Hi MB,

Thanks for responding! thanks for pointing that out, I noticed it later fixed it I mean the acl! still no joys at all! very annoying!

Hi,

You say that both of the ASAs are running 8.4(5) yet to me it seems the VPN configuration commands are in older format?

For example "crypto isakmp policy x" in the newer software have changed to "crypto ikev1 policy x" etc.

Or have you just mistaken about the software level? I think they were in the old format still in 8.3.

- Jouni

Also,

The PSK on the other ASA is missing letter "e"

- Jouni

Hi, Teddi.

Look more precisely to your pre-shared keys. They seem to be different a little)). Plus, if still no joy, enable debug for crypto isakmp/ipsec on ASA3 and see what's going on there.

Hi Andrew and Jouni,

@ Andrew, Thanks for your response! Well truth is that's not what i have on the main config! I changed the real thing to what you see here!

@ Jouni, I get what you mean, even at this, the ASA automagically inputs the ikev1 command in there! after configuring it I did the "sh run crypto ikev1"

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

Thanks

Teddy

Hi,

Next you should probably take the output of a "packet-tracer" command to confirm which rules are hit on the ASA1

packet-tracer input inside tcp 192.168.200.193 12345 10.10.4.100 80

The above are just random IP addresses and ports

Issue the command twice as even if the L2L VPN was itself configured correctly it would take 2 commands to first get it up and then pass the "packet-tracer" normally.

Right after issuing this command check

show crypto ikev1 sa

Or have some host generate a constant ICMP Echo to the remote net and then issue the above command several times and check the output. With this we should be able to determine if the Phase1 negotiation is fine.

- Jouni

Jouni!

Thanks, I will look into that! but If you don't mind me asking you a question please, Do you think on ASA1 because I have an existing working l2l vpn connection, when adding the new ASA3 static nat statemen I should increase the number see how I mean below

ASA1 to ASA2 vpn working

nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

then for ASA 1 to ASA 3 I should make it something like this

nat (inside,outside) 2 source static river_net river_net  destination static dallas_net dallas_net

What do you suggest I do keep it all the nat statement at 1 or I should increase it?

Hi,

The numbering/ordering in the "nat" configurations work the same as with ACLs.

If you have a existing "nat" statement at the very top of the rules and you insert another with the number 1 then it will simply move the previous number 1 rule one step down.

In this case with L2L VPN NAT0 / NAT Exempt type configurations the ordering doesnt really matter between these 2 rules as they have no overlap because of the different destination network.

What I see here on the CSC every now and then is people expiriencing problems with NAT rules when they reuse the same "object network" or "object-group network" in the "nat" configurations.

If we cant find a clear reason for this problem I would suggest that you try out configuring new "object network" or "object-group network" to define the local network for this new L2L VPN connection and use that in the "nat" configuration and try again.

If this doesnt help it might be an idea to reload the firewall (ofcourse saving configurations before that)

But for now should first determine what is happening to the connection attempts and VPN negotiation.

- Jouni

See the output of packt tracer from ASA 1

packet-tracer input inside icmp 192.168.200.196 0 8 10.10.4.202

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net

Additional Information:

NAT divert to egress interface outside

Untranslate 10.10.4.202/0 to 10.10.4.202/0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net

Additional Information:

Static translate 192.168.200.196/0 to 192.168.200.196/0

Phase: 7

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

The same on ASA3 too

sh crypto ikev1 sa

1   IKE Peer: 12.12.12.12 (this is for ASA2 i mentioned that was up and running)

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 13.13.13.13

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_WAIT_MSG5

I am doing futher troubleshooting now! before I wasnt able to establish this at all!! I know I am one step closer! I wouldn't mind your two cents as to how I can best resolve this

Hi,

I dont know why always people change the provided commands The tested ICMP message doesnt correspond to ICMP Echo anymore as you mixed the Type and Code fields. But I guess it doesnt matter in this case.

It would seem to me that the negotiation fails when the peers check the PSK / Pre-shared-key.

So please reconfigure the PSK with matching PSK and test again.

- Jouni

Jouni,

Hehehehe ok, kindly tell me the code type for ICMP in such scenario if you don't mind please.

I have also change the pre-shared-key to something way much simpler, but here's the thing, ASA give me MM_WAIT_MSG5 before the psk change, after that it gives me MM_WAIT_MSG4 while on the other hand ASA3 changes  see below

Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 13.13.13.13

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG4

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1  

IKE Peer: 13.13.13.13

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1  

IKE Peer: 13.13.13.13

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

All these happened within 3 minutes.

Teddy

Hi,

I guess there is always a chance that you got a state of negotiation from a point that was not the one where the negotiation failed.

MM_ACTIVE would seem to point out that the Phase1 is fine.

It might be something wrong with Phase2 configurations.

Can you share the output of

show run crypto map

From the ASA1 and ASA3

And the related output of the ACLs, transform-set and NAT configurations currently active on the devices.

- Jouni

Here it is, I also changed the

ASA1

sh run crypto map

crypto map outside_map 12 match address saka2edo

crypto map outside_map 12 set pfs group1

crypto map outside_map 12 set peer 13.13.13.13

crypto map outside_map 12 set ikev1 transform-set ESP-AES-MD5

crypto map outside_map interface outside

sh run access-list

access-list saka2edo extended permit ip 192.168.200.192 255.255.255.224 10.10.4.0 255.255.255.0

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

sh nat

1 (inside) to (outside) source static river_net river_net   destination static dallas_net dallas_net

    translate_hits = 3, untranslate_hits = 3

2 (inside) to (outside) source static SERVER_SUBNET SERVER_SUBNET   destination static EZVPN_SUBNET EZVPN_SUBNET

    translate_hits = 0, untranslate_hits = 0

3 (inside) to (outside) source static river_net river_net destination static Creek_net Creek_net

    translate_hits = 45080, untranslate_hits = 45080 (this is for ASA2)

ASA3

sh run crypto map

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 11.11.11.11

crypto map outside_map 1 set ikev1 transform-set ESP-AES-MD5

crypto map outside_map interface outside

sh run access-list

access-list outside_1_cryptomap extended permit ip 10.10.4.0 255.255.255.0 192.168.200.192 255.255.255.224

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

sh nat

1 (inside) to (outside) source static dallas_net dallas_net   destination static river_net river_net

    translate_hits = 1137, untranslate_hits = 1137

There you have them.