11-01-2012 09:15 AM
Hello Cisco Experts,
I'm running into trouble with one of my L2L IPsec VPNs between a Cisco 5510 and a 5520 ASA running version 8.2.2.
Our existing l2l vpns are connected fine and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.
What's failing is when I try to connect SITE B to SITE C. The tunnel does come up, and phase 1 and 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed when the tunnel came up, the 10.100.8.0/21 route was not added in the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.
More useful info:
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list NoNat extended permit ip 10.100.8.0 255.255.248.0 object-group NoNat-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside
SITE B
object-group network NoNat-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.21.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.100.8.0 255.255.248.0
access-list NoNat extended permit ip 10.20.0.0 255.255.0.0 object-group NoNat-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside
I've been struggling with this the past few days. Any help is much appreciated!
Thanks!!
11-01-2012 09:33 AM
Hi,
So there is direct tunnel between B and C, right?
Please attach:
From ASA B:
debug crypto condition peer C_Public_IP
clear crypto ipsec sa peer C_Public_IP
debug crypto ipsec sa 127
show crypto ipsec sa peer C_Public_IP
From ASA C:
show crypto ipsec sa peer B_Public_IP
Thanks.
Portu.
Please rate any helpful posts
11-01-2012 09:54 AM
Hi,
Thanks for replying.
SITE C:
datchi-gw02(config)# show crypto ipsec sa peer XXXXXX.66
peer address: XXXXXX.66
Crypto map tag: outside_dyn_map, seq num: 10, local addr: XXXXXX.196
MISSING CRYPTO ACL HERE
local ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer: XXXXX.66
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXXXXX.196, remote crypto endpt.: XXXXXX.66
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 569074E6
current inbound spi : D3FCA9DE
inbound esp sas:
spi: 0xD3FCA9DE (3556551134)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373999/28678)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x569074E6 (1452307686)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
SITE B
datchi-gw01(config)# show crypto ipsec sa peer XXXXXX.196
peer address: XXXXXX.196
Crypto map tag: outside_map, seq num: 50, local addr: XXXXXX.66
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
current_peer: XXXXXX.196
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXXXXX.66, remote crypto endpt.: XXXXXX.196
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D3FCA9DE
current inbound spi : 569074E6
inbound esp sas:
spi: 0x569074E6 (1452307686)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28255)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD3FCA9DE (3556551134)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28255)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-01-2012 10:06 AM
Thanks for the heads up.
Site C:
Crypto map tag: outside_dyn_map, seq num: 10, local
Why is it hitting the dynamic crypto-map?
Could you please share the "show run crypto" output?
Thanks.
Message was edited by: Javier Portuguez
11-01-2012 10:18 AM
Just a heads up: adding or removing the reverse route didn't help. Should I remove the dynamic map since we don't use it?
SITE C:
datchi-gw02(config)# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map <--- SHOULD I REMOVE?
crypto map outside_map 20 match address outside_20_cryptomap <--- THIS IS SITE A. IT WORKS
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXXXXX.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_30_cryptomap <---- THIS IS SITE B. DOESNT WORK
crypto map outside_map 30 set peer XXXXXX.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ca trustpoint local-datchi-gw02
enrollment self
fqdn .....
subject-name CN=......
keypair EHGWCert02
crl configure
crypto ca certificate chain local-datchi-gw02
certificate BLAH BLAH BLAH.....
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
11-01-2012 10:23 AM
Please do the following:
no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public
Try again and attach the same outputs.
Let me know.
Thanks.
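To make the accepted fix concrete, here is a small Python model of why moving the dynamic entry from sequence 10 to 65535 changes the outcome. It is an added example, not the thread's own code and not Cisco's implementation: the ASA evaluates crypto map entries in ascending sequence order, a dynamic entry matches any peer and accepts whatever proxy identities the peer proposes, and a static entry matches only when the peer address and the crypto ACL line both agree. The public addresses and the Site A crypto ACL contents are constructed placeholders (the thread masks them as XXXXXX.66 / XXXXXX.98); everything else mirrors the Site C "show run crypto" output above.

```python
"""Simplified model of ASA crypto map entry selection for an inbound L2L IKE
negotiation. Added illustration only; the real device does more (tunnel-group
lookup, IKE identity checks, ACL ordering rules, etc.)."""

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass
class CryptoMapEntry:
    seq: int
    dynamic: bool = False                 # "ipsec-isakmp dynamic <name>" entry
    peer: Optional[str] = None            # "set peer" of a static entry
    acl: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)
    reverse_route: bool = False           # "set reverse-route" (RRI)


def entry_matches(entry: CryptoMapEntry, peer: str,
                  local_id: IPv4Network, remote_id: IPv4Network) -> bool:
    """A dynamic entry accepts any peer and any proxy IDs; a static entry needs
    the configured peer and a crypto ACL line equal to the proposed proxy IDs."""
    if entry.dynamic:
        return True
    if entry.peer != peer:
        return False
    return any(local_id == l and remote_id == r for l, r in entry.acl)


def select_entry(crypto_map: List[CryptoMapEntry], peer: str,
                 local_id: IPv4Network, remote_id: IPv4Network) -> Optional[CryptoMapEntry]:
    """Entries are tried in ascending sequence number; the first match wins."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry_matches(entry, peer, local_id, remote_id):
            return entry
    return None


def describe(entry: CryptoMapEntry) -> dict:
    """What 'show crypto ipsec sa' would reflect for the chosen entry."""
    return {
        "seq": entry.seq,
        "dynamic": entry.dynamic,
        # a dynamic entry carries no "match address" ACL, so none is shown
        "crypto_acl_installed": (not entry.dynamic) and bool(entry.acl),
        "reverse_route": entry.reverse_route,
    }


# Site C values from the thread; public IPs and the Site A ACL are placeholders.
SITE_A_PUBLIC = "203.0.113.98"       # constructed, stands in for XXXXXX.98
SITE_B_PUBLIC = "198.51.100.66"      # constructed, stands in for XXXXXX.66
SITE_C_LOCAL = ip_network("10.100.8.0/21")
SITE_A_NET = ip_network("10.10.0.0/16")
SITE_B_NET = ip_network("10.20.0.0/16")


def site_c_crypto_map(dynamic_seq: int) -> List[CryptoMapEntry]:
    """outside_map on Site C, with the dynamic entry at the given sequence."""
    return [
        CryptoMapEntry(seq=dynamic_seq, dynamic=True),            # outside_dyn_map
        CryptoMapEntry(seq=20, peer=SITE_A_PUBLIC,                 # Site A (works)
                       acl=[(SITE_C_LOCAL, SITE_A_NET)], reverse_route=True),
        CryptoMapEntry(seq=30, peer=SITE_B_PUBLIC,                 # Site B
                       acl=[(SITE_C_LOCAL, SITE_B_NET)], reverse_route=True),
    ]


def negotiate_from_site_b(dynamic_seq: int) -> dict:
    """Site B proposes 10.20.0.0/16 <-> 10.100.8.0/21 to Site C."""
    chosen = select_entry(site_c_crypto_map(dynamic_seq),
                          SITE_B_PUBLIC, SITE_C_LOCAL, SITE_B_NET)
    assert chosen is not None
    return describe(chosen)


if __name__ == "__main__":
    print("dynamic map at seq 10   :", negotiate_from_site_b(10))
    print("dynamic map at seq 65535:", negotiate_from_site_b(65535))
```

With the dynamic entry at sequence 10 the model binds the Site B negotiation to outside_dyn_map, which is exactly what the Site C output showed ("Crypto map tag: outside_dyn_map, seq num: 10") and why no crypto ACL appeared and the static entry's reverse route was never installed; with it at 65535 the static entry 30 is reached first and the ACL is attached. The practical check after such a change is the same `show crypto ipsec sa peer` output: the crypto map tag should name the static map and its sequence number.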
11-01-2012 10:33 AM
YOU THE MAN!!!
I changed the MAP priority on both ASAs and it works! You saved me countless hours.
Thanks again!
11-01-2012 10:39 AM
You are very welcome.
Thanks for counting on this great Support Community