Problems between ASA 5510 and Draytek 2820

rpsribeiro
Level 1

Hello,

I'm trying to make a VPN connection from a Cisco ASA 5510 running 8.2(1). The VPN is established and I receive traffic; I see the responses reach the firewall, but these responses never reach the destination. Sometimes in the IPsec SA stats I see the following two errors:

      *** ESP SA deleted ***

    *** Tunnel rekeyed or deleted ***

Does anyone know how to resolve this?

Here are the stats from the tunnel:

peer address: 82.154.252.14
    Crypto map tag: routemap, seq num: 3, local addr: 194.38.128.122
      access-list vpn2benfica permit ip 10.35.0.0 255.255.0.0 10.35.105.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.35.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.35.105.0/255.255.255.0/0/0)
      current_peer: 82.154.252.14
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 194.38.128.122, remote crypto endpt.: 82.154.252.14
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6656E3A1
    inbound esp sas:
      spi: 0xA27D9582 (2726139266)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 49012736, crypto-map: routemap
         sa timing: remaining key lifetime (sec): 3567
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x03FFFFFF
    outbound esp sas:
      spi: 0x6656E3A1 (1716970401)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 49012736, crypto-map: routemap
         sa timing: remaining key lifetime (sec): 3567
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Some captures:

   1: 08:45:50.145668 10.35.105.253 > 10.35.100.1: icmp: echo request
   2: 08:45:50.145896 10.35.100.1 > 10.35.105.253: icmp: echo reply
   3: 08:45:52.147407 10.35.105.253 > 10.35.100.1: icmp: echo request
   4: 08:45:52.147682 10.35.100.1 > 10.35.105.253: icmp: echo reply
   5: 08:45:52.677134 10.35.105.11.137 > 10.35.100.7.137:  udp 50
   6: 08:45:52.679926 10.35.100.7.137 > 10.35.105.11.137:  udp 157
   7: 08:45:52.696634 10.35.105.11.137 > 10.35.100.7.137:  udp 50
   8: 08:45:52.696848 10.35.100.7.137 > 10.35.105.11.137:  udp 157
   9: 08:45:52.728355 10.35.105.11.137 > 10.35.100.7.137:  udp 50
  10: 08:45:52.728752 10.35.100.7.137 > 10.35.105.11.137:  udp 157
  11: 08:45:52.729103 10.35.105.11.137 > 10.35.100.7.137:  udp 50
  12: 08:45:52.729378 10.35.100.7.137 > 10.35.105.11.137:  udp 157
  13: 08:45:54.149986 10.35.105.253 > 10.35.100.1: icmp: echo request
  14: 08:45:54.150489 10.35.100.1 > 10.35.105.253: icmp: echo reply
  15: 08:45:56.152320 10.35.105.253 > 10.35.100.1: icmp: echo request
  16: 08:45:56.152702 10.35.100.1 > 10.35.105.253: icmp: echo reply
  17: 08:45:58.154868 10.35.105.253 > 10.35.100.1: icmp: echo request
  18: 08:45:58.155112 10.35.100.1 > 10.35.105.253: icmp: echo reply
  19: 08:46:00.156333 10.35.105.253 > 10.35.100.1: icmp: echo request
  20: 08:46:00.156638 10.35.100.1 > 10.35.105.253: icmp: echo reply
  21: 08:46:02.167166 10.35.105.253 > 10.35.100.1: icmp: echo request
  22: 08:46:02.167380 10.35.100.1 > 10.35.105.253: icmp: echo reply

   4: 08:45:52.147682 10.35.100.1 > 10.35.105.253: icmp: echo reply

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482926463, using existing flow

Phase: 4
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482805212, using existing flow

Result:
Action: allow

   5: 08:46:18.226825 10.35.105.253 > 10.35.100.1: icmp: echo request
   6: 08:46:18.227069 10.35.100.1 > 10.35.105.253: icmp: echo reply

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482928087, using existing flow

Phase: 4
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482805212, using existing flow

Result:
Action: allow

   7: 08:46:20.235858 10.35.105.253 > 10.35.100.1: icmp: echo request
   8: 08:46:20.236102 10.35.100.1 > 10.35.105.253: icmp: echo reply

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482928260, using existing flow

Phase: 4
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 482805212, using existing flow

Result:
Action: allow

2 Replies

malshbou
Level 1

Can you initiate the tunnel from your side (ASA)?

Did you check routing to the correct egress interface that has the crypto map?

Please get the asp-drop captures:

capture drop type asp-drop all

show cap drop

----

HTH

Mashal

------------------ Mashal Shboul

I've already checked the routing and it's OK.

Here's the capture you asked for:

  8: 00:57:41.337888 10.35.100.1 > 10.35.105.253: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
  25: 00:57:45.831042 10.35.105.253 > 224.0.0.9:  ip-proto-2, length 8
  34: 00:57:47.395350 10.35.100.1 > 10.35.105.253: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
  43: 00:57:49.396448 10.35.100.1 > 10.35.105.253: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
  56: 00:57:51.411859 10.35.100.1 > 10.35.105.253: icmp: echo reply
  72: 00:57:53.401590 10.35.100.1 > 10.35.105.253: icmp: echo reply
  84: 00:57:55.403711 10.35.100.1 > 10.35.105.253: icmp: echo reply
  93: 00:57:57.405344 10.35.100.1 > 10.35.105.253: icmp: echo reply
  99: 00:57:59.407571 10.35.100.1 > 10.35.105.253: icmp: echo reply
111: 00:58:01.250399 10.35.105.152.54591 > 239.255.255.250.1900:  udp 293
112: 00:58:01.263490 10.35.105.152.54593 > 239.255.255.250.1900:  udp 302
113: 00:58:01.278077 10.35.105.152.54595 > 239.255.255.250.1900:  udp 337
114: 00:58:01.291320 10.35.105.152.54597 > 239.255.255.250.1900:  udp 345
115: 00:58:01.410638 10.35.100.1 > 10.35.105.253: icmp: echo reply
118: 00:58:02.250338 10.35.105.152.54599 > 239.255.255.250.1900:  udp 293
119: 00:58:02.263810 10.35.105.152.54601 > 239.255.255.250.1900:  udp 302
120: 00:58:02.277573 10.35.105.152.54603 > 239.255.255.250.1900:  udp 337
121: 00:58:02.291275 10.35.105.152.54605 > 239.255.255.250.1900:  udp 345
125: 00:58:03.412377 10.35.100.1 > 10.35.105.253: icmp: echo reply
133: 00:58:05.414025 10.35.100.1 > 10.35.105.253: icmp: echo reply
140: 00:58:07.416665 10.35.100.1 > 10.35.105.253: icmp: echo reply
145: 00:58:09.432030 10.35.100.1 > 10.35.105.253: icmp: echo reply
151: 00:58:11.420800 10.35.100.1 > 10.35.105.253: icmp: echo reply
164: 00:58:13.423150 10.35.100.1 > 10.35.105.253: icmp: echo reply
169: 00:58:15.425240 10.35.100.1 > 10.35.105.253: icmp: echo reply
175: 00:58:17.426995 10.35.100.1 > 10.35.105.253: icmp: echo reply
187: 00:58:19.429863 10.35.100.1 > 10.35.105.253: icmp: echo reply
192: 00:58:21.432152 10.35.100.1 > 10.35.105.253: icmp: echo reply
200: 00:58:23.434776 10.35.100.1 > 10.35.105.253: icmp: echo reply
209: 00:58:25.435417 10.35.100.1 > 10.35.105.253: icmp: echo reply
215: 00:58:27.452323 10.35.100.1 > 10.35.105.253: icmp: echo reply
221: 00:58:29.440605 10.35.100.1 > 10.35.105.253: icmp: echo reply
240: 00:58:31.442039 10.35.100.1 > 10.35.105.253: icmp: echo reply
257: 00:58:35.935071 10.35.105.253 > 224.0.0.9:  ip-proto-2, length 8
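As an added example (not code from anyone in this thread), here is a small Python parser for the ASA capture lines pasted above, covering both the plain "show capture" lines in the original post and the asp-drop lines in the reply. It splits off the Drop-reason suffix and tallies, per flow, how many packets were forwarded and how many were dropped for which reason, so the pattern in the asp-drop capture (echo replies dropped with inspect-icmp-seq-num-not-matched, later replies passed) is visible at a glance. The sample lines embedded in the block are constructed from the thread's own output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines in the shape of the "show capture" and
# "show cap drop" output quoted in the thread (not a new capture).
SAMPLE = """\
  8: 00:57:41.337888 10.35.100.1 > 10.35.105.253: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
  25: 00:57:45.831042 10.35.105.253 > 224.0.0.9:  ip-proto-2, length 8
  34: 00:57:47.395350 10.35.100.1 > 10.35.105.253: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
  56: 00:57:51.411859 10.35.100.1 > 10.35.105.253: icmp: echo reply
111: 00:58:01.250399 10.35.105.152.54591 > 239.255.255.250.1900:  udp 293
"""

# "<num>: <hh:mm:ss.usec> <src[.port]> > <dst[.port]>: <rest>"
LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

def parse_line(line):
    """Return a dict for one capture line, or None if it is not one."""
    head, _, tail = line.partition(" Drop-reason: ")
    m = LINE_RE.match(head)
    if not m:
        return None          # packet-tracer phases, headers, blank lines
    num, ts, src, dst, rest = m.groups()
    proto = rest.split()[0].rstrip(":,")   # "icmp", "udp", "ip-proto-2"
    reason = None
    if tail:                 # "(reason-code) human readable text"
        r = re.match(r"\(([^)]+)\)", tail)
        reason = r.group(1) if r else tail.strip()
    return {"num": int(num), "time": ts, "src": src, "dst": dst,
            "proto": proto, "info": rest, "drop_reason": reason}

def parse_capture(text):
    """Parse every capture line in a pasted block, skipping everything else."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def summarize(packets):
    """Per (proto, src, dst) flow, count packets by drop reason (None = forwarded)."""
    summary = defaultdict(Counter)
    for p in packets:
        summary[(p["proto"], p["src"], p["dst"])][p["drop_reason"]] += 1
    return summary

if __name__ == "__main__":
    for flow, reasons in summarize(parse_capture(SAMPLE)).items():
        print(flow, dict(reasons))
```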