05.15.2008 at 03:53PM PDT, ID: 23406961

Cisco VPN troubleshooting

Asked by ishelpll in Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall

I am working on setting up a VPN tunnel from a Cisco 2821 to an ASA 5520.

The tunnel was up on both ends, and looking at my debug info, it seemed like everything was negotiating properly.

The problem is that the tunnel won't pass traffic, and after about 20-30 minutes the tunnel goes down.
I happened to catch some debug info when it went down, which I'm pasting in as a code snippet.

I know there are no problems on the ASA side, as there are 3 functioning tunnels currently there.

Another weird thing is when the tunnel came up and I did a sh crypto isakmp sa on the ASA, my new tunnel was listed in the state of QM_IDLE instead of MM_ACTIVE and the role was responder, and not initiator like the other 3 connections.

Does anyone have any suggestions?

First, here is the relevant config: from the ASA, then from the router.
 
-----
 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
 
crypto map outside_map 100 match address WORKING_SOLUTIONS
crypto map outside_map 100 set peer  xxxx 
crypto map outside_map 100 set transform-set ESP-AES-256-SHA
 
access-list WORKING_SOLUTIONS permit 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0
 
tunnel-group xxx type ipsec-l2l
tunnel-group xxx ipsec-attributes
 pre-shared-key xxxxx
 isakmp keepalive threshold 120 retry 5
 
---- now from the router ----
crypto isakmp policy 69
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xxxxx
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 
crypto map clientmap 10 ipsec-isakmp
 set peer xxxx
 set transform-set ESP-AES-256-SHA
 match address 120
 
Extended IP access list 120
    10 permit ip 10.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255 (3 matches)
 
crypto map clientmap is also applied on the outside interface.
 
----- here is the debug info from when it goes down-----
 
*May 15 22:42:22.099: ISAKMP:(4001):deleting node 1058610532 error FALSE reason "Informational (in) state 1"
*May 15 22:42:22.099: ISAKMP (0:4001): received packet from 208.99.166.84 dport 500 sport 500 Global (I) QM_IDLE
*May 15 22:42:22.099: ISAKMP: set new node -1090516651 to QM_IDLE
*May 15 22:42:22.103: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 15 22:42:22.103: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*May 15 22:42:22.103: IPSEC(key_engine_delete_sas): delete SA with spi 0xA0FD559B proto 50 for 208.99.166.84
*May 15 22:42:22.103: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 208.47.40.98, sa_proto= 50,
    sa_spi= 0x7316A90C(1930864908),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 1,
  (identity) local= 208.47.40.98, remote= 208.99.166.84,
    local_proxy= 10.30.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4)
*May 15 22:42:22.103: IPSEC(update_current_outbound_sa): updated peer 208.99.166.84 current outbound sa to SPI 0
*May 15 22:42:22.103: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 208.99.166.84, sa_proto= 50,
    sa_spi= 0xA0FD559B(2700957083),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2,
  (identity) local= 208.47.40.98, remote= 208.99.166.84,
    local_proxy= 10.30.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4)
*May 15 22:42:22.107: ISAKMP:(4001): processing HASH payload. message ID = -1090516651
*May 15 22:42:22.107: ISAKMP:(4001): processing DELETE payload. message ID = -1090516651
*May 15 22:42:22.107: ISAKMP:(4001):peer does not do paranoid keepalives.
 
*May 15 22:42:22.107: ISAKMP:(4001):deleting SA reason "No reason" state (I) QM_IDLE       (peer 208.99.166.84)
*May 15 22:42:22.107: ISAKMP:(4001):deleting node -1090516651 error FALSE reason "Informational (in) state 1"
*May 15 22:42:22.107: ISAKMP: set new node 591365886 to QM_IDLE
*May 15 22:42:22.107: ISAKMP:(4001): sending packet to 208.99.166.84 my_port 500 peer_port 500 (I) QM_IDLE
*May 15 22:42:22.107: ISAKMP:(4001):Sending an IKE IPv4 Packet.
*May 15 22:42:22.111: ISAKMP:(4001):purging node 591365886
*May 15 22:42:22.111: ISAKMP:(4001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 15 22:42:22.111: ISAKMP:(4001):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
 
*May 15 22:42:22.111: ISAKMP:(4001):deleting SA reason "No reason" state (I) QM_IDLE       (peer 208.99.166.84)
*May 15 22:42:22.111: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*May 15 22:42:22.111: ISAKMP: Unlocking peer struct 0x4704AD48 for isadb_mark_sa_deleted(), count 0
*May 15 22:42:22.111: ISAKMP: Deleting peer node by peer_reap for 208.99.166.84: 4704AD48
*May 15 22:42:22.111: ISAKMP:(4001):deleting node 1958413569 error FALSE reason "IKE deleted"
*May 15 22:42:22.111: ISAKMP:(4001):deleting node 1058610532 error FALSE reason "IKE deleted"
*May 15 22:42:22.111: ISAKMP:(4001):deleting node -1090516651 error FALSE reason "IKE deleted"
*May 15 22:42:22.111: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 15 22:42:22.115: ISAKMP:(4001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 15 22:42:22.115: ISAKMP:(4001):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
sh crypto ipsec sa
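Two checks for the situation in the post, added here as an example (not part of the original question and not a Cisco tool): it parses the two crypto ACLs quoted above and confirms they are mirror images, the usual cause of "IKE up, no traffic", and scans the debug excerpt for an inbound ISAKMP DELETE, which tells you which end tore the SA down. The sample config and debug lines are constructed from the question.

```python
import ipaddress
import re

# Constructed from the configs quoted in the question: the ASA crypto ACL uses
# subnet masks, the router's IOS extended ACE uses wildcard (inverse) masks.
ASA_ACL = "access-list WORKING_SOLUTIONS permit 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0"
IOS_ACE = "10 permit ip 10.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255 (3 matches)"
# Three lines excerpted from the router debug quoted in the question.
DEBUG = """\
*May 15 22:42:22.099: ISAKMP (0:4001): received packet from 208.99.166.84 dport 500 sport 500 Global (I) QM_IDLE
*May 15 22:42:22.103: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*May 15 22:42:22.107: ISAKMP:(4001): processing DELETE payload. message ID = -1090516651
""".splitlines()

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"permit\s+(?:ip\s+)?{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}")

def _network(addr, mask, wildcard):
    """Build a network; wildcard masks are inverted explicitly so that a host
    entry (wildcard 0.0.0.0) is not mistaken for a 0.0.0.0/0 netmask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_networks(line, wildcard):
    """Return (local, remote) networks from one crypto ACL/ACE line."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("unrecognised crypto ACL: " + line)
    s, sm, d, dm = m.groups()
    return _network(s, sm, wildcard), _network(d, dm, wildcard)

def acls_mirrored(asa_line, ios_line):
    """Crypto ACLs must be exact mirror images (local and remote swapped). A
    mismatch gives this symptom: IKE completes but the tunnel carries nothing."""
    asa_local, asa_remote = acl_networks(asa_line, wildcard=False)
    ios_local, ios_remote = acl_networks(ios_line, wildcard=True)
    return asa_local == ios_remote and asa_remote == ios_local

def peer_that_sent_delete(lines):
    """Return the peer address when the debug shows an inbound ISAKMP DELETE,
    meaning the other end tore the SA down; None if no inbound delete is seen."""
    peer = None
    for line in lines:
        m = re.search("received packet from " + IPV4, line)
        if m:
            peer = m.group(1)
        elif "processing DELETE payload" in line and peer:
            return peer
    return None
```

On the posted config both ACLs come out mirrored, so the proxy identities are not the cause here; the debug shows the DELETE arriving from the ASA peer, which points the investigation at the ASA side (keepalive/DPD settings and its own logs for that tunnel-group).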

About this solution

Tags: Cisco, 2821 and asa 5520
Solution Provided By: ishelpll
Participating Experts: 2
Solution Grade: A