07-16-2008 10:01 PM - edited 02-21-2020 03:49 PM
Hi there,
I would like to implement a remote access VPN from Racoon to a Cisco ASA using certificates.
It works now, so the following steps have already been implemented successfully:
- Phase 1 is completed with success
- Phase 2 is completed with success
but
When I try to send packets from the Linux client using racoon, I get the following errors on the Cisco ASA:
Jul 15 16:31:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 15 16:31:22 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: INTERNAL_DEST, Dst: LINUX_SRC
So the incoming traffic from racoon to the ASA should be OK because it matched my crypto map configuration on the ASA (I could see it at DEBUG level on the ASA), but for some reason the answer packets are denied by the ASA.
I could debug the VPN process on the ASA and I can see all the automatically and temporarily generated VPN access lists. So it seems everything is fine, but I have this problem with the answer packets.
I haven't found any documentation for this solution, but I don't think I'm the only person who has wanted to implement this.
Any idea?
Regards
07-17-2008 01:47 AM
Does your Linux box have multiple interfaces?
Also, can you post a more detailed debug?
Perhaps:
debug crypto isakmp 127
debug crypto ipsec 127
Regards
Farrukh
07-17-2008 03:21 AM
I have no information about the other site because Racoon and the ASA are in two different geographic locations, but I'm going to get it tomorrow.
I only have debug 255 output for these commands, so I cut and pasted all lines starting with a date because debug 255 is too much.
Racoon uses certificate-based authentication + XAUTH. Both processes are OK.
If you need a specific part of the debug 255 output, please let me know.
I had a problem with the ASDM dynamic crypto map and the automatically generated access-list because it didn't match somehow, so I created an access-list "55" using the CLI to match the traffic, which works fine as you can see.
Regards
Norbert
07-17-2008 03:39 AM
What does the 'auto-generated' ACL look like?
How is it different from the one you created?
Regards
Farrukh
07-17-2008 06:44 AM
Nothing special. I think the ASA used a string.65535.number and I just used a number to identify the ACL referenced by the dynamic crypto map.
When I started to modify the original (non-working) configuration using the CLI, the ASA said that the original, automatically created dynamic crypto map configuration was inactive.
It wasn't me who created the initial (original) dynamic crypto map, but it hadn't been tested with racoon before.
The strangest thing was that the original crypto map was fine... it was exactly the same as mine... it just didn't match somehow...
I have the original config and mine as well. I will copy both of them for you to see.
Q: How does the ASA use the configuration? Does it generate a binary from the clear-text version? Or can it be that the binary version didn't match the clear text, or whatever?
Regards
Norbert
07-17-2008 04:10 PM
Automatically generated:
------------------------
access-list Internet_IPSec_cryptomap_65535.55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP
crypto dynamic-map Internet_IPSec_dyn_map 55 match address Internet_IPSec_cryptomap_65535.55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-AES-192-SHA ESP-3DES-SHA ESP-AES-128-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec
Manually generated:
-------------------
access-list 55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP log
crypto dynamic-map Internet_IPSec_dyn_map 55 match address 55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec
I tried to generate the dynamic crypto map automatically several times, but it didn't match the required traffic somehow.
We have other automatically generated crypto maps as well, without any problem.
However, this is the first dynamic crypto map on that interface.
Regards
Norbert
07-18-2008 04:39 AM
Well, the ACLs seem identical to me?
Regards
Farrukh
07-18-2008 05:02 PM
Can I somehow debug the ACLs the ASA tested as well, to see which ACLs were tested by the ASA for the connection?
07-18-2008 05:14 PM
You could use the 'log' keyword at the end of the ACL.
Regards
Farrukh
07-19-2008 05:20 AM
Yes, I know and thank you for your help.
I really appreciate your time, but I meant something similar to what the ASA has for debugging VPN traffic.
Regards
Norbert
07-24-2008 07:44 PM
Hi,
Problem is still the same.
I attached the SA information.
I can see the incoming and outgoing tunnel traffic (ICMP and TCP) on the internal LAN and on the ASA's inside interface as well, using its packet capture capability (ICMP requests/replies, for example).
Unfortunately, the remote racoon client cannot see my outgoing packets for some reason.
How can I debug where the tunneled packets are going from the inside interface back to racoon?
Should I see any captured tunnel traffic on the Internet_IPSec interface (external)?
Thank you for your help.
Regards
Norbert
07-26-2008 12:49 AM
Double check your routing and crypto ACLs.
Regards
Farrukh
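The following is an added example, not from any post in this thread and not Cisco documentation, of how the question in Norbert's last post (where do the reply packets go after the inside interface, and should ESP be visible on Internet_IPSec?) can be checked from the ASA CLI. It uses the interface names inside and Internet_IPSec from the posted configuration; the addresses 203.0.113.10 (racoon client's public IP), 10.10.10.50 (its address from RA_VPN_POOL), 10.1.1.20 (INTERNAL_IP) and 192.0.2.1 (ASA address on Internet_IPSec) are constructed placeholders, and the capture and ACL names CAP-RA, CAP-ESP, CAPIN and CAPOUT are arbitrary.

```cisco
! Added example, not from the thread. Constructed addresses:
!   203.0.113.10 = racoon client's public IP     10.10.10.50 = its RA_VPN_POOL address
!   10.1.1.20    = INTERNAL_IP                   192.0.2.1   = ASA Internet_IPSec address

! 1. Which SAs exist, and which proxy identities (local ident / remote ident) did
!    Phase 2 install? A reply flow INTERNAL_IP -> pool address that falls outside the
!    installed identities has no SA to use; the ASA then tries to initiate a new
!    negotiation for it, which a dynamic crypto map cannot do. Compare the
!    #pkts decaps (client -> ASA) and #pkts encaps (ASA -> client) counters.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10

! 2. Clear-text side: capture the flow in both directions on the inside interface.
access-list CAP-RA extended permit ip host 10.1.1.20 host 10.10.10.50
access-list CAP-RA extended permit ip host 10.10.10.50 host 10.1.1.20
capture CAPIN access-list CAP-RA interface inside

! 3. Encrypted side: if the ASA encrypts the reply, ESP to the racoon peer must appear
!    on Internet_IPSec. With NAT-T the payload is UDP/4500 instead of ESP, so match both.
access-list CAP-ESP extended permit esp host 203.0.113.10 host 192.0.2.1
access-list CAP-ESP extended permit esp host 192.0.2.1 host 203.0.113.10
access-list CAP-ESP extended permit udp host 203.0.113.10 host 192.0.2.1 eq 4500
access-list CAP-ESP extended permit udp host 192.0.2.1 host 203.0.113.10 eq 4500
capture CAPOUT access-list CAP-ESP interface Internet_IPSec

! 4. Send a ping from the racoon client to INTERNAL_IP, then compare the two captures.
!    Echo request and reply in CAPIN but only inbound ESP in CAPOUT means the reply
!    reached the ASA and was dropped before encryption.
show capture CAPIN
show capture CAPOUT

! 5. Reproduce the reply path without the client: an ICMP echo reply (type 0, code 0)
!    from INTERNAL_IP to the pool address. The VPN phase of the trace shows whether a
!    crypto map / SA matched and, if not, where the packet is dropped.
packet-tracer input inside icmp 10.1.1.20 0 0 10.10.10.50 detailed

! 6. Caveat to check against the posted ACLs: the ASA evaluates a crypto ACL with the
!    source as the network on its own (inside) side and the destination as the remote
!    side, and mirrors it for inbound traffic. The posted ACLs list RA_VPN_POOL as the
!    source and INTERNAL_IP as the destination; the same flow in the ASA's convention is:
access-list 55 extended permit ip host 10.1.1.20 10.10.10.0 255.255.255.0 log

! 7. Captures hold buffer memory on the ASA; remove them when finished.
no capture CAPIN
no capture CAPOUT
```

Run step 1 before and after the ping in step 4: a growing decaps counter with a static encaps counter localizes the loss to the ASA's encryption side, which is exactly the case the "IKE Initiator unable to find policy" message in the first post describes.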