VPN TUNNEL FAILURE

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

VPN TUNNEL FAILURE

Post by Guest »

Hello Guys,

I have an ASA 5505 firewall and am trying to create a site-to-site VPN tunnel with a 2621 router running Advanced IP Services. The tunnel keeps failing and I don't know why. The config is below.

ASA configuration:

!
hostname SeCuReWaLL
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 Outside
name 192.168.3.0 inside
!
interface Vlan1
 description Outside Wan Link
 nameif outside
 security-level 0
 ip address 192.168.2.101 255.255.255.0
!
interface Vlan2
 description Inside Private Network
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit ip inside 255.255.255.0 Outside 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list site_router extended permit ip inside 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global outside 1 interface
nat (inside) 0 access-list site_router
nat (inside) 1 inside 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route outside 192.168.5.0 255.255.255.0 192.168.2.107 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ipsec_map 10 set peer 192.168.2.107
crypto map ipsec_map 10 set transform-set secure_set
crypto map ipsec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.2.1
!
dhcpd address 192.168.3.10-192.168.3.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 192.168.2.107 type ipsec-l2l
tunnel-group 192.168.2.107 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/odd ... DCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a6ffc4e9572dbee8e526c3013a96a510
: end

Router configuration:

!
hostname InternetRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.2.101 no-xauth
!
crypto ipsec transform-set secure_set esp-3des
!
crypto map ipsec_map 10 ipsec-isakmp
 set peer 192.168.2.101
 set transform-set secure_set
 match address router_site
!
interface Loopback0
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.2.107 255.255.255.0
 duplex auto
 speed auto
 crypto map ipsec_map
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
ip route 192.168.3.0 255.255.255.0 192.168.2.101
!
ip http server
no ip http secure-server
!
ip access-list extended router_site
 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

Debug output from the router while bringing up the tunnel:

InternetRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
InternetRouter#ping
Protocol [ip]:
Target IP address: 192.168.3.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.5.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.1
*Mar  1 01:49:47.699: ISAKMP: received ke message (1/1)
*Mar  1 01:49:47.699: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 01:49:47.699: ISAKMP: Created a peer struct for 192.168.2.101, peer port 500
*Mar  1 01:49:47.699: ISAKMP: New peer created peer = 0x8553C778 peer_handle = 0x80000013
*Mar  1 01:49:47.699: ISAKMP: Locking peer struct 0x8553C778, IKE refcount 1 for isakmp_initiator
*Mar  1 01:49:47.699: ISAKMP: local port 500, remote port 500
*Mar  1 01:49:47.699: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:49:47.703: insert sa successfully sa = 84074CC8
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 01:49:47.703: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 01:49:47.707: ISAKMP:(0:0:N/A:0): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 01:49:47.711: ISAKMP (0:0): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 01:49:47.711: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:47.711: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:49:47.715: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 01:49:47.719: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:49:47.719: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 01:49:47.719: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:49:47.719: ISAKMP:      hash MD5
*Mar  1 01:49:47.719: ISAKMP:      default group 5
*Mar  1 01:49:47.719: ISAKMP:      auth pre-share
*Mar  1 01:49:47.723: ISAKMP:      life type in seconds
*Mar  1 01:49:47.723: ISAKMP:      life duration (basic) of 28800
*Mar  1 01:49:47.723: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 01:49:48.119: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.119: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.123: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 01:49:48.127: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:49:48.127: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.131: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:49:48.383: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:49:48.383: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.383: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:49:48.387: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 01:49:48.887: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 01:49:48.887: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 192.168.2.101
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 145 mismatch
*Mar  1 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 01:49:48.895: ISAKMP:received payload type 20
*Mar  1 01:49:48.895: ISAKMP:received payload type 20
*Mar  1 01:49:48.895: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 01:49:48.899: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:49:48.899: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.2.107
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:49:48.903: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 01:49:48.903: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:49:48.907: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.907: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:49:48.907: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 01:49:48.911: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.2.101
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 01:49:48.911: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 01:49:48.915: ISAKMP:received payload type 17
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 01:49:48.915: ISAKMP:(0:1:SW:1):SA has been authenticated with 192.168.2.101
*Mar  1 01:49:48.915: ISAKMP: Trying to insert a peer 192.168.2.107/192.168.2.101/500/,  and inserted successfully 8553C778.
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:49:48.919: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  1 01:49:48.923: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:49:48.923: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:49:48.927: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -590019425
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Node -590019425, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:49:48.931: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:49:48.935: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 01:49:48.939: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:49:48.939: ISAKMP: set new node 330122531 to QM_IDLE
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 330122531
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 330122531, sa = 84074CC8
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 192.168.2.101)
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):deleting node 330122531 error FALSE reason "Informational (in) state 1"
Success rate is 0 percent (0/5)
InternetRouter#
*Mar  1 01:49:48.943: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 01:49:48.947: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 01:49:48.947: ISAKMP (0:134217729): received packet from 192.168.2.101 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:49:48.951: ISAKMP: set new node -412204705 to QM_IDLE
*Mar  1 01:49:48.951: ISAKMP:(0:1:SW:1): sending packet to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:49:48.951: ISAKMP:(0:1:SW:1):purging node -412204705
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*Mar  1 01:49:48.955: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.2.101)
*Mar  1 01:49:48.955: ISAKMP: Unlocking IKE struct 0x8553C778 for isadb_mark_sa_deleted(), count 0
*Mar  1 01:49:48.959: ISAKMP: Deleting peer node by peer_reap for 192.168.2.101: 8553C778
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):deleting node -590019425 error FALSE reason "IKE deleted"
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):deleting node 330122531 error FALSE reason "IKE deleted"
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:49:48.959: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Guest

Re:VPN TUNNEL FAILURE

Post by Guest »

Hi,

I gave a quick scan of the configuration on both devices and found a couple of commands are missing in the ASA configuration.

ASA
---
crypto map ipsec_map 10 match address site_router
access-list outside_access_in extended permit udp any any eq 500
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit esp any any

I am assuming the pre-shared key defined on the ASA is cisco, the same as on the router.

On Router
---------
Try running the following commands:
no crypto ipsec transform-set secure_set esp-3des
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac

At the time of initiating the tunnel, please gather the output of debug crypto isa 127 and debug crypto ipsec 127 from the ASA.

You can also refer to the configuration document link below:
http://www.cisco.com/en/US/products/ps6120/pro ... tml
*Ignore the route map configuration on the router given in the above document*

HTH...
Regards,
Mohit
Guest

Re:VPN TUNNEL FAILURE

Post by Guest »

Hello Mopaul,

I don't know how my statement below got removed from the ASA, but I will replace it.

crypto map ipsec_map 10 match address site_router

As far as these access-list statements, I thought these were used for Easy VPN setups or the client-to-site VPN model.

access-list outside_access_in extended permit udp any any eq 500
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit esp any any

The statement below is what I had before, but I thought it was causing a problem so I removed it.

crypto ipsec transform-set secure_set esp-3des     Portion removed=(esp-sha-hmac)
Guest

Re:VPN TUNNEL FAILURE

Post by Guest »

Hi,

Those access rules are not restricted to any particular type of VPN setup. They allow the UDP traffic on 500 and 4500, which are used in IKE negotiations.

I would suggest you put the removed portion of the transform set back in the router's configuration as recommended and let me know how it goes.

Regards
Mohit
Guest

Re:VPN TUNNEL FAILURE

Post by Guest »

Thanks Mopaul,

I changed this statement, crypto ipsec transform-set secure_set esp-3des esp-sha-hmac, back and that may have been part of the problem too, but I was missing a map statement for the ACL on the firewall for sure. Thanks again, man.
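As an added example that is not part of the thread, here is a small Python check for the two phase-2 mismatches the thread converged on: the ASA crypto map entry with no match address ACL (so the ASA has no proxy IDs to compare, which is what the INVALID_ID_INFO notify in the router debug reports) and the ESP transform sets that differ between the ASA and the router. The config excerpts are constructed from the postings above, and the function names are mine.

```python
import re

# Constructed excerpts of the two configurations quoted in this thread: the ASA
# as first posted (no 'match address' on its crypto map) and the router with the
# trimmed transform set.
ASA_CFG = """\
crypto ipsec transform-set secure_set esp-3des esp-sha-hmac
crypto map ipsec_map 10 set peer 192.168.2.107
crypto map ipsec_map 10 set transform-set secure_set
crypto map ipsec_map interface outside
"""
IOS_CFG = """\
crypto ipsec transform-set secure_set esp-3des
crypto map ipsec_map 10 ipsec-isakmp
 set peer 192.168.2.101
 set transform-set secure_set
 match address router_site
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
# Matches both the flat ASA syntax ("crypto map NAME SEQ set peer ...") and
# the indented IOS syntax (" set peer ...") for the fields we care about.
MAP_RE = re.compile(r"^(?:crypto map \S+ \d+ )?\s*(set peer|set transform-set|match address) (\S+)$")

def transform_sets(cfg):
    """transform-set name -> set of ESP transforms, e.g. {'esp-3des', 'esp-sha-hmac'}."""
    return {m.group(1): set(m.group(2).split()) for m in TS_RE.finditer(cfg)}

def crypto_map_entry(cfg):
    """Collect peer, transform set and proxy ACL of the (single) crypto map entry."""
    entry = {}
    for line in cfg.splitlines():
        m = MAP_RE.match(line)
        if m:
            entry[m.group(1)] = m.group(2)
    return entry

def check_phase2(asa_cfg, ios_cfg):
    """Return findings that make the responder reject Quick Mode; an empty list
    means both sides offer proxy IDs and agree on the ESP transforms."""
    findings = []
    asa, ios = crypto_map_entry(asa_cfg), crypto_map_entry(ios_cfg)
    for side, entry in (("ASA", asa), ("router", ios)):
        if "match address" not in entry:
            findings.append(f"{side}: crypto map entry has no 'match address' ACL, so no proxy IDs are offered")
    a_ts = transform_sets(asa_cfg).get(asa.get("set transform-set"), set())
    r_ts = transform_sets(ios_cfg).get(ios.get("set transform-set"), set())
    if a_ts != r_ts:
        findings.append(f"transform-set mismatch: ASA {sorted(a_ts)} vs router {sorted(r_ts)}")
    return findings

if __name__ == "__main__":
    for finding in check_phase2(ASA_CFG, IOS_CFG):
        print("FINDING:", finding)
    # Apply the two changes agreed on in the thread and re-check.
    fixed_asa = ASA_CFG + "crypto map ipsec_map 10 match address site_router\n"
    fixed_ios = IOS_CFG.replace("esp-3des\n", "esp-3des esp-sha-hmac\n")
    print("after fix:", check_phase2(fixed_asa, fixed_ios))
```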