Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21431
Views
0
Helpful
10
Replies

S2S Tunnel Error: Crypto Map Policy Not Found

Eric Snijders
Level 1
Level 1

‎06-13-2018 02:21 AM - edited ‎03-12-2019 05:22 AM

Hi All,

 

I'm trying to get a S2S tunnel between ASA and Juniper up and running, but i'm getting the following error in the ASA log:

 

Jun 13 2018 11:14:18: %ASA-3-751022: Local:ASASide:500 Remote:JuniperSide:500 Username:JuniperSide IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!

 

I'm having some trouble understanding wether this is some configuration issue on my (ASA) side, or the remote (Juniper) side since it's a pretty simple configuration.

 

Output of show crypto ikve2 sa detail:

IKEv2 SAs:

Session-id:315, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
1298385459 ASASide/500 JuniperSide/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2010 sec
Session-id: 315
Status Description: Negotiation done
Local spi: XXXXXXXXXXXXX Remote spi: XXXXXXXXXXXXXXXX
Local id: ASASide
Remote id: JuniperSide
Local req mess id: 0 Remote req mess id: 35
Local next mess id: 0 Remote next mess id: 35
Local req queued: 0 Remote req queued: 35
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE

 

2 people had this problem
Labels:
0 Helpful
10 Replies 10

Rob Ingram
VIP
VIP

‎06-13-2018 02:25 AM

Hi,
Can you provide your configuration please? I'll have a look
0 Helpful

Eric Snijders
Level 1
Level 1
In response to Rob Ingram

‎06-13-2018 02:43 AM - edited ‎06-13-2018 02:44 AM

Hi RJI,

 

Thanks in advance. I've removed as much private info as possible, if something is missing please let me know, i'll provide the info.

 

Tunnel was created via ASDM Site-2-Site Wizard

 

ASA Version 9.9(2)1
!
!
interface GigabitEthernet0/0
 description TRUNK
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.190
 vlan 123
 nameif LOCALVPNSUBNET
 security-level 65
 ip address LocalVPNSubnetIsHere
!
interface GigabitEthernet0/3
 description INTERNET
 speed 100
 duplex full
 nameif Internet
 security-level 0
 ip address ASASide
!
tcp-map TCP
  queue-limit 100 timeout 10
!
ip verify reverse-path interface Internet
ip audit name Info info action alarm
ip audit name Attack attack action alarm drop
ip audit interface Zorgnet Info
ip audit interface Zorgnet Attack
ip audit interface Internet Info
ip audit interface Internet Attack
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp permit any Internet
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (management,Internet) after-auto source dynamic CLIENT interface description PAT
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal InfoSupport
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 14400
crypto map Internet_map 1 match address Internet_cryptomap
crypto map Internet_map 1 set pfs group14
crypto map Internet_map 1 set peer RemoteJuniperSide
crypto map Internet_map 1 set ikev2 ipsec-proposal AES256
crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internet_map interface Internet
crypto map KPN_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map KPN_WAN_map interface Zorgnet
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable Internet client-services port 443
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group14
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map Shape-Outgoing-Internet
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map type inspect dns DNS
 parameters
  message-length maximum client auto
  message-length maximum 4096
  message-length maximum server auto
  no tcp-inspection
  id-randomization
  id-mismatch action log
!
service-policy global_policy global
prompt hostname state
no call-home reporting anonymous
Cryptochecksum:b66cf2ac2bd770a25fcaa1201619f3d5
: end

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Eric Snijders

‎06-13-2018 02:51 AM

Hi,
Can you let me know your internal (private) IP addresses and the destination IP addresses of the Juniper?

Can you provide the configuration of the ACL for Internet_cryptomap aswell?
0 Helpful

Eric Snijders
Level 1
Level 1
In response to Rob Ingram

‎06-13-2018 03:06 AM

Hi RJI,

 

Internal Private IP = 172.24.2.218/32
Remote Subnet = 192.168.196.0/24

 

Output of "show run crypto map":

crypto map Internet_map 1 match address Internet_cryptomap
crypto map Internet_map 1 set pfs group14
crypto map Internet_map 1 set peer JuniperWANip
crypto map Internet_map 1 set ikev2 ipsec-proposal AES256
crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internet_map interface Internet
0 Helpful

Rob Ingram
VIP
VIP
In response to Eric Snijders

‎06-13-2018 03:10 AM

Thanks, but I'm looking for the access-list you've defined and are referencing in the crypto map.

Your internal range is very small, is that the only internal network accessing the tunnel?

What encryption domain (subnets) has been defined on the juniper?
0 Helpful

Eric Snijders
Level 1
Level 1
In response to Rob Ingram

‎06-13-2018 03:22 AM - edited ‎06-13-2018 03:23 AM

Hi RJI,

 

Yes, the internal subnet (or rather just 1 host) is very small since it's just 1 isolated host needing the tunnel.

