cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2947
Views
0
Helpful
13
Replies

ASA 5505: VPN Led off, Sh cry ips sa empty

Lebon Mudumba
Level 1
Level 1

Dear Team

After many power shortage, the VPN led went off, I can ping all my peers but the sh cry ips sa is empty.

I've tried to clear both the isakmp and ipsec but nothing work worthy, I debugged to and reload, still off.

Here is both the sh run config.

interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
description UPLINK TO INTERNET
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.179.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 41.79.225.174 255.255.255.252
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 192.168.179.0 255.255.255.0 host 10.226.22.160
access-list outside_1_cryptomap extended permit ip host 41.79.225.174 host 10.226.22.160
access-list inside_nat0_outbound extended permit ip 192.168.179.0 255.255.255.0 host 10.226.22.160
access-list inside_nat0_outbound extended permit ip 192.168.179.0 255.255.255.0 10.225.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 41.79.225.174 host 41.79.47.28
access-list inside_nat0_outbound extended permit ip host 41.79.225.174 host 154.73.104.100
access-list access-in extended permit tcp host 10.226.22.160 192.168.179.0 255.255.255.0
access-list access-in extended permit tcp 10.225.6.0 255.255.255.0 192.168.179.0 255.255.255.0
access-list access-in extended permit tcp host 41.79.47.28 host 41.79.225.174
access-list access-in extended permit tcp host 154.73.104.100 host 41.79.225.174
access-list outside_2_cryptomap extended permit ip host 192.168.179.51 host 10.225.6.95
access-list outside_2_cryptomap extended permit ip host 192.168.179.51 host 10.225.6.96
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 41.79.225.174 eq www
access-list inside_access_in extended permit tcp any host 41.79.225.174 eq ssh
access-list inside_access_in extended permit tcp any host 41.79.225.174 eq 13013
access-list ip-qos extended permit ip host 192.168.179.40 any
access-list ip-qos extended permit ip any host 192.168.179.40
pager lines 24
logging enable
logging timestamp
logging asdm debugging
logging class auth console debugging
logging class webvpn console debugging
logging class svc console debugging
logging class ssl console debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 192.168.179.51 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 13013 192.168.179.51 13013 netmask 255.255.255.255
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.79.225.173 1
route outside 10.225.6.0 255.255.255.0 41.79.225.173 1
route outside 10.226.22.160 255.255.255.255 41.79.225.173 1
route outside 41.79.47.28 255.255.255.255 41.79.225.173 1
route outside 154.73.104.100 255.255.255.255 41.79.225.173 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.179.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 41.79.47.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 154.73.104.100
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 10
telnet 192.168.179.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.179.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 3
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.179.50-192.168.179.81 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
tunnel-group 154.73.104.100 type ipsec-l2l
tunnel-group 154.73.104.100 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map qos
match access-list ip-qos
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map qos
class qos
police output 1000000
police input 1000000
!
service-policy global_policy global
service-policy qos interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c11da0a7271528535b1af4ed84ee01ed
: end

 

PS: I do still access the internet from the firewall.

 

I will much appreciate your time and contributions

 

With best regards

Lebon

13 Replies 13

Hi,
I assume the configuration was saved before the power cut? Assuming the configuration hasn't changed then, potentially the other VPN peers still have IPSec SAs for the old connection, if you have access to the peers clear the connections "clear crypto ipsec sa".

The VPN will not automatically establish, you will need to generate interesting traffic in order to establish the VPN tunnels. Run a ping to a device on the other end of the VPN tunnel, but don't ping from the ASA itself.

If that doesn't work, please provide some debugs "debug crypto isakmp 128" and "debug crypto ipsec 128"

HTH


@Rob Ingram wrote:
Hi,
I assume the configuration was saved before the power cut? Assuming the configuration hasn't changed then, potentially the other VPN peers still have IPSec SAs for the old connection, if you have access to the peers clear the connections "clear crypto ipsec sa".

The VPN will not automatically establish, you will need to generate interesting traffic in order to establish the VPN tunnels. Run a ping to a device on the other end of the VPN tunnel, but don't ping from the ASA itself.

If that doesn't work, please provide some debugs "debug crypto isakmp 128" and "debug crypto ipsec 128"

HTH

Thank you RIJ for you time, however this is what I have done, yet nothing new

SacodeFw# sh cry eli
^
ERROR: % Invalid input detected at '^' marker.
SacodeFw# clear crypto ipsec sa
SacodeFw# ping 154.73.104.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 154.73.104.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
SacodeFw# ping 41.79.47.28
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 41.79.47.28, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
SacodeFw# sh cry ips sa

There are no ipsec sas
SacodeFw#

You need to ping an IP address defined in the Crypto ACLs highlighted below - in order for the VPN to be established.

