I'm seeing something rather odd happening with a tunnel that we have set up. At the HQ location there is a 5508 that has a few tunnels set up to satellite locations with 5506s. One of the tunnels randomly went down earlier this morning. When doing a sh crypto isakmp sa on the satellite location's ASA it shows a wait_msg2; when doing the same on the HQ ASA it shows a wait_msg3, indicating that it gets the initial message from the satellite ASA and then tries to reply but doesn't receive a response. The part where it gets weird is this: on the HQ ASA it's showing an IP that is completely different from the one on the outside interface of the satellite ASA, and there is no way it can be in the same subnet, as the first octet is completely different. I confirmed that this tunnel is causing that issue by disabling IKEv1 on both sides, confirming the SA was gone, then turning it back on and running the command again; the same thing popped up again. I tried rebooting the ASA and changing the PSK, but there isn't much else I can think of to try, aside from just redoing the config on the HQ ASA and seeing what happens.
I tried running a packet trace to see if the traffic is being redirected somewhere but wasn't able to really get any kind of meaningful result. It doesn't show the traffic being redirected to any IP, but I'm not sure how useful a packet trace would be in this case anyway, as I'm not sure if I can simulate VPN initiation traffic.
I also tried running a packet capture, but I am not sure what parameters to enter to capture the VPN initiation traffic from the satellite location to the HQ ASA. I tried doing ingress outside, egress inside with the access-list assigned to the sequence on the outside crypto map for the location in question, and it didn't capture anything.
I tried turning on debugging to view it over SSH, but that wasn't really helpful as the session was completely inundated with all traffic and not just VPN.
The last step is going to be to go out with a network tap, laptop, and Wireshark to see if I can tell what's going on, but I was hoping someone had heard of something like this before.
Below are the results of sh crypto isakmp sa from both locations with the actual IPs removed.
Result of the command: "sh crypto isakmp sa"

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: **HQ IP**
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

There are no IKEv2 SAs

Result of the command: "sh crypto isakmp sa"

Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: **OTHER LOCATION WORKING**
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: **RANDOM IP, SHOULD BE SATELLITE LOCATION IP BUT ITS NOT**
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
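The capture and per-peer debug the post was looking for, as an added example that is not from the thread: ASA CLI run on the HQ ASA, with SAT_IP and HQ_IP as placeholders for the satellite and HQ outside addresses, and assuming an ASA release that supports the `debug crypto ikev1` and `debug crypto condition peer` commands.

```text
! Placeholders: SAT_IP = satellite ASA outside address, HQ_IP = HQ ASA outside address.
! 1. Capture only IKE (UDP 500) and NAT-T (UDP 4500) arriving on the HQ outside interface.
!    The source is deliberately "any": if main-mode message 1 arrives from an unexpected
!    address (as in this thread), a capture pinned to SAT_IP would simply stay empty.
access-list IKE_CAP extended permit udp any host HQ_IP eq isakmp
access-list IKE_CAP extended permit udp any host HQ_IP eq 4500
capture IKE_CAP access-list IKE_CAP interface outside

! 2. Drop the stuck SA so the satellite re-initiates (or bounce the tunnel from that side).
clear crypto isakmp sa

! 3. The source address of the first UDP/500 packet is the peer the HQ ASA binds the
!    SA to. If it is not SAT_IP, the change happened upstream of the satellite ASA
!    (NAT or a misbehaving CPE), not in the tunnel configuration on either firewall.
show capture IKE_CAP

! 4. Debug only this peer instead of flooding the SSH session with every tunnel.
debug crypto condition peer SAT_IP
debug crypto ikev1 127
show crypto isakmp sa detail

! 5. Clean up when done.
undebug all
no capture IKE_CAP
no access-list IKE_CAP extended permit udp any host HQ_IP eq isakmp
no access-list IKE_CAP extended permit udp any host HQ_IP eq 4500
```

Comparing the captured source address with the satellite's own outside interface address is the check that separates a tunnel configuration problem from the wrong-IP symptom this thread describes.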
Turns out the modem took a dump at the satellite location; never in my life have I seen something like this happen.
It turns out that the ASA was seeing the IP address on the coax interface of the modem and not the one on the ASA. Craziness, but after a reboot it came back up. Definitely not typical of a modem going poo, as normally the internet goes out, but the only issue was that the ASA at the HQ was seeing the wrong IP.