siclines1234
Level 1

Hi everyone, I am super lost at this point, please help. I cannot get a site-to-site VPN connection between an ASA 5510 and an 1841.

Below is the output of the ISAKMP, IPSEC and Crypto Maps for the 1841:

Router#show cry isakmp sa
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_NO_STATE          1    0 ACTIVE (deleted)

Router#sh cry ipsec sa

interface: FastEthernet0/1
    Crypto map tag: asa1, local addr 66.160.11.132

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 319, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Router#sh cry map
Crypto Map "asa1" 1 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }

Crypto Map "asa1" 10 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map asa1:
                FastEthernet0/1

ASA 5510

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 71.191.130.50

      #pkts encaps: 175781, #pkts encrypt: 175781, #pkts digest: 175781
      #pkts decaps: 267694, #pkts decrypt: 267694, #pkts verify: 267694
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 175781, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 552987DF

    inbound esp sas:
      spi: 0x4FFF5AF2 (1342135026)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373516/2107)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x552987DF (1428785119)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373641/2107)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Result of the command: "sh cry isakmp sa"

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2

1   IKE Peer: 71.191.130.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 66.160.11.132
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Let me know if I should post anything else, please.

Thanks in advance
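As an added example (not part of the original post), a small Python triage script that reads the kind of `show crypto isakmp sa` and `show crypto ipsec sa` output quoted above and flags the two things visible in the 1841's output: IKE SAs stuck outside QM_IDLE/MM_ACTIVE, and crypto map flows with no ESP SA and send errors. The sample text is constructed from the router output in the thread, and the regexes assume IOS/ASA field wording.

```python
"""Triage Cisco 'show crypto isakmp sa' / 'show crypto ipsec sa' text (added example)."""
import re

HEALTHY_IKE = {"QM_IDLE", "MM_ACTIVE"}   # Phase 1 complete: IOS shows QM_IDLE, ASA MM_ACTIVE
IDENT = r"\(([\d.]+/[\d.]+)/"            # "net/mask" from an "(addr/mask/prot/port)" tuple
# Constructed sample, trimmed from the 1841 output quoted in the thread.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_NO_STATE          1    0 ACTIVE (deleted)
"""
IPSEC_SA = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 319, #recv errors 0
     outbound esp sas:

     outbound ah sas:
"""

def parse_isakmp_sa(text):
    """One dict per IKE SA table row; the header and non-table lines are skipped."""
    return [{"dst": p[0], "src": p[1], "state": p[2]} for p in map(str.split, text.splitlines())
            if len(p) >= 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", p[0])]

def parse_ipsec_sa(text):
    """One dict per 'protected vrf' section: proxy IDs, counters, ESP SA present?"""
    def section(chunk):
        num = lambda label: int(re.search(label + r":?\s*(\d+)", chunk).group(1))
        return {"local": re.search(r"local\s+ident[^:]*:\s*" + IDENT, chunk).group(1),
                "remote": re.search(r"remote\s+ident[^:]*:\s*" + IDENT, chunk).group(1),
                "encaps": num("#pkts encaps"), "send_errors": num("#send errors"),
                # a built SA prints an 'spi:' line right under 'outbound esp sas:'
                "esp": re.search(r"outbound esp sas:\s*spi:", chunk) is not None}
    return [section(c) for c in text.split("protected vrf:")[1:]]

def triage(isakmp_text, ipsec_text):
    """Findings to check first; an empty list means nothing stood out."""
    findings = [f"IKE {sa['src']}->{sa['dst']}: Phase 1 not complete ({sa['state']})"
                for sa in parse_isakmp_sa(isakmp_text) if sa["state"] not in HEALTHY_IKE]
    for s in parse_ipsec_sa(ipsec_text):
        flow = f"{s['local']} <-> {s['remote']}"
        if not s["esp"]:
            findings.append(f"IPsec {flow}: no ESP SA, Phase 2 was never built")
        if s["encaps"] == 0 and s["send_errors"]:
            findings.append(f"IPsec {flow}: {s['send_errors']} send errors with 0 encaps, "
                            "traffic hit the crypto ACL but no SA existed to protect it")
    return findings
```

Paste the full output of both commands into the two strings (or read them from files) and call `triage`; on this thread's router output it reports both IKE rows and the 192.168.30.0 to 192.168.10.0 flow.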

30 Replies

When I ran sh run management, it only listed:  management-access inside

IPs are correct

From Router

Router#ping 192.168.10.1 source 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)

From ASA

Result of the command: "ping inside 192.168.30.1"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Ok, so let's do the following:

Clear the crypto SAs on both sides:

ASA:

clear cry isa sa 66.160.11.132

clear cry ips sa peer 66.160.11.132

Router:

clear cry isa

clear cry sa

Then turn on these debugs on both sides:

ASA:

debug cry condition peer 66.160.11.132

debug cry isa 127

debug cry ips 127

Router:

debug cry isa

debug cry ips

You might need the command:  term mon

on both sides to see the debugs.

Please attach the outputs.

Federico.

Attached is the output from the Router, awfully long; not sure if that is what you're looking for.

Jackie,

Phase 1 is establishing correctly.

We need to check what is happening with Phase 2.

When you get CLI access to the ASA, you should be able to run the debug commands that I gave you.

Federico.

siclines1234
Level 1


FW-COLO# show cry debug

Crypto conditional debug is turned ON
IKE debug context unmatched flag:  OFF
IPSec debug context unmatched flag:  OFF
IKE debug context error flag:  OFF
IPSec debug context error flag:  OFF

IKE peer IP address filters:
66.160.11.132/32

FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
FW-COLO# debug cry ips 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session

How can I see the 711001? I can't find it in the syslog view.

I was able to figure out how to show it in the console, but I still can't see it in the syslog. Maybe it's just me.

Here are some of the lines from the ASA related to the 66:

%ASA-7-713236: IP = 66.160.11.132, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

%ASA-7-715065: IP = 66.160.11.132, IKE MM Initiator FSM error history (struct &0xd8e9e7a0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

%ASA-7-713906: IP = 66.160.11.132, IKE SA MM:b49d70c1 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

%ASA-7-713906: IP = 66.160.11.132, sending delete/delete with reason message

Attached is the output from the ASA.

Thanks

Jackie,

We're not getting much from the debugs in this case.

Could you post a copy of the 'sh run' from both devices?

Federico.


Jackie,

This is the next step:

Clear the SAs on both units.

Post the complete output from the debugs.

With these debugs and the configurations hopefully we'll find out what's going on.

Federico.


What I've seen is that even though phase 1 seems to be down, there's an entry for phase 2.

According to the logs, phase 1 establishes, but then goes down, because the VPN won't establish.

Have you cleared the SAs both for phase 1 and phase 2?

Federico.

I have used the clear commands stated before on both routers. Is there another command to clear Phase 2?

The

clear cry ips sa peer x.x.x.x

is the command to clear the SA for phase 2.

Try doing the command and checking again:

sh cry ips sa

To make sure there's no SA for phase 2.

Federico.

OK, I ran the clear cmd and here is the sh:

FW-COLO# sh cry ips sa
interface: outside
    Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 71.191.130.50

      #pkts encaps: 16551, #pkts encrypt: 16551, #pkts digest: 16551
      #pkts decaps: 16645, #pkts decrypt: 16645, #pkts verify: 16645
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16551, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 7E575FCD

    inbound esp sas:
      spi: 0x21BBA596 (565945750)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373213/2268)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7E575FCD (2119655373)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373221/2264)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
