I have established the VPN tunnel, verified with show isakmp and ipsec commands as well as watching the real time log in ASDM. The catch is the VPN tunnel can only be initiated from the remote end (Fortigate VPN Firewall) and I can ping from a remote computer, see the ICMP packet enter the tunnel, and see in the log on the ASA the ICMP with the remote source IP and no echo reply is sent back over the tunnel. If I try to ping from behind the local ASA and the tunnel isn't up, it never goes up. I am not sure what the problem is. I setup a different tunnel to my home ASA to ASA and everything works fine between the local ASA (192.168.150.1) and my home ASA (192.168.1.1).
I have been going through the "Most common L2L and Remote Access VPN" troubleshooting doc form Cisco and will turn on NAT-T on both ends, but what else do I need to do?
ASA Version 8.2(1)
enable password <HIDDEN> encrypted
passwd <HIDDEN> encrypted
ip address 192.168.150.1 255.255.255.0
ip address 188.8.131.52 255.255.255.252
switchport access vlan 2
banner motd [WARNING]
banner motd If you are not authorised to access this system exit immediately.
banner motd Unauthorised access to this system is forbidden by company policies, national, and
banner motd Unauthorised users are subject to criminal and civil penalties as well as company
initiated disciplinary proceedings.
banner motd By entry into this system you acknowledge that you are authorised to access it and
have the level of privilege at which you subsequently operate on this system.
banner motd You consent by entry into this system to the monitoring of your activities.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description used for windows remote desktop
port-object eq 3389
object-group service vnc tcp
description used for vnc remote control software
port-object eq 5900
access-list outside_1_cryptomap extended permit ip 192.168.150.0 255.255.255.0 184.108.40.206
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 220.127.116.11
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0
access-list outside_2_cryptomap extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.150.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http server idle-timeout 120
http 192.168.1.0 255.255.255.0 inside
http 192.168.150.0 255.255.255.0 inside
http 22.214.171.124 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.200.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <hiddenpublicip1>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer <hiddenpublicip2>
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crypto ca certificate chain ASDM_TrustPoint0
3082026d 308201d6 a0030201 0202049f 49814d30 0d06092a 864886f7 0d010104
0500307b 31173015 06035504 03130e49 6e656f73 2d44656c 61776172 65316030
12060355 0405130b 4a4d5831 35303434 32394330 1a06092a 864886f7 0d010908
130d3139 322e3136 382e3135 302e3130 2e06092a 864886f7 0d010902 1621496e
656f732d 44656c61 77617265 2e496e65 6f732d44 656c6177 6172652e 636f6d30
1e170d31 31303331 36323333 3730335a 170d3231 30333133 32333337 30335a30
7b311730 15060355 0403130e 496e656f 732d4465 6c617761 72653160 30120603
55040513 0b4a4d58 31353034 34323943 301a0609 2a864886 f70d0109 08130d31
39322e31 36382e31 35302e31 302e0609 2a864886 f70d0109 02162149 6e656f73
2d44656c 61776172 652e496e 656f732d 44656c61 77617265 2e636f6d 30819f30
0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008bc900 70d74224
d5b0dd7f e3ee482d a236c04e 91f237f3 842198d3 30283a64 029d0ac3 19a40674
dd5faa07 ff5cbd76 62183f13 7903bb92 cb69c600 c87fec4e 7c420f55 86b2c3e0
fc948c5e b06e59ee dd9c1500 7578ef88 a06b3395 8f3040a0 71017df0 8e935f2f
fbd83fa0 f7413498 bd36d95e dd00386e 4344f483 2b68174f 9d020301 0001300d
06092a86 4886f70d 01010405 00038181 00275371 8660da69 ebcea01d 5fe969e8
919d0b96 3044f6c6 0052a4cc 14c89ec4 6d89b2e3 05069550 84740f26 6a03f28c
290cba8e 4d339abc a14db63e acc2e041 1a8fc569 fd3fd443 b9f73a6e 4e405cba
a77a4613 5c4c2f76 c861476c d7f4a404 5456c296 964614c2 4e69d02f a8b30c8e
845117de d21d7794 aaaf5866 160ee2bd de
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 30
no crypto isakmp nat-traversal
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 60
dhcpd address 192.168.150.100-192.168.150.131 inside
dhcpd dns 126.96.36.199 188.8.131.52 interface inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 184.108.40.206 source outside prefer
tunnel-group <hiddenpublicip1> type ipsec-l2l
tunnel-group <hiddenpublicip1> ipsec-attributes
tunnel-group <hiddenpublicip2> type ipsec-l2l
tunnel-group <hiddenpublicip2> ipsec-attributes
prompt hostname context
no asdm history enable
If you can establish another tunnel from the same ASA, I do not believe that it is issue with the ASA.
When you are trying to establish the VPN towards the Fortiget end, can you please share the output of :
show cry isa sa
show cry ipsec sa
You might want to run debug as well to further investigate the issue as this will provide us more details to see where exactly it's failing:
debug cry isa
debug cry ipsec
You've also disabled NAT-T on your crypto map towards the Fortigate: "crypto map outside_map 1 set nat-t-disable". Just want to confirm that there is no NAT/PAT device in between the 2 peers.
Thanks for your help. There are no NAT devices between the endpoints (the ASA has NAT but I have exempted this traffic from it, don't think I would still need NAT-T).
Here are the results when I try to initiate the VPN from the ASA to the Fortigate, just sits there (if I initiated from the Fortigate it was be State:ACTIVE).
sho crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
sho crypto ipsec sa
There are no ipsec sas
debug crypto isakmp
HOSTNAME# debug crypto ipsec
HOSTNAME# Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Removing peer from p
eer table failed, no match!
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed
, no match!
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntr
From the ASA point of view, it has send the first message to Fortigate, and waiting for Fortigate to respond back, and at this stage, there is no reply from Fortigate.
You can see that from the message: MM_WAIT_MSG2, that means MM_WAIT_MSG1 has been sent towards the Fortigate, however, there is no further reply after that.
I would check if there is any firewall/ ACL, etc that blocks UDP/500 between the ASA and Fortigate, maybe more importantly, in the direction from ASA towards the Fortigate.
Since Fortigate is able to initiate the VPN, that means UDP/500 in the direction of Fortigate towards ASA is not blocked.
I had the person on site send me a picture of this new "cable modem" that COMCAST sent them, because she said she was going to bypass the ASA by plugging into one of the free ports on the cable modem... as soon as she said that I knew we were not dealing with a regular old cable modem. Turns out this SMC SMCD3G is a full on gateway with built in cable modem. It has NAT, firewall, DHCP, a whole slew of things a regular cable modem wouldn't!
We were assured Comcast would send us just a cable modem, so frustrating! So we are sending it back, to get a regular cable modem.
I think I know why the ASA to ASA tunnel works both ways, we had NAT-T enabled. For the Fortigate it had NAT-T disabled.
I will let you all know once this gateway is replaced with a regular cable modem, I bet everything will work.
Dear michaeldodd98 ,
If Message : MM_WAIT_MSG2 Means you have to check the Opposite end firewall ( no route towards your end firewall or ISAKMP is down or Not configure the ISAKMP properly ).
I have faced the same issue then i troubleshoot it & it's working fine .
I hope it will helpful for all!!!