Issue with VPN between router and ASA

admins0011111
Level 1

Hi all,

I have a Cisco 7301 and a Cisco ASA 5512X with IPsec between them.

But recently the VPN started failing all the time.

Cisco 7301 (1.1.1.1):

Oct 28 07:14:00.271: ISAKMP (0:1357): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE      
Oct 28 07:14:00.271: ISAKMP: set new node 1927194918 to QM_IDLE      
Oct 28 07:14:00.271: ISAKMP:(1357): processing HASH payload. message ID = 1927194918
Oct 28 07:14:00.271: ISAKMP:(1357): processing SA payload. message ID = 1927194918
Oct 28 07:14:00.271: ISAKMP:(1357):Checking IPSec proposal 1
Oct 28 07:14:00.271: ISAKMP: transform 1, ESP_AES
Oct 28 07:14:00.271: ISAKMP:   attributes in transform:
Oct 28 07:14:00.271: ISAKMP:      SA life type in seconds
Oct 28 07:14:00.271: ISAKMP:      SA life duration (basic) of 28800
Oct 28 07:14:00.271: ISAKMP:      SA life type in kilobytes
Oct 28 07:14:00.271: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 28 07:14:00.271: ISAKMP:      encaps is 1 (Tunnel)
Oct 28 07:14:00.271: ISAKMP:      authenticator is HMAC-SHA
Oct 28 07:14:00.271: ISAKMP:      group is 2
Oct 28 07:14:00.271: ISAKMP:      key length is 128
Oct 28 07:14:00.271: ISAKMP:(1357):atts are acceptable.
Oct 28 07:14:00.271: IPSEC(validate_proposal_request): proposal part #1
Oct 28 07:14:00.271: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 192.168.0.0/255.255.248.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.248.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: map_db_find_best did not find matching map
Oct 28 07:14:00.271: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.271: ISAKMP:(1357): processing NONCE payload. message ID = 1927194918
Oct 28 07:14:00.271: ISAKMP:(1357): processing KE payload. message ID = 1927194918
Oct 28 07:14:00.287: ISAKMP:(1357): processing ID payload. message ID = 1927194918
Oct 28 07:14:00.287: ISAKMP:(1357): processing ID payload. message ID = 1927194918
Oct 28 07:14:00.287: ISAKMP:(1357):QM Responder gets spi
Oct 28 07:14:00.287: ISAKMP:(1357):Node 1927194918, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 28 07:14:00.287: ISAKMP:(1357):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Oct 28 07:14:00.287: ISAKMP:(1357): Creating IPSec SAs
Oct 28 07:14:00.287:         inbound SA from 2.2.2.2 to 1.1.1.1 (f/i)  0/ 0
        (proxy 172.16.0.0 to 192.168.0.0)
Oct 28 07:14:00.287:         has spi 0xD95E070 and conn_id 0
Oct 28 07:14:00.287:         lifetime of 28800 seconds
Oct 28 07:14:00.287:         lifetime of 4608000 kilobytes
Oct 28 07:14:00.287:         outbound SA from 1.1.1.1 to 2.2.2.2 (f/i) 0/0
        (proxy 192.168.0.0 to 172.16.0.0)
Oct 28 07:14:00.287:         has spi  0x51F74D18 and conn_id 0
Oct 28 07:14:00.287:         lifetime of 28800 seconds
Oct 28 07:14:00.287:         lifetime of 4608000 kilobytes
Oct 28 07:14:00.287: ISAKMP:(1357): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE      
Oct 28 07:14:00.287: ISAKMP:(1357):Node 1927194918, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Oct 28 07:14:00.287: ISAKMP:(1357):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Oct 28 07:14:00.287: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: map_db_find_best did not find matching map
Oct 28 07:14:00.287: Crypto mapdb : proxy_match
src addr     : 192.168.0.0
dst addr     : 172.16.0.0
protocol     : 0
src port     : 0
dst port     : 0
Oct 28 07:14:00.287: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2.2.2.2
Oct 28 07:14:00.287: IPSec: Flow_switching Allocated flow for sibling 8000816A
Oct 28 07:14:00.287: IPSEC(create_sa): sa created,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0xD95E070(227926128),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 415
Oct 28 07:14:00.287: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x51F74D18(1375161624),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 416
Oct 28 07:14:00.287: IPSEC(early_age_out_sibling): sibling outbound SPI 46659F04 expiring in 30 seconds
Oct 28 07:14:00.287: ISAKMP: set new node -1018030525 to QM_IDLE      
Oct 28 07:14:00.287: ISAKMP:(1357): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE      
Oct 28 07:14:00.287: ISAKMP:(1357):purging node -1018030525
Oct 28 07:14:00.287: ISAKMP:(1357):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Oct 28 07:14:00.287: ISAKMP:(1357):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Oct 28 07:14:00.367: ISAKMP (0:1357): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE      
Oct 28 07:14:00.367: ISAKMP:(1357):deleting node 1927194918 error FALSE reason "QM done (await)"
Oct 28 07:14:00.367: ISAKMP:(1357):Node 1927194918, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 28 07:14:00.367: ISAKMP:(1357):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Oct 28 07:14:00.367: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 28 07:14:00.367: IPSEC(key_engine_enable_outbound): recd enable notify from ISAKMP
Oct 28 07:14:00.367: IPSEC(update_current_outbound_sa): updated peer 2.2.2.2 current outbound sa to SPI 51F74D18
Oct 28 07:14:30.287: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0xCFBD8074(3485302900),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 399,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 192.168.0.0/255.255.248.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.248.0/0/0 (type=4)
Oct 28 07:14:30.287: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x46659F04(1181064964),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 400,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 192.168.0.0/255.255.248.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.248.0/0/0 (type=4)
Oct 28 07:14:30.287: IPSec: Flow_switching Deallocated flow for sibling 8000814B
Oct 28 07:14:30.287: ISAKMP: set new node 241419644 to QM_IDLE      
Oct 28 07:14:30.287: ISAKMP:(1357): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE      
Oct 28 07:14:30.287: ISAKMP:(1357):purging node 241419644
Oct 28 07:14:30.287: ISAKMP:(1357):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Oct 28 07:14:30.287: ISAKMP:(1357):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Oct 28 07:14:50.368: ISAKMP:(1357):purging node 1927194918
Oct 28 07:14:00.367: IPSEC(key_engine_enable_outbound): enable SA with spi 1375161624/50
Oct 28 07:14:00.367: IPSEC(update_current_outbound_sa): updated peer 2.2.2.2 current outbound sa to SPI 51F74D18

On the Cisco ASA (2.2.2.2) I see:

IPSEC: Received an ESP packet (SPI= 0x46659F04, sequence number= 0x154E8) from 2.2.2.2 to 1.1.1.1 with an invalid SPI.

Cisco 7301 config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key KEY address 2.2.2.2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map nolan 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set ESP-AES-SHA
set pfs group2
match address 120

Cisco ASA config:

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy VPN
group-policy VPN internal
group-policy VPN attributes
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
crypto map outside_map 10 match address ip_vpn
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
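The router debug above records the Phase 2 SA lifecycle (create_sa, early_age_out_sibling, update_current_outbound_sa, delete_sa) while the ASA only reports the SPI it rejects. The script below is an added example, not part of the original post, that cross-references the two: it parses the IOS "debug crypto ipsec" events by SPI and, for each SPI the ASA flags as invalid, reports when the router aged that SA out, deleted it, and which SPI it switched to. The sample log text is constructed from the lines quoted in the post (condensed, same timestamps and SPIs); the function and field names are this example's own.

```python
"""Correlate IOS 'debug crypto ipsec' output with ASA 'invalid SPI' syslogs.

Added example (not from the original post). Parses router-side SA
create/delete/age-out events and checks, for each SPI the ASA rejected,
what the router had done with that SA.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: condensed copy of the router lines quoted in the post.
IOS_DEBUG = """\
Oct 28 07:14:00.287: IPSEC(create_sa): sa created,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0xD95E070(227926128),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 415
Oct 28 07:14:00.287: IPSEC(create_sa): sa created,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x51F74D18(1375161624),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 416
Oct 28 07:14:00.287: IPSEC(early_age_out_sibling): sibling outbound SPI 46659F04 expiring in 30 seconds
Oct 28 07:14:00.367: IPSEC(update_current_outbound_sa): updated peer 2.2.2.2 current outbound sa to SPI 51F74D18
Oct 28 07:14:30.287: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0xCFBD8074(3485302900),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 399,
Oct 28 07:14:30.287: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,
    sa_spi= 0x46659F04(1181064964),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 400,
"""

# Constructed sample: the single ASA message quoted in the post.
ASA_LOG = """\
IPSEC: Received an ESP packet (SPI= 0x46659F04, sequence number= 0x154E8) from 2.2.2.2 to 1.1.1.1 with an invalid SPI.
"""


@dataclass
class SaEvent:
    when: datetime
    kind: str                 # create | delete | age_out | current_outbound
    spi: int
    peer: Optional[str] = None   # sa_dest (create/delete) or peer (current_outbound)
    detail: Optional[str] = None


TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3})"
# create/delete events span several lines; sa_dest and sa_spi follow the header
RE_SA = re.compile(TS + r": IPSEC\((?P<kind>create_sa|delete_sa)\):.*?"
                   r"sa_dest= (?P<dest>[\d.]+),.*?sa_spi= 0x(?P<spi>[0-9A-Fa-f]+)", re.S)
RE_AGE = re.compile(TS + r": IPSEC\(early_age_out_sibling\): sibling outbound SPI "
                    r"(?P<spi>[0-9A-Fa-f]+) expiring in (?P<secs>\d+) seconds")
RE_CUR = re.compile(TS + r": IPSEC\(update_current_outbound_sa\): updated peer "
                    r"(?P<peer>[\d.]+) current outbound sa to SPI (?P<spi>[0-9A-Fa-f]+)")
RE_ASA = re.compile(r"SPI= 0x(?P<spi>[0-9A-Fa-f]+), sequence number= 0x(?P<seq>[0-9A-Fa-f]+)")


def _ts(text: str) -> datetime:
    # IOS timestamps carry no year; ordering within one capture is all we need
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_ios_debug(text: str) -> List[SaEvent]:
    """Extract SA lifecycle events from 'debug crypto ipsec' output, oldest first."""
    events: List[SaEvent] = []
    for m in RE_SA.finditer(text):
        events.append(SaEvent(_ts(m["ts"]), m["kind"].split("_")[0], int(m["spi"], 16), peer=m["dest"]))
    for m in RE_AGE.finditer(text):
        events.append(SaEvent(_ts(m["ts"]), "age_out", int(m["spi"], 16), detail=f"expiring in {m['secs']}s"))
    for m in RE_CUR.finditer(text):
        events.append(SaEvent(_ts(m["ts"]), "current_outbound", int(m["spi"], 16), peer=m["peer"]))
    events.sort(key=lambda e: e.when)  # stable: same-timestamp lines keep log order
    return events


def parse_asa_invalid_spi(text: str) -> List[Tuple[int, int]]:
    """Return (spi, esp_sequence_number) for every ASA 'invalid SPI' message."""
    return [(int(m["spi"], 16), int(m["seq"], 16)) for m in RE_ASA.finditer(text)]


def _fmt(when: Optional[datetime]) -> Optional[str]:
    return when.strftime("%H:%M:%S.%f")[:-3] if when else None


def explain_invalid_spi(events: List[SaEvent], rejected: List[Tuple[int, int]]) -> Dict[str, dict]:
    """For each rejected SPI, report what the router did with that SA and what replaced it."""
    by_spi: Dict[int, List[SaEvent]] = {}
    for e in events:
        by_spi.setdefault(e.spi, []).append(e)
    report: Dict[str, dict] = {}
    for spi, seq in rejected:
        hist = by_spi.get(spi, [])
        aged = next((e for e in hist if e.kind == "age_out"), None)
        deleted = next((e for e in hist if e.kind == "delete"), None)
        # the SA the router made current at or after the age-out, if any
        replacement = None
        if aged:
            replacement = next((e for e in events if e.kind == "current_outbound"
                                and e.when >= aged.when and e.spi != spi), None)
        report[f"0x{spi:08X}"] = {
            "seen_on_router": bool(hist),
            "aged_out_at": _fmt(aged.when) if aged else None,
            "deleted_at": _fmt(deleted.when) if deleted else None,
            "replaced_by": f"0x{replacement.spi:08X}" if replacement else None,
            "esp_seq": seq,
        }
    return report


if __name__ == "__main__":
    for spi, info in explain_invalid_spi(parse_ios_debug(IOS_DEBUG), parse_asa_invalid_spi(ASA_LOG)).items():
        print(spi, info)
```

Run it against a full "debug crypto ipsec" capture from the router and the ASA syslog for the same window; a rejected SPI that shows up as aged out and deleted on the router, with a replacement SPI, tells you the two ends disagreed about which Phase 2 SA was live at that moment rather than that the SPI was never negotiated.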

3 Replies

You are missing the pre-shared key in the ASA config. The config might differ a little depending on the ASA version you are running, but for newer versions the following is the syntax.

tunnel-group 1.1.1.1 ipsec-attributes

  ikev1 pre-shared-key KEY

--

Please remember to select a correct answer and rate helpful posts

Sorry, of course I have it. I didn't copy it.

On the ASA, could you provide the output of the following commands:

show crypto isakmp

show crypto ipsec sa

show access-list ip_vpn

show run nat  !(also include any object-groups that might be defined for the identity NAT for this VPN)

Could you run the following debugs and then try to initiate traffic:

debug crypto condition peer 1.1.1.1

debug crypto ikev1 127

debug crypto ipsec 127

--

Please remember to select a correct answer and rate helpful posts