01-28-2014 02:27 PM - edited 02-21-2020 05:05 AM
So I have an ASA 5510 in my main office. I have 4 other remote offices that connect with a 5505 through L2L VPN. Have had it for years with no problems; everything is perfect.
We have added a new remote office, so I am adding another 5505 to this office. I have everything set exactly the same, but this new one won't establish a VPN connection. Have a nice internet connection but no VPN. Is or was there some major change in ASA Version 8.2(5) that is causing a hiccup? All my other ASAs have version 7.2(4).....
What am I missing......
Thanks!!
Result of the command: "show crypto isakmp sa"
There are no isakmp sas
Result of the command: "show crypto ipsec sa"
There are no ipsec sas
: Saved
:
ASA Version 8.2(5)
!
hostname ********
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan12
 nameif outside
 security-level 0
 pppoe client vpdn group AT&T
 ip address pppoe setroute
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network outbound
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.90.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MM esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.22
crypto map outside_map 90 set transform-set MM
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname mm@att.net
vpdn group ATT ppp authentication pap
vpdn username mm@att.net password *****
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 192.168.90.5-192.168.90.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 222.222.222.22 type ipsec-l2l
tunnel-group 222.222.222.22 ipsec-attributes
 pre-shared-key ****
tunnel-group 77.77.777.777 type ipsec-l2l
tunnel-group 77.77.777.777 ipsec-attributes
 pre-shared-key ****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:748218d8f392a0ead093b8ebd225d599
: end
no asdm history enable
01-30-2014 11:33 AM
The above config looks OK at first glance. I assume your main site is just a replication of the same config for this site-to-site as the other ones you have.
When you introduce interesting traffic from the local subnet destined for the distant end, do you see the ISAKMP SA try to establish and fail? If so, the error message should be informative.
You may need to turn on debugging for the connection to get complete info: debug cry isa 7 (and maybe debug cry ips 7).
02-28-2014 09:45 AM
So other things came up, so this problem got pushed back....... NOW it's time to figure it out!!
Yes, I have 4 remote sites all connecting to my main site via L2L VPN perfectly.
I basically copied and pasted those commands to the new ASA and changed the required info.
But I cannot establish any kind of traffic between the new site and the main site.
From 5505 from New Site:
sh crypto ipsec sa
There are no isakmp sas
sh crypto ipsec sa
There are no ipsec sas
If I try and ping the ASA 5510 at my main site, I receive a 0% success rate.
I have remote access to this office, so I can currently only make changes to the ASA through the ASDM.
So if I do a packet tracer from the 5505 to the 5510:
Route-Look up is ok
IP-Options - ok
NAT - drops (acl-drop) Flow is denied by configured rule. But the rule is set exactly the same as on my other ASAs????
Any idea what I should check or do?
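The checks this thread is doing by hand (does the crypto map's ACL, transform-set and peer all line up, and is the tunnel traffic exempted from NAT so packet-tracer does not stop at the NAT phase) can be scripted. This is an added example, not code from the thread or from Cisco; it parses an excerpt of the posted 8.2 config (copied inline, with the thread's masked peer addresses) and reports inconsistencies.

```python
import re

# Excerpt of the config posted in this thread (copied inline; peer addresses are the thread's masked values)
ASA_CONFIG = """
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set MM esp-3des esp-sha-hmac
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.22
crypto map outside_map 90 set transform-set MM
crypto map outside_map interface outside
tunnel-group 222.222.222.22 type ipsec-l2l
tunnel-group 77.77.777.777 type ipsec-l2l
"""

def parse(cfg):
    """Pull out the pieces of an ASA 8.2 config that a static L2L tunnel depends on."""
    acls, tsets, maps, tgroups, nat0 = {}, set(), {}, set(), set()
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))      # name -> [(src, dst)]
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]      # (map, seq) -> settings
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tgroups.add(m[1])
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0.add(m[1])                                      # NAT-exempt ACLs
    return acls, tsets, maps, tgroups, nat0

def lint(cfg):
    """Return a list of findings; an empty list means the L2L pieces are consistent."""
    acls, tsets, maps, tgroups, nat0 = parse(cfg)
    findings, used_peers = [], set()
    exempt = {pair for n in nat0 for pair in acls.get(n, [])}
    for (name, seq), entry in maps.items():
        tag = f"crypto map {name} {seq}"
        acl, tset, peer = entry.get("match address"), entry.get("set transform-set"), entry.get("set peer")
        used_peers.add(peer)
        if acl not in acls:
            findings.append(f"{tag}: crypto ACL {acl!r} is missing or empty")
        if tset not in tsets:
            findings.append(f"{tag}: transform-set {tset!r} is not defined")
        if peer not in tgroups:
            findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l' for the peer")
        # Every crypto ACL line must also appear in a nat 0 ACL, otherwise the packet is
        # translated (or dropped at the NAT phase) before it can match the tunnel.
        for pair in acls.get(acl, []):
            if pair not in exempt:
                findings.append(f"{tag}: {pair[0]} -> {pair[1]} is in ACL {acl} but not in a nat 0 ACL")
    for tg in sorted(tgroups - used_peers):
        findings.append(f"tunnel-group {tg}: defined but no crypto map entry points at it")
    return findings
```

On the posted excerpt the only finding is the unused 77.77.777.777 tunnel-group; a nonat entry whose destination subnet differs from the crypto ACL's would be reported as a NAT-exemption gap.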