pcguy74

asked on

Cisco ASA 5505 vpn tunnel Issues

I am setting up a VPN tunnel between a Cisco ASA 5505 and a Digi ConnectPort WAN. The outside interfaces can ping each other, but the inside interfaces can't ping each other. I have a feeling it has to do with the configuration on the Cisco ASA, but I could be wrong. Below are the configuration and some of the debug information I got from the ASA.
hostname ciscoasa
domain-name default.domain.invalid
enable password xH1416txXpxPJMEO encrypted
passwd xH1416txXpxPJMEO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.129.75.76 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.31.0.100-172.31.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.129.75.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map FT 10 set transform-set ESP-3DES-MD5
crypto dynamic-map FT 10 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 166.130.95.194
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28200
crypto map outside_map 2 set nat-t-disable
crypto map outside_map 1000 ipsec-isakmp dynamic FT
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp am-disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.131 inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 pfs enable
 nac-settings value DfltGrpPolicy-nac-framework-create
username LockandDam password z7GLbfZ78IPw/.hf encrypted
tunnel-group 166.130.95.194 type ipsec-l2l
tunnel-group 166.130.95.194 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable
!
class-map icmp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:4f33bf10a228b203901f3df494522da7
: end

ciscoasa(config-if)# Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd81184b0, mess id 0x3959c154)!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd819fa18, mess id 0x4693f426)!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd89e06c0, mess id 0xd1bce62c)!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:14 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd80e5d50, mess id 0x5083976a)!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from correlator table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Removing peer from peer table failed, no match!
Jun 30 17:53:19 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, Error: Unable to remove PeerTblEntry

Quori

Check the pre-shared key.
Check that the transforms match up (since you've not provided the IPsec details of the other end, I can only go on what I see, which is basically nothing).
Check the ACLs.
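The three checks in the answer above can be scripted. The following is an added example, not code from the original thread, from Cisco or from Digi: it parses the crypto-relevant lines copied from the ASA config in the question, compares the crypto map entry against a peer definition, and counts the "QM FSM error" lines from the posted debug output. "QM FSM error" is logged by the ASA when IKEv1 Quick Mode (phase 2) fails after phase 1 completed, so the pre-shared key has already been accepted and the remaining suspects are the proxy IDs (crypto ACL), the transform set, PFS, and NAT exemption. The PEER dictionary is an assumption standing in for the Digi ConnectPort settings, which the question does not show; the regular expressions cover only the command forms present in the posted config.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Crypto-relevant lines copied from the ASA config posted in the question.
ASA_CFG = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 166.130.95.194
crypto map outside_map 2 set transform-set ESP-3DES-MD5
"""

# Constructed stand-in for the Digi side: the question does not show its
# configuration, so these values are an assumption chosen to mirror the ASA.
PEER = {
    "local_nets": {"192.168.1.0/24"},   # networks the Digi protects
    "remote_nets": {"10.0.0.0/24"},     # networks it expects behind the ASA
    "esp": ("esp-3des", "esp-md5-hmac"),
    "pfs": True,
}

# Three IKEv1 debug lines copied from the question (whitespace cleaned).
IKE_LOG = """
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd81184b0, mess id 0x3959c154)!
Jun 30 17:53:03 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 30 17:53:08 [IKEv1]: Group = 166.130.95.194, IP = 166.130.95.194, QM FSM error (P2 struct &0xd819fa18, mess id 0x4693f426)!
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) ?(\S*)$")
QM_RE = re.compile(r"\[IKEv1\]: Group = \S+, IP = (\S+), QM FSM error")


def parse_asa_crypto(cfg):
    """Return (acls, nat0_acl_names, transform_sets, crypto_map_entries)."""
    acls, nat0, tsets, entries = {}, set(), {}, {}
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (str(ip_network(f"{src}/{smask}")), str(ip_network(f"{dst}/{dmask}")))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0.add(m[1])
        elif m := TS_RE.match(line):
            tsets[m[1]] = (m[2], m[3])
        elif m := CM_RE.match(line):
            e = entries.setdefault((m[1], int(m[2])), {"pfs": False})
            if m[3] == "set pfs":
                e["pfs"] = True
            else:
                e[m[3]] = m[4]
    return acls, nat0, tsets, entries


def check_phase2(cfg, peer):
    """List phase-2 mismatches between each static crypto map entry and the peer."""
    acls, nat0, tsets, entries = parse_asa_crypto(cfg)
    exempt = {pair for name in nat0 for pair in acls.get(name, [])}
    problems = []
    for (mapname, seq), e in entries.items():
        if "match address" not in e:
            continue  # dynamic entries carry no static crypto ACL
        pairs = acls.get(e["match address"], [])
        local = {src for src, _ in pairs}
        remote = {dst for _, dst in pairs}
        tag = f"{mapname} {seq} (peer {e.get('set peer', '?')})"
        # Proxy IDs must mirror: ASA local == peer remote and ASA remote == peer local.
        if local != peer["remote_nets"] or remote != peer["local_nets"]:
            problems.append(f"{tag}: crypto ACL {e['match address']} does not mirror the peer's proxy IDs")
        if tsets.get(e.get("set transform-set")) != peer["esp"]:
            problems.append(f"{tag}: transform set differs from the peer's ESP proposal")
        if e["pfs"] != peer["pfs"]:
            problems.append(f"{tag}: PFS setting differs from the peer")
        # Interesting traffic must be NAT-exempt, or it leaves as the outside
        # address and never matches the crypto ACL.
        for pair in pairs:
            if pair not in exempt:
                problems.append(f"{tag}: {pair[0]} -> {pair[1]} is not covered by the nat 0 ACL")
    return problems


def phase2_failures(log):
    """Count 'QM FSM error' lines per peer IP (Quick Mode failed after phase 1 succeeded)."""
    return Counter(m[1] for line in log.splitlines() if (m := QM_RE.search(line)))


if __name__ == "__main__":
    for p in check_phase2(ASA_CFG, PEER) or ["no phase-2 mismatch against the assumed peer settings"]:
        print(p)
    print(dict(phase2_failures(IKE_LOG)))
```

Against the assumed PEER values the posted ASA config passes every check, which is the point: the fault is then in the Digi's own proxy IDs or proposal, which the question does not include. Editing PEER to what the Digi actually has (for example a different protected subnet, AES instead of 3DES, or PFS off) makes the script name the mismatch directly.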
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan

This solution is only available to members.