09-19-2012 02:30 AM
Hi guys,
Been troubleshooting on an IPSec tunnel that went down without warning:
As described in the forum thread, https://supportforums.cisco.com/thread/2091809
the policies look identical on both sides.
I've checked the IKEv1 policy on both ASAs and here's the output:
asa_branch:
asa_branch# sh run crypto ma
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer x.x.x.x
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
asa_hq:
asa_hq# sh run crypto ma
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer y.y.y.y
crypto map Outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
They are identical. But still no VPN tunnel is up:
asa_branch# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
asa#
May I know what other troubleshooting steps I need to do?
Thank you.
09-19-2012 05:59 AM
Can you get the config of both locations?
In the above config the tunnel-group and pre-shared key are missing.
Are the crypto map and ISAKMP set to the outside interface?
09-19-2012 07:02 AM
Hello Shine,
Thanks for the reply. I'm really wondering, what could I have done wrong?
No VPN tunnel is forming; not even MM_MSG states are there.
Here is the config:
asa_branch:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer x.x.x.x
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer a.a.a.a
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
!
!
!
!
!
!
!
!
dhcpd address 10.1.1.10-10.1.1.30 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_a.a.a.a internal
group-policy GroupPolicy_a.a.a.a attributes
vpn-tunnel-protocol ikev1 ikev2
!
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy GroupPolicy_a.a.a.a
tunnel-group a.a.a.a ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
I have very limited access to asa_hq; here is some of it:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map Outside_dyn_map 20 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-MD5
crypto dynamic-map Outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer y.y.y.y
crypto map Outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set pfs
crypto map Outside_map0 2 set peer a.a.a.a
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
!
!
!
!
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
!
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y general-attributes
default-group-policy GroupPolicy_y.y.y.y
tunnel-group y.y.y.y ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy GroupPolicy_a.a.a.a
tunnel-group a.a.a.a ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
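Added example (not part of the thread, and not Cisco code): a small parser that reads two ASA config excerpts and reports which IKEv1 policies and which crypto map transform sets would actually match between the peers. The config text inside it is constructed to mirror the branch and HQ configs above (the DES policies deliberately differ on DH group, as they do in the thread), and the function names are this example's own.

```python
"""Compare IKEv1 phase 1 policies and phase 2 transform sets from two ASA configs.

Added troubleshooting aid; the config strings are constructed to mirror the thread's
configs and the function names are this example's own assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Attributes that belong to a 'crypto ikev1 policy' block.
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_ikev1_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy' block."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = {}
            policies[int(m.group(1))] = current
            continue
        first = line.split()[0]
        if current is not None and first in POLICY_KEYS:
            current[first] = line[len(first):].strip()
        else:
            current = None  # any other line ends the policy block
    return policies


def policy_key(policy: Dict[str, str]) -> Tuple[str, ...]:
    """Attributes the peer must match exactly; lifetime is negotiated, so it is left out."""
    return tuple(policy.get(k, "") for k in ("authentication", "encryption", "hash", "group"))


def matching_policies(local: Dict[int, Dict[str, str]],
                      remote: Dict[int, Dict[str, str]]) -> List[Tuple[int, int, Tuple[str, ...]]]:
    """Pairs (local priority, remote priority, attributes) that can complete phase 1."""
    return [
        (lp, rp, policy_key(lv))
        for lp, lv in sorted(local.items())
        for rp, rv in sorted(remote.items())
        if policy_key(lv) == policy_key(rv)
    ]


def parse_transform_sets(config: str) -> Dict[str, Tuple[str, ...]]:
    """Map each IKEv1 transform-set name to its transforms, e.g. ('esp-3des', 'esp-sha-hmac')."""
    sets: Dict[str, Tuple[str, ...]] = {}
    for m in re.finditer(r"^crypto ipsec ikev1 transform-set (\S+)\s+(.+?)\s*$", config, re.M):
        sets[m.group(1)] = tuple(m.group(2).split())
    return sets


def map_entry_transforms(config: str, map_name: str, seq: int) -> Set[Tuple[str, ...]]:
    """Transforms proposed by one crypto map entry, resolved through the named sets."""
    pattern = rf"^crypto map {re.escape(map_name)} {seq} set ikev1 transform-set (.+?)\s*$"
    m = re.search(pattern, config, re.M)
    names = m.group(1).split() if m else []
    sets = parse_transform_sets(config)
    return {sets[n] for n in names if n in sets}


# Constructed excerpts modelled on the thread's asa_branch and asa_hq configs.
BRANCH_CFG = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map0 1 set peer x.x.x.x
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-SHA ESP-DES-MD5
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
"""

HQ_CFG = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map Outside_map0 1 set peer y.y.y.y
crypto map Outside_map0 1 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-MD5
crypto ikev1 enable Outside
crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
"""

if __name__ == "__main__":
    print("phase 1 matches:", matching_policies(parse_ikev1_policies(BRANCH_CFG),
                                                parse_ikev1_policies(HQ_CFG)))
    print("phase 2 overlap:", map_entry_transforms(BRANCH_CFG, "outside_map0", 1)
          & map_entry_transforms(HQ_CFG, "Outside_map0", 1))
```

On these inputs the 3DES/SHA/group 2 policies match and both sides propose esp-3des/esp-sha-hmac, so neither phase 1 policy nor phase 2 transform selection explains a tunnel that will not come up; that is exactly the situation in which a pre-shared key or tunnel-group mismatch becomes the next thing to check.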
09-19-2012 07:01 AM
Hi Jemel,
Is it a new setup, or one which was working earlier?
Just post the complete VPN configuration with phase 1 and phase 2 parameters and crypto ACLs.
If everything is configured, then have you tried generating the interesting traffic?
You can verify with the built-in help command:
asa-pri(config)# vpnsetup site-to-site steps
and check whether you have all the parameters set as per the help command.
However, that help command shows site-to-site setup samples from prior to 8.3. If your ASA version is 8.3 or above, then you may need to make some changes in command syntax, like the below:
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto map rlc 10 match address s2svpn
crypto map rlc 10 set peer 10.144.139.213
crypto map rlc 10 set ikev1 transform-set myset
crypto map rlc interface outside
crypto map abc 100 match address s2svpn
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group SF type ipsec-l2l
tunnel-group 10.144.139.213 type ipsec-l2l
tunnel-group 10.144.139.213 ipsec-attributes
ikev1 pre-shared-key *****
!
Please do rate if the given information helps.
By
Karthik
09-19-2012 07:19 AM
Hello Karthik,
This was a working config.
All of sudden VPN Tunnel can't be established with me doing nothing.
I've posted the vpn parameters above.
Correct me if I'm wrong: on the first match of the IKEv1 transform set and IKEv1 policy between peers, the VPN tunnel should be established, right?
Do you know any way to possibly find the culprit of this issue?
09-19-2012 07:31 PM
After a series of debugs and reading other websites, this issue pointed to a pre-shared key mismatch.
Thanks to http://www.petenetlive.com/KB/Article/0000216.htm
I just keyed-in the pre-shared key again and the VPN Tunnel is up and running.
09-19-2012 10:17 PM
Hello Jemel,
Good to hear that the VPN is up and running. But if it was just the pre-shared key mismatch, which you have re-entered, then before that you should have got an error message like Msg_Wait_5 or Msg_Wait_6, which says it is a pre-shared key mismatch, you know.
Shine
09-20-2012 12:17 AM
Hi Shine,
The reason there were no error messages like Msg_Wait_5 or Msg_Wait_6 was that no traffic was initiated. I tried pinging the server on the other side. While pinging, "show crypto isakmp sa" showed Msg_Wait_6. Right there, I concluded that it was the pre-shared key.
Thanks for the information Shine!
Regards,
Jeme
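Added example (not part of the thread, and not Cisco code): a parser for the IKEv1 section of "show crypto isakmp sa" that turns the main mode state into the usual first suspect, and that treats "There are no IKEv1 SAs" the way this thread ended up treating it: not as a failure, but as a sign that no interesting traffic has been sent yet. The sample output is constructed in the layout ASA 8.4 prints, the peer address is a documentation address, and the state-to-cause table is the conventional reading of those states, not an official mapping.

```python
"""Interpret ASA 'show crypto isakmp sa' (IKEv1) output to point at a phase 1 failure cause.

Added example; sample output is constructed, the cause table is the conventional
troubleshooting reading of each main mode state, and function names are this example's own.
"""
import re
from typing import Dict, List

# Likely cause per main mode state, as seen from the device that prints it.
STATE_HINTS = {
    "MM_WAIT_MSG2": "no reply from peer: peer unreachable, ikev1 not enabled on the peer's "
                    "interface, or UDP/500 filtered on the path",
    "MM_WAIT_MSG3": "peer stopped after our policy reply: check IKEv1 policy match and the path",
    "MM_WAIT_MSG4": "DH exchange did not complete: check path/MTU and the DH group",
    "MM_WAIT_MSG5": "peer never sent its authenticated identity: typically a pre-shared key "
                    "mismatch or a tunnel-group name mismatch on the peer",
    "MM_WAIT_MSG6": "peer could not authenticate our identity: typically a pre-shared key mismatch",
    "MM_ACTIVE": "phase 1 is up; if traffic fails, check phase 2 (crypto ACL mirror, "
                 "transform sets, pfs)",
}


def parse_isakmp_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict per IKE peer entry with type, role, rekey and state fields."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue  # header lines such as 'Active SA:' and 'Total IKE SA:'
        for key, value in re.findall(r"(Type|Role|Rekey|State)\s*:\s*(\S+)", line):
            current[key.lower()] = value
    return entries


def diagnose(output: str) -> List[str]:
    """One finding per SA; an empty SA table gets the 'send traffic first' advice."""
    if "There are no IKEv1 SAs" in output:
        return ["no IKEv1 SA: generate interesting traffic (e.g. ping a host behind the peer) "
                "before concluding anything; an idle or never-triggered tunnel shows no SA"]
    findings = []
    for entry in parse_isakmp_sa(output):
        state = entry.get("state", "UNKNOWN")
        hint = STATE_HINTS.get(state, "unrecognised state; collect 'debug crypto ikev1' output")
        findings.append(f"peer {entry['peer']} role={entry.get('role', '?')} state={state}: {hint}")
    return findings


# Constructed sample outputs (the second mirrors the empty table seen in the thread).
SAMPLE_STUCK = """
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.0.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
"""

SAMPLE_IDLE = "There are no IKEv1 SAs\nThere are no IKEv2 SAs\n"

if __name__ == "__main__":
    for sample in (SAMPLE_IDLE, SAMPLE_STUCK):
        for finding in diagnose(sample):
            print(finding)
```

The order of checks matters: an empty SA table must be answered by sending traffic across the tunnel, and only once a state such as MM_WAIT_MSG5 or MM_WAIT_MSG6 appears does the pre-shared key become the first thing to re-enter on both sides.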
09-20-2012 02:24 AM
Good good ...:)
Shine