Beginner

ASA5540 to Cisco2650XM VPN issues

Hello,

I am trying to create a VPN between a service provider's ASA5540 and our Cisco2650XM device.

Here's our config:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address XX.YY.223.126
crypto ipsec transform-set ipcom esp-3des esp-sha-hmac
crypto map serviceprovider local-address Loopback99
crypto map serviceprovider 1 ipsec-isakmp
 description Tunnel to Service Provider
 set peer XX.YY.223.126
 set transform-set ipcom
 set pfs group1
 match address 100
interface Loopback99
 ip address ZZ.YY.196.2 255.255.255.0
 ip ospf 10 area 0
interface FastEthernet0/0
 ip address XX.HH.126.90 255.255.255.224
 duplex auto
 speed auto
 crypto map serviceprovider
access-list 100 permit ip any host 172.16.3.133
access-list 100 permit ip any host 172.16.3.131

And below, service provider ASA config:

object-group network Customer
 network-object host ZZ.YY.196.129
 network-object host ZZ.YY.196.130
 network-object host XX.HH.126.129
 network-object host XX.HH.126.130
object-group network DM_INLINE_NETWORK_4
 network-object host 172.16.3.131
 network-object host 172.16.3.133
access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Customer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer ZZ.YY.196.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
group-policy ZZ.YY.196.2 internal
group-policy ZZ.YY.196.2 attributes
 vpn-filter value outside_20_cryptomap
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group ZZ.YY.196.2 type ipsec-l2l
tunnel-group ZZ.YY.196.2 general-attributes
 default-group-policy ZZ.YY.196.2
tunnel-group ZZ.YY.196.2 ipsec-attributes
 pre-shared-key *****
network ZZ.YY.196.130 0.0.0.0 area 0

===========================================================================

We cannot get past phase 1. Here's the log:

===========================================================================

May  8 00:47:56.863: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= ZZ.YY.196.2, remote= XX.YY.223.126,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xE0E40431(3773039665), conn_id= 0, keysize= 0, flags= 0x400B
May  8 00:47:57.043: CryptoEngine0: generating alg parameter for connid 19
May  8 00:47:57.043: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)
May  8 00:47:57.083: CRYPTO_ENGINE: Dh phase 1 status: OK
May  8 00:47:57.264: CryptoEngine0: generating alg parameter for connid 0
May  8 00:47:57.264: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)
May  8 00:47:57.308: CryptoEngine0: create ISAKMP SKEYID for conn id 19
May  8 00:47:57.308: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec)
May  8 00:47:57.348: CryptoEngine0: generate hmac context for conn id 19
May  8 00:47:57.588: CryptoEngine0: generate hmac context for conn id 19
May  8 00:47:57.588: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 00:47:57.596: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May  8 00:47:57.781: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
May  8 00:47:57.785: CryptoEngine0: generate hmac context for conn id 19
May  8 00:47:57.785: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 00:47:57.797: CryptoEngine0: generate hmac context for conn id 19
May  8 00:47:57.797: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 00:47:57.805: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May  8 00:47:57.813: IPSEC(key_engine): got a queue event with 1 kei messages....
May  8 00:48:47.815: CryptoEngine0: clear dh number for conn id 36
May  8 00:48:47.815: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May  8 00:48:56.865: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= ZZ.YY.196.2, remote= XX.YY.223.126,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1)
May  8 00:48:57.815: CryptoEngine0: delete connection 19
May  8 00:48:57.815: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)
May  8 00:49:17.844: CryptoEngine0: clear dh number for conn id 38
May  8 00:49:17.844: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May  8 00:49:27.844: CryptoEngine0: delete connection 20
May  8 00:49:27.844: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)

The IKE never comes up; I mostly see it in DOWN or DOWN-NEGOTIATING:

Router#sho cry sess
Crypto session current status

Interface: Loopback99
Session status: DOWN-NEGOTIATING
Peer: XX.YY.223.126 port 500
  IKE SA: local ZZ.YY.196.2/500 remote XX.YY.223.126/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.131
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.133
        Active SAs: 0, origin: crypto map
c2650#

Any idea what might be wrong here?

Thanks,

D.

Beginner

On a more comprehensive debug I get this:

May  8 02:28:03.389: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May  8 02:28:03.393: CryptoEngine0: generate hmac context for conn id 28
May  8 02:28:03.393: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 02:28:03.401: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May  8 02:28:03.582: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
May  8 02:28:03.590: CryptoEngine0: generate hmac context for conn id 28
May  8 02:28:03.590: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 02:28:03.598: ISAKMP:(0:28:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer XX.YY.223.126)
May  8 02:28:03.602: CryptoEngine0: generate hmac context for conn id 28
May  8 02:28:03.602: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May  8 02:28:03.610: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May  8 02:28:03.618: IPSEC(key_engine): got a queue event with 1 kei messages

Thanks,

D.

Cisco Employee

Hi Daniel,

It seems you have PFS enabled on the ASA but not on the router. Can you remove the following command from the ASA:

no crypto map outside_map 20 set pfs

If the issue persists, please paste 'show run crypto' from the ASA as well.

-

Sourav

Beginner

Router#sho cry isa sa
dst             src             state          conn-id slot status
XX.YY.223.126  ZZ.YY.196.2   MM_NO_STATE         30    0 ACTIVE (deleted)
Router#

Help please?

Cisco Employee

In fact, can you please post 'show run' from both the router and the ASA for review? The problem seems to be in phase 1 and we don't have the complete config to look at.

Thanks.

-

Sourav

Beginner

Links with configs from the 2650XM and the partial config I have from the service provider.

http://pastebin.com/bZA5WwMp    --- Config from 2650XM

http://pastebin.com/cyy1hdNN   -- partial config I have from ASA

Thanks,

D.

Cisco Employee

Thanks Daniel. OK, so we have PFS enabled on both the ASA and the router.

A few things to consider:

The ASA has the following access-list, which seems to be for NAT exempt (I don't see nat 0 anywhere in the config, so I can't verify):

access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133

Here is the crypto ACL:

access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet

Itelnet seems to be on the other end of the router, so the NAT exempt ACL should look like:

access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet
no access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133

Please fix this.

Secondly, you have a VPN filter on the ASA; not sure why that is needed, as the crypto ACL only allows the specific traffic anyway:

group-policy 197.157.196.2 internal
group-policy 197.157.196.2 attributes
 vpn-filter value outside_20_cryptomap
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 197.157.196.2 type ipsec-l2l
tunnel-group 197.157.196.2 general-attributes
 default-group-policy 197.157.196.2

But the most important thing is the phase 1 policy on the ASA, which is not available in this config. On the router we have:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

Can you check if the parameters are the same on the ASA as well?

-

Sourav
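A practical follow-up to the PFS discussion above, added here as an example that is not part of the thread and not code from either poster: a small Python checker for the two phase 2 parameters on which the posted crypto map entries visibly differ. On IOS, `set pfs` without a group keyword means group1, and the router's entry states `set pfs group1` explicitly; on the ASA, `set pfs` without a group keyword means group2, so the two entries propose different DH groups for quick mode even though PFS is "on" at both ends. The second check builds the (source, destination) proxy IDs each crypto ACL offers and looks for exact mirror images: the router's `permit ip any host ...` entries are offered with a local proxy of 0.0.0.0/0 (the `local_proxy= 0.0.0.0/0.0.0.0` in the debug output earlier in the thread), which the ASA's host-specific crypto ACL does not mirror. The config fragments are constructed to model the posted ones, with the public addresses replaced by RFC 5737 documentation space; the function and variable names are the example's own.

```python
"""Added example (not code from the thread): compare the phase 2 parameters of an IOS
crypto map entry with those of an ASA crypto map entry, on constructed fragments
modelled on the posted configs (public addresses replaced by RFC 5737 values)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PFS_DEFAULT = {"ios": "group1", "asa": "group2"}  # used when 'set pfs' names no group
IOS_CFG = """
crypto map serviceprovider 1 ipsec-isakmp
 set pfs group1
 match address 100
access-list 100 permit ip any host 172.16.3.133
access-list 100 permit ip any host 172.16.3.131
"""
ASA_CFG = """
object-group network Customer
 network-object host 203.0.113.129
 network-object host 203.0.113.130
object-group network DM_INLINE_NETWORK_4
 network-object host 172.16.3.131
 network-object host 172.16.3.133
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Customer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
"""

def pfs_group(cfg, map_name, seq, platform):
    """PFS group of one crypto map entry, or None when PFS is not configured."""
    if platform == "ios":  # 'set pfs' is a subcommand under the crypto map entry
        in_entry = False
        for line in cfg.splitlines():
            t = line.split()
            if len(t) >= 4 and t[:2] == ["crypto", "map"]:
                in_entry = t[2] == map_name and t[3] == str(seq)
            elif in_entry and t[:2] == ["set", "pfs"]:
                return t[2] if len(t) > 2 else PFS_DEFAULT["ios"]
        return None
    for line in cfg.splitlines():  # ASA repeats map name and seq on every line
        t = line.split()
        if t[:6] == ["crypto", "map", map_name, str(seq), "set", "pfs"]:
            return t[6] if len(t) > 6 else PFS_DEFAULT["asa"]
    return None

def parse_object_groups(cfg):
    """ASA 'object-group network' name -> list of member networks."""
    groups, cur = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            cur = t[2]
            groups[cur] = []
        elif cur and t[:1] == ["network-object"]:  # 'host A' or 'A MASK' member
            groups[cur].extend(_addr(t[1:], groups)[0])
        elif t:  # any other top-level line ends the group
            cur = None
    return groups

def _addr(tokens, groups):
    """Consume one ACL address term; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ANY], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    # 'A MASK': ipaddress accepts both an ASA netmask and an IOS wildcard (hostmask)
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]

def crypto_acl_flows(cfg, acl_name, platform):
    """(src, dst) network pairs a crypto ACL offers as IKEv1 quick-mode proxy IDs."""
    groups = parse_object_groups(cfg) if platform == "asa" else {}
    flows = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", acl_name]:
            continue
        body = t[3:] if t[2] == "extended" else t[2:]  # ASA adds the 'extended' keyword
        if body[:2] != ["permit", "ip"]:
            continue
        srcs, rest = _addr(body[2:], groups)
        flows.extend((s, d) for s in srcs for d in _addr(rest, groups)[0])
    return flows

def unmirrored_flows(local, remote):
    """Local (src, dst) proxy IDs with no exact (dst, src) counterpart on the peer."""
    mirrors = {(d, s) for s, d in remote}
    return [f for f in local if f not in mirrors]

def check(ios_cfg, asa_cfg):
    """IOS entry 'serviceprovider 1' against ASA entry 'outside_map 20' and their crypto ACLs."""
    ios_pfs = pfs_group(ios_cfg, "serviceprovider", 1, "ios")
    asa_pfs = pfs_group(asa_cfg, "outside_map", 20, "asa")
    ios_flows = crypto_acl_flows(ios_cfg, "100", "ios")
    asa_flows = crypto_acl_flows(asa_cfg, "outside_20_cryptomap", "asa")
    return {"pfs": (ios_pfs, asa_pfs), "pfs_match": ios_pfs == asa_pfs,
            "router_flows_without_mirror": unmirrored_flows(ios_flows, asa_flows),
            "asa_flows_without_mirror": unmirrored_flows(asa_flows, ios_flows)}

if __name__ == "__main__":
    print(check(IOS_CFG, ASA_CFG))
```

Run stand-alone, `check(IOS_CFG, ASA_CFG)` reports `pfs` as `('group1', 'group2')` with `pfs_match` False, and lists both router flows and all four ASA flows as unmirrored. `pfs_group` returns None when an entry has no `set pfs` at all, which the comparison also flags as a mismatch. Both findings concern phase 2 (quick mode) and would not by themselves stop main mode from completing, so they are the next things to fix once the phase 1 policy question in the replies is settled.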

Beginner

Sourav,

This is what I received from the service provider:

http://pastebin.com/fSyDmLPR

The above is their phase 1 config.

Is it of any use?

Cisco Employee

Thanks Daniel. I checked the output and we definitely have a phase 1 policy match on the two devices. We might need to collect more debugging info. I would recommend opening a TAC case so that we can investigate further.

-

Sourav
