10-07-2010 09:22 AM
I'm having problems with a VPN l2l disconnection is done with Linux Centos establishing the VPN but after restart the desert while I send the log link
Could not find centry for IPSec SA delete with reason message - SPI 0x180DFA53
Thanks,
Alfredo Elias.
10-07-2010 10:42 AM
Alfredo,
Can you please share your config and running version?
When has this started appearing? Does a reload help for a while? Is NAT-T in use? etc.
Marcin
10-07-2010 11:41 AM
thank you the configuration is
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
crypto map outside_vpn 7 match address outside_cryptomap_5
crypto map outside_vpn 7 set peer x.x.x.x
crypto map outside_vpn 7 set transform-set ESP-AES-256-SHA
access-list outside_cryptomap_5 line 1 extended permit ip object-group CIBERSONSSV host x.x.x.x
access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x0 host 72.24.x.x (hitcnt=606)
access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x host 72.24.x.x (hitcnt=39
the version of IOS is 8.0.4-k8 and yes, NAT-T
thanks
10-07-2010 12:01 PM
Is the remote peer behind a NAT device ?
I mean to say that the CentOS Linux machine has a private IP that's being NATted by any device in between? Also, Linux isn't running iptables? If it is, then try after shutting down iptables.
If not, then try to clear crypto SAs and send interesting traffic.
Thanks
Manish
10-07-2010 12:06 PM
To add to post above.
There is nothing fixed from 8.0.4 on in the 8.0 train that would seem like a bug.
Debugging + capture might be a good way to start dealing with this.
Marcin
10-07-2010 12:25 PM
that I can run debug commands in the ASA to get more clear what is the problem thank you very much for your help
10-07-2010 02:12 PM
Hi Alfredo,
Can you please clarify a few things?
1> Is it a tunnel between an ASA and a Linux router (CentOS)?
2> If the Linux side is just a host and you want to encrypt traffic between that Linux server and your clients, then is that Linux machine behind a NAT device?
3> Post debug from ASA: debug crypto isakmp & ipsec sa?
4> post debug from LINUX -- > cat /etc/ipsec.secrets and match the PSK on both sides ?
5> cat /etc/sysconfig/network-scripts/ifcfg-ipsecx ?
Thanks
Manish
10-11-2010 07:15 AM
1.- Yes, the tunnel is between ASA and CentOS Linux
2.- I want to encrypt traffic between that Linux server and not client the server
10-11-2010 07:33 AM
Hi Alfredo,
Please clarify - I understand that the tunnel comes up fine, but when you restart the Linux server, after that the tunnel does not come up fine.
I haven't read the entire thread, so just trying to understand.
If what I think is right, then there is one side which is not bringing down the tunnel entirely. Before I proceed further on this line, I would like your confirmation.
10-11-2010 07:46 AM
Hi Jathaval
I mention following the tunnel is established between the ASA and the CentOS Linux server pas phase 1 and phase 2 but after settling the tunnel goes down.
to debug I put in the ASA to find a solution to this problem
Thanks for your help.
10-11-2010 08:42 AM
Please enable the conditional debugs and paste the output:
debug crypto condition peer
debug crypto isakmp 127
debug crypto ipsec 127