Solved: Hey Jon,I haven't heard back - Page 5

Ken Mackay · ‎02-27-2015

I can't seem to get by the error's. Phase 1 completes, then the errors start, 7.0.0.2 recieved non-routine notify message no proposal choosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local Proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, seesion being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. The other end the ASA5512 I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, recevied encrypted packet with no matchin SA dropping.

I have searched internet and found many results however as changes implemented I always end back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This a test soon to go into production. Thanks

Ken

ASA1# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ASA1
domain-name TEST1.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 100
ip address 7.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif AS1toR1
security-level 50
ip address 1.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif AS1toR2
security-level 50
ip address 3.0.0.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup AS1toR1
dns domain-lookup AS1toR2
dns domain-lookup management
dns server-group DefaultDNS
name-server 201.201.201.201
domain-name TEST1.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-1.0.0.0
object network 2.0.0.0
subnet 2.0.0.0 255.255.255.0
object network 6.0.0.0
subnet 6.0.0.0 255.255.255.0
object network 7.1.0.0
subnet 7.1.0.0 255.255.255.0
object network 8.0.0.0
subnet 8.0.0.0 255.255.255.0
object network 9.0.0.0
subnet 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_4
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_2
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_6
network-object object 6.0.0.0
network-object object 9.0.0.0
access-list HEADEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu AS1toR1 1500
mtu AS1toR2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group AS1toR1_access_in in interface AS1toR1
access-group AS1toR2_access_in in interface AS1toR2
!
router ospf 1
network 1.0.0.0 255.255.255.0 area 0
network 3.0.0.0 255.255.255.0 area 0
network 7.0.0.0 255.255.255.0 area 0
log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
crypto dynamic-map DYNMAP 10 set pfs
crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 30
vpn load-balancing
interface lbpublic Outside
interface lbprivate AS1toR1
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
no anyconnect-essentials
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-network-list value HEADEND
default-domain value TEST1.CA
webvpn
activex-relay disable
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
nat-assigned-to-public-ip Outside
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
secondary-authentication-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 24
subscribe-to-alert-group configuration periodic monthly 24
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:022709234965ad8943628e790ed5ed1f
: end
ASA1#

ASA2# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA2
domain-name TEST2.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 14
!
interface Ethernet0/1
switchport access vlan 24
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 4
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan4
nameif management.
security-level 0
ip address 192.168.1.101 255.255.255.0
management-only
!
interface Vlan14
nameif Outside
security-level 100
ip address dhcp setroute
!
interface Vlan24
nameif Inside
security-level 50
ip address 6.0.0.2 255.255.255.0
!
ftp mode passive
dns domain-lookup management.
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name TEST2.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list REMOTEEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu management. 1500
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
!
router ospf 1
network 6.0.0.0 255.255.255.0 area 0
network 7.1.0.0 255.255.255.0 area 0
log-adj-changes
!
route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl REMOTEEND
eou allow none
http server enable
http 0.0.0.0 0.0.0.0 management.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map HQ2REMOTE 15 match address vpnend-to-hq
crypto map HQ2REMOTE 15 set pfs
crypto map HQ2REMOTE 15 set connection-type originate-only
crypto map HQ2REMOTE 15 set peer 7.0.0.2
crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
crypto map HQ2REMOTE 15 set reverse-route
crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE interface Outside
crypto isakmp enable Outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
enable Outside
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value REMOTEEND
default-domain value TEST2.CA
smartcard-removal-disconnect disable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *****
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group-map default-group 7.0.0.2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
: end
ASA2#

Jon Marshall · ‎03-04-2015

Ken

Are you saying it was working with the pings ?

If not can you post both configurations again.

Jon

Ken Mackay · ‎03-04-2015

Jon,

It was working with pings. Attached the working config and the non-working config.

Thanks,

Ken

Jon Marshall · ‎03-04-2015

Ken

Okay, it looks like you do not need to reference a crypto map acl on ASA1 and it just picks up what ASA2 proposes.

I just checked a Cisco configuration document for a dynamic L2L and they are not referencing an acl on the ASA with a static IP.

So can you go back to the configuration that worked ie. remove that line referencing the crypto map on ASA1, save all configurations, reload both ASAs and then start your ping again.

Hopefully it should work.

If it does can you post a "sh crypto ipsec sa" from both ASAs so I can have a look.

It looks like we are there but I just want to verify with this last test.

Is that okay with you ?

Jon

Ken Mackay · ‎03-04-2015

Jon,

Ok thanks for all your hard work. Attached the "sho crypto ipsec sa's Let me know if you see an issue. The tunnel is up and passing traffic.

Thanks,

Ken

Jon Marshall · ‎03-04-2015

Ken

Firstly apologies for the misleading information about the crypto map acl on ASA1.

That obviously wasn't the only issue as even without it we couldn't get this working until we got it using the DefaultL2LGroup but it certainly didn't help.

I think if we had got the acls matching exactly it might of but it looks to be working without it on ASA1 and you only need it on ASA2 so I probably delayed us getting a working solution.

It looks okay apart from the first set of SAs which are not for any networks mentioned in your crypto map acl on ASA2 which is not what I would expect to see and haven't seen in any docs but I don't believe it's causing any issues.

The only other thing is your crypto map acl on ASA2 mentions other subnets apart from just 8.0.0.0 and 9.0.0.0.

