12-24-2012 09:06 PM - edited 02-21-2020 06:34 PM
Hi There,
I am having a weird issue creating a tunnel between an ASA and a Cisco router. Both devices are behind NAT devices with all the correct port forwardings, but for some reason they are not establishing a VPN connection.
Any suggestion / help is appreciated. Thanks in advance.
---Router Config---
Building configuration...
Current configuration : 3784 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
!
aaa session-id common
no ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-2050611130
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2050611130
revocation-check none
rsakeypair TP-self-signed-2050611130
!
!
crypto pki certificate chain TP-self-signed-2050611130
certificate self-signed 01
30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303530 36313131 3330301E 170D3132 31323231 32303031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353036
31313133 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A002 84283B6A C3CD910A 5E17865A 22C3A93D 4207D6E9 C18AF47F E217FD14
6EA8B43B CA762D78 400412F0 21CA4510 60614A2A 859A2C9F 8FA2E435 A65D354A
C145FAAF 3E2B8ED9 8221AD32 C99DE542 212762AA 2594708C 4DF7DAEA 240F4C65
A780A7B6 A3302962 9FF08EA6 B70AC3EC 7935716A 225BA2A2 7E13C24E 5FBB9F42
E2750203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
551D1104 0E300C82 0A56504E 5F526F75 74657230 1F060355 1D230418 30168014
22F277B3 96CF5C93 F8ABB16E 595AA22F DA653D18 301D0603 551D0E04 16041422
F277B396 CF5C93F8 ABB16E59 5AA22FDA 653D1830 0D06092A 864886F7 0D010104
05000381 810063CB 96D23E60 DABD9E16 17ED39E5 A040B82E 7377FDB8 662223A6
1EA0807A C79520C4 9DBC1B2C 58E7F9E1 B9D94331 E202C58A 4E05F326 83B59F58
AF1E333D 1B4E025D B81E9FDA 29883217 6971E9FC BA74A6EE 9BE328A2 338138BD
301F8D67 3BD76E0A 26EA4676 169F789B 675C3C6A BFD69AD0 E490C354 1BC7047A
E157B5C8 A5FC
quit
!
!
controller DSL 0/0/0
line-term cpe
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ******* address 203.109.197.XXX no-xauth
!
!
crypto ipsec transform-set rtpset esp-3des esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 203.109.197.XXX
set security-association lifetime seconds 28800
set transform-set rtpset
match address 115
!
!
!
interface FastEthernet0/0
ip address 10.0.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.100.253 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map rtp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.254
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.1.100 7777 interface FastEthernet0/1 7777
ip nat inside source static tcp 10.0.1.100 8888 interface FastEthernet0/1 8888
!
access-list 10 permit 203.109.197.XXX log
access-list 101 remark NAT Traffic
access-list 101 deny ip 10.0.1.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 115 permit ip 10.0.1.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 115 deny ip 10.0.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 101
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
!
scheduler allocate 20000 1000
end
---//Router Config End---
---ASA Config---
ASA Version 8.3(2)
!
hostname CKFWAKL01
domain-name none.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.254.253.254 255.255.255.252
!
interface Vlan100
nameif outside
security-level 0
ip address 10.254.254.253 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ciscokid.co.nz
object network Internal
subnet 172.16.0.0 255.240.0.0
object network NETWORK_OBJ_10.0.1.0_24
subnet 10.0.1.0 255.255.255.0
object network NETWORK_OBJ_172.31.1.0_24
subnet 172.31.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.31.1.0_24 NETWORK_OBJ_172.31.1.0_24 destination static NETWORK_OBJ_10.0.1.0_24 NETWORK_OBJ_10.0.1.0_24
!
object network Internal
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.254.254 1
route inside 172.16.0.0 255.240.0.0 10.254.253.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 8443
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.109.197.YYY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 203.109.197.YYY type ipsec-l2l
tunnel-group 203.109.197.YYY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d0751c2cc360dfc9b7ae54635dd38585
: end
[OK]
---//ASA Config End---
Debug on the router:
*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:16:33.403: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:16:34.667: del_node src 192.168.100.253:500 dst 203.109.197.XXX:500 fvrf 0x0, ivrf 0x0
*Dec 24 23:16:34.667: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 203.109.197.XXX)
*Dec 24 23:16:34.671: del_node src 192.168.100.253:500 dst 203.109.197.XXX:500 fvrf 0x0, ivrf 0x0
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 203.109.197.XXX)
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting node -221444746 error FALSE reason "IKE deleted"
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Dec 24 23:16:39.395: ISAKMP: local port 500, remote port 500
*Dec 24 23:16:39.395: ISAKMP: set new node 0 to QM_IDLE
*Dec 24 23:16:39.395: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63D3F414
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 203.109.197.XXX
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:16:49.395: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:16:59.395: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:09.391: ISAKMP: set new node 0 to QM_IDLE
*Dec 24 23:17:09.391: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 192.168.100.253, remote 203.109.197.XXX)
*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:17:09.395: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:13.319: ISAKMP:(0:0:N/A:0):purging node -2117718654
*Dec 24 23:17:13.319: ISAKMP:(0:0:N/A:0):purging node -908425583
*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:17:19.395: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:23.319: ISAKMP:(0:0:N/A:0):purging SA., sa=63396DC8, delme=63396DC8
*Dec 24 23:17:24.671: ISAKMP:(0:0:N/A:0):purging node -221444746
*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Dec 24 23:17:29.395: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:34.671: ISAKMP:(0:0:N/A:0):purging SA., sa=63D4B490, delme=63D4B490
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 203.109.197.XXX)
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 203.109.197.XXX)
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting node -856967187 error FALSE reason "IKE deleted"
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting node -163150498 error FALSE reason "IKE deleted"
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Thanks again...
12-25-2012 04:13 AM
Hi,
- The configuration looks fine.
- We can clearly see from the debug that the MM1 message is being retransmitted, so that packet is being blocked/dropped somewhere.
Some questions which might help you:
- Do you have udp/500 and udp/4500 allowed along the path in both directions?
- Is it a static - bi-directional NAT?
- Do we receive something on the ASA?
I suggest to:
- collect debugs on the ASA
- collect captures on the ASA to verify if you receive the MM1 packet from the IOS (capture ISAKMP type isakmp interface outside)
Pawel
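The reading of the debug given above (MM1 sent, nothing received, retransmit counter exhausted) can be mechanised. The following is an added example, not code from the original post or from Cisco: it parses lines in the shape of the IOS "debug crypto isakmp" output quoted in the thread, groups them per peer and classifies the outcome. The sample trace is a constructed subset of the poster's own debug lines; the "received packet from" pattern is an assumption about the shape of the inbound-packet line, and the verdict strings are the author's troubleshooting shorthand.

```python
"""Classify an IOS 'debug crypto isakmp' trace for an IKEv1 site-to-site peer."""
import re
from collections import defaultdict

# Constructed sample: a subset of the router debug lines quoted in the post
# (peer address masked exactly as the poster masked it).
SAMPLE_DEBUG = """\
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 203.109.197.XXX
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:16:49.395: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:16:59.395: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:09.395: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:19.395: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:29.395: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

PEER_HINT = re.compile(r"pre-shared key matching (\S+)")
SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\w+)")
RECV = re.compile(r"received packet from (\S+)")  # assumed shape of the inbound line
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
STATE = re.compile(r"Old State = (\w+) New State = (\w+)")

# Human-readable meaning of each verdict (author's shorthand, not IOS text).
VERDICTS = {
    "phase1_complete": "phase 1 completed; look at phase 2 / crypto ACL mirroring next",
    "no_reply_to_mm1": "MM1 sent repeatedly, nothing received: udp/500 is not reaching the "
                       "peer or its reply is not coming back (check the NAT port forwards in "
                       "both directions and capture on the far side)",
    "stuck_after_reply": "peer answered but phase 1 never completed: suspect proposal, "
                         "pre-shared key or identity mismatch rather than reachability",
    "unknown": "not enough evidence in the trace",
}


def new_peer_record():
    return {"sent": 0, "recv": 0, "retransmit_attempts": 0, "retransmit_limit": 0,
            "last_send_state": None, "states": [], "ports": set()}


def parse_isakmp_debug(text):
    """Group the debug lines by peer address and summarise what happened."""
    peers = defaultdict(new_peer_record)
    current = None  # lines that carry no address belong to the last peer named
    for line in text.splitlines():
        m = PEER_HINT.search(line)
        if m:
            current = m.group(1)
            peers[current]  # create the record
            continue
        m = SENT.search(line)
        if m:
            current = m.group(1)
            rec = peers[current]
            rec["sent"] += 1
            rec["ports"].add((int(m.group(2)), int(m.group(3))))  # 4500 here means NAT-T
            rec["last_send_state"] = m.group(5)
            continue
        m = RECV.search(line)
        if m:
            current = m.group(1)
            peers[current]["recv"] += 1
            continue
        if current is None:
            continue
        m = RETRANS.search(line)
        if m:
            rec = peers[current]
            rec["retransmit_attempts"] = max(rec["retransmit_attempts"], int(m.group(1)))
            rec["retransmit_limit"] = int(m.group(2))
            continue
        m = STATE.search(line)
        if m:
            peers[current]["states"].append(m.group(2))
    return dict(peers)


def diagnose(rec):
    """Map one peer record to a verdict key from VERDICTS."""
    if "IKE_P1_COMPLETE" in rec["states"]:
        return "phase1_complete"
    if (rec["recv"] == 0 and rec["retransmit_attempts"] > 0
            and rec["last_send_state"] == "MM_NO_STATE"):
        return "no_reply_to_mm1"
    if rec["recv"] > 0:
        return "stuck_after_reply"
    return "unknown"


if __name__ == "__main__":
    for peer, rec in parse_isakmp_debug(SAMPLE_DEBUG).items():
        v = diagnose(rec)
        print(f"{peer}: sent={rec['sent']} recv={rec['recv']} "
              f"retransmits={rec['retransmit_attempts']}/{rec['retransmit_limit']} -> {v}")
        print("  " + VERDICTS[v])
```

Run it against the full debug (paste the router output into SAMPLE_DEBUG or read it from a file): the verdict for the masked peer is "no_reply_to_mm1", which is exactly the reachability question the reply above raises. A capture on the ASA ("capture ISAKMP type isakmp interface outside") then shows whether MM1 arrives at all, or arrives and the MM2 reply is what gets lost on the way back.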
12-25-2012 03:08 PM
Hello.
I think you have a problem in the ASA configuration. Here's the reason:
"access-group outside_access_in in interface outside"
You're applying the ACL outside_access_in to your outside interface, but there is no such ACL present in your ASA config, so I think packets are dropped.
Try to permit your VPN traffic or the public IP of the router in the outside ACL on the ASA. (Not sure which one will work for you.)
12-25-2012 03:26 PM
Jiri Zvolanek wrote:
Hello.
I think you have a problem in the ASA configuration. Here's the reason:
"access-group outside_access_in in interface outside"
You're applying the ACL outside_access_in to your outside interface, but there is no such ACL present in your ASA config, so I think packets are dropped.
Try to permit your VPN traffic or the public IP of the router in the outside ACL on the ASA. (Not sure which one will work for you.)
As long as the default 'sysopt connection permit-vpn' is in place, the VPN traffic will be allowed regardless of the inbound ACL.
Either the ASA is not receiving the MM1, or after the ASA replies with MM2 the reply gets dropped somewhere. All in all, I suggest collecting captures or debugs.
Pawel
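The two replies above disagree about whether the dangling "access-group outside_access_in" matters, and the answer turns on a setting that is not visible in the posted config: "sysopt connection permit-vpn" is on by default on the ASA and only its negation ("no sysopt connection permit-vpn") appears in "show running-config". The following is an added example, not code from the thread or from Cisco: a small static linter for the IKEv1 site-to-site parts of an ASA 8.3 configuration that reports access-groups referencing undefined ACLs, crypto-map entries whose ACL, transform set, peer tunnel-group or interface binding is missing, and whether decrypted VPN traffic will be subject to the interface ACLs. The sample config is a constructed excerpt of the one in the original post; the severity labels and message wording are the author's.

```python
"""Static checks for the IKEv1 site-to-site pieces of an ASA 8.3 running-config."""
import re

# Constructed excerpt of the ASA configuration posted in the thread.  The
# second access-group line names an ACL that is never defined.
ASA_CONFIG = """\
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.109.197.YYY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 203.109.197.YYY type ipsec-l2l
tunnel-group 203.109.197.YYY ipsec-attributes
 pre-shared-key *****
"""

ACL = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
TRANSFORM_SET = re.compile(r"^crypto ipsec transform-set (\S+) ")
CMAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")
CMAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
ISAKMP_IFACE = re.compile(r"^crypto isakmp enable (\S+)")
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) type (\S+)")
NO_SYSOPT = "no sysopt connection permit-vpn"


def lint_asa_vpn(config):
    """Return {'findings': [(severity, message), ...], 'sysopt_permit_vpn': bool}."""
    acls, tsets, access_groups = set(), set(), []
    cmaps, cmap_ifaces, isakmp_ifaces, l2l_groups = {}, {}, set(), set()
    sysopt_permit_vpn = True  # ASA default; only the 'no' form shows in 'show run'
    for raw in config.splitlines():
        line = raw.strip()
        if line == NO_SYSOPT:
            sysopt_permit_vpn = False
        elif ACL.match(line):
            acls.add(ACL.match(line).group(1))
        elif ACCESS_GROUP.match(line):
            access_groups.append(ACCESS_GROUP.match(line).groups())
        elif TRANSFORM_SET.match(line):
            tsets.add(TRANSFORM_SET.match(line).group(1))
        elif CMAP_ENTRY.match(line):
            name, seq, key, value = CMAP_ENTRY.match(line).groups()
            cmaps.setdefault((name, seq), {})[key] = value.split()
        elif CMAP_IFACE.match(line):
            name, iface = CMAP_IFACE.match(line).groups()
            cmap_ifaces[name] = iface
        elif ISAKMP_IFACE.match(line):
            isakmp_ifaces.add(ISAKMP_IFACE.match(line).group(1))
        elif TUNNEL_GROUP.match(line):
            tg, kind = TUNNEL_GROUP.match(line).groups()
            if kind == "ipsec-l2l":
                l2l_groups.add(tg)

    findings = []
    for acl, iface in access_groups:
        if acl not in acls:
            findings.append(("error", f"access-group on {iface} references undefined ACL {acl}"))
    for (name, seq), entry in cmaps.items():
        for acl in entry.get("match address", []):
            if acl not in acls:
                findings.append(("error", f"crypto map {name} {seq} matches undefined ACL {acl}"))
        for ts in entry.get("set transform-set", []):
            if ts not in tsets:
                findings.append(("error", f"crypto map {name} {seq} uses undefined transform-set {ts}"))
        for peer in entry.get("set peer", []):
            if peer not in l2l_groups:
                findings.append(("error", f"no 'tunnel-group {peer} type ipsec-l2l' for crypto map {name} {seq}"))
        iface = cmap_ifaces.get(name)
        if iface is None:
            findings.append(("error", f"crypto map {name} is not applied to any interface"))
        elif iface not in isakmp_ifaces:
            findings.append(("error", f"isakmp is not enabled on {iface}, where crypto map {name} is applied"))
    if not sysopt_permit_vpn:
        findings.append(("warning", "sysopt connection permit-vpn is disabled: decrypted VPN "
                                    "traffic is subject to the interface ACLs"))
    return {"findings": findings, "sysopt_permit_vpn": sysopt_permit_vpn}


if __name__ == "__main__":
    result = lint_asa_vpn(ASA_CONFIG)
    print(f"sysopt connection permit-vpn: {'on' if result['sysopt_permit_vpn'] else 'off'}")
    for severity, msg in result["findings"]:
        print(f"{severity}: {msg}")
```

On the posted config the only finding is the undefined outside_access_in, and sysopt permit-vpn is reported on. That matches the second reply: the missing ACL is worth cleaning up, but it does not explain a phase 1 that never gets a reply, because IKE and ESP addressed to the ASA's own outside interface are to-the-box traffic rather than through traffic, and decrypted tunnel traffic bypasses the interface ACL while the sysopt is on. Feed the linter "show running-config all" output and the sysopt line becomes explicit either way.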