Second Site-to-Site VPN on a crypto map not coming up

tphipps
I've got a ASA 5510 running ASA 8.2(2) happily serving a single Site-to-Site VPN tunnel. Now, I'm trying to add a second tunnel on the same interface and running into issues. Although the second tunnel is defined and looks OK in the config, I don't see it in the output of "sh crypto isakmp sa". Only the first tunnel shows and it's up and active.

If I enable isakmp and ipsec debugging and do a "clear isakmp sa",  I see the first tunnel connecting and coming up, but the ASA doesn't even seem to be trying to bring up the second tunnel. No connection attempts, no errors.

Here's what I have configured (relevant parts only). In this example, 11.11.11.11 is the ASA at Site1, 22.22.22.22 is the ASA at Site2, and 99.99.99.99 is my local outside interface.

object-group service SiteToSiteVPN
 service-object esp
 service-object udp eq isakmp
object-group network SiteToSiteVPNSources
 network-object host 11.11.11.11
 network-object host 22.22.22.22

access-list OUTSIDE-TO-INSIDE extended permit object-group SiteToSiteVPN object-group SiteToSiteVPNSources host 99.99.99.99

access-list FIRST-SITE-TO-SITE-VPN extended permit ip object-group SiteToSiteVPN-Site1-Targets object-group SiteToSiteVPN-Site1-Sources
access-list SECOND-SITE-TO-SITE-VPN extended permit ip object-group SiteToSiteVPN-Site2-Targets object-group SiteToSiteVPN-Site2-Sources
(these object groups are setup with appropriate source/target IP in each end's private address space)

nat (outside) 0 access-list VPN-NO-NAT
nat (inside) 0 access-list VPN-NO-NAT
(appropriate ACLs are setup to prevent NAT on the VPN traffic)

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SITE-TO-SITE-VPN 1 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 1 set peer 11.11.11.11
crypto map SITE-TO-SITE-VPN 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map SITE-TO-SITE-VPN 1 set security-association lifetime seconds 604800
crypto map SITE-TO-SITE-VPN 1 set security-association lifetime kilobytes 1024000000
crypto map SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 2 set peer 22.22.22.22
crypto map SITE-TO-SITE-VPN 2 set transform-set ESP-3DES-SHA
crypto map SITE-TO-SITE-VPN 2 set security-association lifetime seconds 28800
crypto map SITE-TO-SITE-VPN 2 set security-association lifetime kilobytes 1024000000
crypto map SITE-TO-SITE-VPN interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key *****
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key *****

Here's the output of "sh crypto isakmp sa" - only the Site1 tunnel is showing:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.11.11.11
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Any questions or clarifications needed, please ask!
Nico Eisma, Senior Network Engineer

Commented:
are you configuring via ASDM or via CLI? do you have an IP route towards the 2nd peer ip and the 2nd peer internal network? and finally do you have NAT exemption rule for your VPN internal networks?

Author

Commented:
I'm configuring via CLI.  ASDM creates meaningless names for all the objects and clutters the configuration greatly.

Both Site1 and Site2 peers (11.11.11.11 and 22.22.22.22 respectively in the config example) are  connected via the Internet and so should be covered by the default route (which is "route outside 0.0.0.0 0.0.0.0 ISP-gateway-ip 1"). No more specific routes exist for either destination and the VPN to Site1 is up.

I don't have a route to the internal networks in Site1 or Site2. I simply have both site's internal networks listed in the access list referenced in "nat (outside) 0" and "nat (inside) 0". I wasn't aware that a more specific route was required for a VPN tunnel. If so, where would I point the route to? The Site2 peer IP?
I think your problem is in the match ACLs

crypto map SITE-TO-SITE-VPN 1 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN

You can't use the same ACL for both site-to-site VPNs.
Change

crypto map SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN

To

crypto map SITE-TO-SITE-VPN 2 match address SECOND-SITE-TO-SITE-VPN

Author

Commented:
IntearaX,

Thanks for the input. Sorry - that was my mistake in transcribing/obfuscating sensitive names in the config while writing the question on EE. The running config does have these set correctly, in this case:

crypto map SITE-TO-SITE-VPN 1 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 2 match address SECOND-SITE-TO-SITE-VPN

As an aside, even if it was set wrongly, the tunnel should still come up or at least attempt to start, no? The ASA shouldn't be waiting for traffic to match the rule before attempting a connection...

Sorry for the transcription error!
The ASA always waits for traffic before initiating the tunnel. This is a method of saving resources until required.

Have you run a debug on ISAKMP to see if the second tunnel is attempting to come up?

Author

Commented:
InteraX,

Interesting - thanks, I didn't realize the tunnel start was delayed until traffic arrived. There must be enough traffic on the current link to bring it up immediately when it's created/reset.

So, I've made the ACL for the match address on Site2's crypto map much more liberal until this is working, specifically:

access-list SECOND-SITE-TO-SITE-VPN extended permit ip <local inside net> 255.255.255.0 <site2 inside net> 255.255.255.0
access-list SECOND-SITE-TO-SITE-VPN extended permit icmp <local inside net> 255.255.255.0 <site2 inside net> 255.255.255.0

If I do this with "debug crypto isakmp" turned on, I immediately get this message:

[IKEv1]: Ignoring msg to mark SA with specified coordinates <SITE-TO-SITE-VPN, 2> dead

As before, no other debug info on the Site2 VPN shows up - no connection attempt, no failures, nothing. I see the Site1 VPN doing keepalives every few seconds but that's all.  I'm throwing pings at the destination internal network from my local internal network (this should match the icmp ACL), and direct port connects also, trying to trigger the tunnel to come up, but nothing. I'm expecting it's something to do with the above error, which I'm trying to research the meaning of now.

Any ideas?

Author

Commented:
Tried reloading as per this thread: https://supportforums.cisco.com/thread/223723  No dice :-(
What I have done when getting problems with ISAKMP in the past is to set the debugging for isakmp to maximum for a very short period and then trawl through the logs to try to find out what is happening. BEWARE! This will generate a LOT of information to trawl through.

debug crypto isakmp 255

Then very shortly afterwards

no debug crypto isakmp
You might want to re-initialise isakmp after the debug.

clear isakmp sa

This will cause all ISAKMP SAs to be removed and restarted, including the working one, so you will have to iron out this.

It may be useful to have a ping running in the background.
BTW, the second ACE is unnecessary as ICMP is a subset of IP.

access-list SECOND-SITE-TO-SITE-VPN extended permit ip <local inside net> 255.255.255.0 <site2 inside net> 255.255.255.0
access-list SECOND-SITE-TO-SITE-VPN extended permit icmp <local inside net> 255.255.255.0 <site2 inside net> 255.255.255.0

Author

Commented:
InteraX,

Many thanks. The tunnel is up. The issue was that the NAT exemption wasn't setup correctly so the source address of traffic intended for Site2 was the post-NAT external IP and so it wasn't hitting the tunnel's match address ACL. Once I setup the correct nat 0 entries, the traffic triggered the tunnel to come up, and I finally got isakmp debug output. From that it was quickly obvious that pfs had to be enabled and once it was, the tunnel came up.

Thanks for your help!
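The root cause above is the ASA's order of operations: NAT is applied first and the crypto map's match-address ACL is then evaluated against the post-NAT packet, and the ASA only initiates IKE when such a packet arrives. The following Python model, added here and not part of the thread or Cisco's tooling, walks a packet through that order with the NAT-exemption list before and after the author's fix, and also flags the duplicate match-address slip from the transcribed config. The inside subnets and the Site1/Site2 exemption entries are constructed placeholders, since the thread elides the real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder subnets: the thread elides the real inside networks.
LOCAL_INSIDE = ip_network("10.1.0.0/24")
SITE1_INSIDE = ip_network("10.3.0.0/24")
SITE2_INSIDE = ip_network("10.2.0.0/24")
OUTSIDE_IP = ip_address("99.99.99.99")  # the ASA's outside address in the question

# crypto map SITE-TO-SITE-VPN 2 match address SECOND-SITE-TO-SITE-VPN
CRYPTO_ACL_SITE2 = [(LOCAL_INSIDE, SITE2_INSIDE)]
# nat (inside) 0 access-list VPN-NO-NAT, before and after the author's fix (assumed contents)
NAT0_BEFORE_FIX = [(LOCAL_INSIDE, SITE1_INSIDE)]
NAT0_AFTER_FIX = [(LOCAL_INSIDE, SITE1_INSIDE), (LOCAL_INSIDE, SITE2_INSIDE)]


def _permits(acl, src, dst):
    """A two-tuple ACL permits a flow when some (source net, dest net) pair covers it."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def nat_translate(src, dst, nat0_acl):
    """Model ASA 8.2 'nat (inside) 0 access-list': a flow permitted by the
    exemption ACL keeps its inside source; anything else is PATed to the
    outside interface address."""
    return src if _permits(nat0_acl, src, dst) else OUTSIDE_IP


def would_trigger_tunnel(src, dst, nat0_acl, crypto_acl=CRYPTO_ACL_SITE2):
    """The crypto map 'match address' ACL sees the post-NAT packet, and the
    ASA only initiates IKE when such a packet arrives, so a missing NAT
    exemption silently keeps the second tunnel down."""
    src, dst = ip_address(src), ip_address(dst)
    return _permits(crypto_acl, nat_translate(src, dst, nat0_acl), dst)


def duplicate_match_acls(crypto_map_lines):
    """Return (seq_a, seq_b, acl) for crypto map entries that share one
    'match address' ACL, the transcription slip caught in the thread."""
    seen, dups = {}, []
    for line in crypto_map_lines:
        p = line.split()
        if len(p) >= 7 and p[:2] == ["crypto", "map"] and p[4:6] == ["match", "address"]:
            seq, acl = p[3], p[6]
            if acl in seen:
                dups.append((seen[acl], seq, acl))
            else:
                seen[acl] = seq
    return dups
```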
