ASA - L2L VPN IKE P1 completes but no IPSEC

foo.bk001
Level 1

Hi All,

 

I am stuck with a problem getting an L2L VPN tunnel to our business partner.

My side is running on ASA, the remote peer is a Palo Alto FW.

Phase 1 is complete, but no IPSEC SAs are forming.

NAT shows 0 hits. 

 

This is the output:

 

show cryp isa sa deta

IKE Peer: 170.38.17.244
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 28775

 

show cryp ikev1 sa

IKE Peer: 170.38.17.244
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 28793

 

show cryp ipsec sa peer 170.38.17.244

There are no ipsec sas for peer 170.38.17.244

 

show access-list Outside2_cryptomap_1

MYKULM12FW1/sec/act# show access-list Outside2_cryptomap_1
access-list Outside2_cryptomap_1; 1 elements; name hash: 0xc40297cd
access-list Outside2_cryptomap_1 line 1 extended permit ip any4 object vcenpcsbpiapp01 (hitcnt=4076) 0x2be18ad9
access-list Outside2_cryptomap_1 line 1 extended permit ip any4 host 10.13.127.76 (hitcnt=4076) 0x2be18ad9
MYKULM12FW1/sec/act# show access-list Outside2_cryptomap_1
access-list Outside2_cryptomap_1; 1 elements; name hash: 0xc40297cd
access-list Outside2_cryptomap_1 line 1 extended permit ip any4 object vcenpcsbpiapp01 (hitcnt=4078) 0x2be18ad9
access-list Outside2_cryptomap_1 line 1 extended permit ip any4 host 10.13.127.76 (hitcnt=4078) 0x2be18ad9

 

MYKULM12FW1/sec/act# show nat tra 10.13.127.76 (this is the remote interesting traffic/host)
Manual NAT Policies (Section 1)
39 (Outside2) to (inside) source static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
translate_hits = 82014, untranslate_hits = 82014
41 (inside) to (Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
MYKULM12FW1/sec/act#

 

MYKULM12FW1/sec/act# packet input inside tcp 10.9.19.25 www 10.13.127.76 www

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 210.19.37.177 using egress ifc Outside2

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Outside2,inside) source static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside2
Untranslate 10.13.127.76/80 to 10.13.127.76/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 remark ########## ACL FOR INBOUND TRAFFIC ON INSIDE INTERFACE ####
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 any any
object-group service DM_INLINE_SERVICE_3
service-object icmp echo
service-object icmp echo-reply
service-object icmp
service-object ip
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map Riverbed_AutoDiscovery_Cmap
match access-list Riverbed_AutoDiscovery
policy-map global_policy
description NetFlow_Policy
class Riverbed_AutoDiscovery_Cmap
set connection advanced-options Riverbed_AutoDiscovery_Tmap
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Outside2,inside) source static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
Additional Information:
Static translate 10.9.19.25/80 to 10.9.19.25/80

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
description NetFlow_Policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MYKULM12FW1/sec/act#

 

Configuration:

 

Crypto map

crypto map outside2_map 2 match address Outside2_cryptomap_1
crypto map outside2_map 2 set pfs
crypto map outside2_map 2 set peer 170.38.17.244
crypto map outside2_map 2 set ikev1 transform-set ESP-3DES-SHA

 

Tunnel Group

tunnel-group 170.38.17.244 type ipsec-l2l
tunnel-group 170.38.17.244 general-attributes
default-group-policy GroupPolicy1
tunnel-group 170.38.17.244 ipsec-attributes
ikev1 pre-shared-key *****

 

NAT

nat (Outside2,inside) source static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup

nat (inside,Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup

 

DEBUGS

Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-3-713902: Group = 170.38.17.244, IP = 170.38.17.244, QM FSM error (P2 struct &0x00002aaac8ceb440, mess id 0xcae12fbc)!
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715065: Group = 170.38.17.244, IP = 170.38.17.244, IKE QM Initiator FSM error history (struct &0x00002aaac8ceb440) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, sending delete/delete with reason message
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec delete payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=44aab60f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715009: Group = 170.38.17.244, IP = 170.38.17.244, IKE Deleting SA: Remote Proxy 10.13.127.76, Local Proxy 0.0.0.0
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-3-713902: Group = 170.38.17.244, IP = 170.38.17.244, Removing peer from correlator table failed, no match!
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, IKE SA MM:51d29263 rcv'd Terminate: state MM_ACTIVE flags 0x00000062, refcnt 1, tuncnt 0
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 47874048
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Remove from IKEv1 MIB Table succeeded for SA with logical ID 47874048
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, IKE SA MM:51d29263 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, sending delete/delete with reason message
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside2_map. Map Sequence Number = 2.
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IKE delete payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=9db19b8f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-715077: Pitcher: received key delete msg, spi 0xf427efac
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-5-713259: Group = 170.38.17.244, IP = 170.38.17.244, Session is being torn down. Reason: Lost Service
Apr 15 2019 09:53:54 MYKULM12FW1 : %ASA-7-713906: Ignoring msg to mark SA with dsID 47874048 dead because SA deleted
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-4-752010: IKEv2 Doesn't have a proposal specified
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-713041: IP = 170.38.17.244, IKE Initiator: New Phase 1, Intf inside, IKE Peer 170.38.17.244 local Proxy Address 0.0.0.0, remote Proxy Address 10.13.127.76, Crypto map (outside2_map)
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing ISAKMP SA payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver 02 payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver 03 payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver RFC payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing Fragmentation VID + extended capabilities payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 468
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing SA payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Oakley proposal is acceptable
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing VID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715049: IP = 170.38.17.244, Received Fragmentation VID
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715064: IP = 170.38.17.244, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing VID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing ke payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing nonce payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing Cisco Unity VID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing xauth V6 VID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715048: IP = 170.38.17.244, Send IOS VID
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715038: IP = 170.38.17.244, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing VID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715048: IP = 170.38.17.244, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing ke payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing ISA_KE payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing nonce payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Connection landed on tunnel_group 170.38.17.244
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Generating keys for Initiator...
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing ID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing hash payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715076: Group = 170.38.17.244, IP = 170.38.17.244, Computing hash for ISAKMP
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing dpd vid payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: Group = 170.38.17.244, IP = 170.38.17.244, processing ID payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-714011: Group = 170.38.17.244, IP = 170.38.17.244, ID_IPV4_ADDR ID received
170.38.17.244
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715047: Group = 170.38.17.244, IP = 170.38.17.244, processing hash payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715076: Group = 170.38.17.244, IP = 170.38.17.244, Computing hash for ISAKMP
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Connection landed on tunnel_group 170.38.17.244
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Oakley begin quick mode
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-714002: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator starting QM: msg id = 42229030
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-713119: Group = 170.38.17.244, IP = 170.38.17.244, PHASE 1 COMPLETED
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713121: IP = 170.38.17.244, Keep-alive type for this connection: None
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-3-713122: IP = 170.38.17.244, Keep-alives configured on but peer does not support keep-alives (type = None)
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715080: Group = 170.38.17.244, IP = 170.38.17.244, Starting P1 rekey timer: 21600 seconds.
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 254599168
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Add to IKEv1 MIB Table succeeded for SA with logical ID 254599168
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715006: Group = 170.38.17.244, IP = 170.38.17.244, IKE got SPI from key engine: SPI = 0x7c5c86eb
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, oakley constucting quick mode
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec SA payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec nonce payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing pfs ke payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715001: Group = 170.38.17.244, IP = 170.38.17.244, constructing proxy ID
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote host: 10.13.127.76 Protocol 0 Port 0
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-714007: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator sending Initial Contact
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-714004: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator sending 1st QM pkt: msg id = 42229030
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=42229030) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328


Hi,

Your crypto ACL Outside2_cryptomap_1 is configured as "any4" for source, is the 3rd party VPN expecting that? .....I doubt it.

 

Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote host: 10.13.127.76 Protocol 0 Port 0

 

You should modify the source network in the ACL to only your local network - NETWORK_OBJ_10.9.0.0_16.

 

You should only need the 2nd NAT rule

 

nat (inside,Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup

 

...it's probably hitting the rule #39 above the rule you are expecting it to hit.

 

After you've made those modifications, if it still does not work please provide more debugs. Your current debugs do provide enough information; try debug crypto ipsec as well.

 

HTH
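As an added example (not code from the thread or from Cisco), the Python below parses ASA IKEv1 debug lines of the kind quoted above, pulls out the Phase 1 result, the transmitted proxy IDs and the Quick Mode FSM error history, and flags the two things the reply points at: a 0.0.0.0/0 local proxy produced by an `any4` crypto ACL, and a QM1-sent / QM2-never-received timeout whose real reason lives only in the peer's logs. The sample captures are constructed from the thread's lines (not verbatim), and the finding codes are this example's own invention.

```python
"""Triage an ASA IKEv1 L2L debug capture: did Phase 1 complete, which proxy IDs
went out in Quick Mode, and does the QM failure look like a silent peer-side reject?
Added example for the thread above; message IDs are Cisco's, heuristics are ours."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SYSLOG_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
# Continuation lines after "Transmitting Proxy Id:" carry no syslog header
PROXY_RE = re.compile(r"^(Local|Remote) (?:subnet|host): (\S+)(?: mask (\S+))?")
HISTORY_RE = re.compile(r"<state>, <event>:\s*(.*)$")
P1_MISMATCH_RE = re.compile(r"Mismatched attribute types for class (.+?): Rcv'd: (.+?) Cfg'd: (.+)$")


@dataclass
class IkeReport:
    peer: Optional[str] = None
    phase1_completed: bool = False
    p1_policy_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)
    local_proxy: Optional[Tuple[str, str]] = None    # (address, mask)
    remote_proxy: Optional[Tuple[str, str]] = None
    qm_error: bool = False
    qm_history: List[Tuple[str, str]] = field(default_factory=list)  # (state, event), newest first


def parse_ike_debug(text: str) -> IkeReport:
    r = IkeReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            proxy = (addr, mask or "255.255.255.255")  # "host" form carries no mask: /32
            if side == "Local":
                r.local_proxy = proxy
            else:
                r.remote_proxy = proxy
            continue
        s = SYSLOG_RE.search(line)
        if not s:
            continue
        _sev, msg_id, body = s.groups()
        p = PEER_RE.search(body)
        if p:
            r.peer = p.group(1)
        if msg_id == "713119":                       # PHASE 1 COMPLETED
            r.phase1_completed = True
        elif msg_id == "713257":                     # Phase 1 policy attribute mismatch
            mm = P1_MISMATCH_RE.search(body)
            if mm:
                r.p1_policy_mismatches.append(mm.groups())
        elif msg_id == "713902" and "QM FSM error" in body:
            r.qm_error = True
        elif msg_id == "715065":                     # QM FSM error history, "STATE, EVENT-->STATE, EVENT..."
            h = HISTORY_RE.search(body)
            if h:
                for chunk in h.group(1).split("-->"):
                    parts = [x.strip() for x in chunk.split(",", 1)]
                    if len(parts) == 2:
                        r.qm_history.append((parts[0], parts[1]))
    return r


def diagnose(r: IkeReport) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; the codes are this example's own."""
    f = []
    if not r.phase1_completed:
        f.append(("P1_FAILED", "Phase 1 never completed; fix IKE policy or PSK before looking at Phase 2"))
        return f
    if r.p1_policy_mismatches:
        f.append(("P1_POLICY_WALK", "713257 mismatches before PHASE 1 COMPLETED are the ASA walking "
                  "its policy list; a later policy matched, so this is not the fault"))
    if r.qm_error:
        if any(st == "QM_WAIT_MSG2" and ev == "EV_TIMEOUT" for st, ev in r.qm_history):
            f.append(("QM2_TIMEOUT", "QM message 1 was sent but no QM message 2 arrived: the peer "
                      "silently rejected the Phase 2 proposal (proxy IDs, transform set or PFS "
                      "group); the actual reason is only visible in the peer's logs"))
        if r.local_proxy == ("0.0.0.0", "0.0.0.0"):
            f.append(("PROXY_ANY", "local proxy ID is 0.0.0.0/0 (crypto ACL source 'any'); the peer "
                      "would have to accept 0.0.0.0/0 as its remote network, so narrow the crypto "
                      "ACL source to the real local subnet"))
    return f


# Constructed capture modelled on the thread's first debug (crypto ACL source any4); not verbatim.
BEFORE_FIX = """\
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-5-713119: Group = 170.38.17.244, IP = 170.38.17.244, PHASE 1 COMPLETED
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote host: 10.13.127.76 Protocol 0 Port 0
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-3-713902: Group = 170.38.17.244, IP = 170.38.17.244, QM FSM error (P2 struct &0x00002aaac8ceb440, mess id 0xcae12fbc)!
Apr 15 2019 09:53:57 MYKULM12FW1 : %ASA-7-715065: Group = 170.38.17.244, IP = 170.38.17.244, IKE QM Initiator FSM error history (struct &0x00002aaac8ceb440) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR
"""
# Same capture after the crypto ACL source was narrowed to 10.9.0.0/16 (the thread's second debug).
AFTER_FIX = BEFORE_FIX.replace("Local subnet: 0.0.0.0 mask 0.0.0.0", "Local subnet: 10.9.0.0 mask 255.255.0.0")

if __name__ == "__main__":
    for name, log in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        rep = parse_ike_debug(log)
        print(name, rep.peer, rep.local_proxy, [code for code, _ in diagnose(rep)])
```

Run against a real `debug crypto ikev1` capture, the "after" shape (QM2_TIMEOUT with a sane local proxy) is the signal to stop changing the ASA and ask the peer admin for their Phase 2 rejection log.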

Hi,

 

Changes made as per suggestion, I've cleared cry isa sa and xlate, but still no response from the remote host.

IKEv1 showing as MM Active.

Packet tracer shows phase 12 VPN as DROP but the ACL shows hits.

 

MYKULM12FW1/sec/act# show cry ikev1 sa

IKE Peer: 170.38.17.244
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE


MYKULM12FW1/sec/act# show cry ipsec sa peer 170.38.17.244

There are no ipsec sas for peer 170.38.17.244

 

ACL
MYKULM12FW1/sec/act# show access-list Outside2_cryptomap_1
access-list Outside2_cryptomap_1; 1 elements; name hash: 0xc40297cd
access-list Outside2_cryptomap_1 line 1 extended permit ip object NETWORK_OBJ_10.9.0.0_16 object vcenpcsbpiapp01 (hitcnt=362) 0xc9fb785d
access-list Outside2_cryptomap_1 line 1 extended permit ip 10.9.0.0 255.255.0.0 host 10.13.127.76 (hitcnt=362) 0xc9fb785d

NAT

MYKULM12FW1/sec/act# show nat trans 10.13.127.76
Manual NAT Policies (Section 1)
39 (Outside2) to (inside) source static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
41 (inside) to (Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
translate_hits = 43, untranslate_hits = 43

 

DEBUG --> SYSLOG SERVER

MYKULM12FW1/sec/act# show debug
debug crypto ipsec enabled at level 1
debug crypto ikev1 enabled at level 1

 

Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-3-713902: Group = 170.38.17.244, IP = 170.38.17.244, QM FSM error (P2 struct &0x00002aaacb312b20, mess id 0xb9dae22a)!
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715065: Group = 170.38.17.244, IP = 170.38.17.244, IKE QM Initiator FSM error history (struct &0x00002aaacb312b20) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, sending delete/delete with reason message
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec delete payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=83f5b33f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715009: Group = 170.38.17.244, IP = 170.38.17.244, IKE Deleting SA: Remote Proxy 10.13.127.76, Local Proxy 10.9.0.0
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-3-713902: Group = 170.38.17.244, IP = 170.38.17.244, Removing peer from correlator table failed, no match!
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, IKE SA MM:44b9eaed rcv'd Terminate: state MM_ACTIVE flags 0x00000062, refcnt 1, tuncnt 0
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 264773632
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Remove from IKEv1 MIB Table succeeded for SA with logical ID 264773632
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, IKE SA MM:44b9eaed terminating: flags 0x01000022, refcnt 0, tuncnt 0
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, sending delete/delete with reason message
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside2_map. Map Sequence Number = 2.
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IKE delete payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=23669a02) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-715077: Pitcher: received key delete msg, spi 0xb63070b9
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-5-713259: Group = 170.38.17.244, IP = 170.38.17.244, Session is being torn down. Reason: Lost Service
Apr 15 2019 14:22:52 MYKULM12FW1 : %ASA-7-713906: Ignoring msg to mark SA with dsID 264773632 dead because SA deleted
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside2_map. Map Sequence Number = 2.
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-4-752010: IKEv2 Doesn't have a proposal specified
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-5-713041: IP = 170.38.17.244, IKE Initiator: New Phase 1, Intf inside, IKE Peer 170.38.17.244 local Proxy Address 10.9.0.0, remote Proxy Address 10.13.127.76, Crypto map (outside2_map)
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing ISAKMP SA payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver 02 payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver 03 payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing NAT-Traversal VID ver RFC payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing Fragmentation VID + extended capabilities payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 468
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing SA payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Oakley proposal is acceptable
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing VID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715049: IP = 170.38.17.244, Received Fragmentation VID
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715064: IP = 170.38.17.244, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing VID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing ke payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing nonce payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing Cisco Unity VID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing xauth V6 VID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715048: IP = 170.38.17.244, Send IOS VID
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715038: IP = 170.38.17.244, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: IP = 170.38.17.244, constructing VID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715048: IP = 170.38.17.244, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing ke payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing ISA_KE payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: IP = 170.38.17.244, processing nonce payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Connection landed on tunnel_group 170.38.17.244
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Generating keys for Initiator...
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing ID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing hash payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715076: Group = 170.38.17.244, IP = 170.38.17.244, Computing hash for ISAKMP
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing dpd vid payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IKE Receiver: Packet received on 210.19.37.178:500 from 170.38.17.244:500
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: Group = 170.38.17.244, IP = 170.38.17.244, processing ID payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-714011: Group = 170.38.17.244, IP = 170.38.17.244, ID_IPV4_ADDR ID received
170.38.17.244
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715047: Group = 170.38.17.244, IP = 170.38.17.244, processing hash payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715076: Group = 170.38.17.244, IP = 170.38.17.244, Computing hash for ISAKMP
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: IP = 170.38.17.244, Connection landed on tunnel_group 170.38.17.244
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Oakley begin quick mode
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-714002: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator starting QM: msg id = b1324cd4
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-5-713119: Group = 170.38.17.244, IP = 170.38.17.244, PHASE 1 COMPLETED
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713121: IP = 170.38.17.244, Keep-alive type for this connection: None
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-3-713122: IP = 170.38.17.244, Keep-alives configured on but peer does not support keep-alives (type = None)
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715080: Group = 170.38.17.244, IP = 170.38.17.244, Starting P1 rekey timer: 21600 seconds.
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 105861120
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Add to IKEv1 MIB Table succeeded for SA with logical ID 105861120
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715006: Group = 170.38.17.244, IP = 170.38.17.244, IKE got SPI from key engine: SPI = 0x107f7b46
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, oakley constucting quick mode
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing blank hash payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec SA payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing IPSec nonce payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing pfs ke payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715001: Group = 170.38.17.244, IP = 170.38.17.244, constructing proxy ID
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Transmitting Proxy Id:
Local subnet: 10.9.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote host: 10.13.127.76 Protocol 0 Port 0
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-714007: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator sending Initial Contact
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-715046: Group = 170.38.17.244, IP = 170.38.17.244, constructing qm hash payload
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-714004: Group = 170.38.17.244, IP = 170.38.17.244, IKE Initiator sending 1st QM pkt: msg id = b1324cd4
Apr 15 2019 14:22:55 MYKULM12FW1 : %ASA-7-713236: IP = 170.38.17.244, IKE_DECODE SENDING Message (msgid=b1324cd4) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
Packet Tracer (Phase 12 VPN shows DROP)

MYKULM12FW1/sec/act# packet input inside tcp 10.9.19.25 www 10.13.127.76 www deta

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac8c14fc0, priority=1, domain=permit, deny=false
hits=9391767907, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 210.19.37.177 using egress ifc Outside2

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside2
Untranslate 10.13.127.76/80 to 10.13.127.76/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 remark ########## ACL FOR INBOUND TRAFFIC ON INSIDE INTERFACE ####
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 any any
object-group service DM_INLINE_SERVICE_3
service-object icmp echo
service-object icmp echo-reply
service-object icmp
service-object ip
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacade6320, priority=13, domain=permit, deny=false
hits=41635246, user_data=0x2aaabdb4dc80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map Riverbed_AutoDiscovery_Cmap
match access-list Riverbed_AutoDiscovery
policy-map global_policy
description NetFlow_Policy
class Riverbed_AutoDiscovery_Cmap
set connection advanced-options Riverbed_AutoDiscovery_Tmap
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacc482890, priority=7, domain=conn-set, deny=false
hits=30573011, user_data=0x2aaacc474650, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Outside2) source static NETWORK_OBJ_10.9.0.0_16 NETWORK_OBJ_10.9.0.0_16 destination static vcenpcsbpiapp01 vcenpcsbpiapp01 no-proxy-arp route-lookup
Additional Information:
Static translate 10.9.19.25/80 to 10.9.19.25/80
Forward Flow based lookup yields rule:
in id=0x2aaacc4bb170, priority=6, domain=nat, deny=false
hits=522, user_data=0x2aaac8b59a10, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.9.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.13.127.76, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=Outside2

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac9375f30, priority=1, domain=nat-per-session, deny=true
hits=84215719, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacad09740, priority=0, domain=inspect-ip-options, deny=true
hits=59140586, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
description NetFlow_Policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacaf8ce00, priority=71, domain=sfr, deny=false
hits=49494387, user_data=0x2aaacc483a30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac8c11280, priority=20, domain=lu, deny=false
hits=29051292, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacceaa270, priority=18, domain=flow-export, deny=false
hits=53127971, user_data=0x2aaac8b6d410, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 12
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaad9bdabb0, priority=70, domain=encrypt, deny=false
hits=638, user_data=0x0, cs_id=0x2aaad0548c70, reverse, flags=0x0, protocol=0
src ip/id=10.9.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.13.127.76, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Outside2

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MYKULM12FW1/sec/act#

Hi,

Have you confirmed with the other firewall that the crypto ACL used to match the interesting traffic matches the exact networks you have configured on your ASA? They need to be the same.

Also check that the Phase 2 encryption/hash algorithm parameters are exactly the same on the PA firewall.
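As an added example (not part of the original thread and not a Cisco or Palo Alto tool), here is a small Python script that pulls the proxy IDs the ASA transmits out of `debug crypto ikev1` lines like the "Transmitting Proxy Id" block above and checks them against the proxy IDs configured on the peer. For IKEv1 Quick Mode the peer's local/remote pair must be the exact mirror image of what the ASA sends; an overlapping but wider network (for example a /24 on the Palo Alto where the ASA sends a /32 host) does not match. The debug text is copied in shape from the post; the two peer-side proxy-ID sets `PA_WRONG` and `PA_RIGHT` are constructed assumptions for illustration, not the partner's real configuration.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample in the same shape as the debug lines quoted in the post.
ASA_DEBUG = """\
%ASA-7-713906: Group = 170.38.17.244, IP = 170.38.17.244, Transmitting Proxy Id:
Local subnet: 10.9.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote host: 10.13.127.76 Protocol 0 Port 0
"""

# Peer-side proxy IDs as (peer_local, peer_remote). Both sets are assumptions
# made up for this example; they are not the partner's real configuration.
PA_WRONG = [(ipaddress.IPv4Network("10.13.127.0/24"), ipaddress.IPv4Network("10.9.0.0/16"))]
PA_RIGHT = [(ipaddress.IPv4Network("10.13.127.76/32"), ipaddress.IPv4Network("10.9.0.0/16"))]

ProxyId = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

_SUBNET = re.compile(r"^\s*(Local|Remote) subnet:\s+(\S+)\s+mask\s+(\S+)")
_HOST = re.compile(r"^\s*(Local|Remote) host:\s+(\S+)")


def parse_asa_proxy_ids(debug_text: str) -> List[ProxyId]:
    """Return (local, remote) network pairs from ASA 'Transmitting Proxy Id' lines.

    'subnet: A mask M' becomes A/M; 'host: A' becomes A/32. A pair is emitted
    once both a Local and a Remote line have been seen.
    """
    pairs: List[ProxyId] = []
    local = remote = None
    for line in debug_text.splitlines():
        m = _SUBNET.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
        else:
            m = _HOST.match(line)
            if not m:
                continue
            net = ipaddress.IPv4Network(f"{m.group(2)}/32")
        if m.group(1) == "Local":
            local = net
        else:
            remote = net
        if local is not None and remote is not None:
            pairs.append((local, remote))
            local = remote = None
    return pairs


def find_mismatch(asa_pairs: List[ProxyId], peer_pairs: List[ProxyId]) -> List[str]:
    """Report every ASA proxy ID that has no exact mirror image on the peer.

    The ASA sends (local, remote); the responder needs a policy whose
    (local, remote) is (ASA remote, ASA local). IKEv1 does not narrow, so
    an overlapping-but-different network is reported as a mismatch too.
    Returns an empty list when every ASA pair is mirrored.
    """
    problems = []
    for local, remote in asa_pairs:
        if (remote, local) in peer_pairs:
            continue
        near = [p for p in peer_pairs if p[0].overlaps(remote) and p[1].overlaps(local)]
        if near:
            problems.append(
                f"ASA {local} -> {remote}: peer only has overlapping "
                f"{near[0][0]} <-> {near[0][1]} (must be exact)"
            )
        else:
            problems.append(f"ASA {local} -> {remote}: peer has no matching proxy ID")
    return problems


if __name__ == "__main__":
    asa = parse_asa_proxy_ids(ASA_DEBUG)
    for name, peer in (("PA_WRONG", PA_WRONG), ("PA_RIGHT", PA_RIGHT)):
        issues = find_mismatch(asa, peer)
        print(name, "OK" if not issues else "; ".join(issues))
```

Feed the script the "Transmitting Proxy Id" lines from your own debug output and the proxy IDs the partner shows you for their tunnel; if it reports an "overlapping" entry, the two sides are arguing about the same hosts but with different prefix lengths, which is exactly the case Quick Mode will reject.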