Welcome to Cisco Firewalls Community
Beginner

Site-to-site VPN with ASA 5525-X doesn't work

Dear Support,

I used a Cisco ASA 5520 with a site-to-site VPN to a Cisco router, and the VPN is running well.

Recently, I decided to migrate my ASA 5520 to an ASA 5525-X and configured the VPN on the ASA 5525-X.

My issue is that the VPN doesn't come up.

When I go back to the ASA 5520, it works properly, so I think the issue is my config on the ASA 5525-X.

Can somebody help solve this?

Attached are both Cisco ASA configs.

Many Thanks


1 ACCEPTED SOLUTION

RJI (VIP Advocate)

Re: Site-to-site VPN with ASA 5525-X doesn't work

Looks like you are decrypting traffic OK, but nothing is being encrypted:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34

I would imagine the problem is NAT and the VPN traffic is matching the first rule:

nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface

You can confirm this with the command show nat; you should probably see this NAT rule above the no-NAT rule for the VPN networks, and no hits on the other NAT rule.

You could move this NAT rule to Manual NAT Section 3:

no nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface

nat (INSIDE,OUTSIDE) after-auto source dynamic OBJ_GENERAL_ALL interface

HTH
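To make the NAT-ordering point concrete, here is a small Python model of the ASA's first-match NAT lookup (Manual NAT Section 1, then Auto NAT Section 2, then Manual after-auto Section 3) applied to the rules in this thread. This is an added example, not code from the thread or from Cisco; it assumes the no-NAT (identity) rule the answer refers to matches 10.4.2.0/24 to 192.168.10.0/24 and that OBJ_GENERAL_ALL covers the inside LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "1.1.1.1"  # "local addr" from the OP's show crypto ipsec sa output

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int   # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    src: str       # CIDR the original source must fall in
    dst: str       # CIDR the destination must fall in ("0.0.0.0/0" = any)
    action: str    # "identity" keeps the source; "pat" rewrites it to OUTSIDE_IP

def in_net(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr)

def translate_source(rules: list, src: str, dst: str) -> str:
    """First-match NAT lookup in ASA section order (1, then 2, then 3).
    Within a section, list order stands in for the configured line order."""
    for rule in sorted(rules, key=lambda r: r.section):  # stable sort keeps intra-section order
        if in_net(src, rule.src) and in_net(dst, rule.dst):
            return src if rule.action == "identity" else OUTSIDE_IP
    return src  # no rule matched: no translation

def crypto_acl_permits(src: str, dst: str) -> bool:
    """The crypto map ACL from the OP's output: 10.4.2.0/24 -> 192.168.10.0/24."""
    return in_net(src, "10.4.2.0/24") and in_net(dst, "192.168.10.0/24")

def would_encrypt(rules: list, src: str, dst: str) -> bool:
    """NAT is applied before the crypto ACL is consulted, so the post-NAT source must match."""
    return crypto_acl_permits(translate_source(rules, src, dst), dst)

# Assumed rule set (constructed for this example). The identity rule is the
# "no-nat rule for the VPN networks" the answer mentions; its exact form is not on the page.
NO_NAT = NatRule("no-NAT for VPN networks", 1, "10.4.2.0/24", "192.168.10.0/24", "identity")
PAT_SECTION1 = NatRule("dynamic PAT (section 1)", 1, "10.4.2.0/24", "0.0.0.0/0", "pat")
PAT_AFTER_AUTO = NatRule("dynamic PAT (after-auto)", 3, "10.4.2.0/24", "0.0.0.0/0", "pat")

ORIGINAL = [PAT_SECTION1, NO_NAT]   # PAT rule sits above the no-NAT rule, as the answer suspects
FIXED = [NO_NAT, PAT_AFTER_AUTO]    # PAT rule moved to Section 3 with "after-auto"

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        vpn = would_encrypt(rules, "10.4.2.10", "192.168.10.5")
        internet = translate_source(rules, "10.4.2.10", "203.0.113.10")  # constructed public host
        print(f"{label}: VPN traffic encrypted={vpn}, internet traffic source={internet}")
```

In the original ordering the VPN-bound packet is PATed to 1.1.1.1 and no longer matches the crypto ACL, which is exactly the "encaps: 0" symptom; after the move the identity rule wins and internet-bound traffic is still PATed.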

7 Replies

RJI (VIP Advocate)

Re: Site-to-site VPN with ASA 5525-X doesn't work

Hi,

Can you please enable debugging ("debug crypto ikev1") on the 5525-X ASA and upload the output here for review.

Beginner

Re: Site-to-site VPN with ASA 5525-X doesn't work

Hi RJI,

I can't debug because I went back to the old ASA; I can do a new test maybe on Saturday, when users are out of the office.

Re: Site-to-site VPN with ASA 5525-X doesn't work

You probably want to clean your 5525-X config by removing the unnecessary IKEv2 configuration.

Beginner

Re: Site-to-site VPN with ASA 5525-X doesn't work

Hi Joseph,

I already removed the IKEv2, and it is still not working.

Attached is the other site's router configuration, which is working with the 5520.

Beginner

Re: Site-to-site VPN with ASA 5525-X doesn't work

Hi Dear,

Here is the debug crypto ikev1:

Apr 18 16:41:57 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:58 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:59 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:03 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:06 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:07 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:08 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)

Here is sh crypto:


ciscoasa# sh cry ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1

access-list outside_cryptomap extended permit ip 10.4.2.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 2.2.2.2


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0BEDD314
current inbound spi : A1404C65

inbound esp sas:
spi: 0xA1404C65 (2705345637)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000007 0xFFFFFFFF
outbound esp sas:
spi: 0x0BEDD314 (200135444)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscoasa#

Beginner

Re: Site-to-site VPN with ASA 5525-X doesn't work

Hi RJI,

Many thanks for your support; it solved my issue. Now the VPN is up and working.