24415 Views, 0 Helpful, 10 Replies

show crypto isakmp/ipsec sa shows nothing

chan.puilai
Level 1

Dear All,

I have set up an IPsec VPN on my C2811 router, but "show crypto isakmp/ipsec sa" shows nothing.

The remote endpoint is an ASA5520. Does it indicate that the remote ASA5520 is not yet configured?

Here is my router configuration:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <pre-shared key> address 202.70.53.xx
!
crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
!
crypto map cisco 1 ipsec-isakmp
 set peer 202.70.53.xx
 set transform-set ipsec
 match address vpn
!
interface FastEthernet0/0
 description WAN
 ip address 202.55.8.zzz 255.255.255.252 secondary
 ip address 202.55.8.yy 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map cisco

eemee#sh crypto isakmp sa
dst             src             state          conn-id slot status

eemee#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 202.55.8.yy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.17.91.190/255.255.255.255/0/0)
   current_peer 202.70.53.xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.55.8.yy, remote crypto endpt.: 202.70.53.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Ping to the peer is normal:

eemee#ping 202.70.53.xx so 202.55.8.yy
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.70.53.1, timeout is 2 seconds:
Packet sent with a source address of 202.55.8.yy
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms

Extended IP access list nat
    10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
    20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
Extended IP access list vpn
    10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190


10 Replies

Richard Burts
Hall of Fame

There are several things that could cause these symptoms, and we do not have enough information provided to identify which one it is.

- Certainly it could cause these symptoms if the peer ASA5520 is not yet configured.

- It could also cause these symptoms if the peer ASA5520 is configured but some of the configuration parameters do not match what you have configured.

- I am puzzled why there are two addresses configured on the interface. If the peer ASA5520 configured its peer address to use the secondary address it might cause these symptoms.

- I see that address translation is configured. Some mistakes in configuring address translation might cause symptoms like these.

As a first step I would suggest that you contact the administrator of the ASA5520 and ask if their configuration is complete. If they believe that their configuration is complete then you might ask them to specify what parameters they have configured and compare them to your parameters.

As a follow up step, running debug crypto isakmp might provide some insight into what is happening and what is the problem.

HTH

Rick
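Rick's second bullet, a peer that is configured but with parameters that do not match, is the one you can check without any debug output once the ASA administrator tells you their policy. The script below is an added example, not code from the thread or from Cisco: it applies the IKEv1 phase-1 matching rule (encryption, hash, authentication and DH group must be identical in some pair of policies, tried in the initiator's priority order; lifetimes need not match, the shorter one is used) to the router policy from the post and to two constructed ASA policy sets. The ASA policies, the `policy`, `negotiate` and `explain_mismatch` helpers and the placeholder names are all assumptions made for the example; the real ASA5520 configuration was never shown in the thread.

```python
"""Added example (not from the thread): check whether two peers can agree
on an IKEv1 phase-1 (ISAKMP) policy, one of the mismatch cases Rick lists.
The router-side policy is the one from the post; the ASA-side policies are
constructed stand-ins, because the real ASA5520 configuration was never
shown.  Rule applied (Cisco IKEv1 behaviour): encryption, hash,
authentication and DH group must be identical in some policy pair, tried
in the initiator's priority order; lifetimes need not match, the shorter
of the two is used."""

MUST_MATCH = ("encr", "hash", "auth", "group")


def policy(priority, encr, hash_alg, auth, group, lifetime):
    """One 'crypto isakmp policy' / 'crypto ikev1 policy' entry, fully specified."""
    return {"priority": priority, "encr": encr, "hash": hash_alg,
            "auth": auth, "group": group, "lifetime": lifetime}


def negotiate(initiator, responder):
    """Return (initiator_policy, responder_policy, negotiated_lifetime) for the
    first acceptable pair, or None when no phase-1 policy can be agreed."""
    for ip in sorted(initiator, key=lambda p: p["priority"]):
        for rp in sorted(responder, key=lambda p: p["priority"]):
            if all(ip[k] == rp[k] for k in MUST_MATCH):
                return ip, rp, min(ip["lifetime"], rp["lifetime"])
    return None


def explain_mismatch(initiator, responder):
    """For every policy pair, list the attributes that differ.  This is the
    comparison Rick suggests doing by hand against the ASA administrator's
    parameters."""
    report = []
    for ip in initiator:
        for rp in responder:
            diff = [k for k in MUST_MATCH if ip[k] != rp[k]]
            report.append((ip["priority"], rp["priority"], diff))
    return report


# Router side, from the post.  'hash sha' is the IOS default, which the
# posted policy omits; 'encr aes' on IOS means AES-128.
ROUTER = [policy(1, "aes", "sha", "pre-share", 2, 28800)]

# Constructed ASA policy sets (assumptions, not the real ASA config).
# ASA_OK reaches agreement on its second entry; ASA_BAD differs in the
# hash on one entry and in the DH group on the other.
ASA_OK = [policy(10, "3des", "sha", "pre-share", 2, 86400),
          policy(20, "aes", "sha", "pre-share", 2, 86400)]
ASA_BAD = [policy(10, "aes", "md5", "pre-share", 2, 86400),
           policy(20, "aes", "sha", "pre-share", 5, 86400)]

if __name__ == "__main__":
    for name, asa in (("ASA_OK", ASA_OK), ("ASA_BAD", ASA_BAD)):
        result = negotiate(ROUTER, asa)
        if result:
            ip, rp, life = result
            print(f"{name}: agree on router policy {ip['priority']} / ASA policy "
                  f"{rp['priority']}, lifetime {life}s")
        else:
            print(f"{name}: no phase-1 agreement")
            for ipri, rpri, diff in explain_mismatch(ROUTER, asa):
                print(f"  router {ipri} vs ASA {rpri}: differs in {', '.join(diff)}")
```

Run it as-is to see the two outcomes; to use it on a real case, replace the ASA lists with the parameters the remote administrator gives you. Note that a policy-level agreement is still only phase 1: the pre-shared key, the peer address (the primary address of the crypto-mapped interface on the IOS side) and the phase-2 transform set and proxy identities must also line up, and a mismatch there shows up in "debug crypto isakmp" / "debug crypto ipsec" rather than here.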

Rick, thank you for your advice.

- The secondary IP is configured on the WAN interface since the ISP-provided default gateway is within the secondary IP subnet.

And I have provided the administrator of the ASA5520 with the primary IP 202.55.8.yy as the peer.

I am trying to contact the administrator to get the ASA5520 configuration, but I am not sure whether I can get it.

If I cannot get it, how can I check whether the remote ASA5520 is configured?

- I have just cancelled the NAT of 202.55.8.yy to an IP on the internal VLAN, but the same result as above is given.

- I have run "debug crypto isakmp" before and now, but no message comes up on the console.

C2811#debug crypto isakm
Crypto ISAKMP debugging is on
C2811#

Thanks.

If you have turned on debug and there is no output, then my first question would be to confirm that you have used the command terminal monitor, so that copies of the log messages are sent to your session, and also to confirm that monitor logging includes the severity level debugging.

If we are sure that the issue is that there is no debug output (and not that the debug output just was not sent to your session) then we can move to looking at a different aspect of the problem. The ISAKMP negotiation should be initiated when there is "interesting" traffic that would attempt to use the VPN. The "interesting" traffic is defined by access list vpn. So can you confirm that there is traffic that matches the access list while debug was running?

HTH

Rick

I have turned on term mon, and:

C2811#debug arp
ARP packet debugging is on
eemee#
*Feb 27 04:33:19.822: IP ARP rep filtered src 192.168.0.120 d4ae.526a.9212, dst 192.168.0.120 0000.0000.0000 wrong cable, interface Vlan10
*Feb 27 04:33:20.042: IP ARP rep filtered src 192.168.0.120 d4ae.526d.92fa, dst 192.168.0.120 0000.0000.0000 wrong cable, interface Vlan10
*Feb 27 04:33:22.794: IP ARP rep filtered src 192.168.0.120 d4ae.526b.65ec, dst 192.168.0.120 0000.0000.0000 wrong cable, interface Vlan10

I suppose that it is not the first problem.

For the second question:

I cannot find any traffic matching access list vpn:

C2811#sh access-list
Extended IP access list nat
    10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
    20 permit ip 192.168.13.0 0.0.0.255 any (1377 matches)
Extended IP access list vpn
    10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190

What does it indicate?

Lai

Accepted Solution

Lai

The fact that there are no matches in the access list vpn seems to mean that there has not been any traffic from your end (from 192.168.13.0/24) that would go through the VPN. If there has not been any traffic that matches the access list then there has not been anything that would initiate the ISAKMP negotiation or the IPSec negotiation. And that is probably why your original show commands had empty results.

Can you arrange for someone in 192.168.13.0 to send traffic to 10.17.91.190? That should initiate the ISAKMP negotiation.

HTH

Rick
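Rick's point is that the crypto map only does anything for packets that match access list vpn, and his earlier reply also warned that a NAT mistake can produce the same symptom. Both come from the IOS order of operations for inside-to-outside traffic: the router routes the packet, applies "ip nat inside source" translation, and only then checks the crypto map against the (possibly translated) addresses. The script below is an added example, not code from the thread or from Cisco; it walks sample packets through that order using the two access lists exactly as the post printed them, plus a constructed variant of the nat list with its deny line removed, to show which traffic is "interesting" and why the NAT exemption on line 10 matters. Assumptions: the router carries a NAT statement of the form "ip nat inside source list nat interface FastEthernet0/0 overload" (the post never shows it), 202.55.8.1 stands in for the redacted WAN address 202.55.8.yy, and the `parse_acl`, `acl_permits` and `classify` helpers are mine.

```python
"""Added example, not part of the thread: a model of how an IOS router
classifies inside-to-outside traffic, using the two access lists from the
post.  Assumptions: IOS order of operations (routing, then 'ip nat inside
source' translation, then the crypto map check), a NAT statement such as
  ip nat inside source list nat interface FastEthernet0/0 overload
that the post does not show, and 202.55.8.1 as a stand-in for the
redacted WAN address 202.55.8.yy."""
import ipaddress

WAN_ADDR = ipaddress.ip_address("202.55.8.1")  # placeholder for 202.55.8.yy

# Access lists as 'show access-list' printed them in the post.
NAT_ACL_TEXT = """
10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
"""
VPN_ACL_TEXT = """
10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190
"""
# Constructed variant (not from the post): the NAT exemption is missing.
NAT_ACL_NO_EXEMPT_TEXT = """
10 permit ip 192.168.13.0 0.0.0.255 any
"""


def _network(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse extended 'permit|deny ip SRC DST' entries.  Leading sequence
    numbers and trailing '(n matches)' counters are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, rest = _network(tokens[2:])
        dst, _ = _network(rest)
        entries.append((action == "permit", src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for permit, s, d in entries:
        if src in s and dst in d:
            return permit
    return False


def classify(src, dst, nat_acl, vpn_acl):
    """Walk one packet through NAT and then the crypto map, in IOS order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = acl_permits(nat_acl, src, dst)            # NAT runs first
    post_nat_src = WAN_ADDR if translated else src
    interesting = acl_permits(vpn_acl, post_nat_src, dst)  # then the crypto map
    return {"translated": translated,
            "post_nat_src": str(post_nat_src),
            "interesting": interesting}


if __name__ == "__main__":
    nat = parse_acl(NAT_ACL_TEXT)
    nat_no_exempt = parse_acl(NAT_ACL_NO_EXEMPT_TEXT)
    vpn = parse_acl(VPN_ACL_TEXT)
    cases = [("LAN host to remote host, posted ACLs", "192.168.13.10", "10.17.91.190", nat),
             ("LAN host to the Internet, posted ACLs", "192.168.13.10", "8.8.8.8", nat),
             ("LAN host to remote host, no NAT exemption", "192.168.13.10", "10.17.91.190", nat_no_exempt),
             ("host outside the crypto ACL", "192.168.0.120", "10.17.91.190", nat)]
    for label, s, d, acl in cases:
        r = classify(s, d, acl, vpn)
        print(f"{label}: src after NAT {r['post_nat_src']}, "
              f"interesting={r['interesting']}")
```

The third case is the classic failure: without the deny on line 10, a packet from 192.168.13.0/24 to 10.17.91.190 leaves with source 202.55.8.yy, no longer matches access list vpn, and so never starts an ISAKMP negotiation even though the VPN configuration itself is correct. On the posted configuration the exemption is present, so the only remaining explanation for zero matches is what Rick says: nothing from 192.168.13.0/24 has tried to reach 10.17.91.190 yet.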

Can I achieve it by doing this? VLAN 10 is our LAN.

C2811#ping 10.17.91.190 so 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.17.91.190, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.254
.....
Success rate is 0 percent (0/5)

eemee#sh run int vlan 10
Building configuration...

Current configuration : 106 bytes
!
interface Vlan10
 ip address 192.168.13.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
end

One more question:

Is it necessary for the transform-set name to be the same on both sides?

Ricky,

If the VPN at the ASA has only one configuration for the VPN, and it is now connecting to another site's VPN router C2811:

Is it possible to configure one more VPN on a C2811 router at a third site and "join" the ASA's VPN?

Thanks.

Lai

Ricky,

The remote-side ASA administrator pinged our LAN 192.168.0.16/24 and the tunnel is up.

Thank you very much.

Lai

Lai

I am glad that it is working now. Thank you for posting back to the thread and indicating that it is working.

HTH

Rick

Hi Rich,

I have a similar problem. My end is a 2911 and the remote is a Firepower. The VPN connection is not established. Any idea what could cause it?

#Sh crypto isakmp sa shows nothing