Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2903
Views
0
Helpful
3
Replies

ASA 5505 as Easy VPN Client Status AM _ACTIVE

Go to solution
Anup Sasikumar
Level 1
Level 1

‎06-09-2012 05:56 AM

Hi Experts,

We have an ASA5505 which is configured to work as a Easy VPN Client. The output of #show isakmp sa shows the tunnels status as AM_ACTIVE.

But we are not able to establish connectivity to any of the inside nodes.

What does AM_ACTIVE imply ? From my understanding all Easy VPN Clients either Hardware or Software , uses Aggressive Mode and the tunnel is established and working . Easy VPN Server configurations is not under our management which is most probably a router and we think it 's the configuration issue at the Server end.

Moreover , there is hardly anything to do on a Easy VPN Client other than specify the authentication and tunnel group details in the client and it gets connected. All the other configurations are pushed from the Easy VPN Server end , right ?

On the output of #show ipsec sa , the following was noted

dynamic allocated peer ip: 0.0.0.0 -----> Does this mean that my ASA5505 is not assigned any IP by the Easy VPN Server ?

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0  ---------> No decryption , which probably means that there is no response from remote end,right?

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0                 

From #show vpnclient detail output I could see a lot of ISAKMP policies being created .

-------------------------------------------

crypto isakmp policy 65001

authentication xauth-pre-share

encryption aes-256

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65002

authentication xauth-pre-share

encryption aes-256

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65003

authentication xauth-pre-share

encryption aes-192

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65004

authentication xauth-pre-share

encryption aes-192

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65005

authentication xauth-pre-share

encryption aes

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65006

authentication xauth-pre-share

encryption aes

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65007

authentication xauth-pre-share

encryption 3des

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65008

authentication xauth-pre-share

encryption 3des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65009

authentication xauth-pre-share

encryption des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65010

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65011

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65012

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65013

authentication pre-share

encryption aes-192

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65014

authentication pre-share

encryption aes

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65015

authentication pre-share

encryption aes

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65016

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65017

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65018

authentication pre-share

encryption des

hash md5

group 2

lifetime 2147483647

--------------------

Can this possibly due to misconfiguration at Server end and the cause of not being able to establish connectivity to Server end nodes?

Please help ! Sorry for the mess But we just want to make sure it 's not anything wrong with the configuration on our end !!!

Regards,

Anup Sasikumar

Regards,
Anup
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-10-2012 01:24 AM

There are 2 phases of IPSec: IKE (Phase 1), status of AM_Active means Phase 1 is up and running, and IPSec (Phase 2), and if you have both encrypts and decrypts incrementing that means the tunnel is passing traffic.

Base on the output, the VPN tunnel is up, and is sending traffic towards the headend/VPN server, however, there is no reply back.

You should check the VPN server end to see if there is any misconfiguration. Check out the NAT exemption and make sure that you have that configured on the headend. What mode do you configure it as? PAT/Client mode or NEM mode?

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-10-2012 01:24 AM

There are 2 phases of IPSec: IKE (Phase 1), status of AM_Active means Phase 1 is up and running, and IPSec (Phase 2), and if you have both encrypts and decrypts incrementing that means the tunnel is passing traffic.

Base on the output, the VPN tunnel is up, and is sending traffic towards the headend/VPN server, however, there is no reply back.

You should check the VPN server end to see if there is any misconfiguration. Check out the NAT exemption and make sure that you have that configured on the headend. What mode do you configure it as? PAT/Client mode or NEM mode?

0 Helpful

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to Jennifer Halim

‎06-13-2012 07:31 AM

Thanks , Jennifer ! The issue is resolved ! We are able to connect now !

You were absolutely correct . The traffic were being encrypted and sent to Server but couldnt get any reply.

When it was checked they could see packets being received on the interface

They have resolved it now.It was the misconfiguration at the Server end. But couldn 't get clarification on what exactly the misconfiguration was.

It would be great if you could please help me on one more thing .. Why are these many ISAKMP policies being pushed to our end even though just one is only required and the matching one is taken automatically right ?

Regards,

Anup

Regards,
Anup
0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Anup Sasikumar

‎06-13-2012 08:50 PM

Great to hear, and thanks for your update.

With ISAKMP policies, it tries to match the policy from top to bottom, with the lowest isakmp policy number and down the list until it finds a match.

0 Helpful
Customers Also Viewed These Support Documents