VRF IPSec to ASA

I am trying to set up a VRF IPSec to ASA VPN tunnel. VRF IPSec is at the head office and the ASA is at the customer end. I successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the IPsec stats when I initiate the ping from the head office (a ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
GTO-ClientEdge-RT1#sh cry ipse sa    
interface: GigabitEthernet0/0
    Crypto map tag: gto_share_map, local addr 192.33.232.209
   protected vrf: vrf-veridian
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 173.46.8.98 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0
     local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Crypto ISAKMP debugging is on
GTO-ClientEdge-RT1#
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE     
Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:29.702: ISAKMP:      encryption AES-CBC
Nov 19 22:46:29.702: ISAKMP:      keylength of 256
Nov 19 22:46:29.702: ISAKMP:      hash SHA
Nov 19 22:46:29.702: ISAKMP:      default group 5
Nov 19 22:46:29.702: ISAKMP:      auth pre-share
Nov 19 22:46:29.702: ISAKMP:      life type in seconds
Nov 19 22:46:29.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
        next-payload : 8
        type         : 1
        address      : 192.33.232.209
        protocol     : 17
        port         : 500
        length       : 12
Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
        next-payload : 8
        type         : 1
        address      : 173.46.8.98
        protocol     : 17
        port         : 0
        length       : 12
Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:received payload type 17
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
        authenticated
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5  New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE     
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 1512038398, sa = 0x1235BF68
Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE     
Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
GTO-ClientEdge-RT1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
173.46.8.98     192.33.232.209  MM_NO_STATE       9023 ACTIVE (deleted) veridian-ike-prof
IPv6 Crypto ISAKMP SA
GTO-ClientEdge-RT1#
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE     
Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:59.702: ISAKMP:      encryption AES-CBC
Nov 19 22:46:59.702: ISAKMP:      keylength of 256
Nov 19 22:46:59.702: ISAKMP:      hash SHA
Nov 19 22:46:59.702: ISAKMP:      default group 5
Nov 19 22:46:59.702: ISAKMP:      auth pre-share
Nov 19 22:46:59.702: ISAKMP:      life type in seconds
Nov 19 22:46:59.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM4
Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:59.802: ISAKMP (9024): ID payload
        next-payload : 8
        type         : 1
        address      : 192.33.232.209
        protocol     : 17
        port         : 500
        length       : 12
Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP (9024): ID payload
        next-payload : 8
        type         : 1
        address      : 173.46.8.98
        protocol     : 17
        port         : 0
        length       : 12
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP:received payload type 17
Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
        authenticated
Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5  New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE     
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 4129876318, sa = 0x1235C984
Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE     
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE

ASA doesn't like what you're sending.
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Check what's happening around QM1 on the ASA.
For reference, working debugs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
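As an added diagnostic aid (editor's example, not part of the thread or any Cisco tool), the following Python script parses the IOS `debug crypto isakmp` and `show crypto ipsec sa` text quoted above, tracks the phase 1 / phase 2 state transitions and NOTIFY payloads, and reports where the negotiation broke. The verdict strings and the wildcard-identity hint are the editor's rules of thumb, and the sample input is an excerpt of the debug from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Line patterns for IOS "debug crypto isakmp" output as quoted in the thread.
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"ISAKMP:\((\d+)\): processing NOTIFY (\S+) protocol (\d+)")
DELETE_RE = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]+)"')
# Line patterns for "show crypto ipsec sa" output.
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class IkeTrace:
    """What one IKEv1 initiator run in the debug tells us."""
    conn_ids: List[str] = field(default_factory=list)
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    phase1_complete: bool = False
    quick_mode_started: bool = False
    notifies: List[Tuple[str, bool]] = field(default_factory=list)  # (type, seen after QM1 was sent)
    delete_reasons: List[str] = field(default_factory=list)
    idents: Dict[str, str] = field(default_factory=dict)  # "local"/"remote" -> addr/mask/prot/port
    send_errors: int = 0
    recv_errors: int = 0


def parse(debug_text: str, ipsec_sa_text: str = "") -> IkeTrace:
    """Extract state transitions, NOTIFY payloads, SA deletions and proxy identities."""
    t = IkeTrace()
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            conn, old, new = m.groups()
            if conn not in t.conn_ids:
                t.conn_ids.append(conn)  # IOS switches from conn-id 0 to the real id mid-exchange
            t.transitions.append((old, new))
            if new == "IKE_P1_COMPLETE":
                t.phase1_complete = True
            if new == "IKE_QM_I_QM1":
                t.quick_mode_started = True
            continue
        m = NOTIFY_RE.search(line)
        if m:
            t.notifies.append((m.group(2), t.quick_mode_started))
            continue
        m = DELETE_RE.search(line)
        if m:
            t.delete_reasons.append(m.group(2))
    for line in ipsec_sa_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            t.idents[m.group(1)] = m.group(2)
        m = ERRORS_RE.search(line)
        if m:
            t.send_errors, t.recv_errors = int(m.group(1)), int(m.group(2))
    return t


def is_wildcard(ident: str) -> bool:
    """True for an any/any proxy identity such as 0.0.0.0/0.0.0.0/0/0."""
    return ident.startswith("0.0.0.0/0.0.0.0")


def diagnose(t: IkeTrace) -> str:
    """Verdict on where the negotiation broke (editor's rules of thumb, not IOS output)."""
    if not t.phase1_complete:
        last = t.transitions[-1][1] if t.transitions else "unknown"
        return f"phase1-failed: negotiation stopped in {last}"
    qm_notifies = [kind for kind, after_qm1 in t.notifies if after_qm1]
    if "INVALID_ID_INFO" in qm_notifies:
        verdict = ("phase2-rejected: peer answered Quick Mode with INVALID_ID_INFO, "
                   "proxy identities (crypto ACLs) do not mirror each other")
        if any(is_wildcard(v) for v in t.idents.values()):
            offered = ", ".join(f"{k}={v}" for k, v in t.idents.items())
            verdict += f" (this side offers a wildcard identity: {offered})"
        return verdict
    if "NO_PROPOSAL_CHOSEN" in qm_notifies:
        return "phase2-rejected: no matching IPsec transform set or PFS group"
    if t.delete_reasons:
        return "sa-deleted: " + "; ".join(t.delete_reasons)
    return "phase2-ok or still in progress"


# Constructed sample: an excerpt of the head-office router's debug and
# "show crypto ipsec sa" lines quoted in the post above.
SAMPLE_DEBUG = """\
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""
SAMPLE_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #send errors 15, #recv errors 0
"""

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE_DEBUG, SAMPLE_IPSEC_SA)))
```

Run it against a full debug capture to confirm phase 1 authenticated and the ASA replied to the first Quick Mode message with INVALID_ID_INFO, which is what the reply above points at; the responder's own debug is still needed to see which identity it refused.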

Similar Messages

  • IPsec IKEv1 ASA tunnel dropping down.

    Greetings people.
    I have a typical ISAKMP/IKEV1 Hub-and-spoke topology.
    My hub is ASA5510 and spokes are 5505.
    On one of the spokes 5505 , I have two tunnels , one to the HUB and another to another SPOKE.
    The tunnel to the HUB from the ASA 5505 is breaking as soon as some traffic gets through, or sometimes in general. The breaks during the production hours occur every 20 minutes, sometimes every hour. The tunnel comes back pretty fast, in a couple of minutes, but still it is breaking. I have an asa846-k8 image on the spoke.
    The interesting thing is that the tunnel on that spoke to the other spoke is not breaking so often, but it does not have as much traffic on it as the problematic one.
    I have checked the configurations, and the tunnel settings are the same on both sides like the auth protocol, the DH group and similar.
    I will post some configs here. I also have tried to use the debug crypto ikev1 but did not get anything useful there.
    SPOKE
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto map CoCo_map 1 match address CoCo_cryptomap
    crypto map CoCo_map 1 set pfs
    crypto map CoCo_map 1 set peer xxx.xxx.xxx.xxx
    crypto map CoCo_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    HUB
    crypto map outside_map 3 match address outside_cryptomap_2
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer x.x.x.x.
    crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    If there is any more conf outputs I will be glad to send. I have tried to collect some info with PRTG Asa VPN SNMP traffic sensor but no luck in getting it to work.
    Thanks in advance.

    hi,
    Perfect Forward Secrecy (PFS)—PFS ensures that a given IPsec SA key was not derived from any other secret, like some other keys. In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPsec SAs setup by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (D-H 768 bit) by default.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
    HTH

  • AP registration over IPSEC Tunnel(ASA)

    Guys, 
    I have my WAP sitting behind an ASA and have an IPsec tunnel between the ASA and a router. Below is the topology:
    WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
    Recently we have replaced the router with an ASA 5505 for security reasons, and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. Even the WAP is able to ping the WLC IP address.
    Do we need any special configuration in my ASA, considering the above topology? I can confirm that the CAPWAP and LWAPP ports are open in the ASA.
    Please let me know if someone has faced this issue before.

    Hi,
    I hope you have already allowed the below mentioned ports as per your requirement.
    You must enable these ports:
    Enable these UDP ports for LWAPP traffic:
    Data - 12222
    Control - 12223
    Enable these UDP ports for mobility traffic:
    16666 - 16666
    16667 - 16667
    Enable UDP ports 5246 and 5247 for CAPWAP traffic.
    TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
    These ports are optional (depending on your requirements):
    UDP 69 for TFTP
    TCP 80 and/or 443 for HTTP or HTTPS for GUI access
    TCP 23 and/or 22 for Telnet or SSH for CLI access
    Also, if it goes over the IPsec VPN, the MTU size for the path between the AP and the WLC should be 1500; if it has a smaller MTU, then communication fails.
    Can you get me your WLC and ASA OS versions?
    Regards
    Karthik

  • DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

    Hello folks!
    I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (i.e. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interfaces, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only a "global VRF", routed IP network.
    The command "show crypto ipsec sa", or indirectly a missing OSPF neighborship between the routers, verifies the erroneous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under either one of the two tunnel interfaces. So, what should I change to instruct the router to set up SAs correctly, two SAs (one per direction) per tunnel interface?
    I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

    I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command, i.e.:
    interface tunnel 0
     tunnel protection ipsec profile MyProfile shared
    end
    I should note that one of the first things I tried was to create a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above.

  • IPsec Issues ASA 8.0 and Watchguard XTM 510

    Hi Everyone,
    I am trying to merge two networks, one using an ASA 5510 as its edge device, and the other using a Watchguard XTM 510. For some reason, when a connection is initiated from the Watchguard side, phase 1 completes with MM_ACTIVE, but when the ASA initiates, IKE shows the following status:
    IKE Peer: x.x.x.145    (Watchguard Side)
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG6
    Regardless, however, even at MM_ACTIVE, phase 1 resets and phase 2 never begins, and so a connection is never made. I have collected a debug from both sides and they are as follows:
    ASA IP:                x.x.x.60
    Watchguard IP:     x.x.x.145
    ASA:
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a83f)
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:02 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=e57925a0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a840)
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:04 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=6bfb344) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a841)
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:06 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=51a5ab4d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:08 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:08 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=1ef674ce) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:08 [IKEv1]: Ignoring msg to mark SA with dsID 2019328 dead because SA deleted
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Oakley proposal is acceptable
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received DPD VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received NAT-Traversal ver 02 VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing IKE SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ISAKMP SA payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Traversal VID ver 02 payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Fragmentation VID + extended capabilities payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ISA_KE payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ke payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing nonce payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Cisco Unity VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing xauth V6 VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send IOS VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing VID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Generating keys for Responder...
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing ID payload
    Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
    x.x.x.145
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Freeing previously allocated memory for authorization-dn-attributes
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing ID payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing hash payload
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing dpd vid payload
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 107
    Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
    Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Keep-alive type for this connection: DPD
    Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Starting P1 rekey timer: 64800 seconds.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
    Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f28)
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:32 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=96f50614) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f29)
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:34 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f17efc6e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f2a)
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:36 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=a4d9cf11) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
    Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
    Jan 07 06:51:38 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f1d3a895) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jan 07 06:51:38 [IKEv1]: Ignoring msg to mark SA with dsID 2023424 dead because SA deleted
    Watchguard:
    <158>Jan  7 13:57:11 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 384341539(Isakmp SA 0x81b26a0)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)MainMode: recv 1st msg pcy [newbury] peer x.x.x.60:500 (Ct=324)
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 started by peer with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloads : Payload(SA) Len(172)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalNtoH : Recv SPI(0x03 0000 0000 0x28) SPI(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_NAT-T_VID(first 4bytes: 0x9180cb90)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)P1__Mode: NAT-T negotiated [newbury] peer 0xd5534a3c:500
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalHtoN : net order spi(0000 0000 0000 0000) 
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending second message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received third  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(4) Len(196)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(10) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(12)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_XAUTH06_VID(first 4bytes: 0x89260009)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending fourth message with policy [newbury] to x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:17 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:21 iked[1976]: unsupported WG notification event - 524293
    <158>Jan  7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
    <156>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
    <155>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
    <158>Jan  7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
    Any insight you can provide in this regard would be greatly appreciated.

    The issue was resolved. Watchguard uses both a "Remote Gateway IP" and a "Remote Gateway ID." In most cases these will have the same IPv4 value. However, in this case the ASA was using an old FQDN as its ID, so it was causing a mismatch with the ID configured for that gateway on the Watchguard side. Once the ID was changed to the FQDN of the ASA, the tunnel came up and started passing traffic.
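    Added example (not from the thread, the ASA or Watchguard): a Python triage script that scans the two log formats quoted above for the phase 1 failure signatures and correlates them. It matters because the ASA debug only records the ID it received from the peer (`ID_IPV4_ADDR ID received`), never the identity the ASA itself sent, so the Watchguard's "Mismatched ID settings" warning is the only direct evidence of the cause that the resolution post describes. The sample lines are constructed from the output posted above (same masked addresses); the finding codes and the hint to compare the ASA's `crypto isakmp identity` setting with the Watchguard's Remote Gateway ID are the script's own.

```python
"""Correlate ASA and Watchguard IKEv1 logs to classify a main-mode phase 1 failure.

Added example for the thread above; the sample lines are constructed from the
posted debug output, not a new capture.
"""
import re

# Constructed from the ASA debug quoted above (same masked addresses as the post).
ASA_LOG = """\
Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
x.x.x.145
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# Constructed from the Watchguard iked log quoted above.
WG_LOG = """\
<158>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth  message with policy [newbury] from x.x.x.60:500 main mode
<156>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan  7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<156>Jan  7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
"""

# Signatures for each side's log format, taken from the lines quoted in the thread.
ASA_PATTERNS = {
    "peer_id_received": re.compile(r"(ID_[A-Z0-9_]+) ID received"),
    "phase1_completed": re.compile(r"PHASE 1 COMPLETED"),
    "mm_retransmit": re.compile(r"Responder resending last msg|Duplicate Phase 1 packet detected"),
    "dpd_lost": re.compile(r"IKE lost contact with remote peer.*keepalive type: DPD"),
}
WG_PATTERNS = {
    "id_mismatch": re.compile(r"Mismatched ID settings at peer ([\w.]+):\d+ caused an authentication failure"),
    "id_payload_failed": re.compile(r"Process 5/6 Msg : failed to process ID payload"),
    "phase1_retry": re.compile(r"IkeRetryTimeout:: Retrying 1st phase"),
}


def scan(text, patterns):
    """Count every signature hit and keep the first captured group per signature."""
    counts = {name: 0 for name in patterns}
    first_capture = {}
    for line in text.splitlines():
        for name, rx in patterns.items():
            m = rx.search(line)
            if m:
                counts[name] += 1
                if m.groups():
                    first_capture.setdefault(name, m.group(1))
    return counts, first_capture


def diagnose(asa_text, wg_text):
    """Return (code, evidence) findings, most specific first."""
    asa, asa_caps = scan(asa_text, ASA_PATTERNS)
    wg, wg_caps = scan(wg_text, WG_PATTERNS)
    findings = []
    if wg["id_mismatch"] or wg["id_payload_failed"]:
        peer = wg_caps.get("id_mismatch", "peer")
        findings.append(("PEER_ID_MISMATCH",
                         f"Watchguard rejected the ID payload in main-mode message 5 from {peer} "
                         f"{wg['id_mismatch']} time(s); the ASA log never shows the identity it sent, "
                         "so compare 'crypto isakmp identity' on the ASA with the Remote Gateway ID "
                         "configured on the Watchguard"))
    if asa["phase1_completed"] and asa["mm_retransmit"]:
        findings.append(("PHASE1_UP_BUT_PEER_RETRANSMITTING",
                         f"ASA reached PHASE 1 COMPLETED (peer ID type "
                         f"{asa_caps.get('peer_id_received', 'unknown')}) yet saw "
                         f"{asa['mm_retransmit']} main-mode retransmissions, so the peer did not "
                         "accept the ASA's last message and quick mode never started"))
    if asa["dpd_lost"]:
        findings.append(("DPD_TEARDOWN",
                         f"{asa['dpd_lost']} DPD timeout(s) tore the IKE SA down"))
    if not findings:
        findings.append(("NO_KNOWN_SIGNATURE", "no phase 1 failure signature matched"))
    return findings


def finding_codes(asa_text, wg_text):
    """Just the finding codes, for scripting or assertions."""
    return [code for code, _ in diagnose(asa_text, wg_text)]


if __name__ == "__main__":
    for code, evidence in diagnose(ASA_LOG, WG_LOG):
        print(f"{code}: {evidence}")
```

    Running it on the two excerpts yields PEER_ID_MISMATCH first, which is the finding that points at the identity setting rather than at the DPD teardown the ASA side reports on its own.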

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    We have the following IPSec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach 172.27.99.x IPs from 172.22.20.x IPs.
    It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
    We are using a similar configuration on many sites and it works correctly, except on sites with a DSL line.
    We can exclude a problem with NAT, ACL or routing. The connection is working fine as long as "we open all phase 2 manually". After the tunnel is re-opened (idle timeout), the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    ....  after ping from 172.27.99.x any ip in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains somewhat entire log snippet of ASA1

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA is looking for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • Ironport Email - VRF(Routers) ou Context(ASA) equivalent

    We have 5 customers that filter their e-mails in our IronPort.
    Everything is OK, IronPort and SenderBase are beautiful!
    But we are having some problems with bandwidth control.
    Today the MX of their domain is the same IP address as the IronPort, and we are only able to control bandwidth by IP address.
    The solution that we used is a shared bandwidth limitation for this purpose.
    But we and the customer don't like that very much.
    So we are looking for a way to force IronPort to use different sources for each domain.
    With that I can control the bandwidth based on IP address.
    Another, and better, solution would be something like VRF in the router world, or Context in the ASA world.
    Something like a virtual mini-IronPort for each customer.
    Each one with their own VLAN, their own default gateway, rules and everything else.
    Any suggestion?

    I'm feeling like the stupidest person in the world.
    Reading the IronPort 7.5 Advanced Guide I found the Virtual Gateway feature.
    Which partially solves our problem, delivering and receiving e-mails with specific source addresses.
    That will allow me to control the bandwidth based on the IP addresses.
    But combining "Virtual Gateway" with "Internal Vlans", I see that the solution that we really need is almost formed.
    The only missing piece would be a per-"Virtual Gateway" "Default Router (IP Gateway)".
    With that I can put one Internal VLAN into the respective servers VLAN of each customer, and each Virtual Gateway will use the specific customer gateway that is associated with their own VRF and firewall context (ASA).

  • VPN DPD on ASA ios v 8.6.1

    Hello to everyone:-
    1) I want to know the show command to verify DPD on ASAs. I tried a couple of commands but was unable to find out whether DPD is enabled on my ASA.
    2) When I try to enable DPD on the ASA, the old commands were as below.
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    but on my ASA there is no command as specified above to enable ISAKMP DPD.
    My ASA shows me:
    ASA(config)# tunnel-group x.x.x.x ipsec-attributes
    ASA(config-tunnel-ipsec)# isakmp ?
    tunnel-group-ipsec mode commands/options:
      keepalive  Configure ISAKMP keepalives
    configure mode commands/options:
      disconnect-notify  Enable disconnect notification to peers
      identity           Set identity type (address, hostname or key-id)
      nat-traversal      Enable and configure nat-traversal
      reload-wait        Wait for voluntary termination of existing connections before reboot
    ASA(config-tunnel-ipsec)# isakmp disconnect-notify
    1) The isakmp disconnect-notify looks like a new command to enable DPD on the ASA??
    2) Can anyone please let me know if there is any show command available to check whether DPD is enabled......??
    Thanks a lot

    I think DPD is enabled by default and your command helps; now I can see the isakmp keepalive commands under the tunnel group.
    But if I want to modify the config and type a ? (question mark) after isakmp, no keepalive option pops up. Four options are available; they are listed below.
    ASA(config)# tunnel-group x.x.x.x ipsec-attributes
    ASA(config-tunnel-ipsec)# isakmp ?
    tunnel-group-ipsec mode commands/options:
      keepalive  Configure ISAKMP keepalives
    configure mode commands/options:
      disconnect-notify  Enable disconnect notification to peers
      identity           Set identity type (address, hostname or key-id)
      nat-traversal      Enable and configure nat-traversal
      reload-wait        Wait for voluntary termination of existing connections before reboot
    ASA(config-tunnel-ipsec)# isakmp disconnect-notify
    It looks like the isakmp keepalive command is no longer available or has been replaced by isakmp disconnect-notify..
    I am using version 8.6.1 of the IOS.

  • VRF Lite Issues

    Hey people. I'm trying to solve a small VRF Lite project I've been working on. Router has one public interface. I have GRE tunnels going to a VTI. I also created a second tunnel VTI and put it in a VRF so that I could have one plain GRE tunnel and also a second GRE tunnel that supports IPSEC. I can't seem to figure out how to route packets in and out of the VRF and global table. From a tunnel established on the VRF, I would like to ping one of the global table peers networks (or even a loopback interface on the router itself). Below is my config. Any help is appreciated.
    ip vrf IPSEC-Customers
     rd 65000:1
     route-target export 65000:1
     route-target import 65000:1
    interface Tunnel0
     bandwidth 100000
     bandwidth inherit
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nat inside
     ip nhrp map multicast dynamic
     ip nhrp network-id 1011
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source 204.12.X.X
     tunnel mode gre multipoint
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    interface Tunnel1
     bandwidth 10000
     bandwidth inherit
     ip vrf forwarding IPSEC-Customers
     ip address 10.1.2.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp map multicast dynamic
     ip nhrp network-id 1012
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 50
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
     tunnel protection ipsec profile DMVPN1
    interface FastEthernet0/0
     bandwidth 10000
     ip address 204.12.X.X 255.255.2X.X
     ip access-group Outside_In in
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     no auto-summary
     address-family ipv4 vrf IPSEC-Customers
      redistribute connected
      redistribute static
      no synchronization
     exit-address-family
    ip route vrf IPSEC-Customers 10.2.7.0 255.255.255.0 10.1.2.3 name Test

    Hello,
    The tunnel source and destination must be in the same vrf for this to work. In another case you can use a tunnel to ride over a vrf if required.
    So your global table would then become a VRF; I am not sure if we can do this with the global table... :-/ Using your example below:
    ip vrf IPSEC-Customers
     rd 65000:1
     route-target export 65000:1
     route-target import 65000:1
    ip vrf GLOBAL
     rd 1:1
    interface Tunnel0
     ip vrf forwarding GLOBAL
     bandwidth 100000
     bandwidth inherit
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nat inside
     ip nhrp map multicast dynamic
     ip nhrp network-id 1011
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source 204.12.X.X
     tunnel mode gre multipoint
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
    interface Tunnel1
     bandwidth 10000
     bandwidth inherit
     ip vrf forwarding IPSEC-Customers
     ip address 10.1.2.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp map multicast dynamic
     ip nhrp network-id 1012
     ip nhrp holdtime 30
     ip nhrp registration timeout 30
     ip tcp adjust-mss 1400
     load-interval 30
     qos pre-classify
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 50
     tunnel bandwidth transmit 100000
     tunnel bandwidth receive 100000
     tunnel protection ipsec profile DMVPN1
     tunnel vrf GLOBAL
    interface FastEthernet0/0
     ip vrf forwarding GLOBAL
     bandwidth 10000
     ip address 204.12.X.X 255.255.2X.X
     ip access-group Outside_In in
     ip nbar protocol-discovery
     ip flow ingress
     ip flow egress
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    I haven't tested this myself but I have come across this in my studies. In theory this should work.
    hope this helps
    Bilal (CCIE #45032)

  • DMVPN & GRE over IPsec on the same physical interface

    Dear All,
    I'm configuring two WAN routers, each wan router has one physical interface connecting to branches and regional office using same provider.
    We'll be using GRE over IPsec to connect to regional office and DMVPN + EIGRP to branches.
    I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
    Kindly reply, it's an urgent request and your response is highly appreciated.
    Regards,

    Hi Savio,
    It should work. We can configure DMVPN and GRE-over-IPsec on the ASA using the same physical interface.
    Regards,
    Naresh

  • IKEv2 AnyConnect and Pool allocation via RADIUS

    I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing the username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
    e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
    home                    Cleartext-Password := "cisco"
                            Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                            Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                            Framed-Pool = "CUST-A-POOL"
    matt@home               Cleartext-Password := "test123"
    Group and user authorization information is then merged and cloned onto the virtual template:
    crypto ikev2 name-mangler EXTRACT-GROUP
    eap suffix delimiter @
    crypto ikev2 profile FlexVPN-IKEv2-Profile-1
    match fvrf IPSEC-FVRF
    match identity remote key-id FlexAnyConnect
    identity local dn
    authentication remote eap query-identity
    authentication local rsa-sig
    pki trustpoint cacert.org
    dpd 60 2 on-demand
    aaa authentication eap FlexVPN-AuthC-List1
    aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
    aaa authorization user eap cached
    virtual-template 1
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    tunnel vrf IPSEC-FVRF
    tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
    *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
    However, the crypto debugs state that an IP address cannot be assigned:
    *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
    <snip>
    Payload contents:
    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
    If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
    Cheers,
    Matt

    Marcin,
    Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
    As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
    Cheers,
    Matt

  • VPN ACL IP range - IP range not working

    Hi
    I'm having a smaller problem and need some help to clarify it.
    I'm NAT'ing my inside to my external interface when passing traffic through the VPN
    So
    access-list vpn extended permit ip external_interface 192.168.20.1 255.255.255.0
    I get hitcounts on this but it doesn't work.
    So I add this line instead (line 1)
    access-list vpn extended permit ip external_interface HOST 192.168.20.5
    access-list vpn extended line 2 permit ip external_interface 192.168.20.0/24
    And I can successfully connect to that host through the VPN connection..
    But why can't I use the network range (/24)? Why must I use hosts to be able to pass traffic?
    Let's say that I want 192.168.10.0/24 to be able to communicate with my other VPN side which has IP 192.168.20.0/24
    My acl would look like this
    access-list vpn extended permit ip 192.168.10.0/24 192.168.20.0/24
    of course I have to insert another ACL rule in the no_nat ACL.
    But that doesn't work either? I have to manually type in the hosts in the 192.168.20.x/24 network to be able to connect to them?
    What am I doing wrong here?
    Thanks

    I have found something.. something strange
    I try to start the VPN tunnel and I get this while debugging crypto ipsec 200
    ASA(config)# IPSEC: New embryonic SA created @ 0x02644920,
    SCB: 0x026401F8,
    Direction: inbound <--
    SPI : 0x132D3130
    Session ID: 0x00003312
    VPIF num : 0x00000001
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds
    Direction Inbound?
    So I change my VPN ACL to make it host->host communication (from C net -> host) and restart the tunnel; I get the same message but this time it's Direction: outbound
    Anyone got any idea?
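A check a practitioner can run on both sides' crypto ACLs before opening a case, covering the "no matching crypto map entry" rejection in the ASA 5505 thread above and the network-range ACE question in this thread. This is an added example, not code from either poster or from Cisco: it parses ASA-style `access-list ... extended permit ip` lines and the `Rejecting IPSec tunnel: no matching crypto map entry for remote proxy ... local proxy ...` debug message, flags an ACE whose address has host bits set under its mask (the `192.168.20.1 255.255.255.0` form), lists ACEs that have no mirror image on the peer, and classifies the proxy pair the ASA rejected as an exact match, a narrower proposal, or no overlap. The ACL lines and the debug line are constructed sample input (203.0.113.1 stands in for the masked peer address); object and interface names in an ACE cannot be resolved offline and are reported as an error.

```python
"""Crypto-ACL / proxy-ID consistency checker (added example; all sample input is constructed)."""
import ipaddress
import re
from collections import namedtuple

Net = ipaddress.IPv4Network
# One access-control entry: ACL name, source network, destination network, parser warnings.
Ace = namedtuple("Ace", "acl src dst warnings")


def _to_network(addr: str, mask: str, warnings: list) -> Net:
    """Build a network; note when host bits are set (e.g. 192.168.20.1 255.255.255.0)."""
    text = f"{addr}/{mask}"
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        net = ipaddress.ip_network(text, strict=False)
        warnings.append(f"{text} has host bits set; did you mean {net}?")
        return net


def _operand(tokens: list, i: int, warnings: list) -> tuple:
    """Consume one ACE address operand (any | host A | A MASK | A/len); return (network, next index)."""
    tok = tokens[i]
    if tok.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok.lower() == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if "/" in tok:
        return _to_network(*tok.split("/", 1), warnings), i + 1
    try:
        ipaddress.ip_address(tok)
    except ValueError:  # object-group or interface names cannot be resolved offline
        raise ValueError(f"unresolved object or interface name {tok!r}") from None
    return _to_network(tok, tokens[i + 1], warnings), i + 2


def parse_acl_line(line: str):
    """Parse 'access-list NAME [line N] extended permit ip SRC DST'; None if not an ip permit ACE."""
    tokens = line.split()
    if "line" in tokens[:5]:  # drop the optional position specifier wherever it sits
        k = tokens.index("line")
        del tokens[k:k + 2]
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
        return None
    warnings: list = []
    src, i = _operand(tokens, 5, warnings)
    dst, _ = _operand(tokens, i, warnings)
    return Ace(tokens[1], src, dst, warnings)


_REJECT_RE = re.compile(r"no matching crypto map entry for remote proxy (?P<r>[^/\s]+)/(?P<rm>[^/\s]+)/\d+/\d+"
                        r" local proxy (?P<l>[^/\s]+)/(?P<lm>[^/\s]+)/\d+/\d+")


def parse_reject(line: str):
    """Return (local proxy, remote proxy) from an ASA 'Rejecting IPSec tunnel' debug line, else None."""
    m = _REJECT_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_network(f"{m['l']}/{m['lm']}", strict=False),
            ipaddress.ip_network(f"{m['r']}/{m['rm']}", strict=False))


def diagnose(local: Net, remote: Net, aces: list) -> str:
    """Classify a proposed (local, remote) proxy pair against this side's crypto ACL."""
    if any(a.src == local and a.dst == remote for a in aces):
        return "exact"
    for a in aces:  # peer proposes a subset of an ACE: the two ACLs are not mirror images
        if local.subnet_of(a.src) and remote.subnet_of(a.dst):
            return f"narrower than {a.src}->{a.dst}"
    return "no-overlap"  # proxies are not protected networks at all (e.g. the peers' own addresses)


def mirror_gaps(local: list, remote: list) -> list:
    """Local ACEs whose mirror image (dst->src) is absent from the peer's ACL."""
    peer_pairs = {(a.src, a.dst) for a in remote}
    return [a for a in local if (a.dst, a.src) not in peer_pairs]


# Constructed sample: ASA1 protects 10.1.1.0/24 and ASA3 10.1.4.0/24 (addresses from the 5505 thread);
# the second ASA1 ACE reproduces the '192.168.20.1 255.255.255.0' form with host bits set.
ASA1_ACL = [
    "access-list l2l extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0",
    "access-list vpn extended permit ip 192.168.10.0/24 192.168.20.1 255.255.255.0",
]
ASA3_ACL = ["access-list l2l extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0"]
# Constructed debug line in the thread's format; 203.0.113.1 stands in for the masked peer address.
REJECT_LINE = ("Group = 203.0.113.1, IP = 203.0.113.1, Rejecting IPSec tunnel: no matching crypto map"
               " entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy"
               " 203.0.113.1/255.255.255.255/0/0 on interface outside")


def run_checks() -> dict:
    """Run all three checks on the constructed sample and return the findings."""
    asa1 = [a for a in map(parse_acl_line, ASA1_ACL) if a]
    asa3 = [a for a in map(parse_acl_line, ASA3_ACL) if a]
    local, remote = parse_reject(REJECT_LINE)
    return {
        "warnings": [w for a in asa1 for w in a.warnings],
        "missing_mirror": [f"{a.acl}: {a.src}->{a.dst}" for a in mirror_gaps(asa1, asa3)],
        "reject_verdict": diagnose(local, remote, asa1),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict for the rejected pair is `no-overlap`: both proxies are /32 peer addresses rather than the protected LANs, so no ACE on ASA1 can match them. The `narrower than ...` verdict is the one to look for when both sides protect the right networks but one ACL is a subset of the other; the host-bits warning catches an ACE that was typed with a host address where a network address was intended.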

  • Question about C6509 with FWSM IDSM

    HI,
    I'm configuring the FWSM with IDSM, but it is not working. I am using the following commands.
    access-list aclips permit ip any any
    class-map ips_class
    match access-list aclips
    policy-map ips_policy
    class ips_class
    ips inline fail-open
    service-policy ips_policy interface outside
    Any idea?
    Regards

    IPSec on FWSM is not supported, with or without contexts.
    IPSec on ASA is supported in single mode.
    IPSec on ASA is not supported in context mode.

  • IPsec VPN IOS - ASA

    Hi,
    I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
    What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups use separate VRFs for each customer, and therefore overlapping LAN networks or even VPN pools aren't a problem.
    This has in the past been avoided (in other ASAs) by using a default route for each customer interface on the ASA (with different metrics). With this we can have overlapping LAN networks for the customers. Though the limit for the customer links then becomes the metric value range. So basically even if we had an ASA with support for 1000 VLANs we still couldn't use this setup as we would run out of usable metric values for the default routes pointing to the customer links/networks.
    So looking at the above situation it seems we would just need to have a load of ASAs with support for 250 VLANs handling each customer group, and not a single ASA which could handle all the VPNs (if there are more than the mentioned approx. 250).
    Another option is I guess using a single link on the ASA for all the customers with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRFs. This in turn would create a lot more configuration on the core device and a single VPN configuration/connection would become harder to manage.
    Has anyone run into a similar situation and how have you handled it? Have you moved to another device manufacturer or stuck with IOS perhaps? It's unfortunate that the ASA can't handle this by itself.
    - Jouni

    Hi,
    I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we.) L2L VPN only provides minimal help in our situation as most connections are Client VPN.
    Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
    The goal now is to get the old IPsec Client and L2L VPNs off the current device so we can remove the actual 6509/VPN/FWSM device from the network (because of the old hardware).
    Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to the ASA and the L2L VPNs to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations).
    We also started considering hosting the VPN services on a more high-end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives a lot more flexibility and the most important thing to us is the ability to virtualise routing.
    I've read that AnyConnect VPN has also come to IOS devices.
    Quick Google search gives this Cisco document
    http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
    How does AnyConnect on IOS compare to the ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS.)
    Also on another note, I guess I missed one thing when writing the original post.
    I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics). This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with a different metric, as now each network range could overlap on 255 customers.
    Here's a small sample of a lab configuration of that kind of situation:
    interface GigabitEthernet0/0
    description TRUNK
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/0.1000
    description ASIAKAS-1
    vlan 1000
    nameif asiakas-1
    security-level 100
    ip address 172.32.100.2 255.255.255.0
    interface GigabitEthernet0/0.2000
    description ASIAKAS-2
    vlan 2000
    nameif asiakas-2
    security-level 100
    ip address 172.32.200.2 255.255.255.0
    route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
    route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
    group-policy ASIAKAS-1-GP attributes
    vlan 1000
    group-policy ASIAKAS-2-GP attributes
    vlan 2000
    Basically, to my understanding, in the above situation the "vlan xxxx" configuration under group-policy defines the egress interface of the traffic from the VPN, and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply (and provide the next-hop IP) in the case where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP.
    I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage (as would be the PBR solution mentioned in the original post).
    I'm not sure if I'm making any sense.
    - Jouni
