topic Re: S2S vpn help in Network Security

S2S vpn help

SANTHOSHKUMAR SARAVANAN — Mon, 11 Mar 2019 18:24:02 GMT

HI All ,

I have S2S paremeter in both asa device , when my intresting traffic is initated from site A to site B , I am getting Show crypto isakmp sa as below

site a (config)# sh crypto is
site a (config)# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 207.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

site a (config)# Aug 11 23:19:55 [IKEv1]: IP = 207.x.x.x, Removing peer from peer table failed, no match!
[IKEv1]: IP = 207.x.x.x, Error: Unable to remove PeerTblEntry

but when i check at Site B i am nt receving ISAKMP request from siteA , but from both side ping is happening and traceroute is completley perfect .

i have checked both side ISAKMP parameter ,

I am just wondering y Site B is not recieving site A ISAKMP packet , but i can see ping request packet at site b firewall which is coming from site a , but i dont find isakmp hits . kindly help me

Re: S2S vpn help

Jitendriya Athavale — Wed, 11 Aug 2010 18:15:19 GMT

#1 apply captures on the other end and see if you get any packet

you should see packets on port udp 500 from the peer

if you do not see it, then contact your isp and get the ports required for vpn opened - udp 500, ip 50,51 , udp 4500

#2 also you will need to open these ports on firewall using access-list on your outside interface

alternativly to open vpn related ports on your firewall you can give the command

sysopt connection permit-vpn

Re: S2S vpn help

SANTHOSHKUMAR SARAVANAN — Wed, 11 Aug 2010 18:28:02 GMT

Thanx for your reply when i give debug cryto isakmp sa i am getting follwoing message

e5t-pf-sprint(config)# Aug 12 00:16:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 00:16:22 [IKEv1]: IP = 207.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 207.x.xx local Proxy Address .x98.x.x, remote Proxy Address x.x.x.0, Crypto map
Aug 12 00:16:22 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Aug 12 00:16:22 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 12 00:16:22 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 12 00:16:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 00:16:24 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 12 00:16:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
+ NONE (0) total length : 108
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.x.x.x, IKE MM Initiator FSM error history (struct &0x5085a20) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.0.x.x, IKE SA MM:15e2aabd terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 12 00:16:54 [IKEv1 DEBUG]: IP = 207.x.x, sending delete/delete with reason message
Aug 12 00:16:54 [IKEv1]: IP = 207.x.x.x, Removing peer from peer table failed, no match!
Aug 12 00:16:54 [IKEv1]: IP = 207.x.x.x, Error: Unable to remove PeerTblEntry

wht does FSM error history ..

i will post u capture comands , i am have enable syspot connection permit-vpn. could you help me over here

Re: S2S vpn help

Jitendriya Athavale — Wed, 11 Aug 2010 18:34:02 GMT

these look like debugs from site a... can you paste debugs from site b

Re: S2S vpn help

SANTHOSHKUMAR SARAVANAN — Wed, 11 Aug 2010 18:40:03 GMT

Site B is not recieveing site A ISAKMP handshaking traffic . simiarly my ISP link is directly termiated on site A firewall outside interface . i wondering y site B is nt receving ISAKMP traffic .

how to do capture for outside interafce ..

Re: S2S vpn help

Jitendriya Athavale — Wed, 11 Aug 2010 18:45:42 GMT

access-list capout extended permit ip host host

capture capo interface outside access-list capout

i think it could well be the isp blocking it

do you have any other active tunnels on site b

Re: S2S vpn help

SANTHOSHKUMAR SARAVANAN — Wed, 11 Aug 2010 19:10:51 GMT

yes i have active tunnel connection to other location at site B ,

similarly i have done capture command for outside interface i dont see any traffic for 500 which recieving to my firerwall or my firewall is sending out , similarly i have binded capture acl to inbound direction of outside interface .

similalry by using my ISP connection i can use vpn dialer to connect to my HO ..

Re: S2S vpn help

Jitendriya Athavale — Thu, 12 Aug 2010 13:29:03 GMT

if this issue is still un resolved can you paste the config on the both ends