VPN on ASA-5510 not show crypto isakmp policy

pingciscoid
Level 1

Dear All,

I have an ASA-5510 configured for site-to-site VPN, and I have created 4 VPN connections to 4 different sites. Before, I had finished 3 connections and all of them worked, but after I added one more connection to another site I got an error: when I use the command "show run crypto isakmp", nothing is shown for any of the policies that I had configured before. This makes it difficult for me to identify the problem. When I run the debug command it shows something like a mismatch with the crypto isakmp policy. Anyone who knows about this, please help me with the key idea.

Warm regards,

ping,

16 Replies

Jouni Forss
VIP Alumni

Hi,

Can't say I have ever run into this problem. Specifically, that some "show run" command would stop working?

You wouldn't by any chance have updated your firewall from software 8.2 (or below) to 8.3 (or newer)? After that the command would be "show run crypto ikev1".

The command "show run crypto" should also list all your Phase1 policies on the ASA firewall. Can you try that?

If you get a problem with the 4th connection regarding the Phase1 policy, I would suggest checking with the remote end whether they truly have the Phase1 policy that you have decided on for the connection.

The ASA doesn't really pair a certain Phase1 policy with a certain L2L VPN connection. All the Phase1 policies are gone through in the priority order you have configured on the ASA, and they are gone through until a match is found or the negotiation fails because no matching Phase1 policy was found between the VPN peers.

- Jouni
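To make the priority-order behaviour described above concrete, here is an added example (not code from the thread or from Cisco) that simulates how an IKEv1 responder walks its "crypto isakmp policy" entries. The responder policies are the two that appear later in this thread (priorities 4 and 6); the initiator proposals, the Phase1Policy class and the helper names are constructed for the example. Matching is done on encryption, hash, authentication and DH group, and taking the shorter lifetime as the negotiated value is a simplification of the real behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Policy:
    """One 'crypto isakmp policy <priority>' block (an IKEv1 Phase 1 proposal)."""
    priority: int          # lower number is tried first on the responder
    encryption: str        # e.g. "3des", "aes"
    hash: str              # e.g. "sha", "md5"
    authentication: str    # e.g. "pre-share", "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int          # seconds


# Responder (ASA) side: the two policies posted later in this thread.
ASA_POLICIES = [
    Phase1Policy(4, "3des", "sha", "pre-share", 2, 86400),
    Phase1Policy(6, "3des", "sha", "pre-share", 5, 28800),
]

# Attributes that must agree for a Phase 1 match; lifetime is not one of them.
MATCHED = ("encryption", "hash", "authentication", "group")


def negotiate_phase1(responder_policies, initiator_proposals):
    """Walk the responder's policies lowest priority number first and compare each
    one against every proposal the initiator offered. The first pair that agrees on
    all MATCHED attributes wins; returns (responder priority, negotiated lifetime),
    or None when no combination matches (the 'mismatch' case seen in debug output).
    Taking min() of the lifetimes is a simplification (assumption for this example)."""
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        for proposal in initiator_proposals:
            if all(getattr(policy, a) == getattr(proposal, a) for a in MATCHED):
                return policy.priority, min(policy.lifetime, proposal.lifetime)
    return None


def mismatch_report(responder_policies, proposal):
    """For a proposal that matched nothing, list per responder policy which
    attributes differ. This is the comparison you otherwise do by hand from a
    'debug crypto isakmp' mismatch message."""
    return {
        policy.priority: [a for a in MATCHED if getattr(policy, a) != getattr(proposal, a)]
        for policy in sorted(responder_policies, key=lambda p: p.priority)
    }


if __name__ == "__main__":
    peer = [Phase1Policy(10, "3des", "sha", "pre-share", 2, 86400)]
    print("peer offering 3des/sha/pre-share/group 2 ->", negotiate_phase1(ASA_POLICIES, peer))
    aes_peer = Phase1Policy(10, "aes", "sha", "pre-share", 2, 86400)
    print("peer offering aes ->", negotiate_phase1(ASA_POLICIES, [aes_peer]))
    print("why:", mismatch_report(ASA_POLICIES, aes_peer))
```

The point the simulation makes is the one Jouni states: the ASA never ties policy 4 to one peer and policy 6 to another; a peer proposing group 5 will land on policy 6 simply because policy 4 does not match it, and a peer proposing AES matches nothing, regardless of which crypto map entry it belongs to.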

Share the config, that might help.

Jawad

Dear JouniForss,

I tried using "show run crypto" already; it showed only the crypto map and some other configuration, but it does not show any policy number that I need. Please check below what I have shown on my ASA:

#show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 6 set security-association lifetime seconds 86400
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside

crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
(Missing) crypto map outside-map 20 set transform-set
crypto map outside-map 20 set security-association lifetime seconds 3600

Do Rate Helpful Posts

Jawad

Hi,

That command should list the "crypto isakmp policy" configurations if there is any on the ASA.

I can't think of a reason for it not showing them unless it's some sort of bug. What is your ASA software version?

If you simply use the "show run" command, can you see any of them?

Are all the previous L2L VPN connections working? They shouldn't be working if you don't have any Phase1 policies configured.

- Jouni

Hello ,

This is my updated configuration on my ASA, and please note that my ASA-5510 is version 8.2.

ImtelcoASA2# show running-config crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside

ImtelcoASA2# show running-config crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 6 set security-association lifetime seconds 86400
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
ImtelcoASA2#
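The posted "show running-config crypto" output contains two things a reviewer would check mechanically: every crypto map entry needs a transform-set (the first post marked entry 20 as missing one), and a crypto map only does anything if its name is applied to an interface. In the output above, entries 4 and 5 live under "outside_map" while only "outside-map" (with a hyphen) is bound to the outside interface, and no "crypto isakmp policy" appears at all. The following is an added example lint script (not code from the thread or from Cisco) that parses that exact output, embedded here as the sample; the regular expressions, the function names and the finding texts are this example's own.

```python
import re
from collections import defaultdict

# Sample: the "show running-config crypto" output posted above (peers redacted by the poster).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 6 set security-association lifetime seconds 86400
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
"""

# Line shapes this lint understands (ASA 8.2 syntax as shown in the thread).
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)(?:\s+(.*))?$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")


def parse_crypto_config(text):
    """Collect crypto map entries, interface bindings, transform-sets and ISAKMP policies."""
    entries = defaultdict(dict)      # (map_name, seq) -> {keyword: argument}
    bound = {}                       # map_name -> interface it is applied to
    transform_sets, policies = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            name, seq, keyword, arg = m.groups()
            entries[(name, int(seq))][keyword] = arg or ""
        elif m := TSET_RE.match(line):
            transform_sets.add(m.group(1))
        elif m := POLICY_RE.match(line):
            policies.add(int(m.group(1)))
    return entries, bound, transform_sets, policies


def lint_crypto_config(text):
    """Return a list of human-readable findings; an empty list means nothing obvious is wrong."""
    entries, bound, transform_sets, policies = parse_crypto_config(text)
    findings = []
    for (name, seq), attrs in sorted(entries.items()):
        # Each L2L entry needs interesting traffic, a peer and a transform-set.
        for required in ("match address", "set peer", "set transform-set"):
            if required not in attrs:
                findings.append(f"{name} {seq}: missing '{required}'")
        tset = attrs.get("set transform-set")
        if tset and tset not in transform_sets:
            findings.append(f"{name} {seq}: transform-set '{tset}' is not defined")
    # A crypto map that is never applied to an interface is dead configuration.
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            seqs = sorted(s for n, s in entries if n == name)
            findings.append(f"crypto map {name} is not applied to any interface; entries {seqs} are inert")
    if not policies:
        findings.append("no 'crypto isakmp policy' configured; IKEv1 Phase 1 cannot complete on this device")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted output, the lint reports the unbound "outside_map" (entries 4 and 5) and the absence of any ISAKMP policy; removing the "set transform-set" line of entry 20 reproduces the "(Missing)" condition from the first post. One thing this lint deliberately does not flag, but a reviewer would notice, is that the transform-set named ESP-3DES-SHA actually specifies esp-md5-hmac, so its name does not describe what it negotiates.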

Hi,

If you want to go through the whole Running Configuration of the ASA you can use the command

"sh run | begin crypto isakmp policy"

That should begin showing the configuration when it finds a configuration line matching "crypto isakmp policy".

Is any of your L2L VPNs actually working at the moment?

Does the command "show crypto isakmp sa" show anything?

- Jouni

Dear all,

Please check on this: there is nothing to show, but at my partner's peer their tunnel is up and we can ping each other.

ImtelcoASA2# show run | begin crypto isakmp policy
ImtelcoASA2# show run | begin crypto isakmp policy
ImtelcoASA2# sho
ImtelcoASA2# show cryp
ImtelcoASA2# show crypto is
ImtelcoASA2# show crypto isakmp sa

There are no isakmp sas

ImtelcoASA2#

Hi,

I'm not quite sure what the situation is.

You have no isakmp SAs, which would mean the current device doesn't have ANY VPN connections active at the moment.

And if everything is working it should mean that the VPN connections are on some other device than this ASA in question.

- Jouni

There's nothing unusual in it. The isakmp SA may time out after the tunnel is established and the lifetime of the isakmp SA has expired. So you may have situations where IPsec SAs, which are used for the actual traffic protection, are established and at the same time there are no isakmp SAs.

I would imagine seeing something with the "show crypto isakmp sa" output if you have an Active L2L VPN or IPsec VPN Client connection.

For example, one of our devices currently has 20 active L2L VPN connections and naturally also 20 matching outputs in "show crypto isakmp sa".

- Jouni

Jouni, I think it's possible to have an IPsec SA but no isakmp SA in the case where the isakmp SA lifetime is shorter than the IPsec SA lifetime. Probably it's not a good solution, because the IPsec rekey may fail if by the time of the rekey there's no isakmp SA, but it might happen.

Hello everyone,

So what is going on with my connection? What should I do next? Do I have any wrong point that needs to be changed? Please, everyone, tell me what the solution is for the current situation.

Warm regards,

ping,

Hello Everyone,

Now I got one up, but only one showed up. After I recreated the crypto isakmp policy for all 4 connections and then tried to show the policies again, it actually shows only 2 policies, and then it is only working for one peer, as shown below:

#show run crypto isakmp policy
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 6
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 28800

ImtelcoASA2# show vpn-sessiondb

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       0 :          0 :               0
    Clientless only     :       0 :          0 :               0
    With client         :       0 :          0 :               0 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       1 :        423 :               2
  IPsec Remote Access   :       0 :          0 :               0
  VPN Load Balancing    :       0 :          0 :               0
  Totals                :       1 :        423

License Information:
  IPsec   :    250    Configured :    250    Active :      1    Load :   0%
  SSL VPN :      2    Configured :      2    Active :      0    Load :   0%

                            Active : Cumulative : Peak Concurrent
  IPsec               :          1 :        423 :               2
  SSL VPN             :          0 :          0 :               0
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :          1 :        423

Tunnels:
               Active : Cumulative : Peak Concurrent
  IKE    :          1 :        423 :               2
  IPsec  :          1 :         16 :               1
  Totals :          2 :        439

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

ImtelcoASA2#

ImtelcoASA2# show crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Anyone have any idea? Please share if you have one.

Warm regards,

ping,
