04-17-2019 08:14 AM
Dear Support,
I used a Cisco ASA 5520 with a site-to-site VPN to a Cisco router, and the VPN was running well.
Recently I decided to migrate my ASA 5520 to an ASA 5525-X and configure the VPN on the ASA 5525-X.
My issue is that the VPN doesn't come up.
When I go back to the ASA 5520, it works properly, so I think the issue is my config on the ASA 5525-X.
Can somebody help to solve this?
Attached are both Cisco ASA configs.
Many thanks
04-17-2019 08:44 AM
Hi,
Please can you enable debugging ("debug crypto ikev1") on the 5525-X ASA and upload the output here for review.
04-17-2019 08:49 AM
Hi RJI,
I can't debug because I went back to the old ASA; I can do a new test maybe on Saturday when users will be out of the office.
04-17-2019 05:31 PM
You probably want to clean up your 5525-X config by removing the unnecessary IKEv2 configuration.
04-17-2019 10:05 PM
04-18-2019 02:42 PM - edited 04-18-2019 03:03 PM
Hi Dear,
Here is the debug crypto ikev1 output:
Apr 18 16:41:57 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:58 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:41:59 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:00 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:03 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:06 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:07 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Apr 18 16:42:08 [IKEv1]IP = 94.107.139.137, Header invalid, missing SA payload! (next payload = 133)
Here is the show crypto output:
ciscoasa# sh cry ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_cryptomap extended permit ip 10.4.2.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0BEDD314
current inbound spi : A1404C65
inbound esp sas:
spi: 0xA1404C65 (2705345637)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000007 0xFFFFFFFF
outbound esp sas:
spi: 0x0BEDD314 (200135444)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 86437888, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/2936)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
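The counters in the output above are the diagnostic signal the next reply relies on: decaps climbing while encaps stays at zero means the peer's traffic decrypts fine but nothing local is ever being handed to the crypto map. The following is an added example, not code from the thread, that parses "show crypto ipsec sa" text into per-crypto-map entries and labels each one. The sample input is the poster's own output (with the 1.1.1.1 / 2.2.2.2 values as posted); the field names and verdict labels are this example's own.

```python
import re

# Constructed sample input: the identities and counters posted in the thread
# (1.1.1.1 / 2.2.2.2 are the poster's sanitised endpoint addresses).
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_cryptomap extended permit ip 10.4.2.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#send errors: 0, #recv errors: 0
"""

CRYPTO_MAP_RE = re.compile(r"^Crypto map tag: ([^,]+), seq num: (\d+), local addr: (\S+)")
PEER_RE = re.compile(r"^current_peer:\s*(\S+)")
IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

# Verdict labels (names chosen for this example)
HEALTHY = "HEALTHY"                     # both directions carrying packets
ONE_WAY_NO_ENCAPS = "ONE_WAY_NO_ENCAPS" # peer's packets decrypt, ours never get encrypted
ONE_WAY_NO_DECAPS = "ONE_WAY_NO_DECAPS" # we encrypt, nothing ever comes back
NO_TRAFFIC = "NO_TRAFFIC"               # SA exists but is idle in both directions


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' text into one dict per crypto-map entry."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_RE.match(line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)),
                       "local_addr": m.group(3), "peer": None,
                       "local": None, "remote": None, "encaps": 0, "decaps": 0}
            entries.append(current)
            continue
        if current is None:
            continue
        m = PEER_RE.match(line)
        if m:
            current["peer"] = m.group(1)
            continue
        m = IDENT_RE.match(line)
        if m:
            # m.group(1) is 'local' or 'remote'; store as addr/mask
            current[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        for name, value in COUNTER_RE.findall(line):
            current[name] = int(value)
    return entries


def diagnose(entry):
    """Classify an entry purely from its encaps/decaps counters."""
    enc, dec = entry["encaps"], entry["decaps"]
    if enc and dec:
        return HEALTHY
    if dec and not enc:
        return ONE_WAY_NO_ENCAPS
    if enc and not dec:
        return ONE_WAY_NO_DECAPS
    return NO_TRAFFIC


def report(text):
    """Human-readable lines, one per entry, with a hint for the one-way case."""
    out = []
    for e in parse_ipsec_sa(text):
        verdict = diagnose(e)
        out.append(f"{e['map']} seq {e['seq']} peer {e['peer']} "
                   f"{e['local']} -> {e['remote']}: encaps={e['encaps']} "
                   f"decaps={e['decaps']} => {verdict}")
        if verdict == ONE_WAY_NO_ENCAPS:
            out.append("  hint: local traffic never reaches the crypto map; "
                       "check NAT order (show nat) and the crypto ACL source")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SA_OUTPUT)))
```

Run it against the full output of "show crypto ipsec sa" on a box with several tunnels and it lists every crypto-map entry with its verdict, so a one-way tunnel stands out without reading every counter block by hand.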
04-18-2019 03:06 PM
Looks like you are decrypting traffic OK, but nothing is being encrypted.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
I would imagine the problem is NAT and the VPN traffic is matching the first rule:
nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
You can confirm this by using the command show nat; you should probably see this NAT rule above the no-NAT rule for the VPN networks and no hits on the other NAT rule.
You could move this NAT rule to Manual NAT Section 3.
no nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (INSIDE,OUTSIDE) after-auto source dynamic OBJ_GENERAL_ALL interface
HTH
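The fix above works because the ASA evaluates NAT in three sections (manual NAT in configuration order, then object NAT, then manual NAT marked after-auto) and only the first match applies, and because NAT runs before the packet is compared against the crypto ACL. The following is an added example, not code from the thread or from Cisco, that models that ordering for the two rule layouts. Only OBJ_GENERAL_ALL and the "interface" keyword come from the thread; the identity no-NAT rule, the object names OBJ_LAN / OBJ_REMOTE, the host addresses and the 203.0.113.9 Internet destination are assumptions made for the example.

```python
import ipaddress

# Networks taken from the crypto ACL in the thread; the host addresses below are constructed.
LAN = ipaddress.ip_network("10.4.2.0/24")
REMOTE = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IF_IP = ipaddress.ip_address("1.1.1.1")  # 'interface' PAT address, as posted


def rule(text, section, src, dst=ANY, identity=False):
    """One NAT rule: section 1 = manual, 2 = object, 3 = manual after-auto."""
    return {"text": text, "section": section, "src": src, "dst": dst, "identity": identity}


# Hypothetical identity (no-NAT) rule for the VPN networks; the dynamic rule is the one from the thread.
IDENTITY_TEXT = ("nat (inside,outside) source static OBJ_LAN OBJ_LAN "
                 "destination static OBJ_REMOTE OBJ_REMOTE")
DYNAMIC_TEXT = "nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface"
AFTER_AUTO_TEXT = "nat (inside,outside) after-auto source dynamic OBJ_GENERAL_ALL interface"

# Layout as 'show nat' presumably showed it: dynamic PAT above the no-NAT rule, both in section 1.
BEFORE = [
    rule(DYNAMIC_TEXT, 1, ANY),
    rule(IDENTITY_TEXT, 1, LAN, REMOTE, identity=True),
]
# Layout after the suggested change: dynamic PAT demoted to section 3.
AFTER = [
    rule(IDENTITY_TEXT, 1, LAN, REMOTE, identity=True),
    rule(AFTER_AUTO_TEXT, 3, ANY),
]


def first_match(rules, src, dst):
    """Return the first rule matching (src, dst), honouring section order then config order."""
    ordered = sorted(enumerate(rules), key=lambda t: (t[1]["section"], t[0]))
    for _, r in ordered:
        if src in r["src"] and dst in r["dst"]:
            return r
    return None


def translate(rules, src, dst):
    """Apply the matching rule: identity leaves src alone, dynamic PATs it to the interface."""
    r = first_match(rules, src, dst)
    if r is None or r["identity"]:
        return src, r
    return OUTSIDE_IF_IP, r


def crypto_acl_permits(src, dst):
    """The crypto ACL from the thread: 10.4.2.0/24 -> 192.168.10.0/24, checked post-NAT."""
    return src in LAN and dst in REMOTE


def check(rules, src="10.4.2.10", dst="192.168.10.5"):
    """Trace one flow through NAT and report whether it would be encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    xlated, r = translate(rules, s, d)
    return {"matched": r["text"] if r else None,
            "translated_src": str(xlated),
            "encrypts": crypto_acl_permits(xlated, d)}


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, check(rules))
    # Internet-bound traffic must still be PATed after the change.
    print("after, internet", check(AFTER, dst="203.0.113.9"))
```

With the BEFORE layout the VPN flow is PATed to 1.1.1.1 before the crypto ACL sees it, so it never matches and encaps stays at zero; with AFTER the identity rule wins, the source survives as 10.4.2.10 and the flow is encrypted, while traffic to any other destination still falls through to the section 3 PAT rule.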
04-19-2019 08:46 AM
Hi RJI,
Many thanks for your support, it solved my issue. Now the VPN is up and working.