Tunnel problem between 837 router and ASA 5510

mayrmartin
Level 1

I have a problem initiating the tunnel from the router side. If I ping the other side I can see the IPsec SA on the router, but there are send errors. If I ping from the ASA side the tunnel comes up successfully without any problems.

Additionally, I want to tell you that we also want to use the router for internet access with NAT activated.

Here is the configuration on router side:

version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot system flash c837-k9o3sy6-mz.124-3.bin
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip name-server 194.158.37.196
ip name-server 194.158.37.211
ip sla monitor responder
!
!
!
username GNOuser password 7 xxxxx
username wetmalta password 7 xxxxx
!
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key <keypassword> address <remote>
!
!
crypto ipsec transform-set wet esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer <remote>
set transform-set wet
match address 120
!
bridge irb
!
!
interface Loopback0
description MCI management address
ip address 10.252.39.206 255.255.255.255
!
interface Ethernet0
description to WET internal Network Malta
ip address 10.252.39.185 255.255.255.252 secondary
ip address 10.xx.48.11 255.255.0.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
description VLAN to internal switch Port 4
no ip address
hold-queue 100 out
!
interface ATM0
bandwidth 1024
no ip address
ip virtual-reassembly
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
!
interface ATM0.80 point-to-point
bandwidth 1024
ip address 194.158.34.46 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map nolan
pvc 8/80
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 194.158.34.45
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface ATM0.80 overload
!
access-list 100 deny   ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 100 deny   ip 10.13.0.0 0.0.255.255 10.201.0.0 0.0.255.255
access-list 100 permit ip 10.13.0.0 0.0.255.255 any
access-list 120 permit ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
!
tacacs-server host 170.127.71.169
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key 7 0010120500540607062F1D1F
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^C
*****************************************************************
*                           Warning                             *
*           THIS DEVICE IS PART OF A PRIVATE NETWORK            *
*                                                               *
*  DISCONNECT IMMEDIATELY IF YOU ARE NOT AN AUTHORISED USER !   *
*                                                               *
*             Unauthorised access is prohibited                 *
*                And may be punishable by law                   *
*                                                               *
*      This device is monitored for unauthorised access         *
*                                                               *
*****************************************************************^C
privilege exec level 15 tclsh
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec level 0 show configuration
privilege exec level 0 show
!
line con 0
exec-timeout 5 0
password 7 yyyy
no modem enable
line aux 0
exec-timeout 5 0
password 7 yyyyyy
line vty 0 4
exec-timeout 30 0
password 7 yyyyyyyyyy
!
scheduler max-task-time 5000
ntp clock-period 17179112
ntp server 170.127.71.166
end

I hope somebody can help me.
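Since the router is also doing overloaded NAT, one thing worth confirming from the configuration above is that the NAT ACL (100) really does exempt everything the crypto ACL (120) protects: on IOS, inside-to-outside translation is applied before the crypto map is consulted, so protected traffic that is not denied in the NAT ACL leaves with a translated source and never matches the crypto ACL. The following script is an added example, not code from the thread or from Cisco; it parses numbered extended ACL lines of the form used in the posted config (only plain 'ip' ACEs with address/wildcard or 'any') and evaluates, first-match, what the NAT ACL would do to each crypto-ACL flow. The MISSING_EXEMPTION configuration is constructed to show what the check reports when the deny is absent.

```python
"""Added example (not from the thread): verify that an IOS NAT ACL exempts
the traffic a crypto-map ACL protects."""
import ipaddress
import re
from dataclasses import dataclass

# Handles 'access-list N permit|deny ip SRC WILD DST WILD', with 'any' allowed
# for either side. Port- or protocol-specific ACEs are ignored on purpose.
ACE_RE = re.compile(
    r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$"
)


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(field: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' (or 'any') to a network. Non-contiguous
    wildcards raise, because they cannot be expressed as a prefix."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wild = field.split()
    mask = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF  # invert the wildcard
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_acls(config_text: str) -> dict:
    """Return {acl_number: [Ace, ...]} in configuration order."""
    acls = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # IOS pads 'deny   ip'; normalise spacing
        m = ACE_RE.match(line)
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(num, []).append(
                Ace(action, wildcard_to_network(src), wildcard_to_network(dst)))
    return acls


def nat_verdict(flow: Ace, nat_acl: list) -> str:
    """First-match evaluation of a protected src/dst pair against the NAT ACL."""
    for ace in nat_acl:
        if flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst):
            return "exempt" if ace.action == "deny" else "translated"
        if flow.src.overlaps(ace.src) and flow.dst.overlaps(ace.dst):
            return "partial"  # only part of the protected range hits this line
    return "exempt"  # implicit deny at the end of the NAT ACL: nothing translated


def check_nat_exemption(config_text: str, nat_acl: str, crypto_acl: str) -> list:
    """Return [(flow, verdict)] for every permit line of the crypto ACL."""
    acls = parse_acls(config_text)
    return [
        (f"{ace.src} -> {ace.dst}", nat_verdict(ace, acls.get(nat_acl, [])))
        for ace in acls.get(crypto_acl, [])
        if ace.action == "permit"
    ]


# The ACLs exactly as they appear in the posted router configuration.
ROUTER_ACLS = """
ip nat inside source list 100 interface ATM0.80 overload
access-list 100 deny   ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 100 deny   ip 10.13.0.0 0.0.255.255 10.201.0.0 0.0.255.255
access-list 100 permit ip 10.13.0.0 0.0.255.255 any
access-list 120 permit ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
"""

# Constructed counter-example: same crypto ACL, but the NAT ACL lacks the deny.
MISSING_EXEMPTION = """
access-list 100 permit ip 10.13.0.0 0.0.255.255 any
access-list 120 permit ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("router", ROUTER_ACLS), ("constructed", MISSING_EXEMPTION)):
        for flow, verdict in check_nat_exemption(cfg, "100", "120"):
            print(f"{name}: {flow}: {verdict}")
```

For the posted configuration the check returns "exempt", so NAT is not the reason the tunnel fails from this side; the "partial" verdict is there for the common mistake of exempting only a subnet of the crypto-protected range.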

3 Replies

Hi,

You have an L2L tunnel between the router and the ASA.

Can you do this test?

1. Clear the SAs on both ends.

2. Try to establish the tunnel from the router: ''ping x.x.x.x source y.y.y.y'' (x.x.x.x is the inside IP of the router and y.y.y.y the inside IP of the ASA)

3. Check ''sh cry isa sa'' to verify that phase 1 is established

4. Check ''sh cry ips sa'' for traffic through the tunnel

Federico.

Here is the output of these commands:

Cisco837#ping 10.13.48.11 source 10.11.11.15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.15, timeout is 2 seconds:
Packet sent with a source address of 10.13.48.11
.....
Success rate is 0 percent (0/5)
Cisco837#sh cry isa sa
dst             src             state          conn-id slot status
asa.asa.asa.asa  rrr.rrr.rrr.rrr   MM_NO_STATE          2    0 ACTIVE (deleted)
asa.asa.asa.asa  rrr.rrr.rrr.rrr   MM_NO_STATE          1    0 ACTIVE (deleted)

Cisco837#sh cry ips sa

interface: ATM0.80
    Crypto map tag: nolan, local addr rrr.rrr.rrr.rrr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
   current_peer asa.asa.asa.asa port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: rrr.rrr.rrr.rrr, remote crypto endpt.: asa.asa.asa.asa
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
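Reading output like the above by hand is error-prone, so here is an added example (not code from the thread or from Cisco) that parses captured ''sh cry isa sa'' and ''sh cry ips sa'' text and reports which stage the tunnel stalled at. The interpretation it encodes: an ISAKMP SA in QM_IDLE is an established phase 1, while MM_NO_STATE marked ''(deleted)'' means main mode never completed; empty ''inbound/outbound esp sas'' sections mean no phase 2 SA exists; and ''send errors'' with zero encaps typically means packets matched the crypto ACL while there was no SA to encrypt them with. The first two captures are the output posted above; the QM_IDLE row, the 198.51.100.1/203.0.113.1 peers and the SPI values in the second pair are constructed to show the healthy case.

```python
"""Added example (not from the thread): triage 'show crypto isakmp sa' and
'show crypto ipsec sa' output to see where an IOS IPsec tunnel stalled."""
import re


def parse_isakmp(text: str) -> list:
    """Return [(dst, src, state, status)] rows from 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: dst src state conn-id slot status [(deleted)]
        if len(parts) >= 6 and parts[2].startswith(("MM_", "AM_", "QM_")):
            rows.append((parts[0], parts[1], parts[2], " ".join(parts[5:])))
    return rows


def _section_has_sa(text: str, start: str, end: str) -> bool:
    """True if the SA list between two section headers contains an SPI."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), text, re.S)
    return bool(m and "spi:" in m.group(1))


def parse_ipsec(text: str) -> dict:
    """Pull packet counters and SA presence out of 'show crypto ipsec sa'."""
    def counter(pattern: str) -> int:
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0

    return {
        "encaps": counter(r"#pkts encaps: (\d+)"),
        "decaps": counter(r"#pkts decaps: (\d+)"),
        "send_errors": counter(r"#send errors (\d+)"),
        "recv_errors": counter(r"#recv errors (\d+)"),
        "inbound_esp": _section_has_sa(text, "inbound esp sas:", "inbound ah sas:"),
        "outbound_esp": _section_has_sa(text, "outbound esp sas:", "outbound ah sas:"),
    }


def diagnose(isakmp_text: str, ipsec_text: str) -> str:
    """Classify the tunnel state from the two captures."""
    ike = parse_isakmp(isakmp_text)
    sa = parse_ipsec(ipsec_text)
    established = [r for r in ike if r[2] == "QM_IDLE" and "deleted" not in r[3]]
    if not established:
        return "phase1-failed"          # no completed main/aggressive mode
    if not (sa["inbound_esp"] and sa["outbound_esp"]):
        return "phase2-missing"         # IKE up, but no IPsec SA pair
    if sa["encaps"] == 0 and sa["send_errors"] > 0:
        return "send-errors-no-encaps"  # traffic matched, nothing encrypted
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way"                # we send, peer never answers
    return "ok"


# Captures from the post above (peers anonymised there as asa./rrr.).
ISAKMP_FROM_THREAD = """\
dst             src             state          conn-id slot status
asa.asa.asa.asa  rrr.rrr.rrr.rrr   MM_NO_STATE          2    0 ACTIVE (deleted)
asa.asa.asa.asa  rrr.rrr.rrr.rrr   MM_NO_STATE          1    0 ACTIVE (deleted)
"""
IPSEC_FROM_THREAD = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 5, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""

# Constructed healthy captures (documentation addresses, made-up SPIs).
ISAKMP_HEALTHY = """\
dst             src             state          conn-id slot status
198.51.100.1    203.0.113.1     QM_IDLE           3    0 ACTIVE
"""
IPSEC_HEALTHY = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound ah sas:
     outbound pcp sas:
"""

if __name__ == "__main__":
    print("thread capture :", diagnose(ISAKMP_FROM_THREAD, IPSEC_FROM_THREAD))
    print("healthy capture:", diagnose(ISAKMP_HEALTHY, IPSEC_HEALTHY))
```

For the captures posted above the result is "phase1-failed", which is consistent with the router never getting past MM_NO_STATE: the ISAKMP negotiation it initiates is not completing, so there is no phase 2 SA and every packet that matched the crypto ACL counts as a send error.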

So, if you do the same test from the ASA side, the tunnel works correctly?

Can you do this test again with the commands:

debug cry isa

debug cry ips

Federico.