07-11-2013 02:32 PM
Hi,
We have problems establishing a VPN tunnel between two ASAs. The problem began after we migrated a site from a 5520 with 8.2 to a 5515-X with 9.1(1).
On site one we have an ASA5585-SSP-10 with 8.4(3); on site two we have a 5515-X with 9.1(1).
The VPN on both sites is stopping at MM2, but not always; on site two it sometimes shows MM3. Packet tracer output on site one looks almost the same as on site two.
Also, we have the same effect when we have identity NAT like this: nat (CORE_HANDOVER,outside interface).
The topology is like this:
(routed handover to ASA) L3 Switch --- ASA one --- internet --- ASA two --- L3 Switch (routed handover to ASA)
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.225.0 255.255.255.0 CORE_HANDOVER
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface CORE_HANDOVER
Untranslate 192.168.225.10/80 to 192.168.225.10/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group blok in interface outside
access-list blok extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.110.10/10000 to 192.168.110.10/10000
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: CORE_HANDOVER
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Phase 1 debug site one
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, IKE SA MM:38d0a9db terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, sending delete/delete with reason message
Jul 07 01:12:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3 local Proxy Address 192.168.226.0, remote Proxy Address 192.168.1.0, Crypto map (cmap)
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing ISAKMP SA payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 02 payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 03 payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver RFC payload
Jul 07 01:12:30 [IKEv1 DEBUG]IP = 3.3.3.3, constructing Fragmentation VID + extended capabilities payload
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:12:36 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:12:36 [IKEv1]IP = 3.3.3.3 Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:12:38 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:46 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:54 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE MM Initiator FSM error history (struct &0x00007fff2b71a990) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE SA MM:05a6d31f terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, sending delete/delete with reason message
Jul 07 01:13:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3 local Proxy Address 213.189.38.192, remote Proxy Address 192.168.0.0, Crypto map (cmap)
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing ISAKMP SA payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 02 payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver 03 payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing NAT-Traversal VID ver RFC payload
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, constructing Fragmentation VID + extended capabilities payload
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:02 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:13:03 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 01:13:03 [IKEv1]IP = 3.3.3.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 01:13:10 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:18 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (
Debug isakmp site two
Jul 07 00:38:43 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, IKE MM Initiator FSM error history (struct &0x00007ffed93eabb0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, IKE SA MM:3d16134c terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, sending delete/delete with reason message
Jul 07 00:38:51 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE Initiator: New Phase 1, Intf office, IKE Peer 4.4.4.4 local Proxy Address 192.168.200.0, remote Proxy Address 192.168.224.0, Crypto map (cmap)
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing ISAKMP SA payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver 02 payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver 03 payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing NAT-Traversal VID ver RFC payload
Jul 07 00:38:51 [IKEv1 DEBUG]IP = 4.4.4.4, constructing Fragmentation VID + extended capabilities payload
Jul 07 00:38:51 [IKEv1]IP = 4.4.4.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:38:52 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:52 [IKEv1]IP = 4.4.4.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 00:38:54 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 07 00:38:54 [IKEv1]IP = 4.4.4.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 07 00:38:59 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 07 00:39:07 [IKEv1]IP = 4.4.4.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
site ONE
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 3.3.3.3
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
site TWO
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 4.4.4.4
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
NAT configuration, site two (the migrated one)
no arp permit-nonconnected
nat (CORE_HANDOVER,outside) source static obj-192.168.226.12 obj-11.189.38.252 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.10 obj-11.189.38.250 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.11 obj-11.189.38.251 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.225.72 obj-11.189.38.242 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.14 obj-11.189.38.249 dns
nat (CORE_HANDOVER,management) source static obj-192.168.251.35 obj-192.168.250.209 dns
nat (CORE_HANDOVER,outside) source static obj-192.168.226.13 obj-11.189.38.253 dns
nat (outside,DMZ-TOOL) source static obj-11.189.38.0 obj-11.189.38.0 destination static obj-11.189.38.0 obj-11.189.38.0 no-proxy-arp route-lookup
nat (DMZ-TOOL,outside) source static obj-11.189.38.0 obj-11.189.38.0 destination static obj-11.189.38.0 obj-11.189.38.0 no-proxy-arp route-lookup
nat (CORE_HANDOVER,outside) source static obj-192.168.225.10 obj-11.189.38.241 dns
!
object network obj-192.168.225.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.249.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.231.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.226.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.227.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.228.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.229.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
object network obj-192.168.248.0
nat (CORE_HANDOVER,outside) dynamic 11.189.38.254
Crypto Config
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AES256MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cmap 100 match address cacl
crypto map cmap 100 set peer 3.3.3.3
crypto map cmap 100 set ikev1 transform-set ESP-3DES-SHA AES256MD5
crypto map cmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 11
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 12
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
access-list cacl extended permit ip 11.189.38.192 255.255.255.192 195.182.34.0 255.255.255.0
access-list cacl extended permit ip 11.189.38.192 255.255.255.192 192.168.0.0 255.255.0.0
access-list cacl extended permit ip 192.168.224.0 255.255.224.0 192.168.200.0 255.255.255.0
access-list cacl extended permit ip 192.168.224.0 255.255.224.0 192.168.0.0 255.255.128.0
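The post contains two artifacts that point in the same direction once they are read together: packet-tracer drops the flow in the VPN/encrypt phase, and the isakmp debug on both sides shows MM1 being sent and resent with nothing ever received, ending in an MM_WAIT_MSG2 timeout. The following Python script is an added triage helper, not code from the post or from Cisco; it parses both outputs, finds the first DROP phase and its Drop-reason, and counts sent/resent/received IKE messages per peer to state plainly whether the peer ever answered. The two sample strings are constructed, shortened copies of the post's output, and the function names and finding texts are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's packet-tracer output (cut down
# to two phases; the nat line and drop reason are the ones shown in the post).
PACKET_TRACER_SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (CORE_HANDOVER,any) source static nonat-source nonat-source destination static nonat-destination nonat-destination no-proxy-arp route-lookup
Additional Information:
Untranslate 192.168.225.10/80 to 192.168.225.10/80
Phase: 2
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample in the shape of the post's "debug crypto isakmp" lines
# (vendor payloads trimmed; 3.3.3.3 is the peer address used in the post).
IKE_DEBUG_SAMPLE = """\
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE Initiator: New Phase 1, Intf CORE_HANDOVER, IKE Peer 3.3.3.3 local Proxy Address 192.168.226.0, remote Proxy Address 192.168.1.0, Crypto map (cmap)
Jul 07 01:12:30 [IKEv1]IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:38 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:12:46 [IKEv1]IP = 3.3.3.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 208
Jul 07 01:13:02 [IKEv1 DEBUG]IP = 3.3.3.3, IKE MM Initiator FSM error history (struct &0x0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into one dict per phase and pull out Drop-reason."""
    phases, current, section, drop_reason = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Result" and value == "":
            current, section = None, None   # bare "Result:" starts the trailing summary
        elif key == "Drop-reason":
            drop_reason = value
        elif current is None:
            continue                        # summary lines such as input-interface/Action
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key == "Config" and value == "":
            section = "config"
        elif key == "Additional Information" and value == "":
            section = "info"
        elif section:
            current[section].append(line)   # e.g. the nat rule or Untranslate line
    return phases, drop_reason


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if nothing was dropped."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def analyze_ike_debug(text):
    """Per peer IP: count IKE messages sent/resent/received and MM_WAIT_MSG2 timeouts."""
    peers = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0,
                                 "mm2_timeouts": 0, "proxies": []})
    for line in text.splitlines():
        m = re.search(r"IP = (\d+\.\d+\.\d+\.\d+)", line)
        if not m:
            continue
        p = peers[m.group(1)]
        if "IKE_DECODE RESENDING" in line:
            p["resent"] += 1
        elif "IKE_DECODE SENDING" in line:
            p["sent"] += 1
        elif "IKE_DECODE RECEIVED" in line:
            p["received"] += 1
        if "MM_WAIT_MSG2, EV_TIMEOUT" in line:
            p["mm2_timeouts"] += 1
        pm = re.search(r"local Proxy Address (\S+), remote Proxy Address (\S+),", line)
        if pm:
            p["proxies"].append(pm.groups())   # the crypto-ACL entry that triggered IKE
    return dict(peers)


def diagnose_peer(stats):
    """Turn the per-peer counters into a one-line finding (wording is my own)."""
    attempts = stats["sent"] + stats["resent"]
    if attempts and stats["received"] == 0:
        return (f"no reply to MM1 after {attempts} transmissions and "
                f"{stats['mm2_timeouts']} MM_WAIT_MSG2 timeout(s): the peer never answered "
                "on UDP/500, so check reachability of the peer, that no NAT rule translates "
                "the ISAKMP source address, and that IKEv1 is enabled on the peer's interface")
    if stats["mm2_timeouts"]:
        return "messages were received but MM2 never completed: compare the IKEv1 policies"
    return "Phase 1 progressed past MM2"


def triage(packet_tracer_text, ike_debug_text):
    """Combine both artifacts into a short list of findings."""
    findings = []
    phases, reason = parse_packet_tracer(packet_tracer_text)
    drop = first_drop(phases)
    if drop:
        findings.append(f"packet-tracer: dropped in phase {drop['phase']} "
                        f"({drop['type']}/{drop['subtype']}): {reason}")
    for peer, stats in sorted(analyze_ike_debug(ike_debug_text).items()):
        findings.append(f"peer {peer}: {diagnose_peer(stats)}")
    return findings
```

Running `triage(PACKET_TRACER_SAMPLE, IKE_DEBUG_SAMPLE)` yields one finding for the VPN/encrypt drop and one for peer 3.3.3.3 stating that MM1 was transmitted three times with no reply. The point of reading the two together is that a packet-tracer drop in the encrypt phase only says the tunnel is not up; the debug counters say why Phase 1 never gets past MM_WAIT_MSG2 (no MM2 ever arrives), which narrows the search to whatever sits between the two outside interfaces or to a NAT rule that rewrites the ISAKMP source, rather than to the crypto ACL or transform sets.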
07-12-2013 02:37 PM
anyone?
12-14-2013 04:24 PM
I'm having the same issue. Endpoints that were working now are not. Find a fix?