VPN Tunnel up, But cannot ping across it??

jtmullis82
Level 1

I have an L2L VPN tunnel from a 5520 to a 5510 with Cisco 2941s on each end behind the ASAs. I cannot ping from my local 2941 to the remote 2941. The tunnel doesn't block ICMP, and I have multiple other sites configured with the same equipment that are working. I have set up a debug icmp trace, and I can see on both ASAs that when the ping is initiated it makes it to the ASA it is connected to but never gets across. Please help, this is the last step in finishing my project...

29 Replies

Everything else looks fine. Two last ideas...

1. Maybe the PSK got mistyped. Remove and replace on both sides.

2. Reload on the hub site firewall?

If the PSK was wrong, would the tunnel come up? Because the tunnel is working. I will reset the key anyhow. I cannot currently reload the hub because it is carrying traffic for other sites, but on my next maintenance window I will do this as well.

Post sh crypto ipsec sa from both sides. Try to ping and see if the decrypt or encrypt counters increase with the ping packets.

Also, post sh logging output (parts showing 10.10.x.x network errors only).

Debug crypto ipsec sa output with some traffic.

Thanks

Manish

If the PSK was wrong the tunnel or SA will never establish.

When I initiated the ping I didn't see the packet counter going up. Also, the debug crypto ipsec didn't generate anything...

!! LOCAL 5520 !!

YPG-ASA5520-1# sh crypto ipsec sa peer 140.32.132.73
peer address: 140.32.132.73
    Crypto map tag: outside_map, seq num: 3, local addr: 6.7.0.13

      access-list outside_3_cryptomap permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      current_peer: 140.32.132.73

      #pkts encaps: 283, #pkts encrypt: 283, #pkts digest: 283
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 283, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.7.0.13, remote crypto endpt.: 140.32.132.73

      path mtu 1522, ipsec overhead 58, media mtu 1500
      current outbound spi: C0D8CF16

    inbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15613952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27760)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15613952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914984/27759)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

YPG-ASA5520-1#

!! REMOTE 5510 !!

NPS-ASA5510# show crypto ipsec sa peer 6.7.0.13
peer address: 6.7.0.13
    Crypto map tag: outside_map, seq num: 10, local addr: 140.32.132.73

      access-list outside_1_cryptomap permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 6.7.0.13

      #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 219, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 140.32.132.73, remote crypto endpt.: 6.7.0.13

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8DB6DD98

    inbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27701)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373989/27700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

NPS-ASA5510#

=============================================================================================================

!! SHOW LOGGING LOCAL 5520!!

YPG-ASA5520-1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 2643514 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 430134 messages logged
loads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE RECEIVED Message (msgid=175ac1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing hash payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing notify payload
%ASA-7-715075: Group = 140.32.132.73, IP = 140.32.132.73, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x224afcec)
%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
%ASA-7-714003: IP = 140.32.132.73, IKE Responder starting QM: msg id = f0915402
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE RECEIVED Message (msgid=f0915402) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing hash payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing SA payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing nonce payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing ID payload
%ASA-7-714011: Group = 140.32.132.73, IP = 140.32.132.73, ID_IPV4_ADDR_SUBNET ID received--10.10.40.0--255.255.255.0
%ASA-7-713035: Group = 140.32.132.73, IP = 140.32.132.73, Received remote IP Proxy Subnet data in ID Payload:   Address 10.10.40.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing ID payload
%ASA-7-714011: Group = 140.32.132.73, IP = 140.32.132.73, ID_IPV4_ADDR_SUBNET ID received--10.10.10.0--255.255.255.0
%ASA-7-713034: Group = 140.32.132.73, IP = 140.32.132.73, Received local IP Proxy Subnet data in ID Payload:   Address 10.10.10.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 1...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 2...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 3...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-3-713061: Group = 140.32.132.73, IP = 140.32.132.73, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.40.0/255.255.255.0/0/0 local proxy 10.10.10.0/255.255.255.0/0/0 on interface outside
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, sending notify message
%ASA-7-715046: Group = 140.32.132.73, IP = 140.32.132.73, constructing blank hash payload
%ASA-7-715046: Group = 140.32.132.73, IP = 140.32.132.73, constructing qm hash payload
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE SENDING Message (msgid=2150743a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
%ASA-3-713902: Group = 140.32.132.73, IP = 140.32.132.73, QM FSM error (P2 struct &0xcd208978, mess id 0xf0915402)!
%ASA-7-715065: Group = 140.32.132.73, IP = 140.32.132.73, IKE QM Responder FSM error history (struct &0xcd208978)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, sending delete/delete with reason message
%ASA-3-713902: Group = 140.32.132.73, IP = 140.32.132.73, Removing peer from correlator table failed, no match!
YPG-ASA5520-1#
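
The two symptoms visible in the output above (encaps counters climbing on both peers while decaps stays at zero, and a Quick Mode proposal with proxy IDs that match no crypto map entry) are mechanical enough to check with a script. The following is an added example written for this page, not code from the thread or from Cisco; the SA excerpts and ACL lines it parses are constructed to follow the shape of the posted output, and the field names, function names and the heuristics in diagnose() are the author's assumptions about what to look for, not ASA-documented rules.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of 'show crypto ipsec sa' output, modelled on the pattern in the
# thread (each side encapsulates, neither decapsulates). Not captures from the real devices.
LOCAL_SA = """
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      #pkts encaps: 283, #pkts encrypt: 283, #pkts digest: 283
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: C0D8CF16
    inbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
"""
REMOTE_SA = """
      local ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 8DB6DD98
    inbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
"""


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    inbound_spi: str
    outbound_spi: str


def _grab(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract the fields needed for the checks from one peer's 'show crypto ipsec sa' output."""
    return IpsecSa(
        local_ident=_grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        remote_ident=_grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", text),
        encaps=int(_grab(r"#pkts encaps: (\d+)", text)),
        decaps=int(_grab(r"#pkts decaps: (\d+)", text)),
        inbound_spi=_grab(r"inbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)", text).upper(),
        outbound_spi=_grab(r"current outbound spi: ([0-9A-Fa-f]+)", text).upper(),
    )


def diagnose(a: IpsecSa, b: IpsecSa) -> list[str]:
    """Compare the two peers' SAs and return human-readable findings (empty list = nothing odd)."""
    findings = []
    # Proxy identities must be mirror images, otherwise phase 2 would not have matched.
    if (a.local_ident, a.remote_ident) != (b.remote_ident, b.local_ident):
        findings.append("proxy identities are not mirrored; check the crypto ACLs on both peers")
    # Each side's outbound SPI must be the other side's inbound SPI: same SA on both ends.
    if a.outbound_spi != b.inbound_spi or b.outbound_spi != a.inbound_spi:
        findings.append("SPI mismatch; the peers hold different phase-2 SAs, clear and renegotiate")
    # Heuristic (assumption): both sides sending, neither receiving, points at the transit path.
    if a.encaps > 0 and b.encaps > 0 and a.decaps == 0 and b.decaps == 0:
        findings.append(
            "both peers encapsulate but neither decapsulates: ESP (IP protocol 50) is not "
            "reaching either side; suspect ESP being dropped in the transit path or a NAT "
            "device in between (enable NAT-T)"
        )
    elif (a.encaps > 0 and a.decaps == 0 and b.encaps == 0) or \
         (b.encaps > 0 and b.decaps == 0 and a.encaps == 0):
        findings.append("only one peer encapsulates and gets nothing back: "
                        "check routing and NAT exemption on the silent side")
    return findings


# Crypto ACL line as the ASA prints it in 'show run' / 'show crypto ipsec sa'.
_ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")


def acl_mirrored(local_acl: str, remote_acl: str) -> bool:
    """True when the remote crypto ACL is the exact mirror (source/destination swapped) of the local one."""
    la, ra = _ACL_RE.search(local_acl), _ACL_RE.search(remote_acl)
    if la is None or ra is None:
        raise ValueError("unrecognised crypto ACL line")
    lsrc, lsm, ldst, ldm = la.groups()
    rsrc, rsm, rdst, rdm = ra.groups()
    return (lsrc, lsm, ldst, ldm) == (rdst, rdm, rsrc, rsm)


if __name__ == "__main__":
    for f in diagnose(parse_ipsec_sa(LOCAL_SA), parse_ipsec_sa(REMOTE_SA)):
        print("finding:", f)
    # The stale 10.10.40.0 entry from the syslog above is not the mirror of the 5520's ACL.
    print("mirrored:", acl_mirrored(
        "access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0",
        "access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0"))
```

Paste each peer's real output into LOCAL_SA and REMOTE_SA and run it on the management host; the SPI check is the quick way to confirm both ASAs are talking about the same phase-2 SA before blaming the path, and acl_mirrored() is the check Stefano asks for further down the thread when he points out the crypto ACLs are not mirrored.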

Add the line

access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0

on the 5520.

thanks

manish

I added it; it still doesn't work. 10.10.40.0/24 is an old subnet that we are no longer using. The equipment is now on 10.10.50.0/24.

OK, if you are not using it then remove it from both ASAs, and remove the crypto maps on both sides and reapply them.

Make sure you do that with a downtime request, as removing the crypto map and reapplying it will stop all tunnels.

Thanks

Manish

Hi,

To clean up the situation a bit (as you have made many changes so far), can you please attach (no copy-paste) the following:

1- configuration both peers

2- topology including peers and the hosts you are pinging from and pinging to

3- show crypto ipsec sa peer from both ASA

After that we will proceed with the troubleshooting.

Stefano

I currently do not have access to the computer needed to get this information. I will post as soon as I have access. I am pretty sure I have found the problem. It doesn't appear the packets are getting sent across the right VPN. There are multiple VPNs on the 5520, and the ACL list has multiple ACLs trying to push the same 10.10.10.0/24 subnet (please see the show run above). Do you think it would help to isolate the ACLs with the 10.10.10.0/24s to one single 10.10.10.0 address and make it a /32?

here is the file you requested. your help in this is greatly appreciated.

Also, when I initiate a ping I notice on the IPsec SA that

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 will increase,

but #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 and #pkts compressed: 0, #pkts decompressed: 0 do not increase.

Does anyone see anything out of the ordinary in the config?

The configuration looks fine; however, I see you do not have mirrored ACLs, so you might want to go back to a proper config:

1- on remote ASA5520

no access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0

The only thing I can think of is if there is a NAT device in the middle.

Can you enable NAT-T on both ASAs:

ASA(config)#crypto isakmp nat-traversal

If it does not work, please open a TAC case so we can investigate further

I opened a TAC case; they found that somewhere in the ISP connection between the two ASAs the ESP protocol is being dropped. Thanks for your help with this. I will consult with my ISP technicians to try to solve this problem.

great, hope our suggestion helped.

Stefano