 

access-list outside_1_cryptomap extended permit ip 192.168.179.0 255.255.255.0 host 10.226.22.160
access-list outside_1_cryptomap extended permit ip host 41.79.225.174 host 10.226.22.160

access-list outside_2_cryptomap extended permit ip host 192.168.179.51 host 10.225.6.95
access-list outside_2_cryptomap extended permit ip host 192.168.179.51 host 10.225.6.96

 

HTH

from the ASA:

SacodeFw# ping 10.226.22.160
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.226.22.160, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SacodeFw# ping 10.226.6.95
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.226.6.95, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SacodeFw# ping 10.226.6.96
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.226.6.96, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SacodeFw# ping 10.226.22.160
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.226.22.160, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SacodeFw#

 

From a local machine:

lebon@Kansaco:~$ ping 10.226.22.160
PING 10.226.22.160 (10.226.22.160) 56(84) bytes of data.
^C
--- 10.226.22.160 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15000ms

lebon@Kansaco:~$ ping 10.225.6.95
PING 10.225.6.95 (10.225.6.95) 56(84) bytes of data.
^C
--- 10.225.6.95 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9057ms

lebon@Kansaco:~$ ping 10.225.6.96
PING 10.225.6.96 (10.225.6.96) 56(84) bytes of data.

 

Ok, but is the source of those pings in the crypto ACL on both devices? Have you successfully previously pinged the other device from those devices before?

What about the requested debug information? this would indicate where the issues lies.

Do you control the other firewalls? Can you provide the configuration and debugs?

I don't control them as they are hosted by different Mobile Network Operators.
Let me share with you the debug in a while

Ipsec debug:

IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, src=192.168.179.51:6104, Dest=10.225.6.95:37926
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
NIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
O DEIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
BUIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
FIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
GIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.
ALLIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, src=192.168.179.51:38660, Dest=10.225.6.95:38660
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 2: matched.

isa debug too: 

:50:44 [IKEv1]: IP = 154.73.104.100, P1 Retransmit msg dispatched to MM FSM
Aug 31 00:50:44 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 31 00:50:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:44 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:45 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:46 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:47 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:48 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:49 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:50 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:51 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, IKE MM Responder FSM error history (struct &0xc9eab118) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, IKE SA MM:aed55e60 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, sending delete/delete with reason message
Aug 31 00:50:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:52 [IKEv1]: IP = 154.73.104.100, IKE Initiator: New Phase 1, Intf inside, IKE Peer 154.73.104.100 local Proxy Address 192.168.179.51, remote Proxy Address 10.225.6.95, Crypto map (outside_map)
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing ISAKMP SA payload
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing NAT-Traversal VID ver 02 payload
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing NAT-Traversal VID ver 03 payload
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing NAT-Traversal VID ver RFC payload
Aug 31 00:50:52 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing Fragmentation VID + extended capabilities payload
Aug 31 00:50:52 [IKEv1]: IP = 154.73.104.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:50:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:53 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:54 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:55 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:57 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:57 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 264
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing SA payload
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Oakley proposal is acceptable
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Received NAT-Traversal RFC VID
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Received NAT-Traversal ver 03 VID
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Received NAT-Traversal ver 02 VID
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Received DPD VID
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, Received Fragmentation VID
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing VID payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing IKE SA payload
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing ISAKMP SA payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing NAT-Traversal VID ver 02 payload
Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, constructing Fragmentation VID + extended capabilities payload
Aug 31 00:50:57 [IKEv1]: IP = 154.73.104.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 31 00:50:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:58 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:50:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:50:59 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:00 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:00 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:01 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:02 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:03 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:03 [IKEv1]: IP = 154.73.104.100, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 31 00:51:03 [IKEv1]: IP = 154.73.104.100, P1 Retransmit msg dispatched to MM FSM
Aug 31 00:51:03 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 31 00:51:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:04 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:05 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:05 [IKEv1]: IP = 41.79.47.28, IKE Initiator: New Phase 1, Intf inside, IKE Peer 41.79.47.28 local Proxy Address 192.168.179.0, remote Proxy Address 10.226.22.160, Crypto map (outside_map)
Aug 31 00:51:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:05 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:05 [IKEv1 DEBUG]: IP = 41.79.47.28, constructing ISAKMP SA payload
Aug 31 00:51:05 [IKEv1 DEBUG]: IP = 41.79.47.28, constructing NAT-Traversal VID ver 02 payload
Aug 31 00:51:05 [IKEv1 DEBUG]: IP = 41.79.47.28, constructing NAT-Traversal VID ver 03 payload
Aug 31 00:51:05 [IKEv1 DEBUG]: IP = 41.79.47.28, constructing NAT-Traversal VID ver RFC payload
Aug 31 00:51:05 [IKEv1 DEBUG]: IP = 41.79.47.28, constructing Fragmentation VID + extended capabilities payload
Aug 31 00:51:05 [IKEv1]: IP = 41.79.47.28, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:06 [IKEv1]: IP = 41.79.47.28, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:07 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:08 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:08 [IKEv1]: IP = 41.79.47.28, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:08 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:08 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:10 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:11 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:11 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 31 00:51:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:12 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:12 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:12 [IKEv1]: IP = 41.79.47.28, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:13 [IKEv1]: IP = 41.79.47.28, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:14 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:15 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:15 [IKEv1]: IP = 154.73.104.100, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 31 00:51:15 [IKEv1]: IP = 154.73.104.100, P1 Retransmit msg dispatched to MM FSM
Aug 31 00:51:15 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 31 00:51:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:16 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:16 [IKEv1]: IP = 154.73.104.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:17 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:18 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
no Aug 31 00:51:19 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:19 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
debAug 31 00:51:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:20 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
ug Aug 31 00:51:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:20 [IKEv1]: IP = 41.79.47.28, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 31 00:51:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:20 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
allAug 31 00:51:21 [IKEv1]: IP = 41.79.47.28, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Aug 31 00:51:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 31 00:51:22 [IKEv1]: IP = 154.73.104.100, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

