Strange VPN problem, two ASAs stuck on MM2

Hi,

We have problems establishing a VPN tunnel between two ASAs. The problem began after we migrated a site from a 5520 with 8.2 to a 5515-X with 9.1(1).

On site one we have an ASA5585-SSP-10 with 8.4(3); on site two we have a 5515-X with 9.1(1).

The VPN on both sites is stopping at MM2, but not always: on site two it sometimes shows MM3. Packet-tracer output on site one looks almost the same as on site two.

Also, we have the same effect when we have identity NAT like this: nat (CORE_HANDOVER,outside interface).

The topology is like this:

(routed handover to ASA) L3 Switch --- ASA one --- internet --- ASA two --- L3 Switch (routed handover to ASA)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.225.0   255.255.255.0   CORE_HANDOVER

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface CORE_HANDOVER
Untranslate 192.168.225.10/80 to 192.168.225.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group blok in interface outside
access-list blok extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.110.10/10000 to 192.168.110.10/10000

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: CORE_HANDOVER
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Phase 1 debug, site one

Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, IKE SA MM:38d0a9db terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, sending delete/delete with reason message
Jul 07 01:12:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3  local Proxy Address 192.168.226.0, remote Proxy Address 192.168.1.0,  Crypto map (cmap)
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing ISAKMP SA payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 02 payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 03 payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver RFC payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing Fragmentation VID + extended capabilities payload
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:12:36 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:36 [IKEv1]IP = 3.3.3.3 Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:12:38 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:46 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:54 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE MM Initiator FSM error history (struct &0x00007fff2b71a990)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE SA MM:05a6d31f terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, sending delete/delete with reason message
Jul 07 01:13:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3  local Proxy Address 213.189.38.192, remote Proxy Address 192.168.0.0,  Crypto map (cmap)
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing ISAKMP SA payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 02 payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 03 payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver RFC payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing Fragmentation VID + extended capabilities payload
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:13:03 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:03 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:13:10 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:18 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (

debug isakmp, site two

Jul 07 00:38:43 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, IKE MM Initiator FSM error history (struct &0x00007ffed93eabb0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, IKE SA MM:3d16134c terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, sending delete/delete with reason message
Jul 07 00:38:51 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE Initiator: New Phase 1, Intf office, IKE Peer 4.4.4.4  local Proxy Address 192.168.200.0, remote Proxy Address 192.168.224.0,  Crypto map (cmap)
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing ISAKMP SA payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver 02 payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver 03 payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver RFC payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing Fragmentation VID + extended capabilities payload
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:38:52 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:52 [IKEv1]IP = 4.4.4.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 00:38:54 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:54 [IKEv1]IP = 4.4.4.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 00:38:59 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:39:07 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172

show crypto ikev1 sa, site ONE

IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 3.3.3.3
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

show crypto ikev1 sa, site TWO

IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 4.4.4.4
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

NAT configuration, site two (the migrated one)

no arp permit-nonconnected
nat (CORE_HANDOVER,outside) source static obj-192.168.226.12 obj-11.189.38.252 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.10 obj-11.189.38.250 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.11 obj-11.189.38.251 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.225.72 obj-11.189.38.242 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.14 obj-11.189.38.249 dns
nat (CORE_HANDOVER,management) source static obj-192.168.251.35 obj-192.168.250.209 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.13 obj-11.189.38.253 dns
nat (outside,DMZ-TOOL) source static obj-11.189.38.0 obj-11.189.38.0 destination static obj-11.189.38.0 obj-11.189.38.0 no-proxy-arp route-lookup
nat (DMZ-TOOL,outside) source static obj-11.189.38.0 obj-11.189.38.0 destination static obj-11.189.38.0 obj-11.189.38.0 no-proxy-arp route-lookup
nat (CORE_HANDOVER,outside) source static obj-192.168.225.10 obj-11.189.38.241 dns
!
object network obj-192.168.225.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.249.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.231.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.226.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.227.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.228.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.229.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.248.0
 nat (CORE_HANDOVER,outside) dynamic 11.189.38.254

Crypto config

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AES256MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cmap 100 match address cacl
crypto map cmap 100 set peer 3.3.3.3
crypto map cmap 100 set ikev1 transform-set ESP-3DES-SHA AES256MD5
crypto map cmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 12
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
access-list cacl extended permit ip 11.189.38.192 255.255.255.192 195.182.34.0 255.255.255.0
access-list cacl extended permit ip 11.189.38.192 255.255.255.192 192.168.0.0 255.255.0.0
access-list cacl extended permit ip 192.168.224.0 255.255.224.0 192.168.200.0 255.255.255.0
access-list cacl extended permit ip 192.168.224.0 255.255.224.0 192.168.0.0 255.255.128.0

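Editor's note, added example (not part of the original post and not Cisco code): the two "show crypto ikev1 sa" blocks above say the same thing on both boxes, Role initiator, State MM_WAIT_MSG2, and both debugs show MM1 (msgid=0) being sent and resent every 8 seconds with nothing ever received and no "IKE Responder: New SA" on either side. That combination means the first main-mode packet is not reaching the other peer's IKE process in either direction, which is a path or filtering question, not a policy or pre-shared-key question (a proposal or PSK mismatch would stall later, at MM_WAIT_MSG4 or MM_WAIT_MSG6, after the peer had answered MM1). The script below turns that reasoning into a repeatable check: it parses both peers' "show crypto ikev1 sa" and "debug crypto ikev1" output, classifies the stall, and cross-checks the crypto config against the peer seen in the debug. The sample inputs are constructed from trimmed lines of this thread; the verdict strings and the PeerView structure are this example's own names, not ASA output.

```python
import re
from dataclasses import dataclass

# Initiator-side main-mode wait states on the ASA and what each one implies.
MM_STATE = {
    "MM_WAIT_MSG2": "MM1 (SA proposal) sent, no MM2 back: the peer never answered",
    "MM_WAIT_MSG4": "MM3 (KE/nonce) sent, no MM4 back: the peer accepted the proposal",
    "MM_WAIT_MSG6": "MM5 (ID/auth) sent, no MM6 back: PSK or identity check failing",
}
RE_PEER = re.compile(r"IKE Peer:\s*(\S+)")
RE_ROLE = re.compile(r"Role\s*:\s*(\w+)")
RE_STATE = re.compile(r"State\s*:\s*(\w+)")
RE_MSG0 = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=0\)")
RE_IKE_ENABLE = re.compile(r"^crypto ikev1 enable (\S+)", re.M)
RE_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
RE_SET_PEER = re.compile(r"^crypto map \S+ \d+ set peer (\S+)", re.M)


@dataclass
class PeerView:
    name: str
    peer: str = ""
    role: str = ""
    state: str = ""
    sent: int = 0       # msgid=0 SENDING: a fresh MM1
    resent: int = 0     # msgid=0 RESENDING: MM1 retransmits (8 s apart in the thread)
    received: int = 0   # msgid=0 RECEIVED: any main-mode message from the peer
    responder_seen: bool = False  # 'IKE Responder: New SA' means the peer's MM1 arrived


def parse_peer(name, show_sa, debug):
    """Take role/state from 'show crypto ikev1 sa' and count msgid=0 traffic in the debug."""
    v = PeerView(name)
    for rx, attr in ((RE_PEER, "peer"), (RE_ROLE, "role"), (RE_STATE, "state")):
        if m := rx.search(show_sa):
            setattr(v, attr, m.group(1))
    for line in debug.splitlines():
        if m := RE_MSG0.search(line):
            attr = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}[m.group(1)]
            setattr(v, attr, getattr(v, attr) + 1)
        if "IKE Responder: New SA" in line:
            v.responder_seen = True
    return v


def diagnose(a, b):
    """Classify the stall from what both peers saw; returns (verdict, findings)."""
    findings = [f"{v.name}: peer={v.peer} role={v.role} state={v.state} "
                f"({MM_STATE.get(v.state, 'unrecognised state')}); "
                f"msgid=0 sent={v.sent} resent={v.resent} received={v.received}" for v in (a, b)]
    waiting = [v for v in (a, b) if v.role == "initiator" and v.state == "MM_WAIT_MSG2"]
    nothing_in = all(v.received == 0 and not v.responder_seen for v in (a, b))
    if len(waiting) == 2 and nothing_in:
        verdict = "MM1_NOT_DELIVERED_EITHER_WAY"
        findings.append("Both sides initiate and retransmit MM1; neither logs an inbound msgid=0 or "
                        "'IKE Responder: New SA', so UDP/500 is not reaching the IKE process on either "
                        "side. Check filtering and routing between the peer addresses, any NAT of the "
                        "peer address, and that 'crypto ikev1 enable' is on the arrival interface.")
    elif len(waiting) == 1 and any(v.responder_seen for v in (a, b)):
        verdict = "MM1_DELIVERED_NO_MM2"
        findings.append("The peer received MM1 but returned no MM2: read the responder's debug "
                        "for a rejected proposal (no matching 'crypto ikev1 policy').")
    else:
        verdict = "OTHER"
    return verdict, findings


def check_config(config, observed_peer):
    """Cross-check the crypto config against the peer address seen in the debug."""
    problems = []
    enabled = set(RE_IKE_ENABLE.findall(config))
    for cmap, iface in RE_MAP_IFACE.findall(config):
        if iface not in enabled:
            problems.append(f"crypto map {cmap} is bound to {iface} but IKEv1 is not enabled there")
    if observed_peer and observed_peer not in RE_SET_PEER.findall(config):
        problems.append(f"debug shows IKE peer {observed_peer} but no crypto map entry sets that peer")
    return problems


# Constructed sample input, trimmed from the thread above; not live captures.
SA_ONE = "1   IKE Peer: 3.3.3.3\n    Type    : user            Role    : initiator\n    Rekey   : no              State   : MM_WAIT_MSG2\n"
DEBUG_ONE = """\
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 208
Jul 07 01:12:38 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE MM Initiator FSM error history ... MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, EV_RETRY
"""
SA_TWO = SA_ONE.replace("3.3.3.3", "4.4.4.4")
DEBUG_TWO = """\
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE Initiator: New Phase 1, Intf office, IKE Peer 4.4.4.4
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 172
Jul 07 00:38:59 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 172
"""
CONFIG = "crypto map cmap 100 set peer 3.3.3.3\ncrypto map cmap interface outside\ncrypto ikev1 enable outside\n"

if __name__ == "__main__":
    one = parse_peer("site one", SA_ONE, DEBUG_ONE)
    two = parse_peer("site two", SA_TWO, DEBUG_TWO)
    verdict, notes = diagnose(one, two)
    print(verdict, *notes, *check_config(CONFIG, one.peer), sep="\n")
```

Run against the trimmed thread data it reports MM1_NOT_DELIVERED_EITHER_WAY and no config problems, which is the point: with the crypto map and "crypto ikev1 enable" both on outside and the peer address matching, the remaining variable is whether UDP/500 from each box actually arrives at the other. A capture on the outside interface of each ASA (or "show asp drop" on the receiving side) settles that faster than more IKE debugging.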
Re: Strange VPN problem, two ASAs stuck on MM2

Anyone?

Re: Strange VPN problem, two ASAs stuck on MM2

I'm having the same issue. Endpoints that were working now are not. Did you find a fix?
