09-19-2011 02:16 AM - edited 02-21-2020 05:35 PM
Hello guys,
I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with a Security Plus licence.
Routing is working correctly (connecting to the Internet from siteA works through
the 1st and also the second ISP), but IPSEC is working only through the first
ISP! It seems that phase 1 and 2 of IPSEC are correct, but packets
are only being encrypted, not decrypted. Do you have any idea what is wrong?
I'm trying to ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50).
Thanks
config site A:
##########################################################################
ASA5505 Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
nameif internet
security-level 0
ip address 212.89.235.yy 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 212.89.229.xx interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
pre-shared-key *
siteA# sh crypto isakmp sa d
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 212.89.229.xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 300
Lifetime Remaining: 91
siteA# sh crypto ipsec sa
interface: internet
Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy
access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
current_peer: 212.89.229.xx
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 2A9B550B
inbound esp sas:
spi: 0xCF456F65 (3477434213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32768, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4374000/28629)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x2A9B550B (714822923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32768, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/28629)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
config site B:
##########################################################################
ASA 5510 Version 8.0(4)
interface Ethernet0/0
nameif outside
security-level 0
ip address 212.89.229.xx 255.255.255.240
ospf cost 10
interface Ethernet0/1.10
vlan 10
nameif users
security-level 50
ip address 10.3.128.0 255.255.255.0
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
pre-shared-key *
SiteB# sh crypto isakmp sa d
Active SA: 7
Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8
8 IKE Peer: 212.89.235.115
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 300
Lifetime Remaining: 245
SiteB# sh crypto ipsec sa | b 212.89.235.yy
current_peer: 212.89.235.yy
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: CF456F65
inbound esp sas:
spi: 0x2A9B550B (714822923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4378624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/27310)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00001FFF
outbound esp sas:
spi: 0xCF456F65 (3477434213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4378624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27308)
IV size: 16 bytes
replay detection support: Y
siteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
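The counters in the two "sh crypto ipsec sa" outputs above already tell the story (siteA encapsulates 7 packets and decapsulates none; siteB decapsulates 12 and encapsulates none). The following is an added example, not part of the original post or of any Cisco tool, that parses that output format into per-peer counters and classifies each SA as idle, bidirectional or one-way, so the asymmetry can be spotted automatically instead of by eye. The sample text is constructed from the thread's output (abridged, peer addresses masked exactly as in the post); the function and verdict names are the example's own.

```python
import re

# Constructed sample, abridged from the "sh crypto ipsec sa" output posted in the thread.
# Counter values are the ones from the post; peer addresses keep the post's xx/yy masking.
SITE_A_OUTPUT = """\
interface: internet
Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy
current_peer: 212.89.229.xx
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

SITE_B_OUTPUT = """\
current_peer: 212.89.235.yy
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(output):
    """Return {peer: {"encaps": n, "decaps": n}} from 'show crypto ipsec sa' text.

    Counters are summed per peer, so a peer with several SAs (e.g. one per
    protocol in the crypto ACL) still yields a single pair of numbers.
    """
    peers = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {"encaps": 0, "decaps": 0})
            continue
        if current is None:
            continue  # header lines before the first current_peer
        m = ENCAPS_RE.search(line)
        if m:
            peers[current]["encaps"] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            peers[current]["decaps"] += int(m.group(1))
    return peers


def classify(counters):
    """Classify one peer's SA from its encaps/decaps counters."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "idle"
    if enc > 0 and dec == 0:
        return "one-way: sending only"
    if dec > 0 and enc == 0:
        return "one-way: receiving only"
    return "bidirectional"


def tunnel_verdict(local, remote):
    """Combine both ends' counters for the same tunnel into a troubleshooting hint.

    'local' and 'remote' are the counter dicts for the two ends of one tunnel.
    The verdict strings are this example's own, not ASA output.
    """
    if local["encaps"] > 0 and remote["decaps"] > 0 and remote["encaps"] == 0:
        # Our packets arrive and decrypt fine; the far end never encrypts a reply.
        # Hypothesis to check there: crypto map entry selection (ACL/sequence) or return routing.
        return "remote decrypts but never encrypts a reply"
    if local["encaps"] > 0 and remote["decaps"] == 0:
        return "packets leave local but never arrive at remote"
    if classify(local) == "bidirectional" and classify(remote) == "bidirectional":
        return "healthy"
    return "inconclusive"


if __name__ == "__main__":
    a = parse_ipsec_sa(SITE_A_OUTPUT)
    b = parse_ipsec_sa(SITE_B_OUTPUT)
    for site, peers in (("siteA", a), ("siteB", b)):
        for peer, c in peers.items():
            print(f"{site} -> {peer}: {c} => {classify(c)}")
    print("verdict:", tunnel_verdict(a["212.89.229.xx"], b["212.89.235.yy"]))
```

Run it against the pasted output of both ends; on the thread's numbers it reports siteA as "sending only", siteB as "receiving only", and the combined verdict that the remote decrypts but never encrypts a reply, which is exactly the pattern the later posts trace to the crypto map on siteB.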
09-19-2011 02:33 AM
Hi Martin,
Did you apply the crypto map to the interface of siteB? I don't see any crypto map interface command in your config (whereas it's in siteA's config).
If you didn't apply the crypto map, also check whether the outbound route to siteA goes through the interface where the crypto map is applied.
09-19-2011 03:14 AM
sorry, yes it is also on siteB:
crypto map outside_map interface outside
Routing on siteA is working OK and the crypto map is applied on both interfaces.
09-19-2011 03:44 AM
Mistake in the topology picture: I changed IP 212.89.236.xx to IP 212.89.229.xx
and IP 194.228.44 to 192.168.1.2.
09-21-2011 01:25 AM
I found the problem but don't know how to fix it now!
The problem is on siteB: the same ACL name "siteA" is used in both sequence numbers of crypto map "outside_map":
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
If I remove:
no crypto map outside_map 9 match address SiteA
the IPSEC through the 2nd ISP on siteA works correctly.
09-21-2011 01:35 AM
Hello Martin,
The crypto map entries are evaluated sequentially, which means that because you have the same ACL on both entries, the traffic will always match seq #9 and be directed to the peer defined in that sequence. If you want to do active/standby IPSEC tunnels between your two ISPs, you can use multiple peers, like:
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
If you want to load balance between your two ISPs, you will need different ACLs, e.g. sequence 9 for traffic directed to remote network 1 and sequence 10 for remote network 2; but in that case, if a remote peer is down, half of the traffic will be down.
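The rule in the answer above (entries are walked in sequence order, so two entries with the same match ACL mean the lower one always wins and the higher one is dead) is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small lint for ASA crypto map lines that finds an ACL reused by a higher sequence number in the same map, shows which sequence the ACL actually selects, and emits the active/standby rewrite the answer suggests (both peers on the surviving sequence, the duplicate match removed). The sample input is the siteB crypto map from the thread with peer addresses masked as in the post; the function names and the "merge into lowest sequence" choice are this example's own. Only the two command forms that appear in the thread are generated, so tidying up whatever else remains on the orphaned sequence is left to the operator.

```python
import re
from collections import defaultdict

# Constructed sample: the siteB crypto map lines quoted in the thread (addresses masked as in the post).
SITE_B_CRYPTO = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
"""

LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: {"acl": str|None, "peers": [...], "transform": str|None}}}."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # anything that is not a crypto map entry line
        name, seq, kind, rest = m.groups()
        entry = maps[name].setdefault(int(seq), {"acl": None, "peers": [], "transform": None})
        if kind == "match address":
            entry["acl"] = rest.strip()
        elif kind == "set peer":
            entry["peers"] = rest.split()  # ASA allows several peers on one line
        else:
            entry["transform"] = rest.strip()
    return maps


def select_entry(maps, name, acl):
    """Sequence number that traffic matching 'acl' actually hits: the lowest one using it."""
    for seq in sorted(maps[name]):
        if maps[name][seq]["acl"] == acl:
            return seq
    return None


def find_shadowed(maps):
    """(map, winning_seq, shadowed_seq, acl) for every ACL reused by a higher sequence."""
    findings = []
    for name, entries in maps.items():
        first_seen = {}
        for seq in sorted(entries):
            acl = entries[seq]["acl"]
            if acl is None:
                continue
            if acl in first_seen:
                findings.append((name, first_seen[acl], seq, acl))
            else:
                first_seen[acl] = seq
    return findings


def active_standby_fix(maps):
    """Commands that fold a shadowed entry's peer into the winning entry as a backup peer."""
    commands = []
    for name, winner, shadowed, acl in find_shadowed(maps):
        keep = maps[name][winner]
        dup = maps[name][shadowed]
        peers = keep["peers"] + [p for p in dup["peers"] if p not in keep["peers"]]
        commands.append(f"no crypto map {name} {shadowed} match address {acl}")
        commands.append(f"crypto map {name} {winner} set peer {' '.join(peers)}")
    return commands


if __name__ == "__main__":
    maps = parse_crypto_maps(SITE_B_CRYPTO)
    for name, winner, shadowed, acl in find_shadowed(maps):
        print(f"{name}: seq {shadowed} never matches; ACL {acl} is taken by seq {winner}")
    print("ACL SiteA selects seq", select_entry(maps, "outside_map", "SiteA"))
    print("\n".join(active_standby_fix(maps)))
```

On the thread's config this reports that seq 10 never matches because SiteA is taken by seq 9, and prints the two-line rewrite that puts 212.89.229.xx and 212.89.235.yy together on seq 9, which is the active/standby form from the answer. ACL names are compared exactly as written, the way the ASA treats them.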
09-21-2011 02:26 AM
Many thanks, that's what I needed!
09-21-2011 02:31 AM
I'm glad that this answers your question; don't hesitate to mark the post as answered and rate useful posts.
Have a nice day.