
ASA l2l IKEv2

ThariqAli
Level 1

I am having an issue getting the L2L IPsec tunnel to come up. I have attached the output from the two ASAs running 9.15(1).

Accepted Solution

ASA-1
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.1.250 255.255.255.0
!
crypto map MY_CRYPTO_MAP 1 set peer 10.0.2.250 <- finally the issue
!

ASA-2
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.1.251 255.255.255.0
!
crypto map MY_CRYPTO_MAP 1 set peer 10.0.1.250
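The peer mismatch in the accepted solution is easy to miss by eye. The following is an added Python check, not code from the thread or from Cisco, that parses the two ASA snippets above (assumed pasted as plain text with the OUTSIDE nameif) and flags any `set peer` that does not equal the other side's OUTSIDE address:

```python
import re

# Constructed sample: the OUTSIDE interface and crypto-map peer lines of the two ASAs in the thread.
ASA1_CFG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 10.0.1.250 255.255.255.0
!
crypto map MY_CRYPTO_MAP 1 set peer 10.0.2.250
"""
ASA2_CFG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 10.0.1.251 255.255.255.0
!
crypto map MY_CRYPTO_MAP 1 set peer 10.0.1.250
"""

def interface_ip(cfg, nameif="OUTSIDE"):
    """Return the 'ip address' of the interface block whose nameif matches, or None."""
    cur = {}
    for line in cfg.splitlines() + ["!"]:  # trailing "!" flushes the last block
        s = line.strip()
        if s.startswith("interface ") or s == "!":
            if cur.get("nameif") == nameif:
                return cur.get("ip")
            cur = {}
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            cur["ip"] = s.split()[2]
    return None

def crypto_peers(cfg):
    """Map (crypto-map name, sequence) -> peer from 'crypto map NAME SEQ set peer IP' lines."""
    return {(m.group(1), int(m.group(2))): m.group(3)
            for m in re.finditer(r"^crypto map (\S+) (\d+) set peer (\S+)", cfg, re.M)}

def check_peer_symmetry(cfg_a, cfg_b, label_a="ASA-1", label_b="ASA-2"):
    """List (side, (map, seq), configured_peer, expected_peer) for every peer that is wrong; [] if consistent."""
    ip_a, ip_b = interface_ip(cfg_a), interface_ip(cfg_b)
    mismatches = []
    for key, peer in crypto_peers(cfg_a).items():
        if peer != ip_b:
            mismatches.append((label_a, key, peer, ip_b))
    for key, peer in crypto_peers(cfg_b).items():
        if peer != ip_a:
            mismatches.append((label_b, key, peer, ip_a))
    return mismatches
```

Run against the thread's configs it reports ASA-1 pointing at 10.0.2.250 while ASA-2's OUTSIDE is 10.0.1.251; after correcting the peer the list is empty.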


Ping from site to site to force the ASA to bring up the tunnel.

Ping from a host behind the ASA, not from the ASA.

Yes, unfortunately I can’t ping the other end for some reason.

Your ACL for the L2L allows only one host. Are you using this host for the ping? If not, the ping will fail;
you need to include the inside and remote LAN in the L2L ACL.

Yes sir, one host for now from each end.

192.168.10.50 is behind ASA-1

192.168.20.50 is behind ASA-2


Thank you.

Ping 182.168.10.50 source 192.168.20.50


show crypto ikev2 sa  <- please share this


# ping 192.168.10.50
PING 192.168.10.50 (192.168.10.50): 56 data bytes


asa-2(config)# show crypto ikev2 sa

There are no IKEv2 SAs


ASA-Test.png

packet-tracer input Inside icmp 192.168.10.50 8 0 192.168.20.50 detailed
Share the output of the above command from ASA-1.

config)# packet-tracer input INSIDE icmp 192.168.10.50 8 0 192.168.20.50$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd95375b00, priority=1, domain=permit, deny=false
hits=62, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/0 to 192.168.20.50/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/0 to 192.168.10.50/0
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=62, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe96e0, priority=0, domain=nat-per-session, deny=true
hits=62, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=62, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=63, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537d560, priority=66, domain=inspect-icmp-error, deny=false
hits=63, user_data=0x7efd9537d1f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=63, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575

packet-tracer input inside tcp 192.168.10.50 12345 192.168.20.50 80 detailed <- change the protocol to TCP instead of ICMP; maybe there is a firewall in the path that denies ICMP.

Also run the packet-tracer twice.

(config)# packet-tracer input INSIDE icmp 192.168.10.50 8 0 192.168.20.50$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/0 to 192.168.20.50/0

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/0 to 192.168.10.50/0
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=1216, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe96e0, priority=0, domain=nat-per-session, deny=true
hits=1216, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=1216, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=1217, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537d560, priority=66, domain=inspect-icmp-error, deny=false
hits=1217, user_data=0x7efd9537d1f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=1217, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575

asa-1(config)# packet-tracer input INSIDE tcp 192.168.10.50 12345 192.168.20.5$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/80 to 192.168.20.50/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/12345 to 192.168.10.50/12345
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=5833, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe5fe0, priority=0, domain=nat-per-session, deny=false
hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=5833, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=5834, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=5834, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575

asa-1(config)# packet-tracer input INSIDE tcp 192.168.10.50 12345 192.168.20.5$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/80 to 192.168.20.50/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/12345 to 192.168.10.50/12345
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=5855, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe5fe0, priority=0, domain=nat-per-session, deny=false
hits=3, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=5855, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=5856, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=5856, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575
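Reading four near-identical traces by hand is error-prone. Below is an added Python helper, not code from the thread or from Cisco, that takes a packet-tracer output like the ones above and reports the first dropping phase together with the code in parentheses on the Drop-reason line (need-ike here); the HINTS lookup is my own assumption, not a Cisco-published table.

```python
import re

# Constructed sample, trimmed from the ASA-1 packet-tracer output posted in the thread.
TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: INSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575
"""

def parse_phases(body):
    """Split the per-phase part of a trace into dicts with phase, type, subtype and result."""
    phases = []
    for chunk in re.split(r"\n(?=Phase: )", body):
        if chunk.startswith("Phase: "):
            fields = re.findall(r"^(Phase|Type|Subtype|Result): ?(.*)$", chunk, re.M)
            phases.append({k.lower(): v.strip() for k, v in fields})
    return phases

def triage(trace):
    """Return (first DROP phase dict or None, drop code such as 'need-ike' or None)."""
    body, _, summary = trace.partition("\nResult:\n")  # the final summary starts at a bare 'Result:'
    drop = next((p for p in parse_phases(body) if p.get("result") == "DROP"), None)
    m = re.search(r"flow \(([^)]+)\)", summary)
    return drop, (m.group(1) if m else None)

# Assumed local lookup (not a Cisco-published table) for the drop code seen in this thread.
HINTS = {"need-ike": "crypto ACL matched but no IKE SA exists; verify the peer address, "
                     "reachability on UDP/500 and 4500, and 'show crypto ikev2 sa' on both ASAs"}

def explain(trace):
    """One-line triage summary of where and why the simulated packet was dropped."""
    drop, code = triage(trace)
    if drop is None:
        return "no drop in trace"
    return f"dropped at phase {drop['phase']} ({drop['type']}/{drop['subtype'] or '-'}): {HINTS.get(code, code)}"
```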

Is this packet-tracer from ASA-1, the one 192.168.10.50 connects to?
The interface name must match what you enter in packet-tracer; you entered inside where it is INSIDE.

After checking the config and all the packet-tracer outputs, the issue is
the global access-list "allow icmp any any". You configured it to allow only ICMP; please remove it and run packet-tracer again. I think this is the solution for your issue.

These are the current access-lists:


asa-1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list LAN1_LAN2; 1 elements; name hash: 0xed8ba9f
access-list LAN1_LAN2 line 1 extended permit ip host 192.168.10.50 host 192.168.20.50 (hitcnt=10799) 0xd5944752
access-list 100; 1 elements; name hash: 0xc6c44b7c
access-list 100 line 1 extended permit icmp any any (hitcnt=0) 0x94aa4719
access-list global_access; 1 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit icmp any any (hitcnt=0) 0xf1efa630


asa-2# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list LAN2_LAN1; 1 elements; name hash: 0x3d54c408
access-list LAN2_LAN1 line 1 extended permit ip host 192.168.20.50 host 192.168.10.50 (hitcnt=0) 0x12ab28ed
access-list 100; 1 elements; name hash: 0xc6c44b7c
access-list 100 line 1 extended permit icmp any any (hitcnt=0) 0x94aa4719
access-list global_access; 1 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit icmp any any (hitcnt=0) 0xf1efa630