Migrated PIX to ASA VPN not working

Anish Chauhan
Level 1

I’ve tried to perform a migration from a customer currently running a PIX that terminates 7 site to site VPNs to an ASA. On the attempt to migrate the customer one of the tunnels wouldn’t fully form. The peer would appear in the sho crypto isakmp sa command but a sho crypto ipsec sa was showing no packets being encrypted/decrypted.

The unusual thing about the current configuration is that this particular VPN comprises multiple (16 in total) tunnel groups for the same peer. Here’s some example config (peer IP address changed):

crypto map outside_map 300 match address outside_cryptomap_300
crypto map outside_map 300 set peer 1.1.1.1
crypto map outside_map 300 set transform-set ESP-AES-256-SHA
crypto map outside_map 320 ipsec-isakmp
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 1.1.1.1
crypto map outside_map 320 set transform-set ESP-AES-256-SHA
crypto map outside_map 340 ipsec-isakmp
crypto map outside_map 340 match address outside_cryptomap_340
crypto map outside_map 340 set peer 1.1.1.1
crypto map outside_map 340 set transform-set ESP-AES-256-SHA

It seems to me that the administrator of the PIX had created a new tunnel for each individual subnet that was to be encrypted and sent down the tunnel rather than combining and adding the additional interesting traffic.

As there’s no equivalent tunnel-group statement in the PIX, the translated config for the ASA resolves to picking the access-list from the first of the set of crypto map statements and adds that to the tunnel group. So I then manually created a group to combine all of the interesting traffic into a single access-list statement and single crypto map policy and therefore single tunnel group. However the tunnel doesn’t properly establish and my thoughts are that this is because the encryption domain/interesting traffic configuration at this end doesn’t match the configuration at the remote end. I tried enabling PFS, changing the DH group and several other changes but to no avail. I even tried adding several tunnel group statements to the same peer but the ASA wouldn’t allow me to.

One of the biggest problems is that we don’t have access to the remote end which is provided by a large faceless service provider who will charge the customer for any changes and synchronising the changes at both ends is going to be pretty impossible.  The ASA is running version 8.2.

Does anyone have any other ways around this, and any thoughts on whether I’m right in my assumption of why the tunnel isn’t coming up?

Thanks, Anish
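To make the merge described above reproducible and reviewable before it is pasted into the ASA, here is an added example (not code from the thread or from Cisco): a small Python script, run on a constructed PIX snippet, that groups crypto map entries by peer and emits one combined crypto ACL, one crypto map entry and one tunnel-group per peer, keeping every original ACE as its own line since each ACE in a crypto ACL negotiates its own IPsec SA and the per-subnet proxy identities offered to the remote end therefore stay the same. The merged ACL name suffix and the ipsec-l2l tunnel-group type are assumptions; the pre-shared key is not generated.

```python
import re
from collections import defaultdict

# Constructed sample PIX config (not from the post): two crypto map entries
# for peer 1.1.1.1, each with its own ACL, plus one entry for a second peer.
PIX_CONFIG = """
access-list outside_cryptomap_300 permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_320 permit ip 10.1.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_400 permit ip 10.3.0.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map outside_map 300 match address outside_cryptomap_300
crypto map outside_map 300 set peer 1.1.1.1
crypto map outside_map 300 set transform-set ESP-AES-256-SHA
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 1.1.1.1
crypto map outside_map 320 set transform-set ESP-AES-256-SHA
crypto map outside_map 400 match address outside_cryptomap_400
crypto map outside_map 400 set peer 2.2.2.2
crypto map outside_map 400 set transform-set ESP-AES-256-SHA
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit .*)$")
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")

def parse(config):
    # acls: ACL name -> list of ACEs; entries: (map, seq) -> {attribute: value}
    acls, entries = defaultdict(list), defaultdict(dict)
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(2))
        elif m := CM_RE.match(line):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    return acls, entries

def merge_by_peer(config):
    # Group entries by (map, peer), keep the lowest sequence number, and
    # concatenate every original ACE so each per-subnet proxy ID survives.
    acls, entries = parse(config)
    groups = defaultdict(list)
    for (cmap, seq), attrs in sorted(entries.items()):
        groups[(cmap, attrs["set peer"])].append((seq, attrs))
    out = []
    for (cmap, peer), members in groups.items():
        seq, attrs = members[0]
        name = f"{cmap}_{peer.replace('.', '_')}_merged"  # assumed naming scheme
        for _, a in members:
            out += [f"access-list {name} {ace}" for ace in acls[a["match address"]]]
        out += [f"crypto map {cmap} {seq} ipsec-isakmp",
                f"crypto map {cmap} {seq} match address {name}",
                f"crypto map {cmap} {seq} set peer {peer}",
                f"crypto map {cmap} {seq} set transform-set {attrs['set transform-set']}",
                f"tunnel-group {peer} type ipsec-l2l"]  # ASA allows one tunnel-group per peer
    return out
```

Diff the emitted ACEs against the original ACLs before applying the result, so that no subnet is silently dropped from the encryption domain.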

2 Replies

Jennifer Halim
Cisco Employee

Please run debugs to see exactly where it's failing.

debug cry isa
debug cry ipsec

Hi Jennifer,

I wasn't able to capture and retain the debugs, but I was getting a number of different error messages but that was due to us changing the settings at our end a number of times. 

Basically the peer association establishes but no traffic is sent down the tunnel.  I appreciate that this is difficult to appreciate without the debugs but I was hoping that someone might be able to assist.

Thanks.
