Solved: Site-To-Site VPN Problem...

sherif3745 · ‎06-02-2013

Hello Everybody,

Having a huge problem trying to connect 3 different offices via a site to site vpn. Main offices are Cisco 2821 running 12.4 IOS and the remote office is an ASA5505 running 8.4.4.1 and loaded with the Security Plus License. Config is identical on both sites, however, I can't get the VPN connection up and running, show crypto session on the 2821 indicates a Down status.

I'm suspecting it might be a NAT issue, on the 2821 I denied NATing between the 2 Local Subnets (2821 Internal and 5505 Internal) but on the 5505 I can't figure out how to do that, still not really sure if it relates to NAT or not. Debug Crypto IPSec and Debug Crypto ISAKAMP on the 2821 shows nothing but this message "

No peer struct to get peer description".

Here is the Show Run on the ASA5505

enable password ********** encrypted

passwd *********** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group 1

ip address 129.106.21.xx 255.255.255.255 pppoe setroute

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list ACL2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set TS1 esp-aes-256 esp-sha-hmac

crypto map abcmap 1 match address ACL1

crypto map abcmap 1 set peer 129.31.43.x

crypto map abcmap 1 set ikev1 transform-set TS1

crypto map abcmap 1 set security-association lifetime seconds 86400

crypto map abcmap 2 match address ACL2

crypto map abcmap 2 set peer 89.37.50.x

crypto map abcmap 2 set ikev1 transform-set TS1

crypto map abcmap 2 set security-association lifetime seconds 86400

crypto map abcmap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 20

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 20

vpdn group 1 request dialout pppoe

vpdn group 1 localname 7638****

vpdn group 1 ppp authentication pap

vpdn username 7638**** password *****

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 21.x.x.x

ntp server 22.x.x.x

webvpn

anyconnect-essentials

username ****** password $$$$$$ encrypted privilege 15

tunnel-group 129.31.43.x type ipsec-l2l

tunnel-group 129.31.43.x ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 89.37.50.x type ipsec-l2l

tunnel-group 89.37.50.x ipsec-attributes

ikev1 pre-shared-key *****

!

prompt hostname context

Any Help would be highly appreciated .

Jouni Forss · ‎06-02-2013

Hi,

You seem to be lacking the NAT0 configurations on the ASA side

Insert these configurations

object network LAN

subnet 192.168.1.0 255.255.255.0

object network REMOTE-LAN1

subnet 192.168.0.0 255.255.255.0

object network REMOTE-LAN2

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN1 REMOTE-LAN1

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN2 REMOTE-LAN2

This basically tells the ASA that DONT do NAT for the network LAN when the destination is either REMOTE-LAN1 or REMOTE-LAN2.

This should handle the NAT portion. You can ofcourse use different "object network" names if you wish. Above ones are just to illustrate their purpose.

To me it seems that all essential VPN configurations are there. Naturally cant check if they match the other sites.

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

View solution in original post

Jouni Forss · ‎06-04-2013

I have personally not used the software you mention on the ASA.

On my test ASAs I regularly use 8.4(5) software level.

I think it might be easier to troubleshoot the L2L VPN on the ASA actually. You can use the ASA itself to initiate the L2L VPN negotiation and monitor where the negotiation fails.

First you should naturally make sure that the Phase 1 goes through and the negotiation reaches Phase2.

There shouldnt be many things related to the VPN parameters that could be wrong.

Naturally you should also check the router side NAT configurations. My above NAT configurations presume that you DONT want to do any NAT between the sites. The sites should be able to communicate with their original IP addresses.

Sadly I am not that familiar with the Router side debugs output and Cisco hardly provides any supporting material to understand even half of them (or I just havent found any documents)

Have you tried to monitor the ASA through ASDM while you are attempting to bring the L2L VPN connection up?

- Jouni

View solution in original post

Jouni Forss · ‎06-02-2013

Hi,

You seem to be lacking the NAT0 configurations on the ASA side

Insert these configurations

object network LAN

subnet 192.168.1.0 255.255.255.0

object network REMOTE-LAN1

subnet 192.168.0.0 255.255.255.0

object network REMOTE-LAN2

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN1 REMOTE-LAN1

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN2 REMOTE-LAN2

This basically tells the ASA that DONT do NAT for the network LAN when the destination is either REMOTE-LAN1 or REMOTE-LAN2.

This should handle the NAT portion. You can ofcourse use different "object network" names if you wish. Above ones are just to illustrate their purpose.

To me it seems that all essential VPN configurations are there. Naturally cant check if they match the other sites.

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

sherif3745 · ‎06-02-2013

Thanks a lot Jouni, too appreciated! Gonna try it asap and will let you know, will mark your answer either way because your response was lightning fast!

Other sites are having Cisco 2821 with Advanced Enterprise Services 12.4-15T as well as AIM-VPN/EPII-Plus .

sherif3745 · ‎06-02-2013

Still no luck Jouni, tried it and didn't still work.

Pinging anything from local to local to initiate the kick in for the tunnels doesn't bring anything up and it times out, debugging on the 2821 showed new errors like:

peer does not do paranoid keepalives

Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.

ignoring retransmission,because phase2 node marked dead -732089843

IPSec policy invalidated proposal with error 256

It's too frustrating for me since I got almost nothing configured on both sides but only the VPN config, I highly doubt that it might be a caveat on the ASA iamge but googled and saw that lots are also complaining from the same issue...

Jouni Forss · ‎06-04-2013

I have personally not used the software you mention on the ASA.

On my test ASAs I regularly use 8.4(5) software level.

I think it might be easier to troubleshoot the L2L VPN on the ASA actually. You can use the ASA itself to initiate the L2L VPN negotiation and monitor where the negotiation fails.

First you should naturally make sure that the Phase 1 goes through and the negotiation reaches Phase2.

There shouldnt be many things related to the VPN parameters that could be wrong.

Naturally you should also check the router side NAT configurations. My above NAT configurations presume that you DONT want to do any NAT between the sites. The sites should be able to communicate with their original IP addresses.

Sadly I am not that familiar with the Router side debugs output and Cisco hardly provides any supporting material to understand even half of them (or I just havent found any documents)

Have you tried to monitor the ASA through ASDM while you are attempting to bring the L2L VPN connection up?

- Jouni

sherif3745 · ‎06-05-2013

Thanks Jouni, it was kinda weird, disabling the inside interface on the ASA and bringing it up again solved the problem, your efforts was highly appreciated buddy .