IPSec Remote-Access Client to Remote IPSec Network

tjserial1337
Level 1

Hello,

I've got the following problem.

We have two sites connected with an IPSec L2L VPN.

Site A: 192.168.13.0/24

Site B: 192.168.2.0/24

On both sites we have an ASA5505 (Base license) to terminate the tunnel.

On Site B we also have a remote-access VPN to which we can connect using the VPN client.

The LAN-to-LAN tunnel works fine, and so does the remote-access VPN.

Now I want to connect to Site A using my VPN client connected to Site B.

Configuration:

Site B:

same-security-traffic permit intra-interface

same-security-traffic permit inter-interface

object network nat

subnet 192.168.2.0

nat (inside,outside) dynamic interface

nat (inside,outside) source static 192.168.2.0 255.255.255.0 destination static 192.168.13.0 255.255.255.0

object network SITEB

subnet 192.168.2.0 255.255.255.0

object network VPNPOOLB

subnet 192.168.25.0 255.255.255.0

object-group network 10

object SITEB

object VPNPOOLB

access-list split1 standard permit ip 192.168.13.0

access-list split1 standard permit ip 192.168.2.0

ip local pool pool1 192.168.25.1-192.168.25.254 255.255.255.0

access-list L2L extended permit ip object-group 10 192.168.13.0 255.255.255.0

crypto map L2L 1 match address L2L

group-policy REMOTEACCESS

split-tunnel-network-list value split1

address-pool value pool1

Site A:

nat (inside,outside) source static 192.168.13.0 255.255.255.0 destination static 192.168.2.0 255.255.255.0

nat (inside,outside) source static 192.168.13.0 255.255.255.0 destination static 192.168.25.0 255.255.255.0

object network SITEB

subnet 192.168.2.0 255.255.255.0

object network VPNPOOLB

subnet 192.168.25.0 255.255.255.0

object-group network 10

object SITEB

object VPNPOOLB

access-list L2L extended permit ip 192.168.13.0 255.255.255.0 object-group 10

crypto map L2L 1 match address L2L

There are no vpn-filters or other special policies in place.

I tried to ping from my VPN client to Site A while I was debugging ipsec 255 on Site B:

The ASA matched the L2L tunnel for traffic sourced from 192.168.25.x to 192.168.13.x,

but when I do a show crypto ipsec sa detail there are no packets getting encrypted,

so of course no packets reach my ASA on Site A.

Everything but the connection from the client pool to Site A works fine.

regards

tj

1 Accepted Solution

Accepted Solutions

A couple of things:

1) Site B, crypto ACL is as follows:

access-list Lan2Lan extended permit ip object-group 192.168.13.0 255.255.255.0

--> does not look like it references any object-group in the access-list.

It should be:

access-list Lan2Lan extended permit ip object-group 10 192.168.13.0 255.255.255.0

2) It is also advisable to configure dynamic map with the lowest sequence number instead of the highest seq number within the crypto map. Currently your site A has the following:

crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 2 match address L2L

I would move the dynamic map to a lower sequence number as follows:

no crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 65000 ipsec-isakmp dynamic RemoteAccess

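Both points in the accepted answer come down to how the ASA selects a crypto map entry for a packet. The crypto ACL on each peer is expanded into (local, remote) proxy-ID pairs, and the remote peer must hold the exact mirror image of every pair, which is why 192.168.25.0/24 has to appear in the crypto ACL on both sides (through object-group 10 on Site B, through TUNNEL2B on Site A). An ACE that says `object-group` without naming one therefore produces no usable proxy IDs at all. Separately, the ASA walks crypto map entries in ascending sequence-number order, and a dynamic entry matches any peer, so it must carry the highest sequence number (the lowest priority), otherwise it shadows the static L2L entry whenever the other side initiates; the Site A debug posted later in the thread ("IKE Remote Peer configured for crypto map: RemoteAccess" followed by "All IPSec SA proposals found unacceptable!") shows exactly that, since the RemoteAccess dynamic map offers aes-256/sha while Site B proposes 3des/md5. The checker below is an added example and not code from the thread or from Cisco: the two config strings are constructed from the snippets posted above, the function names are this example's own, and the parser handles only the operand forms the thread uses (address/mask, `object`, `object-group`).

```python
import ipaddress  # stdlib only; the two configs below are constructed from the thread's snippets

SITE_A = """
object network SITEA
 subnet 192.168.13.0 255.255.255.0
object network POOLSITEB
 subnet 192.168.25.0 255.255.255.0
object network SITEB
 subnet 192.168.2.0 255.255.255.0
object-group network TUNNEL2B
 network-object object POOLSITEB
 network-object object SITEB
access-list L2L extended permit ip 192.168.13.0 255.255.255.0 object-group TUNNEL2B
crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess
crypto map RemoteAccessMap 2 match address L2L
"""
SITE_B_BROKEN = """
object network SITEB
 subnet 192.168.2.0 255.255.255.0
object network VPNPOOL
 subnet 192.168.25.0 255.255.255.0
object-group network 10
 network-object object VPNPOOL
 network-object object SITEB
access-list Lan2Lan extended permit ip object-group 192.168.13.0 255.255.255.0
crypto map LAN2LANMAP 1 match address Lan2Lan
crypto map LAN2LANMAP 2 ipsec-isakmp dynamic RADYNMAP
"""
SITE_B_FIXED = SITE_B_BROKEN.replace(  # both changes from the accepted answer applied
    "permit ip object-group 192.168.13.0", "permit ip object-group 10 192.168.13.0"
).replace("LAN2LANMAP 2 ipsec-isakmp", "LAN2LANMAP 65000 ipsec-isakmp")

def _cidr(addr, mask):
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def parse_config(text):
    """Collect network objects, object-groups, extended ACEs and crypto map entries."""
    cfg = {"objects": {}, "groups": {}, "acls": {}, "cmaps": {}}
    block = None  # the set being filled while inside an object / object-group
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] in ("object", "object-group") and tok[1] == "network":
            block = cfg["objects" if tok[0] == "object" else "groups"].setdefault(tok[2], set())
        elif tok[0] == "subnet" and block is not None:
            block.add(_cidr(tok[1], tok[2]))
        elif tok[0] == "network-object" and block is not None:
            block.update(cfg["objects"].get(tok[2], set()) if tok[1] == "object" else {_cidr(tok[1], tok[2])})
        elif tok[0] == "access-list" and "extended" in tok:
            cfg["acls"].setdefault(tok[1], []).append(tok[tok.index("extended") + 1:])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3].isdigit():
            entries, seq = cfg["cmaps"].setdefault(tok[2], {}), int(tok[3])
            entries[seq] = "dynamic" if "dynamic" in tok else entries.get(seq, "static")
    return cfg

def _operand(tok, i, cfg, errors):
    """Expand the operand at tok[i] (forms used in the thread: A M, object X, object-group X)."""
    if i + 1 >= len(tok):
        errors.append(f"ACE ends early at '{tok[i]}'")
        return set(), len(tok)
    kind, name = tok[i], tok[i + 1]
    if kind not in ("object", "object-group"):
        return {_cidr(kind, name)}, i + 2
    table = cfg["objects" if kind == "object" else "groups"]
    if name not in table:
        hint = " (looks like an address, not a name)" if name[0].isdigit() else ""
        errors.append(f"{kind} '{name}' is not defined{hint}")
        return set(), i + 2
    return set(table[name]), i + 2

def crypto_acl_pairs(cfg, acl_name, errors):
    """Expand a crypto ACL into the (local, remote) proxy-ID pairs IKE will negotiate."""
    pairs = set()
    for ace in (a for a in cfg["acls"].get(acl_name, []) if a[0] == "permit"):
        src, i = _operand(ace, 2, cfg, errors)  # ace[1] is the protocol keyword
        dst, _ = _operand(ace, i, cfg, errors) if i < len(ace) else (set(), i)
        pairs |= {(s, d) for s in src for d in dst}
    return pairs

def dynamic_map_misordered(cfg):
    """The ASA walks a crypto map in ascending seq; dynamic entries must sort after static ones."""
    out = []
    for name, entries in cfg["cmaps"].items():
        dyn = [s for s, k in entries.items() if k == "dynamic"]
        static = [s for s, k in entries.items() if k == "static"]
        if dyn and static and min(dyn) < max(static):
            out.append(f"crypto map {name}: dynamic seq {min(dyn)} sorts before static seq {max(static)}")
    return out

def audit(site_a, acl_a, site_b, acl_b):
    """Each side's crypto ACL must be the exact mirror image of the other's."""
    cfg_a, cfg_b, errors = parse_config(site_a), parse_config(site_b), []
    pairs_a = crypto_acl_pairs(cfg_a, acl_a, errors)
    mirror_b = {(r, l) for l, r in crypto_acl_pairs(cfg_b, acl_b, errors)}  # B's pairs seen from A
    return {"errors": errors,
            "missing_on_b": pairs_a - mirror_b,  # A will propose these and B has no entry for them
            "missing_on_a": mirror_b - pairs_a,
            "map_order": dynamic_map_misordered(cfg_a) + dynamic_map_misordered(cfg_b)}
```

Running `audit(SITE_A, "L2L", SITE_B_BROKEN, "Lan2Lan")` reports the malformed `object-group` reference, lists both of Site A's proxy-ID pairs (192.168.13.0/24 to 192.168.25.0/24 and to 192.168.2.0/24) as having no counterpart on Site B, and flags RemoteAccessMap because its dynamic entry at seq 1 sorts before the static L2L entry at seq 2. With `SITE_B_FIXED` the mirror check is clean and only the Site A ordering warning remains, which is the second change the accepted answer asks for. The same mirror-image rule applies to the NAT exemptions: a pair the crypto ACL proposes is only useful if the matching `nat ... source static ... destination static ...` rule keeps the pool addresses untranslated on both sides.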

9 Replies

Jennifer Halim
Cisco Employee

The configuration looks 100% correct.

Did you clear the L2L tunnel after you have made the configuration changes?

I have restarted both ASAs and then rebuilt the L2L and RA tunnel.

Is it possible that the ASA5505 with Base license is not capable of doing this?

No, base license should be able to perform that.

Can you please share the output of "show cry ipsec sa" from Site B ASA.

show crypto ipsec sa detail

Crypto map tag: LAN2LANMAP, seq num: 1, local addr:

      access-list Lan2Lan extended permit ip 192.168.2.0 255.255.255.0 192.168.13.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)

      current_peer:

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: /0, remote crypto endpt.: /0

      path mtu 1492, ipsec overhead 58, media mtu 1500

      current outbound spi: 3812DF50

      current inbound spi : 45BA5EC9

    inbound esp sas:

      spi: 0x45BA5EC9 (1169841865)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 4096, crypto-map: LAN2LANMAP

         sa timing: remaining key lifetime (kB/sec): (4373999/28536)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000001FF

    outbound esp sas:

      spi: 0x3812DF50 (940760912)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 4096, crypto-map: LAN2LANMAP

         sa timing: remaining key lifetime (kB/sec): (4373999/28536)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

debug cryp ipsec 255 (while I'm pinging a remote host at the other site from my VPN client)

Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.3, sport=3, daddr=192.168.13.3, dport=3

IPSEC(crypto_map_check)-3: Checking crypto map LAN2LANMAP 1: matched.

As I said earlier, the ASA matched the L2L tunnel for the traffic, but:

#pkts encaps: 8, #pkts encrypt: 8

the packets are not getting encrypted, as you can see in the show crypto ipsec sa output.

Edit:

I noticed another problem. When the tunnel drops it can only be re-established from Site A.

If I try to re-establish the tunnel from Site B, the ASA on A tells me that there is a "Phase 2 mismatch".

IKEv1 debugging capture from the ASA at Site A while B tries to establish the tunnel:

  Payload Security Association

    Next Payload: Nonce

    Reserved: 00

    Payload Length: 60

    DOI: IPsec

    Situation:(SIT_IDENTITY_ONLY)

    Payload Proposal

      Next Payload: None

      Reserved: 00

      Payload Length: 48

      Proposal #: 1

      Protocol-Id: PROTO_IPSEC_ESP

      SPI Size: 4

      # of transforms: 1

      SPI: 95 d7 eb 1f

      Payload Transform

        Next Payload: None

        Reserved: 00

        Payload Length: 36

        Transform #: 1

        Transform-Id: ESP_3DES

        Reserved2: 0000

        Life Type: Seconds

        Life Duration (Hex): 70 80

        Life Type: Kilobytes

        Life Duration (Hex): 00 46 50 00

        Encapsulation Mode: Tunnel

        Authentication Algorithm: MD5

ID_IPV4_ADDR_SUBNET ID received--192.168.13.0-255.255.255.0

Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.13.0, Mask 255.255.255.0, Protocol 0, Port 0

processing ID payload

ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0

Received local IP Proxy Subnet data in ID Payload:   Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0

processing notify payload

QM IsRekeyed old sa not found by addr

IKE Remote Peer configured for crypto map: RemoteAccess

processing IPSec SA payload

All IPSec SA proposals found unacceptable!

As soon as I try a ping from my inside A network to the B network, the tunnel is established again without any errors.

The proposals on both sites are the same: esp-3des esp-md5-hmac.

I've also tried other proposals with the same result.


Push

The output of "show cry ipsec sa" does not look correct. There is no SA created for the VPN client connection, nor is there any SA created between the VPN Client pool subnet and the Site A subnet. You should have an SA created between 192.168.25.0/24 and 192.168.13.0/24.

Can you please share the whole existing configuration from both sites, as well as get the LAN-to-LAN tunnel established between the 2 sites, then connect the VPN Client and try to access both site A and site B LAN, and lastly please share the output of "show cry ipsec sa" from both sites.

Okay, check this out:

As I mentioned in my last post, the ASA on Site B is not able to establish the tunnel because of phase 2 mismatches.

Now I have noticed that when I try to ping from my VPN client on Site B to Site A, the ASA on B wants to establish the SA for the remote-access pool B to the local network on A, and this procedure is continually failing with the exact same reason: All IPSec SA proposals found unacceptable!

Now, when I do a ping from the local A network to the VPN pool on Site B... boom, my remote client can reach Site A! AWESOME!

So the only problem is that my ASA on B cannot establish any SA with the ASA on A, but the other way works well.

Running config and logs:

SITE A RUNNING CONFIG:

ASA Version 8.4(2)

!

hostname ********

domain-name ********

enable password ******** encrypted

passwd ******** encrypted

names

dns-guard

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6


!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.13.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ******** 255.255.255.252

!

boot system disk0:/asa842-k8.bin

boot system disk0:/asa724-k8.bin

ftp mode passive

clock timezone CET 1

clock summer-time CEST date Mar 27 2011 3:00 Oct 30 2011 2:59

dns domain-lookup inside

dns server-group DefaultDNS

retries 3

timeout 3

expire-entry-timer minutes 10

name-server 192.168.13.5

domain-name dni.local

object network nat_policy

subnet 192.168.13.0 255.255.255.0

object network SITEA

subnet 192.168.13.0 255.255.255.0

object network POOLSITEA

subnet 10.210.100.0 255.255.255.0

object network POOLSITEB

subnet 192.168.25.0 255.255.255.0

object network SITEB

subnet 192.168.2.0 255.255.255.0

object-group network TUNNEL2B

network-object object POOLSITEB

network-object object SITEB

access-list SplitTunnel standard permit 192.168.13.0 255.255.255.0

access-list outside_in extended permit icmp any 192.168.13.0 255.255.255.0 echo

access-list outside_in extended permit icmp any 192.168.13.0 255.255.255.0 time-exceeded

access-list outside_in extended deny ip any any log

access-list inside_in extended deny ip 192.168.13.192 255.255.255.224 any log

access-list inside_in extended permit ip any any

access-list vpnfilter_ra extended permit ip 10.210.100.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list L2L extended permit ip 192.168.13.0 255.255.255.0 object-group TUNNEL2B

pager lines 24

logging enable

logging timestamp

logging buffer-size 1048576

logging asdm-buffer-size 512

logging console critical

logging monitor alerts

logging trap informational

logging asdm debugging

logging mail alerts

mtu inside 1500

mtu outside 1500

ip local pool RemoteAccessPool 10.210.100.1-10.210.100.254 mask 255.255.255.0

icmp unreachable rate-limit 10 burst-size 5

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static SITEA SITEA destination static POOLSITEA POOLSITEA

nat (inside,outside) source static SITEA SITEA destination static POOLSITEB POOLSITEB

nat (inside,outside) source static SITEA SITEA destination static SITEB SITEB

!

object network nat_policy

nat (inside,outside) dynamic interface

access-group inside_in in interface inside

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 ********* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

http server enable 443

http 192.168.13.0 255.255.255.0 inside

http redirect inside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set RemoteAccessTrans esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set Lan2LanTrans esp-3des esp-md5-hmac

crypto dynamic-map RemoteAccess 1 set ikev1 transform-set RemoteAccessTrans

crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 2 match address L2L

crypto map RemoteAccessMap 2 set peer *************

crypto map RemoteAccessMap 2 set ikev1 transform-set Lan2LanTrans

crypto map RemoteAccessMap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 43200

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 14400

telnet timeout 5

ssh scopy enable

ssh 192.168.13.0 255.255.255.0 inside

ssh timeout 15

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server **************

webvpn

group-policy RemoteAccessPolicy internal

group-policy RemoteAccessPolicy attributes

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout 720

vpn-filter value vpnfilter_ra

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

default-domain value **************

address-pools value RemoteAccessPool

group-policy L2LPOLICY internal

group-policy L2LPOLICY attributes

vpn-tunnel-protocol ikev1

username cadmin password ************ encrypted privilege 15

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

default-group-policy RemoteAccessPolicy

tunnel-group RemoteAccess ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group *********** type ipsec-l2l

tunnel-group *********** general-attributes

default-group-policy L2LPOLICY

tunnel-group *********** ipsec-attributes

ikev1 pre-shared-key *****

!

class-map match-everything

match any

class-map default-traffic

match default-inspection-traffic

!

!

policy-map default-inspection

class default-traffic

  inspect icmp

  inspect ftp

class match-everything

  set connection decrement-ttl

!

service-policy default-inspection global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8473b8f08f5f06f38d97e20ea3e3a9cd

RUNNING CONFIG SITE B:

ASA Version 8.4(2)

!

hostname *************

domain-name *************

enable password ****************** encrypted

passwd ****************** encrypted

names

dns-guard

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6


switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group HEAG

ip address pppoe setroute

!

interface Vlan100

no nameif

no security-level

no ip address

!

boot system disk0:/asa842-k8.bin

boot system disk0:/asa822-9-k8.bin

ftp mode passive

clock timezone CET 1

clock summer-time CEST date Mar 27 2011 3:00 Oct 30 2011 2:59

dns domain-lookup inside

dns server-group DefaultDNS

retries 3

timeout 3

expire-entry-timer minutes 10

poll-timer minutes 60

name-server *************

domain-name **************

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NAT

subnet 192.168.2.0 255.255.255.0

object network SITEB

subnet 192.168.2.0 255.255.255.0

object network SITEA

subnet 192.168.13.0 255.255.255.0

object network VPNPOOL

subnet 192.168.25.0 255.255.255.0

object-group network 10

network-object object VPNPOOL

network-object object SITEB

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended permit icmp any any time-exceeded

access-list outside_in extended deny ip any any log

access-list inside_in extended permit ip any any

access-list inside_in extended deny ip any any log

access-list Lan2Lan extended permit ip object-group 192.168.13.0 255.255.255.0

access-list SplitTunnel1 standard permit 192.168.13.0 255.255.255.0

access-list SplitTunnel1 standard permit 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging console warnings

logging monitor warnings

logging trap informational

logging asdm debugging

logging mail critical

mtu inside 1500

mtu outside 1492

ip local pool RemoteAccess 192.168.25.1-192.168.25.254 mask 255.255.255.0

icmp unreachable rate-limit 10 burst-size 5

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static SITEB SITEB destination static SITEA SITEA

nat (inside,outside) source static SITEB SITEB destination static VPNPOOL VPNPOOL

!

object network NAT

nat (inside,outside) dynamic interface

access-group inside_in in interface inside

access-group outside_in in interface outside

route inside 10.210.22.0 255.255.255.255 192.168.2.27 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

http server enable

http 10.210.21.0 255.255.255.0 inside

http redirect inside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set RemoteAccessSet esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set DIGINTRANS esp-3des esp-md5-hmac

crypto dynamic-map RADYNMAP 1 set ikev1 transform-set RemoteAccessSet

crypto map LAN2LANMAP 1 match address Lan2Lan

crypto map LAN2LANMAP 1 set peer *************

crypto map LAN2LANMAP 1 set ikev1 transform-set DIGINTRANS

crypto map LAN2LANMAP 2 ipsec-isakmp dynamic RADYNMAP

crypto map LAN2LANMAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 43200

telnet timeout 5

ssh scopy enable

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

vpdn group HEAG request dialout pppoe

vpdn group HEAG localname ***************

vpdn group HEAG ppp authentication chap

vpdn username ************* password *****

dhcpd lease 259200

!

dhcpd address 192.168.2.80-192.168.2.120 inside

dhcpd dns 192.168.2.7 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server ********** source outside prefer

webvpn

group-policy RemoteClientPolicy internal

group-policy RemoteClientPolicy attributes

dns-server value 192.168.2.7

vpn-simultaneous-logins 3

vpn-session-timeout 720

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel1

default-domain value *************

address-pools value RemoteAccess

group-policy LAN2LAN internal

group-policy LAN2LAN attributes

vpn-tunnel-protocol ikev1

username cadmin password ************* encrypted privilege 15

tunnel-group *********** type ipsec-l2l

tunnel-group ********** general-attributes

default-group-policy LAN2LAN

tunnel-group ************* ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group REMOTECLIENTS type remote-access

tunnel-group REMOTECLIENTS general-attributes

default-group-policy RemoteClientPolicy

tunnel-group REMOTECLIENTS ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7e891f089d0898e60cb3eeced9c0f73e

: end

SHOW SA SITE A:

show crypto ipsec sa detail

interface: outside

    Crypto map tag: RemoteAccessMap, seq num: 2, local addr: **********

      access-list L2L extended permit ip 192.168.13.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: *****************

      #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24

      #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 24, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: **********/0, remote crypto endpt.: ***************/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: E8E20FEE

      current inbound spi : E7FC0E8A

    inbound esp sas:

      spi: 0xE7FC0E8A (3892055690)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 3735552, crypto-map: RemoteAccessMap

         sa timing: remaining key lifetime (kB/sec): (4373998/27764)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x007FFFFF

    outbound esp sas:

      spi: 0xE8E20FEE (3907129326)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 3735552, crypto-map: RemoteAccessMap

         sa timing: remaining key lifetime (kB/sec): (4373998/27764)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: RemoteAccess, seq num: 1, local addr: ************

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.210.100.4/255.255.255.255/0/0)

      current_peer: *************, username: cadmin

      dynamic allocated peer ip: 10.210.100.4

      #pkts encaps: 509, #pkts encrypt: 509, #pkts digest: 509

      #pkts decaps: 533, #pkts decrypt: 533, #pkts verify: 533

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 509, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: *********/4500, remote crypto endpt.: ***************/56488

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 561758C9

      current inbound spi : ABA08050

    inbound esp sas:

      spi: 0xABA08050 (2879422544)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 3747840, crypto-map: RemoteAccess

         sa timing: remaining key lifetime (sec): 28722

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x561758C9 (1444370633)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 3747840, crypto-map: RemoteAccess

         sa timing: remaining key lifetime (sec): 28722

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

show cryp sa SITE B:

show crypto ipsec sa detail

interface: outside

    Crypto map tag: RADYNMAP, seq num: 1, local addr: ***************

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.25.1/255.255.255.255/0/0)

      current_peer: ************, username: cadmin

      dynamic allocated peer ip: 192.168.25.1

      #pkts encaps: 4145, #pkts encrypt: 4145, #pkts digest: 4145

      #pkts decaps: 5031, #pkts decrypt: 5031, #pkts verify: 5031

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 4145, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: ************/4500, remote crypto endpt.: *************/53105

      path mtu 1492, ipsec overhead 82, media mtu 1500

      current outbound spi: EF484663

      current inbound spi : 1E8903F2

    inbound esp sas:

      spi: 0x1E8903F2 (512295922)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 3518464, crypto-map: RADYNMAP

         sa timing: remaining key lifetime (sec): 28029

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xEF484663 (4014491235)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 3518464, crypto-map: RADYNMAP

         sa timing: remaining key lifetime (sec): 28029

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

         0x00000000 0x00000001

    Crypto map tag: LAN2LANMAP, seq num: 1, local addr: **************

      access-list Lan2Lan extended permit ip 192.168.2.0 255.255.255.0 192.168.13.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)

      current_peer: ****************

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10

      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: ***********/0, remote crypto endpt.: *************/0

      path mtu 1492, ipsec overhead 58, media mtu 1500

      current outbound spi: E7FC0E8A

      current inbound spi : E8E20FEE

    inbound esp sas:

      spi: 0xE8E20FEE (3907129326)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 3522560, crypto-map: LAN2LANMAP

         sa timing: remaining key lifetime (kB/sec): (3914999/28412)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000007FF

    outbound esp sas:

      spi: 0xE7FC0E8A (3892055690)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 3522560, crypto-map: LAN2LANMAP

         sa timing: remaining key lifetime (kB/sec): (3914999/28412)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

debug ipsec 255 while pinging with RA-Client (SITEB):

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.1, sport=256, daddr=192.168.13.5, dport=256

IPSEC(crypto_map_check)-3: Checking crypto map LAN2LANMAP 1: matched.

IPSEC: Received a PFKey message from IKE

IPSEC: Parsing PFKey GETSPI message

IPSEC: Creating IPsec SA

IPSEC: Getting the inbound SPI

IPSEC: New embryonic SA created @ 0xd987dd28,

    SCB: 0xD9865838,

    Direction: inbound

    SPI      : 0xCAFF153F

    Session ID: 0x0035C000

    VPIF num  : 0x00000003

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.1, sport=256, daddr=192.168.13.5, dport=256

IPSEC(crypto_map_check)-3: Checking crypto map LAN2LANMAP 1: matched.

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.1, sport=256, daddr=192.168.13.5, dport=256

IPSEC(crypto_map_check)-3: Checking crypto map LAN2LANMAP 1: matched.

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.25.1, sport=256, daddr=192.168.13.5, dport=256

IPSEC(crypto_map_check)-3: Checking crypto map LAN2LANMAP 1: matched.

IPSEC: Received a PFKey message from IKE

IPSEC: Destroy current inbound SPI: 0xCAFF153F

Logfile on ASA A while pinging with RA-Client from VPNPOOL on B:

|Oct 05 2011 15:59:36|714003: IP = *****, IKE Responder starting QM: msg id = 6893a6ce

7|Oct 05 2011 15:59:36|713236: IP = ****, IKE_DECODE RECEIVED Message (msgid=6893a6ce) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164

7|Oct 05 2011 15:59:36|715047: Group = ***, IP = ***, processing hash payload

7|Oct 05 2011 15:59:36|715047: Group = *****, IP = ***, processing SA payload

7|Oct 05 2011 15:59:36|715047: Group = *****, IP = ***, processing nonce payload

7|Oct 05 2011 15:59:36|715047: Group = ***, IP = ***, processing ID payload

7|Oct 05 2011 15:59:36|714011: Group = ***, IP = ***, ID_IPV4_ADDR_SUBNET ID received--192.168.25.0--255.255.255.0

7|Oct 05 2011 15:59:36|713035: Group = ***, IP = ***, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.25.0, Mask 255.255.255.0, Protocol 0, Port 0

7|Oct 05 2011 15:59:36|715047: Group = ***, IP = ***, processing ID payload

7|Oct 05 2011 15:59:36|714011: Group = ***, IP = ***, ID_IPV4_ADDR_SUBNET ID received--192.168.13.0--255.255.255.0

7|Oct 05 2011 15:59:36|713034: Group = ***, IP = ***, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.13.0, Mask 255.255.255.0, Protocol 0, Port 0

7|Oct 05 2011 15:59:36|713906: Group = ***, IP = ***, QM IsRekeyed old sa not found by addr

7|Oct 05 2011 15:59:36|713066: Group = ***, IP = ***, IKE Remote Peer configured for crypto map: RemoteAccess

7|Oct 05 2011 15:59:36|715047: Group = ***, IP = ***, processing IPSec SA payload

5|Oct 05 2011 15:59:36|713904: Group = ***, IP = ***, All IPSec SA proposals found unacceptable!

7|Oct 05 2011 15:59:36|713906: Group = ***, IP = ***, sending notify message

7|Oct 05 2011 15:59:36|715046: Group = ***, IP = ***, constructing blank hash payload

7|Oct 05 2011 15:59:36|713906: Group = ***, IP = ***, constructing ipsec notify payload for msg id 6893a6ce

7|Oct 05 2011 15:59:36|715046: Group = ***, IP = ***, constructing qm hash payload

7|Oct 05 2011 15:59:36|713236: IP = ***, IKE_DECODE SENDING Message (msgid=5be432ac) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

3|Oct 05 2011 15:59:36|713902: Group = ***, IP = ***, QM FSM error (P2 struct &0xd9bf5660, mess id 0x6893a6ce)!

7|Oct 05 2011 15:59:36|715065: Group = ***, IP = ***, IKE QM Responder FSM error history (struct &0xd9bf5660)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

7|Oct 05 2011 15:59:36|713906: Group = ***, IP = ***, sending delete/delete with reason message

3|Oct 05 2011 15:59:36|713902: Group = ***, IP = ***, Removing peer from correlator table failed, no match!

7|Oct 05 2011 15:59:37|715036: Group = ***, IP = ***, Sending keep-alive of type DPD R-U-THERE (seq number 0x20198062)

7|Oct 05 2011 15:59:37|715046: Group = ***, IP = ***, constructing blank hash payload

7|Oct 05 2011 15:59:37|715046: Group = ***, IP = ***, constructing qm hash payload

7|Oct 05 2011 15:59:37|713236: IP = ***, IKE_DECODE SENDING Message (msgid=9d79aa5e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

7|Oct 05 2011 15:59:37|713236: IP = ***, IKE_DECODE RECEIVED Message (msgid=f72c1210) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

7|Oct 05 2011 15:59:37|715047: Group = ***, IP = ***, processing hash payload

7|Oct 05 2011 15:59:37|715047: Group = ***, IP = ***, processing notify payload

7|Oct 05 2011 15:59:37|715075: Group = ***, IP = ***, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x20198062)

Why isn't my ASA on B able to establish an SA with A?

Thanks for your support.

TJ

A couple of things:

1) Site B, crypto ACL is as follows:

access-list Lan2Lan extended permit ip object-group 192.168.13.0 255.255.255.0

--> does not look like it references any object-group in the access-list.

It should be:

access-list Lan2Lan extended permit ip object-group 10 192.168.13.0 255.255.255.0

2) It is also advisable to configure dynamic map with the lowest sequence number instead of the highest seq number within the crypto map. Currently your site A has the following:

crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 2 match address L2L

I would move the dynamic map to a lower sequence number as follows:

no crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 65000 ipsec-isakmp dynamic RemoteAccess

Jennifer Halim wrote:

2) It is also advisable to configure dynamic map with the lowest sequence number instead of the highest seq number within the crypto map. Currently your site A has the following:

crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 2 match address L2L

I would move the dynamic map to a lower sequence number as follows:

no crypto map RemoteAccessMap 1 ipsec-isakmp dynamic RemoteAccess

crypto map RemoteAccessMap 65000 ipsec-isakmp dynamic RemoteAccess

Thank you!

Because of the low-numbered dynamic map, my ASA on A associated every incoming SA with the RA map, which surely didn't work very well...

Problem solved.
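A model of the two fixes discussed in this thread, as an added example that is not code from the thread or from Cisco: it parses the Site A crypto ACL (rejecting an `object-group` reference that has no group name, the defect from point 1) and walks a crypto map in sequence order, so that with the dynamic entry at seq 1 the Quick Mode proxy IDs 192.168.13.0/24 <-> 192.168.25.0/24 land on it, while with the dynamic entry at seq 65000 they reach the static L2L entry at seq 2. The in-sequence-order matching rule and the object-group contents are modelled from the posts above, not taken from ASA source.

```python
import ipaddress

# Constructed model of Site A from this thread (example, not Cisco code):
OBJECT_GROUPS = {
    "10": [ipaddress.ip_network("192.168.2.0/24"),
           ipaddress.ip_network("192.168.25.0/24")],
}

def _take_term(toks):
    """Consume one ACL address term, 'object-group NAME' or 'NET MASK'.
    A bare 'object-group' followed by an address has no group name: rejected."""
    if toks[0] == "object-group":
        if len(toks) < 2 or toks[1] not in OBJECT_GROUPS:
            raise ValueError(f"object-group without a known name: {toks[:2]}")
        return OBJECT_GROUPS[toks[1]], toks[2:]
    return [ipaddress.ip_network(f"{toks[0]}/{toks[1]}")], toks[2:]

def parse_crypto_acl(line):
    """Parse 'access-list NAME extended permit ip SRC DST' -> (src, dst)."""
    toks = line.split()
    if toks[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL syntax: {line}")
    src, rest = _take_term(toks[5:])
    dst, rest = _take_term(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {rest}")
    return src, dst

def acl_permits(acl, local_net, remote_net):
    """True if some line covers the local/remote proxy IDs offered in QM."""
    return any(any(local_net.subnet_of(n) for n in src) and
               any(remote_net.subnet_of(n) for n in dst) for src, dst in acl)

def select_crypto_map_entry(crypto_map, local_cidr, remote_cidr):
    """Walk entries in sequence order as the thread describes: a dynamic entry
    matches any peer, a static one only if its crypto ACL permits the proxy IDs."""
    local_net = ipaddress.ip_network(local_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)
    for seq, entry in sorted(crypto_map, key=lambda e: e[0]):
        if entry == "dynamic" or acl_permits(entry, local_net, remote_net):
            return seq
    return None

SITE_A_L2L = [parse_crypto_acl(
    "access-list L2L extended permit ip 192.168.13.0 255.255.255.0 object-group 10")]
# Before the fix: the dynamic map at seq 1 shadows the static L2L entry at seq 2.
BROKEN_MAP = [(1, "dynamic"), (2, SITE_A_L2L)]
# After the fix: dynamic map at seq 65000, so the static entry is tried first.
FIXED_MAP = [(2, SITE_A_L2L), (65000, "dynamic")]
```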