VPN ASA<->7200

Russell Stamey
Level 1

Hello,

I have been trying to get a tunnel established all day and seem to be having a problem that I have not encountered a lot.

The local equipment is a 5510 ASA and the remote equipment is a 7200 series router.

I'll post configs and debug output from each device. Both devices already have multiple VPNs running.

The weird thing is, if you ping from the remote end to the local end, the tunnel builds and traffic flows in both directions. But if you try to establish from the local end to the remote end, you get nothing.

Any idea what may be going on here?

Local: ASA

interface Ethernet0/0
 nameif Outside-Verizon
 security-level 0
 ip address xxx.xxx.223.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside-LAN
 security-level 100
 ip address xxx.xxx.253.10 255.255.255.0
!
crypto map Outside-Verizon_map 276 match address Outside-Verizon_cryptomap_276
crypto map Outside-Verizon_map 276 set peer xxx.xxx.182.249
crypto map Outside-Verizon_map 276 set transform-set ESP-AES-256-SHA
crypto map Outside-Verizon_map 276 set security-association lifetime seconds 3600
!
nat (Inside-LAN) 0 access-list Inside-LAN_nat0_outbound
!
access-list Inside-LAN_nat0_outbound line 119 extended permit ip host 192.168.253.213 10.100.20.0 255.255.255.0
access-list Inside-LAN_nat0_outbound line 120 extended permit ip host 192.168.253.192 10.100.20.0 255.255.255.0
!
crypto isakmp policy 110
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
route Outside-Verizon 10.100.20.0 255.255.255.0 xxx.xxx.223.1(WAN gateway) 1
!
tunnel-group xxx.xxx.182.249 type ipsec-l2l
tunnel-group xxx.xxx.182.249 ipsec-attributes
 pre-shared-key xxxxxxxxx

DEBUG FROM LOCAL ASA:

, Header invalid, missing SA payload!

(and the ISAKMP SA keeps getting stuck at MM_WAIT_MSG6)

Remote: Router

crypto isakmp profile radixx-dev-tunnel
   vrf airsk-radixx
   keyring radixx-dev-keyring
   match identity address xxx.xxx.223.10 255.255.255.255
crypto keyring radixx-dev-keyring
  pre-shared-key address xxx.xxx.223.10 key xxxxxxxxx
crypto map IPsec_VPN 710 ipsec-isakmp
 description Tunnel to Radixx-Development
 set peer xxx.xxx.223.10
 set transform-set IPsec_VPN2
 set isakmp-profile radixx-dev-tunnel
 match address radixx-dev-acl
ip access-list extended radixx-dev-acl
 permit ip 10.100.20.0 0.0.0.255 host 192.168.253.192
 permit ip 10.100.20.0 0.0.0.255 host 192.168.253.213
ip route vrf radixx-dev 192.168.253.192 255.255.255.255 208.255.223.10 global name radixx-dev
ip route vrf radixx-dev 192.168.253.213 255.255.255.255 208.255.223.10 global name radixx-dev
****
crypto ipsec transform-set IPsec_VPN2 esp-aes 256 esp-sha-hmac
****

DEBUG From Router:

Jun 27 13:12:23.534: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xxx.xxx.223.10 failed its sanity check or is malformed
Jun 27 13:12:43.414: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from xxx.xxx.223.10 was not encrypted and it should've been.
Jun 27 13:12:44.414: ISAKMP:(17694):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer xxx.xxx.223.10)
Jun 27 13:12:44.414: ISAKMP:(17694):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer xxx.xxx.223.10)
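As an added triage example (not from the thread, and not the poster's or Cisco's code): a small Python parser over constructed IOS log lines shaped like the router debug above. It groups the %CRYPTO mnemonics and ISAKMP deletion records per peer and names the main-mode stage at which the SA died; the peer addresses and connection ids are placeholders, and the verdict strings are this example's own wording.

```python
import re

# Constructed sample shaped like the router lines in the thread; peers and ids are placeholders.
SAMPLE_LOG = """\
Jun 27 13:12:23.534: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 198.51.100.10 failed its sanity check or is malformed
Jun 27 13:12:43.414: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 198.51.100.10 was not encrypted and it should've been.
Jun 27 13:12:44.414: ISAKMP:(17694):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 198.51.100.10)
Jun 27 13:20:01.000: ISAKMP:(17700):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.7)
"""

MNEMONIC_RE = re.compile(r"%CRYPTO-\d-(IKMP_\w+): IKE (?:message|packet) from (\S+)")
DELETE_RE = re.compile(r'ISAKMP:\(\d+\):deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer (\S+)\)')

def parse_ike_events(text):
    """Return (peer, event, detail) tuples from IOS %CRYPTO and ISAKMP deletion lines."""
    events = []
    for line in text.splitlines():
        m = MNEMONIC_RE.search(line)
        if m:  # syslog mnemonic such as IKMP_NOT_ENCRYPTED, keyed by the peer address
            events.append((m.group(2), m.group(1), None))
            continue
        m = DELETE_RE.search(line)
        if m:  # SA torn down: keep our role (I/R) and the main-mode state it died in
            reason, role, state, peer = m.groups()
            events.append((peer, "SA_DELETED", {"role": role, "state": state, "reason": reason}))
    return events

def triage(events):
    """Group events per peer and name the Phase 1 stage at which the SA died."""
    per_peer = {}
    for peer, event, detail in events:
        rec = per_peer.setdefault(peer, {"signals": set(), "role": None, "state": None})
        if event == "SA_DELETED":
            rec["role"], rec["state"] = detail["role"], detail["state"]
            rec["signals"].add(detail["reason"])
        else:
            rec["signals"].add(event)
    for rec in per_peer.values():
        # Responder at MM_KEY_EXCH logging NOT_ENCRYPTED could not decrypt MM5 (initiator shows MM_WAIT_MSG6)
        if rec["role"] == "R" and rec["state"] == "MM_KEY_EXCH" and "IKMP_NOT_ENCRYPTED" in rec["signals"]:
            rec["verdict"] = "MM5 undecryptable by responder: verify PSK/keyring/identity selection for this peer"
        elif rec["role"] == "I" and rec["state"] == "MM_NO_STATE":
            rec["verdict"] = "no answer to MM1: peer unreachable, filtered, or not configured for this source"
        else:
            rec["verdict"] = "phase 1 failed: collect full debug crypto isakmp for this peer"
    return per_peer

if __name__ == "__main__":
    for peer, rec in triage(parse_ike_events(SAMPLE_LOG)).items():
        print(peer, rec["role"], rec["state"], rec["verdict"])
```

Feed it the output of show logging from the responder side; a peer whose record reads role R, state MM_KEY_EXCH with IKMP_NOT_ENCRYPTED is the one-directional pattern the thread describes, where the key material derived for that peer, not the Phase 2 parameters, is the first thing to check.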

3 Replies

shine pothen
Level 3

Ping from the ASA to the 7200 router, get the output, and then get the output for the commands

sh cry isa sa and sh cry ipsec sa

then

ping from the 7200 router to the ASA, get the output, and get the output for the commands

sh cry session
sh cry ipsec sa
sh cry isa sa

Please get the output for us.

Shine

I can already tell you what the output is.

When pinging from the ASA to the router,

show crypto isakmp sa outputs: MM_WAIT_MSG6

show crypto ipsec sa gives nothing

When pinging from the router to the ASA, the tunnel builds like normal with no issues.

I will get the output anyway, but will have to wait for the owner of the remote device to call me sometime today.

Output from the local router:

show crypto isakmp sa: MM_WAIT_MSG6
show crypto ipsec sa: no output

This is the output from the remote router:

VPNKOPBR01#sho crypto isakmp sa | i xxx.xxx.233.10
VPNKOPBR01#ping vrf airsk-radixx ip 192.168.253.192 source loopback 27
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.253.192, timeout is 2 seconds:
Packet sent with a source address of 10.100.20.50
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 124/126/128 ms
VPNKOPBR01#sho crypto isakmp sa | i xxx.xxx.233.10
xxx.xxx.233.10  xxx.xxx.182.249  QM_IDLE          17347 ACTIVE
VPNKOPBR01#sho crypto ipsec sa | b xxx.xxx.233.10
   current_peer xxx.xxx.233.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: xxx.xxx.182.249, remote crypto endpt.: xxx.xxx.233.10
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

I'm starting to wonder if it has to do with the remote end's config. They are using an ISAKMP profile, and I am not sure whether an ASA will play nicely with a router using that type of setup.

Any idea what could be causing this?
