08-05-2014 11:19 PM
Hi, I'm trying to set up an IPsec tunnel from an ASA 5505 (8.4) to a Sophos UTM (9.2).
Internet etc. is up and accessible. The IPsec tunnel is up as well, but I can't pass traffic through it.
I get this message in the logs:
3 | Aug 05 2014 | 22:38:52 | 81.111.111.156 | 82.222.222.38 | Deny inbound protocol 50 src outside:81.111.111.156 dst outside:82.222.222.38 |
SITE A (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156
Any pointers would be good as this is the first time I've tried this. Thank you.
Running config below:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Zen Internet
nameif outside
security-level 0
pppoe client vpdn group Zen
ip address 82.222.222.38 255.255.255.255 pppoe setroute
!
boot system disk0:/asa922-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MY-LAN
subnet 192.168.1.0 255.255.255.0
object network THIER-LAN
subnet 192.168.30.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
subnet 192.168.30.0 255.255.255.0
object network THIER_VPN
host 81.111.111.156
description THIER VPN
object service Sophos_Admin
service tcp destination eq 4444
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object esp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp destination eq domain
service-object object Sophos_Admin
service-object tcp destination eq www
service-object tcp destination eq https
service-object esp
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object object Sophos_Admin
service-object esp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object esp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
service-object object Sophos_Admin
service-object icmp echo
service-object icmp echo-reply
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 object MY-LAN object THIER-LAN
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 object MY-LAN object THIER-LAN
access-list inside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object THIER-LAN object MY-LAN
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_4 object MY-LAN object THIER-LAN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.111.111.156
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.111.111.156
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 7800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 7800
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Zen request dialout pppoe
vpdn group Zen localname MYISP@zen
vpdn group Zen ppp authentication chap
vpdn username MYISP@zen password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
webvpn
anyconnect-essentials
group-policy GroupPolicy_81.111.111.156 internal
group-policy GroupPolicy_81.111.111.156 attributes
vpn-tunnel-protocol ikev1
username admin password JsE9Hv42G/zRUcG4 encrypted privilege 15
username bob password lTKS32e90Yo5l2L/ encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 general-attributes
default-group-policy GroupPolicy_81.111.111.156
tunnel-group 81.111.111.156 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns preset_dns_map dynamic-filter-snoop
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa#
08-06-2014 03:36 AM
Hi,
Have you enabled NAT-Traversal?
crypto isakmp nat-traversal <keepalive>
Also, you need to add a no-NAT rule for the source LAN to the destination LAN:
object network locallan
subnet 192.168.1.0 255.255.255.0
object network remotelan
subnet 192.168.30.0 255.255.255.0
!
nat (inside,outside) source static locallan locallan destination static remotelan remotelan
!
The same is needed on the other end as well.
Regards
Karthik
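The two prerequisites named in the reply above (a crypto ACL that describes the LAN-to-LAN pair, and an identity NAT rule that exempts exactly that pair from the interface PAT) can be checked mechanically against a running config. The following Python script is an added example, not code from the thread or from Cisco; the config text inside it is a constructed excerpt modelled on the object and ACL names posted here, and the `mirrors()` helper assumes you can also supply the peer's crypto ACL pairs.

```python
"""Check an ASA running config for the two things a site-to-site IPsec
tunnel needs before LAN-to-LAN traffic can flow:

  1. the crypto ACL must describe the local LAN -> remote LAN pair, and
  2. an identity (twice) NAT rule must exempt exactly that pair from the
     dynamic PAT applied to everything leaving the outside interface.

Runs offline against pasted config text.
"""
import ipaddress
import re

# Constructed sample, modelled on the object and ACL names in this thread's
# running config; it is not the poster's full config.
SAMPLE_CONFIG = """\
object network MY-LAN
 subnet 192.168.1.0 255.255.255.0
object network THIER-LAN
 subnet 192.168.30.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_cryptomap extended permit ip object MY-LAN object THIER-LAN
object network obj_any
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
"""

# The same config with the identity NAT rule recommended in the reply above.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "nat (inside,outside) source static MY-LAN MY-LAN "
    "destination static THIER-LAN THIER-LAN\n"
)


def parse_objects(config):
    """Map each 'object network NAME' to an ip_network from its subnet/host line."""
    objs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        s = re.match(r"\s*subnet (\S+) (\S+)", line)
        h = re.match(r"\s*host (\S+)", line)
        if current and s:
            objs[current] = ipaddress.ip_network(f"{s.group(1)}/{s.group(2)}")
        elif current and h:
            objs[current] = ipaddress.ip_network(f"{h.group(1)}/32")
    return objs


def crypto_acl_pairs(config, acl_name, objs):
    """(src_net, dst_net) pairs from object-to-object permit entries of one ACL.

    Accepts both a plain protocol ('permit ip') and an inline protocol group
    ('permit object-group NAME'), as seen in the posted config."""
    pat = re.compile(
        rf"access-list {re.escape(acl_name)} extended permit "
        r"(?:object-group \S+|\S+) object (\S+) object (\S+)"
    )
    return [(objs[m.group(1)], objs[m.group(2)])
            for m in map(pat.match, config.splitlines()) if m]


def nat_exemptions(config, objs):
    """(local_net, remote_net) pairs covered by identity twice-NAT rules."""
    pat = re.compile(r"\s*nat \(\S+,\S+\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)")
    out = []
    for m in map(pat.match, config.splitlines()):
        # Identity NAT: mapped object equals real object on both sides.
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            out.append((objs[m.group(1)], objs[m.group(3)]))
    return out


def check_tunnel(config, acl_name):
    """Return findings; an empty list means both prerequisites are present."""
    objs = parse_objects(config)
    pairs = crypto_acl_pairs(config, acl_name, objs)
    findings = []
    if not pairs:
        findings.append(f"crypto ACL {acl_name} has no object-to-object permit entries")
    exempt = set(nat_exemptions(config, objs))
    for src, dst in pairs:
        if (src, dst) not in exempt:
            findings.append(f"no identity NAT exempting {src} -> {dst}; "
                            "the interface PAT will rewrite the source before encryption")
    return findings


def mirrors(local_pairs, remote_pairs):
    """True when each local (src, dst) appears reversed on the peer, and vice versa."""
    return {(d, s) for s, d in local_pairs} == set(remote_pairs)


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("with NAT exemption", FIXED_CONFIG)):
        print(name, check_tunnel(cfg, "outside_cryptomap") or "OK")
```

Run as-is and the first config is reported as missing the exemption while the second passes; feed `mirrors()` the peer's (local, remote) pairs to confirm the crypto ACLs are exact mirror images, which is the "should match at both ends" condition.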
08-06-2014 09:22 AM
Hi,
Just added that and it's giving the same error. I had it in before and things didn't work, so I'm not sure what's causing this. I do know that the UTM works fine, as I can hook up another UTM to it.
Just struggling with the ASA a bit.
08-06-2014 10:10 AM
Hi,
Can you run debug crypto ipsec 128 on the ASA and share the output? Also, initiate traffic from one LAN to the other LAN during the debug.
Regards
Karthik
08-06-2014 02:45 PM
Hi,
I started again and used various combinations of encryption etc., but they all come back the same, so I'm at a loss.
Output of debug crypto ipsec 128:
IPSEC: New embryonic SA created @ 0xcdbaeff8,
SCB: 0xCDC33C70,
Direction: inbound
SPI : 0x6699A5F8
Session ID: 0x00006000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcdc76048,
SCB: 0xCDB97B98,
Direction: outbound
SPI : 0xB4E5EBD5
Session ID: 0x00006000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xB4E5EBD5
IPSEC: Creating outbound VPN context, SPI 0xB4E5EBD5
Flags: 0x00000005
SA : 0xcdc76048
SPI : 0xB4E5EBD5
MTU : 1492 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x3653C7F5
Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
VPN handle: 0x0003820c
IPSEC: New outbound encrypt rule, SPI 0xB4E5EBD5
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.30.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xB4E5EBD5
Rule ID: 0xca9505d8
IPSEC: New outbound permit rule, SPI 0xB4E5EBD5
Src addr: 88.222.222.38
Src mask: 255.255.255.255
Dst addr: 80.111.111.156
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xB4E5EBD5
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xB4E5EBD5
Rule ID: 0xcdc482c8
IPSEC: New embryonic SA created @ 0xcdbaeff8,
SCB: 0xCDC33C70,
Direction: inbound
SPI : 0x6699A5F8
Session ID: 0x00006000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host IBSA update, SPI 0x6699A5F8
IPSEC: Creating inbound VPN context, SPI 0x6699A5F8
Flags: 0x00000006
SA : 0xcdbaeff8
SPI : 0x6699A5F8
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x0003820C
SCB : 0x363F2BE7
Channel: 0xc8c234e0
IPSEC: Completed inbound VPN context, SPI 0x6699A5F8
VPN handle: 0x00040e4c
IPSEC: Updating outbound VPN context 0x0003820C, SPI 0xB4E5EBD5
Flags: 0x00000005
SA : 0xcdc76048
SPI : 0xB4E5EBD5
MTU : 1492 bytes
VCID : 0x00000000
Peer : 0x00040E4C
SCB : 0x3653C7F5
Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
VPN handle: 0x0003820c
IPSEC: Completed outbound inner rule, SPI 0xB4E5EBD5
Rule ID: 0xca9505d8
IPSEC: Completed outbound outer SPD rule, SPI 0xB4E5EBD5
Rule ID: 0xcdc482c8
IPSEC: New inbound tunnel flow rule, SPI 0x6699A5F8
Src addr: 192.168.30.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x6699A5F8
Rule ID: 0xcdc35348
IPSEC: New inbound decrypt rule, SPI 0x6699A5F8
Src addr: 80.111.111.156
Src mask: 255.255.255.255
Dst addr: 88.222.222.38
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6699A5F8
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x6699A5F8
Rule ID: 0xc96f7cc8
IPSEC: New inbound permit rule, SPI 0x6699A5F8
Src addr: 80.111.111.156
Src mask: 255.255.255.255
Dst addr: 88.222.222.38
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x6699A5F8
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x6699A5F8
Rule ID: 0xc96f6388
08-06-2014 02:49 PM
ciscoasa# show cry ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 88.222.222.38
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer: 80.111.111.156
#pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 250, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 88.222.222.38/0, remote crypto endpt.: 80.111.111.156/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B4E5EBD5
current inbound spi : 6699A5F8
inbound esp sas:
spi: 0x6699A5F8 (1721345528)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 24576, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28269)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xB4E5EBD5 (3034966997)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 24576, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373985/28269)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
08-06-2014 08:25 PM
Hi,
Looking at your sh crypto ipsec output, I can see packets are getting encapsulated. That means packets are going out from the peer network 88.222.222.38, and I do not see the return packet coming from the UTM site 81.111.111.156 to the ASA. This means the UTM firewall either drops the packet or is not able to get the return packet. Peer-to-peer routing is there, but you need to check from the LAN to the other site's peer.
Please check the crypto map (this should match at both ends), NAT (exemption should be there at both ends) and routing at both ends from the inside LAN.
I suggest you try the crypto map without a specific port, say source LAN to destination LAN with any port:
access-list cryptomap extended permit ip <source LAN> <mask> <destination LAN> <mask>
Regards
Karthik
08-08-2014 03:25 PM
Many thanks for your efforts. It beat me in the end and I ended up tearing it down and starting again. This time it came up first time so I'm not sure what was going on.
Thanks for the assistance.
08-07-2014 01:01 AM
Hi,
3 | Aug 05 2014 | 22:38:52 | 81.111.111.156 | 82.222.222.38 | Deny inbound protocol 50 src outside:81.111.111.156 dst outside:82.222.222.38 |
The above error log tells me that your ASA is denying protocol 50 (ESP) from 81.111.111.156.
Another thing I notice: the tunnel is established between 82.x.x.x and 80.x.x.x. Shouldn't it be between 82.x.x.x and 81.x.x.x, as the returning packet is coming from 81.x.x.x?
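Both diagnoses in this thread come from the same two artifacts: the encaps/decaps counters in `show crypto ipsec sa` (packets leave but nothing comes back) and the "Deny inbound protocol 50" syslog line (ESP arriving from an address that is not the SA's `current_peer`). The Python script below is an added example, not code from the thread or from Cisco, that parses both and reports those two conditions; the `show` excerpt and the syslog line inside it are constructed from the outputs posted above, and the wording of the findings is my own.

```python
"""Triage a one-way ASA site-to-site IPsec tunnel from two pieces of evidence:
the per-direction counters in 'show crypto ipsec sa' and an ASA syslog
'Deny inbound protocol 50' line. Runs offline on pasted text."""
import re

# Constructed excerpts modelled on the thread's 'show crypto ipsec sa'
# output and on the syslog line from the opening post.
SHOW_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: 88.222.222.38
  current_peer: 80.111.111.156
  #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 0
"""
DENY_LINE = ("3 | Aug 05 2014 | 22:38:52 | 81.111.111.156 | 82.222.222.38 | "
             "Deny inbound protocol 50 src outside:81.111.111.156 "
             "dst outside:82.222.222.38 |")


def parse_sa(text):
    """Pull the local/peer addresses and the '#pkts NAME: N' counters out of one SA block."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}
    peer = re.search(r"current_peer: (\S+)", text)
    local = re.search(r"local addr: (\S+)", text)
    return {"local": local.group(1) if local else None,
            "peer": peer.group(1) if peer else None,
            "counters": counters}


def parse_deny(line):
    """Fields of an ASA 'Deny inbound protocol N src IF:A dst IF:B' message, or None."""
    m = re.search(r"Deny inbound protocol (\d+) src (\w+):([\d.]+) dst (\w+):([\d.]+)", line)
    if not m:
        return None
    return {"protocol": int(m.group(1)), "src_if": m.group(2), "src": m.group(3),
            "dst_if": m.group(4), "dst": m.group(5)}


def triage(sa_text, syslog_lines):
    """Return findings for the one-way-tunnel patterns discussed in the thread."""
    sa = parse_sa(sa_text)
    c = sa["counters"]
    findings = []
    # Encapsulating but never decapsulating: the far side is not sending
    # (or this side is not accepting) the return traffic.
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
        findings.append("one-way: this side encapsulates but never decapsulates; "
                        "check the peer's crypto ACL, NAT exemption and LAN routing")
    for line in syslog_lines:
        d = parse_deny(line)
        if d is None or d["protocol"] != 50:   # only ESP (IP protocol 50) matters here
            continue
        if d["src"] != sa["peer"]:
            findings.append(f"ESP from {d['src']} denied, but the SA peer is {sa['peer']}: "
                            "peer addresses do not match")
        else:
            findings.append(f"ESP from SA peer {d['src']} denied on {d['src_if']}: "
                            "the interface ACL is dropping tunnel traffic")
    return findings


if __name__ == "__main__":
    for finding in triage(SHOW_SA, [DENY_LINE]):
        print("-", finding)
```

With the constructed inputs it reports both the one-way counters and the 80.x versus 81.x peer mismatch; paste the real `show crypto ipsec sa` block and the relevant syslog lines to run the same checks on a live tunnel.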
08-07-2014 04:05 AM