  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 523
  • Last Modified:

Site to Site VPN problem

Hello guys and girls.

Happy Christmas to you all.

Here is the case.

I have this client that has a site-to-site VPN connection between two remote sites,
using two Cisco ASA 5505s.
 

This has been working great but now site A got a new ISP and a new IP.

I modified site B and set the peer to the correct IP,
but it still did not work.

I also tried to change the pre-shared password (yes, on both ends).

I assumed this would be an easy switch.

Any ideas?

I could set them up from scratch again, I'm sure that would work, but
it's not very educational. A bit like formatting your HD when you get spyware and viruses.
 

How do I troubleshoot these connections?


PS: I'm unable to post the config since I'm not in the office.
I can't seem to get it out of my mind.
0
Asked by: daxa78
1 Solution
 
rdmlda commented:
Did you remember to create a new tunnel group with the correct new IP address on the 5505 that didn't change IP?
0
 
daxa78 (Author) commented:
OK, so I have to modify both boxes?
0
 
rdmlda commented:
Yes, you have to.
0
RPPreacher commented:
And you need to clear the translation table and reset the crypto maps (or just reboot).
0
 
diepes commented:
Anything in the log?
0
 
rdmlda commented:
Can you post the configs?
0
 
daxa78 (Author) commented:
What do I need to change in router A, the one that has the new IP, except setting the firewall up so that it's online again? I assumed I only had to change the peer IP on router B.

0
 
daxa78 (Author) commented:
Here are the running configs that I have. It is ASA A that has gotten a new IP.

Here is some info from the log:

4      Dec 27 2009      07:59:17      713903  IP = 215.145.177.74, Header invalid, missing SA payload! (next payload = 4)
5      Dec 27 2009      07:59:19      713904 IP = 215.145.177.74, Received encrypted packet with no matching SA, dropping
4      Dec 27 2009      07:59:29      713903      Group = 215.145.177.74, IP = 215.145.177.74, Can't find a valid tunnel group, aborting...!
ASA-A.txt
ASA-B.txt
0
 
joelmerry commented:
Typo in your ASA-A access lists. :) You have 84.* instead of 85.*
 
0
 
daxa78 (Author) commented:
Never mind that, it's just a poor attempt at hiding IP addresses.
0
 
RPPreacher commented:
Did you reboot after the change? (Both ASAs?)
0
 
daxa78 (Author) commented:
Yes.
0
 
rdmlda commented:
As I told you before, you need to change the tunnel group. Here is what you have in the configuration:

tunnel-group 62.101.223.50 type ipsec-l2l
tunnel-group 62.101.223.50 ipsec-attributes
 pre-shared-key *

and it needs to be:

tunnel-group 215.145.177.74 type ipsec-l2l
tunnel-group 215.145.177.74 ipsec-attributes
 pre-shared-key *

Without this, the VPN tunnel will never exchange the PSK.
0
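As an added example (my own, not from the thread or from Cisco), a Python check that reads ASA syslog lines like the 713903 ones posted above together with a running-config fragment, and reports peers that IKE rejected for lack of a tunnel-group as well as tunnel-groups that no crypto map points at any more. The log and config samples are constructed from the values quoted in the thread; the regexes assume the default ASA syslog layout shown there.

```python
import re

# Constructed sample modelled on the ASA syslog lines posted above
# (message IDs 713903/713904; the IPs are the ones quoted in the thread).
ASA_LOG = """\
4 Dec 27 2009 07:59:17 713903 IP = 215.145.177.74, Header invalid, missing SA payload! (next payload = 4)
5 Dec 27 2009 07:59:19 713904 IP = 215.145.177.74, Received encrypted packet with no matching SA, dropping
4 Dec 27 2009 07:59:29 713903 Group = 215.145.177.74, IP = 215.145.177.74, Can't find a valid tunnel group, aborting...!
"""

# Constructed running-config fragment: the crypto map already points at the
# new peer, but the tunnel-group (where the PSK lives) still carries the old address.
ASA_CONFIG = """\
crypto map outside_map 1 set peer 215.145.177.74
tunnel-group 62.101.223.50 type ipsec-l2l
tunnel-group 62.101.223.50 ipsec-attributes
 pre-shared-key *
"""

LOG_RE = re.compile(r"^\d\s+\w{3} \d{2} \d{4}\s+\d{2}:\d{2}:\d{2}\s+(?P<msgid>\d{6})\s+(?P<body>.*)$")
PEER_IP_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")

def l2l_tunnel_groups(config):
    """Peer addresses that have an ipsec-l2l tunnel-group configured."""
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))

def crypto_map_peers(config):
    """Peer addresses referenced by 'set peer' in crypto map entries."""
    return set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M))

def stale_tunnel_groups(config):
    """L2L tunnel-groups that no crypto map points at (e.g. the old ISP address)."""
    return l2l_tunnel_groups(config) - crypto_map_peers(config)

def peers_without_tunnel_group(log, config):
    """Peers logged as 'Can't find a valid tunnel group' (713903) with no group in the config."""
    groups = l2l_tunnel_groups(config)
    missing = set()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["msgid"] != "713903" or "tunnel group" not in m["body"]:
            continue
        ip = PEER_IP_RE.search(m["body"])
        if ip and ip.group(1) not in groups:
            missing.add(ip.group(1))
    return missing

if __name__ == "__main__":
    print("stale tunnel-groups:", stale_tunnel_groups(ASA_CONFIG))
    print("peers missing a tunnel-group:", peers_without_tunnel_group(ASA_LOG, ASA_CONFIG))
```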
 
daxa78 (Author) commented:
Cool, how do I change that?

I can't use the no command to remove it? I thought that was only a naming thing and did not refer to an IP address.
0
 
RPPreacher commented:
clear config tunnel-group 62.101.223.50
0
 
rdmlda commented:
As RPPreacher said, in order to eliminate that you need to enter the clear config command, and after that you just need to enter the correct one. Remember that you need to have the same pre-shared key on both devices.

Regards,
0
 
daxa78 (Author) commented:
I have done that now but I'm still unable to connect. I have not made any changes to ASA A.

I still don't know what I need to change there. I have changed the pre-shared key on both locations and I have restarted the boxes.
0
 
RPPreacher commented:
Once you enter the new tunnel-group you need to shut down the crypto map and re-enable the crypto map, or reboot (which achieves the same thing).
0
 
rdmlda commented:
The PSK is case sensitive, so you need to take that into consideration. You can enable debugs to see what the problem is:

   debug crypto isakmp 155
   debug crypto ipsec 155

This can give us a clue of what is going on. This will throw a lot of information; if you can post everything it would be great.

Regards,
0
 
daxa78 (Author) commented:
Debug ipsec does not display anything, but I get this from isakmp.

Dec 28 05:47:24 [IKEv1]: IP = 213.145.177.74, IKE_DECODE RECEIVED Message (msgid=89f1aa33) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing hash payload
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing notify payload
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Received keep-alive of type DPD R-U-THERE (seq number 0x7725f067)
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7725f067)
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing blank hash payload
Dec 28 05:47:24 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing qm hash payload
Dec 28 05:47:24 [IKEv1]: IP = 213.145.177.74, IKE_DECODE SENDING Message (msgid=675132fa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:34 [IKEv1]: IP = 213.145.177.74, IKE_DECODE RECEIVED Message (msgid=29a9f23f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing hash payload
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing notify payload
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Received keep-alive of type DPD R-U-THERE (seq number 0x7725f068)
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7725f068)
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing blank hash payload
Dec 28 05:47:34 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing qm hash payload
Dec 28 05:47:34 [IKEv1]: IP = 213.145.177.74, IKE_DECODE SENDING Message (msgid=4567d72b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Sending keep-alive of type DPD R-U-THERE (seq number 0x206d52a2)
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing blank hash payload
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing qm hash payload
Dec 28 05:47:48 [IKEv1]: IP = 213.145.177.74, IKE_DECODE SENDING Message (msgid=6a867e72) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:48 [IKEv1]: IP = 213.145.177.74, IKE_DECODE RECEIVED Message (msgid=10bc2df7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing hash payload
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing notify payload
Dec 28 05:47:48 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x206d52a2)
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Sending keep-alive of type DPD R-U-THERE (seq number 0x206d52a3)
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing blank hash payload
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing qm hash payload
Dec 28 05:47:58 [IKEv1]: IP = 213.145.177.74, IKE_DECODE SENDING Message (msgid=1a736217) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:58 [IKEv1]: IP = 213.145.177.74, IKE_DECODE RECEIVED Message (msgid=145261c9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing hash payload
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing notify payload
Dec 28 05:47:58 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x206d52a3)
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Sending keep-alive of type DPD R-U-THERE (seq number 0x206d52a4)
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing blank hash payload
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, constructing qm hash payload
Dec 28 05:48:08 [IKEv1]: IP = 213.145.177.74, IKE_DECODE SENDING Message (msgid=41b2dfa3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:48:08 [IKEv1]: IP = 213.145.177.74, IKE_DECODE RECEIVED Message (msgid=80017ea8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing hash payload
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, processing notify payload
Dec 28 05:48:08 [IKEv1 DEBUG]: Group = 213.145.177.74, IP = 213.145.177.74, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x206d52a4)

0
 
rdmlda commented:
All I see in the debugs are keepalives coming and going. This tells us that the VPN tunnel is up; if you do a "sh crypto isakmp sa" you should see that the tunnel has been created.

0
 
daxa78 (Author) commented:
ciscoasa(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 213.145.177.74
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

According to this the tunnel should be up and running, right?

But I'm still unable to ping any host on the inside...
0
 
rdmlda commented:
Correct, the VPN is up. Do a "sh crypto ipsec sa" to see the SAs and whether the traffic is reaching the peer device.

Regards,
0
 
daxa78 (Author) commented:
Yes, that's nice, but it does not help me much since I'm not able to ping any hosts :-)

Here is the output:

    Crypto map tag: outside_map, seq num: 1, local addr: 84.205.45.74

      access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      current_peer: 213.145.177.74

      #pkts encaps: 8640, #pkts encrypt: 8640, #pkts digest: 8640
      #pkts decaps: 9565, #pkts decrypt: 9565, #pkts verify: 9565
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8640, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.205.45.74, remote crypto endpt.: 213.145.177.74

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8D2860FD

    inbound esp sas:
      spi: 0xFD31AF72 (4247891826)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824291/17925)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8D2860FD (2368233725)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824862/17925)
         IV size: 8 bytes
         replay detection support: Y
0
 
rdmlda commented:
From where are you pinging? Because according to the information you posted, the traffic is flowing across the VPN.

      #pkts encaps: 8640, #pkts encrypt: 8640, #pkts digest: 8640
      #pkts decaps: 9565, #pkts decrypt: 9565, #pkts verify: 9565

Encaps is outgoing traffic and decaps is incoming traffic. Make sure you are trying to ping from a computer within the range 192.168.1.0/24 to a computer within the range 10.10.1.0/24.

If you are trying to ping from the ASA, you need to make sure that the management is on the correct interface and that you are sourcing the ping from the correct interface as well.

Regards,
0
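An added example (my own, not from the thread) that parses a "sh crypto ipsec sa" entry like the one posted above and applies the encaps/decaps reasoning to a given source and destination from this ASA's point of view. The sample output is trimmed from the thread's; the verdict strings are my heuristics, not ASA output.

```python
import ipaddress
import re

# Constructed sample, trimmed from the "sh crypto ipsec sa" output posted above.
IPSEC_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 84.205.45.74
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      current_peer: 213.145.177.74
      #pkts encaps: 8640, #pkts encrypt: 8640, #pkts digest: 8640
      #pkts decaps: 9565, #pkts decrypt: 9565, #pkts verify: 9565
      #send errors: 0, #recv errors: 0
"""

NET = r"(\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+)"  # address/netmask as the ASA prints it

def parse_ipsec_sa(text):
    """Pull the peer, the two protected subnets and the packet counters out of one SA entry."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "peer": grab(r"current_peer: (\S+)"),
        "local_net": ipaddress.ip_network(grab(r"local ident .*?: \(" + NET), strict=False),
        "remote_net": ipaddress.ip_network(grab(r"remote ident .*?: \(" + NET), strict=False),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
    }

def diagnose(sa, src_ip, dst_ip):
    """Classify a src->dst flow against this SA.

    Returns (direction, verdict): direction is 'outbound', 'inbound' or 'none';
    the verdict says where to look next, following the encaps/decaps reasoning above.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in sa["local_net"] and dst in sa["remote_net"]:
        direction = "outbound"
    elif src in sa["remote_net"] and dst in sa["local_net"]:
        direction = "inbound"
    else:
        return "none", "flow is outside the crypto ACL, so it never enters the tunnel"
    if sa["encaps"] == 0:
        return direction, "nothing is being encrypted here: check the crypto ACL and NAT exemption"
    if sa["decaps"] == 0:
        return direction, "packets leave but none return: check the remote side's ACL and NAT"
    return direction, "flowing both ways: IPsec is not at fault, look at the end host (e.g. ICMP blocked)"

if __name__ == "__main__":
    sa = parse_ipsec_sa(IPSEC_SA)
    print(sa["peer"], diagnose(sa, "10.10.1.5", "192.168.1.2"))
```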
 
daxa78 (Author) commented:
I'm trying to ping a server on the 192.168.1.0 network; it has the IP 192.168.1.2.

I'm trying from the 10.10.1.0 network.

0
 
daxa78 (Author) commented:
PS: Not trying from the ASA, trying from a computer on the 10.10.1.0 network.
0
 
rdmlda commented:
Have you tried to map a drive or something else besides ICMP?
0
 
daxa78 (Author) commented:
This is what I needed.
0
