06-21-2010 02:41 PM
Hi everyone, I am super lost at this point; please help. I cannot get a site-to-site VPN connection between an ASA 5510 and 1841.
Below is the output of the ISAKMP SAs, IPsec SAs and crypto maps for the 1841:
Router#show cry isakmp sa
dst src state conn-id slot status
70.33.178.164 66.160.11.132 MM_NO_STATE 0 0 ACTIVE (deleted)
66.160.11.132 70.33.178.164 MM_NO_STATE 1 0 ACTIVE (deleted)
Router#sh cry ipsec sa
interface: FastEthernet0/1
Crypto map tag: asa1, local addr 66.160.11.132
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 319, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router#sh cry map
Crypto Map "asa1" 1 ipsec-isakmp
Peer = 70.33.178.164
Extended IP access list 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
Current peer: 70.33.178.164
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Crypto Map "asa1" 10 ipsec-isakmp
Peer = 70.33.178.164
Extended IP access list 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
Current peer: 70.33.178.164
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Interfaces using crypto map asa1:
FastEthernet0/1
ASA 5510
Result of the command: "sh cry ipsec sa"
interface: outside
Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164
access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 71.191.130.50
#pkts encaps: 175781, #pkts encrypt: 175781, #pkts digest: 175781
#pkts decaps: 267694, #pkts decrypt: 267694, #pkts verify: 267694
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 175781, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 552987DF
inbound esp sas:
spi: 0x4FFF5AF2 (1342135026)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373516/2107)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x552987DF (1428785119)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373641/2107)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Result of the command: "sh cry isakmp sa"
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2
1 IKE Peer: 71.191.130.50
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 66.160.11.132
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Let me know if I should post anything else, please.
Thanks in advance
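For readers trying to interpret the router output above, here is an added triage script (not from the original thread, not Cisco code) that parses IOS-style `show crypto isakmp sa` and `show crypto ipsec sa` text and reports whether Phase 1 completed and whether each crypto-ACL entry has an ESP SA. The embedded samples are constructed from the 1841 output posted in the thread, trimmed to the fields the parser reads; the state names treated as "established" (`QM_IDLE` on IOS, `MM_ACTIVE` on ASA) are general IKEv1 knowledge, and the line layout the regexes assume is what IOS prints, not a documented API.

```python
"""Triage helper for Cisco 'show crypto isakmp sa' / 'show crypto ipsec sa' output.

Added example, not from the thread. Samples below are constructed from the
router output in the original post (trimmed to the lines this parser reads).
"""
import re

# Main-mode states that mean Phase 1 finished (IOS: QM_IDLE, ASA: MM_ACTIVE).
# MM_NO_STATE on IOS and MM_WAIT_MSG2 on ASA both mean Phase 1 never completed.
IKE_ESTABLISHED = {"QM_IDLE", "MM_ACTIVE"}

ISAKMP_SAMPLE = """\
dst src state conn-id slot status
70.33.178.164 66.160.11.132 MM_NO_STATE 0 0 ACTIVE (deleted)
66.160.11.132 70.33.178.164 MM_NO_STATE 1 0 ACTIVE (deleted)
"""

IPSEC_SAMPLE = """\
interface: FastEthernet0/1
Crypto map tag: asa1, local addr 66.160.11.132
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 319, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
"""


def parse_isakmp_sa(text):
    """Parse IOS 'show crypto isakmp sa' rows; the header row is skipped."""
    pat = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
    rows = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if not m:                     # header ("conn-id" is not numeric) or blank
            continue
        dst, src, state, conn_id, _slot, status, extra = m.groups()
        rows.append({"dst": dst, "src": src, "state": state, "conn_id": int(conn_id),
                     "status": status, "deleted": "(deleted)" in extra,
                     "established": state in IKE_ESTABLISHED})
    return rows


def _ident(line):
    """'local ident (...): (192.168.30.0/255.255.255.0/0/0)' -> '192.168.30.0/255.255.255.0'."""
    inner = line[line.index("(", line.index(":")) + 1:line.rindex(")")]
    addr, mask = inner.split("/")[:2]
    return f"{addr}/{mask}"


def _counter(line, key):
    """Read the integer after a counter label such as 'encaps:' or 'send errors'."""
    m = re.search(re.escape(key) + r":?\s*(\d+)", line)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Split IOS 'show crypto ipsec sa' into one record per local/remote ident pair."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            cur = {"local": _ident(line), "remote": None, "peer": None, "encaps": 0,
                   "decaps": 0, "send_errors": 0, "outbound_spi": None}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("remote ident"):
            cur["remote"] = _ident(line)
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        elif line.startswith("#pkts encaps"):
            cur["encaps"] = _counter(line, "encaps")
        elif line.startswith("#pkts decaps"):
            cur["decaps"] = _counter(line, "decaps")
        elif line.startswith("#send errors"):
            cur["send_errors"] = _counter(line, "send errors")
        elif line.startswith("current outbound spi"):
            cur["outbound_spi"] = line.split(":", 1)[1].strip()
    for r in records:
        # An outbound SPI of 0x0(0) means no ESP SA was ever negotiated for this entry.
        r["active"] = r["outbound_spi"] not in (None, "0x0(0)")
    return records


def diagnose(isakmp_text, ipsec_text):
    """Return human-readable findings: Phase 1 status, then one line per Phase 2 problem."""
    findings = []
    ike = parse_isakmp_sa(isakmp_text)
    if not any(r["established"] for r in ike):
        states = ", ".join(sorted({r["state"] for r in ike})) or "none"
        findings.append(f"phase1: no established IKE SA (states: {states})")
    for r in parse_ipsec_sa(ipsec_text):
        tag = f"{r['local']} -> {r['remote']} via {r['peer']}"
        if not r["active"]:
            findings.append(f"phase2: no ESP SA for {tag}")
        if r["send_errors"] and r["encaps"] == 0:
            findings.append(f"phase2: {r['send_errors']} send errors with 0 encaps for {tag} "
                            "(interesting traffic seen, nothing sent encrypted)")
    return findings


if __name__ == "__main__":
    for f in diagnose(ISAKMP_SAMPLE, IPSEC_SAMPLE):
        print(f)
```

Run on the posted output it reports that Phase 1 never left MM_NO_STATE and that neither crypto-ACL entry has an ESP SA, which is the same reading Federico reaches a few posts later by hand; the `send errors` line for the 192.168.10.0/24 entry confirms the router did see traffic it wanted to protect.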
06-21-2010 04:20 PM
When I ran sh run management, it only listed: management-access inside
IPs are correct
From Router
Router#ping 192.168.10.1 source 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)
From ASA
Result of the command: "ping inside 192.168.30.1"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
06-21-2010 04:26 PM
Ok, so let's do the following:
Clear the crypto SAs on both sides:
ASA:
clear cry isa sa 66.160.11.132
clear cry ips sa peer 66.160.11.132
Router:
clear cry isa
clear cry sa
Then turn on these debugs on both sides:
ASA:
debug cry condition peer 66.160.11.132
debug cry isa 127
debug cry ips 127
Router:
debug cry isa
debug cry ips
You might need the command: term mon
on both sides to see the debugs.
Please attach the outputs.
Federico.
06-21-2010 04:34 PM
Attached is the output from the router; it's awfully long, not sure if that is what you're looking for.
06-21-2010 04:40 PM
Jackie,
Phase 1 is establishing correctly.
We need to check what is happening with Phase 2.
When you get CLI access to the ASA, you should be able to run the debug commands that I gave you.
Federico.
06-21-2010 05:19 PM
post
06-21-2010 05:46 PM
FW-COLO# show cry debug
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters:
66.160.11.132/32
FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
How can I see the 711001? I can't find it in the syslog view.
06-21-2010 06:07 PM
I was able to figure out how to show it in the console, but I still can't see it in the syslog. Maybe it's just me.
Here are some of the lines from the ASA related to the 66 peer:
%ASA-7-713236: IP = 66.160.11.132, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
%ASA-7-715065: IP = 66.160.11.132, IKE MM Initiator FSM error history (struct &0xd8e9e7a0)
%ASA-7-713906: IP = 66.160.11.132, IKE SA MM:b49d70c1 terminating: flags 0x01000022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 66.160.11.132, sending delete/delete with reason message
Attached is the output from the ASA.
thanks
06-22-2010 06:03 AM
Jackie,
We're not getting much from the debugs in this case.
Could you post a copy of the "sh run" from both devices?
Federico.
06-22-2010 06:17 AM
post
06-22-2010 06:34 AM
Jackie,
This is the next step:
Clear the SAs on both units.
Post the complete output from the debugs.
With these debugs and the configurations hopefully we'll find out what's going on.
Federico.
06-22-2010 06:50 AM
post
06-22-2010 07:04 AM
What I've seen is that even though phase 1 seems to be down, there's an entry for phase 2.
According to the logs, phase 1 establishes, but then goes down, because the VPN won't establish.
Have you cleared the SAs both for phase 1 and phase 2?
Federico.
06-22-2010 07:12 AM
I have used the clear commands stated before on both routers. Is there another command to clear Phase 2?
06-22-2010 07:16 AM
The command
clear cry ips sa peer x.x.x.x
is the one that clears the SA for phase 2.
Try doing the command and checking again:
sh cry ips sa
To make sure there's no SA for phase 2.
Federico.
06-22-2010 07:21 AM
OK, I ran the clear command and here is the sh output:
FW-COLO# sh cry ips sa
interface: outside
Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164
access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 71.191.130.50
#pkts encaps: 16551, #pkts encrypt: 16551, #pkts digest: 16551
#pkts decaps: 16645, #pkts decrypt: 16645, #pkts verify: 16645
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16551, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 7E575FCD
inbound esp sas:
spi: 0x21BBA596 (565945750)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373213/2268)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7E575FCD (2119655373)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373221/2264)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001