Solved

Cisco ASA 5505 vpn tunnel Issues

Posted on 2009-06-30
Last Modified: 2012-05-07
I am setting up a VPN tunnel between a Cisco ASA 5505 and a Digi ConnectPort WAN. The outside interfaces can ping each other, but the inside interfaces can't ping each other. I have a feeling it has to do with the configuration on the Cisco ASA, but I could be wrong. Below is the configuration and some of the debug information I got from the ASA.
hostname ciscoasa
domain-name default.domain.invalid
enable password xH1416txXpxPJMEO encrypted
passwd xH1416txXpxPJMEO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.129.75.76 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.31.0.100-172.31.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.129.75.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map FT 10 set transform-set ESP-3DES-MD5
crypto dynamic-map FT 10 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 166.130.95.194
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28200
crypto map outside_map 2 set nat-t-disable
crypto map outside_map 1000 ipsec-isakmp dynamic FT
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp am-disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.131 inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 pfs enable
 nac-settings value DfltGrpPolicy-nac-framework-create
username LockandDam password z7GLbfZ78IPw/.hf encrypted
tunnel-group 166.130.95.194 type ipsec-l2l
tunnel-group 166.130.95.194 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable
!
class-map icmp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:4f33bf10a228b203901f3df494522da7
: end
 
 
 
ciscoasa(config-if)# Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd81184b0, mess id 0x3959c154)!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd819fa18, mess id 0x4693f426)!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd89e06c0, mess id 0xd1bce62c)!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd80e5d50, mess id 0x5083976a)!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from peer table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Error: Unable to remove PeerTblEntry

Question by:pcguy74
2 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 24752083
Check the pre-shared key.
Check transforms match up (since you've not provided the IPsec details of the other end, I can only go on what I see, which is basically nothing).
Check the ACLs.
 
LVL 29

Accepted Solution

by: Alan Huseyin Kayahan (earned 2000 total points)
ID: 24752517
Hello pcguy74,
It is supposed to work that way already. The inside interface IP itself should not be pingable from another interface, yet this is not necessary. But if you really need to achieve this, add the following command:
management-interface inside

Regards
