06-27-2013 03:16 PM
Hello,
I have been trying to get a tunnel established all day and seem to be having a problem that I have not encountered a lot.
The local equipment is a 5510 ASA and the remote equipment is a 7200 series router.
I'll post configs and debug output from each device. Both devices already have multiple VPNs running.
The weird thing is, if you ping from the remote end to the local end, the tunnel builds and traffic flows in both directions. But if you try to establish from the local end to the remote end, you get nothing.
Any idea what may be going on here?
Local: ASA
interface Ethernet0/0
nameif Outside-Verizon
security-level 0
ip address xxx.xxx.223.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside-LAN
security-level 100
ip address xxx.xxx.253.10 255.255.255.0
!
crypto map Outside-Verizon_map 276 match address Outside-Verizon_cryptomap_276
crypto map Outside-Verizon_map 276 set peer xxx.xxx.182.249
crypto map Outside-Verizon_map 276 set transform-set ESP-AES-256-SHA
crypto map Outside-Verizon_map 276 set security-association lifetime seconds 3600
!
!
nat (Inside-LAN) 0 access-list Inside-LAN_nat0_outbound
!
access-list Inside-LAN_nat0_outbound line 119 extended permit ip host 192.168.253.213 10.100.20.0 255.255.255.0
access-list Inside-LAN_nat0_outbound line 120 extended permit ip host 192.168.253.192 10.100.20.0 255.255.255.0
!
crypto isakmp policy 110
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
route Outside-Verizon 10.100.20.0 255.255.255.0 xxx.xxx.223.1(WAN gateway) 1
!
tunnel-group xxx.xxx.182.249 type ipsec-l2l
tunnel-group xxx.xxx.182.249 ipsec-attributes
pre-shared-key xxxxxxxxx
DEBUG FROM LOCAL ASA:
, Header invalid, missing SA payload!
(and the ISAKMP SA keeps getting stuck at MM_WAIT_MSG6)
Remote/Router
crypto isakmp profile radixx-dev-tunnel
vrf airsk-radixx
keyring radixx-dev-keyring
match identity address xxx.xxx.223.10 255.255.255.255
crypto keyring radixx-dev-keyring
pre-shared-key address xxx.xxx.223.10 key xxxxxxxxx
crypto map IPsec_VPN 710 ipsec-isakmp
description Tunnel to Radixx-Development
set peer xxx.xxx.223.10
set transform-set IPsec_VPN2
set isakmp-profile radixx-dev-tunnel
match address radixx-dev-acl
ip access-list extended radixx-dev-acl
permit ip 10.100.20.0 0.0.0.255 host 192.168.253.192
permit ip 10.100.20.0 0.0.0.255 host 192.168.253.213
ip route vrf radixx-dev 192.168.253.192 255.255.255.255 208.255.223.10 global name radixx-dev
ip route vrf radixx-dev 192.168.253.213 255.255.255.255 208.255.223.10 global name radixx-dev
****
crypto ipsec transform-set IPsec_VPN2 esp-aes 256 esp-sha-hmac
****
DEBUG From Router:
Jun 27 13:12:23.534: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xxx.xxx.223.10 failed its sanity check or is malformed
Jun 27 13:12:43.414: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from xxx.xxx.223.10 was not encrypted and it should've been.
Jun 27 13:12:44.414: ISAKMP:(17694):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer xxx.xxx.223.10)
Jun 27 13:12:44.414: ISAKMP:(17694):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer xxx.xxx.223.10)
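One thing worth checking mechanically on a tunnel that only comes up from one side is whether the two peers' proxy identities are exact mirror images. Below is an added example, not code from this thread: a small Python checker that parses ASA-style ACL lines (subnet masks) and IOS-style lines (wildcard masks) into (source, destination) network pairs and reports anything present on one side but not mirrored on the other. The ASA post above shows the nat0 exemption ACL but not the contents of the crypto ACL named in the crypto map (Outside-Verizon_cryptomap_276), so the example uses the posted nat0 lines as the ASA side; that substitution is an assumption. The sample input is constructed: the posted lines plus one extra ASA host (192.168.253.50) that the router side does not know about, so that a mismatch is actually reported.

```python
"""Check that two IPsec peers' proxy identities (crypto ACLs) mirror each other.

Added example, not code from the thread.  ASA lines use subnet masks
("... permit ip host A B 255.255.255.0"); IOS lines use wildcard masks
("permit ip B 0.0.0.255 host A").  Both are normalised to (src, dst)
network pairs and compared after swapping the remote side's pairs.
"""
import ipaddress

# Constructed sample input: the two nat0 lines from the thread's ASA post plus
# one extra host (192.168.253.50) that the router side does not know about.
ASA_ACL = """
access-list Inside-LAN_nat0_outbound line 119 extended permit ip host 192.168.253.213 10.100.20.0 255.255.255.0
access-list Inside-LAN_nat0_outbound line 120 extended permit ip host 192.168.253.192 10.100.20.0 255.255.255.0
access-list Inside-LAN_nat0_outbound line 121 extended permit ip host 192.168.253.50 10.100.20.0 255.255.255.0
"""

# Constructed sample input: the router ACL as posted in the thread.
ROUTER_ACL = """
ip access-list extended radixx-dev-acl
 permit ip 10.100.20.0 0.0.0.255 host 192.168.253.192
 permit ip 10.100.20.0 0.0.0.255 host 192.168.253.213
"""


def _endpoint(tokens, wildcard):
    """Pop one address spec (any | host X | X MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        # IOS wildcard bits are the inverse of a subnet mask (contiguous masks only).
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (src, dst) networks from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        toks = line.split()
        if "permit" not in toks:
            continue
        toks = toks[toks.index("permit") + 1:]
        if not toks or toks[0] != "ip":
            continue  # only plain 'ip' entries make sense as IPsec proxy IDs
        toks = toks[1:]
        src = _endpoint(toks, wildcard)
        dst = _endpoint(toks, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Compare local (src, dst) pairs with the remote side's pairs reversed."""
    remote_mirrored = {(dst, src) for src, dst in remote_pairs}
    return {
        "missing_on_remote": local_pairs - remote_mirrored,
        "missing_on_local": remote_mirrored - local_pairs,
    }


def report(local_text, remote_text):
    """Human-readable lines describing every asymmetry found."""
    result = mirror_check(parse_acl(local_text, False), parse_acl(remote_text, True))
    lines = []
    for key, pairs in result.items():
        for src, dst in sorted(pairs, key=str):
            lines.append(f"{key}: {src} -> {dst}")
    return lines or ["crypto ACLs mirror each other"]


if __name__ == "__main__":
    print("\n".join(report(ASA_ACL, ROUTER_ACL)))
```

Run against the posted lines alone, the two sides mirror each other; the constructed third ASA line is reported as missing on the remote. The checker only handles plain `permit ip` entries with contiguous masks, which is what IPsec proxy identities normally are; port- or protocol-specific entries are skipped rather than compared.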
06-27-2013 04:22 PM
Ping from the ASA to the 7200 router, get the output, and then get the output for the commands
sh cry isa sa and sh cry ipsec sa
then
ping from the 7200 router to the ASA, get the output, and get the output for the commands
sh cry session
sh cry ipsec sa
sh cry isa sa
Please get the output for us.
Shine
06-28-2013 06:36 AM
I can already tell you what the output is.
When pinging from the ASA to the router,
show crypto isakmp sa outputs: MM_WAIT_MSG6
show crypto ipsec sa gives nothing
When pinging from the router to the ASA, the tunnel builds like normal with no issues.
I will get the output anyway, but will have to wait for the owner of the remote device to call me sometime today.
07-01-2013 01:10 PM
Output from the local router:
show crypto isakmp sa:
MM_WAIT_MSG6
show crypto ipsec sa: no output
This is the output from the remote router:
VPNKOPBR01#sho crypto isakmp sa | i xxx.xxx.233.10
VPNKOPBR01#ping vrf airsk-radixx ip 192.168.253.192 source loopback 27
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.253.192, timeout is 2 seconds:
Packet sent with a source address of 10.100.20.50
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 124/126/128 ms
VPNKOPBR01#sho crypto isakmp sa | i xxx.xxx.233.10
xxx.xxx.233.10 xxx.xxx.182.249 QM_IDLE 17347 ACTIVE
VPNKOPBR01#sho crypto ipsec sa | b xxx.xxx.233.10
current_peer xxx.xxx.233.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.182.249, remote crypto endpt.: xxx.xxx.233.10
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
I'm starting to wonder if it has to do with the remote ends config. They are using isakmp profile, which I am not sure if an ASA will play nicely with a router using that type of setup.
Any idea what could be causing this?
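As an added example, not from the thread or from either vendor: a Python simulation of the IKEv1 main-mode exchange under pre-shared-key authentication, written to show how the two symptoms posted here fit together: the initiator's `show crypto isakmp sa` stuck at MM_WAIT_MSG6 and the responder logging the incoming message as failing its sanity check while in state (R) MM_KEY_EXCH. Messages 1 to 4 carry nothing derived from the pre-shared key, so both sides reach that point whatever keys they hold; message 5 is the first one encrypted under SKEYID_e, which is derived from the PSK, so a key mismatch first appears as an MM5 the responder cannot decrypt, after which MM6 is never sent. An asymmetric failure (one direction works) is possible when the responder ends up using a different key than it would use when initiating, for instance from another keyring on a router that has several; the simulation models that simply as two peers holding different PSKs, and whether that is the cause in this thread is not established by what was posted. The DH group, the HMAC-based stream cipher standing in for AES-CBC, the peer names, addresses and PSKs are all constructed for the example.

```python
"""Simulate IKEv1 main mode with pre-shared-key authentication (RFC 2409).
Added example, not the thread's code.  MM1-MM4 carry nothing derived from the
PSK, so both peers reach the key-exchange state whatever keys they hold; MM5 is
the first message encrypted under the PSK-derived SKEYID_e, so a mismatch first
shows up as an undecryptable MM5.  DH group and cipher are toy stand-ins."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime for the DH demo, NOT DH group 2 (assumption)
G = 2
PAYLOAD_ID = 5       # ISAKMP Identification payload type
HASH_LEN = 20        # HMAC-SHA1 output length


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def xor_keystream(key, iv, data):
    """Stand-in for AES-CBC: HMAC-SHA1 counter keystream XORed into data."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += prf(key, iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4 (PSK): SKEYID, then SKEYID_d/_a/_e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_e


def seal(key, plain):
    iv = secrets.token_bytes(8)
    return iv + xor_keystream(key, iv, plain)


def open_id_msg(key, msg):
    """Decrypt an ID+HASH message; None if the payload header is nonsense."""
    dec = xor_keystream(key, msg[:8], msg[8:])
    id_len = int.from_bytes(dec[1:3], "big")
    if dec[0] != PAYLOAD_ID or id_len != len(dec) - 3 - HASH_LEN:
        return None
    return dec[3:3 + id_len], dec[3 + id_len:]


def id_msg(ident, h):
    return bytes([PAYLOAD_ID]) + len(ident).to_bytes(2, "big") + ident + h


class Peer:
    def __init__(self, name, psk, ident):
        self.name, self.psk, self.ident = name, psk, ident.encode()
        self.cookie, self.nonce = secrets.token_bytes(8), secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 3) + 2               # DH private value
        self.pub = pow(G, self.x, P).to_bytes(16, "big")   # g^x
        self.state = "NONE"


def main_mode(init, resp):
    """Run MM1-MM6 between two peers; return (init_state, resp_state, log)."""
    log = ["MM1/MM2: SA proposal and cookies exchanged"]
    sa_i = b"aes-256/sha/group2/pre-share"                 # stand-in for SAi_b
    cky = init.cookie + resp.cookie
    # MM3/MM4: KE + nonces.  Responder has sent MM4 and now waits for MM5.
    gxy_i = pow(int.from_bytes(resp.pub, "big"), init.x, P).to_bytes(16, "big")
    gxy_r = pow(int.from_bytes(init.pub, "big"), resp.x, P).to_bytes(16, "big")
    resp.state = "MM_KEY_EXCH"
    skeyid_i, ske_i = derive_keys(init.psk, init.nonce, resp.nonce, gxy_i, init.cookie, resp.cookie)
    skeyid_r, ske_r = derive_keys(resp.psk, init.nonce, resp.nonce, gxy_r, init.cookie, resp.cookie)
    # MM5: the first encrypted message.  Initiator now waits for MM6.
    hash_i = prf(skeyid_i, init.pub + resp.pub + cky + sa_i + init.ident)
    mm5 = seal(ske_i, id_msg(init.ident, hash_i))
    init.state = "MM_WAIT_MSG6"
    parsed = open_id_msg(ske_r, mm5)                       # responder uses ITS key
    if parsed is None:
        log.append(f"{resp.name}: IKE message from {init.name} failed its sanity check "
                   f"or is malformed; state (R) {resp.state}; MM6 never sent")
        return init.state, resp.state, log
    ident_i, h = parsed
    if not hmac.compare_digest(h, prf(skeyid_r, init.pub + resp.pub + cky + sa_i + ident_i)):
        log.append(f"{resp.name}: HASH_I mismatch, authentication failed")
        return init.state, resp.state, log
    # MM6: responder's ID + HASH_R, verified by the initiator with its own keys.
    hash_r = prf(skeyid_r, resp.pub + init.pub + resp.cookie + init.cookie + sa_i + resp.ident)
    mm6 = seal(ske_r, id_msg(resp.ident, hash_r))
    resp.state = "QM_IDLE"                                 # IOS name for a finished phase 1
    parsed = open_id_msg(ske_i, mm6)
    want = prf(skeyid_i, resp.pub + init.pub + resp.cookie + init.cookie + sa_i + parsed[0]) if parsed else b""
    if parsed is None or not hmac.compare_digest(parsed[1], want):
        log.append(f"{init.name}: MM6 rejected")
        return init.state, resp.state, log
    init.state = "MM_ACTIVE"                               # ASA name for a finished phase 1
    log.append("phase 1 complete")
    return init.state, resp.state, log


if __name__ == "__main__":
    for resp_psk in (b"same-secret", b"other-secret"):   # constructed PSKs
        asa, rtr = Peer("asa", b"same-secret", "203.0.113.10"), Peer("router", resp_psk, "198.51.100.1")
        print(*main_mode(asa, rtr), sep="\n")
```

With matching keys the run ends in MM_ACTIVE on the initiator and QM_IDLE on the responder, which is what `show crypto isakmp sa` shows on an ASA and on IOS respectively once phase 1 completes; with differing keys the initiator stays in MM_WAIT_MSG6 and the responder, still in MM_KEY_EXCH, rejects MM5 as malformed. Swapping which peer initiates reproduces the other direction of the test, which is the comparison the thread's "works one way only" symptom calls for.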