cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1237
Views
0
Helpful
24
Replies
Azubuike Obiora
Beginner

5505 and 5510 l2l vpn tunnel not up

Hi Experts!

Having a funny issue I'm experience, just thinking to myself what I could be doing wrong. I have 2 ASA's with software code 8.4.5 running on both of them, ASA1 is a 5510 that I have two active vpn connections on it a l2l with another ASA 5505 and Remote VPN for remote users. see attached the topology 

Now I am trying to introduce another ASA to do a site to site vpn connection on it. Call it ASA3, since I have an already established l2l VPN configuration on ASA2.

See the config for ASA1 & 2 l2l VPN that's working:

object network Creek_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static Creek_net Creek_net  destination static river_net river_net



object network river_net
subnet 192.168.200.192 255.255.255.224
object network creek_net
subnet 10.10.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2 crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share crypto isakmp policy 10 encrypt aes crypto isakmp policy 10 hash sha crypto isakmp policy 10 group 2 crypto isakmp policy 10 lifetime 86400 crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer 80.248.11.15 crypto map outside_map 1 set transform-set ESP-AES-SHA crypto map outside_map interface outside nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

Above is the working VPN configuration that is perfectly fine! No issue whatsoever.

===============================================================================================================

Then i tried introducing ASA3 for a branch office with the below configuration.

ASA3

object network dallas_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key mouserace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static dallas_net dallas_net  destination static river_net river_net

ASA1

object network river_net
subnet 192.168.200.192 255.255.255.224
object network dallas_net
subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 13.13.13.13 type ipsec-l2l
tunnel-group 13.13.13.13 ipsec-attributes
pre-shared-key mousrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net  destination static dallas_net dallas_net

I would appreciate someone pointing out my mistake. 

Thanks

Teddy

24 REPLIES 24
czaja0000
Beginner

Hi,

You must correct the subnet in the object "network dallas_net" and in the access list.

From 10.10.0.0 to 10.10.4.0.

Your current configuration:

ASA3

object network dallas_net

subnet 10.10.0.0 255.255.255.0

access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224

ASA1

object network dallas_net

subnet 10.10.4.0 255.255.255.0

access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0

________________

Best regards,
MB

________________ Best regards, MB

Hi MB,

Thanks for responding! thanks for pointing that out, I noticed it later fixed it I mean the acl! still no joys at all! very annoying!

Hi,

You say that both of the ASAs are running 8.4(5) yet to me it seems the VPN configuration commands are in older format?

For example "crypto isakmp policy x" in the newer software have changed to "crypto ikev1 policy x" etc.

Or have you just mistaken about the software level? I think they were in the old format still in 8.3.

- Jouni

Also,

The PSK on the other ASA is missing letter "e"

- Jouni

Hi, Teddi.

Look more precisely to your pre-shared keys. They seem to be different a little)). Plus, if still no joy, enable debug for crypto isakmp/ipsec on ASA3 and see what's going on there.

Hi Andrew and Jouni,

@ Andrew, Thanks for your response! Well truth is that's not what i have on the main config! I changed the real thing to what you see here!

@ Jouni, I get what you mean, even at this, the ASA automagically inputs the ikev1 command in there! after configuring it I did the "sh run crypto ikev1"

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

Thanks

Teddy

Hi,

Next you should probably take the output of a "packet-tracer" command to confirm which rules are hit on the ASA1

packet-tracer input inside tcp 192.168.200.193 12345 10.10.4.100 80

The above are just random IP addresses and ports

Issue the command twice as even if the L2L VPN was itself configured correctly it would take 2 commands to first get it up and then pass the "packet-tracer" normally.

Right after issuing this command check

show crypto ikev1 sa

Or have some host generate a constant ICMP Echo to the remote net and then issue the above command several times and check the output. With this we should be able to determine if the Phase1 negotiation is fine.

- Jouni

Jouni!

Thanks, I will look into that! but If you don't mind me asking you a question please, Do you think on ASA1 because I have an existing working l2l vpn connection, when adding the new ASA3 static nat statemen I should increase the number see how I mean below

ASA1 to ASA2 vpn working

nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

then for ASA 1 to ASA 3 I should make it something like this

nat (inside,outside) 2 source static river_net river_net  destination static dallas_net dallas_net

What do you suggest I do keep it all the nat statement at 1 or I should increase it?

Hi,

The numbering/ordering in the "nat" configurations work the same as with ACLs.

