Beginner

Simultaneous L2L VPN

Hello,

I'm migrating from an ASA5506-X firewall to a Firepower 1010 running ASA code. The ASA was able to create multiple L2L IPsec tunnels using IKEv2. Running the same config on the Firepower, I'm only able to create one connection at a time. If it catches traffic destined for the other remote network, it drops the first tunnel and creates a new one. As far as I can tell the code is identical, so I'm at a bit of a loss.

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 102 match address SITE1_INTERESTING_ACL
crypto map CRYPTO_MAP 102 set peer a.b.c.d
crypto map CRYPTO_MAP 102 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 102 set reverse-route
crypto map CRYPTO_MAP 103 match address SITE2_INTERESTING_ACL
crypto map CRYPTO_MAP 103 set peer m.n.o.p
crypto map CRYPTO_MAP 103 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 103 set reverse-route
crypto map CRYPTO_MAP interface outside

crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside


group-policy GP_DSL internal
group-policy GP_DSL attributes
 dns-server value *.*.*.*
 vpn-tunnel-protocol ikev2

tunnel-group a.b.c.d ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy GP_DSL
tunnel-group a.b.c.d ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
tunnel-group m.n.o.p ipsec-l2l
tunnel-group m.n.o.p general-attributes
 default-group-policy GP_DSL
tunnel-group m.n.o.p ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****

5 REPLIES

VIP Expert

If it is running ASA code it should work as expected.

But what do you see in the logs? Can you post the logs, and also which code version is it running?



BB


*** Rate All Helpful Responses ***


Thanks for the reply. The Firepower is running: ASA Version 9.13(1)2

The syslog entries I'm getting are below. IPs replaced with text, and repeated messages removed. The period of the log entries covers a few flip-flops of the VPN tunnels. The only thing I can tell from that is that it discards one tunnel when the other is initialized.

If it's useful, I can probably post more detailed debug output (debug crypto ikev2 protocol/platform, debug crypto ipsec), but it seems like a lot of data, so I haven't done that yet.

Nov  4 08:50:27 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov  4 08:50:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_2_REMOTE_LAN duration 0:01:30
Nov  4 08:50:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:51:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_2_REMOTE_LAN
Nov  4 08:51:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 104.
Nov  4 08:51:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_2_IP:500
Nov  4 08:51:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov  4 08:51:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804381 for outside:REMOTE_SITE_1_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:48 bytes 3057559
Nov  4 08:51:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:51:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov  4 08:51:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_1_IP, Username = REMOTE_SITE_1_IP, IP = REMOTE_SITE_1_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 56080, Bytes rcv: 2757501, Reason: Peer Reconnected
Nov  4 08:51:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x109802E0) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov  4 08:51:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB62434A0) between REMOTE_SITE_1_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov  4 08:51:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_2_IP
Nov  4 08:51:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x41E9FD11) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov  4 08:51:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x27F364A9) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov  4 08:51:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov  4 08:51:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 104.
Nov  4 08:51:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov  4 08:51:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:51:12 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804477 for outside:REMOTE_SITE_1_IP/4500 (REMOTE_SITE_1_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov  4 08:51:12 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov  4 08:51:12 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:51:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_1_REMOTE_LAN duration 0:01:30
Nov  4 08:51:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:52:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_1_REMOTE_LAN
Nov  4 08:52:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 102.
Nov  4 08:52:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_1_IP:500
Nov  4 08:52:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov  4 08:52:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:52:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
Nov  4 08:52:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_2_IP, Username = REMOTE_SITE_2_IP, IP = REMOTE_SITE_2_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 45036, Bytes rcv: 1928035, Reason: Peer Reconnected
Nov  4 08:52:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x41E9FD11) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov  4 08:52:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x27F364A9) between REMOTE_SITE_2_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov  4 08:52:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:52:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_1_IP
Nov  4 08:52:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0C30F9F) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov  4 08:52:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7B456993) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov  4 08:52:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov  4 08:52:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 102.
Nov  4 08:52:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov  4 08:52:14 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:52:15 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804528 for outside:REMOTE_SITE_2_IP/4500 (REMOTE_SITE_2_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov  4 08:52:15 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov  4 08:52:15 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:52:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_2_REMOTE_LAN duration 0:01:30
Nov  4 08:52:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:53:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_2_REMOTE_LAN
Nov  4 08:53:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 104.
Nov  4 08:53:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_2_IP:500
Nov  4 08:53:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov  4 08:53:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804477 for outside:REMOTE_SITE_1_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:48 bytes 3071815
Nov  4 08:53:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:53:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov  4 08:53:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_1_IP, Username = REMOTE_SITE_1_IP, IP = REMOTE_SITE_1_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 56240, Bytes rcv: 2769554, Reason: Peer Reconnected
Nov  4 08:53:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0C30F9F) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov  4 08:53:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7B456993) between REMOTE_SITE_1_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov  4 08:53:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_2_IP
Nov  4 08:53:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:53:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD8379D2B) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov  4 08:53:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x111183D8) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov  4 08:53:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov  4 08:53:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 104.
Nov  4 08:53:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov  4 08:53:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:53:12 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804573 for outside:REMOTE_SITE_1_IP/4500 (REMOTE_SITE_1_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov  4 08:53:12 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov  4 08:53:12 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:53:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_1_REMOTE_LAN duration 0:01:30
Nov  4 08:53:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:54:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_1_REMOTE_LAN
Nov  4 08:54:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 102.
Nov  4 08:54:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_1_IP:500
Nov  4 08:54:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov  4 08:54:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804528 for outside:REMOTE_SITE_2_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:44 bytes 2078807
Nov  4 08:54:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov  4 08:54:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:54:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
Nov  4 08:54:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_2_IP, Username = REMOTE_SITE_2_IP, IP = REMOTE_SITE_2_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 41596, Bytes rcv: 1812265, Reason: Peer Reconnected
Nov  4 08:54:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD8379D2B) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov  4 08:54:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x111183D8) between REMOTE_SITE_2_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov  4 08:54:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_1_IP
Nov  4 08:54:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA27EB407) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov  4 08:54:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAC541AE3) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov  4 08:54:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov  4 08:54:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 102.
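Added example (not the poster's or Cisco's code): a Python script that correlates the %ASA-5-750006 (IKEv2 SA UP) and %ASA-4-750014 (IKEv2 Session Aborted) messages in a log like the one above. For each abort caused by an INITIAL_CONTACT notification it finds the SA that came up in the same second from a different peer, and it groups peers by the IKEv2 Remote ID they present. The sample input is four lines taken from the log posted above; on those lines both REMOTE_SITE_1_IP and REMOTE_SITE_2_IP announce the same Remote ID, 192.168.1.4, which is the identity an INITIAL_CONTACT notification is matched against (RFC 7296, section 2.4: the responder deletes its other IKE SAs with that same authenticated peer identity). Whether that is what is happening here is for the poster to confirm on the remote units; the function names and regexes are this example's own.

```python
"""Correlate ASA IKEv2 syslog messages to explain a flapping pair of L2L tunnels.

Added example for the thread above, not the poster's or Cisco's code. It reads
the %ASA-5-750006 (IKEv2 SA UP) and %ASA-4-750014 (IKEv2 Session Aborted)
messages, pairs every abort caused by an INITIAL_CONTACT notification with the
peer whose SA came up in the same second, and lists IKEv2 Remote IDs that more
than one peer address has presented to the head office.
"""
import re
from collections import defaultdict

# Constructed sample: four lines selected from the log posted in the thread
# (two flap cycles), otherwise unchanged.
SAMPLE_LOG = """\
Nov  4 08:51:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:51:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov  4 08:52:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 SA UP. Reason: New Connection Established
Nov  4 08:52:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
"""

# Syslog timestamp as the ASA emits it ("Nov  4 08:51:00").
TS_RE = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)"

# %ASA-5-750006: the IKEv2 SA with <peer> came up.
SA_UP_RE = re.compile(
    TS_RE + r" \S+ %ASA-5-750006: Local:[^:\s]+:\d+ "
    r"Remote:(?P<peer>[^:\s]+):\d+ .*IKEv2 SA UP"
)

# %ASA-4-750014: the session with <victim> was aborted because <peer> sent
# INITIAL_CONTACT while authenticating as <remote_id>.
ABORT_RE = re.compile(
    TS_RE + r" \S+ %ASA-4-750014: Local:[^:\s]+:\d+ Remote:(?P<victim>[^:\s]+):\d+ "
    r".*Initial contact received for Local ID: (?P<local_id>[^,\s]+), "
    r"Remote ID: (?P<remote_id>\S+) from remote peer: (?P<peer>[^:\s]+):\d+"
)


def parse_events(text):
    """Return (timestamp, kind, fields) tuples for the two message types, in log order."""
    events = []
    for line in text.splitlines():
        m = SA_UP_RE.search(line)
        if m:
            events.append((m["ts"], "sa_up", {"peer": m["peer"]}))
            continue
        m = ABORT_RE.search(line)
        if m:
            events.append((m["ts"], "aborted", {
                "victim": m["victim"],
                "peer": m["peer"],
                "remote_id": m["remote_id"],
            }))
    return events


def find_initial_contact_flaps(events):
    """Pair each INITIAL_CONTACT abort with an SA UP from a different peer in the same second.

    Returns (timestamp, torn_down_peer, new_peer, remote_id) tuples. One peer's
    INITIAL_CONTACT tearing down another peer's tunnel is the pattern the
    thread describes as the tunnels "flip-flopping".
    """
    ups_by_ts = defaultdict(set)
    for ts, kind, fields in events:
        if kind == "sa_up":
            ups_by_ts[ts].add(fields["peer"])
    flaps = []
    for ts, kind, fields in events:
        if (kind == "aborted"
                and fields["peer"] in ups_by_ts[ts]
                and fields["peer"] != fields["victim"]):
            flaps.append((ts, fields["victim"], fields["peer"], fields["remote_id"]))
    return flaps


def remote_id_collisions(events):
    """Map each IKEv2 Remote ID to the set of peer addresses that asserted it.

    Only IDs claimed by more than one address are returned. Per RFC 7296
    section 2.4, INITIAL_CONTACT asks the responder to delete its other IKE SAs
    with the same authenticated identity, so two peers sharing an ID are
    treated as one peer reconnecting.
    """
    ids = defaultdict(set)
    for _, kind, fields in events:
        if kind == "aborted":
            ids[fields["remote_id"]].add(fields["peer"])
    return {rid: peers for rid, peers in ids.items() if len(peers) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, victim, new_peer, rid in find_initial_contact_flaps(evs):
        print(f"{ts}: INITIAL_CONTACT from {new_peer} (ID {rid}) tore down {victim}")
    for rid, peers in remote_id_collisions(evs).items():
        print(f"Remote ID {rid} is presented by {sorted(peers)}")
```

Run it against the full log to confirm that every 750014 abort in the capture is paired with a 750006 SA UP from the other peer and that only one Remote ID appears; if the remote units are meant to present distinct identities, that is the setting to check on them.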


I've turned on debugging as follows, and attached output from one of the remote devices and the head unit. The head unit is a Firepower 1010, the remote units are still ASA5506-x units.

debug crypto ipsec 127
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127

Rising star

Are there any static NATs with UDP 4500?


Thanks for the response!

Except for the NAT for tunnels, it's not running any. Here's the output from the "show nat" command:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static HEAD_OFFICE_LAN HEAD_OFFICE_LAN destination static REMOTE_SITE_1_LAN REMOTE_SITE_1_LAN
    translate_hits = 38150, untranslate_hits = 66519
2 (inside) to (outside) source static HEAD_OFFICE_LAN HEAD_OFFICE_LAN destination static REMOTE_SITE_2_LAN REMOTE_SITE_2_LAN
    translate_hits = 36747, untranslate_hits = 65495
