Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

cisco (Level 1)

Hi,

I have a weird problem with a site-to-site VPN tunnel from a Cisco ASA 5505 to a Clavister Firewall.

When I restart the Cisco ASA 5505 the tunnel goes up and down, up, down, down, and I get all kinds of strange messages when I check whether the tunnel is up or down with the command: show crypto isakmp sa

After a while, like 5-10 min, the site-to-site VPN tunnel is up, and here is the strange thing: I have all access lists and tunnel access lists right, but I can only access one remote network (main site Clavister Firewall) through the VPN tunnel from behind the Cisco ASA 5505. I have 5 more remote networks that I want to access, but only one remote network is working through the VPN tunnel behind the Cisco ASA. I see that when I run this command on the ASA: show crypto ipsec sa.

They had a Clavister Firewall on that site before, and now they have a Cisco ASA 5505. All the rules on the main site that has the big Clavister Firewall are intact, so the problems are in the Cisco ASA 5505.

Here are some logs that ASDM gives me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel...

3 | Nov 21 2012 | 07:11:09 | 713902 | Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!

3 | Nov 21 2012 | 07:11:09 | 713902 | Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!

3 | Nov 21 2012 | 07:11:09 | 713061 | Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

5 | Nov 21 2012 | 07:11:09 | 713119 | Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED

Here is the output of the command: show crypto isakmp sa

Result of the command: "show crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 195.149.180.254
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29

      access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
      current_peer:195.149.180.254

      #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
      #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E715B315

    inbound esp sas:
      spi: 0xFAC769EB (4207372779)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
         sa timing: remaining key lifetime (kB/sec): (38738/2061)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE715B315 (3876958997)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
         sa timing: remaining key lifetime (kB/sec): (38673/2061)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

And here are my access lists and site-to-site VPN config:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 84600
crypto isakmp nat-traversal 40

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside

access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach from behind the Cisco ASA; the other remote networks don't work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0

access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0

nat (inside) 0 access-list nonat

All these remote networks are at the Main Site Clavister Firewall.

Best Regards

Michael

1 Reply

Jouni Forss (VIP Alumni)

Hi,

I'd start by getting the configuration of the remote site related to the local/remote network configurations and going through them, even though no changes have been made.

If they are mirror images of each other already, I'd say it's probably some problem related to the Cisco/Clavister setup.

Seems especially weird to me that one of the error messages includes 0.0.0.0 lines.

I have run into some problems with L2L VPN configurations when our Cisco device just doesn't want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same, and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiation, and therefore it failed. That problem we corrected by changing the network masks a bit.

Maybe you could try to change the Encryption Domain configurations a bit and test it then.

You could also maybe take some debugs on Phase 2 and see if you get any more hints as to what could be the problem when only one network is working for the L2L VPN.

- Jouni
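As an added example (not code from either post, and not how the ASA is implemented), a small Python model of the two checks this thread turns on: the ASA's lookup of a crypto map entry for the Phase 2 proxy IDs, which is why the any/any (0.0.0.0/0) proposal in the 713061 log line is rejected, and Jouni's "mirror image" comparison of the two sides' encryption domains. The ASA crypto ACL is the one Michael posted; the Clavister's view is a constructed assumption, since its config is not on the page.

```python
import ipaddress

# Crypto ACL VPN_Tunnel as posted in the question (ASA side): (local, remote).
ASA_CRYPTO_ACL = [
    ("172.22.65.0/24", "192.168.123.0/24"),
    ("172.22.65.0/24", "10.1.34.5/32"),
    ("172.22.65.0/24", "10.1.20.76/32"),
    ("172.22.65.0/24", "62.88.129.221/32"),
    ("172.22.65.0/24", "172.22.71.0/24"),
]

# Constructed assumption (not from the page): what the Clavister might hold,
# written from its own point of view (its local network first).
CLAVISTER_VIEW = [
    ("192.168.123.0/24", "172.22.65.0/24"),
]


def parse_proxy(proxy_id):
    """Turn an ASA log proxy ID 'addr/mask/prot/port' into an ip_network."""
    addr, mask, _prot, _port = proxy_id.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def match_crypto_acl(acl, local_proxy, remote_proxy):
    """Return the ACL entry whose networks equal the proposed Phase 2 proxy IDs.

    This models only the exact-match case behind the posted log line: an
    any/any (0.0.0.0/0) proposal equals no entry, so no SA is built for it.
    """
    lp, rp = parse_proxy(local_proxy), parse_proxy(remote_proxy)
    for local, remote in acl:
        if ipaddress.ip_network(local) == lp and ipaddress.ip_network(remote) == rp:
            return (local, remote)
    return None


def mirror_mismatches(local_acl, remote_acl):
    """Entries of local_acl that have no mirror image (remote, local) on the peer."""
    mirrored = {(remote, local) for local, remote in remote_acl}
    return [entry for entry in local_acl if entry not in mirrored]


if __name__ == "__main__":
    # Proxy IDs quoted in the ASDM log (severity 3, message 713061): no match.
    print(match_crypto_acl(ASA_CRYPTO_ACL, "0.0.0.0/0.0.0.0/0/0", "0.0.0.0/0.0.0.0/0/0"))
    # The one SA that did come up in "show crypto ipsec sa".
    print(match_crypto_acl(ASA_CRYPTO_ACL, "172.22.65.0/255.255.255.0/0/0",
                           "192.168.123.0/255.255.255.0/0/0"))
    for local, remote in mirror_mismatches(ASA_CRYPTO_ACL, CLAVISTER_VIEW):
        print(f"no mirror entry on peer for {local} <-> {remote}")
```

With the constructed Clavister view, the four entries beyond 192.168.123.0/24 come back as unmirrored, which is the shape of the "only one remote network works" symptom; replacing CLAVISTER_VIEW with the real remote config turns this into the check Jouni suggests.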