Static to Dynamic ASA VPN Problems

Kristopher Cowen · ‎11-21-2011

I am getting errors and unable to send traffic across my VPN tunnel. I am using a ASA 5505 and 5510. The 5505 is setup static with the 5510 dynamic. I am getting the following errors on the 5510 and getting similar errors on the 5505:

Nov 21 [IKEv1]Group = DefaultL2LGroup, IP = xxx.xxx.xxx.xxx, Removing peer from correlator table failed, no match!

Nov 21 [IKEv1]Group = DefaultL2LGroup, IP = xxx.xxx.xxx.xxx, QM FSM error (P2 struct &0xae2d6d70, mess id 0x9df74ed4)

These are with just debugging at level 1 with ipsec and ikev1. Both ASA's are running code 8.4(2) and ASDM 6.4(5) 106. The SA is established:

5510# show crypto ikev1 sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: xxx.xxx.xxx.xxx

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

I am showing active tunnels in ipsec, ikev1, and isakmp stats. It may have something to do with NAT. You do not want VPN traffic to be NAT'd correct? Any ideas, help, and suggestions would be appreciated. Thank you. Attached is a example drawing.

acomiskey · ‎11-21-2011

I usually have to enable/disable pfs on one end or the other when I see the qm fsm error...but would need to see the configs.

Kristopher Cowen · ‎11-22-2011

This is my first site to site setup. Here is the configuration for the 5510:

ASA Version 8.4(2)

!

hostname 5510

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.2.2.1 255.255.255.252

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Remote-Network

subnet 10.10.10.0 255.255.255.252

object network Local-Network

subnet 10.2.2.0 255.255.255.252

access-list global_access extended permit ip any any log debugging

access-list outside_cryptomap extended permit ip any any log debugging

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

icmp permit any management

no asdm history enable

arp timeout 14400

nat (inside,outside) source static Local-Network Local-Network destination static Remote-Network Remote-Network no-proxy-arp

access-group global_access global

route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

route inside 0.0.0.0 0.0.0.0 10.2.2.1 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt noproxyarp outside

sysopt noproxyarp inside

sysopt noproxyarp management

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto dynamic-map 10.1.1.1 1 match address outside_cryptomap

crypto dynamic-map 10.1.1.1 1 set pfs

crypto dynamic-map 10.1.1.1 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map1 1 ipsec-isakmp dynamic 10.1.1.1

crypto map outside_map1 interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 60

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Kristopher Cowen · ‎11-22-2011

Configuration for the 5505:

ASA Version 8.4(2)

!

hostname 5505

names

!

interface Ethernet0/0

description WAN-DHCP-Connection

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.252

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.2 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Remote_Network

subnet 10.2.2.0 255.255.255.252

access-list global_access extended permit ip any any

access-list outside_cryptomap extended permit ip any any

pager lines 24

logging enable

logging console emergencies

logging monitor informational

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

access-group global_access global

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

route inside 0.0.0.0 0.0.0.0 10.10.10.1 tunneled