
Certain SA's not being negotiated on IPSec tunnel

cchughes
Level 1

I am having an issue involving a Cisco ASA that has an IPSec tunnel to a Fortigate firewall.  In brief, the issue is that a couple of SAs establish but at least 2 subnet pairs defined in the crypto map ACL will not form an SA.


I have troubleshot on the Fortigate and I can see the packets get encrypted and assigned to the tunnel.  On the ASA all I see in the log for the packets is:


Jan 05 2011 23:56:29: %ASA-7-609001: Built local-host outside:192.168.13.1

Jan 05 2011 23:56:29: %ASA-7-609002: Teardown local-host outside:192.168.13.1 duration 0:00:00


I have run "debug ipsec 200" and while the traffic for the subnet pair is generated I see no attempt to negotiate an SA.  I've reviewed the ACL for the crypto map on both devices to validate that the subnet and mask are identical.  Other subnet pairs are working fine to the Fortigate for this tunnel.
I wanted to troubleshoot this further so I tried a packet capture but no packets are displayed.  I'm looking for other troubleshooting steps to perform in order to find the problem.  Any suggestions?

8 Replies

vickyleach1
Level 1

I have done some configuration on a Fortigate and a lot on the ASAs (site-to-sites included). I do enjoy a challenge; could you post your config from the ASA, just to start, to see what we are dealing with?

I can post the parts dealing with the tunnel..

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-MD5

access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.12.0 255.255.255.0 (hitcnt=3047)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.13.0 255.255.255.0 (hitcnt=3794)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.200.0 255.255.255.0 (hitcnt=332)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.22.0 255.255.255.0 (hitcnt=982)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.8.0 255.255.255.0 (hitcnt=2834)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.9.0 255.255.255.0 (hitcnt=74)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.12.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.22.0 255.255.255.0 (hitcnt=2)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.8.0 255.255.255.0 (hitcnt=337)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.9.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.12.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.22.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.8.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.9.0 255.255.255.0 (hitcnt=0)
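The first thing to check when some subnet pairs of a crypto map ACL negotiate and others do not is whether each ACE has an exact mirror on the peer, whether the ASA is classifying any traffic for it at all (hitcnt=0 means no packet ever matched, so no negotiation is attempted), and whether an earlier, broader ACE shadows it. The following script is an added example, not code from the thread or from Cisco or Fortinet: it parses ASA access-list lines in the format posted above, mirrors a constructed list of the Fortigate's phase-2 selectors, and reports the mismatches. The ACL sample and the Fortigate selector list are constructed; the extra 10.2.0.0/16 ACE and the /24-instead-of-/23 mismatch are deliberately planted to show each check firing.

```python
import ipaddress
import re

# Constructed sample in the format of the ASA 'show access-list' output posted
# above. The 10.2.0.0/16 entry is added here to show an ACE that can never
# match because an earlier, broader ACE already covers it.
ASA_ACL = """\
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.12.0 255.255.255.0 (hitcnt=3047)
access-list outside_1_cryptomap line 1 extended permit ip 10.0.0.0 255.252.0.0 192.168.13.0 255.255.255.0 (hitcnt=3794)
access-list outside_1_cryptomap line 1 extended permit ip 10.2.0.0 255.255.0.0 192.168.12.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.4.0.0 255.255.254.0 192.168.13.0 255.255.255.0 (hitcnt=0)
access-list outside_1_cryptomap line 1 extended permit ip 10.5.0.0 255.255.254.0 192.168.8.0 255.255.255.0 (hitcnt=0)
"""

# Hypothetical phase-2 selectors as configured on the remote Fortigate, written
# from its point of view: (its local subnet, its remote subnet). A correct mirror
# of an ASA ACE (src, dst) is therefore (dst, src). One /23 is deliberately
# entered as /24 to show a mask mismatch.
FGT_SELECTORS = [
    ("192.168.12.0/24", "10.0.0.0/14"),
    ("192.168.13.0/24", "10.0.0.0/14"),
    ("192.168.12.0/24", "10.2.0.0/16"),
    ("192.168.13.0/24", "10.4.0.0/24"),
    ("192.168.8.0/24", "10.5.0.0/23"),
]

ACE_RE = re.compile(
    r"extended permit ip (\S+) (\S+) (\S+) (\S+) \(hitcnt=(\d+)\)"
)


def parse_asa_acl(text):
    """Parse ASA crypto ACL lines into (local_net, remote_net, hitcnt) tuples.

    ipaddress accepts the dotted netmask the ASA prints, so 10.0.0.0/255.252.0.0
    becomes IPv4Network('10.0.0.0/14').
    """
    entries = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        src, smask, dst, dmask, hits = m.groups()
        local = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        remote = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        entries.append((local, remote, int(hits)))
    return entries


def pair_str(local, remote):
    return f"{local} -> {remote}"


def compare_selectors(asa_entries, fgt_selectors):
    """Report the mismatches that stop a phase-2 SA from being negotiated."""
    asa_pairs = {(l, r) for l, r, _ in asa_entries}
    # Mirror the Fortigate view so both sides read as (ASA local, ASA remote).
    fgt_pairs = {
        (ipaddress.ip_network(rem), ipaddress.ip_network(loc))
        for loc, rem in fgt_selectors
    }

    shadowed = []
    for i, (l, r, _) in enumerate(asa_entries):
        for l2, r2, _ in asa_entries[:i]:
            # First match wins on a crypto ACL: a later ACE wholly inside an
            # earlier one is never used, so the proxy IDs sent are the broad ones.
            if l.subnet_of(l2) and r.subnet_of(r2):
                shadowed.append(f"{pair_str(l, r)} (covered by {pair_str(l2, r2)})")
                break

    return {
        # ACEs with no exact mirror on the peer: the peer rejects the proxy IDs.
        "only_on_asa": sorted(pair_str(l, r) for l, r in asa_pairs - fgt_pairs),
        "only_on_fgt": sorted(pair_str(l, r) for l, r in fgt_pairs - asa_pairs),
        # hitcnt=0 means the ASA never classified a packet for that pair, so no
        # negotiation is attempted; check routing and NAT before the tunnel.
        "zero_hit": sorted(pair_str(l, r) for l, r, h in asa_entries if h == 0),
        "shadowed": shadowed,
    }


if __name__ == "__main__":
    report = compare_selectors(parse_asa_acl(ASA_ACL), FGT_SELECTORS)
    for key, items in report.items():
        print(f"{key}:")
        for item in items or ["(none)"]:
            print(f"  {item}")
```

Run it against real output by pasting the `show access-list` lines into ASA_ACL and the peer's phase-2 selectors into FGT_SELECTORS; a pair that appears in `only_on_asa` together with a near-identical entry in `only_on_fgt` is almost always a mask typo on one side, while a pair in `zero_hit` with no mirror problem points at traffic never reaching the crypto map rather than at the tunnel itself.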

Ok, what version of IOS are you running on the ASA? Have you enabled ISAKMP and your crypto map on the outside interface?

crypto isakmp enable outside

crypto map outside_map interface outside

Here is an article that may help with the Fortigate and may explain the SA issues:

http://firewallguru.blogspot.com/2008/03/fortinet-to-non-fortinet-site-to-site.html

Let me know if this helps.

Thanks Vicky. I was originally set up that way on the Fortigate with all the subnet pairs contained in a group. At some point before this issue I separated the subnets in the firewall policy and set them to encrypt. Do you think the firewall policy being set up this way is a problem? I'll try regrouping them and see how it goes.

Chris Hughes

Layer8 Consulting

Chughes@l8c.com

(240)460-7283

Alright, I have a couple of jobs that have just come up, you go ahead and let me know how it all goes and I will get back with you when I can.

Did you get it working? I also found this article, just for you to double check that Fortigate side.

No, I'm in Nexus training today. I will be revisiting this in the evening. Thanks for the links.

Chris Hughes

Layer8 Consulting

Chughes@l8c.com

(240)460-7283

It would help if I posted the link =/

http://it.mmjp.net/?p=223