836 Views, 0 Helpful, 2 Replies

UC520 IPSec VPN issue

ops2014bm (Level 1)

Hello,

I have an issue with an IPsec LAN-to-LAN tunnel between an ASA5505 and a UC520.

The LAN behind the ASA is 192.168.1.0 and the LAN behind the UC520 is 172.17.1.0.

When I try to ping from 192.168.1.10 to 172.17.1.254, the ASA shows that IKE phase 1 is running, but it never goes to the next step:

FW137# show crypto isakmp sa

 

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

 

1   IKE Peer: IP_Publique_Epernay

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

 

On the UC520 there is no IKE SA: 

Bergere-uc520#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

 

IPv6 Crypto ISAKMP SA

 

Here is the configuration on the UC520:

 

crypto isakmp policy 5

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key *** address 46.*.*.*

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map EPERNAY-FEREBRIANGES 10 ipsec-isakmp

 set peer 46.*.*.*

 set security-association lifetime seconds 3600

 set transform-set ESP-3DES-SHA

 set pfs group2

 match address 110

!

 

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 172.17.1.0 0.0.0.255

access-list 1 permit 172.17.2.0 0.0.0.255

access-list 1 permit 172.17.3.0 0.0.0.255

access-list 1 permit 172.17.4.0 0.0.0.255

access-list 1 permit 172.17.5.0 0.0.0.255

access-list 1 permit 172.17.6.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_10##

access-list 100 remark SDM_ACL Category=1

access-list 100 remark Auto generated by SDM for NTP (123) 194.2.0.58

access-list 100 permit udp host 194.2.0.58 eq ntp any eq ntp

(other ACLs)

access-list 110 permit ip 172.17.1.0 0.0.0.255 192.168.1.0 0.0.0.255

(other ACLs)

access-list 120 permit ip 172.17.6.0 0.0.0.255 any

 

!

route-map NO_NAT_VPN permit 1

 match ip address 110

!

 

Here is the configuration on the ASA5505:

 

names
name 192.168.1.10 Serveur
name 79.*.*.* OPS_ADSL
name 217.*.*.* OPS_SDSL_2M
name 79.*.*.* OPS_SDSL_4M
name 172.17.1.0 LAN_Epernay
name 193.*.*.* IP_Publique_Epernay
!

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface outside object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 LAN_Epernay 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 LAN_Epernay 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 LAN_Epernay 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer IP_Publique_Epernay
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer IP_Publique_Epernay
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

tunnel-group 193.*.*.* type ipsec-l2l
tunnel-group 193.*.*.* ipsec-attributes
 pre-shared-key *****
tunnel-group Epernay-193.*.*.* type ipsec-l2l
tunnel-group Epernay-193.*.*.* ipsec-attributes
 pre-shared-key *****

 

Here is the real-time log of the ASA when trying to establish IKE phase 1:

 

6|Mar 19 2014|08:41:52|713219|||||IP = 193.*.*.*, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Mar 19 2014|08:41:51|302021|IP_Publique_Epernay|0|46.*.*.*|0|Teardown ICMP connection for faddr IP_Publique_Epernay/0 gaddr 46.*.*.*/0 laddr 46.*.*.*/0
6|Mar 19 2014|08:41:51|302020|IP_Publique_Epernay|0|46.*.*.*|0|Built inbound ICMP connection for faddr IP_Publique_Epernay/0 gaddr 46.*.*.*/0 laddr 46.*.*.*/0
6|Mar 19 2014|08:41:50|106015|79.*.*.*|443|46.*.*.*|47122|Deny TCP (no connection) from 79.*.*.*/443 to 46.*.*.*/47122 flags ACK  on interface outside
6|Mar 19 2014|08:41:50|302014|79.*.*.*|443|Serveur|58769|Teardown TCP connection 28960 for outside:79.*.*.*/443 to inside:Serveur/58769 duration 0:00:00 bytes 2047 TCP Reset-I
6|Mar 19 2014|08:41:50|302013|Serveur|58770|79.*.*.*|443|Built outbound TCP connection 28961 for outside:79.*.*.*/443 (79.*.*.*/443) to inside:Serveur/58770 (46.*.*.*/57700)
6|Mar 19 2014|08:41:50|305011|Serveur|58770|46.*.*.*|57700|Built dynamic TCP translation from inside:Serveur/58770 to outside:46.*.*.*/57700
6|Mar 19 2014|08:41:49|302014|79.*.*.*|443|Serveur|58531|Teardown TCP connection 28910 for outside:79.*.*.*/443 to inside:Serveur/58531 duration 0:05:00 bytes 26268 TCP FINs
6|Mar 19 2014|08:41:49|302013|Serveur|58769|79.*.*.*|443|Built outbound TCP connection 28960 for outside:79.*.*.*/443 (79.*.*.*/443) to inside:Serveur/58769 (46.*.*.*/47122)
6|Mar 19 2014|08:41:49|305011|Serveur|58769|46.*.*.*|47122|Built dynamic TCP translation from inside:Serveur/58769 to outside:46.*.*.*/47122
6|Mar 19 2014|08:41:47|713219|||||IP = 193.*.*.*, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Mar 19 2014|08:41:43|302021|IP_Publique_Epernay|0|46.*.*.*|0|Teardown ICMP connection for faddr IP_Publique_Epernay/0 gaddr 46.*.*.*/0 laddr 46.*.*.*/0
6|Mar 19 2014|08:41:43|302020|IP_Publique_Epernay|0|46.*.*.*|0|Built inbound ICMP connection for faddr IP_Publique_Epernay/0 gaddr 46.*.*.*/0 laddr 46.*.*.*/0
6|Mar 19 2014|08:41:43|302015|IP_Publique_Epernay|500|46.*.*.*|500|Built outbound UDP connection 28957 for outside:IP_Publique_Epernay/500 (IP_Publique_Epernay/500) to identity:46.*.*.*/500 (46.*.*.*/500)
5|Mar 19 2014|08:41:43|713041|||||IP = 193.*.*.*, IKE Initiator: New Phase 1, Intf inside, IKE Peer 193.*.*.*  local Proxy Address 192.168.1.0, remote Proxy Address 172.17.1.0,  Crypto map (outside_map)

 

I have tried other logging tests on the UC520 without success; in particular, I did not find the real-time log option that I have in the ASA's ASDM Java interface.

Do you have any other tests that I could try?

 

1 Accepted Solution

Accepted Solutions

laramire2 (Level 1)

Hello,

 

Based on the outputs attached, the configuration seems to be fine. We can see that the ASA is initiating the phase 1 negotiation but the remote site is not replying. That's why you get the MM_WAIT_MSG2 (Main Mode, Waiting for Message 2) ISAKMP state.

 

1   IKE Peer: IP_Publique_Epernay

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

 

It seems like the UC520 is not even receiving the UDP 500 packets. Please make sure that the crypto map is applied to the correct interface of the UC520 (the public interface). Also, check whether there is any access-group applied on that interface blocking UDP 500.

We need to make sure that there is not any firewall in the middle blocking those packets before reaching the UC520.

 

Is the UC520 directly connected to the Internet?

 

Please get the following debugs from both sites for the specific peers:

 

ASA:

debug crypto condition peer x.x.x.x   (remote peer)

debug crypto isakmp 200

debug crypto ipsec 200

 

UC520:

debug crypto condition peer ipv4 x.x.x.x   (remote peer)

debug crypto isakmp

debug crypto ipsec

 

To disable the debugs, use the command undebug all.

 

I hope this helps,

 

Luis. 

 


2 Replies

 

Hello Luis,

Thank you for your answer.

The crypto map is applied to interface Dialer0, which seems to be bound to interface FastEthernet0/0. There is no other WAN interface, so I think the crypto map is applied to the right interface, unless I have to apply the crypto map to Fa0/0.

 

interface FastEthernet0/0

 description Vers Internet$ETH-WAN$

 no ip address

 ip verify unicast reverse-path

 ip virtual-reassembly

 duplex auto

 speed auto

 snmp trap ip verify drop-rate

 pppoe enable group global

 pppoe-client dial-pool-number 1

!

interface Dialer0

 description $FW_OUTSIDE$

 ip address negotiated

 ip access-group 108 in

 ip mtu 1452

 ip nat outside

 ip inspect SDM_HIGH out

 ip virtual-reassembly

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp authentication chap pap callin

 ppp chap hostname ***

 ppp chap password 7 ***

 ppp pap sent-username *** password 7 ***

 ppp ipcp dns request

 crypto map EP**-FE**

 service-policy input sdmappfwp2p_SDM_HIGH

 service-policy output sdmappfwp2p_SDM_HIGH

!

 

There is an access group applied inbound on interface Dialer0, ACL 108:

access-list 108 permit esp host 90.* host 193.*

access-list 108 permit ahp host 90.* host 193.*

access-list 108 permit udp host 90.* host 193.*

access-list 108 permit tcp host 79.* host 193.* eq 443

access-list 108 permit tcp host 79.* host 193.* eq www

access-list 108 permit tcp host 79.* host 193.* eq telnet

access-list 108 permit tcp host 79.* host 193.* eq 22

access-list 108 permit ip host 90.* host 193.*

access-list 108 permit ip host 80.* host 193.*

access-list 108 permit ip host 80.* host 193.*

 

Finally, the error is in ACL 108: the IP 90.* is wrong; I have to replace it with 46.*.

 

I tested a ping and the tunnel comes UP. THANKS A LOT.
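Both the accepted answer's advice (check whether an access-group on the UC520's public interface blocks UDP 500) and the final fix (ACL 108 permitted the wrong peer address, so the ASA's IKE packets hit the implicit deny) come down to the same question: does the inbound ACL on the outside interface admit what the configured crypto-map peer must send us? The following is an added example, not code from the thread or from Cisco. It evaluates an IOS numbered extended ACL first-match, the way the router does, for IKE (UDP/500), NAT-T (UDP/4500) and ESP from the peer. The addresses, the ACL lines and the helper names (check_ipsec_peer, parse_acl, lookup) are all constructed for the example; the addresses are RFC 5737 documentation ranges, not the ones from the thread.

```python
"""Added example, not from the thread: first-match evaluation of an IOS numbered
extended ACL, to verify that the ACL applied inbound on the outside interface admits
what a site-to-site IPsec peer must send us (IKE UDP/500, NAT-T UDP/4500, ESP).
All addresses and ACL lines are constructed (RFC 5737 ranges), not the real ones."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "www": 80, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")
# action, proto, src network, src port range or None, dst network, dst port range or None, line
Ace = namedtuple("Ace", "action proto src sports dst dports text")

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks; only contiguous ones map to a prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()
    if (w ^ 0xFFFFFFFF) != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _parse_addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _parse_ports(t, i):
    """Optional 'eq X' / 'range X Y' at t[i] -> ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_acl(lines, number):
    """Entries of one numbered extended ACL, in order; remarks and other ACLs skipped."""
    aces = []
    for raw in lines:
        t = raw.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto, layer4 = t[2], t[3], t[3] in ("tcp", "udp")
        src, i = _parse_addr(t, 4)
        sports, i = _parse_ports(t, i) if layer4 else (None, i)
        dst, i = _parse_addr(t, i)
        dports, i = _parse_ports(t, i) if layer4 else (None, i)
        aces.append(Ace(action, proto, src, sports, dst, dports, raw))  # trailing 'log' etc. ignored
    return aces

def lookup(aces, proto, src, sport, dst, dport):
    """First matching entry decides, as on IOS; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_range = lambda rng, p: rng is None or rng[0] <= p <= rng[1]
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst and (
                proto not in ("tcp", "udp")
                or (in_range(ace.sports, sport) and in_range(ace.dports, dport))):
            return ace.action, ace.text
    return "deny", "(implicit deny at end of ACL)"

# What the remote peer must be able to send to our outside address for the tunnel to come up.
REQUIRED = {"IKE (UDP/500)": ("udp", 500, 500),
            "NAT-T (UDP/4500)": ("udp", 4500, 4500),
            "ESP": ("esp", None, None)}

def check_ipsec_peer(acl_lines, acl_number, peer, local):
    aces = parse_acl(acl_lines, acl_number)
    return {name: lookup(aces, proto, peer, sp, local, dp)[0]
            for name, (proto, sp, dp) in REQUIRED.items()}

# Constructed sample shaped like ACL 108: the peer entries name the wrong address first.
WRONG_PEER, REAL_PEER, LOCAL = "192.0.2.90", "198.51.100.46", "203.0.113.193"
ACL_AS_POSTED = [
    f"access-list 108 permit esp host {WRONG_PEER} host {LOCAL}",
    f"access-list 108 permit ahp host {WRONG_PEER} host {LOCAL}",
    f"access-list 108 permit udp host {WRONG_PEER} host {LOCAL}",
    f"access-list 108 permit tcp host 192.0.2.79 host {LOCAL} eq 443",
    f"access-list 108 permit ip host {WRONG_PEER} host {LOCAL}",
]
ACL_CORRECTED = [line.replace(WRONG_PEER, REAL_PEER) for line in ACL_AS_POSTED]

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(f"{label}: {check_ipsec_peer(acl, 108, REAL_PEER, LOCAL)}")
```

Run against the "as posted" list, every requirement comes back "deny" for the real peer, because nothing matches and the ACL ends in IOS's implicit deny; against the corrected list, all three come back "permit". That silent drop is exactly what the thread shows: the ASA sits in MM_WAIT_MSG2 as initiator while the UC520 has no ISAKMP SA at all, because its first IKE packet never reaches the crypto engine. The same function can be pointed at a tighter ACL that only opens UDP/500, UDP/4500 and ESP from the peer (rather than "permit ip" for the whole host), which is the shape a practitioner would normally want on an outside interface. Only the ACL is modelled here; the `ip inspect` rule on the same interface opens return holes for sessions the router itself initiated, which does not help when the remote ASA is the one initiating.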