Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1197
Views
0
Helpful
3
Replies

ASA-2621 S2S vpn

Go to solution
saimunpial
Level 1
Level 1

‎06-07-2010 12:38 PM

Hello,

I have a big issue for last two days to figure out site to site vpn between  asa 5520 and router 2621. On my end there is a firewall and customer end there is a router. The phase-1 and phase-2 negotiation is succeed and also I have seen the packet is coming from the remote side. But from side I did not see packet is flowing. I check the host and it response icmp and there is no router or firewall in between where it can be re route or any other ACL. The interesting thing is if I do packet trace it didn't show any failure. I am sending the log report also some screen shots I did with packet tracer and other output commands (configuration on the firewall and on the router) with attachment.

thanks advance for the help.

/var/log/firewall # tail -f firewall.log | grep X.X.X.X

Jun  7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=ef02801e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jun  7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload

Jun  7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload

Jun  7 21:28:34 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9e)

Jun  7 21:28:34 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9e)

Jun  7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

Jun  7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload

Jun  7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=3c17cf80) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jun  7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=50c9b74e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jun  7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload

Jun  7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload

Jun  7 21:28:47 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9f)

Jun  7 21:28:47 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9f)

Jun  7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

Jun  7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload

Jun  7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=1caec174) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jun  7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=45868afa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jun  7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing hash payload

Jun  7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing notify payload

Jun  7 21:29:00 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = 85.18.56.130, Received keep-alive of type DPD R-U-THERE (seq number 0x55622aa0)

Jun  7 21:29:00 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = 85.18.56.130, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622aa0)

Jun  7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing blank hash payload

Jun  7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing qm hash payload

Jun  7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=46b88111) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
slmansfield
Level 4
Level 4

‎06-08-2010 09:04 AM

Looks like the problem is on the ASA.  From your other post, I see that you are using WAN_2_cryptomap_2 as your interesting traffic ACL, but it does not exist on the ASA.  The interesting traffic ACLs should be mirror images of each other. 

The router is sending traffic to the ASA, but there is no return traffic from the ASA to the router.   You might check to see if the devices on the 172.25.100.0/24 network have a route through the ASA back to the 10.50.90.0/24 network.

HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
slmansfield
Level 4
Level 4

‎06-08-2010 09:04 AM

Looks like the problem is on the ASA.  From your other post, I see that you are using WAN_2_cryptomap_2 as your interesting traffic ACL, but it does not exist on the ASA.  The interesting traffic ACLs should be mirror images of each other. 

The router is sending traffic to the ASA, but there is no return traffic from the ASA to the router.   You might check to see if the devices on the 172.25.100.0/24 network have a route through the ASA back to the 10.50.90.0/24 network.

HTH

0 Helpful

Go to solution
saimunpial
Level 1
Level 1
In response to slmansfield

‎06-08-2010 01:05 PM

Hello Simansfield,

You will see the crypto map ACL is associated with  wan crypto map. I found when I ping the packet is not encrypted on my firewall. there is no issue on the routing as far as I have seen. Because from the same local vlan there are other vpn and those works perfectly. I found in packet trace one thing from the nat exempt when I packet trace from my local lan to the remote lan where the vpn problem exist won't do IPSec tunnel flow where as for the other vpn which are working can do that.

I have one question whether the IOS 8.2(1) has some bug for vpn connection with different devices. Because last week we had a VPN which is now not working anymore. But that time the vpn needs to be initiated from my side. Otherwise the remote network cannot reach the local network. The remote network is added DNS IP to resolve the name and the VPN tunnel goes down. After they remote that line the VPN comes up but no traffic flows from my local network anymore.

0 Helpful

Go to solution
slmansfield
Level 4
Level 4

‎06-08-2010 07:37 PM

On the firewall it looks like you have an inbound access list on the VLAN 100 interface.  Since there is an implicit deny all at the end of this ACL, and I don't see any rules allowing traffic from 172.25.100.0/24 to 10.50.90.0/24, this statement could be blocking the VPN traffic.

I did find a bug in IOS version 12.2.  I did not see any bugs specific to this problem on the ASA.

CSCdu34352

0 Helpful
Customers Also Viewed These Support Documents