06-04-2010 10:47 PM
Hi Experts,
I hope all are doing well.
Last week, we had set up an L2L VPN between an ASA and a 2851 router. Below is our setup:
10.71.x.x /16 ==>3750==>ASA5540 ==>INTERNET==> ROUTER-2851==>3750==>10.1.X.X/16
(LOCAL) (REMOTE)
Our problem is that the remote site cannot access our network, but we can access their network. ACL + routing were checked and all are correct.
I checked one of our other L2L VPN setups also, 3845 -> 2851: when I do show crypto ipsec sa, I see all the networks defined in the local and remote networks active, but in our setup of ASA-2851 I don't see this kind of output. I see only two subnets active. After initiating a ping to the remote networks, then I can see the other two networks when I do show crypto ipsec sa. Is this normal? I know that there should be rekeying of the SA, but why are the (local+remote networks) missing when no traffic is passing from the local network?
Please help and advise!
cheers,
reymon
06-05-2010 02:34 AM
Reymon,
L2L IPsec tunnels are always on demand - when no traffic is passing tunnels will not initiate.
In your particular case it's hard to say whether:
1. Tunnel initiation from router subnet to ASA is blocked.
or
2. Traffic inside established tunnel from router subnet to ASA is blocked.
I would first make sure that you have correct SPIs while you're running the test (yes, show crypto ipsec sa). If the SPIs are in place and traffic is passing from ASA to router subnets and not vice versa, then you're running into a problem with something stateful on the way (maybe vpn-filter on ASA?)
Now if you initiate tests from router networks and still see the issue and SPIs are not there, there might be something blocking your IKE traffic, not allowing the router to initiate properly.
In short ... it all depends
Marcin
06-05-2010 06:50 AM
Hi Marcin,
When I do show crypto ipsec sa on the ASA, I cannot see the local and remote networks on the ASA, but once I ping from the inside network of the ASA to the router side, then I can see them in my show crypto ipsec sa. I already enabled sysopt connection permit-vpn on the ASA, but it is the same.
Below is the debug I captured when there is no traffic passing through the two networks, and I get this debug:
Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Pitcher: received key delete msg, spi 0x7a23d721
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X. Reason: IPSec SA Idle Timeout Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, sending delete/delete with reason message
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing blank hash payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing IPSec delete payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing qm hash payload
Jun 05 14:34:20 [IKEv1]: IP = 207.107.203.X, IKE_DECODE SENDING Message (msgid=71d4e9b6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Active unit receives a delete event for remote peer 207.107.203.X.
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, IKE Deleting SA: Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
IPSEC: Deleted inbound decrypt rule, SPI 0x7A23D721
Rule ID: 0xB2B3E498
IPSEC: Deleted inbound permit rule, SPI 0x7A23D721
Rule ID: 0xB3A0ADB0
IPSEC: Deleted inbound tunnel flow rule, SPI 0x7A23D721
Rule ID: 0xAD7721A8
IPSEC: Deleted inbound VPN context, SPI 0x7A23D721
VPN handle: 0x00A7D834
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7a23d721
IPSEC: Deleted outbound encrypt rule, SPI 0xCD6A59C3
Rule ID: 0xB3A78878
IPSEC: Deleted outbound permit rule, SPI 0xCD6A59C3
Rule ID: 0xB0EE17A0
IPSEC: Deleted outbound VPN context, SPI 0xCD6A59C3
VPN handle: 0x00A7A294
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xcd6a59c3
Reason: IPSec SA Idle Timeout Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0 ==> is this normal?
Thanks,
reymon
06-06-2010 12:24 AM
Reymon,
The part of the debug you attached is related to the ASA deleting SAs because of vpn-idle-timeout (it seems); quite frankly a bit strange for an L2L tunnel:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630720
Can you please share with us (masking IP addresses if you want):
from ASA:
--------
sh ver
show run crypto
show run tunnel-g
show run group-p
----------
from router:
--------
show run | s crypto
show crypto map
--------
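The debug in the earlier post shows the ASA tearing down a phase 2 SA with "Reason: IPSec SA Idle Timeout" and then deleting the inbound and outbound SPIs for that proxy pair. Below is an added example (not part of this thread and not Cisco's code) of a small Python parser that reads ASA IKEv1/IPsec debug output, groups each "Connection terminated" event with the SPIs deleted right after it, and flags the ones caused by an idle timeout rather than by a rekey or a peer-sent delete. The function names (parse_debug, idle_timeout_teardowns, summarize) and the SaTeardown class are my own; the sample lines are copied from the debug posted above, with the peer address left masked as the poster wrote it.

```python
import re
from dataclasses import dataclass, field

# Sample input: debug lines copied from the post above (peer IP masked by the poster).
SAMPLE_DEBUG = """\
Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Pitcher: received key delete msg, spi 0x7a23d721
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X. Reason: IPSec SA Idle Timeout Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, IKE Deleting SA: Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
IPSEC: Deleted inbound decrypt rule, SPI 0x7A23D721
IPSEC: Deleted inbound VPN context, SPI 0x7A23D721
IPSEC: Deleted outbound encrypt rule, SPI 0xCD6A59C3
IPSEC: Deleted outbound VPN context, SPI 0xCD6A59C3
Jun 05 14:34:20 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xcd6a59c3
"""

# "Connection terminated ... Reason: <why> Remote Proxy <net>, Local Proxy <net>"
TERMINATED = re.compile(
    r"Connection terminated for peer (?P<peer>\S+)\. Reason: (?P<reason>.+?) "
    r"Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+)"
)
# One "Deleted ... VPN context" line per direction carries the SPI being removed.
DELETED_CTX = re.compile(
    r"IPSEC: Deleted (?P<dir>inbound|outbound) VPN context, SPI (?P<spi>0x[0-9A-Fa-f]+)"
)


@dataclass
class SaTeardown:
    """One phase 2 SA teardown event and the SPIs removed with it."""
    peer: str
    reason: str
    local_proxy: str
    remote_proxy: str
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


def parse_debug(text):
    """Group each 'Connection terminated' event with the SPI deletions that follow it."""
    teardowns = []
    current = None
    for line in text.splitlines():
        m = TERMINATED.search(line)
        if m:
            current = SaTeardown(m["peer"], m["reason"].strip(), m["local"], m["remote"])
            teardowns.append(current)
            continue
        m = DELETED_CTX.search(line)
        if m and current is not None:
            spi = m["spi"].lower()  # ASA prints SPIs in mixed case; normalise for comparison
            target = current.inbound_spis if m["dir"] == "inbound" else current.outbound_spis
            target.append(spi)
    return teardowns


def idle_timeout_teardowns(teardowns):
    """Only the teardowns the ASA attributes to the idle timer (not rekeys or peer deletes)."""
    return [t for t in teardowns if "idle timeout" in t.reason.lower()]


def summarize(teardowns):
    """Human-readable one-liners: which proxy pair went down, why, and which SPIs were removed."""
    return [
        f"{t.local_proxy} <-> {t.remote_proxy} via {t.peer}: {t.reason}; "
        f"inbound SPIs {t.inbound_spis}, outbound SPIs {t.outbound_spis}"
        for t in teardowns
    ]


if __name__ == "__main__":
    for line in summarize(idle_timeout_teardowns(parse_debug(SAMPLE_DEBUG))):
        print(line)
```

Run over a longer capture, the idle-timeout list tells you which proxy pairs keep disappearing from show crypto ipsec sa without any IKE delete from the peer, which is the pattern Marcin points at; a teardown whose reason is not an idle timeout would instead point at the peer or at a rekey.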