07-31-2008 09:53 AM - edited 02-21-2020 02:56 AM
Hi everyone,
I followed the document but I am still unable to get my ASA to connect. I'm thinking it's because of the ISP's DSL router but I'm not sure. I even enabled NAT-T but that didn't do anything. Here is my layout:
ASA -> DSL Router -> Internet -> Concentrator
ASA inside: 10.103.0.1
ASA outside: 192.168.1.250
DSL Router LAN: 192.168.1.254
DSL Router WAN: 148.X.X.X
Concentrator: 24.X.X.X
Concentrator LAN: 172.16.0.1
Here's my config too with some debugs. Can someone shed some light please? Thanks.
08-07-2008 09:02 AM
Sorry logs are not helping
debug crypto isakmp 127
debug crypto ipsec 127
debug crypto engine
show crypto isakmp sa detail
show crypto ipsec sa detail
It could be a Phase 1 identity issue also. The ASA accepts and moves on in Phase 1, but the VPNC rejects.
Also, if possible, IKE, IKEDBG, IPSEC, IPSECDBG logs from the VPNC.
Regards
Farrukh
07-31-2008 07:32 PM
Double check your Pre-shared key and phase 2 parameters. The document uses a /16 mask on the VPN concentrator side, on the ASA you are using a /24 for the concentrator LAN, is it the same on the other side?
Regards
Farrukh
08-05-2008 01:49 PM
Yeah I checked both of them and still nothing. The subnets are like that because I was making changes to the config so as to not give out my real config.
I'm being NAT'd behind a Cisco 1800 that belongs to the ISP, but the IP address is the one that I set up on the concentrator. Do you think this has something to do with it?
08-06-2008 10:54 AM
If there is NAT in the transit path, why don't you enable NAT-T on the Concentrator?
It's enabled on IOS by default, but disabled on PIX/ASA/VPNC.
Regards
Farrukh
08-06-2008 11:49 AM
I'm not very familiar with the ASA, but I believe I configured NAT-T already. Here is another screenshot and updated config. Thanks for all your help guys, I really hope we can get this up and running.
I had to edit some of the subnets but it all should be exactly off the Cisco doc 69115. I'm trying to get the ISP to give me the IP directly to my ASA, but it's been hard trying to get ahold of them, and I want to get this up ASAP.
08-06-2008 11:52 AM
BTW, is my NAT set up correctly?
Thanks,
08-07-2008 04:12 AM
On the ASA add:
crypto isakmp nat-traversal
On the VPN concentrator you have enabled NAT-T on the L2L Connection itself, but have you enabled it globally? Like this:
Configure IPSec over NAT-T and/or IPSec over TCP:
1. On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.
2. Check the IPSec over NAT-T and/or TCP check box.
Regards
Farrukh
08-07-2008 07:33 AM
Both are active.
08-07-2008 08:16 AM
Initiate the tunnel from the ASA and post the output of show crypto isakmp sa detail
Also if possible the debug output 'debug crypto isakmp 127'
Do 'find and replace' for your public IPs to hide them.
Regards
Farrukh
08-07-2008 08:29 AM
Mexico-ASA5501# ping inside 172.16.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:
Aug 07 06:51:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 50.0.0.0, Crypto map (EP-Map)
Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload
Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload
Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload
Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload
Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
?Aug 07 06:51:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 06:51:11 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 06:51:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 06:51:13 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 06:51:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 06:51:15 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?
Success rate is 0 percent (0/5)
Mexico-ASA5501# Aug 07 06:51:25 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:33 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE MM Initiator FSM error history (struct &0x3c71290)
Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE SA MM:02d189d8 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, sending delete/delete with reason message
Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Removing peer from peer table failed, no match!
Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Error: Unable to remove PeerTblEntry
08-07-2008 09:20 AM
Mexico-ASA5501# debug crypto isakmp 127
Mexico-ASA5501# debug crypto ipsec 127
Mexico-ASA5501# debug crypto engine
Mexico-ASA5501#
Mexico-ASA5501# show crypto isakmp sa detail
There are no isakmp sas
Mexico-ASA5501# show crypto ipsec sa detail
There are no ipsec sas
Mexico-ASA5501# ping inside 172.16.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:
Aug 07 07:31:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 172.16.0.0, Crypto map (EP-Map)
Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload
Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload
Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload
Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload
Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
?Aug 07 07:31:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 07:31:23 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 07:31:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 07:31:25 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 07:31:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 07:31:27 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 07:31:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?
Success rate is 0 percent (0/5)
Mexico-ASA5501# show crypto isakmp sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 24.X.X.X
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
Mexico-ASA5501# show crypto ipsec sa detail
There are no ipsec sas
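The output above is what Farrukh asked for, and the useful signal in it is easy to miss among the repeated KEY-ACQUIRE lines: MM1 goes out with the NAT-T vendor IDs, is resent three times with nothing coming back, and the SA table shows the initiator parked in MM_WAIT_MSG2 before the SA is torn down. The following triage script is an added example, not anything from the thread or Cisco's own tooling; it parses the ASA's `debug crypto isakmp 127` lines and `show crypto isakmp sa detail` output and turns the state into a plain-language finding. The sample input embedded in it is constructed to match the shape of the output posted above, with the peer kept as the poster's masked 24.X.X.X, and the Main Mode state descriptions are the standard IKEv1 initiator semantics (MM1 sent, waiting for MM2, and so on).

```python
"""Triage helper for ASA IKEv1 Main Mode debugs (added example, not from the thread)."""
import re

# Constructed sample shaped like the ASA console output in the thread.
SAMPLE_DEBUG = """\
Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 172.16.0.0, Crypto map (EP-Map)
Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload
Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
?Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:25 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:33 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE SA MM:02d189d8 terminating: flags 0x01000022, refcnt 0, tuncnt 0
"""

SAMPLE_SA = """\
Active SA: 1
Total IKE SA: 1
1 IKE Peer: 24.X.X.X
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
"""

# What an initiator stuck in each Main Mode wait state has and has not received.
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "MM1 (SA proposal) sent, no MM2: peer never saw the packet (UDP/500 "
                    "blocked or NATed away), has no L2L entry for this source, or accepted "
                    "none of the offered proposals",
    "MM_WAIT_MSG4": "MM3 (KE/nonce) sent, no MM4: peer answered the proposal, so reachability "
                    "and proposal set are fine; check DH group and peer-side state",
    "MM_WAIT_MSG6": "MM5 (identity/auth) sent, no MM6: authentication failed on the peer, "
                    "typically a pre-shared key or identity mismatch",
    "MM_ACTIVE": "Phase 1 established; look at Phase 2 (show crypto ipsec sa)",
}

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=(\d+)\) "
                    r"with payloads : (.+?) total length : (\d+)")
PEER_RE = re.compile(r"IKE Peer (\S+) local Proxy Address ([^,\s]+), remote Proxy Address ([^,\s]+)")
TERM_RE = re.compile(r"IKE SA MM:[0-9a-f]+ terminating")
NATT_RE = re.compile(r"constructing NAT-Traversal VID")
SA_FIELD_RE = re.compile(r"(Role|State|Encrypt|Hash|Auth)\s*:\s*(\S+)")


def parse_debug(text):
    """Summarise one Phase 1 attempt from 'debug crypto isakmp' output."""
    s = {"peer": None, "local_proxy": None, "remote_proxy": None, "sent": 0,
         "resent": 0, "received": 0, "nat_t_offered": False, "terminated": False}
    for raw in text.splitlines():
        line = raw.lstrip("?")  # ping's progress characters spill into the console log
        m = PEER_RE.search(line)
        if m:
            s["peer"], s["local_proxy"], s["remote_proxy"] = m.groups()
        m = MSG_RE.search(line)
        if m:
            kind = m.group(1)
            key = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}[kind]
            s[key] += 1
        s["nat_t_offered"] |= bool(NATT_RE.search(line))
        s["terminated"] |= bool(TERM_RE.search(line))
    return s


def parse_sa_detail(text):
    """Pull role/state/crypto fields from 'show crypto isakmp sa detail'; {} if no SA."""
    if "There are no isakmp sas" in text:
        return {}
    fields = {}
    for line in text.splitlines():
        for key, val in SA_FIELD_RE.findall(line):
            fields[key.lower()] = val
    return fields


def diagnose(debug_text, sa_text):
    """Return plain-language findings for the attempt, most important first."""
    dbg, sa = parse_debug(debug_text), parse_sa_detail(sa_text)
    findings = []
    if dbg["sent"] and not dbg["received"]:
        msg = f"MM1 to {dbg['peer']} sent and resent {dbg['resent']}x with no reply"
        findings.append(msg + ("; ASA gave up and tore the SA down" if dbg["terminated"] else ""))
    state = sa.get("state")
    if state in MM_STATE_MEANING:
        findings.append(f"{state}: {MM_STATE_MEANING[state]}")
    elif not sa:
        findings.append("no ISAKMP SA present: nothing is currently negotiating")
    if dbg["nat_t_offered"]:
        findings.append("NAT-T vendor IDs offered in MM1, so nat-traversal is on for the ASA; "
                        "the peer must also have NAT-T enabled globally")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG, SAMPLE_SA):
        print("-", f)
```

Run against the sample it reports three findings: the unanswered, thrice-resent MM1, the MM_WAIT_MSG2 meaning, and the NAT-T note. The point of the state table is that MM_WAIT_MSG2 rules out a pre-shared key problem (that would show as MM_WAIT_MSG6) and leaves reachability through the NAT device or the proposal set, which is where the thread's fix, reordering the IKE proposals, landed.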
08-07-2008 09:30 AM
GOT IT!!!
My IKE proposals had the aes-128 above the 256, so I just moved the 256 above the 128 and that did it. Thanks for all your help Farrukh.
--mando
08-07-2008 11:14 AM
No problem buddy, I'm glad you have it working.
A debug almost always helps :)
Regards
Farrukh