01-22-2021 03:11 AM - edited 01-22-2021 04:48 AM
Hi,
I've been having major problems creating new tunnels since I upgraded my ASA5525-X from version 9.4(4)34 to version 9.8(4)22; all the tunnels I created before the upgrade continue to work fine.
I'll give you an example of a tunnel that doesn't work (it goes towards the Oracle cloud, and I have 2 others that work and are identical but were created before the update):
crypto ikev2 enable outside
crypto ikev2 policy 10
encryption aes-256
integrity sha384
group 5
prf sha
lifetime seconds 28800
group-policy oracle internal
group-policy oracle attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev2
crypto ipsec ikev2 ipsec-proposal oracle_v2_ipsec_proposal
protocol esp encryption aes-256
protocol esp integrity sha-1
object network obj-192.168.51.0
subnet 192.168.51.0 255.255.255.0
access-list CRY-ACL-NET51 extended permit ip object obj-172.30.248.0 object obj-192.168.51.0
crypto map outside_map 13 match address CRY-ACL-NET51
crypto map outside_map 13 set pfs group5
crypto map outside_map 13 set peer xxx.xxx.xxx.xxx
crypto map outside_map 13 set ikev2 ipsec-proposal oracle_v2_ipsec_proposal
crypto map outside_map 13 set security-association lifetime seconds 3600
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy oracle
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev2 local-authentication pre-shared-key yyyyyyyyyyyyyyyyyyyyyy
ikev2 remote-authentication pre-shared-key zzzzzzzzzzzzzzzzzzzzzz
access-list acl_in extended permit ip object obj-172.30.248.0 object obj-192.168.51.0
nat (inside,outside) source static obj-172.30.248.0 obj-172.30.248.0 destination static obj-192.168.51.0 obj-192.168.51.0 no-proxy-arp route-lookup
The tunnel goes up correctly:
1342443445 fff.fff.fff.fff/500 xxx.xxx.xxx.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1449 sec
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535 (there is something strange here, because it is a single IP instead of 172.30.248.0/0 - 172.30.255.255/65535)
remote selector 192.168.51.160/0 - 192.168.51.160/65535
If I force the logout of the tunnel and then try a ping to a client in 192.168.51.0/24, the tunnel comes back UP and I get a reply to the ping; if I try to ping 2 different clients in the same network then neither of the 2 pings works. If I try to ping from two different clients to 192.168.51.0/24 then nothing reaches the clients on that network anymore. Every time I want to do a test I have to force the tunnel logout.
Can you help me?
Kind regards,
Luciano
Update 1
I have also noticed that when I try to ping a client on the network 192.168.51.0/24 the outbound traffic counter increases, while the inbound traffic counter does not move.
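The symptom above (one host pair works, a second client gets nothing until the tunnel is torn down) is what you would expect when the negotiated child SA covers only a /32 on each side instead of the crypto ACL subnets. The following script is an added example, not code from the original post or from Cisco: it parses the `Child sa` selector lines of `show crypto ikev2 sa` output, compares them with the subnets the crypto ACL is supposed to protect, and reports selectors that were narrowed. The sample output is constructed from the lines quoted in the post; `obj-172.30.248.0` is not defined on the page, so it is assumed here to be 172.30.248.0/21, matching the 172.30.248.0 - 172.30.255.255 range the poster expected to see.

```python
"""Compare negotiated IKEv2 child-SA traffic selectors with the crypto ACL subnets.

Added example (not part of the thread). Sample 'show crypto ikev2 sa' fragments below
are constructed from the selector lines quoted in the post.
"""
import ipaddress
import re

# Constructed sample: the narrowed child SA as seen in the post.
NARROWED_SA = """\
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535
          remote selector 192.168.51.160/0 - 192.168.51.160/65535
"""

# Constructed sample: what a child SA covering the whole crypto ACL would look like.
FULL_SA = """\
Child sa: local selector 172.30.248.0/0 - 172.30.255.255/65535
          remote selector 192.168.51.0/0 - 192.168.51.255/65535
"""

# Subnets from the crypto ACL. obj-172.30.248.0 is assumed to be a /21 (not shown on the page);
# obj-192.168.51.0 is defined on the page as 192.168.51.0/24.
LOCAL_NET = ipaddress.ip_network("172.30.248.0/21")
REMOTE_NET = ipaddress.ip_network("192.168.51.0/24")

# ASA prints selectors as "<ip>/<port> - <ip>/<port>".
SELECTOR_RE = re.compile(r"(local|remote) selector (\S+)/(\d+) - (\S+)/(\d+)")


def parse_selectors(text):
    """Return {'local': (start_ip, end_ip, start_port, end_port), 'remote': (...)}."""
    out = {}
    for m in SELECTOR_RE.finditer(text):
        side, start, p0, end, p1 = m.groups()
        out[side] = (ipaddress.ip_address(start), ipaddress.ip_address(end), int(p0), int(p1))
    return out


def selector_covers(selector, network):
    """True if the selector spans exactly the network and all ports."""
    start, end, p0, p1 = selector
    return (start == network.network_address and end == network.broadcast_address
            and p0 == 0 and p1 == 65535)


def check_child_sa(text, local_net, remote_net):
    """Return a list of findings; empty means the child SA matches the crypto ACL."""
    selectors = parse_selectors(text)
    findings = []
    for side, net in (("local", local_net), ("remote", remote_net)):
        if side not in selectors:
            findings.append(f"{side} selector missing from output")
            continue
        start, end, _, _ = selectors[side]
        if not selector_covers(selectors[side], net):
            hosts = int(end) - int(start) + 1
            findings.append(f"{side} selector narrowed to {start}-{end} "
                            f"({hosts} address(es)); crypto ACL expects {net}")
    return findings


def traffic_matches(selectors, src, dst):
    """True if a src->dst packet falls inside the negotiated child SA.

    Traffic outside the selectors is not protected by this SA, which is why a second
    client never gets a reply while a narrowed SA is in place.
    """
    def in_range(sel, ip):
        start, end, _, _ = sel
        return start <= ip <= end
    return (in_range(selectors["local"], ipaddress.ip_address(src))
            and in_range(selectors["remote"], ipaddress.ip_address(dst)))


if __name__ == "__main__":
    for name, sample in (("narrowed", NARROWED_SA), ("full", FULL_SA)):
        print(name, check_child_sa(sample, LOCAL_NET, REMOTE_NET) or "OK")
        sel = parse_selectors(sample)
        print("  second client 172.30.250.10 -> 192.168.51.20 covered:",
              traffic_matches(sel, "172.30.250.10", "192.168.51.20"))
```

Paste the real `show crypto ikev2 sa` output in place of the constructed samples. If the local and remote selectors come back as single addresses while the crypto ACL names whole subnets, the thing to compare next is the peer side's traffic-selector configuration against the ASA's crypto ACL, since the child SA is negotiated as the intersection of what both sides propose.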
01-22-2021 04:05 AM - edited 01-22-2021 04:45 AM
Hello,
How many policies do you have configured (with 20 being the maximum supported for IKEv1 and IKEv2)?
Also, post the output of:
debug crypto ikev2
debug crypto isakmp
01-22-2021 04:47 AM
Ciao Georg,
I have 15 group-policies.
Thanks for the help.
Kind regards,
Luciano
01-22-2021 06:01 AM
I think your ASA peer is used in multiple IPsec S2S tunnels?
01-22-2021 06:11 AM
crypto map outside_map interface outside
Run this command and see the effect of it; I think this is the issue here.