03-16-2020 06:32 AM - edited 03-16-2020 06:42 AM
Hi, I have an issue with a VPN tunnel. Please see the error below and advise me. Thanks.
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 103.228.120.100
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
03-16-2020 07:17 AM - edited 03-16-2020 07:20 AM
You run "packet-tracer input inside tcp 192.168.113.100 443 172.21.100.100 443"
...but your ACL used to define the VPN's interesting traffic has a different source IP address.
"access-list SITEOFFICE_AClist extended permit ip host 192.168.100.150 host 172.21.100.100"
...meaning that traffic would not go over the VPN tunnel.
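As an added illustration of the point above (this is not code from the thread or from Cisco), a small Python checker that evaluates the packet-tracer 5-tuple against crypto-ACL lines the way the ASA's first-match lookup does. The ACL lines and addresses are the ones posted in this thread; the parser only understands the `host`, `any`, `net mask` and `eq port` forms seen here, and the www/https port names are a hand-coded mapping.

```python
import ipaddress
import re

# Constructed from the thread: the crypto ACL before the fix (wrong source host)
# and after the fix, plus the flow used in the packet-tracer command.
CRYPTO_ACL_BEFORE = [
    "access-list SITEOFFICE_AClist extended permit ip host 192.168.100.150 host 172.21.100.100",
]
CRYPTO_ACL_AFTER = [
    "access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq https",
    "access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq www",
    "access-list SITEOFFICE_AClist extended permit ip host 192.168.113.150 host 172.21.100.100",
]
PACKET_TRACER_FLOW = ("tcp", "192.168.113.100", "172.21.100.100", 443)

ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(ip|tcp|udp)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?$"
)
PORT_NAMES = {"www": 80, "https": 443}  # assumed subset of ASA port keywords

def parse_addr(tok):
    """Turn 'any', 'host A' or 'NET MASK' into an ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, src, dst, port = m.groups()
    dport = PORT_NAMES.get(port, None) if port else None
    if port and dport is None:
        dport = int(port)
    return action, proto, parse_addr(src), parse_addr(dst), dport

def matches_crypto_acl(acl_lines, proto, src_ip, dst_ip, dport):
    """First-match evaluation; True means the flow is 'interesting' and will be encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False  # no ACE matched: packet-tracer shows VPN/encrypt DROP (acl-drop)
```

Running the posted flow (source 192.168.113.100) against either ACL returns False, which is exactly the VPN encrypt DROP seen in the trace; only a flow sourced from the host in the ACL (192.168.113.150) matches.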
03-16-2020 07:00 AM
Dear RJI
nat (inside,backup) source static LOCA SERVER LOCA SERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.113.150/80 to 192.168.113.150/80
NAT is working. I checked before: it was given the wrong interface. Thanks, and I'm trying to use
port www.
03-16-2020 07:11 AM
Yes, because of the NAT. Now the NAT is okay.
I see it's something like an encryption issue?
ASA# packet-tracer input inside tcp 192.168.113.100 443 172.21.100.100 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 78.100.23.100, backup
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,backup) source static LOCASERVER LOCASERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface backup
Untranslate 172.21.100.100/443 to 172.21.100.100/443
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group To_Local in interface inside
access-list To_Local extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,backup) source static LOCASERVER LOCASERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.113.100/443 to 192.168.113.100/443
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: backup
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ALDAR-DR-ASA# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 103.228.120.100
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
03-16-2020 07:34 AM - edited 03-16-2020 07:37 AM
Yes, dear RJI,
I have changed it, but it is still the same.
ASA# show runn crypto
access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq https
access-list SITEOFFICE_AClist extended permit tcp host 192.168.113.150 host 172.21.100.100 eq www
access-list SITEOFFICE_AClist extended permit ip host 192.168.113.150 host 172.21.100.100
crypto ipsec ikev1 transform-set SITEOFFICE esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 5 match address SITEOFFICE_AClist
crypto map outside_map 5 set peer 103.228.120.100
crypto map outside_map 5 set ikev1 transform-set SITEOFFICE
crypto map outside_map 5 set security-association lifetime seconds 86400
crypto map outside_map 5 set nat-t-disable
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
nat (inside,outside) source static LOCA SERVER LOCA SERVER destination static SITE-SERVER SITE-SERVER no-proxy-arp route-lookup
+++++++++++++
It still seems like:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
03-16-2020 08:12 AM
Dear RJI
Thank you for your help, I really appreciate it.
It's working now. The issue was with the ACL, and I just cleared the crypto session,
then it's working :)