strange asa 5505 behaviour SAs does not exists ?

Hello,

Just bought a new ASA 5505 to set up 2 LAN-to-LAN VPNs.

It looks to me that it is configured properly, but the tunnels do not come up.

asaccb2# show crypto ipsec sa

There are no ipsec sas

I cannot see any SAs configured even though I DO HAVE them configured.

I see nothing with "debug crypto ipsec".

I do not know what is going wrong here and I am clueless.

This similar configuration has always been working on many other ASAs I have set up.

I also have the same problem with

show xlate detail
0 in use, 0 most used

It looks like NAT and VPN are not activated, but I issued the nat-control command and I assigned the crypto map to the outside interface,

so I do not understand.

The VPN config is correct in my opinion.

my local LAN is 192.168.203.0/24

my public outside address is 89.e.r.h

my inside address is 192.168.203.1

the default router for asa is 89.e.r.f

First L2L:

peer VPN 80.x.y.z

destination networks

80.93.77.0

80.93.78.0

10.174.0.0

172.19.0.0

my LAN has to be translated to 10.178.54.224/27 towards the other side of the tunnel

Second L2L:

peer VPN 91.a.b.c.d

destination networks 192.168.200.0/24; no particular addressing of my client to the other side

here is my ASA config:

: Written by enable_15 at 13:11:43.279 CEST Mon Feb 21 2011
!
ASA Version 8.2(1)
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.203.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 89.e.r.h 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.77.0 255.255.255.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.78.0 255.255.255.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 10.174.0.0 255.255.0.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.77.0 255.255.255.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.78.0 255.255.255.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 10.174.0.0 255.255.0.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 172.19.0.0 255.255.0.0
access-list DVRvpn extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.178.54.224-10.178.54.254 netmask 255.255.255.224
nat (inside) 1 access-list SEAT
route outside 10.174.0.0 255.255.0.0 89.e.r.f 1
route outside 80.93.77.0 255.255.255.0 89.e.r.f 1
route outside 80.93.78.0 255.255.255.0 89.e.r.f 1
route outside 80.93.79.168 255.255.255.255 89.e.r.f 1
route outside 172.19.0.0 255.255.0.0 89.e.r.f 1
route outside 192.168.200.0 255.255.255.0 89.e.r.f 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SEATset esp-3des esp-md5-hmac
crypto ipsec transform-set DVRset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SEATmap 10 match address SEATvpn
crypto map SEATmap 10 set peer 80.93.79.168
crypto map SEATmap 10 set transform-set SEATset
crypto map SEATmap 20 match address DVRvpn
crypto map SEATmap 20 set peer 91.213.197.63
crypto map SEATmap 20 set transform-set DVRset
crypto map SEATmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.203.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password riAch9TfWXn0ZOOQ encrypted privilege 15
tunnel-group 80.x.y.z type ipsec-l2l
tunnel-group 80.x.y.z ipsec-attributes
pre-shared-key *
tunnel-group 91.a.b.c type ipsec-l2l
tunnel-group 91.a.b.c ipsec-attributes
pre-shared-key *
!
!

Where is my mistake?

Thank you.


Jennifer Halim, Cisco Employee

You are missing a default route on the ASA, that is probably why it's not working.

The first VPN tunnel should probably work as you have a static route for the peer as well as for the remote LAN subnet pointing to the next hop. Have you tried to generate interesting traffic to trigger the VPN tunnel?

The second VPN tunnel is missing a route as well as NAT exemption.

NAT exemption would be as follows:

access-list nonat extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside) 0 access-list nonat

Please share the output of:

show cry isa sa

show cry ipsec sa

after the above changes.

Hope that helps.
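As an added example (not from the thread, the poster, or Cisco), a small Python checker for the two gaps pointed out above: a route towards each crypto map peer, and, under nat-control, either a NAT exemption (nat 0) or a policy-NAT pool that already covers the crypto ACL source. The config excerpt is constructed from the posted config with 192.0.2.1 standing in for the redacted next hop; FIX is the exemption from the reply above plus a default route.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the posted config; seq 20 has no route to its peer and no NAT exemption.
SAMPLE_CONFIG = """
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.77.0 255.255.255.0
access-list DVRvpn extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0
global (outside) 1 10.178.54.224-10.178.54.254 netmask 255.255.255.224
route outside 80.93.79.168 255.255.255.255 192.0.2.1 1
crypto map SEATmap 10 match address SEATvpn
crypto map SEATmap 10 set peer 80.93.79.168
crypto map SEATmap 20 match address DVRvpn
crypto map SEATmap 20 set peer 91.213.197.63
"""
FIX = """
access-list nonat extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

def parse(cfg):
    acls, routes, exempt, pools, cmap = {}, [], [], [], {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((ip_network(f"{t[5]}/{t[6]}"), ip_network(f"{t[7]}/{t[8]}")))
        elif t[0] == "route":
            routes.append(ip_network(f"{t[2]}/{t[3]}"))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            exempt.append(t[4])                      # NAT exemption ACL
        elif t[0] == "global" and "-" in t[3]:       # address-range pools only
            pools.append(tuple(ip_address(a) for a in t[3].split("-")))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cmap.setdefault(t[3], {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cmap.setdefault(t[3], {})["peer"] = ip_address(t[6])
    return acls, routes, exempt, pools, cmap

def check(cfg):
    acls, routes, exempt, pools, cmap = parse(cfg)
    exempt_nets = [src for name in exempt for src, _ in acls.get(name, [])]
    findings = []
    for seq, ent in sorted(cmap.items(), key=lambda kv: int(kv[0])):
        peer, acl = ent["peer"], ent["acl"]
        if not any(peer in r for r in routes):
            findings.append(f"seq {seq}: no route (not even a default) towards peer {peer}")
        for src, dst in acls.get(acl, []):
            exempted = any(src.subnet_of(e) for e in exempt_nets)   # covered by nat 0
            in_pool = any(lo <= src[-1] and src[0] <= hi for lo, hi in pools)  # policy-NAT case
            if not (exempted or in_pool):
                findings.append(f"seq {seq}: {src} -> {dst} in {acl} has no NAT exemption or pool")
    return findings
```

Running check(SAMPLE_CONFIG) reports only the seq 20 entry; check(SAMPLE_CONFIG + FIX) returns no findings.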

Hi,

I have the default route; I just omitted it in the configuration above.

Also with the default route it does not work.

Both the first and the second L2L do not work.

debug crypto ipsec does not show anything

and

show crypto ipsec sa

asaccb2# show crypto ipsec sa

There are no ipsec sas

Even if the L2L tunnel is not established, the command above should tell which SAs are configured, but it shows nothing.

Isn't it weird?

When interesting traffic goes to the ASA, the VPN does not start at all...

Really, I am speechless; this has never happened to me.

Collect some captures, logs, and packet-tracer to get a better idea of what is happening to the traffic:

1. Capture to confirm traffic making it to inside:

access-list cap permit ip host host

access-list cap permit ip host host

cap cap access-list cap interface inside

(initiate the traffic across the tunnel)

show cap cap

2. Capture to see if the ASA is dropping the packet:

cap asp type asp-drop all

(initiate the traffic across the tunnel)

show cap asp | i

show cap asp | i

3. Syslogs to see what happens to the traffic:

logging buffered debug

logging buffer-size 1000000

(initiate the traffic across the tunnel)

show log | i

show log | i

4. Packet tracer to see how the ASA would hypothetically handle the traffic:

packet-tracer input inside icmp  8 0  detail

-heather

Thank you very much.

With the packet tracer I could fix the issue; really, thanks again.

You're welcome!

Please rate the posts that helped you and remember to mark your question as resolved if the issue is fixed.

done