If you have a existing "nat" statement at the very top of the rules and you insert another with the number 1 then it will simply move the previous number 1 rule one step down.

In this case with L2L VPN NAT0 / NAT Exempt type configurations the ordering doesnt really matter between these 2 rules as they have no overlap because of the different destination network.

What I see here on the CSC every now and then is people expiriencing problems with NAT rules when they reuse the same "object network" or "object-group network" in the "nat" configurations.

If we cant find a clear reason for this problem I would suggest that you try out configuring new "object network" or "object-group network" to define the local network for this new L2L VPN connection and use that in the "nat" configuration and try again.

If this doesnt help it might be an idea to reload the firewall (ofcourse saving configurations before that)

But for now should first determine what is happening to the connection attempts and VPN negotiation.

- Jouni

See the output of packt tracer from ASA 1

packet-tracer input inside icmp 192.168.200.196 0 8 10.10.4.202

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net

Additional Information:

NAT divert to egress interface outside

Untranslate 10.10.4.202/0 to 10.10.4.202/0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static river_net river_net destination static dallas_net dallas_net

Additional Information:

Static translate 192.168.200.196/0 to 192.168.200.196/0

Phase: 7

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

The same on ASA3 too

sh crypto ikev1 sa

1   IKE Peer: 12.12.12.12 (this is for ASA2 i mentioned that was up and running)

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 13.13.13.13

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_WAIT_MSG5

I am doing futher troubleshooting now! before I wasnt able to establish this at all!! I know I am one step closer! I wouldn't mind your two cents as to how I can best resolve this

Hi,

I dont know why always people change the provided commands The tested ICMP message doesnt correspond to ICMP Echo anymore as you mixed the Type and Code fields. But I guess it doesnt matter in this case.

It would seem to me that the negotiation fails when the peers check the PSK / Pre-shared-key.

So please reconfigure the PSK with matching PSK and test again.

- Jouni

Jouni,

Hehehehe ok, kindly tell me the code type for ICMP in such scenario if you don't mind please.

I have also change the pre-shared-key to something way much simpler, but here's the thing, ASA give me MM_WAIT_MSG5 before the psk change, after that it gives me MM_WAIT_MSG4 while on the other hand ASA3 changes  see below

Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 13.13.13.13

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG4

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1  

IKE Peer: 13.13.13.13

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ASA3(config-tunnel-ipsec)# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1  

IKE Peer: 13.13.13.13

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

All these happened within 3 minutes.

Teddy

Hi,

I guess there is always a chance that you got a state of negotiation from a point that was not the one where the negotiation failed.

MM_ACTIVE would seem to point out that the Phase1 is fine.

It might be something wrong with Phase2 configurations.

Can you share the output of

show run crypto map

From the ASA1 and ASA3

And the related output of the ACLs, transform-set and NAT configurations currently active on the devices.

- Jouni

Here it is, I also changed the

ASA1

sh run crypto map

crypto map outside_map 12 match address saka2edo

crypto map outside_map 12 set pfs group1

crypto map outside_map 12 set peer 13.13.13.13

crypto map outside_map 12 set ikev1 transform-set ESP-AES-MD5

crypto map outside_map interface outside

sh run access-list

access-list saka2edo extended permit ip 192.168.200.192 255.255.255.224 10.10.4.0 255.255.255.0

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

sh nat

1 (inside) to (outside) source static river_net river_net   destination static dallas_net dallas_net

    translate_hits = 3, untranslate_hits = 3

2 (inside) to (outside) source static SERVER_SUBNET SERVER_SUBNET   destination static EZVPN_SUBNET EZVPN_SUBNET

    translate_hits = 0, untranslate_hits = 0

3 (inside) to (outside) source static river_net river_net destination static Creek_net Creek_net

    translate_hits = 45080, untranslate_hits = 45080 (this is for ASA2)

ASA3

sh run crypto map

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 11.11.11.11

crypto map outside_map 1 set ikev1 transform-set ESP-AES-MD5

crypto map outside_map interface outside

sh run access-list

access-list outside_1_cryptomap extended permit ip 10.10.4.0 255.255.255.0 192.168.200.192 255.255.255.224

sh run crypto ipsec

crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac


sh nat

1 (inside) to (outside) source static dallas_net dallas_net   destination static river_net river_net

    translate_hits = 1137, untranslate_hits = 1137

There you have them.