03-05-2014 11:45 AM
Hello all, I could use some help before I scream.
I have a 5510 at my main office. I have 4 remote offices with 5505s. These 4 offices connect via L2L VPN to my main office with NO problems and have for a couple of years.
We recently added a 5th office with yet another 5505. So I am doing the same thing, having the new office VPN to the main office. But for the life of me I cannot seem to get it to connect. I have used the same setup on the NEW office as I did on all the old offices, but for whatever reason I cannot establish a tunnel / connection.
Here are the results from a couple commands:
Result of the command: "show crypto isakmp sa"
There are no isakmp sas
Result of the command: "show crypto ipsec sa"
There are no ipsec sas
I am kinda lost as to what to do now...
Thanks for any help.
03-05-2014 12:07 PM
I would imagine you have a phase 1 mismatch or you have not configured the tunnel-group on the 5510 for the new site. Hard to say w/o the configurations.
Please post the relevant configuration from the new ASA 5505 and post your ASA 5510 configuration.
03-05-2014 12:24 PM
Here is the 5505
: Saved
:
ASA Version 8.2(5)
!
hostname ********
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
pppoe client vpdn group AT&T
ip address pppoe setroute
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network outbound
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.90.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MM esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.22
crypto map outside_map 90 set transform-set MM
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname mm@att.net
vpdn group ATT ppp authentication pap
vpdn username mm@att.net password *****
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 192.168.90.5-192.168.90.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 222.222.222.22 type ipsec-l2l
tunnel-group 222.222.222.22 ipsec-attributes
pre-shared-key ****
tunnel-group 77.77.777.777 type ipsec-l2l
tunnel-group 77.77.777.777 ipsec-attributes
pre-shared-key ****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:748218d8f392a0ead093b8ebd225d599
: end
no asdm history enable
5510
: Saved
:
ASA Version 8.0(5)
!
hostname MC
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group cl
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_mpc extended permit tcp any any inactive
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 102 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 106 extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging from-address tshoemate@loqw.com
logging recipient-address tshoemate@loqw.com level alerts
logging debug-trace
mtu outside 1492
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 192.168.1.0 255.255.255.0 209.142.191.13 1
route outside 192.168.20.0 255.255.255.0 209.142.191.13 1
route outside 192.168.30.0 255.255.255.0 209.142.191.13 1
route outside 192.168.40.0 255.255.255.0 209.142.191.13 1
route outside 192.168.90.0 255.255.255.0 209.142.191.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set KV esp-3des esp-sha-hmac
crypto ipsec transform-set Macon esp-3des esp-sha-hmac
crypto ipsec transform-set Shelby esp-3des esp-sha-hmac
crypto ipsec transform-set Han esp-3des esp-sha-hmac
crypto ipsec transform-set Moberly esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address 102
crypto map outside_map 10 set peer 10.10.10.10
crypto map outside_map 10 set transform-set Shelby
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 20.20.20.20
crypto map outside_map 20 set transform-set Macon
crypto map outside_map 30 match address 100
crypto map outside_map 30 set peer 30.30.30.30
crypto map outside_map 30 set transform-set KV
crypto map outside_map 40 match address 105
crypto map outside_map 40 set peer 40.40.40.40
crypto map outside_map 40 set transform-set Han
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.222
crypto map outside_map 90 set transform-set Moberly
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group cl request dialout pppoe
vpdn group cl localname xxxxxxxx
vpdn group cl ppp authentication pap
vpdn username xxxxxxxx password ********* store-local
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 192.168.10.3-192.168.10.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password vx8BkOWfWwvYuBKw encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
pre-shared-key *
tunnel-group 30.30.30.30 type ipsec-l2l
tunnel-group 30.30.30.30 ipsec-attributes
pre-shared-key *
tunnel-group 40.40.40.40 type ipsec-l2l
tunnel-group 40.40.40.40 ipsec-attributes
pre-shared-key *
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
pre-shared-key *
tunnel-group 77.77.777.777 type ipsec-l2l
!
class-map type regex match-any domainblocklist1
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class domainblocklist1
class-map type regex match-any URLBlockList
match regex urlist4
class-map type inspect http match-all BlockURLsCLass
match request uri regex class URLBlockList
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match request header regex applicationheader regex applicationheader
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsCLass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:ab762e380a0b975c824ad0037acf0f72
: end
asdm image disk0:/asdm-631.bin
asdm history enable
03-05-2014 12:32 PM
One thing that initially alerts me is the ACLs for the encryption domain and nat exemption. Is the remote site really at 192.198.10.0/24 or is it 192.168.10.0/24?
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
Other than that, the configuration, to me, looks good assuming you have the same ISAKMP and IPSEC configuration on the 5510 side.
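A mechanical way to catch exactly this kind of typo before it costs an evening: an added Python check (not from the thread or from Cisco) that pulls the crypto-map ACL for a given peer out of each side's config and verifies the two encryption domains are mirror images of each other. The config excerpts are constructed from the ACL and crypto map lines posted above, and the peer addresses are the masked placeholders the poster used.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts: only the crypto-map and ACL lines from the two posted configs.
HUB_5510 = """
access-list 106 extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.222
"""
SPOKE_5505 = """
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.22
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

def crypto_acl_entries(config, peer):
    """Return the set of (src, dst) networks this ASA will protect towards `peer`."""
    maps, acls = {}, {}
    for line in config.strip().splitlines():
        m = MAP_RE.match(line.strip())
        if m:  # group crypto map lines by (map name, sequence number)
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]
            continue
        a = ACL_RE.match(line.strip())
        if a:  # (address, mask) tuple form builds the network from an ASA-style mask
            acls.setdefault(a[1], set()).add(
                (IPv4Network((a[2], a[3])), IPv4Network((a[4], a[5]))))
    for entry in maps.values():
        if entry.get("set peer") == peer:
            return acls.get(entry.get("match address"), set())
    return set()

def mirror_mismatch(local_cfg, remote_cfg, local_peer, remote_peer):
    """Entries on either side whose src<->dst swap is missing on the other side."""
    local = crypto_acl_entries(local_cfg, local_peer)
    expected = {(d, s) for s, d in crypto_acl_entries(remote_cfg, remote_peer)}
    return sorted(f"{s} -> {d}" for s, d in local ^ expected)

if __name__ == "__main__":
    for bad in mirror_mismatch(SPOKE_5505, HUB_5510, "222.222.222.22", "222.222.222.222"):
        print("not mirrored:", bad)
```

The same check applies unchanged to the nonat ACLs, which must also mirror or the interesting traffic is NATed before it reaches the crypto map.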
03-05-2014 01:58 PM
Good Grief... Don't I feel dumb. I will make that change tonight and HOPEFULLY that will fix it.
I will let you know.
Thanks!!!!!
03-05-2014 08:59 PM
So glad this was a simple fix... but I feel so dumb to have overlooked something so simple.
Thanks for the help!
03-05-2014 09:02 PM
Hey, typos happen! I've had my fair share over the years. Glad it was something simple rather than hours of troubleshooting.
Take care.