutside
!
crypto isakmp enable ATTOutside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 24.140.152.144 type ipsec-l2l
tunnel-group 24.140.152.144 ipsec-attributes
!
851 Router (Inside network of 10.192.4.0/24)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key si9bw1u8woaz address 65.42.15.142
crypto isakmp key 123 address 12.49.251.3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.42.15.142
 set peer 65.42.15.142
 set transform-set ESP-3DES-SHA1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to12.49.251.3
 set peer 12.49.251.3
 set transform-set ESP_3DES_MD5
 match address 102
!
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255

Accepted Solution

raga.fusionet
Level 4

Michael,

Since you are using the same ACL, same subnets and same everything on your Router config for your VPN tunnels 1 and 2, your second VPN tunnel will fail to come up because the Router already has a tunnel with the PIX for that same traffic.

If you want to configure the ASA as a backup peer, scratch the second crypto map and instead add the ASA public IP address as a second peer under the original crypto configuration.

Like this:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.42.15.142
 set peer 65.42.15.142
 set peer 12.49.251.3
 set transform-set ESP-3DES-SHA1
 match address 102

The router will attempt to connect to the PIX and if that fails (meaning the PIX never responded), then it will try to connect to the ASA.

To test it you could do one of two things: 1. Taking the PIX internet connection down will make the router try to connect to the secondary peer. 2. On the router, change (temporarily) the peer address of the PIX to a bogus IP that will not respond; when that one fails the router should try to negotiate with the ASA.

I hope this helps.

Raga

Thanks Luis. I will give that a try when I have a short outage window, just in case the second tunnel fails to come online.

As a side note, I added an ACE to the Global ACL on the ASA allowing all Inside network traffic (10.20.0.0/16) to access the 10.192.4.0/24 network. Now, when I do a packet trace, the tunnels show as QM_IDLE for the new test tunnel on both ends; however, it appears that Phase 2 is not completing, and the packet is dropped. I suspect I have a mismatch or bad ACE somewhere. I am receiving debugs now as well:

ASA-NCA-SVRRM-5510# Dec 20 12:02:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=10.20.1.249, sport=0, daddr=10.192.4.1, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map ATTOutside_map 2: matched.
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE Initiator: New Phase 1, Intf ATTOutside, IKE Peer 24.140.152.144  local Proxy Address 10.20.0.0, remote Proxy Address 10.192.4.0,  Crypto map (ATTOutside_map)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing ISAKMP SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver 02 payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver 03 payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver RFC payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing Fragmentation VID + extended capabilities payload
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Oakley proposal is acceptable
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received NAT-Traversal ver 03 VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing ke payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing Cisco Unity VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing xauth V6 VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Send IOS VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing ke payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing ISA_KE payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received Cisco Unity client VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received DPD VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received xauth V6 VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Connection landed on tunnel_group 24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Generating keys for Initiator...
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing ID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Computing hash for ISAKMP
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing dpd vid payload
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing ID payload
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, ID_IPV4_ADDR ID received
24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Computing hash for ISAKMP
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Connection landed on tunnel_group 24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Oakley begin quick mode
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator starting QM: msg id = 163e1e74
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, PHASE 1 COMPLETED
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Keep-alive type for this connection: DPD
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Starting P1 rekey timer: 82080 seconds.
IPSEC: New embryonic SA created @ 0xAD5F9C68,
    SCB: 0xACABE8F0,
    Direction: inbound
    SPI      : 0x7842D0EA
    Session ID: 0x00005000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE got SPI from key engine: SPI = 0x7842d0ea
IPSEC: New embryonic SA created @ 0xAD31BD60,
    SCB: 0xAC6CA9A0,
    Direction: inbound
    SPI      : 0x56372EA8
    Session ID: 0x00005000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE got SPI from key engine: SPI = 0x56372ea8
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, oakley constucting quick mode
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing proxy ID
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Transmitting Proxy Id:
  Local subnet:  10.20.0.0  mask 255.255.0.0 Protocol 0  Port 0
  Remote subnet: 10.192.4.0  Mask 255.255.255.0 Protocol 0  Port 0
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator sending Initial Contact
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator sending 1st QM pkt: msg id = 163e1e74
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=163e1e74) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 252
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=7e0195a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing notify payload
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Received non-routine Notify message: No proposal chosen (14)
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, QM FSM error (P2 struct &0xad5f8af8, mess id 0x163e1e74)!
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE QM Initiator FSM error history (struct &0xad5f8af8)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, sending delete/delete with reason message
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec delete payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=c75f1d0f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Deleting SA: Remote Proxy 10.192.4.0, Local Proxy 10.20.0.0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Deleting SA: Remote Proxy 10.192.4.0, Local Proxy 10.20.0.0
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Removing peer from correlator table failed, no match!
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE SA MM:cdf99a95 rcv'd Terminate: state MM_ACTIVE  flags 0x0000c062, refcnt 1, tuncnt 0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE SA MM:cdf99a95 terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, sending delete/delete with reason message
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IKE delete payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=37d23f05) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 20 12:03:02 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x56372ea8
Dec 20 12:03:02 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x56372ea8
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Session is being torn down. Reason: Lost Service
Dec 20 12:03:02 [IKEv1]: Ignoring msg to mark SA with dsID 20480 dead because SA deleted
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, Received encrypted packet with no matching SA, dropping
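As an added example (not from this thread or from Cisco), a small Python triage helper that walks ASA `debug crypto isakmp` output of the kind posted above and reports how far the IKEv1 exchange got: Phase 1 completed, which proxy IDs the ASA offered in quick mode, and which notify the peer answered with. The sample lines are condensed from the debug output above; the hint about an SA already held with another gateway is an assumption taken from Raga's explanation earlier in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Condensed from the ASA "debug crypto isakmp" output quoted in the post above;
# only the lines that matter for triage are kept.
SAMPLE_DEBUG = """\
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE Initiator: New Phase 1, Intf ATTOutside, IKE Peer 24.140.152.144  local Proxy Address 10.20.0.0, remote Proxy Address 10.192.4.0,  Crypto map (ATTOutside_map)
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, PHASE 1 COMPLETED
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Transmitting Proxy Id:
  Local subnet:  10.20.0.0  mask 255.255.0.0 Protocol 0  Port 0
  Remote subnet: 10.192.4.0  Mask 255.255.255.0 Protocol 0  Port 0
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Received non-routine Notify message: No proposal chosen (14)
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, QM FSM error (P2 struct &0xad5f8af8, mess id 0x163e1e74)!
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Session is being torn down. Reason: Lost Service
"""

PEER_RE = re.compile(r"IKE Peer (\d+\.\d+\.\d+\.\d+)")
PROXY_RE = re.compile(r"(Local|Remote) subnet:\s+(\S+)\s+[Mm]ask\s+(\S+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?\(\d+\))")


@dataclass
class IkeSummary:
    peer: Optional[str] = None
    phase1_completed: bool = False
    local_proxy: Optional[str] = None   # "net/mask" offered by the ASA in quick mode
    remote_proxy: Optional[str] = None
    notifies: List[str] = field(default_factory=list)
    phase2_failed: bool = False


def summarize(debug_text: str) -> IkeSummary:
    """Walk the debug output once and record how far the IKEv1 exchange got."""
    s = IkeSummary()
    for line in debug_text.splitlines():
        if (m := PEER_RE.search(line)) and s.peer is None:
            s.peer = m.group(1)
        if "PHASE 1 COMPLETED" in line:
            s.phase1_completed = True
        if m := PROXY_RE.search(line):
            value = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "Local":
                s.local_proxy = value
            else:
                s.remote_proxy = value
        if m := NOTIFY_RE.search(line):
            s.notifies.append(m.group(1))
        if "QM FSM error" in line:   # quick mode gave up (peer rejected or timed out)
            s.phase2_failed = True
    return s


def diagnose(s: IkeSummary) -> str:
    """One-line verdict: which phase failed and what to compare on the peer."""
    if not s.phase1_completed:
        return (f"Phase 1 with peer {s.peer} never completed: check ISAKMP policy, "
                "pre-shared key and reachability of the peer's outside interface")
    if s.phase2_failed:
        reason = ", ".join(s.notifies) or "no notify received (timeout)"
        # Assumption from this thread: a peer that already holds an IPsec SA for the
        # same traffic with another gateway will reject the new quick mode proposal.
        return (f"Phase 1 OK, Phase 2 rejected by {s.peer}: {reason}. Compare the "
                f"transform-set and crypto ACL for {s.local_proxy} <-> {s.remote_proxy} "
                "on the peer, and check whether it already holds an IPsec SA for that "
                "traffic with another gateway")
    return f"Phase 1 and Phase 2 completed with peer {s.peer}"


if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_DEBUG)))
```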

Yeah, well, like I mentioned, if the Router already has an IPSec SA created for that traffic then the ASA will fail to negotiate the tunnel because the router will reject the IPSec negotiation. That's why you need to take the first tunnel down to be able to fully test it.

Have fun.

Raga

Ah, now I get it. I did a quick test. On the router, I removed the PIX peer address... the ASA tunnel came right online fully. Now, with that said, my core routers at the head end still use the PIX as their default gateway, thus a ping was not returning to my remote 851 as of yet. I will need a slightly longer outage window to completely test end-to-end because of the core router gateway change.

For what it's worth, my ASA is connected to the production network, but none of my network devices are using it as a gateway at this time.  That change will probably come early next week.

Thank you for your help.

Great to hear that! Yeah, basically you need to have the main line "down" so that the tunnel gets negotiated with the other peer.

About the routing, you might need to add some backup routes with IP SLAs to determine how the traffic needs to be routed.

Have a good one!
