07-02-2019 12:36 PM - edited 02-21-2020 09:41 PM
Hello all,
I have a Cisco ASA 5510 which I am trying to connect to SherWeb Performance Cloud.
The tunnel did go up and stayed up for a day. But over the weekend something happened and it went down.
I've run the debug commands and logging as well as the packet-tracer command. I'll skip posting the original output just to keep this short. Below are my observations:
07-02-2019 07:33 PM
07-02-2019 07:42 PM
I do not have control over the other side. However, on my ASA5510, for IKEv2 only, there is no option to choose a specific authentication method. But I only entered PSKs and left the certificate blank. Thus it should work (that's also what I see in sample debug messages using PSKs).
07-02-2019 08:26 PM
07-03-2019 05:20 AM
Yes, they are, as I have a successful example right beside me. Apart from the tunnel I'm currently trying to build between the ASA5510 and SherWeb Performance Cloud, I have a working tunnel between a Fortigate 200D and SherWeb Performance Cloud as an example. So I would hardly say that there are config differences, which confuses me even more as to why the current tunnel is failing.
That being said, Fortigate products indicate the phase 1 and phase 2 DH groups more clearly than Cisco does. Maybe I did set the DH group wrong? How do I match the policy DH group / PFS DH group to the phase 1 / phase 2 groups?
Thank you so much for answering.
07-03-2019 10:00 PM
07-03-2019 07:02 PM
Here's some update.
Since the debug output mainly returns errors at the auth_exchange stage, I decided to redo the config, refresh the interface and see what changes, and here is the really strange result.
I had the tunnel session established successfully, with the exact same config (meaning the config isn't wrong). But when it was up, the NAT exempt wasn't working (it wasn't configured at first). When I added the NAT exempt command, somehow the ACL decided to skip the packet and let it drop by the implicit deny.
I've confirmed many, many times that the NAT and ACL configurations point to the correct interfaces and subnets.
I also learned that the Cisco ASA is really slow at resetting the tunnel session? I basically had to clear the crypto map and reconfigure it to reset the session (including these non-expired packets).
This is getting out of control. : ((
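As an added reference (not the poster's config and not SherWeb's), the fragment below shows where the two DH groups that the Fortigate labels "phase 1" and "phase 2" live in an ASA 9.x IKEv2 site-to-site configuration, and how the NAT exemption and the crypto ACL fit together. All object names, subnets, the peer address, the PSK and the group numbers are placeholders; the groups must be set to whatever the peer side actually proposes.

```cisco
! Added illustrative ASA 9.x IKEv2 LAN-to-LAN fragment; all names, subnets,
! peer address, PSK and group numbers are placeholders, not the poster's values.
!
! Phase 1 (IKE_SA_INIT): Fortigate "phase1 dhgrp" == ASA "group" in the ikev2 policy
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2 (CHILD_SA) transform: algorithms only, the DH group is NOT set here
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.50.0.0 255.255.0.0
!
! Crypto ACL: selects what gets encrypted. An interface ACL applied to "inside"
! (if any) still has to permit the same LAN-to-LAN traffic separately.
access-list VPN-TO-PEER extended permit ip object LOCAL-LAN object REMOTE-LAN
!
! NAT exemption (twice NAT, section 1) so the interesting traffic is not PATed
! before it reaches the crypto map; it must sit before any dynamic PAT rule.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Phase 2 DH group: Fortigate "phase2 dhgrp" == ASA "set pfs" on the crypto map entry
crypto map OUTSIDE-MAP 10 match address VPN-TO-PEER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! IKEv2 authentication: PSK in both directions, no certificate trustpoint
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! Checks: does the flow hit the exemption and the crypto ACL, and do the SAs match?
! packet-tracer input inside tcp 192.168.10.20 12345 10.50.1.10 443 detailed
! show crypto ikev2 sa detail
! show crypto ipsec sa peer 203.0.113.10
```

If the peer proposes a different PFS group than `set pfs` names, phase 1 still comes up but the child SA fails, which is why the two groups have to be compared separately against the Fortigate's phase 1 and phase 2 settings.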