Do you need the other subnets working and if you do then it would worth testing a ping between those as well.

What should happen is it should create a new pair of SAs in the "sh crypto ipsec sa" output for those subnets.

Apart from that it looks like it is working.

Jon

Ken Mackay · ‎03-04-2015

Jon,

All networks are pingable/reachable. It's good you pointed out that the tunnel was using DefaultRAGroup. I have left the key out for DefaultRAGroup and DefaultWEBVPNGroup to ensure we only use the DefaultL2LGroup. I'm glad it finally worked out. I will attemp to build a new test configuration with multiple spokes now and then begin work on a production configuration. Once again thanks for all your hard work and support.

Ken

Ken Mackay · ‎03-10-2015

Hey Jon,

Don't know if your around? Perhaps your tied up with something else? I'm working on another thread, but working on adding another spoke to the Hub and Spoke envoironment we worked on. My understanding is that the Hub config doesn't change and the second spoke use's the same config as the first with exception of some ACL changes to all. I'll attach to this thread the crypto setup and current configs. The tunnel to ASA2 remains up however recieving error's on ASA3. Those error's are "IKE initiator unable to find policy Intf Inside, Src: 5.0.0.2, Dst: 8.0.0.1", Routing failed to locate next hop for UDP from NP Identity Ifc: 0.0.0.0 to Outside: 7.0.0.2", and Failed to locate egress interface for TCP from Inside: 5.0.0.2.

Thanks,

Ken

Ken Mackay · ‎03-12-2015

Hey Jon,

I haven't heard back from Rizwan. So perhaps you can help. I am a bit confused. After reading Rizwan's document and some other's. I have come up with a script that I believe can just be applied to each ASA. Keeping in mind that ASA1 is the hub (5512) and is running 9.1 software and ASA2 & ASA3 are (5505's) the spokes running 8.2 software. They will originate-only L2L tunnels back to ASA1. So I'd like to hear your thoughts/concerns. Attached script for your review.

Thank you,

Ken

Ken Mackay · ‎03-12-2015

Jon,

Ok I have a working config. ASA1 has built the tunnel to ASA2. However ASA3 has failed to come up yet. Getting closer.

Thanks,

Ken

Ken Mackay · ‎04-16-2015

John,

How are you these days? I'm contacting because you may be able to help. I have posted another discussion. "Administrative distance on ASA5505 continues to hold the value of 1 instead of 125 ?" I have yet to find anyone to repond? Perhaps if you have the time you could review. The configs and show routes are posted as well.

Thanks,

Ken

Jon Marshall · ‎03-02-2015

By the way "clear crypto iskamp" and "clear crypto ipsec sa" should bring the tunnels down.

Jon

Jon Marshall · ‎03-02-2015

Ken

I just did a bit of searching and I can confirm if the same key is used for both it will use the DefaultRAGroup because that is the first one that is checked after any specific tunnel groups.

I am wondering now why after changing the key it still is using it.

Can you make sure you clear the tunnels on both firewalls before you try to initiate a new connection.

Finally there is a command you can use to make the DefaultL2LGroup be used before the RA group.

Are you using the ASA 9.1 for any remote access VPNs ?

Jon

Jon Marshall · ‎03-02-2015

Ken

You are not by any chance using the same key for both remote access and L2L VPNs are you ?

Jon

Jon Marshall · ‎03-02-2015

The other thing I noticed is the ASA is using te DefaultRAGroup to match the incoming connection which is wrong as I far as I can see as it should be using the DefaultL2LGroup.

Not sure why at the moment.

Jon

Ken Mackay · ‎03-02-2015

Jon,

I also ran those commands on the ASA2. I hope it helps.

ASA2(config)# undebug all
ASA2(config)# debug crypto ipsec 127
ASA2(config)# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC977E9B8,
    SCB: 0xC977E5F8,
    Direction: inbound
    SPI      : 0x90B2EB94
    Session ID: 0x0014D000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC977E9B8,
    SCB: 0xC9770108,
    Direction: inbound
    SPI      : 0xBC848A5E
    Session ID: 0x0014E000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xC97703F0,
    Direction: inbound
    SPI      : 0xF3331429
    Session ID: 0x0014F000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xC977E460,
    Direction: inbound
    SPI      : 0x77E845EB
    Session ID: 0x00150000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xCA27A8D8,
    SCB: 0xC977E578,
    Direction: inbound
    SPI      : 0x5733A9BD
    Session ID: 0x00151000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

ASA2(config)# debug crypto ipsec 127
ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xCA27ABE0,
    Direction: inbound
    SPI      : 0x9E82B162
    Session ID: 0x0015A000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xC9770188,
    Direction: inbound
    SPI      : 0x3A6D528B
    Session ID: 0x0015B000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xC977E578,
    Direction: inbound
    SPI      : 0x984AEA1F
    Session ID: 0x0015C000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)#
ASA2(config)# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, Src=7.1.0.2:1, Dest=7.0.0.2:1
IPSEC(crypto_map_check)-5: Checking crypto map HQ2REMOTE 15: skipping dormant map.
IPSEC(crypto_map_check)-3: Checking crypto map HQ2REMOTE 15: matched.
IPSEC: New embryonic SA created @ 0xC9309C48,
    SCB: 0xC977E578,
    Direction: inbound
    SPI      : 0x231B7269
    Session ID: 0x0015D000
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

Thanks,

Ken

HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.