08-26-2012 03:29 PM
I had another thread going, but when I got past my current hang up, I marked the thread as answered, so I wasn't sure if I should start another or continue on...
I've tried going through that troubleshooting doc, but I still can't figure this out.
When turning on debug for the 2811, I'm not seeing anything.
show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
#show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 108.x.x.x port 500
IKE SA: local 64.x.x.x/500 remote 108.x.x.x/500 Active
IPSEC FLOW: permit ip 192.168.26.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.27.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 99.x.x.x port 500
IKE SA: local 64.x.x.x/500 remote 99.x.x.x/500 Active
IPSEC FLOW: permit ip 192.168.27.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.26.0/255.255.255.0
Active SAs: 2, origin: crypto map
From the show crypto, to me, it looks like it's working, but 192.168.27.x isn't accessible.
The original ASA is still connected; I can post more details/config if needed.
The original thread is below...
https://supportforums.cisco.com/thread/2167470?tstart=0
08-26-2012 03:41 PM
ASA2# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 108.x.x.x
access-list outside_cryptomap permit ip 192.168.27.0 255.255.255.0 10.21.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
current_peer: 64.x.x.x
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 96, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 108.x.x.x, remote crypto endpt.: 64.x.x.x
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5FF3DE35
inbound esp sas:
spi: 0x68AAE4B9 (1756030137)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
ASA2# ping 10.21.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.21.0.1, timeout is 2 seconds:
?????
08-26-2012 11:35 PM
1) Your last ping-test can't work when you ping from the ASA. You have to test from an internal PC that is part of the encryption definition.
2) In the "show crypto ipsec sa" you see that this ASA encrypts traffic, but there is nothing decrypted. So most likely the other end of the tunnel is not sending anything back.
How to move on:
Show us the actual Crypto- and routing-config from the IPSec-peer.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
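As an added example (not part of this thread or of any Cisco tool), a small Python parser for the counters the answer above reads from `show crypto ipsec sa`: it flags an SA that encrypts but never decrypts, the symptom that turned out to be the missing NAT exemption on the far side. The sample output is constructed from the ASA output posted earlier in the thread, with placeholder addresses and a second, healthy SA added for comparison.

```python
import re

# Constructed sample modelled on the ASA output posted in this thread (peer
# addresses are placeholders); the second SA is a healthy one for comparison.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 2, local addr: 108.0.0.1
  local ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
  current_peer: 64.0.0.1
  #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 3, local addr: 108.0.0.1
  local ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.30.18.0/255.255.255.0/0/0)
  current_peer: 64.0.0.1
  #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
  #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
"""

_IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
_PEER = re.compile(r"current_peer: ([\d.]+)")
_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry in 'show crypto ipsec sa' output."""
    sas = []
    for block in re.split(r"(?m)^Crypto map tag:", text)[1:]:
        sa = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in _IDENT.finditer(block)}
        sa.update({m.group(1): int(m.group(2)) for m in _COUNTER.finditer(block)})
        sa["peer"] = _PEER.search(block).group(1)
        sas.append(sa)
    return sas

def verdict(sa):
    """Classify an SA from its encaps/decaps counters, as the accepted answer does."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc > 0 and dec == 0:
        # Encrypting but never decrypting: the far side is not returning traffic,
        # typically routing, an ACL, or a missing NAT exemption at the peer.
        return "one-way (sending only): check the peer's routing/NAT exemption"
    if enc == 0 and dec > 0:
        return "one-way (receiving only): check local routing/NAT exemption"
    if enc == 0 and dec == 0:
        return "idle: no interesting traffic has matched this SA"
    return "two-way traffic"

def report(text):
    """One line per SA: '<local> -> <remote> via <peer>: <verdict>'."""
    return [f"{sa['local']} -> {sa['remote']} via {sa['peer']}: {verdict(sa)}"
            for sa in parse_ipsec_sa(text)]
```

Paste the real `show crypto ipsec sa` output into `report()` to get one verdict line per SA instead of eyeballing the counters.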
08-27-2012 06:18 AM
You were correct, the other end was not sending anything back.
There is a reason why it looked like the VPN was working, because it was.
I was so focused on the VPN settings that I kept skipping over an ACL on the router. Needed to no-NAT the local ASA's new subnet.
Will the ASAs ever have the extended ping commands like the routers, where you can ping from a specific interface?
Thanks,
Jason