11-13-2017 09:47 AM - edited 03-12-2019 04:44 AM
Hello,
I have problems establishing a tunnel between an ASA 5505 and a Cisco 2801.
This is the config I use, and it has been working for a while. For some reason it suddenly stopped working.
Can you help me to spot the error? Thanks
Cisco 2801(Main Office):
crypto isakmp policy 5
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 6
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 7
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 8
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 9
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 11
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 12
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 14
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key salugano address ASA 5505 IP
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 ah-sha-hmac esp-aes esp-sha-hmac
crypto ipsec transform-set strongSA-IMC esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile VTI-PROFILE
set transform-set strongBEUSA2
!
!
crypto dynamic-map securidvpnclient 15
set transform-set myset
set isakmp-profile securidprofile
reverse-route
!
crypto dynamic-map vpnclient 10
set transform-set myset
set isakmp-profile testprofile
reverse-route
!
!
crypto map vpn local-address FastEthernet0/0
crypto map vpn 16 ipsec-isakmp
description VPNTEST
set peer ASA 5505 IP
set security-association lifetime seconds 86400
set security-association idle-time 120 default
set transform-set strongSA-IMC
match address 129
crypto map vpn 17 ipsec-isakmp
description -=Corina=-
set peer 1xxx
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set strongvoip
match address 130
crypto map vpn 25 ipsec-isakmp dynamic securidvpnclient
!
ASA 5505 (remote location):
crypto ipsec ikev1 transform-set strongSA-IMC esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map IMC-map 1 match address VPN-SA-IMCL
crypto map IMC-map 1 set pfs
crypto map IMC-map 1 set peer Cisco 2801 IP
crypto map IMC-map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IMC-map 1 set reverse-route
crypto map IMC-map interface outside-telefonica(ASA 5505 IP)
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside-fibertel
crypto ikev1 enable outside-telefonica
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key C
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
!
ASA 5505 sh crypto isa sa shows nothing
On Cisco 2801 side:
.Nov 13 14:52:25.378 ARG: ISAKMP:(0:1777:HW:2):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
.Nov 13 14:52:27.086 ARG: ISAKMP:(0:0:N/A:0):purging SA., sa=659E3E88, delme=659E3E88
.Nov 13 14:52:27.158 ARG: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.31.4.2, remote= ASA 5505 IP,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4)
.Nov 13 14:52:27.158 ARG: ISAKMP: received ke message (3/1)
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer ASA 5505 IP)
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peerASA 5505 IP)
.Nov 13 14:52:27.158 ARG: ISAKMP: Unlocking IKE struct 0x66015574 for isadb_mark_sa_deleted(), count 0
.Nov 13 14:52:27.158 ARG: ISAKMP: Deleting peer node by peer_reap for ASA 5505 IP: 66015574
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting node -879990099 error FALSE reason "IKE deleted"
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting node -158567796 error FALSE reason "IKE deleted"
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
.Nov 13 14:52:27.158 ARG: IPSEC(key_engine): got a queue event with 1 kei messages
.Nov 13 14:52:27.202 ARG: ISAKMP:(0:0:N/A:0):purging SA., sa=651AD370, delme=651AD370
.Nov 13 14:52:27.238 ARG: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.31.4.2, remote= ASA 5505 IP,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 192.168.X.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x790311F3(2030244339), conn_id= 0, keysize= 0, flags= 0x400E
.Nov 13 14:52:27.238 ARG: ISAKMP: received ke message (1/1)
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
.Nov 13 14:52:27.238 ARG: ISAKMP: Created a peer struct for ASA 5505 IP, peer port 500
.Nov 13 14:52:27.238 ARG: ISAKMP: New peer created peer = 0x66015574 peer_handle = 0x80283735
.Nov 13 14:52:27.238 ARG: ISAKMP: Locking peer struct 0x66015574, IKE refcount 1 for isakmp_initiator
.Nov 13 14:52:27.238 ARG: ISAKMP: local port 500, remote port 500
.Nov 13 14:52:27.238 ARG: ISAKMP: set new node 0 to QM_IDLE
.Nov 13 14:52:27.238 ARG: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65A28830
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching ASA 5505 IP
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): sending packet to ASA 5505 IP my_port 500 peer_port 500 (I) MM_NO_STATE
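Because the router's debug never gets past MM_NO_STATE, one thing worth ruling out is a phase-1 proposal mismatch between the router's crypto isakmp policies and the ASA's crypto ikev1 policies. The Python script below is an added example written for this thread, not code from the posts or from Cisco. It parses a subset of the policy blocks transcribed from the two configs above (router policies 5, 10, 12 and 14, both ASA policies, with the pre-shared key line left out), fills in the IOS defaults for attributes a policy omits (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400), and reports which policy pairs agree on encryption, hash, authentication and DH group. As a generalization beyond the question, it also lists which policies still rely on DES, 3DES, MD5 or DH group 2, which helps when thinning out the many near-duplicate policies. The sample strings and function names are this example's own.

```python
"""Compare IKEv1 phase-1 policies on an IOS router with those on an ASA.

Added example for this thread, not code from the posts or from Cisco. The two
sample configs are a subset of the policy blocks posted above (router policies
5, 10, 12 and 14; both ASA policies), with the pre-shared key line left out.
"""
import re

# Values IOS applies to any attribute a 'crypto isakmp policy' block omits.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1", "lifetime": "86400"}
# ASA 'crypto ikev1 policy' defaults; the sample below sets every attribute
# explicitly, so these are not exercised here.
ASA_DEFAULTS = {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": "2", "lifetime": "86400"}

# Map both platforms' keywords onto one attribute name.
KEYWORDS = {"encr": "encr", "encryption": "encr", "hash": "hash",
            "authentication": "auth", "group": "group", "lifetime": "lifetime"}
HEADER = re.compile(r"crypto (?:isakmp|ikev1) policy (\d+)$")

# Constructed sample: subset of the router config from the post.
IOS_SAMPLE = """
crypto isakmp policy 5
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 14
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 30 periodic
"""

# Constructed sample: the two ikev1 policies from the ASA config in the post.
ASA_SAMPLE = """
crypto ikev1 enable outside-telefonica
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


def parse_policies(config, defaults):
    """Return {policy_number: {encr, hash, auth, group, lifetime}} for every policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = dict(defaults)
            policies[int(m.group(1))] = current
            continue
        parts = line.split()
        key = KEYWORDS.get(parts[0]) if parts else None
        if current is None or key is None:
            current = None  # blank line, '!' or any other top-level command ends the block
            continue
        # 'encr aes 256' (IOS) and 'encryption aes-256' (ASA) both become 'aes-256';
        # 'lifetime 86400' keeps only the number.
        current[key] = parts[-1] if key == "lifetime" else "-".join(parts[1:])
    return policies


def compatible_pairs(local, remote):
    """(local_policy, remote_policy) pairs that agree on encryption, hash, authentication and DH group.
    Lifetime is not compared: IKEv1 peers settle on the shorter of the two."""
    keys = ("encr", "hash", "auth", "group")
    return [(ln, rn) for ln, lp in sorted(local.items()) for rn, rp in sorted(remote.items())
            if all(lp[k] == rp[k] for k in keys)]


WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def weak_attributes(policies):
    """Policy numbers mapped to the attributes that fall below a current crypto baseline."""
    report = {}
    for num, p in policies.items():
        flagged = [f"{k}={p[k]}" for k in ("encr", "hash", "group") if p[k] in WEAK[k]]
        if flagged:
            report[num] = flagged
    return report


if __name__ == "__main__":
    ios = parse_policies(IOS_SAMPLE, IOS_DEFAULTS)
    asa = parse_policies(ASA_SAMPLE, ASA_DEFAULTS)
    print("compatible phase-1 pairs (router, asa):", compatible_pairs(ios, asa))
    print("router policies with weak attributes:", weak_attributes(ios))
    print("asa policies with weak attributes:", weak_attributes(asa))
```

On the configs in the post, router policy 10 (3DES, default SHA hash, pre-share, group 2) matches both ASA policies, so the phase-1 proposals are not what is broken; the MM_NO_STATE state points instead at the first main-mode message getting no usable reply. Every policy on both sides is flagged as weak, which backs up the reply's advice to clean out what is not needed.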
11-13-2017 10:02 AM
Hi,
What about the commands show crypto isakmp sa and show crypto ipsec sa?
Also, do you have two tunnels to the 2801? I'd recommend you clean up everything that is not necessary; this can bring chaos when something goes wrong.
!
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key C
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
!
-If I helped you somehow, please, rate it as useful.-
11-13-2017 10:53 AM - edited 11-23-2017 12:44 PM
Thanks for your reply.
ASA-55051# sh crypto isa sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA-5505 show crypto ipsec sa
There are no ipsec sas
vpnserver#sh crypto isakmp sa
dst src state conn-id slot status
xxxxxxxxxxxx 172.31.4.2 MM_NO_STATE 0 0 ACTIVE
xxxxxxxxxxxx 172.31.4.2 MM_NO_STATE 0 0 ACTIVE (deleted)
vpnserver# sh crypto ipsec sa
current_peer ASA 5505 IP port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10118, #recv errors 0
local crypto endpt.: 172.31.4.2, remote crypto endpt.: ASA 5505 IP
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
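The show output above already tells the whole story once you know how to read it: a single ISAKMP SA stuck in MM_NO_STATE, an outbound SPI of 0x0 with nothing encapsulated, and a large send-error count. The Python script below is an added example written for this thread, not code from the posts or from Cisco; it parses those two IOS outputs and turns them into findings. The two sample strings are transcribed from the reply above with the ASA's address replaced by the documentation address 203.0.113.1 and the all-zero compression counters left out; the function names are this example's own.

```python
"""Triage 'show crypto isakmp sa' and 'show crypto ipsec sa' output from an IOS router.

Added example for this thread, not code from the posts or from Cisco. The two
sample outputs are transcribed from the reply above, with the ASA's address
replaced by the documentation address 203.0.113.1 and the all-zero compression
counters left out.
"""
import re

# Constructed sample: 'show crypto isakmp sa' from the post.
ISAKMP_SAMPLE = """\
dst             src             state          conn-id slot status
203.0.113.1     172.31.4.2      MM_NO_STATE    0       0    ACTIVE
203.0.113.1     172.31.4.2      MM_NO_STATE    0       0    ACTIVE (deleted)
"""

# Constructed sample: one peer entry of 'show crypto ipsec sa' from the post.
IPSEC_SAMPLE = """\
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 10118, #recv errors 0
     local crypto endpt.: 172.31.4.2, remote crypto endpt.: 203.0.113.1
     current outbound spi: 0x0(0)
"""

# Each "#pkts encaps: 0" or "#send errors 10118" field becomes (name, value).
COUNTER_RE = re.compile(r"#(?:pkts )?([a-z.]+(?: [a-z.]+)*):? (\d+)")
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def parse_isakmp_sa(text):
    """Rows of (dst, src, state, status) from 'show crypto isakmp sa'; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 6:
            rows.append((parts[0], parts[1], parts[2], " ".join(parts[5:])))
    return rows


def parse_ipsec_sa(text):
    """Packet counters and the outbound SPI from one peer entry of 'show crypto ipsec sa'."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    spi = SPI_RE.search(text)
    return {"counters": counters, "outbound_spi": int(spi.group(1), 16) if spi else None}


def triage(isakmp_text, ipsec_text):
    """Turn the two outputs into findings an engineer can act on."""
    findings = []
    rows = parse_isakmp_sa(isakmp_text)
    live = [r for r in rows if "deleted" not in r[3]]
    if not live:
        findings.append("no live ISAKMP SA: phase 1 has not been attempted, or every attempt was torn down")
    elif all(r[2] == "MM_NO_STATE" for r in live):
        findings.append("phase 1 stuck in MM_NO_STATE: the first main-mode message went out but the SA never "
                        "advanced, so either nothing came back on UDP/500 or the peer rejected the proposal")
    elif all(r[2] == "QM_IDLE" for r in live):
        findings.append("phase 1 is up (QM_IDLE); if traffic still fails, look at phase 2 and the crypto ACLs")

    sa = parse_ipsec_sa(ipsec_text)
    c = sa["counters"]
    if sa["outbound_spi"] == 0 and c.get("encaps", 0) == 0:
        findings.append("no IPsec SA (outbound SPI 0x0, nothing encapsulated), as expected with no phase 1")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send errors: packets matched the crypto ACL and were dropped "
                        "because no SA existed, so interesting traffic is being generated on this side")
    return findings


if __name__ == "__main__":
    for finding in triage(ISAKMP_SAMPLE, IPSEC_SAMPLE):
        print("-", finding)
```

The send-error count is the useful detail here: it shows the router is already trying to bring the tunnel up on its own, so forcing traffic from behind the ASA (as the next reply suggests) mainly tests whether the ASA side reacts at all. If the ASA still shows no IKEv1 SA afterwards, the check moves to UDP/500 reachability between the two peers and to whether ikev1 and the crypto map are enabled on the ASA interface that actually faces the router.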
11-13-2017 11:02 AM
You have no Phase 1 mounted. Can both devices ping each other?
Try to force the tunnel to go up. From some device behind the ASA or the router, try to ping some device on the other end.
-If I helped you somehow, please, rate it as useful.-