Unable to establish VPN tunnel (ASA <> CSR1000)

InTheJuniverse
Level 1

topology1.png

 

On EVE-NG, I am trying to establish an IKEv1 Site to Site VPN tunnel between CSR1 and ASA.

CSR version: CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3

ASA version: ASA5520 Version 9.1(5)16

I have attached the configs and debug message. ASA always complains 'no matching SA found', which is not correct AFAIK.

If I configure the exact same config using two CSRs, everything is working.

What am I doing wrong?

EDIT: Even if I remove everything and just connect ASA to CSR1, the exact same error occurs.

7 Replies

Hi,
I don't see anything obviously wrong in the configuration.
Can you confirm are you just observing errors in the debug logs or is the IKEv1 SA and IPSec SAs not being established?
The timestamps are not the same; were the debug logs generated on the ASA and CSR at the same time?

Thank you for your response.

Phase 1 establishes just fine. Phase 2 moans about the "Received encrypted packet with no matching SA, dropping" error if I debug.

I could have taken the logs at different times, but they are similar all the time.

Try using a different transform set, use aes and sha and try again. Provide a full ipsec sa debug - "debug crypto ipsec sa" and upload for review.

Thank you.

I did, and I have the exact same output.

I removed that ASA and used another one (ASAv) and everything is working. So I am assuming this is some sort of bug in EVE or the image.

Also, when I do a destination NAT (identity) from the CLI, it does not show in ASDM; I have to explicitly click 'NAT Exempt' from the connection profile, and it ends up creating two NATs, something that Shiraz also suggested.

So I am definitely doubting the ASA image.

I labbed this up. The only difference I made is that I changed this NAT:

nat (inside,outside) source static NETWORK_OBJ_10.10.9.0_24 NETWORK_OBJ_10.10.9.0_24 destination static NETWORK_OBJ_10.11.11.0_24 NETWORK_OBJ_10.11.11.0_24 no-proxy-arp route-lookup

into this:

nat (inside,outside) source static LAN09 LAN09 destination static LAN11 LAN11 no-proxy-arp route-lookup
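As an added illustration (this is not the configuration attached to the original post, which is not reproduced in the thread), here is a minimal IKEv1 site-to-site pair built around the two subnets in Shiraz's NAT line: 10.10.9.0/24 behind the ASA inside interface and 10.11.11.0/24 behind the CSR. The peer addresses 203.0.113.1 (ASA outside) and 203.0.113.2 (CSR GigabitEthernet1), the object and ACL names, the policy and crypto map sequence numbers, the AES/SHA/group 2 proposal and the placeholder pre-shared key are all assumptions for the example; substitute your own values.

```cisco
!=====================================================================
! ASA side (ASA 9.1 syntax, IKEv1). Assumed addressing for this example:
!   outside = 203.0.113.1, peer (CSR) = 203.0.113.2
!   local LAN = 10.10.9.0/24 (inside), remote LAN = 10.11.11.0/24
!=====================================================================
object network LAN09
 subnet 10.10.9.0 255.255.255.0
object network LAN11
 subnet 10.11.11.0 255.255.255.0
!
! Identity (NAT-exempt) rule. It must be evaluated before any dynamic
! PAT that would otherwise rewrite the VPN traffic's source address.
nat (inside,outside) source static LAN09 LAN09 destination static LAN11 LAN11 no-proxy-arp route-lookup
!
! Crypto ACL (proxy IDs): local subnet -> remote subnet
access-list VPN_TO_CSR extended permit ip object LAN09 object LAN11
!
! Phase 1 (ISAKMP) policy; must match the CSR's isakmp policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set; must match the CSR's transform set
crypto ipsec ikev1 transform-set TS_AES_SHA esp-aes esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_CSR
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES_SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_PSK_CHANGE_ME
!
!=====================================================================
! CSR side (IOS-XE 15.6, IKEv1 crypto map). Assumed addressing:
!   GigabitEthernet1 = 203.0.113.2 facing the ASA at 203.0.113.1
!=====================================================================
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key EXAMPLE_PSK_CHANGE_ME address 203.0.113.1
!
crypto ipsec transform-set TS_AES_SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL is the mirror image of the ASA's:
! local 10.11.11.0/24 -> remote 10.10.9.0/24
ip access-list extended VPN_TO_ASA
 permit ip 10.11.11.0 0.0.0.255 10.10.9.0 0.0.0.255
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_AES_SHA
 match address VPN_TO_ASA
!
interface GigabitEthernet1
 ip address 203.0.113.2 255.255.255.0
 crypto map OUTSIDE_MAP
```

The points to check when Phase 1 comes up but Phase 2 does not: the two crypto ACLs must be exact mirror images of each other (same subnets, swapped source and destination), the transform sets must match, and on the ASA the identity NAT must cover exactly the same source/destination pair as the crypto ACL so that traffic enters the tunnel with its real addresses. On the ASA, `show crypto ikev1 sa`, `show crypto ipsec sa` and `show nat` show which SAs are installed and which NAT rule is matching; on the CSR, `show crypto isakmp sa` and `show crypto ipsec sa` show the same from the other side.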

Thanks Shiraz

 

Good catch. I noticed that even after creating Destination NAT (identity) from CLI, ASDM still does not show it, I have to explicitly click 'Nat Exempt' under connection profile.

 

BTW, I changed NAT and it still did not work.

 

I used another ASA image and it worked, so I am doubting ASA / EVE here

Hi mate.

I just double-checked; my ASA version is 9.12. I just realized yours was on 9.1. I have seen this site-to-site VPN issue with identity NAT in a production network too. Glad it worked out for you. Happy labbing :)