
PROBLEM L2L ASA TO CENTOS LINUX

alfredoelias
Level 1

I'm having problems with an L2L VPN to a Linux CentOS machine: the VPN gets established, but after a restart it drops after a while. I am sending the log line:

Could not find centry for IPSec SA delete with reason message - SPI 0x180DFA53

Thanks,

Alfredo Elias.

10 Replies

Marcin Latosiewicz
Cisco Employee

Alfredo,

Can you please share your config and running version?

When has this started appearing? Does a reload help for a while? Is NAT-T in use? etc.

Marcin

Thank you, the configuration is:

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

crypto map outside_vpn 7 match address outside_cryptomap_5

crypto map outside_vpn 7 set peer x.x.x.x

crypto map outside_vpn 7 set transform-set ESP-AES-256-SHA

access-list outside_cryptomap_5 line 1 extended permit ip object-group CIBERSONSSV host x.x.x.x

  access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x0 host 72.24.x.x (hitcnt=606)

  access-list outside_cryptomap_5 line 1 extended permit ip host 10.19.x.x host 72.24.x.x (hitcnt=39)

The IOS version is 8.0.4-k8, and yes, NAT-T is in use.

Thanks

Is the remote peer behind a NAT device?

I mean to say: does the CentOS Linux machine have a private IP that is being NATed by some device in between? Also, is Linux running iptables? If it is, then try again after shutting down iptables.

If not, then try to clear the crypto SAs and send interesting traffic.

Thanks

Manish

To add to post above.

There is nothing fixed from 8.0.4 onward in the 8.0 train that would seem like a bug.

Debugging + capture might be a good way to start dealing with this.

Marcin

What debug commands can I run on the ASA to get a clearer picture of what the problem is? Thank you very much for your help.

Hi Alfredo,

Can you please clarify a few things?

1> Is it a tunnel between an ASA and a Linux router (CentOS)?

2> If the Linux side is just a host and you want to encrypt traffic between that Linux server and your clients, then is that Linux machine behind a NAT device?

3> Post the debug from the ASA: debug crypto isakmp & ipsec sa?

4> Post the debug from Linux --> cat /etc/ipsec.secrets and match the PSK on both sides?

5> cat /etc/sysconfig/network-scripts/ifcfg-ipsecx ?

Thanks

Manish

1. Yes, the tunnel is between the ASA and the CentOS Linux server.

2. I want to encrypt traffic with that Linux server, not with clients, only the server.

Hi Alfredo,

Please clarify: I understand that the tunnel comes up fine, but when you restart the Linux server, after that the tunnel does not come up fine.

I haven't read the entire thread, so I'm just trying to understand.

If what I think is right, then there is one side which is not bringing down the tunnel entirely. Before I proceed further on this line, I would like your confirmation.
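To illustrate the kind of state divergence the reply above describes, here is an added Python example that is not part of this thread: it walks constructed ASA-style log lines and separates SPIs the ASA still holds from delete notifications for SPIs it has already removed (the "Could not find entry for IPSec SA delete" case from the original post) and from SPIs it never had. The syslog line format, message IDs and sample addresses are assumptions; only the SPI field is parsed.

```python
import re

# Constructed sample log lines (assumed format, loosely modelled on ASA
# IPsec SA syslogs; the SPI is the only field the parser relies on).
# The last two lines use the message quoted in the original post.
SAMPLE_LOG = """\
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7A1B2C3D) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been created.
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x180DFA53) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been created.
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x180DFA53) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been deleted.
Could not find entry for IPSec SA delete with reason message - SPI 0x180DFA53
Could not find entry for IPSec SA delete with reason message - SPI 0xDEADBEEF
"""

HEX = r"(0x[0-9A-Fa-f]+)"
SA_CREATED = re.compile(r"SA \(SPI= " + HEX + r"\).*has been created")
SA_DELETED = re.compile(r"SA \(SPI= " + HEX + r"\).*has been deleted")
DELETE_MISS = re.compile(r"Could not find entry for IPSec SA delete.*SPI " + HEX)


def norm_spi(spi):
    """Canonical form so 0x180dfa53 and 0x180DFA53 compare equal."""
    return "0x" + spi[2:].upper()


def audit_sa_lifecycle(log_text):
    """Walk the log in order and classify SPI events.

    Returns a dict with three lists:
      stale   - SPIs created and never deleted (the ASA still holds them)
      double  - delete-miss for an SPI the ASA had already torn down, i.e.
                the peer's SA table has drifted from the ASA's
      unknown - delete-miss for an SPI this ASA never created at all
    """
    active, seen_ever = set(), set()
    double, unknown = [], []
    for line in log_text.splitlines():
        if m := SA_CREATED.search(line):
            spi = norm_spi(m.group(1))
            active.add(spi)
            seen_ever.add(spi)
        elif m := SA_DELETED.search(line):
            active.discard(norm_spi(m.group(1)))
        elif m := DELETE_MISS.search(line):
            spi = norm_spi(m.group(1))
            (double if spi in seen_ever else unknown).append(spi)
    return {"stale": sorted(active), "double": double, "unknown": unknown}


if __name__ == "__main__":
    for kind, spis in audit_sa_lifecycle(SAMPLE_LOG).items():
        print(f"{kind:8s} {', '.join(spis) or '-'}")
```

A "double" hit after the Linux peer reboots is the symptom from the first post: the peer tears down an SA the ASA no longer tracks, so comparing the ASA's active SPIs against the peer's is the first check to run.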

Hi Jathaval,

As I mentioned, the tunnel is established between the ASA and the CentOS Linux server, passing phase 1 and phase 2, but after it settles the tunnel goes down.

What debug should I put on the ASA to find a solution to this problem?

Thanks for your help.

Please enable the conditional debugs and paste the output:

debug crypto condition peer

debug crypto isakmp 127

debug crypto ipsec 127