08-29-2016 01:30 PM
Hello,
I'm trying to help a co-worker get an IPsec VPN working on his Cisco PIX 501 from home. He has it installed behind an Asus RT-AC1900 router/firewall. The far end of the VPN is a Cisco ASA 5510. We can ping the outside interface of the 501 from the 5510 and vice versa, so we know there is some level of connectivity. However, the VPN does not come up. Running debug crypto isakmp on the 501 while trying to pass traffic to the remote network gives these errors:
VPN Peer:ISAKMP: Peer Info for xx.174.143.98/500 not found - peers:0
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:xx.174.143.98, dest:xx.25.107.240 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): deleting SA: src xx.25.107.240, dst xx.174.143.98
ISADB: reaper checking SA 0xaa239c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for xx.174.143.98/500 not found - peers:0
Some digging has shown that this error can occur when the PIX is behind another firewall and that firewall is blocking IPsec or ISAKMP. My co-worker insists his Asus is not blocking anything related to the PIX (such as UDP 500, UDP 4500 or ESP). I've checked and double-checked the config on the 501 and 5510 but would appreciate it if another set of eyes could take a look. Maybe I missed something. I've attached the PIX 501 and ASA 5510 configs.
The 501 gets a DHCP address but I confirmed the address it currently has matches the peer address in the 5510. That IP is xx.25.107.240.
Thanks in advance.
Kris
08-29-2016 06:10 PM
Hi Kris,
There is a mismatch in the phase 1 policy.
On the PIX:
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
On the ASA:
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
Please make sure that you have the same ISAKMP policy on both ends.
After making the changes, apply a packet capture on the outside interface of both devices to check whether there are bidirectional UDP 500 packets.
On the ASA:
capture cap interface outside match ip host <asa public ip> host <pix public ip>
On the PIX:
access-list cap_test perm ip host <asa public ip> host <pix public ip>
access-list cap_test perm ip host <pix public ip> host <asa public ip>
cap cap int outside match access-list cap_test
show cap cap
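As an added example that is not part of the original thread, the following Python script parses the two policy syntaxes quoted above (the PIX 6.x one-line form and the ASA block form) and reports which phase 1 attributes differ, which is the check this reply asks for. The sample text is copied from the two policies above. The parser assumes every attribute is written out explicitly and does not model platform defaults; treating lifetime as a soft attribute (the peers settle on the shorter value) is a choice made here.

```python
"""Compare IKEv1 phase-1 (ISAKMP) policies written in PIX 6.x and ASA syntax."""
import re
from typing import Dict, List, Tuple

# Attributes the responder must find agreeing in one proposal before it accepts it.
# Lifetime is not in this list: Cisco peers settle on the shorter of the two values,
# so a lifetime difference is reported as a note rather than a hard mismatch.
HARD_ATTRS = ("encryption", "hash", "authentication", "group")

PIX_LINE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
ASA_HEADER = re.compile(r"^crypto isakmp policy (\d+)$")

Policy = Dict[str, str]


def parse_pix_policies(text: str) -> Dict[int, Policy]:
    """PIX 6.x: one 'isakmp policy <prio> <attr> <value>' line per attribute."""
    policies: Dict[int, Policy] = {}
    for line in text.splitlines():
        m = PIX_LINE.match(line.strip())
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def parse_asa_policies(text: str) -> Dict[int, Policy]:
    """ASA: a 'crypto isakmp policy <prio>' header followed by indented '<attr> <value>' lines."""
    policies: Dict[int, Policy] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ASA_HEADER.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        parts = line.split()
        if current is not None and len(parts) == 2:
            policies[current][parts[0]] = parts[1]
        else:
            current = None  # anything else ends the policy block


    return policies


def mismatches(a: Policy, b: Policy) -> List[str]:
    """Hard attributes on which two policies disagree; an empty list means they match."""
    return [attr for attr in HARD_ATTRS if a.get(attr) != b.get(attr)]


def matching_pairs(pix: Dict[int, Policy], asa: Dict[int, Policy]) -> List[Tuple[int, int]]:
    """(pix_prio, asa_prio) pairs that would let phase 1 complete."""
    return [(p, q) for p in sorted(pix) for q in sorted(asa) if not mismatches(pix[p], asa[q])]


def report(pix_text: str, asa_text: str) -> str:
    pix, asa = parse_pix_policies(pix_text), parse_asa_policies(asa_text)
    pairs = matching_pairs(pix, asa)
    if pairs:
        notes = []
        for p, q in pairs:
            lt_pix, lt_asa = pix[p].get("lifetime"), asa[q].get("lifetime")
            note = f" (lifetime {lt_pix}/{lt_asa}, shorter wins)" if lt_pix != lt_asa else ""
            notes.append(f"pix {p} <-> asa {q}{note}")
        return "match: " + ", ".join(notes)
    diffs = []
    for p in sorted(pix):
        for q in sorted(asa):
            detail = ", ".join(f"{a} {pix[p].get(a)}/{asa[q].get(a)}" for a in mismatches(pix[p], asa[q]))
            diffs.append(f"pix {p} vs asa {q}: {detail}")
    return "no match; " + "; ".join(diffs)


# Sample text copied from the two policies quoted in the post above.
PIX_POLICY = """
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
"""
ASA_POLICY = """
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
"""

if __name__ == "__main__":
    print(report(PIX_POLICY, ASA_POLICY))
```

Run against the quoted configs it prints `no match; pix 2 vs asa 30: group 2/1`; once the PIX policy is changed to group 1 the report flips to a match, with a note that the lifetimes still differ.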
09-01-2016 07:30 AM
Hello and thanks for the reply.
I modified the PIX isakmp policy to match the ASA. Current policy on the PIX:
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 1
isakmp policy 2 lifetime 28800
I also enabled packet captures on both devices and did some pings from computers at both ends. The pings failed but I did capture some packets.
From the PIX:
Mark-Home# sho cap cap
28 packets captured
05:21:33.774084 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:33.775136 173.25.107.240.500 > 98.174.143.98.500: udp 100
05:21:41.772848 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:49.772893 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:57.773260 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:28:50.349637 173.25.107.240.500 > 98.174.143.98.500: udp 120
05:28:50.426705 98.174.143.98.500 > 173.25.107.240.500: udp 104
05:28:50.746802 173.25.107.240.500 > 98.174.143.98.500: udp 224
05:28:50.823947 98.174.143.98.500 > 173.25.107.240.500: udp 224
05:28:51.150337 173.25.107.240.500 > 98.174.143.98.500: udp 68
05:28:51.226688 98.174.143.98.500 > 173.25.107.240.500: udp 92
05:28:51.539950 173.25.107.240.500 > 98.174.143.98.500: udp 332
05:28:51.618406 98.174.143.98.500 > 173.25.107.240.500: udp 84
05:28:51.619764 98.174.143.98.500 > 173.25.107.240.500: udp 76
05:29:20.347256 173.25.107.240.500 > 98.174.143.98.500: udp 120
05:29:20.424126 98.174.143.98.500 > 173.25.107.240.500: udp 104
05:29:20.749823 173.25.107.240.500 > 98.174.143.98.500: udp 224
05:29:20.826937 98.174.143.98.500 > 173.25.107.240.500: udp 224
05:29:21.159217 173.25.107.240.500 > 98.174.143.98.500: udp 68
05:29:21.237155 98.174.143.98.500 > 173.25.107.240.500: udp 92
05:29:21.561067 173.25.107.240.500 > 98.174.143.98.500: udp 332
05:29:21.638776 98.174.143.98.500 > 173.25.107.240.500: udp 84
05:29:21.640042 98.174.143.98.500 > 173.25.107.240.500: udp 76
05:32:00.606246 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:32:00.607298 173.25.107.240.500 > 98.174.143.98.500: udp 100
05:32:08.604705 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:32:16.604857 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:32:24.605055 98.174.143.98.500 > 173.25.107.240.500: udp 312
28 packets shown
And from the ASA:
mfw01# sho cap cap
28 packets captured
1: 07:15:28.262422 98.174.143.98.500 > 173.25.107.240.500: udp 312
2: 07:15:28.339612 173.25.107.240.500 > 98.174.143.98.500: udp 100
3: 07:15:36.261522 98.174.143.98.500 > 173.25.107.240.500: udp 312
4: 07:15:44.261857 98.174.143.98.500 > 173.25.107.240.500: udp 312
5: 07:15:52.262178 98.174.143.98.500 > 173.25.107.240.500: udp 312
6: 07:22:44.930936 173.25.107.240.500 > 98.174.143.98.500: udp 120
7: 07:22:44.931561 98.174.143.98.500 > 173.25.107.240.500: udp 104
8: 07:22:45.327177 173.25.107.240.500 > 98.174.143.98.500: udp 224
9: 07:22:45.328504 98.174.143.98.500 > 173.25.107.240.500: udp 224
10: 07:22:45.731041 173.25.107.240.500 > 98.174.143.98.500: udp 68
11: 07:22:45.731712 98.174.143.98.500 > 173.25.107.240.500: udp 92
12: 07:22:46.121697 173.25.107.240.500 > 98.174.143.98.500: udp 332
13: 07:22:46.122781 98.174.143.98.500 > 173.25.107.240.500: udp 84
14: 07:22:46.123467 98.174.143.98.500 > 173.25.107.240.500: udp 76
15: 07:23:14.929639 173.25.107.240.500 > 98.174.143.98.500: udp 120
16: 07:23:14.930158 98.174.143.98.500 > 173.25.107.240.500: udp 104
17: 07:23:15.331785 173.25.107.240.500 > 98.174.143.98.500: udp 224
18: 07:23:15.333158 98.174.143.98.500 > 173.25.107.240.500: udp 224
19: 07:23:15.741889 173.25.107.240.500 > 98.174.143.98.500: udp 68
20: 07:23:15.742576 98.174.143.98.500 > 173.25.107.240.500: udp 92
21: 07:23:16.144127 173.25.107.240.500 > 98.174.143.98.500: udp 332
22: 07:23:16.145149 98.174.143.98.500 > 173.25.107.240.500: udp 84
23: 07:23:16.145759 98.174.143.98.500 > 173.25.107.240.500: udp 76
24: 07:25:55.118508 98.174.143.98.500 > 173.25.107.240.500: udp 312
25: 07:25:55.195561 173.25.107.240.500 > 98.174.143.98.500: udp 100
26: 07:26:03.117349 98.174.143.98.500 > 173.25.107.240.500: udp 312
27: 07:26:11.117669 98.174.143.98.500 > 173.25.107.240.500: udp 312
28: 07:26:19.118005 98.174.143.98.500 > 173.25.107.240.500: udp 312
28 packets shown
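An added example, not part of the thread: a Python parser for the two `show capture` listings above. It accepts both line shapes (the PIX form and the ASA form with its leading packet index), confirms that UDP/500 traffic is two-way between the peer addresses, checks whether any UDP/4500 (NAT-T) traffic appears, splits the listing into negotiation attempts separated by silence, and counts retransmits inside each attempt; in the first attempt above, the 312-byte packet from 98.174.143.98 is answered once by a 100-byte packet and then resent three times, 8 seconds apart, which the size sequence makes visible. The embedded sample is the first two attempts (14 lines) of the PIX listing; the 20-second attempt gap and the equal-length retransmit heuristic are choices made here, not anything the page states.

```python
"""Read a PIX/ASA 'show capture' listing and check for two-way IKE traffic and retransmits."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Matches the PIX form ("05:21:33.774084 a.b.c.d.500 > ...") and the ASA form, which
# prefixes a packet index ("1: 07:15:28.262422 ...").
LINE = re.compile(
    r"^(?:\d+:\s+)?(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\w+)\s+(\d+)$"
)


@dataclass
class Packet:
    t: float      # seconds since midnight; assumes the listing does not cross midnight
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_capture(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header/footer lines such as "28 packets captured"
        h, mi, s, frac = m.group(1, 2, 3, 4)
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        pkts.append(Packet(t, m.group(5), int(m.group(6)), m.group(7), int(m.group(8)),
                           m.group(9), int(m.group(10))))
    return pkts


def directions(pkts: List[Packet], a: str, b: str, port: int = 500) -> Dict[str, int]:
    """Packet counts per direction on one UDP port; both must be non-zero for IKE to work."""
    return {
        f"{a}->{b}": sum(1 for p in pkts if p.src == a and p.dst == b and p.dport == port),
        f"{b}->{a}": sum(1 for p in pkts if p.src == b and p.dst == a and p.dport == port),
    }


def is_bidirectional(pkts: List[Packet], a: str, b: str, port: int = 500) -> bool:
    return all(n > 0 for n in directions(pkts, a, b, port).values())


def split_bursts(pkts: List[Packet], gap: float = 20.0) -> List[List[Packet]]:
    """Group packets into negotiation attempts: silence longer than `gap` seconds starts a new one.
    PIX/ASA IKEv1 retransmits arrive a few seconds apart, so 20 s keeps them in one attempt."""
    bursts: List[List[Packet]] = []
    for p in pkts:
        if bursts and p.t - bursts[-1][-1].t <= gap:
            bursts[-1].append(p)
        else:
            bursts.append([p])
    return bursts


def count_retransmits(burst: List[Packet]) -> int:
    """Repeats of the same (src, dst, dport, length) inside one attempt. An IKE retransmit is a
    byte-identical resend, so equal length from the same side is a cheap proxy; a genuine second
    message of the same size would be counted too."""
    seen: Counter = Counter()
    repeats = 0
    for p in burst:
        key = (p.src, p.dst, p.dport, p.length)
        repeats += 1 if seen[key] else 0
        seen[key] += 1
    return repeats


def size_sequence(burst: List[Packet], a: str) -> List[str]:
    """Compact view of one attempt: '>' for packets sent by `a`, '<' for packets it received."""
    return [(">" if p.src == a else "<") + str(p.length) for p in burst]


PIX_IP, ASA_IP = "173.25.107.240", "98.174.143.98"

# Sample: the first two attempts from the PIX listing in the post (14 of its 28 lines);
# the header line is kept to show that it is skipped.
PIX_CAPTURE = """\
28 packets captured
05:21:33.774084 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:33.775136 173.25.107.240.500 > 98.174.143.98.500: udp 100
05:21:41.772848 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:49.772893 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:21:57.773260 98.174.143.98.500 > 173.25.107.240.500: udp 312
05:28:50.349637 173.25.107.240.500 > 98.174.143.98.500: udp 120
05:28:50.426705 98.174.143.98.500 > 173.25.107.240.500: udp 104
05:28:50.746802 173.25.107.240.500 > 98.174.143.98.500: udp 224
05:28:50.823947 98.174.143.98.500 > 173.25.107.240.500: udp 224
05:28:51.150337 173.25.107.240.500 > 98.174.143.98.500: udp 68
05:28:51.226688 98.174.143.98.500 > 173.25.107.240.500: udp 92
05:28:51.539950 173.25.107.240.500 > 98.174.143.98.500: udp 332
05:28:51.618406 98.174.143.98.500 > 173.25.107.240.500: udp 84
05:28:51.619764 98.174.143.98.500 > 173.25.107.240.500: udp 76
"""

if __name__ == "__main__":
    pkts = parse_capture(PIX_CAPTURE)
    print(directions(pkts, PIX_IP, ASA_IP), "nat-t seen:", any(p.dport == 4500 for p in pkts))
    for i, b in enumerate(split_bursts(pkts), 1):
        print(f"attempt {i}: {len(b)} pkts, {count_retransmits(b)} retransmits,",
              " ".join(size_sequence(b, PIX_IP)))
```

A capture taken on the outside interface proves only that the packets reached that interface; it says nothing about what the Asus does to them in between, so run the same script on the listing from the other side and compare the two direction counts.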
09-01-2016 09:15 AM
The captures do show two-way ISAKMP traffic. So that is good. Perhaps you could run debug for ISAKMP and post the output?
HTH
Rick
09-01-2016 09:32 AM
Hello Richard,
Here is the result of the debug crypto isakmp on the PIX:
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP: Created a peer struct for 98.174.143.98, peer port 62465
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 392826030:176a0cae
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 3080902284
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 266633460, spi size = 16
ISAKMP (0): deleting SA: src 173.25.107.240, dst 98.174.143.98
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xab0a6c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 98.174.143.98/500 not found - peers:0
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1556193360:a33e5fb0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 3931753681
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:98.174.143.98, dest:173.25.107.240 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3831034006, spi size = 16
ISAKMP (0): deleting SA: src 173.25.107.240, dst 98.174.143.98
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xab0a6c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 98.174.143.98/500 not found - peers:0
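An added example, not part of the thread: a Python decoder for the transcript above. The PIX prints the NOTIFY type and protocol ID as raw numbers; decoded against RFC 2408 section 3.14.1 and the IPsec DOI (RFC 2407), "NOTIFY payload 14 protocol 3" is NO-PROPOSAL-CHOSEN for ESP, received from the ASA right after the PIX began Quick Mode. Read that way, the transcript shows phase 1 authenticating both times and the failure sitting in phase 2, which narrows where to look (transform set, crypto ACL, crypto map) rather than the ISAKMP policy or reachability. The sample inputs are the first attempt from the transcript above and the excerpt from the original post, trimmed to the lines the decoder reads; the milestone names and the wording of the diagnosis are choices made here.

```python
"""Turn a PIX/IOS 'debug crypto isakmp' transcript into IKEv1 milestones and decode NOTIFY codes."""
import re
from typing import Callable, List, Tuple

# Notify message types: RFC 2408 section 3.14.1 (error types 1-30) plus the IPsec DOI
# status types from RFC 2407 section 4.6.3 that Cisco peers send in normal operation.
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
    24576: "RESPONDER-LIFETIME", 24577: "REPLAY-STATUS", 24578: "INITIAL-CONTACT",
}
# Protocol IDs from RFC 2407 section 4.4.1: which SA the notify refers to.
PROTOCOL_IDS = {1: "ISAKMP (phase 1)", 2: "AH", 3: "ESP", 4: "IPCOMP"}


def decode_notify(ntype: int, proto: int) -> str:
    return f"{NOTIFY_TYPES.get(ntype, f'type {ntype}')} about {PROTOCOL_IDS.get(proto, f'protocol {proto}')}"


# (pattern, formatter) pairs; the first pattern matching a debug line names the milestone.
MILESTONES: List[Tuple[re.Pattern, Callable[[re.Match], str]]] = [
    (re.compile(r"beginning (Main|Aggressive) Mode exchange"), lambda m: f"phase1 start: {m.group(1)} Mode"),
    (re.compile(r"atts are acceptable"), lambda m: "phase1 proposal accepted"),
    (re.compile(r"SA has been authenticated"), lambda m: "phase1 complete"),
    (re.compile(r"beginning Quick Mode exchange"), lambda m: "phase2 start: Quick Mode"),
    (re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)"),
     lambda m: "peer notify: " + decode_notify(int(m.group(1)), int(m.group(2)))),
    (re.compile(r"processing DELETE payload"), lambda m: "peer deleted SA"),
    (re.compile(r"deleting SA"), lambda m: "local SA deleted"),
]


def milestones(debug_text: str) -> List[str]:
    found = []
    for line in debug_text.splitlines():
        for pattern, describe in MILESTONES:
            m = pattern.search(line)
            if m:
                found.append(describe(m))
                break
    return found


def diagnose(debug_text: str) -> str:
    """Name the phase that failed, using only what the transcript shows."""
    ms = milestones(debug_text)
    notifies = [x.split(": ", 1)[1] for x in ms if x.startswith("peer notify:")]
    if "phase1 complete" not in ms:
        tail = f"; peer said {notifies[-1]}" if notifies else ""
        return "phase 1 never authenticated: check ISAKMP policy, pre-shared key and UDP/500 reachability" + tail
    if any(n == "NO-PROPOSAL-CHOSEN about ESP" for n in notifies):
        return ("phase 1 completed but the peer rejected the phase 2 proposal: "
                "compare transform sets, crypto ACLs and crypto map settings")
    if "phase2 start: Quick Mode" in ms and not notifies:
        return "reached Quick Mode with no error notify in this excerpt"
    return "inconclusive: " + "; ".join(ms)


# Sample input: the first attempt from the transcript above, trimmed to the lines the decoder
# reads, and the shorter excerpt from the original post (phase 1 never completes there).
DEBUG_PHASE2_FAIL = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 392826030:176a0cae
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 3080902284
ISAKMP (0): processing DELETE payload. message ID = 266633460, spi size = 16
ISAKMP (0): deleting SA: src 173.25.107.240, dst 98.174.143.98
"""
DEBUG_PHASE1_FAIL = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): deleting SA: src xx.25.107.240, dst xx.174.143.98
"""

if __name__ == "__main__":
    for name, text in (("phase 2 failure", DEBUG_PHASE2_FAIL), ("phase 1 failure", DEBUG_PHASE1_FAIL)):
        print(name, "->", milestones(text))
        print("   ", diagnose(text))
```

"processing NOTIFY" and "processing DELETE" lines describe payloads the PIX received, so the decoder attributes them to the peer; the "deleting SA" line is the PIX's own cleanup.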
09-01-2016 10:04 AM
Kris
Thanks for the debug output. It does show that negotiation is taking place but is not successful. Would it be possible to get debug for ISAKMP from the ASA?
HTH
Rick
09-01-2016 10:10 AM
Richard,
Yes I will get that but have to leave the office now. I will have the output from the ASA tomorrow morning.
Thanks!
09-01-2016 02:51 PM
This is the debug for ISAKMP on the ASA; it's very short:
mfw01# Sep 01 14:37:05 [IKEv1]: IP = 173.25.107.240, Information Exchange processing failed
mfw01# Sep 01 14:38:25 [IKEv1]: IP = 173.25.107.240, Information Exchange processing failed
09-01-2016 03:04 PM
Kris
Thanks for the output. I wish it were a bit more informative. I looked through the config and I have this suggestion: remove this line
crypto map public_map 2 set phase1-mode aggressive
Give this a try and let us know if the behavior changes.
HTH
Rick
09-02-2016 09:44 AM
Richard,
I removed the line as suggested and it did resolve the issue. The remote can now access resources at the main office.
Thanks for your help!
09-02-2016 02:10 PM
Kris
You are welcome. This was an interesting one to investigate and a subtle reason for the problem. I am glad that my suggestion led you to the solution. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.
HTH
Rick
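The fix in this thread was to stop the PIX from proposing Aggressive Mode for phase 1. Beyond interoperability, Main Mode is also the better choice with a pre-shared key: in Aggressive Mode the responder's identity and HASH_R are sent in message 2 before any encryption is in place, so anyone who can capture the exchange can attack the PSK offline, whereas Main Mode exchanges identities and hashes only in the encrypted messages 5 and 6 (RFC 2409 section 5.4). The following is an added example, not part of the thread: a Python parser for the 28-byte ISAKMP header of a captured IKE datagram that reports the exchange type, handles the RFC 3948 Non-ESP Marker on UDP/4500, and states the phase 1 exposure. The sample datagrams are constructed here (headers only, arbitrary cookies); the Quick Mode message ID is the M-ID from the debug transcript above.

```python
"""Parse the 28-byte ISAKMP header (RFC 2408 section 3.1) of an IKE datagram and report the
exchange type, so a capture can be checked for Main versus Aggressive Mode."""
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBBII"  # I-cookie, R-cookie, next payload, version, exchange, flags, msg id, length

# Exchange types: RFC 2408 section 3.1 (0-5) and the IKE values from RFC 2409 appendix A (32, 33).
EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 section 2.2: IKE on UDP/4500 is prefixed with four zero bytes


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown ({self.exchange_type})")

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)


def strip_nat_t_marker(payload: bytes, dport: int) -> bytes:
    """On UDP/4500 an IKE datagram carries a Non-ESP Marker; ESP-in-UDP has a non-zero SPI there."""
    if dport == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without Non-ESP Marker: this is ESP, not IKE")
        return payload[len(NON_ESP_MARKER):]
    return payload


def parse_isakmp_header(payload: bytes, dport: int = 500) -> IsakmpHeader:
    data = strip_nat_t_marker(payload, dport)
    if len(data) < HEADER_LEN:
        raise ValueError(f"datagram too short for an ISAKMP header: {len(data)} bytes")
    icky, rcky, npl, ver, xchg, flags, mid, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length > len(data):
        raise ValueError(f"header length {length} exceeds datagram length {len(data)} (truncated capture?)")
    return IsakmpHeader(icky, rcky, npl, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def phase1_risk(hdr: IsakmpHeader) -> Optional[str]:
    """Aggressive Mode sends the responder's identity and HASH_R in message 2, before encryption,
    so a passive observer can brute-force a pre-shared key offline; Main Mode sends them only in
    the encrypted messages 5 and 6. Returns None for exchange types that are not phase 1."""
    if hdr.exchange_type == 4:
        return "aggressive mode: identity and HASH_R sent in the clear; PSK exposed to offline guessing"
    if hdr.exchange_type == 2:
        return "main mode: identities and hashes exchanged only under the phase 1 encryption flag"
    return None


# Constructed sample datagrams: headers only, payload bytes omitted, cookies arbitrary.
def _hdr(exchange: int, flags: int = 0, msg_id: int = 0, rcookie: bytes = bytes(8)) -> bytes:
    return struct.pack(HEADER_FMT, b"\x01\x23\x45\x67\x89\xab\xcd\xef", rcookie,
                       1, 0x10, exchange, flags, msg_id, HEADER_LEN)


MAIN_MODE_MSG1 = _hdr(2)                                   # first packet of a Main Mode exchange
AGGRESSIVE_MSG1 = _hdr(4)                                  # first packet of an Aggressive Mode exchange
QUICK_MODE_MSG1 = _hdr(32, FLAG_ENCRYPTION, 0x176A0CAE, b"\xfe" * 8)  # phase 2, encrypted
NAT_T_MAIN_MODE = NON_ESP_MARKER + MAIN_MODE_MSG1           # the same header as carried on UDP/4500

if __name__ == "__main__":
    for name, datagram, port in (("main", MAIN_MODE_MSG1, 500), ("aggressive", AGGRESSIVE_MSG1, 500),
                                 ("quick", QUICK_MODE_MSG1, 500), ("nat-t", NAT_T_MAIN_MODE, 4500)):
        h = parse_isakmp_header(datagram, port)
        print(f"{name}: {h.exchange_name}, encrypted={h.encrypted}, msgid=0x{h.message_id:08x},",
              phase1_risk(h))
```

Feed it the UDP payload of the first packet of each attempt from a pcap taken on either outside interface; an exchange type of 4 where 2 was expected is the condition the accepted answer removed.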