VPN Tunnel ASA

katheer_4u, Level 1

Hi, I have an issue with a VPN tunnel. Please see the error output below and advise me. Thanks.

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 103.228.120.100
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2



Hi,
Is the peer VPN configured to respond? Can you run a debug on the peer device?

Your packet-tracer output determines the input and output interface as "backup".
...but your NAT ACL implies the source/input is "inside" and the destination/output is "outside".

Please confirm what packet-tracer syntax you used.
Also provide the output of "show nat detail"

HTH

Dear RJI,

nat (inside,backup) source static LOCA SERVER LOCA SERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.113.150/80 to 192.168.113.150/80

NAT is working. I checked before and it was given the wrong interface. Thanks, and I'm trying to use port www.

OK, but is the peer VPN configured correctly? The debug you previously provided indicated it failed at MM2...which means your ASA is waiting to hear back from the peer. Confirm the configuration of the peer device and that you have the correct peer IP address!

Yes, because of the NAT. Now NAT is okay.

I see it's something like an encryption issue?

ASA# packet-tracer input inside tcp 192.168.113.100 443 172.21.100.100 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 78.100.23.100, backup

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,backup) source static LOCASERVER LOCASERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface backup
Untranslate 172.21.100.100/443 to 172.21.100.100/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group To_Local in interface inside
access-list To_Local extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,backup) source static LOCASERVER LOCASERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.113.100/443 to 192.168.113.100/443

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: backup
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ALDAR-DR-ASA# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 103.228.120.100
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6


You run "packet-tracer input inside tcp 192.168.113.100 443 172.21.100.100 443"

...but your ACL used to define the VPN's interesting traffic has a different source IP address.

"access-list SITEOFFICE_AClist extended permit ip host 192.168.100.150 host 172.21.100.100"

...meaning that traffic would not go over the VPN tunnel.

Yes, dear RJI,

I have changed it, but it's still the same.

ASA# show runn crypto


access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq https
access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq www
access-list SITEOFFICE_AClist extended permit ip host 192.168.113.150 host 172.21.100.100


crypto ipsec ikev1 transform-set SITEOFFICE esp-3des esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 5 match address SITEOFFICE_AClist
crypto map outside_map 5 set peer 103.228.120.100
crypto map outside_map 5 set ikev1 transform-set SITEOFFICE
crypto map outside_map 5 set security-association lifetime seconds 86400
crypto map outside_map 5 set nat-t-disable


crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

nat (inside,outside) source static LOCA SERVER LOCA SERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup

+++++++++++++

It still seems like a

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:


Please provide the full output of packet-tracer, it provides a lot of useful information that helps me help you.

Remove the first 2 lines of your crypto ACL, you don't need them if you have the 3rd line.
Ensure the peer VPN device mirrors your crypto ACL exactly.
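The two pieces of advice in this thread (the traced flow's source 192.168.113.100 is not in the crypto ACL, and the first two port-qualified ACEs are shadowed by the third `ip` ACE, which the peer must mirror) can be checked mechanically before touching the tunnel. The Python below is an added example written for this page; it is not a Cisco tool and was not posted in the thread. It parses host-to-host `extended permit` ACEs in the ASA syntax quoted above, reports ACEs shadowed by a broader one, tests whether a given flow falls inside the crypto ACL, and checks that a peer ACL mirrors the local one. The peer ACL (name `TO_HQ`) and all function names are constructed for the example.

```python
"""Crypto ACL sanity checks for an ASA site-to-site tunnel (added example).

Handles the ACE shape quoted in the thread:
  access-list NAME extended permit {ip|tcp|udp} host A host B [eq PORT]
Other ACE forms (subnets, object-groups, source ports) are skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>ip|tcp|udp)"
    r"\s+host\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+host\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # ASA keywords seen in the thread


@dataclass(frozen=True)
class Ace:
    name: str
    proto: str
    src: str
    dst: str
    port: Optional[int]  # destination port; None means any port


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_acl(config: str) -> List[Ace]:
    """Extract host/host ACEs from 'show run' text, in configured order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["name"], m["proto"], m["src"], m["dst"], _port(m["port"])))
    return aces


def covers(broad: Ace, narrow: Ace) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (broad.src == narrow.src and broad.dst == narrow.dst
            and broad.proto in ("ip", narrow.proto)
            and (broad.port is None or broad.port == narrow.port))


def redundant_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs fully shadowed by another ACE in the same list; safe to remove."""
    return [n for n in aces if any(b != n and covers(b, n) for b in aces)]


def matches_flow(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """First ACE that would classify this flow as interesting traffic, or None."""
    probe = Ace("probe", proto, src, dst, dport)
    for ace in aces:
        if covers(ace, probe):
            return ace
    return None


def mirror_missing(local: List[Ace], peer: List[Ace]) -> List[Ace]:
    """Local ACEs with no exact mirror (src/dst swapped) on the peer.
    Assumes port-less ACEs, as recommended in the thread: a port-qualified
    mirror would carry the port on the peer's source side, which this
    parser does not model."""
    peer_keys = {(a.proto, a.src, a.dst, a.port) for a in peer}
    return [a for a in local if (a.proto, a.dst, a.src, a.port) not in peer_keys]


# Local ACL exactly as posted in the thread.
LOCAL_ACL = """\
access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq https
access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq www
access-list SITEOFFICE_AClist extended permit ip host 192.168.113.150 host 172.21.100.100
"""
# Constructed peer ACL: what the far end should carry once the local ACL is collapsed.
PEER_ACL = "access-list TO_HQ extended permit ip host 172.21.100.100 host 192.168.113.150\n"

if __name__ == "__main__":
    local, peer = parse_acl(LOCAL_ACL), parse_acl(PEER_ACL)
    print("traced flow in crypto ACL:",
          matches_flow(local, "tcp", "192.168.113.100", "172.21.100.100", 443) is not None)
    print("redundant ACEs:", [(a.proto, a.port) for a in redundant_aces(local)])
    print("local ACEs not mirrored on peer:", [(a.proto, a.port) for a in mirror_missing(local, peer)])
```

Run against the thread's ACL, the script reports that the traced flow from 192.168.113.100 matches nothing (so the VPN phase drops it, as packet-tracer showed), that the two `tcp ... eq` ACEs are shadowed by the `ip` ACE, and that only those two lack a mirror on the constructed peer ACL. The matching here is a static model of host-to-host ACEs; `packet-tracer` remains the authoritative check on the box itself.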

Yes, you're right, and sorry for that. Please see the attached.

What is the state of the VPN?
Provide the output of "show crypto ikev1 sa" and "show crypto ipsec sa"
Did you check the ACL on the peer VPN device?

Dear RJI,

Thank you for your help, I really appreciate it.
It's working now. It was an issue with the ACL, and I just cleared the crypto session.

Then it's working :)