04-29-2010 10:41 AM
Hello Everybody
I have a problem adding a new site-to-site VPN to an existing RA VPN on ASAs running a load-balancing cluster. No messages about IKE Phase 1 on either device. The RA VPN works fine but the L2L VPN does not work. Please help me. I tried to debug crypto isakmp on both the ASA and the Router but got no messages from the devices. Both devices can ping each other.
Here are the configurations on the ASA and Router
#################################################################################
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
crypto ipsec transform-set RA-SET esp-aes esp-sha-hmac
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set RA-SET
crypto dynamic-map dyn1 1 set reverse-route
crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1
crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 5000
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5500
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 10.1.1.10 type ipsec-l2l
tunnel-group 10.1.1.10 ipsec-attributes
pre-shared-key test123
vpn load-balancing
redirect-fqdn enable
priority 2
cluster key vpn*cluster
cluster ip address 10.1.1.1
cluster encryption
participate
#################################################################################
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.2 -----> This IP address should be the real IP address of the ASA or the VIP (Cluster)
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
!
crypto map L2L-TEST 1 ipsec-isakmp
set peer 10.1.1.2 -----> This IP address should be the real IP address of the ASA or the VIP (Cluster)
set transform-set L2L-SET
match address ACL-L2L
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 10.1.1.10 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map L2L-TEST
#################################################################################
ASA-1# sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.1.1.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
****** No L2L Tunnel status between ASA and Router *****
#################################################################################
ROUTER#sh crypto isa sa
dst src state conn-id slot status
****** No L2L Tunnel status between ASA and Router *****
04-29-2010 10:45 AM
Hi,
You have the dynamic crypto map associated with the static crypto map with an ID of 1.
The L2L has an ID of 10.
The Site-to-Site should always have a lower ID.
Please change the ID to 100 for example.
no crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1
crypto map VPN-MAP 100 ipsec-isakmp dynamic dyn1
Let's see if that makes any difference (the reason is because the VPN will try to match the crypto maps in sequential order).
Federico.
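The ordering rule Federico describes (dynamic crypto map entries must carry the highest sequence numbers so static L2L entries are evaluated first) can be checked mechanically. The script below is an added example, not part of the thread; it parses the ASA's `crypto map` lines as posted above (embedded here as constructed sample input) and flags static entries that sit behind a lower-numbered dynamic entry, plus static entries missing a peer, ACL or transform set.

```python
import re
from collections import defaultdict

# Constructed sample input: the ASA crypto map lines from the original post.
ASA_CRYPTO_MAP = """\
crypto map VPN-MAP 1 ipsec-isakmp dynamic dyn1
crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP interface outside
"""

# Only entry lines have a numeric sequence; 'crypto map X interface Y' is skipped.
LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")

def parse_crypto_map(config):
    """Return {map_name: {seq: {"dynamic": bool, "attrs": set()}}}."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps[name].setdefault(seq, {"dynamic": False, "attrs": set()})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"] = True
        elif rest.startswith("match address"):
            entry["attrs"].add("match")
        elif rest.startswith("set peer"):
            entry["attrs"].add("peer")
        elif rest.startswith("set transform-set"):
            entry["attrs"].add("transform")
    return maps

def find_problems(maps):
    """List ordering and completeness problems for each static (L2L) entry."""
    problems = []
    for name, entries in maps.items():
        dyn_seqs = [s for s, e in entries.items() if e["dynamic"]]
        for seq, e in sorted(entries.items()):
            if e["dynamic"]:
                continue
            lower = [d for d in dyn_seqs if d < seq]   # dynamic entries evaluated first
            if lower:
                problems.append(f"{name} {seq}: static entry comes after dynamic entry {min(lower)}")
            missing = {"match", "peer", "transform"} - e["attrs"]
            if missing:
                problems.append(f"{name} {seq}: missing {', '.join(sorted(missing))}")
    return problems
```

Renumbering the dynamic entry to 65000, as Lenka later did, clears the report for this config.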
04-29-2010 10:58 AM
Hi Federico
Thanks for your reply to my post. I already changed the configuration on the ASA but my problem still occurs.
Here is the new configuration
crypto map VPN-MAP 10 match address ACL-L2L-TEST
crypto map VPN-MAP 10 set peer 10.1.1.10
crypto map VPN-MAP 10 set transform-set L2L-SET
crypto map VPN-MAP 65000 ipsec-isakmp dynamic dyn1
After changing the configuration on the ASA, I cleared crypto isakmp on both the ASA and Router.
04-29-2010 11:01 AM
Can you post the output of the debugs to see why phase 2 is not coming up?
On the ASA:
debug cry isa 127
debug cry ips 127
On the router:
debug cry isa
debug cry ips
Federico.
04-29-2010 11:10 AM
As in my first post, I already debugged crypto isakmp and ipsec on both the ASA and Router. I didn't get any messages from either device. It looks like there is no communication between the ASA and Router for the VPN tunnel.
Am I missing configuration on a device?
ASA 5550 with SW version 8.2
Router 2801 with IOS 12.4T (Advanced Enterprise)
04-29-2010 11:14 AM
Is there any device in between, or in either end, blocking ISAKMP (UDP 500) or ESP protocol?
You need to make sure that both are permitted through along the path.
I don't think that you have this problem on the ASA side (since RA connections are working fine), but what about the Router side?
Federico.
04-29-2010 11:18 AM
Between the ASA and Router is an L3 switch that I set up to simulate the ISP. No ACL on the router, and the firewall policy on the outside interface is open as permit ip any any as well.
Lenka.
04-29-2010 11:34 AM
Ok, since you're getting no debugs you can do a test:
For example on the router:
access-list ISAKMP permit udp host ASA's_IP host Router's_IP eq 500
access-list ISAKMP permit ip any any
If you apply this ACL on your router's outside interface in the inbound direction, you should see if the ISAKMP traffic is getting to the router.
You should see hitcounts on the ACL.
If you don't get hitcounts, either the ASA is not sending the packets to the router or something is blocking the packets from reaching the router.
Federico.
04-29-2010 12:02 PM
Hi Federico,
I put an ACL on the router and used the "capture" command to monitor packets coming to the ASA. Neither the router nor the ASA sends any packets to the other, except ICMP, which both devices can capture and see.
No ACL is applied on any interface of the L3 switch that connects to the ASA and router.
Lenka.
04-29-2010 12:07 PM
That is very weird.
If both the ASA and router can ping each other, that means the routing is OK too.
Sometimes I've seen the ISP blocking ISAKMP, have you checked if this is the case on the router side?
Can you also post the "sh run" from both sides?
Federico.