12-20-2011 07:49 AM
We have installed an ASA 5510, running version 8.3(1) of the software. In a remote location, we have a Cisco 851 Router with an IPSec VPN tunnel to a PIX 515e. I am attempting to initiate a backup connection between the 851 and the new ASA, and I am having trouble. I have used ASDM on the ASA side, and CCP on the 851 side, and created a new site-to-site VPN on both, with matching PSK, encryption algorithms, etc. I have verified connectivity between the outside interfaces of both devices, and the associated ACLs are simple, in that they allow all IP traffic from the internal side of both devices to talk to each other.
When I do a "show crypto isakmp sa" on the ASA, I receive "there are no isakmp sas". When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel is not even initiating. I've turned various crypto debugs on, and sent a series of pings, and I still do not see any tunnel initiation even being attempted.
CCP has a VPN test tool built in for the router. Does ASDM have a similar feature? Below are the relevant configs (at least I think...the ASA is pretty greek to me):
ASA 5510 (Inside network of 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP)
access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0
!
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap
crypto map ATTOutside_map 2 set peer 24.140.152.144
crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5
crypto map ATTOutside_map interface ATTOutside
!
crypto isakmp enable ATTOutside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 24.140.152.144 type ipsec-l2l
tunnel-group 24.140.152.144 ipsec-attributes
!
851 Router (Inside network of 10.192.4.0/24)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key si9bw1u8woaz address 65.42.15.142
crypto isakmp key 123 address 12.49.251.3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.42.15.142
 set peer 65.42.15.142
 set transform-set ESP-3DES-SHA1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to12.49.251.3
 set peer 12.49.251.3
 set transform-set ESP_3DES_MD5
 match address 102
!
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255
12-20-2011 09:46 AM
Michael,
Since you are using the same ACL, same subnets and same everything on your Router config for your VPN tunnels 1 and 2, your second VPN tunnel will fail to come up because the Router already has a tunnel with the PIX for that same traffic.
If you want to configure the ASA as a backup peer, scratch the second crypto map and instead add the ASA public IP address as a second peer under the original crypto configuration.
Like this:
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.42.15.142
 set peer 65.42.15.142
 set transform-set ESP-3DES-SHA1
 set peer 12.49.251.3
 match address 102
The router will attempt to connect to the PIX and if that fails (meaning the PIX never responded) then it will try to connect to the ASA.
To test it you could do either one of two things: 1. Take the PIX internet connection down, which will make the router try to connect to the secondary peer. 2. On the router, change (temporarily) the peer address of the PIX to a bogus IP that will not respond; when that one fails, the router should try to negotiate with the ASA.
I hope this helps.
Raga
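As an added illustration of the answer above (not part of the thread and not a Cisco tool), this Python check parses IOS crypto map entries, flags entries of the same map that match the same ACL, and rewrites them as one entry with an ordered peer list; the sample config is constructed from the 851's crypto map quoted in the question.

```python
import re
from collections import defaultdict

# Constructed from the 851's crypto map in the question: two entries, two peers, one ACL.
ROUTER_CRYPTO_MAP = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to65.42.15.142
 set peer 65.42.15.142
 set transform-set ESP-3DES-SHA1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to12.49.251.3
 set peer 12.49.251.3
 set transform-set ESP_3DES_MD5
 match address 102
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")


def parse_crypto_map(config):
    """One dict per 'crypto map NAME SEQ ipsec-isakmp' entry, with its indented sub-commands."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"map": m.group(1), "seq": int(m.group(2)),
                            "peers": [], "transform_sets": [], "acl": None})
            continue
        if not entries or not line.startswith(" "):
            continue
        words = line.split()
        if words[:2] == ["set", "peer"]:
            entries[-1]["peers"].append(words[2])
        elif words[:2] == ["set", "transform-set"]:
            entries[-1]["transform_sets"].extend(words[2:])
        elif words[:2] == ["match", "address"]:
            entries[-1]["acl"] = words[2]
    return entries


def find_duplicate_acls(entries):
    """Entries of the same map that match the same ACL. IOS evaluates entries by sequence
    number, so traffic always hits the lowest one and the others never negotiate an SA."""
    by_acl = defaultdict(list)
    for e in entries:
        by_acl[(e["map"], e["acl"])].append(e["seq"])
    return {key: sorted(seqs) for key, seqs in by_acl.items() if len(seqs) > 1}


def merge_as_backup_peers(entries, map_name, seqs):
    """Collapse duplicate entries into one entry with an ordered 'set peer' list (the fix
    from the answer). Every transform set of the merged entries is kept: IOS accepts several
    per entry, so whichever peer answers can still find an acceptable proposal."""
    dupes = sorted((e for e in entries if e["map"] == map_name and e["seq"] in seqs),
                   key=lambda e: e["seq"])
    primary = dupes[0]
    lines = [f"crypto map {map_name} {primary['seq']} ipsec-isakmp"]
    lines += [f" set peer {peer}" for e in dupes for peer in e["peers"]]
    transform_sets = list(dict.fromkeys(ts for e in dupes for ts in e["transform_sets"]))
    lines.append(" set transform-set " + " ".join(transform_sets))
    lines.append(f" match address {primary['acl']}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_crypto_map(ROUTER_CRYPTO_MAP)
    for (name, acl), seqs in find_duplicate_acls(parsed).items():
        print(f"{name}: entries {seqs} all match ACL {acl}; merged entry:")
        print(merge_as_backup_peers(parsed, name, seqs))
```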
12-20-2011 11:04 AM
Thanks Luis. I will give that a try when I have a short outage window, just in case the second tunnel fails to come online.
As a side note, I added an ACE to the Global ACL on the ASA allowing all Inside network traffic (10.20.0.0/16) to access the 10.192.4.0/24 network. Now, when I do a packet trace, the tunnels show as QM_IDLE for the new test tunnel on both ends; however, it appears that Phase 2 is not completing, and the packet is dropped. I suspect I have a mismatch or bad ACE somewhere. I am receiving debugs now as well:
ASA-NCA-SVRRM-5510# Dec 20 12:02:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=10.20.1.249, sport=0, daddr=10.192.4.1, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map ATTOutside_map 2: matched.
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE Initiator: New Phase 1, Intf ATTOutside, IKE Peer 24.140.152.144 local Proxy Address 10.20.0.0, remote Proxy Address 10.192.4.0, Crypto map (ATTOutside_map)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing ISAKMP SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver 02 payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver 03 payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Traversal VID ver RFC payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing Fragmentation VID + extended capabilities payload
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Oakley proposal is acceptable
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received NAT-Traversal ver 03 VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing ke payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing Cisco Unity VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing xauth V6 VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Send IOS VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, constructing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing ke payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing ISA_KE payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received Cisco Unity client VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received DPD VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing VID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Received xauth V6 VID
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, processing NAT-Discovery payload
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, computing NAT Discovery hash
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Connection landed on tunnel_group 24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Generating keys for Initiator...
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing ID payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Computing hash for ISAKMP
Dec 20 12:02:30 [IKEv1 DEBUG]: IP = 24.140.152.144, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing dpd vid payload
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing ID payload
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, ID_IPV4_ADDR ID received
24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Computing hash for ISAKMP
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Connection landed on tunnel_group 24.140.152.144
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Oakley begin quick mode
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator starting QM: msg id = 163e1e74
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, PHASE 1 COMPLETED
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, Keep-alive type for this connection: DPD
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Starting P1 rekey timer: 82080 seconds.
IPSEC: New embryonic SA created @ 0xAD5F9C68,
SCB: 0xACABE8F0,
Direction: inbound
SPI : 0x7842D0EA
Session ID: 0x00005000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE got SPI from key engine: SPI = 0x7842d0ea
IPSEC: New embryonic SA created @ 0xAD31BD60,
SCB: 0xAC6CA9A0,
Direction: inbound
SPI : 0x56372EA8
Session ID: 0x00005000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE got SPI from key engine: SPI = 0x56372ea8
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, oakley constucting quick mode
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec SA payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec nonce payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing proxy ID
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Transmitting Proxy Id:
Local subnet: 10.20.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 10.192.4.0 Mask 255.255.255.0 Protocol 0 Port 0
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator sending Initial Contact
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:02:30 [IKEv1 DECODE]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Initiator sending 1st QM pkt: msg id = 163e1e74
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=163e1e74) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 252
Dec 20 12:02:30 [IKEv1]: IP = 24.140.152.144, IKE_DECODE RECEIVED Message (msgid=7e0195a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 184
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing hash payload
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, processing notify payload
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Received non-routine Notify message: No proposal chosen (14)
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, QM FSM error (P2 struct &0xad5f8af8, mess id 0x163e1e74)!
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE QM Initiator FSM error history (struct &0xad5f8af8)
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, sending delete/delete with reason message
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IPSec delete payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=c75f1d0f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Deleting SA: Remote Proxy 10.192.4.0, Local Proxy 10.20.0.0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE Deleting SA: Remote Proxy 10.192.4.0, Local Proxy 10.20.0.0
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Removing peer from correlator table failed, no match!
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE SA MM:cdf99a95 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, IKE SA MM:cdf99a95 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, sending delete/delete with reason message
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing blank hash payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing IKE delete payload
Dec 20 12:03:02 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, constructing qm hash payload
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, IKE_DECODE SENDING Message (msgid=37d23f05) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 20 12:03:02 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x56372ea8
Dec 20 12:03:02 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x56372ea8
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Session is being torn down. Reason: Lost Service
Dec 20 12:03:02 [IKEv1]: Ignoring msg to mark SA with dsID 20480 dead because SA deleted
Dec 20 12:03:02 [IKEv1]: IP = 24.140.152.144, Received encrypted packet with no matching SA, dropping
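The debug above shows Phase 1 completing and quick mode failing with "No proposal chosen". As an added example (not from the thread or from Cisco), this Python triage extracts that state plus the proxy IDs the ASA sent, and checks them against the router's crypto ACL to rule out the mirror-ACL mismatch the poster suspected; the log excerpt and ACL line are constructed from what is quoted in this thread.

```python
import ipaddress
import re

# Constructed excerpt of the ASA "debug crypto isakmp" output quoted above (lines trimmed).
ASA_DEBUG = """\
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, PHASE 1 COMPLETED
Dec 20 12:02:30 [IKEv1 DEBUG]: Group = 24.140.152.144, IP = 24.140.152.144, Transmitting Proxy Id:
Local subnet: 10.20.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 10.192.4.0 Mask 255.255.255.0 Protocol 0 Port 0
Dec 20 12:02:30 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, Received non-routine Notify message: No proposal chosen (14)
Dec 20 12:03:02 [IKEv1]: Group = 24.140.152.144, IP = 24.140.152.144, QM FSM error (P2 struct &0xad5f8af8, mess id 0x163e1e74)!
"""

# The 851's crypto ACL entry that should mirror the ASA's proxy IDs (from the router config above).
ROUTER_ACL = "access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255"

PROXY_RE = re.compile(r"^(Local|Remote) subnet: (\S+) [Mm]ask (\S+)", re.M)
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def triage_ikev1(debug):
    """Report how far main mode / quick mode got and what the peer said when it refused."""
    proxies = {side.lower(): ipaddress.ip_network(f"{net}/{mask}")
               for side, net, mask in PROXY_RE.findall(debug)}
    notify = NOTIFY_RE.search(debug)
    return {
        "phase1_completed": "PHASE 1 COMPLETED" in debug,
        "phase2_failed": "QM FSM error" in debug,
        "notify": notify.group(1) if notify else None,
        "local_proxy": proxies.get("local"),
        "remote_proxy": proxies.get("remote"),
    }


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks, i.e. the bitwise inverse of a netmask."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(inverted)}", strict=False)


def acl_mirrors_proxy(acl_line, local_proxy, remote_proxy):
    """The far side's crypto ACL must be the mirror image of our proxy IDs:
    its source is our remote proxy and its destination is our local proxy."""
    _, _, action, proto, src, src_wc, dst, dst_wc = acl_line.split()
    if action != "permit" or proto != "ip":
        return False
    return (wildcard_to_network(src, src_wc) == remote_proxy
            and wildcard_to_network(dst, dst_wc) == local_proxy)


if __name__ == "__main__":
    result = triage_ikev1(ASA_DEBUG)
    print(result)
    # Here the proxy IDs do mirror the router's ACL, so "No proposal chosen" is not an
    # ACL mismatch: as the answer says, the router already holds an IPSec SA with the
    # PIX for this traffic and rejects a second negotiation for it.
    print("ACL mirrors proxy IDs:",
          acl_mirrors_proxy(ROUTER_ACL, result["local_proxy"], result["remote_proxy"]))
```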
12-20-2011 11:18 AM
Yeah, well, like I mentioned, if the Router already has an IPSec SA created for that traffic then the ASA will fail to negotiate the tunnel because the router will reject the IPSec negotiation. That's why you need to take the first tunnel down to be able to fully test it.
Have fun.
Raga
12-20-2011 11:34 AM
Ah, now I get it. I did a quick test. On the router, I removed the PIX peer address...the ASA tunnel came right online fully. Now, with that said, my core routers at the head end still use the PIX as their default gateway, thus, a ping was not returning to my remote 851 as of yet. I will need a slightly longer outage window to completely test end-to-end because of the core router gateway change.
For what it's worth, my ASA is connected to the production network, but none of my network devices are using it as a gateway at this time. That change will probably come early next week.
Thank you for your help.
12-20-2011 11:43 AM
Great to hear that! Yeah, basically you need to have the main line "down" so that the tunnel gets negotiated with the other peer.
About the routing, you might need to add some backup routes with IP SLAs to determine how the traffic needs to be routed.
Have a good one!