VPN site-to-site between ASA and Router issues (Cert Auth with another Router action as PKI Server)

Hi Guys,

Has anybody done a VPN site-to-site between an ASA and a router with certificate authentication, using another router acting as the PKI server?

In my case:

                          R4 (NTP/PKI Servers)
                                 |
                               (dmz)
                                 |
             |-----R1------- (inside) ASA (outside) --------R3-------R2----|

Tested:

  1. NTP is synchronized on all routers and the ASA.
  2. The authenticate/enroll process has been done and the certificates were obtained.
  3. VPN site-to-site between R2 and R3 works fine with certificate authentication.
  4. The ISAKMP policy and IPsec transform-set are the same on all routers and the ASA.
  5. Routing of traffic between the routers and the ASA is OK.

I had some issues with the VPN traffic between the ASA and R3 and I didn't know why:

  1. The certificate was successfully validated between the ASA and R3, but Phase 1 did not complete, and I saw a traceback on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Has anybody seen this case before? Please let me know.

Regards,

Tran
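As an added example that is not part of the original post: when a %ASA-7-711002 traceback appears while a tunnel fails to come up, the first triage question is whether the same process and PC value keep recurring (which is what a TAC case or an internal escalation would be built on) or whether it was a one-off. The small parser below extracts the process, PC, duration and stack frames from such syslog lines and groups repeated events. The log lines it runs on are constructed samples modelled on the message quoted above, mixed with an unrelated message to show that other syslog IDs are ignored; field names and the recurrence threshold are this example's own choices, not anything from the ASA documentation.

```python
import re

# Constructed sample syslog lines modelled on the %ASA-7-711002 message in the post.
# The 302015 line is an unrelated connection message included to show it is skipped.
SAMPLE_LOGS = """\
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413
%ASA-6-302015: Built outbound UDP connection 12 for outside:198.51.100.2/500 (198.51.100.2/500) to inside:192.0.2.1/500 (192.0.2.1/500)
%ASA-7-711002: Task ran for 21 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C
"""

# Field layout follows the quoted message; the trailing frame list may be empty.
TRACEBACK_RE = re.compile(
    r"%ASA-(?P<sev>\d)-711002: Task ran for (?P<ms>\d+) msec, "
    r"Process = (?P<proc>[^,]+), PC = (?P<pc>[0-9a-fA-F]+), Traceback =(?P<tb>.*)$"
)


def parse_traceback(line):
    """Return a dict for a 711002 line, or None for any other syslog message."""
    m = TRACEBACK_RE.search(line)
    if not m:
        return None
    return {
        "severity": int(m.group("sev")),
        "msec": int(m.group("ms")),
        "process": m.group("proc").strip(),
        "pc": m.group("pc").lower(),
        "frames": m.group("tb").split(),  # hex return addresses, possibly none
    }


def summarize(log_text):
    """Group 711002 events by (process, PC): count, longest task time, deepest stack seen."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_traceback(line)
        if ev is None:
            continue
        key = (ev["process"], ev["pc"])
        entry = summary.setdefault(key, {"count": 0, "max_msec": 0, "frames": []})
        entry["count"] += 1
        entry["max_msec"] = max(entry["max_msec"], ev["msec"])
        if len(ev["frames"]) > len(entry["frames"]):
            entry["frames"] = ev["frames"]
    return summary


def recurring(summary, threshold=2):
    """(process, PC) pairs seen at least `threshold` times; a hypothetical escalation cut-off."""
    return [key for key, v in summary.items() if v["count"] >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for (proc, pc), v in s.items():
        print(f"{proc} @ PC {pc}: {v['count']} events, max {v['max_msec']} ms, "
              f"{len(v['frames'])} frames")
    print("recurring:", recurring(s))
```

On the constructed input the three IKE Daemon events collapse into one key with the ten-frame stack retained, which is the form in which the evidence is easiest to compare against the debug output the reply below asks for.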

1 Reply

Herbert Baerten
Cisco Employee

Hi,

Could you please attach a (sanitized) config of both the ASA and the router, as well as "show crypto pki cert" from both, and the output of the following debugs:

  debug crypto isakmp (on router)

  debug crypto isakmp 100 (on ASA)

(please enable the debugs at the same time, and leave them running long enough to capture the whole phase 1).

Herbert
