VPN Tunnel ping Branch side but not other way around

mrasad83
Level 1

Hi

I am going crazy as this problem remains.

I have the HQ side with an ASA 5520 (8.4) and the branch side with an ASA 5505.

Design

VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)

Now on both modems the UDP 500 and TCP/UDP 4500 ports are enabled.

I can ping from the internal LAN of HQ to the internal LAN of the branch, but

I can't ping from the internal LAN of the branch to the internal LAN of HQ.

HQ ASA 5520 Side

ASA Version 8.4(3)

!

hostname aljoaib-fw01

domain-name aljoaib.com

names

!

interface GigabitEthernet0/0

nameif External

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.252

!

interface GigabitEthernet0/1

nameif dmz_ext

security-level 50

ip address 192.168.100.254 255.255.255.252

!

interface GigabitEthernet0/2

nameif dmz_int

security-level 50

ip address 192.168.200.254 255.255.255.252

!

interface GigabitEthernet0/3

nameif internal-lan

security-level 100

ip address 172.16.1.251 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup External

dns domain-lookup internal-lan

dns server-group DefaultDNS

  domain-name aljoaib.com

object network HQ-Subnet

subnet 172.16.1.0 255.255.255.0

object service http

service tcp destination eq www

object service https

service tcp source eq https destination eq https

object service telnet

service tcp destination eq telnet

object network Main-Internet-Link

host xxx.xxx.xxx.xxx

object network GTC-DMM

subnet 172.16.8.0 255.255.255.0

object network Mgmt

host 213.177.250.80

object network Main-Internet-Link-GW

host xxx.xxx.xxx.xxx

object network GTC-HASA

subnet 172.16.7.0 255.255.255.0

object-group icmp-type ICMP

icmp-object echo

icmp-object echo-reply

icmp-object source-quench

icmp-object time-exceeded

icmp-object traceroute

object-group icmp-type ICMP_GRP

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object traceroute

object-group service TCP_GRP tcp

port-object eq cifs

port-object eq citrix-ica

port-object eq ctiqbe

port-object eq echo

port-object eq www

port-object eq https

object-group protocol RDP_GRP

protocol-object tcp

object-group service POP-SMTP_GRP tcp

port-object eq pop3

port-object eq smtp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_3

service-object icmp

service-object udp

service-object tcp

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

service-object tcp-udp destination eq domain

service-object tcp-udp destination eq sip

service-object tcp destination eq domain

service-object tcp destination eq echo

service-object tcp destination eq https

service-object tcp destination eq login

service-object tcp destination eq sip

service-object tcp destination eq ssh

service-object udp destination eq domain

service-object udp destination eq echo

service-object udp destination eq sip

service-object udp destination eq talk

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

object-group protocol ip_icmp

protocol-object ip

protocol-object icmp

object-group service esp-ip

service-object ip

service-object esp

object-group service ip-icmp

service-object ip

service-object icmp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object tcp-udp destination eq echo

service-object tcp destination eq echo

service-object udp destination eq echo

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object icmp

service-object icmp echo

service-object icmp echo-reply

access-list internal-lan_access_in extended permit object-group ip_icmp object HQ-Subnet any

access-list internal-lan_access_in extended permit ip 172.16.1.0 255.255.255.0 any

access-list External_cryptomap extended permit ip object HQ-Subnet object GTC-HASA

access-list External_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_1 object HQ-Subnet object GTC-DMM

pager lines 24

logging enable

logging asdm-buffer-size 500

logging buffered debugging

logging asdm informational

mtu External 1500

mtu dmz_ext 1500

mtu dmz_int 1500

mtu internal-lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any External

icmp permit 213.177.250.80 255.255.255.248 External

icmp permit any internal-lan

icmp permit xxx.xxx.xxx.xxx 255.255.255.252 internal-lan

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-DMM GTC-DMM

nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-HASA GTC-HASA

nat (internal-lan,External) source dynamic HQ-Subnet interface

access-group internal-lan_access_in in interface internal-lan

route External 0.0.0.0 0.0.0.0 84.235.87.182 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

http server enable

http 192.168.0.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set HO_VPN esp-aes esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal aes-128-sha

protocol esp encryption aes

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto map External_map 1 match address External_cryptomap_1

crypto map External_map 1 set peer 2.91.51.82

crypto map External_map 1 set ikev1 transform-set ESP-AES-128-SHA

crypto map External_map 2 match address External_cryptomap

crypto map External_map 2 set peer 77.31.136.89

crypto map External_map 2 set ikev1 transform-set ESP-AES-128-SHA

crypto map External_map interface External

no crypto isakmp nat-traversal

crypto isakmp disconnect-notify

crypto ikev2 policy 60

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable External

crypto ikev1 enable External

crypto ikev1 am-disable

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

dhcpd address 172.16.1.150-172.16.1.220 internal-lan

dhcpd dns 84.235.6.55 84.235.57.235 interface internal-lan

dhcpd domain aljoaib.com interface internal-lan

!

dhcpd address 192.168.0.2-192.168.0.10 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1 des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

group-policy GroupPolicy_77.31.136.89 internal

group-policy GroupPolicy_77.31.136.89 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_2.91.51.82 internal

group-policy GroupPolicy_2.91.51.82 attributes

vpn-tunnel-protocol ikev1

tunnel-group 2.91.51.82 type ipsec-l2l

tunnel-group 2.91.51.82 general-attributes

default-group-policy GroupPolicy_2.91.51.82

tunnel-group 2.91.51.82 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 77.31.136.89 type ipsec-l2l

tunnel-group 77.31.136.89 general-attributes

default-group-policy GroupPolicy_77.31.136.89

tunnel-group 77.31.136.89 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map ICMP-CMAP

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class ICMP-CMAP

  inspect icmp

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6c3a455f1315b5310629b4c0705ad18a

: end

Branch side ASA 5505

:

ASA Version 8.2(5)

!

hostname GTC-DMM-FIREWALL

domain-name ALJOAIB.COM

enable password 7pgp93AEPfHtDc5N encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 172.16.1.0 HQ-Network

name XXX.xxx.xxx.xxx HO_WAN description WAN Link

name 77.31.3.192 WAN_Branch description WAN bRANCH

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.8.251 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan5

no nameif

security-level 50

ip address dhcp setroute

!

ftp mode passive

dns server-group DefaultDNS

domain-name ALJOAIB.COM

object-group service xpata

description port 81

service-object tcp-udp eq 81

service-object tcp eq 81

service-object udp eq 81

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_4

service-object icmp

service-object udp

service-object tcp

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

service-object tcp-udp eq domain

service-object tcp-udp eq sip

service-object tcp eq echo

service-object tcp eq https

service-object tcp eq login

service-object tcp eq sip

service-object udp eq domain

service-object udp eq echo

service-object udp eq sip

service-object udp eq talk

group-object xpata

object-group service DM_INLINE_SERVICE_5

service-object ip

service-object icmp

service-object udp

service-object tcp

service-object icmp echo

service-object icmp echo-reply

service-object tcp-udp eq echo

service-object tcp eq echo

service-object udp eq echo

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object tcp-udp eq echo

service-object tcp eq echo

service-object udp eq echo

access-list outside_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_1 172.16.8.0 255.255.255.0 HQ-Network 255.255.255.0

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 172.16.8.0 255.255.255.0 any

access-list inside_nat0_outbound_1 extended permit ip 172.16.8.0 255.255.255.0 HQ-Network 255.255.255.0

pager lines 24

logging enable

logging console notifications

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 172.16.8.0 255.255.255.0

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.16.8.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set peer xxx.xxx.xxx.xxx

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 172.16.8.1-172.16.8.50 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

!

!

!

policy-map outside-policy

policy-map inside-policy

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ed909e1a3b55aa58f36325855e6a825b

: end

GTC-DMM-FIREWALL#  sh crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 84.235.87.181

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

Both sides have static IP addresses.

Could someone help me to solve this issue?

22 Replies

Hello Asad,

Can you give me the output of the following from both asa

show sysopt

regards

Harish

Hi Harish

This command isn't available on either ASA.

Doesn't look like the service policy is applied on 5520 side, and the inspection wasn't even configured on the 5505 side.

Pls kindly configure the following:

ASA 5520:

service-policy global_policy global

ASA 5505:

class-map inspection_default

   match default-inspection-traffic

exit

policy-map global_policy

  class inspection_default

        inspect icmp

service-policy global_policy global

Hi Jennifer

After adding these commands to the ASA5520 and ASA5505,

the tunnel came up as it did before, but now there is no ping from either side.

Pls delete the class-map that you configured for ICMP, as it doesn't contain any match statement.

ASA 5520:

policy-map global_policy

    no class ICMP-CMAP

Then try again.

Hi Jennifer

Still the same, no ping from either side.

I think the data cannot travel because of a blocking ACL; I am running out of options here, I need to go live next week.

What are you trying to ping to and from? Pls share the IP addresses.

Also the output of the following from both ASA:

show cry isa sa

show cry ipsec sa

Hi Jennifer

I am trying to ping from a host on the HQ network to a host on the branch network.

Tomorrow I will send the output of these commands; it's off hours here.

HOST IP: 172.16.1.22 GW:172.16.1.251

HQ ASA 5520

sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 37.106.21.191

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

sh crypto ipsec sa

interface: External

    Crypto map tag: External_map, seq num: 3, local addr: 84.235.87.181

      access-list External_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)

      current_peer: 37.106.21.191

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 16822, #pkts decrypt: 16822, #pkts verify: 16822

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.235.87.181/0, remote crypto endpt.: 37.106.21.191/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 0DD3A664

      current inbound spi : 8CE6630A

    inbound esp sas:

      spi: 0x8CE6630A (2363908874)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 45056, crypto-map: External_map

         sa timing: remaining key lifetime (kB/sec): (4373893/19698)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x0DD3A664 (231974500)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 45056, crypto-map: External_map

         sa timing: remaining key lifetime (kB/sec): (4374000/19698)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Branch ASA 5505

HOST IP:172.16.8.1 GW:172.16.8.251

sh crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 84.235.87.181

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.1.8

      access-list outside_cryptomap_1 extended permit ip 172.16.8.0 255.255.255.0 172.16.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (HQ-Network/255.255.255.0/0/0)

      current_peer: 84.235.87.181

      #pkts encaps: 16847, #pkts encrypt: 16847, #pkts digest: 16847

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 16847, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.8, remote crypto endpt.: 84.235.87.181

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 8CE6630A

      current inbound spi : 0DD3A664

    inbound esp sas:

      spi: 0x0DD3A664 (231974500)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 36864, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/19596)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x8CE6630A (2363908874)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 36864, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373892/19596)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Hi Harish

After running this command on the branch-side ASA 5505 I got this message:

GTC-DMM-FIREWALL(config)# sho runn sysopt

no sysopt connection reclassify-vpn

After running this command on the HQ ASA 5520 side I got this message:

aljoaib-fw01(config)# sh runn sysopt

aljoaib-fw01(config)#

In taking a quick peek at your config, it looks as though you have NAT-T (port 4500) disabled on both sides:

no crypto isakmp nat-traversal

Have you tried enabling it to see if that helps?

The fact that the "show crypto ipsec sa" is showing packets being encapsulated but not decapsulated on one side means you're very close to having the tunnel up and running, and I suspect it's probably something to do with NAT-T or how you are NAT'ing across the tunnel.
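As an added example that is not part of the thread, the Python script below cross-checks the two "show crypto ipsec sa" outputs posted above (the HQ and branch excerpts are embedded as constructed input) together with the "no crypto isakmp nat-traversal" line from both configs: it pairs the SAs by SPI, reports which side decrypts traffic without ever encrypting a reply, and flags a peer whose local crypto endpoint is a private address while NAT-T is disabled.

```python
"""Cross-check two ASA 'show crypto ipsec sa' outputs for one-way traffic.

Added example, not code from the thread. It parses the packet counters,
crypto endpoints and SPIs each side reports, confirms both sides describe
the same SA pair, and flags the patterns that matter in this thread: a side
that decrypts traffic but never encrypts anything back, a side that encrypts
traffic its peer never decrypts, and a peer whose local crypto endpoint is a
private address (so it sits behind NAT) while NAT-T is disabled.
"""
import ipaddress
import re

# Constructed excerpts, trimmed from the two outputs posted in the thread.
HQ_SA = """\
interface: External
    Crypto map tag: External_map, seq num: 3, local addr: 84.235.87.181
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 16822, #pkts decrypt: 16822, #pkts verify: 16822
      local crypto endpt.: 84.235.87.181/0, remote crypto endpt.: 37.106.21.191/0
      current outbound spi: 0DD3A664
      current inbound spi : 8CE6630A
"""
BRANCH_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.1.8
      #pkts encaps: 16847, #pkts encrypt: 16847, #pkts digest: 16847
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.8, remote crypto endpt.: 84.235.87.181
      current outbound spi: 8CE6630A
      current inbound spi : 0DD3A664
"""
# The NAT-T line as it appears in both running configs in the thread.
HQ_CFG = "no crypto isakmp nat-traversal"
BRANCH_CFG = "no crypto isakmp nat-traversal"


def parse_ipsec_sa(text):
    """Pull counters, endpoints and SPIs out of one 'show crypto ipsec sa' block."""
    def counter(label):
        m = re.search(rf"#pkts {label}: (\d+)", text)
        return int(m.group(1)) if m else 0

    ep = re.search(r"local crypto endpt\.: ([\d.]+)(?:/\d+)?, "
                   r"remote crypto endpt\.: ([\d.]+)", text)
    out_spi = re.search(r"current outbound spi: ([0-9A-Fa-f]+)", text)
    in_spi = re.search(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text)
    if not (ep and out_spi and in_spi):
        raise ValueError("not a complete 'show crypto ipsec sa' block")
    return {
        "encaps": counter("encaps"), "decaps": counter("decaps"),
        "local": ep.group(1), "remote": ep.group(2),
        "out_spi": out_spi.group(1).upper(), "in_spi": in_spi.group(1).upper(),
    }


def natt_disabled(config):
    """True when the running config carries 'no crypto isakmp nat-traversal'."""
    return re.search(r"^\s*no crypto isakmp nat-traversal\s*$", config, re.M) is not None


def diagnose(a, b, a_cfg="", b_cfg="", names=("A", "B")):
    """Return a list of findings for a pair of peers (parsed SA plus config)."""
    findings = []
    # A healthy pair has crossed SPIs: A's outbound SPI is B's inbound one.
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        findings.append("SPI mismatch: the two outputs do not describe the same SA pair")
    # NAT-T is only used when both peers allow it, so one 'no' line disables it.
    natt_off = natt_disabled(a_cfg) or natt_disabled(b_cfg)
    for me, peer, name in ((a, b, names[0]), (b, a, names[1])):
        # Decrypts what arrives but never encrypts a reply: the return traffic
        # is not reaching this side's crypto map (NAT exemption, crypto ACL,
        # routing or the inside access-list are the places to look).
        if me["decaps"] > 0 and me["encaps"] == 0:
            findings.append(f"{name}: decapsulated {me['decaps']} packets but "
                            "encapsulated none; return traffic never hits the crypto map")
        # Encrypts, but the peer never decrypts: the ESP packets are lost in
        # transit between the two crypto endpoints.
        if me["encaps"] > 0 and peer["decaps"] == 0:
            findings.append(f"{name}: encapsulated {me['encaps']} packets the "
                            "peer never decapsulated; ESP is not getting through")
        # A private local endpoint that the peer sees under a different,
        # public address means this side is behind a NAT device.
        behind_nat = (ipaddress.ip_address(me["local"]).is_private
                      and me["local"] != peer["remote"])
        if behind_nat and natt_off:
            findings.append(f"{name}: behind NAT ({me['local']} is seen by the peer "
                            f"as {peer['remote']}) while NAT-T is disabled on at "
                            "least one side; ESP must then pass the NAT device unchanged")
    return findings


def check_thread_outputs():
    """Run the diagnosis over the two outputs posted in the thread."""
    return diagnose(parse_ipsec_sa(HQ_SA), parse_ipsec_sa(BRANCH_SA),
                    HQ_CFG, BRANCH_CFG, names=("HQ", "Branch"))


if __name__ == "__main__":
    for finding in check_thread_outputs():
        print(finding)
```

Run against the thread's own numbers it reports two findings: HQ decapsulates 16822 packets but encapsulates none, and the branch (local endpoint 192.168.1.8, seen by HQ as 37.106.21.191) sits behind NAT with NAT-T switched off on both sides.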

The config for the dynamic setup is:

ASA Version 8.4(3)

!

hostname aljoaib-fw01

domain-name aljoaib.com

enable password 7pgp93AEPfHtDc5N encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif External

security-level 0

ip address 84.235.87.181 255.255.255.252

!

interface GigabitEthernet0/1

nameif dmz_ext

security-level 50

ip address 192.168.100.254 255.255.255.252

!

interface GigabitEthernet0/2

nameif dmz_int

security-level 50

ip address 192.168.200.254 255.255.255.252

!

interface GigabitEthernet0/3

nameif internal-lan

security-level 100

ip address 172.16.1.251 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup External

dns domain-lookup internal-lan

dns server-group DefaultDNS

name-server 84.235.6.55

name-server 84.235.57.230

domain-name aljoaib.com

object network HQ-Subnet

subnet 172.16.1.0 255.255.255.0

object service http

service tcp destination eq www

object service https

service tcp source eq https destination eq https

object service telnet

service tcp destination eq telnet

object network Main-Internet-Link

host 84.235.87.181

object network GTC-DMM

subnet 172.16.8.0 255.255.255.0

object network Mgmt

host 213.177.250.80

object network Main-Internet-Link-GW

host 84.235.87.182

object network GTC-HASA

subnet 172.16.7.0 255.255.255.0

object-group icmp-type ICMP

icmp-object echo

icmp-object echo-reply

icmp-object source-quench

icmp-object time-exceeded

icmp-object traceroute

object-group icmp-type ICMP_GRP

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object traceroute

object-group service TCP_GRP tcp

port-object eq cifs

port-object eq citrix-ica

port-object eq ctiqbe

port-object eq echo

port-object eq www

port-object eq https

object-group protocol RDP_GRP

protocol-object tcp

object-group service POP-SMTP_GRP tcp

port-object eq pop3

port-object eq smtp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_3

service-object icmp

service-object udp

service-object tcp

service-object icmp echo

service-object icmp echo-reply

service-object icmp traceroute

service-object icmp unreachable

service-object tcp-udp destination eq domain

service-object tcp-udp destination eq sip

service-object tcp destination eq domain

service-object tcp destination eq echo

service-object tcp destination eq https

service-object tcp destination eq login

service-object tcp destination eq sip

service-object tcp destination eq ssh

service-object udp destination eq domain

service-object udp destination eq echo

service-object udp destination eq sip

service-object udp destination eq talk

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

object-group protocol ip_icmp

protocol-object ip

protocol-object icmp

object-group service esp-ip

service-object ip

service-object esp

object-group service ip-icmp

service-object ip

service-object icmp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object icmp

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object icmp

service-object icmp echo

service-object icmp echo-reply

access-list internal-lan_access_in extended permit object-group ip_icmp object HQ-Subnet any

access-list External_cryptomap extended permit ip object HQ-Subnet object GTC-HASA

access-list External_cryptomap_2 extended permit ip object HQ-Subnet object GTC-DMM

pager lines 24

logging enable

logging asdm-buffer-size 500

logging buffered debugging

logging asdm informational

mtu External 1500

mtu dmz_ext 1500

mtu dmz_int 1500

mtu internal-lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any External

icmp permit 213.177.250.80 255.255.255.248 External

icmp permit any internal-lan

icmp permit 84.235.87.180 255.255.255.252 internal-lan

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-DMM GTC-DMM

nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-HASA GTC-HASA

nat (internal-lan,External) source dynamic HQ-Subnet interface

access-group internal-lan_access_in in interface internal-lan

route External 0.0.0.0 0.0.0.0 84.235.87.182 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

http server enable

http 192.168.0.0 255.255.255.0 management

http 84.235.87.181 255.255.255.255 External

http 213.177.250.80 255.255.255.248 External

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set HO_VPN esp-aes esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal aes-128-sha

protocol esp encryption aes

protocol esp integrity sha-1

crypto dynamic-map GTC-DMM 3 match address External_cryptomap_2

crypto dynamic-map GTC-DMM 3 set ikev1 transform-set ESP-AES-128-SHA

crypto map External_map 2 match address External_cryptomap

crypto map External_map 2 set peer 77.31.136.89

crypto map External_map 2 set ikev1 transform-set ESP-AES-128-SHA

crypto map External_map 3 ipsec-isakmp dynamic GTC-DMM

crypto map External_map interface External

no crypto isakmp nat-traversal

crypto isakmp disconnect-notify

crypto ikev2 policy 60

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 enable External

crypto ikev1 enable External

crypto ikev1 am-disable

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

dhcpd address 172.16.1.150-172.16.1.220 internal-lan

dhcpd dns 84.235.6.55 84.235.57.235 interface internal-lan

dhcpd domain aljoaib.com interface internal-lan

!

dhcpd address 192.168.0.2-192.168.0.10 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1 des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

group-policy GroupPolicy_77.31.136.89 internal

group-policy GroupPolicy_77.31.136.89 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1

tunnel-group 77.31.136.89 type ipsec-l2l

tunnel-group 77.31.136.89 general-attributes

default-group-policy GroupPolicy_77.31.136.89

tunnel-group 77.31.136.89 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group GTC-DMM type ipsec-l2l

tunnel-group GTC-DMM general-attributes

default-group-policy GroupPolicy1

tunnel-group GTC-DMM ipsec-attributes

ikev1 pre-shared-key *****

!

class-map ICMP-CMAP

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class ICMP-CMAP

  inspect icmp

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

policy-map type inspect ipsec-pass-thru IPsec_pass

description for all branches

parameters

  esp

  ah

policy-map type inspect sip sip_pass

description for VoIP fone

parameters

  max-forwards-validation action drop log

!

asadmaqsood
Level 1

Hi Jonathan

I tried this command as well, but nothing happened either; now a new issue has come up.

The static IP of the branch has been changed to dynamic and I configured the ASA5520 at HQ for a dynamic peer, so now I am getting this error and the tunnel won't come up at all.

Nov 12 20:30:08 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

Nov 12 20:30:16 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

Nov 12 20:30:24 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

Nov 12 20:30:34 [IKEv1]Group = 94.98.240.216, IP = 94.98.240.216, Can't find a valid tunnel group, aborting...!

Nov 12 20:30:42 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

Nov 12 20:30:50 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

Nov 12 20:30:58 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)

What is this about?

Can anyone reply on how to get the tunnel up with a dynamic IP on the branch side?