Solved

Cisco 871W to ASA5100 ipsec tunnel fails in Phase 1

Posted on 2008-06-21
3,790 Views
Last Modified: 2009-07-29
We have a VPN between a Cisco 871W and an ASA5100 at a partner company that will not build.

We have worked on this for 8 hrs+ and can't seem to get it resolved.

Here are the debug output and configs.

871w config (Southland is the VPN in question)

Current configuration : 8036 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Synergy-SC
!
boot-start-marker
boot system flash:c870-advsecurityk9-mz.124-15.T5.bin
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$HTSD$2LnMa4nr/0YABU7uUhjQh1
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-481808195
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-481808195
 revocation-check none
 rsakeypair TP-self-signed-481808195
!
!
crypto pki certificate chain TP-self-signed-481808195
 certificate self-signed 01
  *****
dot11 syslog
!
dot11 ssid Synergy
   vlan 1

   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 03454812080A334B575D4A574653
!
dot11 ssid Synergywep
   vlan 2
   authentication open
!
dot11 ssid Synergywpa
   vlan 3
   authentication open
!
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name OUTSIDE_IN ftp timeout 300
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name synergy.com
ip name-server 206.13.28.12
ip name-server 206.13.31.12
!
!
!
username admin privilege 15 secret 5 $1$TLn8$gEWuTUgsXAoCP5FWkXNnD0
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 2000
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key g3t0utn0w1 address 12.68.96.178
crypto isakmp key g3t0utn0w1 address 74.211.157.130
crypto isakmp keepalive 30
crypto ipsec transform-set southland esp-3des esp-md5-hmac
crypto ipsec transform-set westrux esp-3des esp-sha-hmac
!
crypto map outside_crypto_75_48_112_233 11 ipsec-isakmp
 description *** Tunnel to Southland
 set peer 12.68.96.178
 set transform-set southland
 match address 104
crypto map outside_crypto_75_48_112_233 20 ipsec-isakmp
 description *** Tunnel to Westrux
 set peer 74.211.157.130
 set transform-set westrux
 match address 105
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 75.48.112.233 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map outside_crypto_75_48_112_233
!
interface Dot11Radio0
 no ip address
 ip helper-address 192.168.220.100
 ip route-cache flow
 !
 encryption vlan 1 mode ciphers tkip
 !
 broadcast-key vlan 1 change 45
 !
 !
 ssid Synergy
 !
 ssid Synergywep
 !
 ssid Synergywpa
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 rts threshold 2312
 no cdp enable
!
interface Dot11Radio0.1
 description Cisco Open
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.220.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.48.112.238
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.220.100 75.48.112.233 extendable
ip nat inside source static 192.168.220.100 75.48.112.234 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 permit 192.168.220.0 0.0.0.255
access-list 100 remark Outbound list applied to Inside
access-list 100 deny   ip 75.48.112.232 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 deny   ip 192.168.220.0 0.0.0.255 172.21.2.0 0.0.0.255
access-list 103 deny   ip 192.168.220.0 0.0.0.255 10.16.222.0 0.0.0.255
access-list 103 permit ip 192.168.220.0 0.0.0.255 any
access-list 104 remark *** Tunnel to Southland
access-list 104 permit ip 192.168.220.0 0.0.0.255 172.21.2.0 0.0.0.255
access-list 105 remark *** Test Tunnel to Westrux
access-list 105 permit ip 192.168.220.0 0.0.0.255 10.16.222.0 0.0.0.255
no cdp run
!
!
route-map RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end



ASA5100 Config Summary

access-list 103 extended permit ip 172.21.2.0 255.255.255.0 192.168.220.0 255.255.255.0   -- identifies traffic to be encrypted
access-list nonat extended permit ip 172.21.2.0 255.255.255.0 192.168.220.0 255.255.255.0   -- identifies traffic not to be NATed, for internet services purposes
nat (inside) 0 access-list nonat   -- prevents the NATing of select inside IP addresses to the public interface of the ASA firewall
nat (inside) 1 0.0.0.0 0.0.0.0   -- all other IP addresses on the inside are NATed
route outside 0.0.0.0 0.0.0.0 12.68.96.177 1   -- route to external networks

crypto ipsec transform-set UC2 esp-3des esp-sha-hmac
crypto map newmap 13 match address 103
crypto map newmap 13 set peer 75.48.112.233
crypto map newmap 13 set transform-set UC2
crypto map newmap interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 2000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400

tunnel-group 75.48.112.233 type ipsec-l2l
tunnel-group 75.48.112.233 ipsec-attributes
 pre-shared-key *

And on the internal router where the inside network resides, there is an "ip route 192.168.220.0 255.255.255.0 172.21.2.29" statement, where 172.21.2.29 is the inside interface.

DEBUG

001121: *May  6 02:10:59.811 PCTime: ISAKMP:(0): SA request profile is (NULL)
001122: *May  6 02:10:59.811 PCTime: ISAKMP: Created a peer struct for 12.68.96.178, peer port 500
001123: *May  6 02:10:59.811 PCTime: ISAKMP: New peer created peer = 0x837528C4 peer_handle = 0x80000012
001124: *May  6 02:10:59.811 PCTime: ISAKMP: Locking peer struct 0x837528C4, refcount 1 for isakmp_initiator
001125: *May  6 02:10:59.811 PCTime: ISAKMP: local port 500, remote port 500
001126: *May  6 02:10:59.811 PCTime: ISAKMP: set new node 0 to QM_IDLE      
001127: *May  6 02:10:59.811 PCTime: insert sa successfully sa = 836E2400
001128: *May  6 02:10:59.811 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001129: *May  6 02:10:59.811 PCTime: ISAKMP:(0):found peer pre-shared key matching 12.68.96.178
001130: *May  6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001131: *May  6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
001132: *May  6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
001133: *May  6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
001134: *May  6 02:10:59.815 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001135: *May  6 02:10:59.815 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

001136: *May  6 02:10:59.815 PCTime: ISAKMP:(0): beginning Main Mode exchange
001137: *May  6 02:10:59.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001138: *May  6 02:10:59.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001139: *May  6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001140: *May  6 02:11:09.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001141: *May  6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001142: *May  6 02:11:09.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001143: *May  6 02:11:09.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001144: *May  6 02:11:19.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001145: *May  6 02:11:19.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
001146: *May  6 02:11:19.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001147: *May  6 02:11:19.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001148: *May  6 02:11:19.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001149: *May  6 02:11:29.811 PCTime: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 75.48.112.233, remote= 12.68.96.178,
    local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4)
001150: *May  6 02:11:29.811 PCTime: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 75.48.112.233, remote= 12.68.96.178,
    local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001151: *May  6 02:11:29.811 PCTime: ISAKMP: set new node 0 to QM_IDLE      
001152: *May  6 02:11:29.811 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 75.48.112.233, remote 12.68.96.178)
001153: *May  6 02:11:29.811 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
001154: *May  6 02:11:29.811 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
001155: *May  6 02:11:29.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001156: *May  6 02:11:29.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
001157: *May  6 02:11:29.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001158: *May  6 02:11:29.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001159: *May  6 02:11:29.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001160: *May  6 02:11:39.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001161: *May  6 02:11:39.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
001162: *May  6 02:11:39.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001163: *May  6 02:11:39.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001164: *May  6 02:11:39.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001165: *May  6 02:11:49.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001166: *May  6 02:11:49.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001167: *May  6 02:11:49.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001168: *May  6 02:11:49.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001169: *May  6 02:11:49.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001170: *May  6 02:11:59.811 PCTime: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 75.48.112.233, remote= 12.68.96.178,
    local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4)
001171: *May  6 02:11:59.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001172: *May  6 02:11:59.815 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

001173: *May  6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
001174: *May  6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
001175: *May  6 02:11:59.815 PCTime: ISAKMP: Unlocking peer struct 0x837528C4 for isadb_mark_sa_deleted(), count 0
001176: *May  6 02:11:59.815 PCTime: ISAKMP: Deleting peer node by peer_reap for 12.68.96.178: 837528C4
001177: *May  6 02:11:59.815 PCTime: ISAKMP:(0):deleting node -985450246 error FALSE reason "IKE deleted"
001178: *May  6 02:11:59.815 PCTime: ISAKMP:(0):deleting node 288664037 error FALSE reason "IKE deleted"
001179: *May  6 02:11:59.815 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001180: *May  6 02:11:59.815 PCTime: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

001181: *May  6 02:11:59.815 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001182: *May  6 02:12:01.379 PCTime: crypto_engine: Generate public/private keypair
001183: *May  6 02:12:49.815 PCTime: ISAKMP:(0):purging node -985450246
001184: *May  6 02:12:49.815 PCTime: ISAKMP:(0):purging node 288664037

Thanks for any recommendations.
Question by:hotchkissj
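The trace above shows the 871 sending the first Main Mode packet to 12.68.96.178 and retransmitting it five times without a single "received packet from" line before "Death by retransmission P1", so whatever the ASA sent back never reached the router's ISAKMP process. Separately, comparing the two posted policy sets shows that 871 policy 10 (3des, pre-share, default sha/group 1, lifetime 2000) matches ASA policy 9 and 871 policy 11 matches ASA policy 10. The Python script below is an added example, not code from this thread or from Cisco: it classifies the Phase 1 trace and checks the isakmp policies from both configs for a match. The log lines and policy blocks are transcribed from the question (log abridged); the message patterns beyond those visible in the trace, the IOS policy defaults, and the match rule (encryption, hash, authentication and DH group equal, initiator lifetime at least the responder's) are assumptions drawn from general IOS behaviour rather than from the page.

```python
"""Triage an IOS 'debug crypto isakmp' Phase 1 trace and check whether the
IKE policies on the two peers can agree. Added example; not from the thread."""
import re

# Abridged copy of the debug output posted in the question.
DEBUG = """\
001137: *May  6 02:10:59.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001139: *May  6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001140: *May  6 02:11:09.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001166: *May  6 02:11:49.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001173: *May  6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
"""

# Policy blocks transcribed from the two posted configs.
IOS_POLICIES = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 2000
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""
ASA_POLICIES = """\
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 2000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
"""

# IOS defaults for attributes a policy leaves unset (assumption; the ASA block
# above spells every attribute out, so the defaults only matter for the 871).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}


def classify_phase1(log: str) -> dict:
    """Summarise what the initiator sent, what came back, and where it died."""
    sent = len(re.findall(r"sending packet to \S+", log))
    received = len(re.findall(r"received packet from \S+", log))
    retransmits = len(re.findall(r"attempt \d+ of \d+: retransmit phase 1", log))
    states = re.findall(r"\((?:I|R)\) (MM_\w+|AM_\w+)", log)
    last_state = states[-1] if states else None
    died = "Death by retransmission P1" in log
    if died and received == 0:
        # MM1 went out repeatedly and nothing came back: the reply was blocked,
        # misrouted, or translated away before ISAKMP on this router saw it.
        verdict = "no_reply"
    elif "atts are not acceptable" in log:
        # The peer answered but rejected every Phase 1 proposal (assumed pattern).
        verdict = "proposal_mismatch"
    elif died and last_state in ("MM_KEY_EXCH", "MM_SA_SETUP"):
        # Exchange progressed then stalled; PSK or identity trouble is the usual cause.
        verdict = "psk_or_identity"
    else:
        verdict = "undetermined"
    return {"sent": sent, "received": received, "retransmits": retransmits,
            "last_state": last_state, "verdict": verdict}


def parse_policies(text: str) -> dict:
    """Parse 'crypto isakmp policy N' blocks (IOS 'encr' or ASA 'encryption')."""
    policies, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = dict(DEFAULTS)
            policies[int(m.group(1))] = cur
            continue
        if cur is None or not line.startswith(" "):
            continue
        key, _, val = line.strip().partition(" ")
        key = "encr" if key == "encryption" else key
        if key in cur:
            cur[key] = val
    return policies


def matching_policies(initiator: dict, responder: dict) -> list:
    """Pairs (initiator policy, responder policy) that can agree in Phase 1."""
    pairs = []
    for i, ip in sorted(initiator.items()):
        for r, rp in sorted(responder.items()):
            same = all(ip[k] == rp[k] for k in ("encr", "hash", "authentication", "group"))
            if same and int(ip["lifetime"]) >= int(rp["lifetime"]):
                pairs.append((i, r))
    return pairs


if __name__ == "__main__":
    print(classify_phase1(DEBUG))
    print(matching_policies(parse_policies(IOS_POLICIES), parse_policies(ASA_POLICIES)))
```

For this thread the two checks point in different directions: the policies pair up (10 with 9, 11 with 10), while the trace verdict is "no_reply", which is a reachability or translation problem between the peers rather than a proposal mismatch.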
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 21840515
>crypto ipsec transform-set southland esp-3des esp-md5-hmac
There is no matching policy on either end. Change the transform for southland to the same 3des/sha as the other one

no crypto ipsec transform-set southland esp-3des esp-md5-hmac
crypto ipsec transform-set southland esp-3des esp-sha-hmac
crypto map outside_crypto_75_48_112_233 11 ipsec-isakmp
 set transform-set southland   <== you'll have to put this back in after you remove/replace it above

 

Author Comment

by:hotchkissj
ID: 21840944
Thanks for pointing that out.  We have changed it so many times.  I had the wrong transform in the post.

I did as you suggested and received the same debug info.  Seems to be failing before Phase 2.

Any ideas?
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 21841391
> protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
Without a matching policy, and after changing the transform, I would expect different results in the debug.

Did you remove and re-apply the crypto map to the router interface?

You may have a bigger issue with the same IP address assigned to the interface and static NATed at the same time:

interface FastEthernet4
 ip address 75.48.112.233 255.255.255.248  <==

ip nat inside source static 192.168.220.100 75.48.112.233 extendable <== same as interface -  not good
ip nat inside source static 192.168.220.100 75.48.112.234 extendable <== it let you do this? Assign same inside host to 2 different public IP's?


 

Author Comment

by:hotchkissj
ID: 21842362
Yes, it did allow me to do this.  Good call.

The previous Cisco tech had port translation.

ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 20 extendable
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 21 extendable
ip nat inside source static tcp 192.168.220.100 25 75.48.112.233 25 extendable
ip nat inside source static tcp 192.168.220.100 80 75.48.112.233 80 extendable
ip nat inside source static tcp 192.168.220.100 443 75.48.112.233 443 extendable
ip nat inside source static tcp 192.168.220.100 3389 75.48.112.233 3389 extendable

When I switch back to this, the tunnel worked.

Is this port translation config recommended?  It had been like this for awhile.
 
LVL 79

Expert Comment

by:lrmoore
ID: 21891083
>When I switch back to this, the tunnel worked.
OK, so first problem solved, no?

>Is this port translation config recommended?  
Yes. It allows you to use the same public IP for multiple purposes, like forwarding some ports to an internal server and using VPN at the same time.
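The outcome of the thread supports lrmoore's NAT observation: with a one-to-one static entry for 75.48.112.233, inbound packets to that address, the ASA's ISAKMP replies included, are translated toward 192.168.220.100 before the router's own ISAKMP process can handle them, which is consistent with the trace never showing a received packet, whereas the per-port static PAT entries leave UDP 500/4500 and ESP with the router. The script below is an added example, not code from this thread or from Cisco. It lints the two NAT variants posted above (transcribed here as constructed inputs together with the FastEthernet4 interface lines) and flags either a full static mapping of an address on an interface that carries a crypto map, or a port-level mapping of UDP 500/4500 on such an address; it also warns when one inside host is mapped to several public addresses, as lrmoore noted.

```python
"""Lint IOS static NAT against the address of a crypto-map interface.
Added example; the config fragments are transcribed from the thread."""
import re

# Constructed input: the original one-to-one static NAT (the 'before').
BEFORE = """\
interface FastEthernet4
 ip address 75.48.112.233 255.255.255.248
 ip nat outside
 crypto map outside_crypto_75_48_112_233
!
ip nat inside source static 192.168.220.100 75.48.112.233 extendable
ip nat inside source static 192.168.220.100 75.48.112.234 extendable
"""

# Constructed input: the per-port static PAT the tunnel worked with (the 'after').
AFTER = """\
interface FastEthernet4
 ip address 75.48.112.233 255.255.255.248
 ip nat outside
 crypto map outside_crypto_75_48_112_233
!
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 20 extendable
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 21 extendable
ip nat inside source static tcp 192.168.220.100 25 75.48.112.233 25 extendable
ip nat inside source static tcp 192.168.220.100 80 75.48.112.233 80 extendable
ip nat inside source static tcp 192.168.220.100 443 75.48.112.233 443 extendable
ip nat inside source static tcp 192.168.220.100 3389 75.48.112.233 3389 extendable
"""

# Ports the router itself needs for IKE (500) and NAT-T (4500).
IKE_PORTS = {("udp", 500), ("udp", 4500)}
FULL = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: extendable)?$")
PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def crypto_interface_ips(cfg: str) -> dict:
    """Map each interface that carries a crypto map to its IPv4 address."""
    ips, name, addr, has_map = {}, None, None, False
    for line in cfg.splitlines() + ["!"]:
        if line.startswith("interface "):
            name, addr, has_map = line.split()[1], None, False
        elif line.startswith(" ip address "):
            addr = line.split()[2]
        elif line.startswith(" crypto map "):
            has_map = True
        elif line.startswith("!"):
            if name and has_map and addr:
                ips[name] = addr
            name = None
    return ips


def nat_findings(cfg: str) -> list:
    """Return (severity, message) pairs for NAT entries that collide with IKE."""
    findings = []
    vpn_addrs = set(crypto_interface_ips(cfg).values())
    inside_to_outside = {}
    for line in cfg.splitlines():
        m = PORT.match(line)
        if m:
            proto, _inside, _iport, outside, oport = m.groups()
            if outside in vpn_addrs and (proto, int(oport)) in IKE_PORTS:
                findings.append(("error", f"{line}: redirects IKE port {proto}/{oport} "
                                          "away from the router"))
            continue
        m = FULL.match(line)
        if m:
            inside, outside = m.groups()
            inside_to_outside.setdefault(inside, set()).add(outside)
            if outside in vpn_addrs:
                findings.append(("error", f"{line}: one-to-one static NAT on the crypto-map "
                                          f"interface address; inbound IKE/ESP to {outside} is "
                                          f"translated to {inside} instead of reaching the router"))
    for inside, outs in inside_to_outside.items():
        if len(outs) > 1:
            findings.append(("warning", f"{inside} is statically mapped to {len(outs)} "
                                        f"public addresses: {sorted(outs)}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, nat_findings(cfg) or "clean")
```

Run against the two fragments, the one-to-one variant produces an error for the mapping onto 75.48.112.233 plus the duplicate-host warning, and the per-port variant is clean, which is the result the thread reports.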
