04-17-2019 08:14 AM
Dear Support,
I used a Cisco ASA 5520 with a site-to-site VPN to a Cisco router; the VPN is running well.
Recently, I decided to migrate my ASA 5520 to an ASA 5525-X and configure the VPN on the ASA 5525-X.
My issue is that the VPN doesn't come up.
When I go back to the ASA 5520, it works properly; I think the issue is my config on the ASA 5525-X.
Can somebody help to solve this?
Attached are both Cisco ASA configs.
Many Thanks
04-18-2019 03:06 PM
Looks like you are decrypting traffic OK, but nothing is being encrypted.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
I would imagine the problem is NAT and the VPN traffic is matching the first rule:
nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
You can confirm this by using the command show nat; you should probably see this NAT rule above the no-NAT rule for the VPN networks, and no hits on the other NAT rule.
You could move this NAT rule to Manual NAT Section 3:
no nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (INSIDE,OUTSIDE) after-auto source dynamic OBJ_GENERAL_ALL interface
HTH
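To show why the rule order matters (a Section 1 dynamic PAT rule is evaluated before the identity no-NAT rule for the VPN networks, so the interesting traffic is PATed to the outside interface and never matches the crypto ACL, until after-auto moves it to Section 3), here is an added Python example that is not code from this thread: it parses constructed show nat output and replays the ASA's first-match lookup. The object names, hit counts and host addresses are assumptions.

```python
import ipaddress
import re

# Constructed "show nat" output (not from the thread's devices): dynamic PAT in
# Section 1 sits ahead of the identity (no-NAT) rule for the VPN networks.
SHOW_NAT_BEFORE = """
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic OBJ_GENERAL_ALL interface
    translate_hits = 1532, untranslate_hits = 0
2 (inside) to (outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
"""
# Same rules after "nat ... after-auto" moved the dynamic PAT to Section 3.
SHOW_NAT_AFTER = """
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 12

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic OBJ_GENERAL_ALL interface
    translate_hits = 1600, untranslate_hits = 0
"""
# Assumed object definitions (on a real ASA you would read "show run object").
OBJECTS = {"OBJ_GENERAL_ALL": "0.0.0.0/0", "LOCAL_LAN": "10.4.2.0/24", "REMOTE_LAN": "192.168.10.0/24"}
RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) source (dynamic|static) (\S+) (\S+)"
                     r"(?: destination static (\S+) (\S+))?")

def parse_show_nat(text):
    """Return manual NAT rules in the order the ASA evaluates them (Section 1, then 3)."""
    rules, section = [], None
    for line in text.splitlines():
        hdr = re.match(r"Manual NAT Policies \(Section (\d)\)", line)
        if hdr:
            section = int(hdr.group(1))
            continue
        m = RULE_RE.match(line)
        if m and section:
            _, _, kind, src_real, src_mapped, dst_real, _ = m.groups()
            rules.append({"section": section, "kind": kind,
                          "identity": kind == "static" and src_real == src_mapped,
                          "src": ipaddress.ip_network(OBJECTS[src_real]),
                          "dst": ipaddress.ip_network(OBJECTS.get(dst_real, "0.0.0.0/0"))})
    rules.sort(key=lambda r: r["section"])  # stable sort keeps in-section order
    return rules

def match_nat(rules, src_ip, dst_ip):
    """First-match lookup, as the ASA does; returns the winning rule or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((r for r in rules if s in r["src"] and d in r["dst"]), None)

def vpn_traffic_is_patted(show_nat_text, src_ip="10.4.2.10", dst_ip="192.168.10.10"):
    """True if crypto-interesting traffic would hit the dynamic PAT instead of the identity rule."""
    r = match_nat(parse_show_nat(show_nat_text), src_ip, dst_ip)
    return r is not None and r["kind"] == "dynamic"
```

With the "before" ordering the 10.4.2.0/24 to 192.168.10.0/24 traffic is PATed (encaps stay at 0); with the "after" ordering the identity rule wins and the same PAT rule still serves Internet-bound traffic from Section 3.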
04-17-2019 08:44 AM
Hi,
Can you please enable debugging ("debug crypto ikev1") on the 5525-X ASA and upload the output here for review.
04-17-2019 08:49 AM
Hi RJI,
I can't debug because I went back to the old ASA; I can do a new test maybe on Saturday, when users will be out of the office.
04-17-2019 05:31 PM
You probably want to clean up your 5525-X config by removing the unnecessary IKEv2 configuration.
04-17-2019 10:05 PM
04-18-2019 02:42 PM - edited 04-18-2019 03:03 PM
Hi Dear
Here is the debug crypto ikev1 output:
Apr 18 16:41:57 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:58 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:59 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:03 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:06 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:07 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:08 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Here is the sh crypto ipsec sa output:
ciscoasa# sh cry ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_cryptomap extended permit ip 10.4.2.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0BEDD314
current inbound spi : A1404C65
inbound esp sas:
spi: 0xA1404C65 (2705345637)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000007 0xFFFFFFFF
outbound esp sas:
spi: 0x0BEDD314 (200135444)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
04-19-2019 08:46 AM
Hi RJI,
Many thanks for your support, it solved my issue. Now the VPN is up and working.