
ASA l2l IKEv2

ThariqAli
Level 1

I am having an issue getting the l2l IPSec tunnel to come up. I have attached an output from the 2 ASAs running 9.15(1).

 

18 Replies

asa-1# packet-tracer input INSIDE tcp 192.168.10.50 12345 192.168.20.50 80 det$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/80 to 192.168.20.50/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/12345 to 192.168.10.50/12345
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=7773, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe5fe0, priority=0, domain=nat-per-session, deny=false
hits=5, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=7773, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=7774, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=7774, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575

asa-1#
asa-1#
asa-1# packet-tracer input INSIDE tcp 192.168.10.50 12345 192.168.20.50 80 det$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.50/80 to 192.168.20.50/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/12345 to 192.168.10.50/12345
Forward Flow based lookup yields rule:
in id=0x7efd95391580, priority=6, domain=nat, deny=false
hits=7785, user_data=0x7efd952b3cf0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd94fe5fe0, priority=0, domain=nat-per-session, deny=false
hits=6, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd9537dd50, priority=0, domain=inspect-ip-options, deny=true
hits=7785, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efd953c5900, priority=70, domain=qos-per-class, deny=false
hits=7786, user_data=0x7efd9544ff90, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=7786, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575
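The packet-tracer output above is the first thing to read, and the generic "(acl-drop)" code is easy to misread as an access-list problem. The following is an added example (not code from this thread or from Cisco) that parses packet-tracer output, finds the phase that dropped the flow, and pairs it with the Drop-location tag. The sample is a trimmed copy of the run posted above; "need-ike" is read as the flow having matched the crypto map (domain=encrypt) with no IPsec SA to carry it, which is consistent with the NAT phases returning ALLOW and the drop landing in the VPN encrypt phase.

```python
"""Pull the dropping phase, matched rule and drop reason out of Cisco ASA
packet-tracer output, so a 'need-ike' verdict is not misread as an ACL
problem. Added example for this thread, not code from the thread or Cisco."""
import re
from dataclasses import dataclass

# Trimmed copy of the packet-tracer run posted above (phases 2 and 6 and the
# Action/Drop-reason lines); pointers and hit counters are as posted.
SAMPLE = """\
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static LAN2 LAN2
Additional Information:
Static translate 192.168.10.50/12345 to 192.168.10.50/12345

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7efd953a87c0, priority=70, domain=encrypt, deny=false
hits=7774, user_data=0x0, cs_id=0x7efd9539f8c0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.50, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b0382c7c06 flow (need-ike)/snp_sp_action_cb:1575
"""

PHASE_RE = re.compile(r"Phase: (?P<num>\d+)\nType: (?P<type>[^\n]*)\n"
                      r"Subtype: ?(?P<subtype>[^\n]*)\nResult: (?P<result>\w+)")
DROP_RE = re.compile(r"Drop-reason: \((?P<code>[\w-]+)\) (?P<text>[^,]+),"
                     r".*?flow \((?P<location>[\w-]+)\)")


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    domain: str = ""   # lookup domain (nat, encrypt, ...) if the phase shows one
    src: str = ""      # matched rule's src ip/mask, if shown
    dst: str = ""      # matched rule's dst ip/mask, if shown


def parse_phases(text):
    """One Phase per 'Phase: N' block; the trailing Result block is skipped."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = PHASE_RE.match(block)
        if not m:
            continue
        dom = re.search(r"domain=([\w-]+)", block)
        src = re.search(r"src ip/id=(\S+), mask=(\S+),", block)
        dst = re.search(r"dst ip/id=(\S+), mask=(\S+),", block)
        phases.append(Phase(int(m["num"]), m["type"].strip(), m["subtype"].strip(),
                            m["result"], dom[1] if dom else "",
                            f"{src[1]}/{src[2]}" if src else "",
                            f"{dst[1]}/{dst[2]}" if dst else ""))
    return phases


def parse_drop(text):
    """Drop-reason code, text and the parenthesised Drop-location tag."""
    m = DROP_RE.search(text)
    return None if m is None else {"code": m["code"], "text": m["text"].strip(),
                                   "location": m["location"]}


def diagnose(text):
    """Combine the dropping phase with the Drop-location tag into a verdict."""
    phases = parse_phases(text)
    drop = parse_drop(text)
    dropped = next((p for p in phases if p.result == "DROP"), None)
    report = {"phases": len(phases), "dropped_phase": None, "domain": None,
              "drop_code": None, "drop_location": None, "verdict": "allowed"}
    if dropped is None or drop is None:
        return report
    report.update(dropped_phase=dropped.number, domain=dropped.domain,
                  drop_code=drop["code"], drop_location=drop["location"])
    if dropped.domain == "encrypt" and drop["location"] == "need-ike":
        # The flow hit the crypto map (domain=encrypt) but there is no IPsec
        # SA to put it in. The '(acl-drop)' code is not an access-list
        # problem here; NAT phases already said ALLOW, so look at IKE.
        report["verdict"] = (f"matched crypto map {dropped.src} -> {dropped.dst} "
                             "but no IPsec SA: IKE is not completing with the peer")
    else:
        report["verdict"] = (f"dropped in phase {dropped.number} "
                             f"({dropped.type}/{dropped.subtype}): {drop['text']}")
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the posted output, the verdict points at IKE rather than at the NAT exemption or an interface ACL, which narrows the search to the peer and tunnel-group settings on both boxes.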

ASA-1
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.0.1.250 255.255.255.0

!

crypto map MY_CRYPTO_MAP 1 set peer 10.0.2.250 <- finally the issue 

!

 

ASA-2

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.0.1.251 255.255.255.0

!

crypto map MY_CRYPTO_MAP 1 set peer 10.0.1.250

Mother of god.... lol

Thanks for the "fat finger" help.......

You are so, so welcome, friend