cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1490
Views
0
Helpful
13
Replies

Cannot connect ASA5505 to 3000 Concentrator

agonza07
Level 1
Level 1

Hi everyone,

I followed the document

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

but I am still unable to get my ASA to connect. I'm thinking it's because of the ISP's DSL router but I'm not sure. I even enabled NAT-T but that didn't do anything. Here is my layout:

ASA -> DSL Router -> Internet -> Concentrator

ASA inside: 10.103.0.1

ASA outside: 192.168.1.250

DSL Router LAN: 192.168.1.254

DSL Router WAN: 148.X.X.X

Concentrator: 24.X.X.X

Concentrator LAN: 172.16.0.1

Here's my config too with some debugs. Can someone shed some light please? Thanks.

1 Accepted Solution

Accepted Solutions

Sorry logs are not helping

debug crypto isakmp 127

debug crypto ipsec 127

debug crypto engine

show crypto isakmp sa detail

show crypto ipsec sa detail

It could be Phase 1 identity issue also. ASA accepts and moves on the Phast 1, but VPNC reject.

Also if possible IKE,IKEDBG,IPSEC,IPSECDBG logs from VPNC.

Regards

Farrukh

View solution in original post

13 Replies 13

Farrukh Haroon
VIP Alumni
VIP Alumni

Double check your Pre-shared key and phase 2 parameters. The document uses a /16 mask on the VPN concentrator side, on the ASA you are using a /24 for the concentrator LAN, is it the same on the other side?

Regards

Farrukh

Yeah I checked both of them and still nothing. The subnets are like that because I was making changes to the config so as to not give out my real config.

I'm being NAT's behind a cisco 1800 that belongs to the ISP, but the IP address is the one that I set up on the concentrator. Do you think this has something to do with it.

If there is NAT in the transit path, why don't you enable NAT-T on the Concentrator?

Its enabled on IOS by default, but disabled on PIX/ASA/VPNC.

Regards

Farrukh

I'm not very familiar with the ASA, but I believe I configured NAT-T already. Here is another screenshot and updated config. Thanks for all your help guys, i really hope we can get this up and running.

I had to edit some of the subnets but it all should be exactly off the Cisco doc 69115. I'm trying to get the ISP to give me the IP directly to my ASA, but it's been hard trying to get ahold of them, and I want to get this up ASAP.

BTW, is my NAT set up correctly?

Thanks,

On the ASA add:

crypto isakmp nat-traversal

On the VPN concentrator you have enabled NAT-T on the L2L Connection itself, but have you enabled it globally? LIke this:

#

Configure IPSec over NAT-T and/or IPSec over TCP:

1. On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.

2. Check the IPSec over NAT-T and/or TCP check box.

Regards

Farrukh

Both are active.

Initiate the tunnel from the ASA and post the output of show crypto isakmp sa detail

Also if possible the debug output 'debug crypto isakmp 127'

Do 'find and replace' for your public IPs to hide them.

Regards

Farrukh

Mexico-ASA5501# ping inside 172.16.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:

Aug 07 06:51:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 50.0.0.0, Crypto map (EP-Map)

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload

Aug 07 06:51:09 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload

Aug 07 06:51:09 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

?Aug 07 06:51:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:11 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:13 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:15 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 06:51:17 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?

Success rate is 0 percent (0/5)

Mexico-ASA5501# Aug 07 06:51:25 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:33 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE MM Initiator FSM error history (struct &0x3c71290) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, IKE SA MM:02d189d8 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Aug 07 06:51:41 [IKEv1 DEBUG]: IP = 24.X.X.X, sending delete/delete with reason message

Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Removing peer from peer table failed, no match!

Aug 07 06:51:41 [IKEv1]: IP = 24.X.X.X, Error: Unable to remove PeerTblEntry

Sorry logs are not helping

debug crypto isakmp 127

debug crypto ipsec 127

debug crypto engine

show crypto isakmp sa detail

show crypto ipsec sa detail

It could be Phase 1 identity issue also. ASA accepts and moves on the Phast 1, but VPNC reject.

Also if possible IKE,IKEDBG,IPSEC,IPSECDBG logs from VPNC.

Regards

Farrukh

Mexico-ASA5501# debug crypto isakmp 127

Mexico-ASA5501# debug crypto ipsec 127

Mexico-ASA5501# debug crypto engine

Mexico-ASA5501#

Mexico-ASA5501# show crypto isakmp sa detail

There are no isakmp sas

Mexico-ASA5501# show crypto ipsec sa detail

There are no ipsec sas

Mexico-ASA5501# ping inside 172.16.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:

Aug 07 07:31:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 24.X.X.X local Proxy Address 10.103.0.0, remote Proxy Address 172.16.0.0, Crypto map (EP-Map)

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing ISAKMP SA payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 02 payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing NAT-Traversal VID ver 03 payload

Aug 07 07:31:21 [IKEv1 DEBUG]: IP = 24.X.X.X, constructing Fragmentation VID + extended capabilities payload

Aug 07 07:31:21 [IKEv1]: IP = 24.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

?Aug 07 07:31:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:23 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:25 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:27 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Aug 07 07:31:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Aug 07 07:31:29 [IKEv1]: IP = 24.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

?

Success rate is 0 percent (0/5)

Mexico-ASA5501# show crypto isakmp sa detail

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 24.X.X.X

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 0

Mexico-ASA5501# show crypto ipsec sa detail

There are no ipsec sas

GOT IT!!!

my IKE proposals had the aes-128 above the 256, so I just moved the 256 above the 128 and that did it. Thanks for all your help Farrukh.

--mando

NO problem buddy, I'm glad you have it working.

A debug almost always helps :)

Regards

Farrukh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: