Moved ASA5510 to colocation, now site-to-site VPN not working (can ping servers from one router and VPN says it is up)

I had a Cisco PIX 502 and an ASA 5510 working perfectly at the local location. Now I shipped the 5510 to a colocation after changing its IP address and get no love all of a sudden.

From the PIX (local) I can get in and ping the servers at the colocation, but no traffic is routing between the two.

So from the PIX 502 I can ping 192.168.26.10, but from 192.168.4.10 I cannot ping 192.168.26.10.

+---------------+     +--------------+     +--------------+     +---------------+
| 192.168.4.0/  |     | PIX 502      |     | ASA 5510     |     | 192.168.26.0/ |
| 255.255.255.0 |-----| 10.1.10.164  |-----| 10.10.10.162 |-----| 255.255.255.0 |
| Local         |     |              |     |              |     | colo          |
+---------------+     +--------------+     +--------------+     +---------------+


Can someone see what I missed before shipping?

---- PIX config ------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname PIX502E
domain-name domain.com
clock timezone GMT
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list colo_access permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list colo_access permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
pager lines 1000
logging on
logging history informational
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.1.10.164 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnrange 172.23.23.10-172.23.23.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.4.10 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.4.10 https dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.10.161 1
route inside ISApool 255.255.255.0 192.168.4.7 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184
snmp-server location city
snmp-server contact person
snmp-server community snmppass
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto map newmap 40 match address colo_access
crypto map newmap 40 set peer 10.10.10.162
crypto map newmap 40 set transform-set esp-3des-md5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key XXXXX address 10.10.10.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn1 address-pool vpnrange
vpngroup vpn1 dns-server 192.168.4.10
vpngroup vpn1 default-domain domain.com
vpngroup vpn1 split-tunnel ptechvpn_splitTunnelAcl
vpngroup vpn1 idle-time 7200
vpngroup vpn1 password XXXXXX
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.4.155-192.168.4.230 inside
dhcpd dns 192.168.4.10 192.168.4.11
dhcpd wins 192.168.4.10 192.168.4.11
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
dhcpd enable inside
username admin password XXXXXX encrypted privilege 15
username jpadmin password XXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:hex#s
------ end pix config -----


----- 5510 config ------
ASA Version 8.2(2)
!
hostname ASA-5510
domain-name domain.com
enable password XXXX encrypted
passwd XXXX encrypted
no names

!
interface Ethernet0/0
 nameif internet
 security-level 0
 ip address 10.10.10.162 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 75
 ip address 192.168.26.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup internet
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.4.10
 name-server 192.168.26.10
 domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.26.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.25.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list internet_access_in extended permit object-group TCPUDP any host 10.10.10.162 eq www
access-list internet_access_in extended permit tcp any host 10.10.10.162 eq https
access-list internet_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 10.10.10.162 eq smtp
access-list internet_access_in extended permit icmp any any
access-list internet_cryptomap_0 extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list internet_cryptomap_0 extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list vpns extended permit ip 192.168.4.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list Split_tunnel_list remark Internal colo network.
access-list Split_tunnel_list standard permit 192.168.26.0 255.255.255.0
access-list Split_tunnel_list remark HQ IP address
access-list Split_tunnel_list standard permit 192.168.4.0 255.255.255.0
access-list internet_cryptomap extended permit ip 192.168.26.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list internet_3_cryptomap extended permit ip 192.168.26.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu internet 1500
mtu inside 1500
mtu management 1500
ip local pool CLIENT_VPNS 192.168.27.100-192.168.27.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (internet) 101 192.168.26.2-192.168.26.254 netmask 255.255.255.0
global (internet) 102 interface
nat (internet) 102 192.168.26.0 255.255.255.0
nat (inside) 0 access-list vpns
nat (inside) 102 192.168.26.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 102 0.0.0.0 0.0.0.0
static (inside,internet) tcp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) udp interface www 192.168.26.107 www netmask 255.255.255.255
static (inside,internet) tcp interface https 192.168.26.102 https netmask 255.255.255.255
static (inside,internet) tcp interface smtp 192.168.26.102 smtp netmask 255.255.255.255
access-group internet_access_in in interface internet
access-group inside_access_in in interface inside
route internet 0.0.0.0 0.0.0.0 10.10.10.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 192.168.26.103
 nt-auth-domain-controller 192.168.26.10
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.4.0 255.255.255.0 inside
http 192.168.26.0 255.255.255.0 inside
snmp-server host inside 192.168.4.184 poll community snmpcomm version 2c
snmp-server location colo
snmp-server contact user
snmp-server community snmpcomm
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 1 match address internet_cryptomap_0
crypto map internet_map 1 set pfs
crypto map internet_map 1 set peer 10.1.10.164
crypto map internet_map 1 set transform-set ESP-3DES-MD5
crypto map internet_map 2 match address internet_cryptomap
crypto map internet_map 2 set peer 69.199.70.22
crypto map internet_map 2 set transform-set ESP-3DES-MD5
crypto map internet_map 2 set reverse-route
crypto map internet_map 3 match address internet_3_cryptomap
crypto map internet_map 3 set pfs
crypto map internet_map 3 set peer 66.244.163.138
crypto map internet_map 3 set transform-set ESP-3DES-MD5
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto isakmp enable internet
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.26.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 inside
ssh 192.168.26.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.26.25-192.168.26.50 inside
dhcpd dns 192.168.26.103 192.168.4.19 interface inside
dhcpd domain domain.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.50-192.168.1.75 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.26.111 /
webvpn
 port 9943
 enable internet
 dtls port 9943
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-macosx-powerpc-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
 svc enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.26.103 192.168.4.19
 dns-server value 192.168.26.103 192.168.4.19
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value domain.com
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.26.103
 dns-server value 192.168.26.103
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-dns value domain.com
group-policy phonehome internal
group-policy phonehome attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy RS internal
group-policy RS attributes
 wins-server value 192.168.26.103 192.168.4.19
 dns-server value 192.168.26.103 192.168.4.19
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
 default-domain value domain.com
 webvpn
  svc ask enable default svc timeout 30
group-policy TAC internal
group-policy TAC attributes
 vpn-tunnel-protocol svc
username user1 password B0GUs77hGXhsoEV3 encrypted privilege 1
username user2 password sxjjNM2lkzE2IKMa encrypted privilege 15
username cisco password C2w56cH7RedRxnln encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool CLIENT_VPNS
 authentication-server-group DOMAIN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key XXXXX
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp ikev1-user-authentication none
tunnel-group 10.1.10.164 type ipsec-l2l
tunnel-group 10.1.10.164 ipsec-attributes
 pre-shared-key XXXXX
tunnel-group CLIENT_VPN type remote-access
tunnel-group CLIENT_VPN general-attributes
 authentication-server-group DOMAIN
 default-group-policy RS
tunnel-group CLIENT_VPN ipsec-attributes
 pre-shared-key XXXX
tunnel-group RS type remote-access
tunnel-group RS general-attributes
 address-pool CLIENT_VPNS
 authentication-server-group DOMAIN
 authentication-server-group (inside) DOMAIN
 default-group-policy RS
tunnel-group RS webvpn-attributes
 group-alias RS enable
 group-url https://10.10.10.164:9943/domain enable
tunnel-group RS ipsec-attributes
 pre-shared-key XXXX
tunnel-group RS ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXX
----- end 5510 config -----
cisco_idiotAsked:
cisco_idiotAuthor Commented:
And of course before I shipped, everything worked with no issues. The only thing I changed was IP addresses.
0
gavvingCommented:
Everything seems to look ok.  Can you post the output of some commands to help give us more info?

show crypto isakmp sa
and
show crypto ipsec sa
0
cisco_idiotAuthor Commented:
Yeah, this is now more confusing to me: I see the old IP from before the box was shipped but nothing from the new location.

How am I getting ping replies?

PIX502# ping 192.168.26.103
        192.168.26.103 response received -- 60ms
        192.168.26.103 response received -- 60ms
        192.168.26.103 response received -- 50ms
PIX502# show crypto isakmp sa
Total     : 15
Embryonic : 0
        dst               src        state     pending     created
   10.1.10.164   YYY.XXX.ZZZ.148    QM_IDLE         0           1
   10.1.10.164   YYY.XXX.ZZZ.127    QM_IDLE         0           1
   10.1.10.164   YYY.XXX.ZZZ.65     QM_IDLE         0           1
   10.1.10.164   YYY.XXX.ZZZ.65     QM_IDLE         0           1
   10.1.10.164   YYY.XXX.ZZZ.107    QM_IDLE         0           2
   10.1.10.164   YYY.XXX.ZZZ.193    QM_IDLE         0           3
   10.1.10.164   YYY.XXX.ZZZ.215    QM_IDLE         0           2
   10.1.10.164   YYY.XXX.ZZZ.223    QM_IDLE         0           2
   10.1.10.164   YYY.XXX.ZZZ.174    QM_IDLE         0           2
   10.1.10.164   YYY.XXX.ZZZ.5      QM_IDLE         0           1
   YYY.XXX.ZZZ.138    10.1.10.164    QM_IDLE         0           3
   10.1.10.164   YYY.XXX.ZZZ.178    QM_IDLE         0           1
   10.1.10.164   YYY.XXX.ZZZ.201    QM_IDLE         0           2
   YYY.XXX.ZZZ.22    10.1.10.164    QM_IDLE         0           2
   10.1.10.164    YYY.XXX.ZZZ.198    QM_IDLE         0           3


PIX502# show crypto ipsec sa


interface: outside
    Crypto map tag: newmap, local addr. 10.1.10.164

<pulled all dynamic entries>


   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.26.0/255.255.255.0/0/0)
   current_peer: 10.1.10.166:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6709, #pkts encrypt: 6709, #pkts digest 6709
    #pkts decaps: 3445, #pkts decrypt: 3445, #pkts verify 3445
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 148246, #recv errors 0

     local crypto endpt.: 10.1.10.164, remote crypto endpt.: 10.1.10.166   <------ this is what the machine was named before shipping; that IP no longer has anything assigned
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
   current_peer: 10.1.10.166:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 445, #recv errors 0

     local crypto endpt.: 10.1.10.164, remote crypto endpt.: 10.1.10.166 <------ this is what the machine was named before shipping; that IP no longer has anything assigned
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   
0
gavvingCommented:
Did you clear out or reboot the end that didn't get moved or changed?  Try this on both ends:

clear crypto isakmp sa
clear crypto ipsec sa

0
cisco_idiotAuthor Commented:
Yes that makes more sense to me.

(had to do a reload as the clear crypto is not available on the PIX)

PIX502# ping 192.168.26.10
      192.168.26.10 response received -- 70ms
      192.168.26.10 response received -- 50ms
      192.168.26.10 response received -- 50ms
PIX502# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   10.1.10.164     10.10.10.162    QM_IDLE         0           1
PIX502# show crypto ipsec sa


interface: outside
    Crypto map tag: newmap, local addr. 10.1.10.164


   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.26.0/255.255.255.0/0/0)
   current_peer: 10.10.10.162:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 10.1.10.164, remote crypto endpt.: 10.10.10.162
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: a7ed9271

     inbound esp sas:
      spi: 0x17ca2a94(399125140)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: newmap
        sa timing: remaining key lifetime (k/sec): (4608000/28691)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xa7ed9271(2817364593)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: newmap
        sa timing: remaining key lifetime (k/sec): (4607999/28686)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.27.0/255.255.255.0/0/0)
   current_peer: 10.10.10.162:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.10.164, remote crypto endpt.: 10.10.10.162
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:
0
gavvingCommented:
I'm not sure I trust the ping replies directly from the PIX502.  Historically it wasn't possible to ping through a VPN tunnel until ASA 7.x implemented the 'management-access' command.  What is the result of attempting to source traffic from either the 192.168.4.0 network or the 192.168.26.0 network?
0
cisco_idiotAuthor Commented:
From the 192.168.4.x network I get no replies:

[name@103 ~]$ ping 192.168.26.10
PING 192.168.26.10 (192.168.26.10) 56(84) bytes of data.
^C
--- 192.168.26.10 ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 14175ms

From the 192.168.26.x network I will have to wait till tomorrow, as my counterpart over there has now left.
0
zwart072Commented:
Where is your no-NAT statement specific for your IPsec traffic? It seems your IPsec traffic gets NATted now, which it shouldn't.

Create a no-NAT statement for your IPsec traffic, like this:
access-list nonat extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0


!--- Access-list for traffic to bypass the network address
!--- translation (NAT) process.

nat (inside) 0 access-list nonat
0
cisco_idiotAuthor Commented:
Thanks Zwart072, but this is where the no-NATing should be taking place, correct?

access-list 100 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0

nat (inside) 0 access-list 100

Isn't this the same?
0
zwart072Commented:
No, it is not the same. Access-list 100 is configured on the PIX, which is OK, but you have to do it also in inverse on the ASA!!

Both access-lists on both devices should also be a "mirror" of each other.
0
cisco_idiotAuthor Commented:
And then on the backward path this should be stripping the NAT as well (ASA side):

access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (inside) 0 access-list vpns

Let me know if I am wrong; after staring at these things too long I get a bit stupid.
0
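The two checks argued over in the last few comments (the crypto ACLs on the PIX and ASA must be mirror images, and each side's nat 0 ACL must cover what the crypto ACL selects) as a script, added here and not from the thread or any Cisco tool. It parses only the line shapes present in the posted configs, with the PIX `name` aliases resolved; the config excerpts are constructed from those posts.

```python
"""Check that two IPsec peers' crypto ACLs mirror each other and that each
side's NAT-exemption (nat 0) ACL covers the traffic the crypto ACL selects.

Added example, not from the thread or from any Cisco tool. It understands
only the line shapes that appear in the posted configs: PIX 'name' aliases,
'access-list ... permit ip <src> <dst>' entries, 'nat (...) 0 access-list X'
and 'crypto map ... match address X'. Everything else is ignored.
"""
import ipaddress

# Constructed excerpts of the two posted configs (relevant lines only).
PIX_CONFIG = """
name 192.168.26.0 colo
name 192.168.27.0 colo-vpns
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
access-list colo_access permit ip 192.168.4.0 255.255.255.0 colo 255.255.255.0
access-list colo_access permit ip 192.168.4.0 255.255.255.0 colo-vpns 255.255.255.0
nat (inside) 0 access-list 100
crypto map newmap 40 match address colo_access
"""

ASA_CONFIG = """
access-list internet_cryptomap_0 extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list internet_cryptomap_0 extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.26.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip 192.168.27.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpns extended permit ip any 192.168.27.0 255.255.255.0
nat (inside) 0 access-list vpns
crypto map internet_map 1 match address internet_cryptomap_0
"""


def _take_network(tokens, names):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK') and
    return it as an ip_network, resolving PIX 'name' aliases."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_config(text):
    """Return the IP ACEs per ACL plus which ACLs drive nat 0 and crypto maps."""
    names, acls, nat0, crypto = {}, {}, [], []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) == 3 and t[0] == "name":
            names[t[2]] = t[1]                      # alias -> address
        elif t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit")
            if t[i + 1] != "ip":                    # tcp/udp/icmp ACEs are not tunnel selectors here
                continue
            rest = t[i + 2:]
            src = _take_network(rest, names)
            dst = _take_network(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto.append(t[t.index("address") + 1])
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def _entries(cfg, acl_names):
    return [e for n in acl_names for e in cfg["acls"].get(n, [])]


def mirror_mismatches(local, remote):
    """Crypto ACEs on either side whose (dst, src) reversal is absent on the other."""
    l = set(_entries(local, local["crypto"]))
    r = set(_entries(remote, remote["crypto"]))
    missing_on_remote = sorted((s, d) for s, d in l if (d, s) not in r)
    missing_on_local = sorted((s, d) for s, d in r if (d, s) not in l)
    return missing_on_remote, missing_on_local


def unexempted(cfg):
    """Crypto ACEs not covered by any nat 0 ACE; that traffic would be NATted
    before encryption and never match the peer's crypto ACL."""
    exempt = _entries(cfg, cfg["nat0"])
    return [(s, d) for s, d in _entries(cfg, cfg["crypto"])
            if not any(s.subnet_of(xs) and d.subnet_of(xd) for xs, xd in exempt)]


def check_pair(local_text, remote_text):
    """Run both checks; every list empty means the two sides agree."""
    local, remote = parse_config(local_text), parse_config(remote_text)
    missing_remote, missing_local = mirror_mismatches(local, remote)
    return {
        "missing_on_remote": missing_remote,
        "missing_on_local": missing_local,
        "local_natted": unexempted(local),
        "remote_natted": unexempted(remote),
    }


if __name__ == "__main__":
    for key, problems in check_pair(PIX_CONFIG, ASA_CONFIG).items():
        print(f"{key}: {[f'{s} -> {d}' for s, d in problems] or 'ok'}")
```

On the posted configs every list comes back empty, which agrees with the thread's eventual finding that the ACLs were not the problem; delete one ACE from either side and the script names the unmirrored selector.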
gavvingCommented:
Can you give the 'show crypto ipsec sa' information from both sides?  Does it show the traffic being sent/received in only one direction?  That can help troubleshoot the problem as well.
0
cisco_idiotAuthor Commented:
Trying to get information from the other side. Sorry it takes forever; it's not on the action list for the people over there.
0
cisco_idiotAuthor Commented:
OK, I finally got a response back from the other side.

The tunnel is definitely not connected.

ASA5510#ping 192.168.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.19, timeout is 2 seconds:
?????
Sucess rate is 0 percent (0/5)
ASA5510#Show crypto isakmp sa

There are no isakmp sas
ASA5510#show crypto ipsec sa

There are no ipsec sas

How do I force the connection and find out where it is failing?
0
cisco_idiotAuthor Commented:
OK, here is the debug from crypto isakmp 4 (times change, but since I have no copy/paste ability they are the same since I have to type):

apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 6 20:32:14 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
apr 06 20:32:29 [IKEv1]: IP = 10.1.10.164, IKE initiator: New Phase 1, Intf inside, IKE peer 10.1.10.164 local Proxy Adress 192.168.26.0, remote Proxy Address 192.168.4.0, Crypto_map (internet_map)

And then it repeats.
0
gavvingCommented:
I just noticed that PFS is enabled on the ASA end.  Try removing that.  

no crypto map internet_map 1 set pfs

Also for a ping to work directly from a PIX/ASA and go through the vpn tunnel you have to specify to source the traffic from the inside interface.  

from the ASA:
ping inside 192.168.4.10

You may also need to set the "management-access inside" command for that to work.  From the PIX running 6.3x or earlier, that command isn't supported.
0
cisco_idiotAuthor Commented:
OK, after removing the PFS on the ASA I get no joy pinging from a host on either side through the VPN (timeouts), and what might be even worse is the debug now provides no information. The ASA also produces nothing and the tunnel appears to be down.

ASA5510#ping inside 192.168.4.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.10, timeout is 2 seconds:
?????
Sucess rate is 0 percent (0/5)
ASA5510#Show crypto isakmp sa

There are no isakmp sas
ASA5510#show crypto ipsec sa

There are no ipsec sas
0
cisco_idiotAuthor Commented:
OK, boosted debug up to 10 to start getting more information:

<DATE TIME> [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
<DATE TIME> [IKEv1 DEBUG]: Pitcher: received a key acquired message, spi 0x0
(repeats a bunch)
<DATE TIME> [IKEv1 DEBUG]: IP = 10.1.10.164, IKE MM Initiator FSM error history (struct &0xd78814e8) <state>, <event>: MM_DONE, EV_ERROR--MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG1->>MMSND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV RETRY
<DATE TIME>[IKEv1 DEBUG]: IP = 10.1.10.164,  IKE SA MM:fcdd4e37 terminating: flags 0x01000022, refcnt 0, tuncnt0
<DATE TIME> [IKEv1 DEBUG]: IP = 10.1.10.164 sending delete/delete with reason message
0
cisco_idiotAuthor Commented:
And a full section from debug #10:
Apr 06 21:25:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 06 21:25:45 [IKEv1]: IP = 10.1.10.164, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.1.10.164  local Proxy Address 192.168.26.0, remote Proxy Address 192.168.4.0,  Crypto map (internet_map)
Apr 06 21:25:45 [IKEv1 DEBUG]: IP = 10.1.10.164, constructing ISAKMP SA payload
Apr 06 21:25:45 [IKEv1 DEBUG]: IP = 10.1.10.164, constructing NAT-Traversal VID ver 02 payload
Apr 06 21:25:45 [IKEv1 DEBUG]: IP = 10.1.10.164, constructing NAT-Traversal VID ver 03 payload
Apr 06 21:25:45 [IKEv1 DEBUG]: IP = 10.1.10.164, constructing NAT-Traversal VID ver RFC payload
Apr 06 21:25:45 [IKEv1 DEBUG]: IP = 10.1.10.164, constructing Fragmentation VID + extended capabilities payload
Apr 06 21:25:45 [IKEv1]: IP = 10.1.10.164, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:25:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 06 21:25:46 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.
Apr 06 21:25:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 06 21:25:48 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 06 21:25:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 06 21:25:49 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 06 21:25:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 06 21:25:51 [IKEv1]: IP = 10.1.10.164, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 06 21:25:53 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:01 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:09 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:17 [IKEv1 DEBUG]: IP = 10.1.10.164, IKE MM Initiator FSM error history (struct &0xd78814e8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Apr 06 21:26:17 [IKEv1 DEBUG]: IP = 10.1.10.164, IKE SA MM:43d53219 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Apr 06 21:26:17 [IKEv1 DEBUG]: IP = 10.1.10.164, sending delete/delete with reason message
0
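Reading the debug above: main-mode message 1 (msgid=0) is sent, resent three times, and the FSM history ends in MM_WAIT_MSG2, so a reply to the very first IKE message never arrived. The triage script below extracts exactly that from such an excerpt; it is added here and is not part of the thread, the sample lines are constructed from the posted debug, and the state-to-cause hints are general IKEv1 troubleshooting knowledge rather than something the thread states.

```python
"""Triage an ASA 'debug crypto isakmp' excerpt for an IKEv1 main-mode
initiator that never completes Phase 1.

Added example, not from the thread. It parses only the line shapes visible
in the posted debug output; SAMPLE_DEBUG is constructed from those lines.
"""
import re

SAMPLE_DEBUG = """\
Apr 06 21:25:45 [IKEv1]: IP = 10.1.10.164, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.1.10.164  local Proxy Address 192.168.26.0, remote Proxy Address 192.168.4.0,  Crypto map (internet_map)
Apr 06 21:25:45 [IKEv1]: IP = 10.1.10.164, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:25:53 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:01 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:09 [IKEv1]: IP = 10.1.10.164, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 240
Apr 06 21:26:17 [IKEv1 DEBUG]: IP = 10.1.10.164, IKE MM Initiator FSM error history (struct &0xd78814e8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Apr 06 21:26:17 [IKEv1 DEBUG]: IP = 10.1.10.164, IKE SA MM:43d53219 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# Which main-mode message the initiator is waiting for in each wait state is
# fixed by IKEv1; the causes listed are the common ones, not an exhaustive set.
WAIT_STATE_HINTS = {
    "MM_WAIT_MSG2": "no reply to MM1 (our SA proposal): UDP/500 to the peer is "
                    "blocked or misrouted, the peer has no tunnel-group/isakmp "
                    "key for our address, or no ISAKMP policy matches",
    "MM_WAIT_MSG4": "MM2 arrived but MM3 (key exchange) got no reply: look at "
                    "the responder's debug, the failure is on that side",
    "MM_WAIT_MSG6": "MM5 (identity + auth hash) got no reply: commonly a "
                    "pre-shared key mismatch or an identity/peer-address mismatch",
}

PEER_RE = re.compile(r"IKE Peer (\d+\.\d+\.\d+\.\d+)")
MSGID_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING) Message \(msgid=(\d+)\)")
FSM_RE = re.compile(r"FSM error history.*?-->(\w+)")


def triage_ikev1(debug_text):
    """Summarise one Phase 1 attempt: peer, how often MM1 was retransmitted,
    the state in which the SA died, and what that state implies."""
    result = {"peer": None, "msg1_sent": 0, "msg1_retransmits": 0,
              "failed_state": None, "terminated": False, "diagnosis": None}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            result["peer"] = m.group(1)
        m = MSGID_RE.search(line)
        if m and m.group(2) == "0":             # msgid 0 = main mode (Phase 1)
            key = "msg1_sent" if m.group(1) == "SENDING" else "msg1_retransmits"
            result[key] += 1
        m = FSM_RE.search(line)
        if m:
            # The history is newest-first; the first '-->' target is the
            # state the FSM was in when EV_ERROR fired.
            result["failed_state"] = m.group(1)
        if " terminating:" in line:
            result["terminated"] = True
    state = result["failed_state"]
    if state is None:
        result["diagnosis"] = "no main-mode failure recorded in this excerpt"
    else:
        result["diagnosis"] = WAIT_STATE_HINTS.get(state, f"failed in {state}")
    return result


if __name__ == "__main__":
    for k, v in triage_ikev1(SAMPLE_DEBUG).items():
        print(f"{k:17}: {v}")
```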
cisco_idiotAuthor Commented:
Well, good news: now I can at least get to the ASDM from the internal network. However, it says it is connected to the site-to-site network but still no traffic is passing between the two. I ran one of the traces and the packets say they should pass through NATs and everything.
0
gavvingCommented:
Is it possible that there's something in the middle that's blocking ipsec traffic?  The debug info wasn't very helpful unfortunately.  
0

cisco_idiotAuthor Commented:
That is the big question. I did have firewall issues before getting this installed and was just told that everything was open to the 10.10.10.162 address, but I will let you know.
0
cisco_idiotAuthor Commented:
Well, after all that the ISP changed "nothing", but all VPN connections started working. I am pretty sure they finally allowed ESP and AH protocols through.
0