cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1629
Views
0
Helpful
2
Replies

ASA 8.4(3) Dynamic to Static L2L issue

shihabhamsa
Level 1
Level 1

Hi guys,

         I have an issue with hub and spoke vpn connectivity.

My connection is like the following

                          ------ ISP1 (Static IP)    ----

SPOKE (Branch)-|                                     |---------------- INTERNET ------------- HUB with Static IP (HQ)

                          ----- ISP2 (Dynamic IP) ----

         To achieve vpn fail over for the branch I configured Dynamic to Static L2L with DefaultL2LGroup on HQ

HQ uses ASA 5540 with 8.4(3) and branch runs ASA 5520 with 8.2(2) 

HQ Config

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map mydyn 10 set transform-set myset

crypto map mymap 60000 ipsec-isakmp dynamic mydyn

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

Branch Config

access-list ISPBackup_1_cryptomap extended permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto map ISPBackup_map 1 match address ISPBackup_1_cryptomap

crypto map ISPBackup_map 1 set peer x.x.x.x

crypto map ISPBackup_map 1 set transform-set ESP-3DES-SHA

crypto map ISPBackup_map 1 set reverse-route

crypto map ISPBackup_map interface ISPBackup

crypto isakmp enable outside

crypto isakmp enable ISPBackup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 3600

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

The default route on Branch is tracked one, always taking priority with the ISP1.

My concern is whenever an interesting traffic hits the brach ASA, it initiates a vpn to HQ, and I am getting Phase 1 completed. But always getting Phase 2 error.

When I check the debug on HQ ASA, what I see is, the HQ ASA after phase 1 checks for each STATIC crypto map and then gives the message as the connection is pointing to dynamic map. But never checks any of my dynamic crypto map, Instead on next log ASA will complain that All IPSec proposals found unacceptable. then it will cut the phase1.

I know that phase2 error can be because of transform sets, pfs, interesting traffic etc mismatch, I tried all the combinations making everything look exact mirror, without any luck. I will stand around the same problem.

The interesting fact is that, it was working perfect, with the setup but before I upgrade to 8.4(3)

Any idea, what to do now?


2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

HQ running 8.4.3

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map mydyn 10 set transform-set myset

crypto map mymap 60000 ipsec-isakmp dynamic mydyn

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

This cannot be the configuration as now we use ikev1 commands,

Can you share the updated config please?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Very true,

          I just gave the normal command sets for the HUB :-)

My actual configuration is as following

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set my-set esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set test esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set mydynset esp-3des esp-sha-hmac

crypto dynamic-map DYN_L2L 3 match address Outside_cryptomap_1

crypto dynamic-map DYN_L2L 3 set ikev1 transform-set my-set mydynset

crypto dynamic-map DYN_L2L 3 set reverse-route

crypto map mymap 3 ipsec-isakmp dynamic DYN_L2L

crypto map mymap 60000 ipsec-isakmp dynamic dynmap

crypto map mymap interface Outside