05-04-2007 01:27 PM
A VPN client connects successfully but can't ping any internal network. I have a show crypto output here ... my config was never changed and was working before.
sh crypto ipsec sa | beg 12.193.124.74
current_peer: 12.193.124.74:42679
dynamic allocated peer ip: 172.16.1.105
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 241, #pkts decrypt: 241, #pkts verify 241
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 65.248.74.50, remote crypto endpt.: 12.193.124.74
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 53d90a0e
inbound esp sas:
spi: 0xaaa61839(2863011897)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 15, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607974/27671)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
++++++++++++++++++++++++++++++++++++
spi 0, message ID = 1916052501
ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 44511908
ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3164594634
ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1976932664
ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 180126391
ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSu all
05-05-2007 08:11 AM
Hi Gerard,
From the output that you sent, it seems that the packets are reaching the device and getting decrypted, but not returning.
#pkts encaps: 0, #pkts encrypt: 0,
#pkts decaps: 241, #pkts decrypt: 241,
What is the head end device? Can you check your NAT entries or see if there is any kind of route that is missing on your internal network?
If you could post the config of the head end device, I can take a look at it and let you know.
Cheers
Gilbert
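The check described in the reply above (decaps counting up while encaps stays at 0), as an added example that is not part of the original thread: a small Python parser that reads `show crypto ipsec sa` counters and flags SAs carrying traffic in one direction only. It goes slightly beyond the reply by also flagging the reverse case; the function names and the second peer in the sample (192.0.2.10) are constructed for illustration.

```python
import re

# Constructed sample: first SA uses the counters from the post above,
# second SA (192.0.2.10) is made up to show a healthy tunnel.
SAMPLE = """\
current_peer: 12.193.124.74:42679
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 241, #pkts decrypt: 241, #pkts verify 241
#send errors 0, #recv errors 0
current_peer: 192.0.2.10:500
#pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88
#pkts decaps: 90, #pkts decrypt: 90, #pkts verify 90
#send errors 0, #recv errors 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#(?:pkts )?(encaps|decaps|send|recv)(?: errors)?:?\s*(\d+)")

def parse_sas(text):
    """Split 'show crypto ipsec sa' output into one counter dict per SA."""
    sas = []
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            sas.append({"peer": peer.group(1)})
        elif sas:
            for name, value in COUNTER_RE.findall(line):
                sas[-1][name] = int(value)
    return sas

def classify(sa):
    """Label traffic direction from the head end's point of view."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if dec > 0 and enc == 0:
        return "inbound-only"    # this thread: replies never reach the tunnel
    if enc > 0 and dec == 0:
        return "outbound-only"   # head end sends, nothing comes back
    return "idle" if enc == dec == 0 else "bidirectional"

def one_way_sas(text):
    """Return (peer, label) for every SA passing traffic in one direction only."""
    labelled = [(sa["peer"], classify(sa)) for sa in parse_sas(text)]
    return [(p, l) for p, l in labelled if l.endswith("-only")]

if __name__ == "__main__":
    for peer, label in one_way_sas(SAMPLE):
        print(f"{peer}: {label} (check NAT exemption and return routes)")
```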
08-09-2012 11:40 AM
I have the same problem. Could you help me solve it? I have a PIX 515E 6.3 (dynamic IP) and an ASA 5515 (static IP).
Pix 515E:
access-list 101 permit ip 198.155.164.0 255.255.255.0 198.155.162.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 198.155.164.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 198.155.0.0 255.255.0.0 0 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 101
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ASA 5510:
interface Ethernet0/0
description Interfase enlace
nameif outside
security-level 0
ip address
!
interface Ethernet0/1
description Red KE
nameif inside
security-level 100
ip address 198.155.162.253 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT2 255.255.255.192
access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.163.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.164.0 255.255.255.0
global (outside) 1
global (outside) 1
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
____________
On the ASA 5510 8.2 I have configured 3 remote-access tunnels and they are functioning OK.