12-13-2013 04:47 AM
Hello, Good Day!!
I have a problem in a site-to-site VPN between a Cisco 2801 router running C2801-ADVENTERPRISEK9-M Version 12.4(16) and a Cisco ASA 5515 firewall running Version 8.6(1)2.
The problem occurs when phase 1 and phase 2 are completed: when I give the command "sh crypto ipsec sa" on the Cisco 2801 router it shows all zeros in the output, but on the other side, the Cisco ASA, it shows packets encapsulated/decapsulated fine.
I have matched the configuration; it is all fine on both ends, and both endpoints are also reachable, with 50% packet loss.
Please assist me I am stuck with this problem :~
Cisco Router 2801:

```
crypto isakmp policy 70
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX
crypto ipsec transform-set TS_STRING esp-3des esp-md5-hmac
crypto map KASBUAE 70 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set security-association lifetime seconds 28800
 set transform-set TS_STRING
 match address 110
access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20
```

Cisco firewall ASA:

```
crypto ikev1 policy 95
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 14 match address outside_cryptomap_13
crypto map outside_map 14 set peer XXX.XXX.XXX.XXX
crypto map outside_map 14 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 14 set security-association lifetime seconds 28800
access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811
```

here: CISCO_ASA = 20.20.20.20, CISCO_2811 = 10.10.10.10
```
protected vrf: (none)
local ident (addr/mask/prot/port): (10.142.56.105/255.255.255.255/6/1251)
remote ident (addr/mask/prot/port): (10.0.31.6/255.255.255.255/6/0)
current_peer 212.112.188.194 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.44.92.18, remote crypto endpt.: 212.112.188.194
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
```
Thanks & Regards,
12-14-2013 04:08 AM
The IPsec SA is not established (inbound esp sas: empty).
Verify that your crypto ACLs are mirrored (unless you know exactly what you are doing).
If in doubt run a debug on phase (deb cryp ipsec) to see what's happening.
Rgds,
MiKa
PS: if you obfuscate addresses in your pseudo-config you should also obfuscate them in your debug output.
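One way to check the mirroring MiKa asks for mechanically, as an added example that is not part of the thread: it parses the two crypto ACLs as posted (resolving the ASA object names with the mapping the poster gave), normalises each ACE to a proxy-ID tuple, and reports every ACE whose exact mirror (source and destination, including ports, swapped) is missing on the other peer. The ACL text below is a constructed sample copied from the post, with the missing space after `host` restored.

```python
# Constructed sample, modelled on the two crypto ACLs in the thread.
ROUTER_ACL = """
access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20
"""
ASA_ACL = """
access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811
"""
# Object-to-address mapping exactly as the poster stated it.
ASA_OBJECTS = {"CISCO_ASA": "20.20.20.20", "CISCO_2811": "10.10.10.10"}

def parse_ace(line, objects):
    """Return (proto, src, sport, dst, dport) for one 'permit' ACE, else None.
    Handles 'host A' and 'object NAME' endpoints, each optionally followed by
    'eq PORT'; port 0 means 'any port', matching the ident format of
    'show crypto ipsec sa'."""
    toks = line.split()
    if "permit" not in toks:
        return None
    i = toks.index("permit") + 1
    proto, i = toks[i], i + 1
    ends = []
    for _ in range(2):                      # source endpoint, then destination
        kind, val = toks[i], toks[i + 1]
        addr = objects.get(val, val) if kind == "object" else val
        i += 2
        port = 0
        if i < len(toks) and toks[i] == "eq":
            port, i = int(toks[i + 1]), i + 2
        ends.append((addr, port))
    (src, sport), (dst, dport) = ends
    return (proto, src, sport, dst, dport)

def parse_acl(text, objects=None):
    """All ACEs of an ACL as a set of proxy-ID tuples."""
    objects = objects or {}
    return {e for e in (parse_ace(l, objects) for l in text.strip().splitlines()) if e}

def mirror(entry):
    """The ACE the other peer must carry for this one: endpoints and ports swapped."""
    proto, src, sport, dst, dport = entry
    return (proto, dst, dport, src, sport)

def unmirrored(local, remote):
    """ACEs on each side with no exact mirror on the other; each such proxy-ID
    pair cannot complete Phase 2, which is what an empty 'inbound esp sas' shows."""
    return (sorted(e for e in local if mirror(e) not in remote),
            sorted(e for e in remote if mirror(e) not in local))
```

Run on the thread's ACLs it flags only the router's `tcp ... eq 1251` entry, whose port-specific mirror the ASA ACL does not carry, consistent with the zero-counter SA shown for the 6/1251 ident.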