
Cisco ASA VPN

iburlacu
Level 1

I have a VPN connection between two Cisco ASA 5512s that failed. I restored an older backup with ASDM, but the VPN is still down. What can I do to restore the VPN? Thank you.

26 Replies

iburlacu
Level 1

When I restored, why can't identity certificates be ticked?

Capture1.PNG

iburlacu
Level 1

I can access both ASAs. I ran the clear crypto command and got the same result: MM_WAIT_MSG2.

 

iburlacu
Level 1

Capture2.PNG

Sorry, but I see IKEv2 in the log?

Can you share the config of both ASAs?

Thanks 

MHM

iburlacu
Level 1

One Cisco has 120 VPNs and it is difficult for me to hide confidential data. The other Cisco has only one VPN and I can send you the configuration.

 

I understand

Share the ASA S2S VPN IKEv1 config only, for both ASAs.

iburlacu
Level 1

Sorry, I deleted some information.

 

iburlacu
Level 1

Sorry. The second configuration has 84 pages and it is difficult to select the configuration just for one VPN.

iburlacu
Level 1

Thanks for your time.

debug crypto ikev1 127

debug crypto ipsec 127

Share this if you can.

Thanks 

MHM

Jul 31 08:43:06 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:14 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, IKE MM Initiator FSM error history (struct &0x00007fff9e5d9c40) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, IKE SA MM:7aee13b6 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, sending delete/delete with reason message
Jul 31 08:43:28 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 31 08:43:28 [IKEv1]IP = 192.168.0.31, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 192.168.0.31 local Proxy Address 192.168.9.80, remote Proxy Address 192.168.4.0, Crypto map (WAN_map)
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing ISAKMP SA payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 02 payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 03 payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver RFC payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing Fragmentation VID + extended capabilities payload
Jul 31 08:43:28 [IKEv1]IP = 192.168.0.31, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:36 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:44 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:52 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, IKE MM Initiator FSM error history (struct &0x00007fff9e5d9c40) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, IKE SA MM:72419d5f terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, sending delete/delete with reason message
Jul 31 08:44:05 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 31 08:44:05 [IKEv1]IP = 192.168.0.31, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 192.168.0.31 local Proxy Address 192.168.9.80, remote Proxy Address 192.168.4.0, Crypto map (WAN_map)
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing ISAKMP SA payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 02 payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 03 payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver RFC payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing Fragmentation VID + extended capabilities payload
Jul 31 08:44:05 [IKEv1]IP = 192.168.0.31, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
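
An added example, not part of the thread: with many tunnels on one ASA, the `debug crypto ikev1` output above can be summarized per peer to find initiators that retransmit the first Main Mode packet and time out in MM_WAIT_MSG2 (message 1 sent, message 2 never received). The sample log is constructed in the same format with placeholder peers; `summarize` and `stuck_waiting_for_msg2` are names chosen here.

```python
import re

LINE = re.compile(r"\[IKEv1(?: DEBUG)?\]IP = (?P<peer>[\d.]+), (?P<msg>.*)")
DECODE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message")

# Constructed sample in the format of the debug output in this thread;
# peers are documentation-range placeholders, payload lists are shortened.
SAMPLE = """\
Jul 31 08:43:28 [IKEv1]IP = 192.0.2.31, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 192.0.2.31
Jul 31 08:43:28 [IKEv1]IP = 192.0.2.31, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:43:29 [IKEv1]IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 198.51.100.7
Jul 31 08:43:29 [IKEv1]IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:43:29 [IKEv1]IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:43:36 [IKEv1]IP = 192.0.2.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:43:44 [IKEv1]IP = 192.0.2.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:43:52 [IKEv1]IP = 192.0.2.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.0.2.31, IKE MM Initiator FSM error history (struct &0x0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent
"""

def summarize(log):
    """Return one record per Phase 1 attempt, tracked separately for each peer."""
    attempts, open_by_peer = [], {}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        cur = open_by_peer.get(peer)
        if msg.startswith("IKE Initiator: New Phase 1"):
            cur = open_by_peer[peer] = {"peer": peer, "SENDING": 0, "RESENDING": 0,
                                        "RECEIVED": 0, "timeout_state": None}
            attempts.append(cur)
        elif cur is None:
            continue  # line belongs to an attempt that started before the capture
        elif d := DECODE.match(msg):
            cur[d[1]] += 1
        elif "FSM error history" in msg:
            # The history is a chain of "<state>, <event>" pairs joined by "-->".
            for pair in msg.split(": ", 1)[1].split("-->"):
                state, _, event = pair.partition(", ")
                if event.strip() == "EV_TIMEOUT":
                    cur["timeout_state"] = state.strip()
                    break
            del open_by_peer[peer]  # attempt is over; the next one starts fresh
    return attempts

def stuck_waiting_for_msg2(a):
    """True when message 1 was retransmitted and no reply was ever decoded."""
    return a["RECEIVED"] == 0 and a["RESENDING"] > 0 and a["timeout_state"] == "MM_WAIT_MSG2"
```
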

iburlacu
Level 1

gw-ab13dec# debug crypto ipsec 127
gw-ab13dec# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=27110, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=31688, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.81, sport=65535, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=23496, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=23496, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.