Lan2Lan VPN, ASA--NATED Router 2921 header invalid & IP changing

Hi, everyone,  

We have had an L2L VPN working for a long time, until this week our Cisco router was put behind Mart's PaloAlto router (which I have no control over) and NATed to a static IP, 10.200.130.2---8.y.y.47, like below:
ASA (216.x.x.218)--Internet----PaloAltoRouter <-Lan-> (8.y.y.47) Router2921 (10.200.130.2)

Summary: I have errors like "Invalid header" (details below), but more importantly I have multiple entries for the NATed IP (8.y.y.47) and Mart's PaloAlto router IP (8.y.y.252). They insist they did everything right for the static NAT; they also told me I should use some kind of VPN peer identity as there is IP translation along the path, but still I can't get it working. Any suggestions and advice are greatly appreciated!


ASA(iOS 9.9) side:
crypto isakmp identity hostname
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.0.0 255.255.0.0 10.14.0.0 255.255.0.0 (hitcnt=175925)
crypto map outside_map 4 match address outside_cryptomap_8
crypto map outside_map 4 set peer 8.y.y.47
crypto map outside_map 4 set ikev1 transform-set ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 match address outside_cryptomap_8

tunnel-group 8.y.y.47 type ipsec-l2l
tunnel-group 8.y.y.47 general-attributes
default-group-policy GroupPolicy_8.y.y.47
tunnel-group 8.y.y.47 ipsec-attributes
ikev1 pre-shared-key *****
>sh cry isa sa
3 IKE Peer: 8.y.y.252
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
8 IKE Peer: 8.y.y.47
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6


Router(IOS 15.7) 2921:

crypto isakmp key **** address 8.y.y.47
crypto isakmp identity hostname
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel


crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to ASA
set peer 216.x.x.218
set transform-set ESP-3DES-SHA
match address 105


interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address 10.200.130.2 255.255.255.0
ip nat outside
crypto map SDM_CMAP_1


ip route 0.0.0.0 0.0.0.0 10.200.130.1


> sh cry isa sa
10.200.130.2 216.x.x.218 MM_KEY_EXCH 9004 ACTIVE
10.200.130.2 216.x.x.218 MM_KEY_EXCH 9003 ACTIVE
10.200.130.2 216.x.x.218 MM_NO_STATE 9001 ACTIVE (deleted)
216.x.x.218 10.200.130.2 QM_IDLE 9002 ACTIVE


----ASA debug cry ikev1 127 -------------------------
Jun 18 18:18:39 [IKEv1]IP = 8.y.y.47, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jun 18 18:18:39 [IKEv1]IKE Receiver: Packet received on 216.x.x.218:500 from 8.y.y.47:500
Jun 18 18:18:39 [IKEv1]IP = 8.y.y.47, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing ke payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing ISA_KE payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing nonce payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing VID payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, Received Cisco Unity client VID
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing VID payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, Received DPD VID
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing VID payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing VID payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, Received xauth V6 VID
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing NAT-Discovery payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, computing NAT Discovery hash
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, processing NAT-Discovery payload
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, computing NAT Discovery hash
Jun 18 18:18:39 [IKEv1]IP = 8.y.y.47, Connection landed on tunnel_group 8.y.y.47
Jun 18 18:18:39 [IKEv1 DEBUG]Group = 8.y.y.47, IP = 8.y.y.47, Generating keys for Initiator...
Jun 18 18:18:39 [IKEv1 DEBUG]Group = 8.y.y.47, IP = 8.y.y.47, constructing ID payload
Jun 18 18:18:39 [IKEv1 DEBUG]Group = 8.y.y.47, IP = 8.y.y.47, constructing hash payload
Jun 18 18:18:39 [IKEv1 DEBUG]Group = 8.y.y.47, IP = 8.y.y.47, Computing hash for ISAKMP
Jun 18 18:18:39 [IKEv1 DEBUG]IP = 8.y.y.47, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 18 18:18:39 [IKEv1 DEBUG]Group = 8.y.y.47, IP = 8.y.y.47, constructing dpd vid payload
Jun 18 18:18:39 [IKEv1]IP = 8.y.y.47, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 110
Jun 18 18:18:39 [IKEv1]Group = 8.y.y.47, IP = 8.y.y.47, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jun 18 18:18:39 [IKEv1]Group = 8.y.y.47, IP = 8.y.y.47, Floating NAT-T to port 4500
Jun 18 18:18:41 [IKEv1]IKE Receiver: Packet received on 216.54.34.218:500 from 8.y.y.47:500
Jun 18 18:18:41 [IKEv1]IP = 8.y.y.47, Header invalid, missing SA payload! (next payload = 4)
Jun 18 18:18:41 [IKEv1]IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 18 18:18:42 [IKEv1]IKE Receiver: Packet received on 216.54.34.218:500 from 8.y.y.47:500
Jun 18 18:18:42 [IKEv1]IP = 8.y.y.47, Header invalid, missing SA payload! (next payload = 4)
Jun 18 18:18:42 [IKEv1]IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 18 18:18:43 [IKEv1]IKE Receiver: Packet received on 216.x.x.218:500 from 96.82.196.129:500
:49 [IKEv1]IKE Receiver: Packet received on 216.x.x.218:500 from 104.2.1.169:500
Jun 18 18:18:49 [IKEv1]IKE Receiver: Packet received on 216.x.x.218:500 from 8.y.y.47:500
Jun 18 18:18:49 [IKEv1]Group = 8.y.y.47, IP = 8.y.y.47, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jun 18 18:18:49 [IKEv1]Group = 8.y.y.47, IP = 8.y.y.47, P1 Retransmit msg dispatched to MM FSM

----------------ASA log--------
Jun 18 18:04:17 asa :Jun 18 18:04:22 EDT: %ASA-session-6-302016: Teardown UDP connection 103357699 for outside:8.y.y.252/14536 to identity:216.x.x.218/4500 duration 0:02:01 bytes 25498
Jun 18 18:04:18 asa :Jun 18 18:04:22 EDT: %ASA-session-6-302015: Built inbound UDP connection 103360452 for outside:8.y.y.252/14536 (8.y.y.252/14536) to identity:216.x.x.218/4500 (216.x.x.218/4500)
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xE6016033) between 216.x.x.218 and 8.y.y.252 (user= 8.y.y.47) has been deleted.
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFEE0E986) between 8.y.y.252 and 216.x.x.218 (user= 8.y.y.47) has been deleted.
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713259: Group = 8.y.y.47, IP = 8.y.y.252, Session is being torn down. Reason: Administrator Reset
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-auth-4-113019: Group = 8.y.y.47, Username = 8.y.y.47, IP = 8.y.y.252, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:03m:37s, Bytes xmt: 0, Bytes rcv: 31202, Reason: Administrator Reset
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713904: IP = 8.y.y.252, Received encrypted packet with no matching SA, dropping
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-713905: Group = 8.y.y.47, IP = 8.y.y.47, Floating NAT-T from 8.y.y.47 port 500 to 8.y.y.252 port 14536
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713119: Group = 8.y.y.47, IP = 8.y.y.252, PHASE 1 COMPLETED
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-713905: Group = 8.y.y.47, IP = 8.y.y.252, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 69: access-list mismatch.
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-713905: Group = 8.y.y.47, IP = 8.y.y.252, Skipping dynamic map outside_dyn_map sequence 20: no transform set defined.
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA64FC4F9) between 216.x.x.218 and 8.y.y.252 (user= 8.y.y.47) has been created.
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713049: Group = 8.y.y.47, IP = 8.y.y.252, Security negotiation complete for LAN-to-LAN Group (8.y.y.47) Responder, Inbound SPI = 0x7ae9f420, Outbound SPI = 0xa64fc4f9
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7AE9F420) between 216.x.x.218 and 8.y.y.252 (user= 8.y.y.47) has been created.
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713120: Group = 8.y.y.47, IP = 8.y.y.252, PHASE 2 COMPLETED (msgid=1022afff)
Jun 18 18:07:55 asa :Jun 18 18:07:59 EDT: %ASA-session-6-302016: Teardown UDP connection 103360452 for outside:8.y.y.252/14536 to identity:216.x.x.218/4500 duration 0:03:37 bytes 43710
Jun 18 18:07:55 asa :Jun 18 18:08:00 EDT: %ASA-session-6-302015: Built inbound UDP connection 103366331 for outside:8.y.y.252/14536 (8.y.y.252/14536) to identity:216.x.x.218/4500 (216.x.x.218/4500)
Jun 18 18:09:57 asa :Jun 18 18:10:
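An added triage script, not part of the original post and not Cisco code, that parses ASA syslog lines of the shape shown above and flags the two symptoms the post describes: the same tunnel-group being attributed to two different peer addresses (Group = 8.y.y.47 but IP = 8.y.y.252), and a NAT-T float whose destination address differs from the address the IKE UDP/500 exchange came from. The sample lines and addresses (203.0.113.x, 198.51.100.x, 192.0.2.x) are constructed for the example; the reading that the upstream NAT translates UDP/500 and UDP/4500 to different public addresses is an assumption to verify with the NAT owner (for instance by checking that the static NAT rule covers both ports), not something the post confirms.

```python
"""Triage helper for ASA IKEv1 LAN-to-LAN syslog (hypothetical helper, not Cisco code).

Flags a peer whose IKE (UDP/500) and NAT-T (UDP/4500) traffic reach the ASA
from different public addresses, the pattern visible in the post's log.
"""
import re
from collections import defaultdict

# Constructed sample lines shaped like the ASA log in the post; addresses are
# documentation ranges, not the poster's real ones.
SAMPLE_LOG = """\
Jun 18 18:04:18 asa :Jun 18 18:04:22 EDT: %ASA-session-6-302015: Built inbound UDP connection 103360452 for outside:203.0.113.252/14536 (203.0.113.252/14536) to identity:198.51.100.218/4500 (198.51.100.218/4500)
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-6-713905: Group = 203.0.113.47, IP = 203.0.113.47, Floating NAT-T from 203.0.113.47 port 500 to 203.0.113.252 port 14536
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713119: Group = 203.0.113.47, IP = 203.0.113.252, PHASE 1 COMPLETED
Jun 18 18:05:54 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713120: Group = 203.0.113.47, IP = 203.0.113.252, PHASE 2 COMPLETED (msgid=1022afff)
Jun 18 18:05:53 asa :Jun 18 18:05:41 EDT: %ASA-vpn-5-713904: IP = 203.0.113.252, Received encrypted packet with no matching SA, dropping
Jun 18 18:12:00 asa :Jun 18 18:12:00 EDT: %ASA-vpn-5-713119: Group = 192.0.2.9, IP = 192.0.2.9, PHASE 1 COMPLETED
"""

# %ASA-<class>-<severity>-<msgid>: <body>
MSG_RE = re.compile(r"%ASA-[a-z]+-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
# "Group = <tunnel-group>, IP = <peer address the ASA is talking to>"
GROUP_IP_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+)")
# 713905 body when the ASA moves the session to NAT-T
FLOAT_RE = re.compile(
    r"Floating NAT-T from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) port (?P<dport>\d+)"
)
# 302015/302016 connection records: who is hitting our UDP/4500
CONN_RE = re.compile(
    r"UDP connection \d+ for outside:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r".*to identity:[\d.]+/(?P<dport>\d+)"
)


def analyze(lines):
    """Return per-group peer addresses, NAT-T floats, UDP/4500 sources and findings."""
    peers_by_group = defaultdict(set)   # tunnel-group -> peer IPs the ASA attributed to it
    nat_t_floats = []                   # (from_ip, from_port, to_ip, to_port)
    nat_t_sources = set()               # (src_ip, src_port) seen on our UDP/4500
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        gi = GROUP_IP_RE.search(body)
        if gi:
            peers_by_group[gi.group("group")].add(gi.group("ip"))
        fl = FLOAT_RE.search(body)
        if fl:
            nat_t_floats.append((fl.group("src"), int(fl.group("sport")),
                                 fl.group("dst"), int(fl.group("dport"))))
        cn = CONN_RE.search(body)
        if cn and cn.group("dport") == "4500":
            nat_t_sources.add((cn.group("src"), int(cn.group("sport"))))

    findings = []
    for group, ips in sorted(peers_by_group.items()):
        if len(ips) > 1:
            findings.append(
                f"tunnel-group {group}: peer address changed mid-session: {sorted(ips)}")
    for src, sport, dst, dport in nat_t_floats:
        if src != dst:
            # IKE came from `src`, but after the float the ASA talks to `dst`:
            # the NAT in front of the peer is translating UDP/4500 differently
            # from UDP/500 (assumption to confirm with the NAT owner).
            findings.append(
                f"NAT-T float moved peer from {src}:{sport} to {dst}:{dport}: "
                f"UDP/4500 arrives from a different public address than UDP/500")
    return {
        "peers_by_group": {g: sorted(ips) for g, ips in peers_by_group.items()},
        "nat_t_floats": nat_t_floats,
        "nat_t_sources": sorted(nat_t_sources),
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for finding in result["findings"]:
        print(finding)
```

Run it against a `show logging` capture (or a syslog collector export) filtered to the peer's tunnel-group; a tunnel-group attributed to two addresses plus a float whose destination differs from its source is the signature to take back to whoever owns the intermediate NAT.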