07-22-2019 06:04 AM - edited 02-21-2020 09:42 PM
Hello Guys,
I have an IPsec VPN between a Cisco ASA 5515x and a Cisco 4331K9. The tunnel has been fine for a couple of months but suddenly started flapping and experiencing huge packet drops. I had thought it was an interface duplex config issue from my ISP. I adjusted settings but issue persisted. Attached are three files. One consists only the IPsec config on both routers (433K9 and ASA), the second one has the config for only the ASA and the last one has the config for only the iOS 4331K9.
Kindly help!!!
Solved! Go to Solution.
07-30-2019 06:04 AM
no matching crypto map entry for remote proxy 172.16.130.0/255.255.254.100/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Looking at your configs, I can see an extra crypto ACL side on the ISR :
ip access-list extended Abuja-IV
permit ip 172.16.130.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.255 172.16.120.0 0.0.7.255
permit ip 172.16.130.0 0.0.1.155 any
Keep the ACL's the same on both sides. What might be happening is that there is some traffic triggering the Phase 2 tunnel from the ISR side. Since it cannot establish completely, it might be tearing down Phase 1 as well.
07-23-2019 06:28 AM
Run debugs on both the ASA and ISR. Since it is flapping constantly, there should be some log as to why this is happening. Also, do you see any logs on the ASA or ISR when the tunnel flaps?
On the ASA, run these debugs:
debug crypto ikev1 127
debug crypto ipsec 127
On the ISR:
debug crypto isakmp
debug crypto ipsec
07-29-2019 07:44 AM - edited 07-30-2019 09:51 AM
07-30-2019 06:04 AM
no matching crypto map entry for remote proxy 172.16.130.0/255.255.254.100/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Looking at your configs, I can see an extra crypto ACL side on the ISR :
ip access-list extended Abuja-IV
permit ip 172.16.130.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.255 172.16.120.0 0.0.7.255
permit ip 172.16.130.0 0.0.1.155 any
Keep the ACL's the same on both sides. What might be happening is that there is some traffic triggering the Phase 2 tunnel from the ISR side. Since it cannot establish completely, it might be tearing down Phase 1 as well.
07-30-2019 09:49 AM
Hey Rahul,
Thanks so much for spotting that out. I noticed the alien ACL in the debugs, searched for the affected subnet in my config but couldn't find it for odd reasons. I was apparently focused on the numbered ACLs (100, 101, 102...especially the ones with deny statements) but then forgot to look through the most important one (permit ACL). ACLs were obviously conflicting.
You're helpful, thank you!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide