08-14-2013 04:47 PM - edited 02-21-2020 07:05 PM
Hi all,
We are posting this question again, as I think the original got deleted when we tried to edit it. This time we have also included the configuration causing the issue.
PROBLEM
In this example we will use site A and site B. We have a Pix 515E at site A and a Cisco 1801 at site B, with a site-to-site tunnel between the two. If we ping from site B to site A then the tunnel comes up, we can ping in either direction and traffic flows in both directions. If we try to ping from site A to site B to bring up the tunnel then the pings fail. So, put another way, we can only initiate the tunnel from site B.
TROUBLE SHOOTING SO FAR
We have checked the NAT and ACLs, all of which seem fine and seem comparable with other configs on working systems in the field.
rt23#sh run
Building configuration...

Current configuration : 6871 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt23
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret XXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.99.1 172.16.99.10
ip dhcp excluded-address 172.16.99.240 172.16.99.254
!
ip dhcp pool LAN23
   network 172.16.99.0 255.255.255.0
   default-router 172.16.99.1
   dns-server 172.16.99.1
   domain-name XXXXX
!
!
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw tcp timeout 3600
ip inspect name myfw http timeout 3600
ip ddns update method ddns
 HTTP
 interval maximum 0 0 10 0
 interval minimum 0 0 5 0
!
!
multilink bundle-name authenticated
!
!
username XXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXX hostname ZZZZZZZZZZZZ
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set SET23 esp-3des esp-sha-hmac
!
crypto map MAP23 10 ipsec-isakmp
 set peer ZZZZZZZZZZ dynamic
 set transform-set SET23
 set pfs group2
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0
 description PPPoE Interface
 ip address dhcp
 shutdown
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 switchport access vlan 10
!
interface FastEthernet5
 switchport access vlan 10
!
interface FastEthernet6
 switchport access vlan 10
!
interface FastEthernet7
 switchport access vlan 10
!
interface FastEthernet8
 switchport access vlan 10
!
interface ATM0
 description DSL Modem
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 128
 no atm ilmi-keepalive
 pvc 0/38
  no oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Virtual DSL Interface
 ip ddns update hostname XXXXXXXXX
 ip ddns update ddns
 ip address negotiated
 ip access-group Internet-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password XXXXXXXXX
 ppp pap sent-username XXXXXXXXX
 ppp ipcp dns request
 crypto map MAP23
 crypto ipsec df-bit clear
 hold-queue 224 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended Internet-In
 permit icmp any any echo-reply
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 permit tcp any any eq 2221 log
 permit udp host 192.53.103.104 eq ntp any eq ntp
 permit tcp any any eq 22
 permit udp any any eq domain
 permit udp any eq domain any
 permit ip host XXXXXXXXXX any log
!
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 remark CCP_ACL Category=16
access-list 101 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password XXXXXXXX
 transport input ssh
!
ntp update-calendar
ntp server 172.16.0.1 source Vlan10
end
===================================================================================
Thanks again,
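The "checked the NAT and ACLs" step above can be made repeatable. The following is an added example (not code from the original post) that runs three cross-checks over a constructed excerpt of the 1801 config posted above: the crypto ACL and the NAT route-map's deny entries must mirror each other, and the inbound ACL on the ip nat outside interface must admit IKE (udp/500), ESP and NAT-T (udp/4500, the IOS keyword non500-isakmp). The excerpt keeps the posted lines unchanged; the NAT-T check is a general practitioner check and the posted ACL does not contain such an entry, so the script reports it.

```python
import re

# Constructed excerpt of the 1801 config posted in this thread (VPN and NAT lines only).
SAMPLE_CFG = """\
crypto map MAP23 10 ipsec-isakmp
 set peer ZZZZZZZZZZ dynamic
 match address 100
interface Dialer0
 ip access-group Internet-In in
 ip nat outside
 crypto map MAP23
ip access-list extended Internet-In
 permit esp any any
 permit udp any any eq isakmp
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
NUM_ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+)")
def acl_pairs(cfg, acl, action):
    # (src, dst) wildcard pairs of the numbered ACL's entries with the given action
    return {(m[3], m[4]) for m in map(NUM_ACL.match, cfg.splitlines())
            if m and m[1] == acl and m[2] == action}

def blocks(cfg):
    # map each top-level line (interface, named ACL, route-map) to its indented sub-lines
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            out.setdefault(cur, []).append(line.strip())
        else:
            cur = line
    return out

def check_tunnel_config(cfg):
    findings, b = [], blocks(cfg)
    crypto_acl = re.search(r"^ match address (\d+)", cfg, re.M)[1]
    nat_acl = re.search(r"^ match ip address (\d+)", cfg, re.M)[1]
    # 1. interesting traffic must be exempt from NAT: crypto ACL permits == route-map ACL denies
    if acl_pairs(cfg, crypto_acl, "permit") != acl_pairs(cfg, nat_acl, "deny"):
        findings.append(f"crypto ACL {crypto_acl} and NAT-exempt ACL {nat_acl} do not mirror")
    for ifc in (k for k, v in b.items() if k.startswith("interface") and "ip nat outside" in v):
        # 2. inbound ACL on the outside interface must admit IKE (udp/500), ESP and NAT-T (udp/4500)
        grp = [s.split()[2] for s in b[ifc] if s.startswith("ip access-group") and s.endswith(" in")]
        entries = b.get(f"ip access-list extended {grp[0]}", []) if grp else []
        for want in ("esp", "eq isakmp", "eq non500-isakmp"):
            if not any(e.startswith("permit") and want in e for e in entries):
                findings.append(f"inbound ACL on {ifc} lacks a permit for {want}")
    return findings
```

Paste a full show run into check_tunnel_config to run the same three checks on a live device.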
08-14-2013 09:00 PM
Hello,
I can see that the IP address is dynamically obtained on the router side, correct?
If this is the case then that's expected, as the other side will never know the IP address of the other peer.
This is a regular dynamic-to-static scenario, which tells us that.
Please check this link on my personal blog as that's exactly what you are looking for:
http://www.laguiadelnetworking.com/vpn-tunnel-dynamic-to-static-router-to-asa/
Cheers,
Julio Carvajal Segura
08-17-2013 09:57 AM
Hi Julio,
Thank you for your input. Just to clarify, the 1801 has a static IP address and the Pix has the dynamic address. However, for testing we have set the peers as IP addresses rather than a domain name. I have included the output from "debug crypto isakmp" taken from the Pix. We have checked and checked again the configuration and there are absolutely no mismatches. Once the tunnel is up (initiated from the 1801 only), traffic flows fine in both directions.
We reviewed your posting which was in effect our setup in reverse.
Any more suggestions?
Regards,
88.88.88.88 replaces the real peer address of the 1801.
Aug 17 17:25:46 [IKEv1]: IP = 88.88.88.88, Removing peer from peer table failed, no match!
Aug 17 17:25:46 [IKEv1]: IP = 88.88.88.88, Error: Unable to remove PeerTblEntry
Aug 17 17:25:47 [IKEv1]: IP = 88.88.88.88, Information Exchange processing failed
08-17-2013 10:16 AM
Hello,
Can you share the configuration with the domain-name mapping instead of IP addresses?
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-17-2013 10:31 AM
Hi Julio,
Which configuration do you want us to post? The 1801 config is listed above. Not sure what you mean by domain-name mapping. Do you mean the peer domain names?
regards,
08-18-2013 04:47 AM
I am interested in this line in the config:
set peer ZZZZZZZZZZ dynamic
I have not used the parameter for dynamic and am not very familiar with it. But it suggests that it is being set up with a peer in a situation where the address will be learned dynamically. And I agree with Julio that the expected behavior when one peer is learning its address dynamically is that the tunnel is initiated from the peer whose address is dynamic and not initiated from the peer with the static address.
HTH
Rick
08-19-2013 03:41 AM
Hi All,
OK, we have now sorted this problem out and would like to share the results of our investigation and fix with you all.
The problem was on the router (1801), which has the static IP address; the Pix end unusually has a dynamic IP address, not our preferred setup but that's the way the customer has it set up. As Julio pointed out, it is possible to set up a tunnel between an ASA and a router where one is dynamic and the other is static, albeit that this is usually done with the ASA static and the remote office router dynamic.

On the router side we set the peer to a DDNS entry, for example 123.ddns.com, whereas on the ASA we had to use the actual IP address of the remote router, which is static in any event. When we tried to initiate a tunnel from the Pix end it saw a mismatch in the ISAKMP phase 1 policy and therefore did not establish. However, and interestingly, we could establish ISAKMP from the router end. We cannot set the DDNS name on the Pix as it is my understanding that ASA/Pix cannot resolve TLDs.

We use a dynamic DNS entry which is then resolved by NO-IP, which helps to cut costs for customers by not having static IPs, which many ISPs now charge around £20 a month for. Although not what we wanted to do, we had to manually set the IP address on both ends and it worked just fine. We may need to get the customer to pay for static IPs at both ends.
So, does anyone know of a workaround that would allow us to use the dynamic IP on the ASA/Pix side and static on the router end?
Thank you to you all for your input. I have given the correct answer to Julio, as his suggestion and link to the configuration were what led us to find the problem.
Regards,