
New Member

VPN

Hi everyone, I am super lost at this point. Please help: I cannot get a site-to-site VPN connection between an ASA 5510 and a 1841.

Below is the output of the ISAKMP SA, IPsec SA and crypto map commands on the 1841.

Router#show cry isakmp sa
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_NO_STATE          1    0 ACTIVE (deleted)

Router#sh cry ipsec sa

interface: FastEthernet0/1
    Crypto map tag: asa1, local addr 66.160.11.132

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 319, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Router#sh cry map
Crypto Map "asa1" 1 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }

Crypto Map "asa1" 10 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map asa1:
                FastEthernet0/1

ASA 5510

Result of the command: "sh cry ipsec sa"

interface: outside

    Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

      current_peer: 71.191.130.50

      #pkts encaps: 175781, #pkts encrypt: 175781, #pkts digest: 175781

      #pkts decaps: 267694, #pkts decrypt: 267694, #pkts verify: 267694

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 175781, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 552987DF

    inbound esp sas:

      spi: 0x4FFF5AF2 (1342135026)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 12288, crypto-map: outside_map0

         sa timing: remaining key lifetime (kB/sec): (4373516/2107)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x552987DF (1428785119)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 12288, crypto-map: outside_map0

         sa timing: remaining key lifetime (kB/sec): (4373641/2107)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Result of the command: "sh cry isakmp sa"

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2

1  IKE Peer: 71.191.130.50

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 66.160.11.132

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

Let me know if I should post anything else, please.

Thanks in advance

30 REPLIES

Re: VPN

Hi,

According to the output:

ASA's public IP: 70.33.178.164

Router's public IP: 66.160.11.132

ASA's internal LAN:

192.168.10.0/24

192.168.11.0/24

Router's internal LAN:

192.168.30.0/24

The interesting traffic on the ASA seems to be defined to 192.168.20.0/24, which appears nowhere.

Please confirm the above addresses and clear the SAs and try again.

Federico.

New Member

Re: VPN

The interesting traffic 192.168.20.0/24 is the second VPN connection, which connects from a different address than 66.160.x.x. The interesting traffic from 66 is 192.168.30.0/24.

I noticed in my own post that the type for 66.x.x is "user", whereas the other VPN that is connected is "L2L". Is that the problem?

Thanks

Re: VPN

Yes,

The fact that you're seeing the connection on the ASA from 66.160.11.132 as "user" indicates that it is landing on the dynamic crypto map instead of using the appropriate tunnel-group.

This could be because the ACL for interesting traffic is not matching on both ends.

Could you post the relevant VPN configuration from both sides (but just for this particular tunnel)?

Federico.

New Member

Re: VPN

What commands do you want me to run to show the VPN config?

New Member

Re: VPN

post

Re: VPN

ASA:

sh run crypt map

sh run access-list NAME --> name is the ACL defined in the crypto map

sh run access-list NAME --> name is the ACL defined in the NAT 0 statement

sh run tunnel-group

sh run cry isa

sh run cry ips

Router:

sh run | i cry

sh access-list NAME --> name is the ACL defined in the crypto map

If you're doing NAT on the router, also copy the NAT configuration: sh run | i ip nat

From the above commands, just post the VPN configuration that pertains to this tunnel.

Federico.

New Member

Re: VPN

ASA

Result of the command: "sh run crypt map"

crypto map outside_map0 1 match address outside_cryptomap_2
crypto map outside_map0 1 set peer 66.160.11.132 70.108.240.44
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside

Result of the command: "sh run access-list outside_cryptomap_2"

access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

Result of the command: "sh run access-list NAT 0": I am not sure what name to put here.

Result of the command: "sh run tunnel-group"

tunnel-group 66.160.11.132 type ipsec-l2l
tunnel-group 66.160.11.132 ipsec-attributes
 pre-shared-key *

Result of the command: "sh run cry isa"

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

Result of the command: "sh run cry ips"

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

1841

no service password-encryption
crypto isakmp policy 1
crypto isakmp key ****** address 70.33.178.164 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map asa1 1 ipsec-isakmp
crypto map asa1 10 ipsec-isakmp
crypto map asa1

sh access-list asa1

nothing

Router#sh run | i ip nat
ip nat inside
ip nat outside
ip nat translation dns-timeout 180
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

Not sure if I did the access list right for the ASA and the 1841. The return for the 1841 was blank, and the ASA returned a lot. I tried to post what was relevant.
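An added check, not part of the thread: the two crypto ACLs posted above are in different notations (ASA with subnet masks, IOS with wildcard masks), so this script normalises both to CIDR and reports any flow that the other side does not define in reverse, which is the "ACL matching on both ends" condition raised earlier in the thread. The ACL text is embedded as constructed sample input copied from the posts.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs exactly as posted in this thread.
ASA_ACL = """
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
"""
IOS_ACL = """
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only the "network mask" form used in the thread is handled (no 'any' / 'host' keywords).
ASA_RE = re.compile(rf"access-list\s+\S+\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}")
IOS_RE = re.compile(rf"access-list\s+\d+\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}")


def wildcard_to_netmask(wildcard):
    """IOS wildcard masks are the bitwise inverse of a subnet mask (0.0.0.255 -> 255.255.255.0)."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def parse_asa_acl(text):
    """Return {(src_cidr, dst_cidr)} for every permit entry of an ASA crypto ACL."""
    flows = set()
    for src, smask, dst, dmask in ASA_RE.findall(text):
        flows.add((str(ipaddress.ip_network(f"{src}/{smask}", strict=False)),
                   str(ipaddress.ip_network(f"{dst}/{dmask}", strict=False))))
    return flows


def parse_ios_acl(text):
    """Same as parse_asa_acl, for an IOS numbered ACL written with wildcard masks."""
    flows = set()
    for src, swild, dst, dwild in IOS_RE.findall(text):
        flows.add((str(ipaddress.ip_network(f"{src}/{wildcard_to_netmask(swild)}", strict=False)),
                   str(ipaddress.ip_network(f"{dst}/{wildcard_to_netmask(dwild)}", strict=False))))
    return flows


def mirror_mismatches(local_flows, remote_flows):
    """Flows each side defines that the other side does not define in reverse (src/dst swapped)."""
    missing_on_remote = sorted(local_flows - {(d, s) for s, d in remote_flows})
    missing_on_local = sorted(remote_flows - {(d, s) for s, d in local_flows})
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    on_asa, on_router = mirror_mismatches(parse_ios_acl(IOS_ACL), parse_asa_acl(ASA_ACL))
    for src, dst in on_asa:
        print(f"router protects {src} -> {dst} but the ASA has no matching {dst} -> {src} entry")
    for src, dst in on_router:
        print(f"ASA protects {src} -> {dst} but the router has no matching {dst} -> {src} entry")
```

With the ACLs as posted, the router's second entry (192.168.30.0/24 to 192.168.11.0/24) has no mirror on the ASA, while the 192.168.10.0/24 pair matches on both sides.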

Re: VPN

We need this output from the ASA:


sh run nat
sh run access-list NAME  --> name is the ACL that shows under the NAT0 statement from the command above

From the router:


sh run | sect route-map SDM_RMAP_1
sh access-list NAME --> name for the ACL that shows under the route-map above

Also try this:

ASA:


clear cry isa sa 66.160.11.132
clear cry ips sa peer 66.160.11.132

Router:
clear cry isa
clear cry sa

Then try to establish the tunnel again and see the results of both devices:


sh cry isa sa
sh cry ips sa

Federico.

New Member

Re: VPN

post

Re: VPN

Instead of:

Router#sh access-list SDM_RMAP_1

Please post:

Router#sh access-list 101

I think that we can see the entire picture after this last post.

Federico.

New Member

Re: VPN

Router#sh access-list 101
Extended IP access list 101
    10 deny ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
    20 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (557 matches)
    30 permit ip 192.168.30.0 0.0.0.255 any (2371 matches)

thanks a lot for your help

Re: VPN

Let me know the results of these tests:

From the ASA can you PING 66.160.11.132?

From the router can you PING 70.33.178.164?

If both PINGs are successful, then let's try to send traffic through the tunnel.

First clear the SAs again and...

Add these two commands to the ASA:

management-access inside

sysopt connection permit-vpn

Then, from the router do this:

ping x.x.x.x source y.y.y.y

x.x.x.x is the IP of the inside interface of the ASA (192.168.10.x)

y.y.y.y is the IP of the internal interface of the router (192.168.30.x)

Check again:

sh cry isa sa

sh cry ips sa

Federico.

New Member

Re: VPN

OK, I was able to ping each device from the other.

When I ran the command management-access inside, it returned: "Please remove the management access before configure a new one"

As you can see below, I was not able to ping the inside addresses.

Router#ping 192.168.10.1 source 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)
Router#sh cry isa sa
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_SA_SETUP          1    0 ACTIVE

Router#sh cry ips sa

interface: FastEthernet0/1
    Crypto map tag: asa1, local addr 66.160.11.132

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 13, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Re: VPN

Check this on the ASA:

sh run management

Make sure that you remove the management-access xxxxx and then add it as "management-access inside".

Check that the internal IP of the ASA is something in the 192.168.10.x and the internal IP of the router something in the 192.168.30.x

And try it both ways:

From the router:

ping 192.168.10.x source 192.168.30.x

From the ASA:

ping inside 192.168.30.x

Federico.

New Member

Re: VPN

When I ran sh run management, it only listed: management-access inside

IPs are correct

From Router

Router#ping 192.168.10.1 source 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)

From ASA

Result of the command: "ping inside 192.168.30.1"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Re: VPN

Ok, so let's do the following:

Clear the crypto SAs on both sides:

ASA:

clear cry isa sa 66.160.11.132

clear cry ips sa peer 66.160.11.132

Router:

clear cry isa

clear cry sa

Then turn on these debugs on both sides:

ASA:

debug cry condition peer 66.160.11.132

debug cry isa 127

debug cry ips 127

Router:

debug cry isa

debug cry ips

You might need the command:  term mon

on both sides to see the debugs.

Please attach the outputs.

Federico.

New Member

Re: VPN

Attached is the output from the router. It's awfully long; not sure if that is what you're looking for.

Re: VPN

Jackie,

Phase 1 is establishing correctly.

We need to check what is happening with Phase 2.

When you get CLI access to the ASA, you should be able to run the debug commands that I gave you.

Federico.

New Member

Re: VPN

post

New Member

Re: VPN


FW-COLO# show cry debug

Crypto conditional debug is turned ON
IKE debug context unmatched flag:  OFF
IPSec debug context unmatched flag:  OFF
IKE debug context error flag:  OFF
IPSec debug context error flag:  OFF

IKE peer IP address filters:
66.160.11.132/32

FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session

How can I see the 711001 messages? I can't find them in the syslog view.

New Member

Re: VPN

I was able to figure out how to show it in the console, but I still can't see it in the syslog. Maybe it's just me.

Here are some of the lines from the ASA related to the 66 peer:

%ASA-7-713236: IP = 66.160.11.132, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

%ASA-7-715065: IP = 66.160.11.132, IKE MM Initiator FSM error history (struct &0xd8e9e7a0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

%ASA-7-713906: IP = 66.160.11.132, IKE SA MM:b49d70c1 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

%ASA-7-713906: IP = 66.160.11.132, sending delete/delete with reason message

Attached is the output from the ASA.

Thanks

Re: VPN

Jackie,

We're not getting much from the debugs in this case.

Could you post a copy of the "sh run" from both devices?

Federico.

New Member

Re: VPN

post

Re: VPN

Jackie,

This is the next step:

Clear the SAs on both units.

Post the complete output from the debugs.

With these debugs and the configurations hopefully we'll find out what's going on.

Federico.

New Member

Re: VPN

post

Re: VPN

What I've seen is that even though phase 1 seems to be down, there's an entry for phase 2.

According to the logs, phase 1 establishes, but then goes down, because the VPN won't establish.

Have you cleared the SAs both for phase 1 and phase 2?

Federico.

New Member

Re: VPN

I have used the clear commands stated before on both routers. Is there another command to clear Phase 2?

Re: VPN

The

clear cry ips sa peer x.x.x.x

is the command to clear the SA for phase 2.

Try doing the command and checking again:

sh cry ips sa

To make sure there's no SA for phase 2.

Federico.

New Member

Re: VPN

OK, I ran the clear command and here is the show output:

FW-COLO# sh cry ips sa
interface: outside
    Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 71.191.130.50

      #pkts encaps: 16551, #pkts encrypt: 16551, #pkts digest: 16551
      #pkts decaps: 16645, #pkts decrypt: 16645, #pkts verify: 16645
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16551, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 7E575FCD

    inbound esp sas:
      spi: 0x21BBA596 (565945750)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373213/2268)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7E575FCD (2119655373)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373221/2264)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
