?
Solved

Unable to establish site to site VPN between two Cisco ASA5505 devices

Posted on 2009-04-18
2
Medium Priority
?
746 Views
Last Modified: 2012-05-06
I am trying to establish a site to site VPN tunnel between two ASA 5505 devices, but the tunnel never comes up.  When I attempt to ping a device from the 172.30.0.0 /24 network, I can see that it is trying to bring the tunnel up, but it never gets past phase 1.  Here is what the log on the first ASA5505 shows:

IP = 216.210.204.71, IKE Initiator: New Phase 1, Intf inside, IKE Peer 216.210.204.71  local Proxy Address 172.30.0.0, remote Proxy Address 172.20.0.0,  Crypto map (outside_map)
IP = 216.210.204.71, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 216.210.204.71, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 216.210.204.71, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 216.210.204.71, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 216.210.204.71, Removing peer from peer table failed, no match!
IP = 216.210.204.71, Error: Unable to remove PeerTblEntry

Here's some info. about each of the ASA5505s:

ASA5505 #1:
hostname: asa5505-djome.comcast.net
Inside Network:  172.30.0.0 /24
Inside IP: 172.30.0.1
Outside IP: 76.103.2.207

ASA5505 #2:
hostname: ciscoasa.atgi.net
Inside Network: 172.20.0.0 /24
Inside IP: 172.20.0.2
Outside IP: 216.210.204.71

---
Here is the config for ASA5505 #1:

: Saved
:
ASA Version 8.0(4)
!
hostname asa5505-djhome
domain-name comcast.net
enable password .Qfz6D5FnbE3piW/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.20.0.0 eyeq-hq-lan description eyeq-hq-lan
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.30.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.76.178
 name-server 68.87.78.130
 name-server 68.87.69.146
 domain-name comcast.net
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 172.30.0.0 255.255.255.0 eyeq-hq-lan 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.0.0 255.255.255.0 eyeq-hq-lan 255.255.255.0
access-list inside_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.30.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 216.210.204.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.30.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd dns 68.87.76.178 68.87.78.130
dhcpd domain comcast.net
dhcpd auto_config outside
dhcpd option 66 ip 172.20.0.214
!
dhcpd address 172.30.0.2-172.30.0.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group 216.210.204.71 type ipsec-l2l
tunnel-group 216.210.204.71 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3aed9d27bb823921796deafbd3466095
: end
asdm image disk0:/asdm-615.bin
asdm location eyeq-hq-lan 255.255.255.0 inside
no asdm history enable

---
And here is the config for the other ASA5505:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name atgi.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 curtin_lan description curtin_lan
name 216.210.204.83 outside-ip description outside-ip
name 172.30.0.0 eyeq-dj-home description eyeq-dj-home
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outside-ip 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 216.174.194.53
 name-server 216.174.194.54
 domain-name atgi.net
object-group service https-vpn tcp
 description https for vpn - dcj
 port-object eq https
access-list outside_1_cryptomap extended permit ip 172.20.0.0 255.255.255.0 curtin_lan 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.0.0 255.255.255.0 curtin_lan 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.0.0 255.255.255.0 eyeq-dj-home 255.255.255.0
access-list outside_access_in extended permit tcp any 172.20.0.0 255.255.255.0 object-group https-vpn
access-list outside_access_in extended permit tcp any host outside-ip eq https
access-list outside_2_cryptomap extended permit ip 172.20.0.0 255.255.255.0 eyeq-dj-home 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool eyeq-vpn-dhcp 172.20.0.50-172.20.0.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.210.204.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.0.0 255.255.255.0 inside
snmp-server host inside 172.20.0.212 community public version 2c
snmp-server location 1300 Commerce St. Suite D
snmp-server contact David Jones
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 75.149.39.97
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 76.103.2.207
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group 75.149.39.97 type ipsec-l2l
tunnel-group 75.149.39.97 ipsec-attributes
 pre-shared-key *
tunnel-group 76.103.2.207 type ipsec-l2l
tunnel-group 76.103.2.207 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e8e842ff9d53d78ef1d7503ba6742255
: end
asdm image disk0:/asdm-615.bin
asdm location curtin_lan 255.255.255.0 inside
asdm location outside-ip 255.255.255.255 inside
asdm location eyeq-dj-home 255.255.255.0 inside
no asdm history enable

---

Any suggestions would be greatly appreciated.

Thanks,

DJ
0
Comment
Question by:davidcj79
2 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24177492
Based on your config, ASA #2's outside IP is 216.210.204.83 (not 216.210.204.71).  On ASA #1, you need to change any reference to 216.210.204.71 to 216.210.204.83 (peer, tunnel-group).
0
 
LVL 1

Author Closing Comment

by:davidcj79
ID: 31571892
Thanks! I was pulling my hair out on this one.  I had somehow got the .71 address mixed up in the config. and was looking over the obvious.  Your suggestion resolved my problem.  Thank you very much.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month15 days, 8 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question