07-17-2013 03:09 PM
Hi Experts!
Having a funny issue I'm experiencing, just thinking to myself what I could be doing wrong. I have 2 ASAs with software code 8.4.5 running on both of them. ASA1 is a 5510 on which I have two active VPN connections: an L2L with another ASA 5505 and a Remote VPN for remote users. See the attached topology.
Now I am trying to introduce another ASA to do a site-to-site VPN connection on it. Call it ASA3, since I already have an established L2L VPN configuration on ASA2.
See the config for ASA1 & 2 l2l VPN that's working:
object network Creek_net
 subnet 10.10.0.0 255.255.255.0
object network river_net
 subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ratrace1!
 isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static Creek_net Creek_net destination static river_net river_net

object network river_net
 subnet 192.168.200.192 255.255.255.224
object network creek_net
 subnet 10.10.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
 pre-shared-key ratrace1!
 isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 80.248.11.15
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net destination static Creek_net Creek_net
Above is the working VPN configuration that is perfectly fine! No issue whatsoever.
===============================================================================================================
Then I tried introducing ASA3 for a branch office with the below configuration.
ASA3
object network dallas_net
 subnet 10.10.0.0 255.255.255.0
object network river_net
 subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key mouserace1!
 isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static dallas_net dallas_net destination static river_net river_net
ASA1
object network river_net
 subnet 192.168.200.192 255.255.255.224
object network dallas_net
 subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 13.13.13.13 type ipsec-l2l
tunnel-group 13.13.13.13 ipsec-attributes
 pre-shared-key mousrace1!
 isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net destination static dallas_net dallas_net
I would appreciate someone pointing out my mistake.
Thanks
Teddy
07-18-2013 12:34 AM
Hi,
You must correct the subnet in the object "network dallas_net" and in the access list.
From 10.10.0.0 to 10.10.4.0.
Your current configuration:
ASA3
object network dallas_net
subnet 10.10.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
ASA1
object network dallas_net
subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
________________
Best regards,
MB
07-18-2013 01:23 AM
Hi MB,
Thanks for responding! Thanks for pointing that out, I noticed it later and fixed it, I mean the ACL! Still no joy at all! Very annoying!
07-18-2013 01:33 AM
Hi,
You say that both of the ASAs are running 8.4(5), yet to me it seems the VPN configuration commands are in the older format?
For example "crypto isakmp policy x" in the newer software has changed to "crypto ikev1 policy x" etc.
Or are you just mistaken about the software level? I think they were still in the old format in 8.3.
- Jouni
07-18-2013 01:34 AM
Also,
The PSK on the other ASA is missing the letter "e".
- Jouni
07-18-2013 01:34 AM
Hi, Teddi.
Look more carefully at your pre-shared keys. They seem to be a little different)). Plus, if still no joy, enable debug for crypto isakmp/ipsec on ASA3 and see what's going on there.
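The two mismatches pointed out in the replies above (MB's 10.10.0.0 versus 10.10.4.0 between the dallas_net object and the crypto ACL, and the one-letter difference between the pre-shared keys) are exactly the kind of thing a small config cross-check catches before a tunnel is ever brought up. The following Python script is an added example, not code from this thread or from Cisco. It parses only the object, access-list, tunnel-group, crypto map and identity-NAT lines of two running-config fragments (constructed here from the first post, assuming the thread's placeholder outside addresses 11.11.11.11 for ASA1 and 13.13.13.13 for ASA3), checks that the crypto ACLs mirror each other, that every identity NAT pair has a matching crypto ACL pair, and that the PSKs agree. It goes one step beyond the replies by also flagging a crypto ACL pair that appears under two crypto map entries with different peers, which ASA1's outside_1_cryptomap and outside_2_cryptomap do as posted (both are 192.168.200.192/27 -> 10.10.0.0/24, so the lower sequence number wins for that traffic).

```python
"""Cross-check an ASA IPsec L2L pair: crypto ACL mirroring, identity NAT vs crypto
ACL, PSK equality and overlapping crypto ACLs (added example, not from the thread)."""
import ipaddress
import re

# Constructed running-config fragments modelled on the first post; 11.11.11.11 (ASA1)
# and 13.13.13.13 (ASA3) are the thread's placeholder outside addresses.
ASA1 = """\
object network river_net
 subnet 192.168.200.192 255.255.255.224
object network Creek_net
 subnet 10.10.0.0 255.255.255.0
object network dallas_net
 subnet 10.10.4.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 12.12.12.12 ipsec-attributes
 pre-shared-key ratrace1!
tunnel-group 13.13.13.13 ipsec-attributes
 pre-shared-key mousrace1!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.12.12.12
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set peer 13.13.13.13
nat (inside,outside) 1 source static river_net river_net destination static Creek_net Creek_net
nat (inside,outside) 1 source static river_net river_net destination static dallas_net dallas_net
"""
ASA3 = """\
object network dallas_net
 subnet 10.10.0.0 255.255.255.0
object network river_net
 subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key mouserace1!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 11.11.11.11
nat (inside,outside) 1 source static dallas_net dallas_net destination static river_net river_net
"""
# The same two fragments after MB's subnet fix and with a matching PSK on both sides.
ASA1_FIXED = ASA1.replace("outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0",
                          "outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.4.0"
                          ).replace("mousrace1!", "mouserace1!")
ASA3_FIXED = ASA3.replace("10.10.0.0", "10.10.4.0")


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}")  # accepts dotted masks such as 255.255.255.224


def parse_asa(text):
    """Pick the objects, crypto ACLs, PSKs, crypto map entries and identity NAT rules
    out of a running-config fragment (only the commands the checks below need)."""
    cfg = {"objects": {}, "acls": {}, "psks": {}, "maps": {}, "nat": []}
    ctx = None  # ("object" | "tg", name): the mode whose sub-commands follow
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"object network (\S+)$", line):
            ctx = ("object", m[1])
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            ctx = ("tg", m[1])
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and ctx and ctx[0] == "object":
            cfg["objects"][ctx[1]] = _net(m[1], m[2])
        elif (m := re.match(r"pre-shared-key (\S+)$", line)) and ctx and ctx[0] == "tg":
            cfg["psks"][ctx[1]] = m[1]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)$", line):
            entry = cfg["maps"].setdefault((m[1], int(m[2])), {})
            entry["acl" if m[3] == "match address" else "peer"] = m[4]
        elif m := re.match(r"nat \(\S+,\S+\) (?:\d+ )?source static (\S+) \1 destination static (\S+) \2$", line):
            cfg["nat"].append((m[1], m[2]))  # identity (NAT-exempt) rules only
    return cfg


def check_l2l(name_a, cfg_a, addr_a, name_b, cfg_b, addr_b):
    """Findings for the tunnel between A (outside addr_a) and B (outside addr_b)."""
    findings = []
    # 1. Each side keys the tunnel-group, and so the PSK, by the other side's address.
    if cfg_a["psks"].get(addr_b) != cfg_b["psks"].get(addr_a):
        findings.append(f"PSK mismatch: {name_a} tunnel-group {addr_b} vs {name_b} tunnel-group {addr_a}")
    # 2. The crypto ACLs of the two peers must mirror each other exactly.
    pairs = {}
    for name, cfg, peer in ((name_a, cfg_a, addr_b), (name_b, cfg_b, addr_a)):
        pairs[name] = {p for e in cfg["maps"].values() if e.get("peer") == peer
                       for p in cfg["acls"].get(e.get("acl"), [])}
    for x, y in ((name_a, name_b), (name_b, name_a)):
        if not pairs[x]:
            findings.append(f"{x}: no crypto map entry with a crypto ACL for its peer")
        for src, dst in pairs[x]:
            if (dst, src) not in pairs[y]:
                findings.append(f"{x} crypto ACL {src} -> {dst} is not mirrored on {y}")
    # 3. Per device: a pair claimed by two entries with different peers is shadowed by the
    #    lower sequence number, and an identity NAT pair with no crypto ACL pair means the
    #    exempted traffic is never matched by the crypto map.
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        seen = {}  # (src, dst) -> (seq, peer) of the first crypto map entry using it
        for (_, seq), e in sorted(cfg["maps"].items()):
            for p in cfg["acls"].get(e.get("acl"), []):
                if p in seen and seen[p][1] != e.get("peer"):
                    findings.append(f"{name}: crypto ACL {p[0]} -> {p[1]} overlaps between seq "
                                    f"{seen[p][0]} (peer {seen[p][1]}) and seq {seq} (peer {e.get('peer')})")
                seen.setdefault(p, (seq, e.get("peer")))
        for src_obj, dst_obj in cfg["nat"]:
            pair = (cfg["objects"].get(src_obj), cfg["objects"].get(dst_obj))
            if None not in pair and pair not in seen:
                findings.append(f"{name}: identity NAT {src_obj} -> {dst_obj} "
                                f"({pair[0]} -> {pair[1]}) matches no crypto ACL entry")
    return findings


if __name__ == "__main__":
    for label, a, b in (("as posted", ASA1, ASA3), ("after fixes", ASA1_FIXED, ASA3_FIXED)):
        found = check_l2l("ASA1", parse_asa(a), "11.11.11.11", "ASA3", parse_asa(b), "13.13.13.13")
        print(f"{label}: {len(found)} finding(s)", *found, sep="\n  ")
```

Run as posted it reports the PSK mismatch, the ASA1 identity NAT for dallas_net (10.10.4.0/24) that no crypto ACL covers, and the overlap between sequence 1 and sequence 12 on ASA1; after the subnet and PSK fixes it reports nothing. The mirror check is deliberately exact (same networks, swapped), since a superset on one side is accepted by some peers and rejected by others and is better caught in review than in a debug.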
07-18-2013 02:38 AM
Hi Andrew and Jouni,
@ Andrew, thanks for your response! Well, truth is that's not what I have in the main config! I changed the real thing to what you see here!
@ Jouni, I get what you mean; even so, the ASA automagically puts the ikev1 command in there! After configuring it I did "sh run crypto ikev1":
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
Thanks
Teddy
07-18-2013 02:43 AM
Hi,
Next you should probably take the output of a "packet-tracer" command to confirm which rules are hit on ASA1:
packet-tracer input inside tcp 192.168.200.193 12345 10.10.4.100 80
The above are just random IP addresses and ports.
Issue the command twice, as even if the L2L VPN itself was configured correctly, it would take 2 commands to first get it up and then pass the "packet-tracer" normally.
Right after issuing this command check
show crypto ikev1 sa
Or have some host generate a constant ICMP Echo to the remote net and then issue the above command several times and check the output. With this we should be able to determine if the Phase1 negotiation is fine.
- Jouni
07-18-2013 03:05 AM
Jouni!
Thanks, I will look into that! But if you don't mind me asking you a question please: do you think that on ASA1, because I have an existing working L2L VPN connection, when adding the new ASA3 static NAT statement I should increase the number? See what I mean below.
ASA1 to ASA2 vpn working
nat (inside,outside) 1 source static river_net river_net destination static Creek_net Creek_net
then for ASA 1 to ASA 3 I should make it something like this
nat (inside,outside) 2 source static river_net river_net destination static dallas_net dallas_net
What do you suggest I do, keep all the NAT statements at 1 or increase it?
07-18-2013 03:13 AM
Hi,
The numbering/ordering in the "nat" configurations works the same as with ACLs.
If you have an existing "nat" statement at the very top of the rules and you insert another with the number 1, then it will simply move the previous number 1 rule one step down.
In this case, with L2L VPN NAT0 / NAT Exempt type configurations, the ordering doesn't really matter between these 2 rules as they have no overlap because of the different destination network.
What I see here on the CSC every now and then is people experiencing problems with NAT rules when they reuse the same "object network" or "object-group network" in the "nat" configurations.
If we can't find a clear reason for this problem, I would suggest that you try configuring a new "object network" or "object-group network" to define the local network for this new L2L VPN connection, use that in the "nat" configuration and try again.
If this doesn't help, it might be an idea to reload the firewall (of course saving the configuration before that).
But for now we should first determine what is happening to the connection attempts and the VPN negotiation.
- Jouni
07-18-2013 03:56 AM
See the output of packet-tracer from ASA1
packet-tracer input inside icmp 192.168.200.196 0 8 10.10.4.202
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.4.202/0 to 10.10.4.202/0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net
Additional Information:
Static translate 192.168.200.196/0 to 192.168.200.196/0
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The same on ASA3 too
sh crypto ikev1 sa
1 IKE Peer: 12.12.12.12 (this is for ASA2, which I mentioned was up and running)
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 13.13.13.13
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
I am doing further troubleshooting now! Before, I wasn't able to establish this at all!! I know I am one step closer! I wouldn't mind your two cents as to how I can best resolve this.
07-18-2013 04:13 AM
Hi,
I don't know why people always change the provided commands. The tested ICMP message doesn't correspond to ICMP Echo anymore, as you mixed up the Type and Code fields. But I guess it doesn't matter in this case.
It would seem to me that the negotiation fails when the peers check the PSK / Pre-shared-key.
So please reconfigure the PSK with matching PSK and test again.
- Jouni
07-18-2013 04:27 AM
Jouni,
Hehehehe ok, kindly tell me the code/type for ICMP in such a scenario if you don't mind please.
I have also changed the pre-shared key to something much simpler, but here's the thing: the ASA gave me MM_WAIT_MSG5 before the PSK change, after that it gives me MM_WAIT_MSG4, while on the other hand ASA3 changes, see below:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 13.13.13.13
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 13.13.13.13
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 13.13.13.13
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
All these happened within 3 minutes.
Teddy
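Jouni's reading of these states (MM_ACTIVE means Phase 1 is fine; a stuck MM_WAIT_MSGx means it is not) can be turned into a small parser for "show crypto ikev1 sa", so that the output pasted above is read the same way every time instead of by eye. This is an added example, not code from the thread or from Cisco: the sample output is constructed to follow the format posted above (one peer up, one stuck), and the per-state hints are general IKEv1 main-mode facts (messages 1-2 carry the proposal, 3-4 the Diffie-Hellman exchange, 5-6 the encrypted identity and authentication; MM_WAIT_MSGn means the device has sent message n-1 and is waiting for n).

```python
"""Parse "show crypto ikev1 sa" and say which main-mode step each SA is stuck at
(added example, not from the thread)."""
import re

# Constructed output in the format posted above: one peer already up, one stuck.
SAMPLE = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 12.12.12.12
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 13.13.13.13
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
"""

# One SA spans three lines; \s+ also copes with the index landing on its own line,
# as it did in the output pasted above.
SA_RE = re.compile(r"IKE Peer:\s*(\S+)\s+Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)"
                   r"\s+Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")


def parse_ikev1_sa(text):
    """Return one dict per IKEv1 SA listed in the command output."""
    return [dict(zip(("peer", "type", "role", "rekey", "state"), hit))
            for hit in SA_RE.findall(text)]


def explain(sa):
    """Translate an SA's main-mode state into the negotiation step to look at.
    MM_WAIT_MSGn: this device has sent message n-1 and is waiting for message n."""
    state = sa["state"]
    if state == "MM_ACTIVE":
        return "phase 1 complete; if traffic still fails, check phase 2 (crypto ACL, transform-set, PFS)"
    m = re.match(r"MM_WAIT_MSG(\d)$", state)
    if not m:
        return f"state {state} not handled here"
    n = int(m[1])
    if n == 2:
        return "no reply to MSG1: peer unreachable, IKEv1 not enabled on its interface, or UDP/500 blocked"
    if n in (3, 4):
        return "proposal exchanged, key exchange not completed: check the ISAKMP policy match and the path between peers"
    if n in (5, 6):
        return ("authentication step failed: the peer's encrypted identity message was not accepted, "
                "usually a pre-shared key mismatch")
    return f"unexpected main-mode message number {n}"


def report(text):
    """(peer, role, state, hint) for every SA in the output."""
    return [(sa["peer"], sa["role"], sa["state"], explain(sa)) for sa in parse_ikev1_sa(text)]


if __name__ == "__main__":
    for peer, role, state, hint in report(SAMPLE):
        print(f"{peer:16} {role:10} {state:14} {hint}")
```

Running the output through this while a host keeps pinging the remote network (as Jouni suggested earlier in the thread) gives a stable answer: a responder parked at MM_WAIT_MSG5 after the initiator has gone quiet is the PSK case, whereas an initiator cycling through MM_WAIT_MSG2 is not talking to the peer at all.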
07-18-2013 04:37 AM
Hi,
I guess there is always a chance that you got a state of negotiation from a point that was not the one where the negotiation failed.
MM_ACTIVE would seem to point out that the Phase1 is fine.
It might be something wrong with Phase2 configurations.
Can you share the output of
show run crypto map
From the ASA1 and ASA3
And the related output of the ACLs, transform-set and NAT configurations currently active on the devices.
- Jouni
07-18-2013 04:58 AM
Here it is, I also changed the
ASA1
sh run crypto map
crypto map outside_map 12 match address saka2edo
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set ikev1 transform-set ESP-AES-MD5
crypto map outside_map interface outside
sh run access-list
access-list saka2edo extended permit ip 192.168.200.192 255.255.255.224 10.10.4.0 255.255.255.0
sh run crypto ipsec
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
sh nat
1 (inside) to (outside) source static river_net river_net destination static dallas_net dallas_net
translate_hits = 3, untranslate_hits = 3
2 (inside) to (outside) source static SERVER_SUBNET SERVER_SUBNET destination static EZVPN_SUBNET EZVPN_SUBNET
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static river_net river_net destination static Creek_net Creek_net
translate_hits = 45080, untranslate_hits = 45080 (this is for ASA2)
ASA3
sh run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set ikev1 transform-set ESP-AES-MD5
crypto map outside_map interface outside
sh run access-list
access-list outside_1_cryptomap extended permit ip 10.10.4.0 255.255.255.0 192.168.200.192 255.255.255.224
sh run crypto ipsec
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
sh nat
1 (inside) to (outside) source static dallas_net dallas_net destination static river_net river_net
translate_hits = 1137, untranslate_hits = 1137
There you have them.