cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1365
Views
0
Helpful
8
Replies

ASA5540 to Cisco2650XM VPN issues

nextratel
Level 1
Level 1

Hello,

I am trying to create a VPN between a service provider's ASA5540 and our Cisco2650XM device.

Here's our config :

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key ********* address XX.YY.223.126

crypto ipsec transform-set ipcom esp-3des esp-sha-hmac

crypto map serviceprovider local-address Loopback99

crypto map serviceprovider 1 ipsec-isakmp

description Tunnel to Service Provider

set peer XX.YY.223.126

set transform-set ipcom

set pfs group1

match address 100

interface Loopback99

ip address ZZ.YY.196.2 255.255.255.0

ip ospf 10 area 0

interface FastEthernet0/0

ip address XX.HH.126.90 255.255.255.224

duplex auto

speed auto

crypto map serviceprovider

access-list 100 permit ip any host 172.16.3.133

access-list 100 permit ip any host 172.16.3.131

And below, service provider ASA config:

object-group network Customer

network-object host ZZ.YY.196.129

network-object host ZZ.YY.196.130

network-object host XX.HH.126.129

network-object host XX.HH.126.130

object-group network DM_INLINE_NETWORK_4

network-object host 172.16.3.131

network-object host 172.16.3.133

access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133

access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Customer

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer ZZ.YY.196.2

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 3600

group-policy ZZ.YY.196.2 internal

group-policy ZZ.YY.196.2 attributes

vpn-filter value outside_20_cryptomap

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group ZZ.YY.196.2 type ipsec-l2l

tunnel-group ZZ.YY.196.2 general-attributes

default-group-policy ZZ.YY.196.2

tunnel-group ZZ.YY.196.2 ipsec-attributes

pre-shared-key *****

network ZZ.YY.196.130 0.0.0.0 area 0

=-=========================================================================

We cannot get past phase 1. Here's the log:

===========================================================================

May  8 00:47:56.863: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= ZZ.YY.196.2, remote= XX.YY.223.126,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0xE0E40431(3773039665), conn_id= 0, keysize= 0, flags= 0x400B

May  8 00:47:57.043: CryptoEngine0: generating alg parameter for connid 19

May  8 00:47:57.043: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)

May  8 00:47:57.083: CRYPTO_ENGINE: Dh phase 1 status: OK

May  8 00:47:57.264: CryptoEngine0: generating alg parameter for connid 0

May  8 00:47:57.264: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)

May  8 00:47:57.308: CryptoEngine0: create ISAKMP SKEYID for conn id 19

May  8 00:47:57.308: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec)

May  8 00:47:57.348: CryptoEngine0: generate hmac context for conn id 19

May  8 00:47:57.588: CryptoEngine0: generate hmac context for conn id 19

May  8 00:47:57.588: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 00:47:57.596: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)

May  8 00:47:57.781: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)

May  8 00:47:57.785: CryptoEngine0: generate hmac context for conn id 19

May  8 00:47:57.785: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 00:47:57.797: CryptoEngine0: generate hmac context for conn id 19

May  8 00:47:57.797: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 00:47:57.805: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)

May  8 00:47:57.813: IPSEC(key_engine): got a queue event with 1 kei messages....

May  8 00:48:47.815: CryptoEngine0: clear dh number for conn id 36

May  8 00:48:47.815: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)

May  8 00:48:56.865: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= ZZ.YY.196.2, remote= XX.YY.223.126,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1)

May  8 00:48:57.815: CryptoEngine0: delete connection 19

May  8 00:48:57.815: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)

May  8 00:49:17.844: CryptoEngine0: clear dh number for conn id 38

May  8 00:49:17.844: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)

May  8 00:49:27.844: CryptoEngine0: delete connection 20

May  8 00:49:27.844: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)

The IKE never comes up, I mostly see it in DOWN or DOWN-NEGOTIATING:

Router#sho cry sess

Crypto session current status

Interface: Loopback99

Session status: DOWN-NEGOTIATING

Peer: XX.YY.223.126 port 500

  IKE SA: local ZZ.YY.196.2/500 remote XX.YY.223.126/500 Inactive

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.131

        Active SAs: 0, origin: crypto map

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.133

        Active SAs: 0, origin: crypto map

c2650#

Any idea what might be wrong here?

Thanks,

D.

8 Replies 8

nextratel
Level 1
Level 1

On a more comprehensive debug i get this:

ay  8 02:28:03.389: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)

May  8 02:28:03.393: CryptoEngine0: generate hmac context for conn id 28

May  8 02:28:03.393: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 02:28:03.401: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)

May  8 02:28:03.582: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)

May  8 02:28:03.590: CryptoEngine0: generate hmac context for conn id 28

May  8 02:28:03.590: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 02:28:03.598: ISAKMP:(0:28:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer XX.YY.223.126)

May  8 02:28:03.602: CryptoEngine0: generate hmac context for conn id 28

May  8 02:28:03.602: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)

May  8 02:28:03.610: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)

May  8 02:28:03.618: IPSEC(key_engine): got a queue event with 1 kei messages

Thanks,

D.

Hi Daniel,

It seems you have pfs enabled on ASA but no on router. Can you remove the following command from ASA:

no crypto map outside_map 20 set pfs

If issue persists, please paste 'show run crypto' from ASA as well.

-

Sourav

nextratel
Level 1
Level 1

Router#sho cry isa sa

dst             src             state          conn-id slot status

XX.YY.223.126  ZZ.YY.196.2   MM_NO_STATE         30    0 ACTIVE (deleted)

Router#

Help please?

Infact, can you please post 'show run' from both router and ASA for review? Problem seems to be in phase 1 and we don't have complete config to look at.

Thanks.

-

Sourav/

Links with configs from the 2650XM and the partial config I have from the service provider.

http://pastebin.com/bZA5WwMp    --- Config from 2650XM

http://pastebin.com/cyy1hdNN   -- partial config I have from ASA

Thanks,

D.

Thanks Daniel. Ok so we have pfs enabled on both ASA and router.

Few things to consider:

ASA has following access-list which seems to be for nat exempt (i don't see nat 0 anywhere in config, so can't verify):

access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133

Here is the crypto acl:

access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet

Itelnet seems to be on other end of router so nat exempt acl should look like:

access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet

no access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133

Please fix this.

Secondly, you've a VPN filter on ASA, not sure why is that needed as crypto acl is only allowing the specific traffic anyways:

group-policy 197.157.196.2 internal

group-policy 197.157.196.2 attributes

vpn-filter value outside_20_cryptomap

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 197.157.196.2 type ipsec-l2l

tunnel-group 197.157.196.2 general-attributes

default-group-policy 197.157.196.2

But most important thing is phase 1 policy on ASA which is not available in this config. On router we have;

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

Can you check if parameters are same on ASA as well?

-

Sourav

Sourav,

This is what I received from the service provider:

http://pastebin.com/fSyDmLPR

This above is their phase 1 config.

Is it of any use?

Thanks Daniel. I checked the output and we definately have a phase 1 policy match on two devices. We might need to collect more debugging info. I would recommend opening a TAC case so that we can further investigate this.

-

Sourav