Can't manage ASA to ASA through ipsec tunnel?

Mohamed.razek
Level 1

I have 1 ASA in the main office with 2 internet connections, and a remote site with a 4G modem connection.

We need to connect the branch to the main office but the VPN is not coming UP.

Here is the configuration of the branch ASA:

access-list Wifi_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip any any log debugging
access-list global_access extended permit ip any any
access-list outside_cryptomap_3 extended permit ip object Wifi-LAN object CAS-172.30.170.0
access-list outside_cryptomap_1 extended permit ip object Wifi-LAN object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable

nat (Wifi,outside) source static Wifi-LAN Wifi-LAN destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2
!
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (Lan,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network Wifi-LAN
nat (Wifi,outside) dynamic interface dns
access-group outside_access_in in interface outside
access-group Wifi_access_in_1 in interface Wifi
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

crypto map outside_map 1 match address outside_cryptomap_3
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 49.255.184.173
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 49.255.184.173
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 5
lifetime none

and here is the IKEv1 debug:

ucting IPSec SA payload


Jun 12 01:43:12 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing IPSec nonce payload
Jun 12 01:43:12 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing proxy ID
Jun 12 01:43:12 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, Transmitting Proxy Id:
Local host: 10.1.1.200 Protocol 0 Port 0
Remote host: 49.255.184.173 Protocol 0 Port 0
Jun 12 01:43:12 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing qm hash payload
Jun 12 01:43:12 [IKEv1]IP = 49.255.184.173, IKE_DECODE SENDING Message (msgid=ad663a5d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 172
Jun 12 01:43:13 [IKEv1]IKE Receiver: Packet received on 10.1.1.200:4500 from 49.255.184.173:4500
Jun 12 01:43:13 [IKEv1]IP = 49.255.184.173, IKE_DECODE RECEIVED Message (msgid=1efecd58) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 208
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, processing hash payload
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, processing notify payload
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Received non-routine Notify message: Invalid ID info (18)
Jun 12 01:43:13 [IKEv1]IKE Receiver: Packet received on 10.1.1.200:4500 from 49.255.184.173:4500
Jun 12 01:43:13 [IKEv1]IP = 49.255.184.173, IKE_DECODE RECEIVED Message (msgid=17516ad6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, processing hash payload
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, processing delete
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Connection terminated for peer 49.255.184.173. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 72826880
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Remove from IKEv1 MIB Table succeeded for SA with logical ID 72826880
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, sending delete/delete with reason message
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing blank hash payload
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing IPSec delete payload
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, constructing qm hash payload
Jun 12 01:43:13 [IKEv1]IP = 49.255.184.173, IKE_DECODE SENDING Message (msgid=ea89d775) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, IKE Deleting SA: Remote Proxy 49.255.184.173, Local Proxy 10.1.1.200
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Removing peer from correlator table failed, no match!
Jun 12 01:43:13 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, IKE SA MM:308bd185 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Warning: Ignoring IKE SA (dst) without VM bit set
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Session is being torn down. Reason: User Requested
Jun 12 01:43:13 [IKEv1]Ignoring msg to mark SA with dsID 72826880 dead because SA deleted
Jun 12 01:43:13 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x31f8735b

Phase one is coming up but phase 2 doesn't.

4 Replies

None of your cryptomap_1 and cryptomap_3 is missing the identity NAT rule. The NAT rule you gave does not match any of the crypto maps.

Fix your NAT rule.

Please do not forget to rate.

Thanks for the reply, but what exactly do you want me to update in the NAT rule?

Your NAT rules are missing for outside_cryptomap_3 and outside_cryptomap_1:

!


nat (Wifi,outside) source static Wifi-LAN Wifi-LAN destination static CAS-172.30.170.0 CAS-172.30.170.0 no-proxy-arp route-lookup
nat (Wifi,outside) source static Wifi-LAN Wifi-LAN destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

You have to define the above rules.

The only NAT rule you mentioned earlier is this:

nat (Wifi,outside) source static Wifi-LAN Wifi-LAN destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2

!

Please do not forget to rate.

Shakti Kumar
Cisco Employee

Hi,

Please check if the ACLs match:

Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Removing peer from correlator table failed, no match!

Thanks

Shakti
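As an added diagnostic example (not from the thread, Cisco, or either poster), the Python below parses the proxy IDs the branch ASA offers in the IKEv1 debug above, records whether the peer answered with "Invalid ID info (18)", and checks each proxy ID against the crypto-map ACLs from the posted config; the object-to-prefix mapping in OBJECTS is an assumption, since the thread never shows the object definitions, and the parser also accepts the "Local subnet ... mask ..." form the ASA prints for network proxy IDs.

```python
import ipaddress
import re

# Constructed excerpt of the debug from the thread, then the two crypto ACLs from the branch config.
DEBUG_LOG = """\
Jun 12 01:43:12 [IKEv1 DEBUG]Group = 49.255.184.173, IP = 49.255.184.173, Transmitting Proxy Id:
Local host: 10.1.1.200 Protocol 0 Port 0
Remote host: 49.255.184.173 Protocol 0 Port 0
Jun 12 01:43:13 [IKEv1]Group = 49.255.184.173, IP = 49.255.184.173, Received non-routine Notify message: Invalid ID info (18)
"""
CONFIG = """\
access-list outside_cryptomap_3 extended permit ip object Wifi-LAN object CAS-172.30.170.0
access-list outside_cryptomap_1 extended permit ip object Wifi-LAN object-group DM_INLINE_NETWORK_1
"""
# Assumed object contents: the thread never shows the object definitions.
OBJECTS = {"Wifi-LAN": ["192.168.50.0/24"], "CAS-172.30.170.0": ["172.30.170.0/24"],
           "DM_INLINE_NETWORK_1": ["172.30.171.0/24", "172.30.172.0/24"]}
PROXY_RE = re.compile(r"^(Local|Remote) (host|subnet): (\S+)(?: mask (\S+))?")

def parse_proxy_ids(log):
    """Return [local_net, remote_net, rejected] for each 'Transmitting Proxy Id' block."""
    ids, cur = [], None
    for line in log.splitlines():
        if line.endswith("Transmitting Proxy Id:"):
            cur = {}
        elif cur is not None and (m := PROXY_RE.match(line)):
            side, kind, addr, mask = m.groups()
            net = addr if kind == "host" else f"{addr}/{mask}"  # host -> /32, subnet -> addr/mask
            cur[side] = ipaddress.ip_network(net, strict=False)
            if len(cur) == 2:
                ids.append([cur["Local"], cur["Remote"], False])
        elif "Invalid ID info (18)" in line and ids:
            ids[-1][2] = True  # peer rejected the proxy ID offered just before
    return ids

def parse_crypto_acls(config, objects):
    """Map ACL name -> [(src_nets, dst_nets)]; only the object/object-group form used on the page."""
    acls, nets = {}, lambda o: [ipaddress.ip_network(n) for n in objects[o]]
    for name, src, dst in re.findall(r"^access-list (\S+) extended permit ip (?:object|object-group) (\S+) (?:object|object-group) (\S+)", config, re.M):
        acls.setdefault(name, []).append((nets(src), nets(dst)))
    return acls

def check_proxy_ids(log=DEBUG_LOG, config=CONFIG, objects=OBJECTS):
    """One finding per offered proxy ID: was it rejected, and which crypto ACL (if any) covers it."""
    cov = lambda net, nets: any(n.version == net.version and net.subnet_of(n) for n in nets)
    acls = parse_crypto_acls(config, objects)
    return [{"local": str(loc), "remote": str(rem), "rejected_by_peer": rej,
             "matching_acls": [a for a, e in acls.items() if any(cov(loc, s) and cov(rem, d) for s, d in e)]}
            for loc, rem, rej in parse_proxy_ids(log)]
```

For the posted debug the finding shows a host-to-host proxy ID between the two outside addresses that no crypto ACL covers, which is the kind of mismatch the "check if the ACLs match" advice refers to.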