VPN Problems ASA 5505 to 7206 Router MM_WAIT_MSG2

Paul Hathaway
Level 1

Hi

Since I swapped a PIX Firewall for a Cisco ASA 5505 Firewall at one of our sites, the VPN tunnel won't come up.

I'm getting this:

asaXXXXX# sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.150.242.23
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
asaXXXXX#

Below are the crypto-relevant settings from the ASA:

access-list outside_cryptomap_10 extended permit ip object-group Net_Inside any
access-list outside extended permit ip object-group Network_PPCUK any log debugging
access-list outside extended permit icmp any any
access-list outside extended permit ip object-group Network_QSec any log debugging
access-list inside extended permit ip object-group Net_Inside any
access-list inside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list outside_1_cryptomap extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list vpn extended permit ip object-group Net_Inside any
access-list outside_cryptomap_11 extended permit ip 10.xxx.xxx.x 255.255.255.192 any

crypto ipsec transform-set vue2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 14400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map site-crypto-map 10 match address outside_cryptomap_11
crypto map site-crypto-map 10 set pfs
crypto map site-crypto-map 10 set peer 10.150.242.23
crypto map site-crypto-map 10 set transform-set ESP-3DES-SHA
crypto map site-crypto-map 10 set security-association lifetime seconds 14400
crypto map site-crypto-map 10 set security-association lifetime kilobytes 209715
crypto map site-crypto-map 10 set trustpoint ukpvca
crypto map site-crypto-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable

Below are the crypto map settings from the 7206 head end router:

crypto isakmp policy 10
 encr 3des
 group 2
 lifetime 14400
crypto isakmp identity hostname
crypto isakmp keepalive 30 3
!
crypto ipsec security-association lifetime kilobytes 2097152
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set xxx ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set xxxx esp-3des esp-sha-hmac
!
crypto map vue 2148 ipsec-isakmp
 set peer 10.155.248.82
 set transform-set vue2
 set pfs group2
 match address SITENAME

This 7206 router has 140 VPN tunnels running on it and the rest are all OK; only this one site isn't working.

Any feedback would be much appreciated!

Thanks

CLIGuru
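An added example (not code from the thread or from Cisco) that compares the two IKE policy blocks quoted above the way a responder would: it parses the ASA and IOS `crypto isakmp policy` blocks into one attribute vocabulary and reports which pairs can negotiate. The point it makes is the one that trips people up when reading an IOS config side by side with an ASA one: IOS omits attributes that sit at their defaults from `show running-config` (authentication rsa-sig, hash sha, group 1, lifetime 86400 for an IKEv1 policy), so the router's policy 10 is only three lines long but is not missing anything. The config excerpts are constructed to mirror the post; the default encryption is release-dependent, so the code deliberately does not assume one.

```python
import re

# Constructed excerpts modelled on the two IKE policy blocks quoted in the post;
# not the poster's full running-config.
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable
"""

IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 2
 lifetime 14400
crypto isakmp identity hostname
"""

# IOS leaves attributes at their default value out of 'show running-config'.
# These IKEv1 policy defaults are documented by Cisco; the default encryption
# differs between IOS releases, so a missing 'encr' line stays unspecified here.
IOS_POLICY_DEFAULTS = {
    "authentication": "rsa-sig",
    "hash": "sha",
    "group": "1",
    "lifetime": "86400",
}

# Map both platforms' keywords onto one attribute name ('encr' is the IOS spelling).
ATTRIBUTE_KEYWORDS = {
    "authentication": "authentication",
    "encryption": "encryption",
    "encr": "encryption",
    "hash": "hash",
    "group": "group",
    "lifetime": "lifetime",
}

# Attributes an IKEv1 responder must match exactly; lifetime is negotiated
# (the shorter value wins), so it is reported but does not block a match.
MUST_MATCH = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config, defaults=None):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = dict(defaults or {})   # start from the platform defaults
            policies[int(header.group(1))] = current
            continue
        if current is None or not line or line.startswith("!"):
            continue
        parts = line.split()
        attribute = ATTRIBUTE_KEYWORDS.get(parts[0])
        if attribute and len(parts) == 2:
            current[attribute] = parts[1]
        else:
            current = None  # any other command ends the policy block
    return policies


def matching_policies(initiator, responder):
    """List (initiator_priority, responder_priority, lifetimes_equal) for every
    pair of policies that agrees on all MUST_MATCH attributes."""
    matches = []
    for ipri, ipol in sorted(initiator.items()):
        for rpri, rpol in sorted(responder.items()):
            if all(ipol.get(a) == rpol.get(a) for a in MUST_MATCH):
                matches.append((ipri, rpri, ipol.get("lifetime") == rpol.get("lifetime")))
    return matches


if __name__ == "__main__":
    asa = parse_isakmp_policies(ASA_CONFIG)
    ios = parse_isakmp_policies(IOS_CONFIG, IOS_POLICY_DEFAULTS)
    print("IOS policy 10 after defaults:", ios[10])
    print("compatible pairs:", matching_policies(asa, ios))
```

On the quoted configs this yields exactly one compatible pair, ASA policy 10 with router policy 10, and the pre-shared-key policy 65535 matches nothing on the router. That is consistent with a peer stuck in MM_WAIT_MSG2: the initiator has sent its first main mode message and never received the second, which is a reachability or addressing symptom rather than a proposal mismatch, so proposal tuning is the wrong place to start.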

5 Replies

Jouni Forss
VIP Alumni

Hi,

I guess this usually means that the remote end doesn't reply to the initial message from the initiator of the connection, which in this case is the new ASA 5505. Are there perhaps some errors in the new ASA configuration or with its routing?

- Jouni

Hi

I've compared the configs to a known working ASA and they look identical.

I ran a debug crypto isakmp 251 and got the following:

Aug 16 14:29:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:12 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:14 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
en P1 SA is complete.
Aug 16 14:29:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:37 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:39 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Strange eh ?!
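An added example (not from the thread) that turns the debug pattern above into detection logic: it reads ASA `debug crypto isakmp` lines, counts per peer how often the first main mode message (`RESENDING Message (msgid=0)` carrying the SA payload) is retransmitted, whether any phase-1 message ever comes back, and how many KEY-ACQUIRE requests are queued waiting for a phase-1 SA. The sample lines are constructed to mirror the post; a second peer at 192.0.2.10 (a documentation address, not from the thread) is added so the healthy case can be seen beside the stuck one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the debug lines in the post, with a second,
# healthy peer (192.0.2.10, a documentation address) added for contrast.
SAMPLE_DEBUG = """\
Aug 16 14:29:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:12 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:21 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:30 [IKEv1]: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:30 [IKEv1]: IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
"""

# Timestamp, optional DEBUG tag, optional "IP = <peer>, " prefix, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \[IKEv1(?: DEBUG)?\]: "
    r"(?:IP = (?P<peer>[\d.]+), )?(?P<msg>.*)$"
)


def summarize_ikev1_debug(text):
    """Count, per peer, first-message retransmits, received phase-1 messages and
    queued KEY-ACQUIRE requests (traffic waiting for a phase-1 SA that never forms)."""
    stats = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("peer"):
            continue  # lines without a peer address (e.g. the Pitcher notices)
        peer, msg = m.group("peer"), m.group("msg")
        if "RESENDING Message (msgid=0)" in msg and "HDR + SA (1)" in msg:
            stats[peer]["mm1_resent"] += 1      # initiator's SA proposal sent again
        elif "RECEIVED Message (msgid=0)" in msg:
            stats[peer]["p1_received"] += 1     # peer answered a phase-1 message
        elif "Queuing KEY-ACQUIRE" in msg:
            stats[peer]["key_acquire_queued"] += 1
    return stats


def diagnose(stats):
    """Map each peer to a one-line verdict an operator can act on."""
    verdicts = {}
    for peer, c in stats.items():
        if c["p1_received"] == 0 and c["mm1_resent"] > 0:
            verdicts[peer] = ("no reply to the first main mode message: verify the peer "
                              "address, routing and UDP/500 reachability before touching "
                              "crypto settings")
        elif c["p1_received"] > 0:
            verdicts[peer] = "peer is answering phase 1; look at proposal/authentication instead"
        else:
            verdicts[peer] = "inconclusive: no phase-1 traffic seen for this peer"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(summarize_ikev1_debug(SAMPLE_DEBUG)).items():
        print(peer, "->", verdict)
```

The retransmit-without-receive signature is what MM_WAIT_MSG2 looks like in the debug stream; the queued KEY-ACQUIRE messages are simply interesting traffic piling up behind it. The same summary run over a longer capture would separate silent peers from ones that answer and then fail later, which need a different investigation.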

Btw,

Why doesn't the router side policy have any kind of "authentication" under the isakmp policy?

Good question. I'm not sure; it's never had authentication before, and we have another head end router that performs the same function and has the same settings.

It's a really bizarre issue: all the configs look right at both ends, but the tunnel seems to be stuck. Possibly traffic being blocked?!

Think I'm getting somewhere:

asaSITEName# packet-tracer input inside tcp 10.155.148.3 500 10.150.242.23 5$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.155.148.0 10.155.148.0 netmask 255.255.255.192
  match ip inside 10.155.148.0 255.255.255.192 outside any
    static translation to 10.155.148.0
    translate_hits = 3516, untranslate_hits = 0
Additional Information:
Static translate 10.155.148.0/0 to 10.155.148.0/0 using netmask 255.255.255.192

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 10.155.148.0 10.155.148.0 netmask 255.255.255.192
  match ip inside 10.155.148.0 255.255.255.192 outside any
    static translation to 10.155.148.0
    translate_hits = 3516, untranslate_hits = 0
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Traffic is being dropped at the encryption level. The question is: is it at the ASA side or the VPN router??
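An added example (not from the thread) that parses `packet-tracer` output of the form quoted above and isolates the phase that dropped the packet together with the recorded drop reason. Two points worth having in front of you when reading such output: `packet-tracer` is a simulation that runs entirely on the ASA, so any DROP it reports is a decision the ASA made locally and the router never saw the packet; and a DROP in the VPN/encrypt phase commonly shows up when the ASA has classified the flow as tunnel traffic but no IPsec SA exists for it yet, which is exactly the situation while phase 1 is stuck in MM_WAIT_MSG2. The sample trace is constructed from the post with phases 2 to 6 omitted, since they do not change the result.

```python
import re

# Constructed sample condensed from the packet-tracer output quoted above
# (phases 2-6 omitted; nothing in them changes the outcome).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text):
    """Return (phases, summary): phases is a list of dicts with phase number,
    type, subtype, result and the free-text detail lines; summary holds the
    trailing 'Result:' block (action, interfaces, drop reason)."""
    phases, summary = [], {}
    current, in_summary = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":              # bare 'Result:' opens the final summary
            in_summary, current = True, None
            continue
        header = re.match(r"Phase: (\d+)$", line)
        if header:
            current = {"phase": int(header.group(1)), "details": []}
            phases.append(current)
            continue
        key, sep, value = line.partition(":")
        if in_summary:
            summary[key.strip()] = value.strip()
        elif current is not None:
            if sep and key in PHASE_FIELDS:
                current[key.lower()] = value.strip()
            elif line not in ("Config:", "Additional Information:"):
                current["details"].append(line)   # rule text, NAT hits, etc.
    return phases, summary


def first_drop(phases):
    """The first phase whose result is DROP, or None if the packet was allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def explain(phases, summary):
    """One line stating where the ASA itself stopped the packet and why."""
    drop = first_drop(phases)
    if drop is None:
        return "packet allowed through all %d phases" % len(phases)
    return "dropped locally on the ASA in phase %d (%s/%s): %s" % (
        drop["phase"], drop.get("type"), drop.get("subtype") or "-",
        summary.get("Drop-reason", "no drop reason recorded"))


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_TRACE)
    print(explain(phases, summary))
```

Run over the quoted trace this reports the drop in phase 8 (VPN/encrypt) with the `acl-drop` reason, which answers the "which side" question for this particular test: the ASA dropped it before anything left the box. Whether the router would also have dropped real traffic is a separate question that a local simulation cannot answer; the phase-1 debug on the ASA, or a capture on the router's outside interface for UDP/500 from the ASA's address, is what settles it.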