From the debugs "Duplicate Phase 1 packet detected. Retransmitting last packet."

Potentially the peer device is not responding to your ASA to establish an ISAKMP SA or something is blocking your output packets.

The output of "show crypto acc stats" confirmed output bytes 4536 (no output packets though) and no input packets/bytes.

Do you have a device in front of your ASA with an ACL that could be blocking communication (UDP/500)?

Can take a packet capture on the ASA to/from the IP addresses of the VPN peers and upload the pcap file?

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi Lebon,

 

First of all, you should never post unaltered configuration to public forums, that contains usernames, passwords, PSKs and/or public IPs.

 

You could check status of crypto accelerator with "sh crypto accelerator statistics", to see stats there.

 

As you already said, you had multiple power outages, and no configuration was changed, so those outages which could lead to HW failure, so I would advise to go for TAC case, and possible RMA.

 

Best regards

Thank you for the remark Sir.

This is the output of sh cry acc stat


Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 100 Mbps
Max crypto connections: 10
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 0
Input bytes: 0
Output packets: 0
Output error packets: 0
Output bytes: 4536

[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 216 seconds
Total crypto transforms: 609
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 0
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 4536
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 4536
[Diffie-Hellman statistics]
Keys generated: 32
Secret keys derived: 0
[RSA statistics]
Keys generated: 1
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 65
Random number request failures: 0
[HMAC statistics]
HMAC requests: 0

[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Slot: 1
Active time: 228 seconds
Total crypto transforms: 97
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 0
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 0
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 0
[Diffie-Hellman statistics]
Keys generated: 96
Secret keys derived: 0
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 1
Random number request failures: 0
[HMAC statistics]
HMAC requests: 0

I don't think that the RAM is the cause because the other services from my ISP are working, if RAM was the problem I think I could not have internet access too

I don't think it is the RAM either, as in that case, ASA probably wouldn't even boot.

I mentioned RMA (Return Material Authorization), a process in which faulty HW is replaced by Cisco, if under service. However, based on the provided outputs, it looks that crypto engine is ok - it is sending the packets, just not receiving anything to process.

 

Also, based on one of your debug outputs:

Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, processing IKE SA payload
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 31 00:50:57 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

Aug 31 00:50:57 [IKEv1 DEBUG]: IP = 154.73.104.100, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2

 

it does seem that you are receiving some traffic back from the peer 154.73.104.100.

 

As advised by RJI, please make a packet capture on outside interface of traffic destined to 154.73.104.100. That would confirm that logs don't lie, and that indeed there is some packet exchange between these peers.

 

Regarding other VPN peer that appears in logs, one with IP 41.79.47.28, you are missing configuration for PSK, something like:

tunnel-group 41.79.47.28 type ipsec-l2l
tunnel-group 41.79.47.28 ipsec-attributes
pre-shared-key your_psk

 

If this tunnel was working before, than we can conclude, with great certainty, that your configuration was not saved, which manifested after power outage .

 

Best regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: