Showing results for 
Search instead for 
Did you mean: 

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.
Get the latest news in this issue of the Cisco Small Business Monthly Newsletter


Wrong IP for Tunnel?

Hello Everyone,


I'm seeing something rather odd happening for a tunnel that we have setup.  At the HQ location there is a 5508 that has a few tunnels setup between satellite locations with 5506's.  One of the tunnels randomly went down earlier this morning.  When doing a sh crypto isakmp sa on the satellite location's ASA it shows a wait_msg2, when doing the same on the HQ ASA it shows a wait_msg3, indicating that it gets the initial message from the ASA and then tries to reply but doesn't recieve a response.  The part where it gets weird is this.  On the HQ ASA its showing an IP that is completely different from the one on the outside interface of the satellite ASA and there is no way it can be in the same subnet as the first octet is completely different.  I confirmed that this tunnel is causing that issue by disabling ikev1 on both sides, confirmed the sa was gone and then turned it back on and ran the command again, same thing popped up again.  I tried rebooting the ASA, changing the PSK, but there isn't much else I can think of to try, aside from just re-doing the config on the HQ ASA and see what happens.


I tried running a packet trace to see if the traffic is being redirected somewhere but wasn't able to really get any kind of meaningful result, it doesn't show the traffic being redirected to any IP, but i'm not sure how useful a packet trace would be in this case anyways as I'm not sure if I can simulate VPN initiation traffic.


I also tried running a packet capture, but I am not sure what parameters to enter to capture the VPN initiation traffic from the satellite location to the HQ ASA.  I tried doing ingress outside egress inside with the access-list assigned to sequence on the outside cryptomap for the location in question and it didn't capture anything. 


I tried turning debugging to view it across SSH but that wasn't really helpful as the session was completely inundated with all traffic and not just VPN.


The last step is going to be to go out with a network tap, laptop, and wireshark to see if I can tell whats going on, but I was hoping someone had heard of something like this before.


Below are the results from sh crypto isakmp sa from both locations with the actual IP's removed


Satellite location

Result of the command: "sh crypto isakmp sa"

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: **HQ IP**
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

There are no IKEv2 SAs



Result of the command: "sh crypto isakmp sa"

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3

There are no IKEv2 SAs


Re: Wrong IP for Tunnel?

Turns out the modem took a dump at the satellite location, never in my life have I seen something like this happen.


It turns out that the ASA was seeing the IP address on the coax interface of the modem and not the one on the ASA.  Craziness, but after a reboot it came back up.  Definitely not typical of a modem going poo as normally the internet goes out, but the only issue was that the ASA at the HQ was seeing the wrong IP.