11-01-2012 09:15 AM
Hello Cisco Experts,
I'm running into trouble with one of my L2L IPsec VPNs between a Cisco 5510 and a 5520 ASA running version 8.2.2.
Our existing l2l vpns are connected fine and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.
What's failing is when I try to connect SITE B to SITE C. The tunnel does come up, and Phase 1 and Phase 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed that when the tunnel came up, the 10.100.8.0/21 route was not added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.
More useful info:
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list NoNat extended permit ip 10.100.8.0 255.255.248.0 object-group NoNat-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside
SITE B
object-group network NoNat-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.21.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.100.8.0 255.255.248.0
access-list NoNat extended permit ip 10.20.0.0 255.255.0.0 object-group NoNat-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer XX.XX.XX.XX
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside
I've been struggling with this the past few days. Any help is much appreciated!
Thanks!!
11-01-2012 09:33 AM
Hi,
So there is direct tunnel between B and C, right?
Please attach:
From ASA B:
debug crypto condition peer C_Public_IP
clear crypto ipsec sa peer C_Public_IP
debug crypto ipsec sa 127
show crypto ipsec sa peer C_Public_IP
From ASA C:
show crypto ipsec sa peer B_Public_IP
Thanks.
Portu.
Please rate any helpful posts
11-01-2012 09:54 AM
Hi,
Thanks for replying.
SITE C:
datchi-gw02(config)# show crypto ipsec sa peer XXXXXX.66
peer address: XXXXXX.66
Crypto map tag: outside_dyn_map, seq num: 10, local addr: XXXXXX.196
MISSING CRYPTO ACL HERE
local ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer: XXXXX.66
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXXXXX.196, remote crypto endpt.: XXXXXX.66
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 569074E6
current inbound spi : D3FCA9DE
inbound esp sas:
spi: 0xD3FCA9DE (3556551134)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373999/28678)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x569074E6 (1452307686)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/28676)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
SITE B
datchi-gw01(config)# show crypto ipsec sa peer XXXXXX.196
peer address: XXXXXX.196
Crypto map tag: outside_map, seq num: 50, local addr: XXXXXX.66
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.8.0/255.255.248.0/0/0)
current_peer: XXXXXX.196
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXXXXX.66, remote crypto endpt.: XXXXXX.196
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D3FCA9DE
current inbound spi : 569074E6
inbound esp sas:
spi: 0x569074E6 (1452307686)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28255)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD3FCA9DE (3556551134)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28255)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-01-2012 10:06 AM
Thanks for the heads up.
Site C:
Crypto map tag: outside_dyn_map, seq num: 10, local
Why is it hitting the dynamic crypto-map?
Could you please share the "show run crypto" output?
Thanks.
11-01-2012 10:18 AM
Just a heads up: adding or removing the reverse route didn't help. Should I remove the dynamic map since we don't use it?
SITE C:
datchi-gw02(config)# show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map <--- SHOULD I REMOVE?
crypto map outside_map 20 match address outside_20_cryptomap <--- THIS IS SITE A. IT WORKS
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer XXXXXX.98
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 30 match address outside_30_cryptomap <---- THIS IS SITE B. DOESN'T WORK
crypto map outside_map 30 set peer XXXXXX.66
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ca trustpoint local-datchi-gw02
enrollment self
fqdn .....
subject-name CN=......
keypair EHGWCert02
crl configure
crypto ca certificate chain local-datchi-gw02
certificate BLAH BLAH BLAH.....
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
11-01-2012 10:23 AM
Please do the following:
no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public
Try again and attach the same outputs.
Let me know.
Thanks.
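The fix above works because the ASA walks crypto map entries in sequence-number order, and a dynamic entry accepts any peer; with the dynamic map at seq 10, an inbound negotiation from SITE B bound to outside_dyn_map (no crypto ACL, no reverse route) before the static entry at seq 30 was ever considered. The script below is an added example, not part of this thread or of any Cisco tool: it parses a "show run crypto" excerpt and flags every static crypto map entry that sits behind a dynamic entry in the same map, which is the ordering the solution corrects by moving the dynamic entry to 65535. The config text is constructed to mirror SITE C's map layout, with documentation-range peer addresses in place of the redacted ones, and the check is a pure ordering lint (it does not simulate the ASA's matching logic).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of SITE C's "show run crypto" (peer IPs are
# placeholders from the 192.0.2.0/24 documentation range, not the thread's).
SAMPLE_BAD = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 192.0.2.98
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 192.0.2.66
crypto map outside_map interface outside
"""

# Same config after the thread's fix: dynamic entry moved to the last seq.
SAMPLE_GOOD = SAMPLE_BAD.replace(
    "crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map",
    "crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map",
)

# A static entry is identified by its "match address" line; a dynamic entry
# by its "ipsec-isakmp dynamic" line. Other per-entry lines (set peer, set
# transform-set, interface binding) are irrelevant to ordering and skipped.
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)\s*$")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)\s*$")


def parse_crypto_maps(config):
    """Return {map_name: {"static": [(seq, acl), ...],
                          "dynamic": [(seq, dyn_map_name), ...]}}."""
    maps = defaultdict(lambda: {"static": [], "dynamic": []})
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            maps[m.group(1)]["static"].append((int(m.group(2)), m.group(3)))
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            maps[m.group(1)]["dynamic"].append((int(m.group(2)), m.group(3)))
    return dict(maps)


def find_shadowed_static_entries(config):
    """List (map, dyn_seq, dyn_name, static_seq, acl) for every static entry
    whose sequence number is higher than a dynamic entry in the same map.
    Each such entry can be bypassed when the remote peer initiates, exactly
    the symptom in the thread (SA bound to outside_dyn_map, no crypto ACL)."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        for dyn_seq, dyn_name in entries["dynamic"]:
            for seq, acl in entries["static"]:
                if seq > dyn_seq:
                    findings.append((name, dyn_seq, dyn_name, seq, acl))
    return sorted(findings)


def report(config):
    """Human-readable summary; returns the number of findings."""
    findings = find_shadowed_static_entries(config)
    for name, dyn_seq, dyn_name, seq, acl in findings:
        print(f"{name}: static seq {seq} ({acl}) sits behind dynamic seq "
              f"{dyn_seq} ({dyn_name}); move the dynamic entry to 65535")
    if not findings:
        print("OK: every dynamic crypto map entry has the highest seq number")
    return len(findings)


if __name__ == "__main__":
    print("--- before fix ---")
    report(SAMPLE_BAD)
    print("--- after fix ---")
    report(SAMPLE_GOOD)
```

Run it against the real "show run crypto" output of each ASA in the mesh (SITE B also had its dynamic entry moved in the thread); any line the lint prints is a static L2L entry that will silently land on the dynamic map whenever the far end brings the tunnel up.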
11-01-2012 10:33 AM
YOU THE MAN!!!
I changed the MAP priority on both ASAs and it works! You saved me countless hours.
Thanks again!
11-01-2012 10:39 AM
You are very welcome
Thanks for counting on this great Support Community