Cisco ASA l2l VPN Trouble

msadowski334
Level 1

Hello Cisco Experts,

I'm running into trouble with one of my L2L IPsec VPNs between a Cisco 5510 and a 5520 ASA running version 8.2.2.

Our existing l2l vpns are connected fine and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.

What's failing is when I try to connect SITE B to SITE C. The tunnel does come up and phase 1 and 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

I noticed when the tunnel came up, the 10.100.8.0/21 route was not added in the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.

More useful info:

SITE C

object-group network NoNatDMZ-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list NoNat extended permit ip 10.100.8.0 255.255.248.0 object-group NoNat-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside

SITE B

object-group network NoNat-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.100.8.0 255.255.248.0
access-list NoNat extended permit ip 10.20.0.0 255.255.0.0 object-group NoNat-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside

I've been struggling with this the past few days. Any help is much appreciated!

Thanks!!

1 Accepted Solution

7 Replies

Hi,

So there is direct tunnel between B and C, right?

Please attach:

From ASA B:

debug crypto condition peer C_Public_IP
clear crypto ipsec sa peer C_Public_IP
debug crypto ipsec sa 127
show crypto ipsec sa peer C_Public_IP

From ASA C:

show crypto ipsec sa peer B_Public_IP

Thanks.

Portu.

Please rate any helpful posts

Hi,

Thanks for replying. 

SITE C:

datchi-gw02(config)# show crypto ipsec sa peer  XXXXXX.66
peer address: XXXXXX.66
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: XXXXXX.196

                                   MISSING CRYPTO ACL HERE 

      local ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: XXXXX.66

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXXXXX.196, remote crypto endpt.: XXXXXX.66

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 569074E6
      current inbound spi : D3FCA9DE

    inbound esp sas:
      spi: 0xD3FCA9DE (3556551134)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28678)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x569074E6 (1452307686)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28676)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

SITE B

datchi-gw01(config)# show crypto ipsec sa peer XXXXXX.196
peer address: XXXXXX.196
    Crypto map tag: outside_map, seq num: 50, local addr: XXXXXX.66

     access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0 
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
      current_peer: XXXXXX.196

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXXXXX.66, remote crypto endpt.: XXXXXX.196

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: D3FCA9DE
      current inbound spi : 569074E6

    inbound esp sas:
      spi: 0x569074E6 (1452307686)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28255)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xD3FCA9DE (3556551134)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28255)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Thanks for the heads up.

Site C:

Crypto map tag: outside_dyn_map, seq num: 10, local

Why is it hitting the dynamic crypto-map?

Could you please share the "show run crypto" output?

Thanks.

Just a heads up. Adding or removing the reverse route didn't help. Should I remove the dynamic map since we don't use it?

SITE C:

datchi-gw02(config)# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map   <--- SHOULD I REMOVE?
crypto map outside_map 20 match address outside_20_cryptomap  <--- THIS IS SITE A.  IT WORKS
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXXXXX.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_30_cryptomap  <---- THIS IS SITE B.  DOESN'T WORK
crypto map outside_map 30 set peer XXXXXX.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ca trustpoint local-datchi-gw02
 enrollment self
 fqdn .....
 subject-name CN=......
 keypair EHGWCert02
 crl configure
crypto ca certificate chain local-datchi-gw02
 certificate BLAH BLAH BLAH.....
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Please do the following:

no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public

Try again and attach the same outputs.

Let me know.

Thanks.
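The fix above relies on how the ASA walks a crypto map set: entries are evaluated in ascending sequence number, and a dynamic entry accepts any peer, so a dynamic entry at seq 10 can capture a negotiation from a peer that has its own static entry at seq 30. That is exactly what SITE C's "show crypto ipsec sa" showed: the SA landed on outside_dyn_map, with no crypto ACL and therefore no reverse-route injection, and return traffic was dropped at the encrypt phase. Cisco's own guidance is that dynamic entries should carry the highest sequence numbers in the map. The script below is an added example, not code from the thread, that checks a "show run crypto" dump for that ordering mistake and emits the same remediation commands the accepted answer used. The sample config is SITE C's crypto map from the thread with the masked public peers replaced by placeholder addresses from the 203.0.113.0/24 documentation range.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: SITE C's crypto map lines from the thread, before
# the fix. Peer addresses are documentation-range placeholders standing in for
# the masked "XXXXXX.98" / "XXXXXX.66" values in the post.
SITE_C_BEFORE = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 203.0.113.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 203.0.113.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
"""

# The same map after the accepted answer: dynamic entry moved to seq 65535.
SITE_C_AFTER = SITE_C_BEFORE.replace(
    "crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map\n", ""
) + "crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map\n"

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

# ASA crypto map sequence numbers run 1..65535; the highest is evaluated last,
# which is where a catch-all dynamic entry belongs.
MAX_SEQ = 65535


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    kind: str                      # "static" (match address) or "dynamic"
    target: str                    # crypto ACL name or dynamic-map name
    peers: list[str] = field(default_factory=list)


def parse_crypto_maps(config: str) -> dict[str, list[CryptoMapEntry]]:
    """Group 'crypto map <name> <seq> ...' entries by map, sorted by seq."""
    entries: dict[tuple[str, int], CryptoMapEntry] = {}
    peers: dict[tuple[str, int], list[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            name, seq = m.group(1), int(m.group(2))
            entries[(name, seq)] = CryptoMapEntry(name, seq, "static", m.group(3))
        elif m := DYNAMIC_RE.match(line):
            name, seq = m.group(1), int(m.group(2))
            entries[(name, seq)] = CryptoMapEntry(name, seq, "dynamic", m.group(3))
        elif m := PEER_RE.match(line):
            peers.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    for key, entry in entries.items():
        entry.peers = peers.get(key, [])
    by_map: dict[str, list[CryptoMapEntry]] = {}
    for entry in entries.values():
        by_map.setdefault(entry.name, []).append(entry)
    for lst in by_map.values():
        lst.sort(key=lambda e: e.seq)
    return by_map


def shadowed_static_entries(config: str) -> list[tuple[str, int, int, tuple[str, ...]]]:
    """Static entries that sit behind a dynamic entry in the same map.

    Returns (map name, lowest dynamic seq, static seq, static entry's peers).
    Those peers can be terminated on the dynamic map instead of their own
    entry, with no crypto ACL and no reverse-route, as SITE B was on SITE C.
    """
    findings = []
    for name, ordered in parse_crypto_maps(config).items():
        dyn_seqs = [e.seq for e in ordered if e.kind == "dynamic"]
        if not dyn_seqs:
            continue
        first_dyn = min(dyn_seqs)
        for e in ordered:
            if e.kind == "static" and e.seq > first_dyn:
                findings.append((name, first_dyn, e.seq, tuple(e.peers)))
    return findings


def remediation_commands(config: str) -> list[str]:
    """ASA commands that move each misplaced dynamic entry to the end of its
    map, mirroring the accepted answer. Relative order of several misplaced
    dynamic entries is preserved by counting down from MAX_SEQ."""
    cmds = []
    for name, ordered in parse_crypto_maps(config).items():
        max_static = max((e.seq for e in ordered if e.kind == "static"), default=None)
        if max_static is None:
            continue
        misplaced = [e for e in ordered if e.kind == "dynamic" and e.seq < max_static]
        for offset, e in enumerate(reversed(misplaced)):
            new_seq = MAX_SEQ - offset
            cmds.append(f"no crypto map {name} {e.seq} ipsec-isakmp dynamic {e.target}")
            cmds.append(f"crypto map {name} {new_seq} ipsec-isakmp dynamic {e.target}")
    return cmds


if __name__ == "__main__":
    for name, dyn, static, peers in shadowed_static_entries(SITE_C_BEFORE):
        print(f"{name}: static seq {static} (peers {', '.join(peers)}) "
              f"is evaluated after dynamic seq {dyn}")
    print("\n".join(remediation_commands(SITE_C_BEFORE)))
    print("after fix:", shadowed_static_entries(SITE_C_AFTER))
```

Run it against a pasted "show run crypto" from each ASA; in the thread the same reordering was needed on both sides, since SITE B also carries a crypto map with a dynamic entry. The check only covers sequence ordering; it does not validate that the crypto ACLs on the two peers mirror each other, which is the other common cause of a tunnel that builds but does not carry traffic.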

YOU THE MAN!!!

I changed the MAP priority on both ASAs and it works! You saved me countless hours.

Thanks again!

You are very welcome

Thanks for counting on this great Support Community