06-09-2012 05:56 AM
Hi Experts,
We have an ASA5505 which is configured to work as an Easy VPN Client. The output of #show isakmp sa shows the tunnel's status as AM_ACTIVE.
But we are not able to establish connectivity to any of the inside nodes.
What does AM_ACTIVE imply? From my understanding all Easy VPN Clients, either hardware or software, use Aggressive Mode and the tunnel is established and working. The Easy VPN Server configuration is not under our management; it is most probably a router and we think it's a configuration issue at the Server end.
Moreover, there is hardly anything to do on an Easy VPN Client other than specify the authentication and tunnel group details in the client and it gets connected. All the other configurations are pushed from the Easy VPN Server end, right?
On the output of #show ipsec sa , the following was noted
dynamic allocated peer ip: 0.0.0.0 -----> Does this mean that my ASA5505 is not assigned any IP by the Easy VPN Server ?
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 ---------> No decryption, which probably means that there is no response from the remote end, right?
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
From the #show vpnclient detail output I could see a lot of ISAKMP policies being created.
-------------------------------------------
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65002
authentication xauth-pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65003
authentication xauth-pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65004
authentication xauth-pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65005
authentication xauth-pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65006
authentication xauth-pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65007
authentication xauth-pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65008
authentication xauth-pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65009
authentication xauth-pre-share
encryption des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65011
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65012
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65013
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65014
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65015
authentication pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65016
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65017
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65018
authentication pre-share
encryption des
hash md5
group 2
lifetime 2147483647
--------------------
Can this possibly be due to misconfiguration at the Server end and the cause of not being able to establish connectivity to Server end nodes?
Please help! Sorry for the mess, but we just want to make sure it's not anything wrong with the configuration on our end!!!
Regards,
Anup Sasikumar
06-10-2012 01:24 AM
There are 2 phases of IPSec: IKE (Phase 1), where a status of AM_Active means Phase 1 is up and running, and IPSec (Phase 2), where if you have both encrypts and decrypts incrementing that means the tunnel is passing traffic.
Based on the output, the VPN tunnel is up and is sending traffic towards the headend/VPN server; however, there is no reply back.
You should check the VPN server end to see if there is any misconfiguration. Check out the NAT exemption and make sure that you have that configured on the headend. What mode do you configure it as? PAT/Client mode or NEM mode?
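The triage above (AM_ACTIVE means Phase 1 is up; encaps rising while decaps stays at 0 means we send and nothing comes back) is easy to script against copied show output. This is an added example, not code from the thread or from Cisco; the sample captures are constructed, the regexes assume the counter and state layout shown in the original post, and the NEXT_STEP hints for the one-way case follow the answer above (NAT exemption, PAT/Client vs NEM mode).

```python
import re

# Constructed sample captures (not from the thread's device); the counter
# lines mirror the shape the original post quotes from "show ipsec sa".
SAMPLE_ISAKMP_SA = "1   IKE Peer: 203.0.113.10\n    Rekey   : no    State   : AM_ACTIVE\n"
SAMPLE_IPSEC_SA = """\
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""
COUNTER_RE = re.compile(r"#pkts ([\w ]+?): (\d+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")

def parse_ipsec_counters(text):
    """Return {'encaps': 3, 'decaps': 0, ...} from 'show ipsec sa' output."""
    return {name: int(n) for name, n in COUNTER_RE.findall(text)}

def phase1_states(text):
    """Return the IKE SA state tokens (e.g. AM_ACTIVE) from 'show isakmp sa'."""
    return STATE_RE.findall(text)

def diagnose(isakmp_text, ipsec_text):
    """Classify the tunnel the way the answer above reasons about it."""
    # AM_ACTIVE (aggressive mode) or MM_ACTIVE (main mode) means Phase 1 is up.
    if not any(s in ("AM_ACTIVE", "MM_ACTIVE") for s in phase1_states(isakmp_text)):
        return "phase1-down"
    c = parse_ipsec_counters(ipsec_text)
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "phase2-idle"        # SA is up but nothing has used it yet
    if decaps == 0:
        return "one-way-no-reply"   # we encrypt and send, nothing comes back
    if encaps == 0:
        return "one-way-no-send"    # mirror case: only inbound traffic
    return "bidirectional"

NEXT_STEP = {
    "phase1-down": "fix IKE first: peer reachability, group name, pre-shared key",
    "phase2-idle": "send interesting traffic and re-read the counters",
    "one-way-no-reply": "check the headend: NAT exemption, PAT/Client vs NEM mode",
    "one-way-no-send": "check this side: interesting traffic never enters the tunnel",
    "bidirectional": "tunnel passes traffic; look at ACLs and host firewalls instead",
}

if __name__ == "__main__":
    v = diagnose(SAMPLE_ISAKMP_SA, SAMPLE_IPSEC_SA)
    print(v, "->", NEXT_STEP[v])
```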
06-13-2012 07:31 AM
Thanks, Jennifer! The issue is resolved! We are able to connect now!
You were absolutely correct. The traffic was being encrypted and sent to the Server but couldn't get any reply.
When it was checked they could see packets being received on the interface.
They have resolved it now. It was the misconfiguration at the Server end. But we couldn't get clarification on what exactly the misconfiguration was.
It would be great if you could please help me on one more thing. Why are this many ISAKMP policies being pushed to our end even though only one is required and the matching one is taken automatically, right?
Regards,
Anup
06-13-2012 08:50 PM
Great to hear, and thanks for your update.
With ISAKMP policies, it tries to match the policy from top to bottom, with the lowest isakmp policy number and down the list until it finds a match.
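To see what "lowest policy number first, down the list until a match" means for the client-generated 65001+ policies quoted earlier, here is an added example (not code from the thread or from Cisco) that parses a constructed excerpt of that policy list and walks it in number order against a constructed peer proposal. It assumes a match is decided on authentication, encryption, hash and group; lifetime is left out of the comparison on the assumption that it is negotiated rather than matched exactly.

```python
import re

# Constructed excerpt of the "show vpnclient detail" policy list from the
# original post; the Easy VPN client generates these in the 65001+ range.
POLICY_TEXT = """\
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65007
authentication xauth-pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
"""

def parse_policies(text):
    """Return [(number, {'authentication': ..., 'encryption': ..., ...}), ...]."""
    policies = []
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policies.append((int(m.group(1)), {}))
            continue
        key, _, value = line.strip().partition(" ")
        if policies and key:
            policies[-1][1][key] = value
    return policies

def first_match(policies, peer_offer):
    """Walk policies lowest number first and return the number of the first
    whose authentication/encryption/hash/group equal the peer's offer."""
    keys = ("authentication", "encryption", "hash", "group")
    for number, attrs in sorted(policies, key=lambda p: p[0]):
        if all(attrs.get(k) == peer_offer.get(k) for k in keys):
            return number
    return None

# Constructed peer offer: the server proposes 3DES/SHA/group 2 with XAUTH.
PEER_OFFER = {"authentication": "xauth-pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
```

Running first_match(parse_policies(POLICY_TEXT), PEER_OFFER) returns 65007: 65001 is tried first and rejected on encryption, and the pre-share-only 65010 is never reached.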