Cisco ASA 5510 site to site VPN tunnel issue

Ok I have removed the crypto map_outside map 20 set pfs and selected the sho crypto isakmp sa and sho crypto ipsec sa and my resutls were:

There are no ipsec sas
There are no isakmp sas
 
All I still see is 0 stats.  Any other suggestions.

I also added the crypto isakmp nat-traversal on both side.  Still no connection.  Thanks..

Issue the following commands:

debug crypto isakmp 200
debug crypto ipsec 200
debug crypto engine 200

Then try to ping a remote host and watch to see if you see any messages on the screen indicating that the tunnel is trying to be brought up...you should see tons of messages if it is trying.

If you see the debug messages, please post.  If you don't see any messages, please post the remote site ASA config so we can compare the configs and make sure everything looks right...

Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
User 'enable_15' executed the 'ping 10.1.2.6' command.
Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388

Here is the remote config:

ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid

access-list acl_out extended permit tcp any host x.x.x.12 eq www
access-list acl_out extended permit tcp any host x.x.x.12 eq 5000
access-list acl_out extended permit tcp any host x.x.x.12 eq 5002
access-list acl_out extended permit tcp any host x.x.x.6 eq www
access-list acl_out extended permit tcp any host x.x.x.6 eq 5000
access-list acl_out extended permit tcp any host x.x.x.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0


pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) x.x.x.12 10.1.2.12 netmask 255.255.255.255
static (inside,outside) x.x.x.6 10.1.2.6 netmask 255.255.255.255

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

tunnel-group asatoasa2 type ipsec-l2l
tunnel-group asatoasa2 ipsec-attributes
 pre-shared-key *

telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

prompt hostname context
Cryptochecksum:ff2c7d84927360fef8acfacd302215ed
: end

batry boy, I forgot to mention on one end of the cisco asa, I have cisco router as well.  Here is the config on that:

Router#sh run
Building configuration...

Current configuration : 2610 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot system disk0:c7200-jk9o3s-mz.123-3.bin
boot system disk1:c7200-jk9o3s-mz.123-3.bin
boot bootldr bootflash:c7200-boot-mz.120-2.XE2
boot-end-marker
!
enable secret 5 $1$r6HJ$TnPlU4u.3aQAn8R8tIJUA.
!
username sadmin password 7 11274A4E47025E
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login ops local-case
aaa session-id common
ip subnet-zero
!
!
ip domain name blank.com
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no voice hpi capture buffer
no voice hpi capture destination
!
controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/2
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/3
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
interface FastEthernet0/0
 description VDat LAN
 ip address x.x.x.1 255.255.255.0
 no ip redirects
 no ip mroute-cache
 duplex full
 no cdp enable
!
interface Serial1/0:0
 ip address x.x.x.98 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/1:0
 ip address x.x.x.114 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/2:0
 ip address x.x.x.122 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/3:0
 ip address x.x.x.126 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.97
ip route 0.0.0.0 0.0.0.0 x.x.x.113
ip route 0.0.0.0 0.0.0.0 x.x.x.121
ip route 0.0.0.0 0.0.0.0 x.x.x.125
no ip http server
no ip http secure-server
!
access-list 101 permit ip host x.x.x.66 any
no cdp run
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
end

Your debug output that you posted did not show that a tunnel is even trying to establish when you ping a remote host on the other side of the tunnel.  What host did you try to ping?

Never mind...I see it.

Set up an ACL to reference in a capture command:

access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
capture vpncap access-list cap_acl interface inside

Then perform your "ping 10.1.2.6" test again from a host on the 10.1.1.0 network.  Then look at your capture to see what it says and post the output:

show capture vpncap

Here is the logs and show capture vpncap below.

6                    Apr 02 2007      13:37:25      302021      10.1.2.6      x.x.x.66       Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:25      111008                   User 'enable_15' executed the 'ping 10.1.2.6' command.
6      Apr 02 2007      13:37:15      302020      10.1.2.6      x.x.x.66       Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:09      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.
5      Apr 02 2007      13:37:03      111008                   User 'enable_15' executed the 'capture vpncap access-list cap_acl interface inside' command.
5      Apr 02 2007      13:37:01      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.


sh capture vpncap
0 packet captured
0 packet shown

That looks like syslog output.  I'm talking about the debug output from a console session on the ASA.

when I run the command sh capturn vpngroup I get:

sh capture vpncap
4 packets captured
   1: 13:51:02.300780 10.1.1.71 > 10.1.2.6: icmp: echo request
   2: 13:51:07.386759 10.1.1.71 > 10.1.2.6: icmp: echo request
   3: 13:51:12.887390 10.1.1.71 > 10.1.2.6: icmp: echo request
   4: 13:51:18.388087 10.1.1.71 > 10.1.2.6: icmp: echo request
4 packets shown

Any access I need to set on the cisco router that I posted.  Please let me know.

When you are pinging the remote host and are looking at the ASA and you have the debug levels for ISAKMP, IPSEC and the crypto engine set at level 200, you should see output similar to the following that shows the tunnel is trying to come up:

asa# Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=27e6e24e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=4ee452d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a72a709)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=a40931cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=235f0f5a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7a72a709)


Do you see anything like this?

I have the debug level at 200 and the vpn capture as you have recommended.  I do not see the output that you posted.   I'm pinging the 10.1.2.6 and all I get is that echo request.  Debug messages should pop up right on the CLI correct?  I'm on limbo on this.  I appreciate all your help.

Yes, you should see the debug output in the CLI.

I just noticed on your remote ASA config that you don't have a line that specifies the crypto ACL.  You need to add a line to the remote config that looks like this:

crypto map outside_map 20 match address 110

If that doesn't fix it, please repost your current configs since I know you've made some changes since the last config posts.

Here you go.. Both configs:<><><
<><>><>><

ASA1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.71 10.1.1.71 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.1.1.73 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.1.1.74 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.1.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.76 10.1.1.76 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.1.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.70 10.1.1.70 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.23.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group x.x.23.2 type ipsec-l2l
tunnel-group x.x.23.2 ipsec-attributes
 pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
!
prompt hostname context
Cryptochecksum:f58f5a18a2f3531a3f1710d73b860390
: end

--------------------------------------------------------------------------------------------

ASA2(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.23.2 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_out extended permit tcp any host x.x.23.12 eq www
access-list acl_out extended permit tcp any host x.x.23.12 eq 5000
access-list acl_out extended permit tcp any host x.x.23.12 eq 5002
access-list acl_out extended permit tcp any host x.x.23.6 eq www
access-list acl_out extended permit tcp any host x.x.23.6 eq 5000
access-list acl_out extended permit tcp any host x.x.23.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.2.0 255.255.255.0 host 10.1.1.70
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.23.6 10.1.2.6 netmask 255.255.255.255
static (inside,outside) x.x.23.12 10.1.2.12 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group x.x.x.66 type ipsec-l2l
tunnel-group x.x.x.66 ipsec-attributes
 pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c2e4131013c321415ec904bf75a1efa8
: end

add the following on both devices

crypto isakmp identity address

Let me know

I do not see the Crypto-map ISAKMP. Try adding following

crypto map Outside_map 20 ipsec-isakmp

This crypto map defines the IKE SA.