Solved

IKE Initiator

Posted on 2009-12-29
Last Modified: 2012-05-08
A site2site VPN has recently started giving me trouble. At the Remote site that is giving me problems I have an ASA5505. The main location has an ASA5510.

The remote site is unable to connect to the VPN or the internet, but at the main site there are messages showing up about the remote location.

Here are the errors I am getting (I have only blocked out the external IPs):

03:02:25 713041 IP = (REMOTE SITE IP), IKE Initiator: New Phase 1, Intf inside, IKE Peer (REMOTE SITE IP) local Proxy Address 192.168.0.1, remote Proxy Address 192.168.10.0, Crypto map (outside_map)

03:02:25 713219 IP = (REMOTE SITE IP), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

03:03:30 713902 IP = (REMOTE SITE IP), Removing peer from peer table failed, no match!

03:03:30 713903 IP = (REMOTE SITE IP), Error: Unable to remove PeerTblEntry


Below I will post the configuration of the remote site's ASA
: Saved
:
ASA Version 7.2(4) 
!
hostname ***********
domain-name default.domain.invalid
enable password cG6huoT7zkzEam1d encrypted
passwd ********** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 192.168.0.1 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 192.168.0.1 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.0.1 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.248 
access-list camhh extended permit ip 192.168.10.0 255.255.255.0 any 
access-list remotesupp_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list in-out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotesupp_ippool 172.16.1.1-172.16.1.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in-out in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 172.16.1.0 255.255.255.248 inside
http 192.168.0.1 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer ****MAIN SITE IP**** 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.0.1 255.255.255.255 inside
telnet 172.16.1.0 255.255.255.248 inside
telnet timeout 5
ssh 65.68.21.56 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group homehealth request dialout pppoe
vpdn group homehealth localname ***************
vpdn group homehealth ppp authentication pap
vpdn username ************** password ********* 
dhcpd auto_config outside
!
dhcpd address 192.168.10.2-192.168.10.100 inside
dhcpd dns 192.168.0.1 ********** interface inside
dhcpd enable inside
!

group-policy remotesupp internal
group-policy remotesupp attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotesupp_splitTunnelAcl
username cisco password ************** encrypted
username ******* password *************** encrypted privilege 15
tunnel-group ****MAIN SITE IP**** type ipsec-l2l
tunnel-group ****MAIN SITE IP**** ipsec-attributes
 pre-shared-key *
tunnel-group remotesupp type ipsec-ra
tunnel-group remotesupp general-attributes
 address-pool remotesupp_ippool
 default-group-policy remotesupp
tunnel-group remotesupp ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e801bacb5dac260a7781027f7bbf137f
: end

Question by:pchmark
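As an added example (it is not part of the question or of any answer in this thread), the script below triages the hub-side messages quoted above. It parses ASDM-style "time, message ID, text" lines, groups them per IKE peer, and reports whether Phase 1 ever completed; it also checks the proxy identities printed in 713041 against the spoke's crypto ACL from the posted config (192.168.10.0/24 to host 192.168.0.1). The sample log is a constructed copy of the four lines with 198.51.100.20 standing in for the redacted remote IP, and the "healthy" contrast uses 713119 PHASE 1 COMPLETED, the standard ASA message for a successful Phase 1, which does not appear in the thread.

```python
"""ASA IKE-initiator syslog triage (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\d{6})\s+(.*?)\s*$")
PEER_RE = re.compile(r"IP = (\S+?),")
PROXY_RE = re.compile(r"local Proxy Address (\S+?), remote Proxy Address (\S+?),")

PHASE1_START = "713041"               # IKE Initiator: New Phase 1 (in the question)
PHASE1_DONE = "713119"                # PHASE 1 COMPLETED (standard ASA message, not in the question)
PEER_TEARDOWN = {"713902", "713903"}  # peer-table removal errors (in the question)


def parse(lines):
    """Turn 'HH:MM:SS <msgid> <text>' lines into event dicts; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg_id, text = m.groups()
        peer = PEER_RE.search(text)
        events.append({"time": ts, "id": msg_id, "text": text,
                       "peer": peer.group(1) if peer else None})
    return events


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def triage(events):
    """Map each peer to a one-line verdict on its Phase 1 negotiation."""
    by_peer = defaultdict(list)
    for e in events:
        if e["peer"]:
            by_peer[e["peer"]].append(e)
    verdicts = {}
    for peer, evs in by_peer.items():
        started = [e for e in evs if e["id"] == PHASE1_START]
        torn = [e for e in evs if e["id"] in PEER_TEARDOWN]
        if not started:
            verdicts[peer] = "no phase 1 attempt seen"
        elif any(e["id"] == PHASE1_DONE for e in evs):
            verdicts[peer] = "phase 1 completed"
        elif torn:
            gap = _seconds(torn[0]["time"]) - _seconds(started[0]["time"])
            verdicts[peer] = (
                f"phase 1 initiated but never completed; peer entry torn down "
                f"after {gap}s, consistent with no IKE reply from the peer "
                f"(check reachability and ISAKMP on the remote ASA)")
        else:
            verdicts[peer] = "phase 1 in progress"
    return verdicts


def proxy_ids(text):
    """(local, remote) proxy addresses from a 713041 message, or None."""
    m = PROXY_RE.search(text)
    return m.groups() if m else None


def mirrors(hub_local, hub_remote, spoke_src, spoke_dst):
    """True when the hub's proxy identities fall inside the spoke's crypto ACL
    (source, destination) networks, i.e. the two crypto ACLs mirror each other.
    713041 prints proxy addresses without a mask, so they are compared as hosts."""
    return (ipaddress.ip_address(hub_local) in ipaddress.ip_network(spoke_dst)
            and ipaddress.ip_address(hub_remote) in ipaddress.ip_network(spoke_src))


# Constructed replica of the question's four lines; 198.51.100.20 stands in
# for the redacted "(REMOTE SITE IP)".
SAMPLE_LOG = [
    "03:02:25 713041 IP = 198.51.100.20, IKE Initiator: New Phase 1, Intf inside, "
    "IKE Peer 198.51.100.20 local Proxy Address 192.168.0.1, remote Proxy Address "
    "192.168.10.0, Crypto map (outside_map)",
    "03:02:25 713219 IP = 198.51.100.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.",
    "03:03:30 713902 IP = 198.51.100.20, Removing peer from peer table failed, no match!",
    "03:03:30 713903 IP = 198.51.100.20, Error: Unable to remove PeerTblEntry",
]

# Constructed contrast: a peer whose Phase 1 did complete.
HEALTHY_LOG = [
    "04:10:02 713041 IP = 203.0.113.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer "
    "203.0.113.7 local Proxy Address 192.168.0.1, remote Proxy Address 192.168.10.0, Crypto map (outside_map)",
    "04:10:03 713119 Group = 203.0.113.7, IP = 203.0.113.7, PHASE 1 COMPLETED",
]

# Spoke-side crypto ACL (source, destination) from the posted config, outside_1_cryptomap.
SPOKE_ACL = ("192.168.10.0/24", "192.168.0.1/32")

if __name__ == "__main__":
    for name, log in (("question", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        for peer, verdict in triage(parse(log)).items():
            print(f"[{name}] {peer}: {verdict}")
    local, remote = proxy_ids(SAMPLE_LOG[0])
    print("crypto ACLs mirror:", mirrors(local, remote, *SPOKE_ACL))
```

On the question's lines the verdict is "initiated, never completed, torn down after 65s", which is the signature of a peer that never answers; the mirror check passes, so a proxy-ID mismatch can be ruled out from what is posted before looking at the line itself.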
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 26138607
The errors you see are probably the local site trying to access the remote and finding no remote device.

Obviously, if the remote ASA can't get to the internet, then of course there will be no VPN. So let's start with the internet issue.

When did it begin? Any changes to the ASA, external routing, ISP, etc.? Can the remote ASA's outside interface ping the gateway? Can it ping beyond the gateway to anything, i.e. 4.2.2.2?

Since it is PPPoE, a good test of the internet connection is to put a laptop connected to the PPPoE modem/router and try connecting to the ISP using the Windows PPPoE client. I would check that before anything else.
LVL 7

Expert Comment

by:geergon
ID: 26142805
It is correct, please check the internet connection first...

1. Can you ping the remote peer? Or 4.2.2.2
Or try to ping your default gateway...
2. if you try to trigger the tunnel from the remote side, what do you see if you do
"show crypto isakmp sa"
3. Are you able to do an ike-scan of your public IP?
http://www.nta-monitor.com/tools/ike-scan/
Do you see something?
Example: ike-scan PUBLIC_IP_REMOTE

Can you please attach the output of the "show arp" command.
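geergon's second step asks what `show crypto isakmp sa` reports when the tunnel is triggered from the remote side. The author never posted that output, so the script below is an added example (not from this thread) that parses a constructed sample in the ASA 7.x layout and maps the ISAKMP state to the next check. The hints are the standard meaning of each main-mode wait state seen from the initiator, in this example's own wording; the peer address and both sample outputs are constructed. An initiator that gets no reply at all sits in MM_WAIT_MSG2, which is the state to expect when the peer's internet link is down.

```python
"""Reading `show crypto isakmp sa` on an ASA (added example, not from the thread)."""
import re

SA_PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
TYPE_ROLE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
REKEY_STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")

# Initiator-side ISAKMP states and the check each one points at.
STATE_HINTS = {
    "MM_ACTIVE": "Phase 1 is up; if no traffic flows, move on to Phase 2 "
                 "(show crypto ipsec sa) and the crypto ACLs",
    "AM_ACTIVE": "Phase 1 (aggressive mode) is up; check Phase 2 next",
    "MM_WAIT_MSG2": "main-mode message 1 sent and nothing came back: peer "
                    "unreachable, UDP/500 filtered, or ISAKMP not enabled on "
                    "the peer's outside interface",
    "MM_WAIT_MSG4": "peer accepted the proposal but its key exchange never "
                    "arrived: the peer is reachable, so this is not a "
                    "connectivity problem",
    "MM_WAIT_MSG6": "peer went quiet after our authentication message: "
                    "reachable peer, most often a pre-shared key mismatch",
}
NO_SA_HINT = ("no ISAKMP SA at all: nothing has matched the crypto ACL yet, or "
              "the crypto map / isakmp is not active on the outside interface; "
              "send interesting traffic from the inside and re-run")


def parse_isakmp_sa(output):
    """Return one dict per SA entry: peer, type, role, rekey, state, hint."""
    entries, current = [], None
    for line in output.splitlines():
        m = SA_PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue
        m = TYPE_ROLE_RE.search(line)
        if m:
            current["type"], current["role"] = m.groups()
        m = REKEY_STATE_RE.search(line)
        if m:
            current["rekey"], current["state"] = m.groups()
            current["hint"] = STATE_HINTS.get(
                current["state"], "unrecognised state; compare with the peer's view")
    return entries


def summarize(output):
    """One line per SA, or the no-SA hint when the table is empty."""
    entries = parse_isakmp_sa(output)
    if not entries:
        return NO_SA_HINT
    return "\n".join(
        f"{e['peer']} ({e.get('role', '?')}, {e.get('state', '?')}): {e.get('hint', '')}"
        for e in entries)


# Constructed: what the remote ASA would show while failing to reach the
# main site (initiator stuck waiting for the first reply).
STUCK_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed: no SA at all, i.e. the crypto map was never triggered.
EMPTY_OUTPUT = "There are no isakmp sas\n"

if __name__ == "__main__":
    print(summarize(STUCK_OUTPUT))
    print(summarize(EMPTY_OUTPUT))
```

Run it against the real output pasted from the remote ASA after sending interesting traffic (a ping from 192.168.10.x to 192.168.0.1 in this thread's addressing); the state tells you whether to keep chasing the line or to look at keys and policies.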

Author Comment

by:pchmark
ID: 26147694
Nothing has changed on the ASA for over 1 year. This has happened for about 3 months now. I went to the site and checked a few things on it. The internet does work from the modem. I believe I know what a possible solution to this is. They have DSL. I checked the phone system and there is no filter on it, so this could be the cause of the internet/VPN dropping.
LVL 33

Accepted Solution

by:MikeKane (earned 2000 total points)
ID: 26147916
Very possible.   Without the Filters on the lines, telephone signals can interfere with the DSL service...  

LVL 33

Expert Comment

by:MikeKane
ID: 27618237
I'm checking back on my older, open items...   was there anything else we could answer for you in relation to this post?