Simple VPN set up, phase 1 won't initiate

Jiten87
Level 1

Diagram (sorry for quality) and both asa configs are attached, please help!

5 Replies

Hi,
How are you testing connectivity? You should attempt to establish connectivity from an IP address defined in the access-list that defines interesting traffic; don't test this from the ASA, rather from a device behind the ASA.

Can you enable debugs "debug crypto ikev1 128", attempt to establish the VPN and provide the debug output for review.

HTH

I'm testing connectivity with two (PC) hosts behind both ASAs


On the left side of the diagram I have a host with ip 10.55.100.50/24

On the right, 192.168.100.250/24


When I try to ping either end I get the following message on each asa under the debug command:


Failed to locate egress interface for ICMP from inside:10.55.100.50/63497 to 192.168.100.250/0

Failed to locate egress interface for ICMP from inside:192.168.100.250/43785 to 10.55.100.50/0

In your configuration I see no default route, e.g - route outside 0.0.0.0 0.0.0.0 <next hop ip>


Define the default route on both ASA and try again - if you still have an issue, please provide the debugs.

Progress! After adding the routes I am now getting attempts at phase 1, but still not successful


IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 208.184.100.100
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2


Debug messages on right ASA after trying to send icmp messages from the right side host to the left side:


%ASA-7-609001: Built local-host inside:192.168.100.250
%ASA-7-609001: Built local-host outside:10.55.100.50
%ASA-7-609002: Teardown local-host inside:192.168.100.250 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.55.100.50 duration 0:00:00
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 208.184.100.100, IKE Initiator: New Phase 1, Intf inside, IKE Peer 208.184.100.100 local Proxy Address 192.168.100.0, remote Proxy Address 10.55.100.0, Crypto map (outside_map)
%ASA-7-715046: IP = 208.184.100.100, constructing ISAKMP SA payload
%ASA-7-715046: IP = 208.184.100.100, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 208.184.100.100, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 208.184.100.100, constructing NAT-Traversal VID ver RFC payload
%ASA-7-715046: IP = 208.184.100.100, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 208.184.100.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
%ASA-7-609001: Built local-host inside:192.168.100.250
%ASA-7-609001: Built local-host outside:10.55.100.50
%ASA-7-609002: Teardown local-host inside:192.168.100.250 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.55.100.50 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-609001: Built local-host inside:192.168.100.250
%ASA-7-609001: Built local-host outside:10.55.100.50
%ASA-7-609002: Teardown local-host inside:192.168.100.250 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.55.100.50 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-609001: Built local-host inside:192.168.100.250
%ASA-7-609001: Built local-host outside:10.55.100.50
%ASA-7-609002: Teardown local-host inside:192.168.100.250 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.55.100.50 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-713236: IP = 208.184.100.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
%ASA-7-609001: Built local-host inside:192.168.100.250
%ASA-7-609001: Built local-host outside:10.55.100.50
%ASA-7-609002: Teardown local-host inside:192.168.100.250 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.55.100.50 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-713236: IP = 208.184.100.100, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172


MM_WAIT_MSG2 means the initiator has sent its encr/hash/dh IKE policy details to make initial contact. The initiator will wait at MM_WAIT_MSG2 until it hears back from its peer.

Check if the other ASA has a default route or can access the internet, etc.

Need debugs from both sides. Also, the provided debug information is very limited; need more debug logs.

Please do not forget to rate.
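As an added example (not from the thread or from Cisco), the following Python script applies the triage logic the replies above describe to ASA debug output: it flags the "Failed to locate egress interface" condition from the first exchange as a missing route, and counts IKEv1 main-mode message 1 SENDING/RESENDING lines (%ASA-7-713236) with no reply to recognise an initiator stuck in MM_WAIT_MSG2. The sample log lines are constructed to mirror the thread's output with a documentation peer address in place of the real one, and the "IKE_DECODE RECEIVED" pattern for an incoming message is an assumption about the ASA's log format.

```python
import re
from collections import Counter

# Constructed samples modelled on the thread's debug output (documentation
# address 203.0.113.1 stands in for the poster's real peer IP).
LOG_NO_ROUTE = """\
Failed to locate egress interface for ICMP from inside:192.168.100.250/43785 to 10.55.100.50/0
"""
LOG_MM_WAIT = """\
%ASA-5-713041: IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.1 local Proxy Address 192.168.100.0, remote Proxy Address 10.55.100.0, Crypto map (outside_map)
%ASA-7-713236: IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-713236: IP = 203.0.113.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
%ASA-7-713236: IP = 203.0.113.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
"""

# msgid=0 is the ISAKMP phase 1 exchange; RECEIVED is an assumed direction keyword.
IKE_MSG = re.compile(r"%ASA-7-713236: IP = (\S+), IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=0\)")
EGRESS = re.compile(r"Failed to locate egress interface for \S+ from (\S+) to (\S+)")


def triage_ikev1(log_text):
    """Return (verdict, details) for one ASA's IKEv1 initiator debug output."""
    counts = Counter()
    peers = set()
    no_route = []
    for line in log_text.splitlines():
        m = IKE_MSG.search(line)
        if m:
            peers.add(m.group(1))
            counts[m.group(2)] += 1
            continue
        m = EGRESS.search(line)
        if m:
            no_route.append((m.group(1), m.group(2)))
    details = {"peers": sorted(peers), "counts": dict(counts), "no_route": no_route}
    if no_route:
        # ASA cannot choose an egress interface: fix routing (e.g. a default route) first.
        return "NO_ROUTE", details
    if counts["SENDING"] and not counts["RECEIVED"]:
        # MM1 left (and was retransmitted) but nothing came back: MM_WAIT_MSG2.
        # Check the far-end ASA's default route/reachability and gather its debugs too.
        return "MM_WAIT_MSG2", details
    if counts["RECEIVED"]:
        return "PAST_MM1", details
    return "NO_IKE_ACTIVITY", details


if __name__ == "__main__":
    for name, log in (("no-route", LOG_NO_ROUTE), ("mm-wait", LOG_MM_WAIT)):
        print(name, *triage_ikev1(log))
```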