01-22-2021 03:11 AM - edited 01-22-2021 04:48 AM
Hi,
I've been having major problems creating new tunnels since I upgraded my ASA5525-X from version 9.4(4)34 to version 9.8(4)22; all the tunnels I created before the upgrade continue to work fine.
Here is an example of a tunnel that doesn't work (it goes to the Oracle cloud; I have 2 others that are identical and work, but they were created before the upgrade):
crypto ikev2 enable outside
crypto ikev2 policy 10
encryption aes-256
integrity sha384
group 5
prf sha
lifetime seconds 28800
group-policy oracle internal
group-policy oracle attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev2
crypto ipsec ikev2 ipsec-proposal oracle_v2_ipsec_proposal
protocol esp encryption aes-256
protocol esp integrity sha-1
object network obj-192.168.51.0
subnet 192.168.51.0 255.255.255.0
access-list CRY-ACL-NET51 extend permit ip object obj-172.30.248.0 object obj-192.168.51.0
crypto map outside_map 13 match address CRY-ACL-NET51
crypto map outside_map 13 set pfs group5
crypto map outside_map 13 set peer xxx.xxx.xxx.xxx
crypto map outside_map 13 set ikev2 ipsec-proposal oracle_v2_ipsec_proposal
crypto map outside_map 13 set security-association lifetime seconds 3600
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy oracle
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev2 local-authentication pre-shared-key yyyyyyyyyyyyyyyyyyyyyy
ikev2 remote-authentication pre-shared-key zzzzzzzzzzzzzzzzzzzzzz
access-list acl_in extended permit ip object obj-172.30.248.0 object obj-192.168.51.0
nat (inside,outside) source static obj-172.30.248.0 obj-172.30.248.0 destination static obj-192.168.51.0 obj-192.168.51.0 no-proxy-arp route-lookup
The tunnel goes up correctly:
1342443445 fff.fff.fff.fff/500 xxx.xxx.xxx.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1449 sec
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535 (there is something strange here, because it is a single IP instead of 172.30.248.0/0 - 172.30.255.255/65535)
remote selector 192.168.51.160/0 - 192.168.51.160/65535
If I force the tunnel to log out and then ping from one client on 192.168.51.0/24, the tunnel comes back UP and I get a reply to the ping. If I ping from 2 different clients on the same network, neither of the 2 pings works, and if I ping from two different clients towards 192.168.51.0/24, nobody reaches the clients on that network anymore. Every time I want to run a test I have to force the tunnel to log out.
Can you help me?
Kind regards,
Luciano
Update 1
I have also noticed that when I try to ping a client on the network 192.168.51.0/24 the outbound traffic counter increases, while the inbound traffic counter stays still.
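The child SA shown above has single-host selectors (172.30.255.163 and 192.168.51.160) while the crypto ACL covers two whole subnets, which matches the symptom that only the first client gets a reply. Below is an added diagnostic script, not part of Luciano's post or any Cisco tool, that parses the "Child sa: local selector ... remote selector ..." lines from show crypto ikev2 sa output and flags any selector that is narrower than the expected crypto ACL networks. The sample output is constructed to mirror the excerpt quoted in the post; the expected networks (172.30.248.0/21 and 192.168.51.0/24) are assumptions taken from the ranges the post mentions.

```python
"""Flag IKEv2 child SAs whose negotiated traffic selectors are narrower than
the crypto ACL they should carry.

Added example modelled on the 'show crypto ikev2 sa' excerpt in the post;
the SA output below is constructed, not captured from a real device.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the narrowed SA from the post (peer addresses are placeholders).
NARROWED_SA_OUTPUT = """\
1342443445 fff.fff.fff.fff/500 xxx.xxx.xxx.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1449 sec
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535
remote selector 192.168.51.160/0 - 192.168.51.160/65535
"""

# Constructed sample: what a healthy SA covering the whole crypto ACL would look like.
HEALTHY_SA_OUTPUT = """\
1342443445 fff.fff.fff.fff/500 xxx.xxx.xxx.xxx/500 READY RESPONDER
Child sa: local selector 172.30.248.0/0 - 172.30.255.255/65535
remote selector 192.168.51.0/0 - 192.168.51.255/65535
"""

# Matches "local selector A/port - B/port" and the "remote selector" counterpart.
SELECTOR_RE = re.compile(
    r"(?P<side>local|remote) selector\s+"
    r"(?P<lo>[\d.]+)/(?P<lo_port>\d+)\s*-\s*(?P<hi>[\d.]+)/(?P<hi_port>\d+)"
)

Selector = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_child_selectors(sa_output: str) -> Dict[str, Selector]:
    """Return {'local': (first, last), 'remote': (first, last)} for the first child SA."""
    selectors: Dict[str, Selector] = {}
    for match in SELECTOR_RE.finditer(sa_output):
        side = match.group("side")
        if side in selectors:
            break  # a second child SA starts here; this example inspects only the first
        selectors[side] = (
            ipaddress.IPv4Address(match.group("lo")),
            ipaddress.IPv4Address(match.group("hi")),
        )
    return selectors


def selector_covers(selector: Selector, expected: ipaddress.IPv4Network) -> bool:
    """True when the negotiated address range contains the whole expected network."""
    lo, hi = selector
    return lo <= expected.network_address and hi >= expected.broadcast_address


def check_child_sa(sa_output: str, expected_local: str, expected_remote: str) -> List[str]:
    """Compare negotiated selectors with the crypto ACL networks; return a list of findings."""
    findings: List[str] = []
    selectors = parse_child_selectors(sa_output)
    expected = {
        "local": ipaddress.IPv4Network(expected_local),
        "remote": ipaddress.IPv4Network(expected_remote),
    }
    for side, net in expected.items():
        if side not in selectors:
            findings.append(f"{side}: no selector found in SA output")
            continue
        lo, hi = selectors[side]
        if not selector_covers((lo, hi), net):
            width = int(hi) - int(lo) + 1
            findings.append(
                f"{side}: negotiated selector {lo}-{hi} ({width} address(es)) "
                f"is narrower than crypto ACL network {net}"
            )
    return findings


if __name__ == "__main__":
    for label, output in (("narrowed", NARROWED_SA_OUTPUT), ("healthy", HEALTHY_SA_OUTPUT)):
        print(f"[{label}]")
        for line in check_child_sa(output, "172.30.248.0/21", "192.168.51.0/24") or ["OK"]:
            print("  " + line)
```

Running this on the quoted SA reports both selectors as narrowed to a single address, which explains why a second client's traffic no longer matches the installed SA; on the healthy sample it reports nothing. Comparing the output before and after a version change, or against the SAs of the two older Oracle tunnels that still work, shows whether the narrowing is specific to the new tunnel.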
01-22-2021 04:05 AM - edited 01-22-2021 04:45 AM
Hello,
How many policies do you have configured (20 being the maximum supported for ikev1 and ikev2)?
Also, post the output of:
debug crypto ikev2
debug crypto isakmp
01-22-2021 04:47 AM
Hi Georg,
I have 15 group-policies.
Thanks for the help.
Kind regards,
Luciano
01-22-2021 06:01 AM
I think your ASA peer is used in multiple IPsec S2S tunnels?
01-22-2021 06:11 AM
crypto map 13 interface outside
Run this command and see its effect; I think this is the issue here.