Solved

Cisco ASA 5505 vpn tunnel Issues

Posted on 2009-06-30
Last Modified: 2012-05-07
I am setting up a VPN tunnel between a Cisco ASA 5505 and a Digi ConnectPort WAN. The outside interfaces can ping each other, but the inside interfaces can't ping each other. I have a feeling it has to do with the configuration on the Cisco ASA, but I could be wrong. Below is the configuration and some of the debug information I got from the ASA.
hostname ciscoasa
domain-name default.domain.invalid
enable password xH1416txXpxPJMEO encrypted
passwd xH1416txXpxPJMEO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.129.75.76 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.31.0.100-172.31.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.129.75.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map FT 10 set transform-set ESP-3DES-MD5
crypto dynamic-map FT 10 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 166.130.95.194
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28200
crypto map outside_map 2 set nat-t-disable
crypto map outside_map 1000 ipsec-isakmp dynamic FT
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp am-disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 pfs enable
 nac-settings value DfltGrpPolicy-nac-framework-create
username LockandDam password z7GLbfZ78IPw/.hf encrypted
tunnel-group 166.130.95.194 type ipsec-l2l
tunnel-group 166.130.95.194 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable
!
class-map icmp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:4f33bf10a228b203901f3df494522da7
: end

ciscoasa(config-if)# Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd81184b0, mess id 0x3959c154)!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd819fa18, mess id 0x4693f426)!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd89e06c0, mess id 0xd1bce62c)!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd80e5d50, mess id 0x5083976a)!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from peer table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Error: Unable to remove PeerTblEntry

Question by:pcguy74
2 Comments

Expert Comment by: Quori
Check the pre-shared key.
Check transforms match up (since you've not provided the IPsec details of the other end, I can only go on what I see, which is basically nothing)
Check the ACLs.
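Added example (not part of the thread, and not Cisco's or Digi's code): a small Python script that applies the checklist above to the configuration and debug output posted in the question. It pulls the Phase 1 policy and the Phase 2 parameters (ESP transforms, PFS group, SA lifetime, NAT-T setting and the mirror-image proxy IDs the peer's crypto ACL must carry) out of an ASA running-config, and tags each IKEv1 debug line by the phase it refers to. The embedded sample config and debug are trimmed copies of what is posted in the question. Two readings are the ASA's documented behaviour rather than anything the thread states: a bare `set pfs` means Diffie-Hellman group2, and `QM FSM error` is a Quick Mode (Phase 2) failure, so Phase 1 (the policy, the pre-shared key) had already completed when these lines were logged.

```python
"""Added example: extract the IKEv1 proposal from an ASA running-config so it can be
compared with the peer, and tag ASA IKEv1 debug lines by the phase they complain about."""
import ipaddress
import re

# Trimmed copy of the running-config posted in the question.
SAMPLE_CONFIG = """\
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 166.130.95.194
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28200
crypto map outside_map 2 set nat-t-disable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Trimmed copy of the debug output posted in the question.
SAMPLE_DEBUG = """\
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd81184b0, mess id 0x3959c154)!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Error: Unable to remove PeerTblEntry
"""


def _cidr(net, mask):
    """'10.0.0.0', '255.255.255.0' -> '10.0.0.0/24'."""
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def isakmp_policies(config):
    """{policy number: {attribute: value}} for each 'crypto isakmp policy' block (Phase 1)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")   # ' encryption 3des' -> ('encryption', '3des')
            current[key] = value
        else:
            current = None                                 # any other top-level line ends the block
    return policies


def crypto_map_entry(config, peer):
    """Phase 2 parameters the peer at `peer` must mirror, or None if no map entry names it."""
    transform_sets, acls, entries = {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append(
                (_cidr(m.group(2), m.group(3)), _cidr(m.group(4), m.group(5))))
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entries.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    for (name, seq), cmds in entries.items():
        if f"set peer {peer}" not in cmds:
            continue
        result = {"map": f"{name} {seq}", "pfs": None, "nat_t": "enabled",
                  "lifetime_seconds": 28800}               # ASA default when the entry sets none
        for cmd in cmds:
            words = cmd.split()
            if cmd.startswith("set transform-set "):
                result["esp"] = transform_sets[words[-1]]
            elif cmd.startswith("set pfs"):
                result["pfs"] = words[2] if len(words) > 2 else "group2"   # bare 'set pfs' = group2
            elif cmd.startswith("set security-association lifetime seconds "):
                result["lifetime_seconds"] = int(words[-1])
            elif cmd == "set nat-t-disable":
                result["nat_t"] = "disabled"
            elif cmd.startswith("match address "):
                local_remote = acls[words[-1]]
                result["proxy_ids_local"] = local_remote
                # The peer's crypto ACL has to be the exact mirror image of ours.
                result["proxy_ids_peer_must_use"] = [(r, l) for l, r in local_remote]
        return result
    return None


PHASE_PATTERNS = [
    (re.compile(r"MM FSM error|AM FSM error"), "phase1", "Main/Aggressive Mode (Phase 1) failed"),
    (re.compile(r"QM FSM error"), "phase2", "Quick Mode (Phase 2) negotiation failed"),
    (re.compile(r"No SPI to identify Phase 2 SA"), "phase2", "no Phase 2 SA was ever established"),
    (re.compile(r"correlator table|peer table|PeerTblEntry"), "cleanup", "teardown after a failed negotiation"),
]


def classify_debug(debug):
    """List of (phase, meaning) for each ASA IKEv1 debug line."""
    tags = []
    for line in debug.splitlines():
        for pat, phase, meaning in PHASE_PATTERNS:
            if pat.search(line):
                tags.append((phase, meaning))
                break
        else:
            tags.append(("other", line))
    return tags


def summarize(debug):
    """Count of debug lines per phase, so the failing phase is obvious at a glance."""
    phases = [p for p, _ in classify_debug(debug)]
    return {k: phases.count(k) for k in ("phase1", "phase2", "cleanup", "other")}
```

Run against the posted config, `crypto_map_entry(SAMPLE_CONFIG, "166.130.95.194")` gives the list to hold up against the Digi side: esp-3des with esp-md5-hmac, PFS group2, a 28200 second lifetime, NAT-T disabled, and a peer-side proxy ID of 192.168.1.0/24 to 10.0.0.0/24. `summarize(SAMPLE_DEBUG)` reports Phase 2 errors only and no Main Mode errors, which narrows the comparison to those Phase 2 parameters and the two crypto ACLs rather than the Phase 1 policy. For a full config the same parser can be pointed at `show running-config` output saved to a file.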
 
Accepted Solution by: Alan Huseyin Kayahan (earned 500 total points)
Hello pcguy74,
It is supposed to work that way already. The inside interface IP itself should not be pingable from another interface, yet this is not necessary. But if you really need to achieve this, add the following command:
management-interface inside

Regards