11-03-2020 01:21 PM
Hello,
I'm migrating from using an ASA5506-X firewall to a Firepower 1010 running ASA code. The ASA was able to create multiple L2L IPsec tunnels using IKEv2. Running the same config on the Firepower, I'm only able to create one connection at a time. If it catches traffic destined for the other remote network, it drops the first tunnel and creates a new one. As far as I can tell the config is identical, so I'm at a bit of a loss.
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 102 match address SITE1_INTERESTING_ACL
crypto map CRYPTO_MAP 102 set peer a.b.c.d
crypto map CRYPTO_MAP 102 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 102 set reverse-route
crypto map CRYPTO_MAP 103 match address SITE2_INTERESTING_ACL
crypto map CRYPTO_MAP 103 set peer m.n.o.p
crypto map CRYPTO_MAP 103 set ikev2 ipsec-proposal AES256
crypto map CRYPTO_MAP 103 set reverse-route
crypto map CRYPTO_MAP interface outside
crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
group-policy GP_DSL internal
group-policy GP_DSL attributes
 dns-server value *.*.*.*
 vpn-tunnel-protocol ikev2
tunnel-group a.b.c.d ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy GP_DSL
tunnel-group a.b.c.d ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
tunnel-group m.n.o.p ipsec-l2l
tunnel-group m.n.o.p general-attributes
 default-group-policy GP_DSL
tunnel-group m.n.o.p ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
11-03-2020 01:49 PM
If it's running ASA code, it should work as expected.
But what do you see in the logs? Can you post the logs, and also which code version is it running?
11-04-2020 07:29 AM - edited 11-04-2020 07:30 AM
Thanks for the reply. The Firepower is running: ASA Version 9.13(1)2
The syslog entries I'm getting are below. IPs replaced with text, and repeated messages removed. The period of the log entries covers a few flip-flops of the VPN tunnels. The only thing I can tell from that is that it discards one tunnel when the other is initialized.
If it's useful, I can probably post more detailed debug output (debug crypto ikev2 protocol/platform, debug crypto ipsec), but it seems like a lot of data, so I haven't done that yet.
Nov 4 08:50:27 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov 4 08:50:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_2_REMOTE_LAN duration 0:01:30
Nov 4 08:50:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:51:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_2_REMOTE_LAN
Nov 4 08:51:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:51:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_2_IP:500
Nov 4 08:51:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov 4 08:51:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804381 for outside:REMOTE_SITE_1_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:48 bytes 3057559
Nov 4 08:51:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 SA UP. Reason: New Connection Established
Nov 4 08:51:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 08:51:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_1_IP, Username = REMOTE_SITE_1_IP, IP = REMOTE_SITE_1_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 56080, Bytes rcv: 2757501, Reason: Peer Reconnected
Nov 4 08:51:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x109802E0) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov 4 08:51:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB62434A0) between REMOTE_SITE_1_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov 4 08:51:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_2_IP
Nov 4 08:51:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x41E9FD11) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov 4 08:51:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x27F364A9) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov 4 08:51:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:51:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:51:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov 4 08:51:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:51:12 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804477 for outside:REMOTE_SITE_1_IP/4500 (REMOTE_SITE_1_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov 4 08:51:12 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov 4 08:51:12 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:51:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_1_REMOTE_LAN duration 0:01:30
Nov 4 08:51:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:52:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_1_REMOTE_LAN
Nov 4 08:52:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov 4 08:52:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_1_IP:500
Nov 4 08:52:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov 4 08:52:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 SA UP. Reason: New Connection Established
Nov 4 08:52:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 08:52:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_2_IP, Username = REMOTE_SITE_2_IP, IP = REMOTE_SITE_2_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 45036, Bytes rcv: 1928035, Reason: Peer Reconnected
Nov 4 08:52:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x41E9FD11) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov 4 08:52:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x27F364A9) between REMOTE_SITE_2_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov 4 08:52:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:52:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_1_IP
Nov 4 08:52:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0C30F9F) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov 4 08:52:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7B456993) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov 4 08:52:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov 4 08:52:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov 4 08:52:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov 4 08:52:14 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:52:15 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804528 for outside:REMOTE_SITE_2_IP/4500 (REMOTE_SITE_2_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov 4 08:52:15 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov 4 08:52:15 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:52:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_2_REMOTE_LAN duration 0:01:30
Nov 4 08:52:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:53:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_2_REMOTE_LAN
Nov 4 08:53:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:53:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_2_IP:500
Nov 4 08:53:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_2_IP:4500
Nov 4 08:53:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804477 for outside:REMOTE_SITE_1_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:48 bytes 3071815
Nov 4 08:53:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 SA UP. Reason: New Connection Established
Nov 4 08:53:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 08:53:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_1_IP, Username = REMOTE_SITE_1_IP, IP = REMOTE_SITE_1_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 56240, Bytes rcv: 2769554, Reason: Peer Reconnected
Nov 4 08:53:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA0C30F9F) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov 4 08:53:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7B456993) between REMOTE_SITE_1_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_1_IP) has been deleted.
Nov 4 08:53:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_2_IP
Nov 4 08:53:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:53:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD8379D2B) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov 4 08:53:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x111183D8) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been created.
Nov 4 08:53:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:53:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = CRYPTO_MAP. Map Sequence Number = 104.
Nov 4 08:53:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500 (REPEATED MANY TIMES)
Nov 4 08:53:01 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:53:12 10.99.96.253 %ASA-6-302015: Built inbound UDP connection 804573 for outside:REMOTE_SITE_1_IP/4500 (REMOTE_SITE_1_IP/4500) to identity:HEAD_OFFICE_IP/4500 (HEAD_OFFICE_IP/4500)
Nov 4 08:53:12 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov 4 08:53:12 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_1_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:53:30 10.99.96.253 %ASA-7-609002: Teardown local-host outside:SITE_1_REMOTE_LAN duration 0:01:30
Nov 4 08:53:40 10.99.96.253 %ASA-7-710007: NAT-T keepalive received from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:54:00 10.99.96.253 %ASA-7-609001: Built local-host outside:SITE_1_REMOTE_LAN
Nov 4 08:54:00 10.99.96.253 %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov 4 08:54:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:500 from REMOTE_SITE_1_IP:500
Nov 4 08:54:00 10.99.96.253 %ASA-7-713906: IKE Receiver: Packet received on HEAD_OFFICE_IP:4500 from REMOTE_SITE_1_IP:4500
Nov 4 08:54:00 10.99.96.253 %ASA-6-302016: Teardown UDP connection 804528 for outside:REMOTE_SITE_2_IP/4500 to identity:HEAD_OFFICE_IP/4500 duration 0:01:44 bytes 2078807
Nov 4 08:54:00 10.99.96.253 %ASA-7-710005: UDP request discarded from REMOTE_SITE_2_IP/4500 to outside:HEAD_OFFICE_IP/4500
Nov 4 08:54:00 10.99.96.253 %ASA-5-750006: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 SA UP. Reason: New Connection Established
Nov 4 08:54:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 08:54:00 10.99.96.253 %ASA-4-113019: Group = REMOTE_SITE_2_IP, Username = REMOTE_SITE_2_IP, IP = REMOTE_SITE_2_IP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:01m:00s, Bytes xmt: 41596, Bytes rcv: 1812265, Reason: Peer Reconnected
Nov 4 08:54:00 10.99.96.253 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD8379D2B) between HEAD_OFFICE_IP and REMOTE_SITE_2_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov 4 08:54:00 10.99.96.253 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x111183D8) between REMOTE_SITE_2_IP and HEAD_OFFICE_IP (user= REMOTE_SITE_2_IP) has been deleted.
Nov 4 08:54:00 10.99.96.253 %ASA-6-113009: AAA retrieved default group policy (GP_DSL) for user = REMOTE_SITE_1_IP
Nov 4 08:54:00 10.99.96.253 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA27EB407) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov 4 08:54:00 10.99.96.253 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAC541AE3) between HEAD_OFFICE_IP and REMOTE_SITE_1_IP (user= REMOTE_SITE_1_IP) has been created.
Nov 4 08:54:00 10.99.96.253 %ASA-5-752016: IKEv2 was successful at setting up a tunnel. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
Nov 4 08:54:00 10.99.96.253 %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = CRYPTO_MAP. Map Sequence Number = 102.
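One mechanical check worth running over a log like the one above, as an added example and not something from this thread or from Cisco: pull every %ASA-4-750014 "Initial contact received" message out of the syslog text and list each Remote ID together with the distinct peer addresses that have presented it. In IKEv2 the INITIAL_CONTACT notification asserts that the new IKE SA is the only one between the two authenticated identities, and the responder may delete any other IKE SA it holds to that same identity (RFC 7296, section 2.4), so the identity each peer sends matters as much as its address. The first two sample lines are copied from the posted log (with the poster's IP placeholders); the third line, the 10.20.30.40 identity and REMOTE_SITE_3_IP are constructed to show a plain reconnect by a single peer, which the check should not flag.

```python
"""Group IKEv2 initial-contact aborts in ASA syslog by the Remote ID they cite."""
import re
from collections import defaultdict

# Sample input: two %ASA-4-750014 lines copied from the posted syslog (IP
# placeholders are the poster's), plus one constructed line for a peer that
# simply reconnected with its own, distinct identity.
SAMPLE_LOG = """\
Nov 4 08:51:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_1_IP:4500 Username:REMOTE_SITE_1_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_2_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 08:52:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_2_IP:4500 Username:REMOTE_SITE_2_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 192.168.1.4 from remote peer: REMOTE_SITE_1_IP:4500 to HEAD_OFFICE_IP:4500
Nov 4 09:10:00 10.99.96.253 %ASA-4-750014: Local:HEAD_OFFICE_IP:4500 Remote:REMOTE_SITE_3_IP:4500 Username:REMOTE_SITE_3_IP IKEv2 Session Aborted. Reason: Initial contact received for Local ID: HEAD_OFFICE_IP, Remote ID: 10.20.30.40 from remote peer: REMOTE_SITE_3_IP:4500 to HEAD_OFFICE_IP:4500
"""

# Field layout follows the %ASA-4-750014 text as it appears in the posted log.
ABORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+%ASA-4-750014: "
    r"Local:\S+ Remote:(?P<aborted>\S+) Username:\S+ IKEv2 Session Aborted\. "
    r"Reason: Initial contact received for Local ID: (?P<local_id>[^,]+), "
    r"Remote ID: (?P<remote_id>\S+) from remote peer: (?P<new_peer>\S+) to \S+$"
)


def strip_port(addr):
    """'REMOTE_SITE_1_IP:4500' -> 'REMOTE_SITE_1_IP'; bare addresses pass through."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_initial_contact_aborts(log_text):
    """Return one dict per %ASA-4-750014 line: when, which peer's session was
    aborted, which peer's initial contact caused it, and the Remote ID cited."""
    events = []
    for line in log_text.splitlines():
        m = ABORT_RE.match(line.strip())
        if not m:
            continue  # any other syslog line is ignored
        events.append({
            "ts": m["ts"],
            "aborted_peer": strip_port(m["aborted"]),
            "new_peer": strip_port(m["new_peer"]),
            "remote_id": m["remote_id"],
        })
    return events


def peers_sharing_remote_id(events):
    """Map each Remote ID to the sorted list of distinct peer addresses that
    have used it, keeping only IDs presented by more than one address."""
    by_id = defaultdict(set)
    for ev in events:
        by_id[ev["remote_id"]].add(ev["aborted_peer"])
        by_id[ev["remote_id"]].add(ev["new_peer"])
    return {rid: sorted(peers) for rid, peers in by_id.items() if len(peers) > 1}


def flip_flop_count(events, remote_id):
    """Count aborts for remote_id where the new peer differs from the aborted
    one, i.e. one peer displacing another rather than a peer reconnecting."""
    return sum(
        1 for ev in events
        if ev["remote_id"] == remote_id and ev["aborted_peer"] != ev["new_peer"]
    )


if __name__ == "__main__":
    evs = parse_initial_contact_aborts(SAMPLE_LOG)
    for rid, peers in peers_sharing_remote_id(evs).items():
        print(f"Remote ID {rid}: presented by {len(peers)} peers "
              f"({', '.join(peers)}), {flip_flop_count(evs, rid)} displacement(s)")
```

Run it against a saved syslog capture instead of SAMPLE_LOG to get the same summary for a real device; an ID that maps to two or more peer addresses is the condition under which each peer's initial contact will keep tearing the other's SA down.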
11-05-2020 02:03 PM
I've turned on debugging as follows, and attached output from one of the remote devices and the head unit. The head unit is a Firepower 1010, the remote units are still ASA5506-x units.
debug crypto ipsec 127
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
11-04-2020 06:23 PM - edited 11-04-2020 06:24 PM
Are there any static NATs involving UDP 4500?
11-05-2020 02:02 PM - edited 11-05-2020 02:02 PM
Thanks for the response!
Except for the NAT for tunnels, it's not running any. Here's the output from the "show nat" command:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static HEAD_OFFICE_LAN HEAD_OFFICE_LAN destination static REMOTE_SITE_1_LAN REMOTE_SITE_1_LAN
    translate_hits = 38150, untranslate_hits = 66519
2 (inside) to (outside) source static HEAD_OFFICE_LAN HEAD_OFFICE_LAN destination static REMOTE_SITE_2_LAN REMOTE_SITE_2_LAN
    translate_hits = 36747, untranslate_hits = 65495