Cisco ASA l2l VPN Trouble

Hello Cisco Experts,

I'm running into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and an ASA 5520 running version 8.2.2.

Our existing L2L VPNs are connected and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.

What's failing is when I try to connect SITE B to SITE C. The tunnel does come up, and phase 1 and phase 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

I noticed that when the tunnel came up, the 10.100.8.0/21 route was not added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.

More useful info:

SITE C

object-group network NoNatDMZ-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list NoNat extended permit ip 10.100.8.0 255.255.248.0 object-group NoNat-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside

SITE B

object-group network NoNat-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.100.8.0 255.255.248.0
access-list NoNat extended permit ip 10.20.0.0 255.255.0.0 object-group NoNat-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside

I've been struggling with this the past few days. Any help is much appreciated!

Thanks!!


Cisco ASA l2l VPN Trouble

Hi,

So there is direct tunnel between B and C, right?

Please attach:

From ASA B:
debug crypto condition peer C_Public_IP
clear crypto ipsec sa peer C_Public_IP
debug crypto ipsec sa 127
show crypto ipsec sa peer C_Public_IP

From ASA C:
show crypto ipsec sa peer B_Public_IP

Thanks.

Portu.


Cisco ASA l2l VPN Trouble

Hi,

Thanks for replying. 

SITE C:

datchi-gw02(config)# show crypto ipsec sa peer  XXXXXX.66
peer address: XXXXXX.66
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: XXXXXX.196

                                   MISSING CRYPTO ACL HERE 

      local ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: XXXXX.66

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXXXXX.196, remote crypto endpt.: XXXXXX.66

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 569074E6
      current inbound spi : D3FCA9DE

    inbound esp sas:
      spi: 0xD3FCA9DE (3556551134)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28678)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x569074E6 (1452307686)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28676)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

SITE B

datchi-gw01(config)# show crypto ipsec sa peer XXXXXX.196
peer address: XXXXXX.196
    Crypto map tag: outside_map, seq num: 50, local addr: XXXXXX.66

     access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0 
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      current_peer: XXXXXX.196

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXXXXX.66, remote crypto endpt.: XXXXXX.196

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: D3FCA9DE
      current inbound spi : 569074E6

    inbound esp sas:
      spi: 0x569074E6 (1452307686)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28255)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xD3FCA9DE (3556551134)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28255)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
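
The two outputs above can be compared mechanically. What follows is an added example, not code from the thread: it parses trimmed copies of the Site C and Site B 'show crypto ipsec sa peer' blocks (the sample strings are constructed from the thread's values, public IPs still masked) and flags what the poster marked by hand. The Site C SA carries no access-list line, which is how an SA negotiated through a dynamic crypto map entry looks, and the counters run one way only: Site B encrypts 8 packets, Site C decrypts 8 and encrypts none. The regular expressions assume the 8.2-era output format shown in the thread; the finding codes, messages and function names are this example's own.

```python
import re

# Constructed sample input: trimmed copies of the two 'show crypto ipsec sa
# peer' outputs posted in the thread (public IPs masked as in the post).
SITE_C_SA = """\
peer address: XXXXXX.66
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: XXXXXX.196

      local ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: XXXXXX.66

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #send errors: 0, #recv errors: 0

      current outbound spi: 569074E6
      current inbound spi : D3FCA9DE
"""

SITE_B_SA = """\
peer address: XXXXXX.196
    Crypto map tag: outside_map, seq num: 50, local addr: XXXXXX.66

     access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      current_peer: XXXXXX.196

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

      current outbound spi: D3FCA9DE
      current inbound spi : 569074E6
"""

# Field patterns for the ASA 8.2-style output shown in the thread (assumption).
INT_FIELDS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}
STR_FIELDS = {
    "outbound_spi": re.compile(r"current outbound spi: ([0-9A-Fa-f]+)"),
    "inbound_spi": re.compile(r"current inbound spi\s*: ([0-9A-Fa-f]+)"),
    "local_ident": re.compile(r"local ident \S+: (\S+)"),
    "remote_ident": re.compile(r"remote ident \S+: (\S+)"),
}


def parse_ipsec_sa(text):
    """Pull the fields needed for a two-sided comparison out of one
    'show crypto ipsec sa peer' block. 'acl' stays None when no access-list
    line is printed under the crypto map tag, which is what an SA that was
    matched by a dynamic crypto map entry looks like."""
    sa = {"acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Crypto map tag: (\S+), seq num: (\d+)", line)
        if m:
            sa["map"], sa["seq"] = m.group(1), int(m.group(2))
            continue
        if line.startswith("access-list "):
            sa["acl"] = line.split()[1]
            continue
        for key, rx in INT_FIELDS.items():
            m = rx.match(line)
            if m:
                sa[key] = int(m.group(1))
        for key, rx in STR_FIELDS.items():
            m = rx.match(line)
            if m:
                sa[key] = m.group(1)
    return sa


def diagnose(name_a, sa_a, name_b, sa_b):
    """Return (code, message) findings for an SA pair: a side with no crypto
    ACL, proxy identities that do not mirror, SPIs that do not pair up, and
    traffic that one side decrypts but never answers."""
    findings = []
    for name, sa in ((name_a, sa_a), (name_b, sa_b)):
        if sa["acl"] is None:
            findings.append(("NO_CRYPTO_ACL",
                f"{name}: SA on {sa['map']} seq {sa['seq']} carries no crypto ACL; "
                "the peer was matched by a dynamic entry, so no static policy or reverse route applies"))
    if (sa_a["local_ident"] != sa_b["remote_ident"]
            or sa_a["remote_ident"] != sa_b["local_ident"]):
        findings.append(("IDENT_MISMATCH",
            f"{name_a} and {name_b} do not mirror each other's proxy identities"))
    if (sa_a["outbound_spi"].upper() != sa_b["inbound_spi"].upper()
            or sa_a["inbound_spi"].upper() != sa_b["outbound_spi"].upper()):
        findings.append(("SPI_MISMATCH",
            f"{name_a} and {name_b} are not showing the same pair of SAs"))
    for tx, sa_tx, rx, sa_rx in ((name_a, sa_a, name_b, sa_b), (name_b, sa_b, name_a, sa_a)):
        if sa_tx["encaps"] > 0 and sa_rx["decaps"] > 0 and sa_rx["encaps"] == 0:
            findings.append(("ONE_WAY",
                f"{tx} encrypted {sa_tx['encaps']} packets and {rx} decrypted {sa_rx['decaps']}, "
                f"but {rx} never encrypted a reply: check the return route and crypto policy on {rx}"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose("Site C", parse_ipsec_sa(SITE_C_SA),
                              "Site B", parse_ipsec_sa(SITE_B_SA)):
        print(f"[{code}] {msg}")
```

Run against the thread's two outputs it reports NO_CRYPTO_ACL for Site C and ONE_WAY from Site B to Site C, and nothing about identities or SPIs, which is the signature of a tunnel that negotiated fine but landed on the wrong crypto map entry on one side.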


Re: Cisco ASA l2l VPN Trouble

Thanks for the heads up.

Site C:

Crypto map tag: outside_dyn_map, seq num: 10, local

Why is it hitting the dynamic crypto-map?

Could you please share the "show run crypto" output?

Thanks.

Message was edited by: Javier Portuguez


Cisco ASA l2l VPN Trouble

Just a heads up: adding or removing the reverse route didn't help. Should I remove the dynamic map since we don't use it?

SITE C:

datchi-gw02(config)# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map   <--- SHOULD I REMOVE?
crypto map outside_map 20 match address outside_20_cryptomap  <--- THIS IS SITE A. IT WORKS
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXXXXX.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_30_cryptomap  <---- THIS IS SITE B. DOESN'T WORK
crypto map outside_map 30 set peer XXXXXX.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ca trustpoint local-datchi-gw02
 enrollment self
 fqdn .....
 subject-name CN=......
 keypair EHGWCert02
 crl configure
crypto ca certificate chain local-datchi-gw02
 certificate BLAH BLAH BLAH.....
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Accepted Solution

Cisco ASA l2l VPN Trouble

Please do the following:

no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public

Try again and attach the same outputs.

Let me know.

Thanks.

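
Why renumbering the dynamic entry to 65535 fixes this: the ASA evaluates crypto map entries in ascending sequence order, and a dynamic entry with no match address accepts whichever authenticated peer and proxy identities arrive. With the dynamic entry at sequence 10, Site B's negotiation was answered by outside_dyn_map and never reached the static entry at 30 that carries the crypto ACL and reverse-route, which is exactly what the Site C output above showed. Cisco's guidance is to give the dynamic entry the highest sequence number so static entries are tried first. The script below is an added example, not code from the thread or from Cisco: it parses a crypto map configuration (the sample is constructed from the Site C 'show run crypto' listing in this thread, peers masked as posted, trustpoint and ISAKMP lines dropped), lists the static entries that sit behind a dynamic one, and generates the same two commands the accepted answer prescribes. The function names and the audit logic are this example's own.

```python
import re

# Constructed sample input: the Site C crypto map lines posted in the thread
# (peer IPs masked as in the post; trustpoint and ISAKMP policy lines omitted).
SITE_C_CRYPTO = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXXXXX.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer XXXXXX.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
"""

DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: entry}}; an entry records the dynamic map it
    references (if any) and, for static entries, the crypto ACL and peers."""
    maps = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = DYNAMIC_RE.match(line)
        if m:
            entry = maps.setdefault(m.group(1), {}).setdefault(
                int(m.group(2)), {"dynamic": None, "acl": None, "peers": []})
            entry["dynamic"] = m.group(3)
            continue
        m = STATIC_RE.match(line)
        if m:
            entry = maps.setdefault(m.group(1), {}).setdefault(
                int(m.group(2)), {"dynamic": None, "acl": None, "peers": []})
            if m.group(3) == "match address":
                entry["acl"] = m.group(4)
            else:
                entry["peers"].extend(m.group(4).split())
    return maps


def shadowed_static_entries(config):
    """Static sequence numbers that sit behind the first dynamic entry of
    their crypto map. Entries are walked in ascending order when a peer
    initiates, and a dynamic entry accepts any authenticated peer, so these
    static entries (with their crypto ACL and reverse-route) are never reached
    by an inbound negotiation."""
    shadowed = {}
    for name, entries in parse_crypto_maps(config).items():
        dyn_seqs = [seq for seq, e in entries.items() if e["dynamic"]]
        if not dyn_seqs:
            continue
        behind = sorted(seq for seq, e in entries.items()
                        if not e["dynamic"] and seq > min(dyn_seqs))
        if behind:
            shadowed[name] = behind
    return shadowed


def fix_commands(config, new_seq=65535):
    """ASA commands that move each misplaced dynamic entry to new_seq, the
    change the accepted answer in the thread prescribes."""
    cmds = []
    for name, entries in parse_crypto_maps(config).items():
        highest = max(entries)
        for seq, e in sorted(entries.items()):
            if e["dynamic"] and seq < highest:
                cmds.append(f"no crypto map {name} {seq} ipsec-isakmp dynamic {e['dynamic']}")
                cmds.append(f"crypto map {name} {new_seq} ipsec-isakmp dynamic {e['dynamic']}")
    return cmds


def reorder_dynamic(config, new_seq=65535):
    """Return the configuration text with misplaced dynamic entries renumbered,
    so the result can be audited again with shadowed_static_entries()."""
    misplaced = set()
    for name, entries in parse_crypto_maps(config).items():
        highest = max(entries)
        misplaced.update((name, seq) for seq, e in entries.items()
                         if e["dynamic"] and seq < highest)
    out = []
    for raw in config.splitlines():
        m = DYNAMIC_RE.match(raw.strip())
        if m and (m.group(1), int(m.group(2))) in misplaced:
            out.append(f"crypto map {m.group(1)} {new_seq} ipsec-isakmp dynamic {m.group(3)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("shadowed:", shadowed_static_entries(SITE_C_CRYPTO))
    print("\n".join(fix_commands(SITE_C_CRYPTO)))
```

On the thread's Site C listing the audit reports outside_map sequences 20 and 30 behind the dynamic entry at 10, and the generated commands are the ones in the accepted answer; after reordering, the audit is clean. Site A at sequence 20 kept working only because Site A was presumably initiating from its own static entry, which is why the symptom showed up on one peer and not the other. If the dynamic map has no legitimate use (the poster says it is unused), removing it altogether is the tighter option: a dynamic entry answers peers that appear in no static entry, so keeping it widens what an attacker holding the pre-shared key can negotiate.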


Cisco ASA l2l VPN Trouble

YOU THE MAN!!!

I changed the map priority on both ASAs and it works! You saved me countless hours.

Thanks again!


Cisco ASA l2l VPN Trouble

You are very welcome

Thanks for counting on this great Support Community