01-10-2019 04:14 AM
Hi There,
I was troubleshooting an L2L VPN and was putting captures and checking ACLs; suddenly "show crypto ikev1 sa" does not show the peer as MM_Active or any details.
Neither is it showing up in ASDM under Monitoring for Site-to-Site.
I can see that the object group and the Site2Site config are there in ASDM, but what is happening?
01-10-2019 05:46 AM
The site-to-site VPN is on demand. By that I mean: if Alpha wants to send an encrypted packet to Beta, then Alpha needs to initiate the connection from his/her PC. Now his/her PC subnet is defined on the firewall access-list (interesting traffic, with reference to the destination traffic). The firewall sees the packet coming in, checks its rules and finds that this rule matches the XYZ ACL, with NAT applied if there is a public address on the exit or NAT in place. Here the ASA now checks its crypto config and forwards the packet to the destination address as of its peer IP (which could be another firewall/router on the internet).
Also, IKEv1 and IPsec have timers with these values. If this was working fine and no change was made, it could be that there is no initiator from your side or from the remote site.
01-10-2019 04:59 AM
It could be a number of reasons unless you share the config with us.
Check:
show crypto ikev1 sa detail
show run crypto map | make sure you have the peer IP address |
Try to initiate the traffic from the interesting ACL (source IP to remote IP address). This will trigger the VPN; then see if "show crypto ikev1 sa" shows you anything.
01-10-2019 07:48 AM
I am thankful for your answers.
I did a ping to the destination; still I don't see MM active, nor do I see any information.
ACL is in place. ASDM has the config stored, please see 1 and 2.
Just don't know what is happening .. :(
01-10-2019 07:51 AM - edited 01-10-2019 08:05 AM
Please share your configuration of the firewall. It would also be great if you have the other side's config too.
Or run these commands and share the output:
debug crypto condition peer xxxxx (this is the remote public IP address of the other side)
logging monitor debug
If on an SSH connection, run this command:
terminal monitor
And to disable it, enter:
terminal no monitor
01-11-2019 10:57 AM
Was your issue fixed?
01-12-2019 08:36 PM
The other site has confirmed that their site was down and the VPN from their side was not up!! Still waiting for the next 3 hours to check. This comes from the support staff; the real engineer is still to come!!!
01-13-2019 12:53 AM
Share your VPN config and the remote site config so we can have a look at them. Up till now we have very limited information.
01-15-2019 09:01 AM
Got some logs!! The tunnel shows up and goes away!!
Jan 15 12:59:22 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad6678350, mess id 0xa5c39bd)!
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad6678350) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
Jan 15 12:59:22 [IKEv1]IP = 24.32.62.12, IKE_DECODE SENDING Message (msgid=1d00d9a3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 12:59:22 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, Removing peer from correlator table failed, no match!
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:22 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x60005623
Jan 15 12:59:23 [IKEv1]IKE Receiver: Packet received on 185.41.216.7:500 from 24.32.62.12:500
Jan 15 12:59:23 [IKEv1]IP = 24.32.62.12, IKE_DECODE RECEIVED Message (msgid=99029f00) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, processing hash payload
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, processing notify payload
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE (seq number 0xe37)
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xe37)
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 12:59:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
Jan 15 12:59:23 [IKEv1]IP = 24.32.62.12, IKE_DECODE SENDING Message (msgid=e3c84bdc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 15 13:42:23 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jan 15 13:42:23 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, IKE Initiator: New Phase 2, Intf Outside, IKE Peer 24.32.62.12 local Proxy Address 192.168.248.0, remote Proxy Address 192.168.11.0, Crypto map (lanlab)
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Oakley begin quick mode
Jan 15 13:42:23 [IKEv1 DECODE]Group = 24.32.62.12, IP = 24.32.62.12, IKE Initiator starting QM: msg id = 51fcc798
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0x4041f2c9
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0xe5de5a8f
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0x5cb49cb5
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0xe9da1dca
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0xa8f0c4dd
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0x0949ce20
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0x8813e04f
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0x4a358b81
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0xed4c9d87
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE got SPI from key engine: SPI = 0xfb5ed03b
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, oakley constucting quick mode
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec SA payload
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec nonce payload
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing pfs ke payload
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing proxy ID
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Transmitting Proxy Id:
Local subnet: 192.168.248.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 192.168.11.0 Mask 255.255.255.0 Protocol 0 Port 0
Jan 15 13:42:23 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
Jan 15 13:42:23 [IKEv1 DECODE]Group = 24.32.62.12, IP = 24.32.62.12, IKE Initiator sending 1st QM pkt: msg id = 51fcc798
Jan 15 13:42:23 [IKEv1]IP = 24.32.62.12, IKE_DECODE SENDING Message (msgid=51fcc798) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 856
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Sending keep-alive of type DPD R-U-THERE (seq number 0x7441c89b)
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
Jan 15 13:42:37 [IKEv1]IP = 24.32.62.12, IKE_DECODE SENDING Message (msgid=71c7d91c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 15 13:42:37 [IKEv1]IKE Receiver: Packet received on 185.41.216.7:500 from 24.32.62.12:500
Jan 15 13:42:37 [IKEv1]IP = 24.32.62.12, IKE_DECODE RECEIVED Message (msgid=2a0743b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, processing hash payload
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, processing notify payload
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
Jan 15 13:42:55 [IKEv1]IP = 24.32.62.12, IKE_DECODE SENDING Message (msgid=2f7c7e69) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, Removing peer from correlator table failed, no match!
Jan 15 13:42:55 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xfb5ed03b
Jan 15 13:42:55 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xfb5ed03b
01-15-2019 09:09 AM
Can you upload the config of both sides please?
01-15-2019 09:10 AM
I don't have access to the other side as of now. Is there a tool or a best way to interpret the logs pasted above!! Anything you would like to guide me to!!
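One way to read debug output of the kind pasted above, added here as an example and not from the thread or from any Cisco tool: a small Python summariser that counts Phase 2 attempts, QM FSM errors, the states in which a timer expired, and whether DPD was acknowledged. The sample lines are constructed in the thread's own log format (peer 24.32.62.12 and the two proxy subnets are the values from the thread); the reading it produces, Phase 1 alive but no reply to Quick Mode message 1, is what a timeout in QM_WAIT_MSG2 indicates, and the suggested next step is the comparison of Phase 2 settings that the replies above already ask for.

```python
import re
# Constructed sample in the same format as the ASA "debug crypto ikev1" output
# posted above (peer 24.32.62.12 and the two proxy subnets are the thread's own values).
SAMPLE_LOG = """\
Jan 15 13:42:23 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, IKE Initiator: New Phase 2, Intf Outside, IKE Peer 24.32.62.12 local Proxy Address 192.168.248.0, remote Proxy Address 192.168.11.0, Crypto map (lanlab)
Jan 15 13:42:23 [IKEv1 DECODE]Group = 24.32.62.12, IP = 24.32.62.12, IKE Initiator sending 1st QM pkt: msg id = 51fcc798
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Sending keep-alive of type DPD R-U-THERE (seq number 0x7441c89b)
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE Deleting SA: Remote Proxy 192.168.11.0, Local Proxy 192.168.248.0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<lvl>IKEv1(?: \w+)?)\]"
                     r"(?:Group = (?P<group>[^,]+), )?(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$")

def parse_events(text):  # -> [(timestamp, level, peer, message)]; continuation lines are skipped
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["lvl"], m["ip"] or m["group"], m["msg"]))
    return out

def summarize(text):  # count the events that matter when a tunnel "shows up and goes away"
    s = {"peer": None, "proxies": None, "phase2_attempts": 0, "qm_fsm_errors": 0,
         "timeouts_in": [], "dpd_acked": False}
    for _, _, peer, msg in parse_events(text):
        s["peer"] = s["peer"] or peer
        if "IKE Initiator: New Phase 2" in msg:
            s["phase2_attempts"] += 1
            m = re.search(r"local Proxy Address ([\d.]+), remote Proxy Address ([\d.]+)", msg)
            s["proxies"] = (m.group(1), m.group(2)) if m else s["proxies"]
        elif msg.startswith("QM FSM error"):
            s["qm_fsm_errors"] += 1
        elif "FSM error history" in msg:  # which state the Quick Mode timer expired in
            s["timeouts_in"] += re.findall(r"EV_TIMEOUT-->(\w+)", msg)
        elif "Received keep-alive of type DPD R-U-THERE-ACK" in msg:
            s["dpd_acked"] = True  # the peer answers DPD, so the Phase 1 SA is alive
    return s

def diagnose(text):  # one-line reading of the capture
    s = summarize(text)
    if not s["qm_fsm_errors"]:
        return "no Quick Mode failure in this capture"
    if set(s["timeouts_in"]) != {"QM_WAIT_MSG2"}:
        return "Quick Mode failed; read the FSM error history for the state it died in"
    p1 = "Phase 1 is up (DPD answered) but " if s["dpd_acked"] else ""
    return p1 + "peer %s never replied to Quick Mode message 1 for proxies %s -> %s" % (
        s["peer"], *(s["proxies"] or ("?", "?")))
```

Run `diagnose(SAMPLE_LOG)` to get the one-line reading; on a real capture, feed it the full `debug crypto ikev1` output and compare the proxies it reports against the crypto ACL on the remote side.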