ASA 5510 Site 2 Site Tunnel

cofee
Level 5

We have a site-to-site VPN tunnel between two sites using ASA 5510s, and for authentication we are using self-signed certificates. While I was on vacation the VPN tunnel broke down because the certificates expired, and we have no IT support at the COOP site, so we will have to send someone down there to log into the firewall so we can fix the issue. I inherited this network infrastructure a few months ago and tried renewing the certificates at the primary site, but it appears the certificates on the COOP firewall also expired, so it didn't work. Is it possible to fix this issue without sending someone to the COOP site? We are planning to move away from self-signed certificates and use a pre-shared key in the future. Any suggestions would be appreciated.


Rahul Govindan
VIP Alumni

If you don't have access to the remote site, one option I can think of is turning the clock on your ASA back to a time before the cert expired. This, plus disabling the revocation check, should still keep your expired cert showing up as valid. If you have access to the remote site, your plan of changing it back to PSK should work.

I rolled back the time and turned off the revocation check, but I am still having the same issue. I guess since the remote firewall's certificate also expired, it's preventing itself from forming the tunnel. There is no backdoor to access the remote site and make the necessary changes on the remote firewall to bring the tunnel back up.

Let me know your thoughts. Thanks for your help.

Can you collect the following debugs when it tries to connect:

debug cry isak 127

debug cry ips 127

debug cry ca trans 255

Please let me know if this helps:

Dec 10 2016 12:46:05: %ASA-7-713906: IP = 1.2.3.4, Connection landed on tunnel_group 1.2.3.4
Dec 10 2016 12:46:05: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Dec 10 2016 12:46:05: %ASA-7-717029: Identified client certificate within certificate chain. serial number: 611A88A9000000000010, subject name: cn=VPN-2.alpha.cp,ou=IT,o=ALPHA,st=VA,c=US,hostname=VPN-2.alpha.cp.
Dec 10 2016 12:46:05: %ASA-7-717030: Found a suitable trustpoint ALPHA-ROOT-CA to validate certificate.
Dec 10 2016 12:46:05: %ASA-6-717022: Certificate was successfully validated. serial number: 611A8, subject name: cn=VPN-2.alpha.cp,ou=IT,o=ALPHA,st=VA,c=US,hostname=VPN-2.alpha.cp.
Dec 10 2016 12:46:05: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Dec 10 2016 12:46:05: %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, peer ID type 9 received (DER_ASN1_DN)
Dec 10 2016 12:46:05: %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing ID payload
Dec 10 2016 12:46:05: %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing cert payload
Dec 10 2016 12:46:05: %ASA-7-715001: Group = 1.2.3.4, IP = 1.2.3.4, constructing RSA signature
Dec 10 2016 12:46:05: %ASA-7-715076: Group = 1.2.3.4, IP = 1.2.3.4, Computing hash for ISAKMP
Dec 10 2016 12:46:05: %ASA-7-713906: Constructed Signature Len: 256
Dec 10 2016 12:46:05: %ASA-7-713906: Constructed Signature:
0000: 1E3F0E37 22C29FD4 B2498D7C C0D2D20C     .?.7"....I.|....
0010: 09C85683 2DF97268 8F67D659 D67BE9ED     ..V.-.rh.g.Y.{..
0020: 91EB3461 4FD94D9F 187C5DC2 A9EA3A81     ..4aO.M..|]...:.
0030: 84921167 03F4769A 7C891EA3 0AAE2CB6     ...g..v.|.....,.
0040: A189A79B C36ECCFB 6F52EA21 A57EFC06     .....n..oR.!.~..
0050: 00B8AB7B E2259013 BE4A84D1 EAA7E5F4     ...{.%...J......
0060: 0B724E8F 0F5391DC 73837CD3 6F94E3E0     .rN..S..s.|.o...
0070: 78B5
Dec 10 2016 12:46:05: %ASA-7-715034: IP = 1.2.3.4, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Dec 10 2016 12:46:05: %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing dpd vid payload
Dec 10 2016 12:46:05: %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1858
Dec 10 2016 12:46:05: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 1.2.3.4
Dec 10 2016 12:46:05: %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, Delete with reason code and text capabilities are negotiated
Dec 10 2016 12:46:05: %ASA-5-713119: Group = 1.2.3.4, IP = 1.2.3.4, PHASE 1 COMPLETED
Dec 10 2016 12:46:05: %ASA-7-713121: IP = 1.2.3.4, Keep-alive type for this connection: DPD
Dec 10 2016 12:46:05: %ASA-7-715080: Group = 1.2.3.4, IP = 1.2.3.4, Starting P1 rekey timer: 73440 seconds.
Dec 10 2016 12:46:05: %ASA-7-713906: IKE Receiver: Packet received on 172.16.1.1:500 from 1.2.3.4:500
Dec 10 2016 12:46:05: %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=3c125f80) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 84
Dec 10 2016 12:46:05: %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Dec 10 2016 12:46:05: %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing delete with reason payload
Dec 10 2016 12:46:05: %ASA-5-713050: Group = 1.2.3.4, IP = 1.2.3.4, Connection terminated for peer 1.2.3.4.  Reason: Peer Terminate, No Reason Provided.  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Dec 10 2016 12:46:05: %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, IKE SA MM:637d8d75 terminating:  flags 0x0100c802, refcnt 0, tuncnt 0
Dec 10 2016 12:46:05: %ASA-5-713259: Group = 1.2.3.4, IP = 1.2.3.4, Session is being torn down. Reason: User Requested
Dec 10 2016 12:46:05: %ASA-4-113019: Group = 1.2.3.4, Username = 1.2.3.4, IP = 1.2.3.4, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Dec 10 2016 12:46:05: %ASA-7-713906: Ignoring msg to mark SA with dsID 55762944 dead because SA deleted

Yeah, looks like you are validating the cert OK, but they are not doing the same on their side. This is after you renewed your cert. The only way I can think of is to have someone change it to PSK manually.
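Added example (not part of this thread, and not Cisco's code): a small Python triage script that parses the debug output posted above and reduces it to the conclusion Rahul drew by eye. It keys on the ASA message IDs visible in that output (717022 local certificate validated, 717028 revocation not checked, 713119 PHASE 1 COMPLETED, 713050 Peer Terminate, 113019 session disconnected with zero duration). If the local box validates the peer's certificate and Phase 1 completes, but the peer deletes the SA immediately with no reason, the failure is on the remote side's validation of our certificate and cannot be fixed from the local ASA. The embedded sample is a constructed, condensed copy of the thread's lines with the same placeholder peer address; the "local validation failed" branch matches on the word "failed" in a 717-series message, which is an assumption rather than a documented rule.

```python
"""Triage ASA IKEv1 L2L debug output for certificate-authentication failures.

Added example for the thread; not Cisco's or the poster's code.
"""
import re

# Constructed sample, condensed from the thread's debug output (1.2.3.4 is the placeholder peer).
SAMPLE_DEBUG = """\
Dec 10 2016 12:46:05: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Dec 10 2016 12:46:05: %ASA-6-717022: Certificate was successfully validated. serial number: 611A8, subject name: cn=VPN-2.alpha.cp,ou=IT,o=ALPHA,st=VA,c=US
Dec 10 2016 12:46:05: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Dec 10 2016 12:46:05: %ASA-5-713119: Group = 1.2.3.4, IP = 1.2.3.4, PHASE 1 COMPLETED
Dec 10 2016 12:46:05: %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing delete with reason payload
Dec 10 2016 12:46:05: %ASA-5-713050: Group = 1.2.3.4, IP = 1.2.3.4, Connection terminated for peer 1.2.3.4.  Reason: Peer Terminate, No Reason Provided.  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Dec 10 2016 12:46:05: %ASA-4-113019: Group = 1.2.3.4, Username = 1.2.3.4, IP = 1.2.3.4, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<severity>-<6-digit id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)


def parse_asa_log(text):
    """Return a list of {ts, sev, msgid, text} dicts, one per syslog-style line.

    Hex dumps and wrapped fragments that do not carry a %ASA header are skipped.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sev"] = int(ev["sev"])
        events.append(ev)
    return events


def diagnose_tunnel(events):
    """Classify an IKEv1 main-mode attempt from the parsed events."""

    def first_index(msgid, needle=None):
        for i, ev in enumerate(events):
            if ev["msgid"] == msgid and (needle is None or needle in ev["text"]):
                return i
        return None

    validated = first_index("717022")                    # local side accepted peer cert
    revocation_warn = first_index("717028", "revocation status was not checked")
    phase1 = first_index("713119")                       # PHASE 1 COMPLETED
    peer_term = first_index("713050", "Peer Terminate")  # peer deleted the SA
    # Assumption: a 717-series message containing "failed" is a local validation error.
    local_fail = any(ev["msgid"].startswith("717") and "failed" in ev["text"].lower()
                     for ev in events)

    peer_ip = subject = None
    for ev in events:
        m = re.search(r"IP = (\d+\.\d+\.\d+\.\d+)", ev["text"])
        if m and peer_ip is None:
            peer_ip = m.group(1)
        m = re.search(r"subject name:\s*(cn=[^,]+)", ev["text"])
        if m and subject is None and ev["msgid"] == "717022":
            subject = m.group(1)

    if validated is not None and phase1 is not None and peer_term is not None and peer_term > phase1:
        verdict = "peer_rejected_after_phase1"
        detail = ("local ASA validated the peer certificate and Phase 1 completed, but the peer "
                  "deleted the SA at once with no reason: the remote side is rejecting our "
                  "certificate, which has to be fixed on that device")
    elif validated is None and local_fail:
        verdict = "local_validation_failed"
        detail = "local certificate validation failed: check trustpoint, clock and certificate validity here"
    elif phase1 is not None and peer_term is None:
        verdict = "phase1_ok"
        detail = "Phase 1 completed and no peer delete was seen"
    else:
        verdict = "inconclusive"
        detail = "no certificate validation or Phase 1 completion messages found"

    return {"verdict": verdict, "detail": detail, "peer_ip": peer_ip,
            "peer_cert_subject": subject, "revocation_checked": revocation_warn is None,
            "events": len(events)}


if __name__ == "__main__":
    result = diagnose_tunnel(parse_asa_log(SAMPLE_DEBUG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the output of the three debug commands from a failing attempt (saved to a file) and read the verdict; the "revocation_checked" field also surfaces the disabled-revocation-check workaround so it is not forgotten once the tunnel is back on a proper certificate or PSK.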

Yeah I guess we will need to send someone there to fix the other side.

Thanks a lot for your help.

We were able to bring up the tunnel with a pre-shared key.

I would appreciate it if you could answer the following question:

* Is it possible to use multiple ISAKMP/IKE policies for one particular peer, for example one policy that uses certificates for authentication and another with a pre-shared key, so that if the certificates expire it will move on to the next policy? Or would it keep trying to use the policy with the lower number?