Here is the ACL:

 

access-list Internet_cryptomap_65535.65535_1 extended permit ip any any
access-list Internet_cryptomap extended permit ip object InternalHost object RemoteJuniperSubnet

I don't have access to the Juniper since it's from another party, but if you think the issue lies there i can have somebody check it.

0 Helpful

Rob Ingram
VIP
VIP
In response to Eric Snijders

‎06-13-2018 03:30 AM

Ok, do you have a NAT rule defined, in order not to nat the traffic over the vpn tunnel?

Can you run packet tracer for me and upload the output. E.g "packet-tracer input inside tcp 172.24.2.218 www 192.168.196.? www"

Can you provide the output of "show crypto ipsec sa" and "show vpn-sessiondb detail l2l" please?

0 Helpful

Eric Snijders
Level 1
Level 1
In response to Rob Ingram

‎06-13-2018 03:47 AM - edited ‎06-13-2018 03:50 AM

Hi RJI,

NAT Exempt:

 

nat (LOCALVPNSUBNET,Internet) source static InternalHost InternalHost destination static RemoteJuniperSubnet RemoteJuniperSubnet no-proxy-arp route-lookup

 

Packet Tracer:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc Internet

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LOCALVPNSUBNET,Internet) source static InternalHost InternalHost destination static RemoteJuniperSubnet RemoteJuniperSubnet no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Internet
Untranslate 192.168.196.100/22 to 192.168.196.100/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LOCALVPNSUBNET_access_in in interface LOCALVPNSUBNET
access-list LOCALVPNSUBNET_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x2aaac5b83170, priority=13, domain=permit, deny=false
 hits=0, user_data=0x2aaaba303a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=LOCALVPNSUBNET, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LOCALVPNSUBNET,Internet) source static InternalHost InternalHost destination static RemoteJuniperSubne RemoteJuniperSubnet no-proxy-arp route-lookup
Additional Information:
Static translate 172.24.2.219/22 to 172.24.2.219/22
 Forward Flow based lookup yields rule:
 in id=0x2aaac7b83c40, priority=6, domain=nat, deny=false
 hits=1, user_data=0x2aaac5b83050, cs_id=0x0, flags=0x0, protocol=0
 src ip/id=172.24.2.219, mask=255.255.255.255, port=0, tag=any
 dst ip/id=192.168.196.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
 input_ifc=LOCALVPNSUBNET, output_ifc=Internet

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x2aaac3823a80, priority=0, domain=nat-per-session, deny=false
 hits=34860, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x2aaac5613fe0, priority=0, domain=inspect-ip-options, deny=true
 hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=LOCALVPNSUBNET, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x2aaac4781c90, priority=20, domain=lu, deny=false
 hits=4, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=LOCALVPNSUBNET, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2aaac7a5af90, priority=70, domain=encrypt, deny=false
 hits=3, user_data=0x0, cs_id=0x2aaac56786b0, reverse, flags=0x0, protocol=0
 src ip/id=172.24.2.219, mask=255.255.255.255, port=0, tag=any
 dst ip/id=192.168.196.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=Internet

Result:
input-interface: LOCALVPNSUBNET
input-status: up
input-line-status: up
output-interface: Internet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

show crypto ipsec sa

There are no ipsec sas

show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : JuniperWANip
Index        : 167                    IP Addr      : JuniperWANip
Protocol     : IKEv2
Encryption   : IKEv2: (1)AES256       Hashing      : IKEv2: (1)SHA256
Bytes Tx     : 0                      Bytes Rx     : 0
Login Time   : 10:44:28 CEDT Wed Jun 13 2018
Duration     : 2h:01m:45s

IKEv2 Tunnels: 1

IKEv2:
  Tunnel ID    : 167.1
  UDP Src Port : 500                    UDP Dst Port : 500
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA256
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 21495 Seconds
  PRF          : SHA256                 D/H Group    : 14
  Filter Name  :

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Eric Snijders

‎06-13-2018 05:09 AM

Ok, You've previously stated "Internal Private IP = 172.24.2.218/32"....but the packet tracer shows "src ip/id=172.24.2.219". Can you confirm the IP/subnet mask in the object you've defined, modify it if necessary and try again. If it fails, can you re-run the packet tracer command

Ta
0 Helpful

Eric Snijders
Level 1
Level 1
In response to Rob Ingram

‎06-13-2018 05:32 AM

Hi RJI,

 

That was a typo from my side. I just deleted the S2S tunnel and recreated it and all of a sudden it's working perfectly now. No idea what went wrong...

0 Helpful
Customers Also Viewed These Support Documents