07-06-2018 12:43 PM - edited 02-21-2020 07:57 AM
Hi Everyone,
I am having trouble getting my site-to-site VPN working. It shows the tunnel is initiated on both sides, but I cannot ping across to any of the subnets.
One is an ASA5510 (8.2) the other is an ASA5505 (8.2)
I am sure I'm missing something simple, but I just can't seem to figure it out.
Here is my code:
ASA5505 (OFFICE)
ASA5505# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28750

ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA5505
domain-name .LOCAL
enable password l6TfH6cW.FyTs0Rc encrypted
passwd zsGJHLUedCLLSkmz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description Connection to Switch
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Untangle Link
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.0.0.1 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name .LOCAL
object-group network -IP
 network-object host 64.40.115.156
 network-object host 64.40.115.157
 network-object host 64.40.115.158
 network-object host 64.40.115.155
object-group network VPN-INSIDE-IP
 network-object host 192.168.10.4
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 104.0.0.1 eq 81
access-list inbound extended permit tcp any host 104.0.0.1 eq 5000
access-list inbound extended permit tcp any host 104.0.0.1 eq 85
access-list inbound extended permit tcp any host 104.0.0.1 eq 6690
access-list inbound extended permit tcp any host 104.0.0.1 eq 5222
access-list inbound extended permit tcp object-group IP host 104.0.0.1 eq 8351
access-list inbound extended permit tcp host 209.0.0.1 host 104.0.0.1 eq 3389
access-list inbound extended permit udp any host 104.0.0.2 eq 1194
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list splittunnel standard permit 192.168.99.0 255.255.255.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.5.1-192.168.5.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 104.0.0.2 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.99.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.99.253 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.99.252 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6690 192.168.99.12 6690 netmask 255.255.255.255
static (inside,outside) tcp interface 8500 192.168.10.5 8500 netmask 255.255.255.255
static (inside,outside) tcp interface 8351 192.168.20.7 8351 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 5222 192.168.20.19 5222 netmask 255.255.255.255
static (inside,outside) udp 104.11.119.180 1194 192.168.10.5 1194 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 104.0.0.10 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.20.16
 key *****
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.99.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
snmp-server group v3group v3 auth
snmp-server user v3user v3group v3 encrypted auth md5 8f:e2:21:74:8e:e0:e0:bf:e6:47:68:71:1e:3e:ed:d7
snmp-server host inside 192.168.20.10 community ***** version 2c
snmp-server host inside 192.168.99.2 community ***** version 2c
snmp-server location office
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map clienttunnel 10 set transform-set 3des-md5 3des-sha
crypto map vpntunnel 30 match address outside_1_cryptomap
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 50.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel 65000 ipsec-isakmp dynamic clienttunnel
crypto map vpntunnel interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.20.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value airinnovationsllc.local
username admin password gKsOtAE6fzcD/7Hh encrypted privilege 15
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnclientpool
 authentication-server-group vpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
  inspect snmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b826892f526483687b2934e4cbab68c
: end
ASA5510 (SOUTH)
SOUTH-WAREHOUSE-ASA5510# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 104.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28666

SOUTH-WAREHOUSE-ASA5510# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SOUTH-WAREHOUSE-ASA5510
domain-name .local
enable password l6TfH6cW.FyTs0Rc encrypted
passwd l6TfH6cW.FyTs0Rc encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 50.0.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .local
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 50.0.0.1 eq 81
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.10 1
route inside 192.168.96.0 255.255.255.0 192.168.11.2 1
route inside 192.168.97.0 255.255.255.0 192.168.11.2 1
route inside 192.168.98.0 255.255.255.0 192.168.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.97.0 255.255.255.0 inside
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 104.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group 104.0.0.1 type ipsec-l2l
tunnel-group 104.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2799251874696d5e2bb2bf6c17f6699c
: end
07-09-2018 05:41 PM
Hello,
From the ASA5505 you notice a drop in Phase 10. Also in Phase 9: host-limits. What is the license on the ASA?
You can find it from 'show ver' and 'show local-host'. Try rebooting the unit and also updating the code.
Thx
MS
07-06-2018 03:02 PM
Can you post
show crypto ipsec sa
and enable debug on both sides to capture the tunnel establishment logs.
BB
07-06-2018 04:32 PM
Here is the sh ipsec sa for one of the ASAs, and below that is the debug log.
ASA5505# show crypto ipsec sa
interface: outside
    Crypto map tag: vpntunnel, seq num: 30, local addr: 104.0.0.1

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.98.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.98.0/255.255.255.0/0/0)
      current_peer: 50.0.0.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 104.0.0.1, remote crypto endpt.: 50.0.0.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 79577892
      current inbound spi : 3DA7C416

    inbound esp sas:
      spi: 0x3DA7C416 (1034404886)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4373999/28662)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x79577892 (2035775634)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28662)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpntunnel, seq num: 30, local addr: 104.0.0.1

      access-list outside_1_cryptomap extended permit ip 192.168.99.0 255.255.255.0 192.168.98.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.98.0/255.255.255.0/0/0)
      current_peer: 50.0.0.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 104.0.0.1, remote crypto endpt.: 50.0.0.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5A695337
      current inbound spi : C378EECD

    inbound esp sas:
      spi: 0xC378EECD (3279482573)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28608)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5A695337 (1516852023)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3055616, crypto-map: vpntunnel
         sa timing: remaining key lifetime (kB/sec): (4374000/28608)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
DEBUG LOG FOR ASA
AIR-ASA5505#
Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, Oakley proposal is acceptable
Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Jul 06 12:35:50 [IKEv1 DEBUG]: IP = 50.0.0.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Connection landed on tunnel_group 50.0.0.1
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Connection landed on tunnel_group 50.0.0.1
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, PHASE 1 COMPLETED
Jul 06 12:35:50 [IKEv1]: IP = 50.0.0.1, Keep-alive type for this connection: DPD
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Starting P1 rekey timer: 27360 seconds.
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.98.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Received local IP Proxy Subnet data in ID Payload: Address 192.168.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, QM IsRekeyed old sa not found by addr
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Static Crypto Map check, checking map = vpntunnel, seq = 30...
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Static Crypto Map check, map vpntunnel, seq = 30 is a successful match
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, IKE Remote Peer configured for crypto map: vpntunnel
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing IPSec SA payload
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 30
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, IKE: requesting SPI!
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Transmitting Proxy Id:
  Remote subnet: 192.168.98.0 Mask 255.255.255.0 Protocol 0 Port 0
  Local subnet: 192.168.99.0 mask 255.255.255.0 Protocol 0 Port 0
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, Security negotiation complete for LAN-to-LAN Group (50.0.0.1) Responder, Inbound SPI = 0xfe4c8b45, Outbound SPI = 0xac1aebef
Jul 06 12:35:50 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Starting P2 rekey timer: 27360 seconds.
Jul 06 12:35:50 [IKEv1]: Group = 50.0.0.1, IP = 50.0.0.1, PHASE 2 COMPLETED (msgid=7e3a52b2)
sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28784

AIR-ASA5505# sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28775
07-06-2018 04:34 PM
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing hash payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, processing notify payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Received keep-alive of type DPD R-U-THERE (seq number 0x47399f7e)
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x47399f7e)
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, constructing blank hash payload
Jul 06 12:44:03 [IKEv1 DEBUG]: Group = 50.0.0.1, IP = 50.0.0.1, constructing qm hash payload
Jul 06 12:44:03 [IKEv1]: IP = 50.0.0.1, IKE_DECODE SENDING Message (msgid=f2ff2fe5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
07-06-2018 06:54 PM
Hi,
This question may not be related to your issue, but I wanted to check. Are the default gateways on both ends correct? I see the outside interfaces: one side has 255.255.255.248 and the other side 255.255.255.252, but the gateways are .10, which do not fall under those subnets.
Thanks
MS
07-06-2018 06:59 PM
07-06-2018 07:28 PM
Quick check on the config: it looks fine. You can try adding 'sysopt connection permit-vpn' on both ends (global config mode). If you still have trouble:
1. Enable 'debug icmp trace' on both sides and see if the ICMP packets (between private IPs) are reaching the other end (and getting dropped).
2. Try the packet-tracer command to simulate traffic (between two private IPs) and post the results.
Thanks,
MS
07-06-2018 07:59 PM - edited 07-06-2018 08:09 PM
I am getting some weird results...
ASA5510 (SOUTH)
SOUTH-WAREHOUSE-ASA5510(config)# ping inside 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
?
Success rate is 0 percent (0/5)
ASA5505 (OFFICE)
AIR-ASA5505(config)#
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
ICMP echo request from 192.168.11.1 to 192.168.10.1 ID=39632 seq=48845 len=72
ICMP echo reply from 192.168.10.1 to 192.168.11.1 ID=39632 seq=48845 len=72
07-06-2018 08:19 PM - edited 07-06-2018 08:35 PM
Here are the ICMP events when pinging from a computer on the 192.168.99.0 subnet to 192.168.97.1.
No reply on the ASA5510 (SOUTH) side; below is the ASA5505 (OFFICE).
ASA5505(config)#
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=141 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/62982
But when I ping from SOUTH to the inside firewall IP of OFFICE, I see the requests on the ASAs, but the ping fails on the users' computers it was run from.
ASA5510 (SOUTH)
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=69 len=32
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=70 len=32
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=71 len=32
ASA5505 (OFFICE)
ASA5505#
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=69 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=69 len=32
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=70 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=70 len=32
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=71 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=71 len=32
07-07-2018 09:27 AM - edited 07-07-2018 09:57 AM
Looking at the 'ping' results, my understanding is that the 5505 is not processing the 'no nat' rule:
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=140 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/2217
Try removing the no-nat config and adding it back. Also try placing the nonat statement for these networks on top (it may not make much difference though).
Thx
MS
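As an added example for this thread (not code from any of the posters or from Cisco), here is an offline check of the two configs posted above that does by hand what the diagnosis here is about: it expands the object-groups, evaluates the nonat and crypto-map ACLs for the failing flow 192.168.99.16 -> 192.168.97.1 on each peer, confirms the two crypto ACLs mirror each other, and then walks the 'debug icmp trace' lines to flag a request that matched NAT exemption yet was still PATed to the outside interface address. The config and debug excerpts are copied from the thread; the parser, the function names and the handling of the 'any' and 'host' operands (which go beyond what the posted ACLs use) are my own assumptions, and the parser reads only 'permit ip' entries.

```python
import ipaddress
import re
# Excerpts copied from the two configs posted above (object-groups and the nonat / crypto ACLs).
OFFICE_CONFIG = """
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
"""
SOUTH_CONFIG = """
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
"""
# 'debug icmp trace' lines copied from the OFFICE ASA output posted above.
OFFICE_DEBUG = [
    "ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32",
    "ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174",
]

def _take_addr(tokens, groups):
    """Consume one ACE address operand: any | host X | object-group G | net mask."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(tokens[0] + "/" + tokens[1])], tokens[2:]

def parse_config(text):
    """Return ({group: [nets]}, {acl: [(src_nets, dst_nets)]}) for 'permit ip' ACEs."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[:1] == ["network-object"] and current:
            groups[current].extend(_take_addr(parts[1:], groups)[0])
        elif parts[:1] == ["access-list"] and parts[2:5] == ["extended", "permit", "ip"]:
            current = None
            src, rest = _take_addr(parts[5:], groups)
            acls.setdefault(parts[1], []).append((src, _take_addr(rest, groups)[0]))
    return groups, acls

def acl_matches(entries, src_ip, dst_ip):
    """True if any ACE in the list permits src -> dst (host addresses as strings)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(src in n for n in s) and any(dst in n for n in d) for s, d in entries)

def crypto_acls_mirror(local_entries, remote_entries):
    """True if every (src, dst) network pair on one peer is (dst, src) on the other."""
    pairs = lambda e: {(s, d) for src, dst in e for s in src for d in dst}
    return pairs(local_entries) == {(d, s) for s, d in pairs(remote_entries)}

FROM_RE = re.compile(r"echo request from inside:(\S+) to outside:(\S+) ")
XLATE_RE = re.compile(r"echo request translating inside:(\S+)/\d+ to outside:(\S+)/\d+")
def exempt_flows_translated(debug_lines, nonat_entries):
    """Return (src, dst, pat_addr) for requests that matched NAT exemption yet were PATed."""
    last_dst, flagged = {}, []
    for line in debug_lines:
        m = FROM_RE.search(line)
        if m:
            last_dst[m.group(1)] = m.group(2)  # remember the destination per source host
            continue
        m = XLATE_RE.search(line)
        if m and m.group(1) in last_dst:
            src, dst = m.group(1), last_dst[m.group(1)]
            if acl_matches(nonat_entries, src, dst):
                flagged.append((src, dst, m.group(2)))
    return flagged

def run_checks():
    """Evaluate the thread's failing flow 192.168.99.16 -> 192.168.97.1 on both peers."""
    _, office = parse_config(OFFICE_CONFIG)
    _, south = parse_config(SOUTH_CONFIG)
    return {
        "office_nonat": acl_matches(office["nonat"], "192.168.99.16", "192.168.97.1"),
        "office_crypto": acl_matches(office["outside_1_cryptomap"], "192.168.99.16", "192.168.97.1"),
        "south_nonat": acl_matches(south["NONAT"], "192.168.97.1", "192.168.99.16"),
        "mirrored": crypto_acls_mirror(office["outside_1_cryptomap"], south["OUTSIDE_1_CRYPTOMAP"]),
        "pated_despite_exempt": exempt_flows_translated(OFFICE_DEBUG, office["nonat"]),
    }
```

When 'office_nonat' and 'mirrored' are both True but 'pated_despite_exempt' is non-empty, the ACL text is not the problem: the box is not applying the exemption it has. On 8.2 the nat 0 access-list is evaluated ahead of static and dynamic translations, so reordering rules will not change that outcome, which is why the next steps in this thread are packet-tracer on the failing box and a reboot or code upgrade rather than more ACL edits.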
07-06-2018 08:54 PM
Here are the ICMP events when pinging from a computer on the 192.168.99.0 subnet to 192.168.97.1.
No reply on the ASA5510 (SOUTH) side; below is the ASA5505 (OFFICE).
ASA5505(config)#
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=139 len=32
ICMP echo request translating inside:192.168.99.16/1 to outside:104.0.0.1/22174
ICMP echo request from inside:192.168.99.16 to outside:192.168.97.1 ID=1 seq=140 len=32
But when I ping from SOUTH to the inside firewall IP of OFFICE, I see the requests on the ASAs, but the ping fails on the users' computers it was run from.
ASA5510 (SOUTH)
ICMP echo request from inside:192.168.98.101 to outside:192.168.10.1 ID=1 seq=69 len=32
ASA5505 (OFFICE)
ASA5505#
ICMP echo request from 192.168.98.101 to 192.168.10.1 ID=1 seq=69 len=32
ICMP echo reply from 192.168.10.1 to 192.168.98.101 ID=1 seq=69 len=32
07-08-2018 01:17 PM
Tried removing the NONAT and placing the NAT statement for the tunnel at the top. Still not working...
Is there a bug in the code?
07-08-2018 08:05 PM
Hi,
1. Did you try adding 'sysopt connection permit-vpn' on both ends (or on the 5505 end to start with)?
2. 8.2(5) code is pretty old and the 8.2 train itself is EOL from Cisco, and I'm not sure of related bugs. I think the latest in that train is 8.2(5)59.
3. You can try rebooting the 5505 and upgrading as well. If none of that works, run the command below from the 5505 and post the output:
packet-tracer input inside icmp 192.168.99.16 0 192.168.97.10 detailed
hth
MS
07-09-2018 06:19 AM - edited 07-09-2018 06:48 AM
sysopt did not work. Added it to both.
Here are the packet-tracer results:
SOUTH-WAREHOUSE-ASA5510# packet-tracer input inside icmp 192.168.97.1 0 0 192.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.97.0 255.255.255.0 outside 192.168.99.0 255.255.255.0
NAT exempt
translate_hits = 2, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (50.0.0.1 [Interface PAT])
translate_hits = 11868, untranslate_hits = 1750
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (50.0.0.1 [Interface PAT])
translate_hits = 11868, untranslate_hits = 1750
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15184, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow