kobalt_systems asked:
Problems with Site-to-Site VPN between Cisco 877 and ASA 5505

I'm having difficulty re-establishing a VPN connection at a client site that I inherited.

I've posted a previous question with a slightly different configuration, but with no success.

Layout (site1 - site2)
Cisco ASA 5505 (with bridging/PPPoE relay modem) ---| cloud |--- bridging modem --- Cisco 877 (VLAN with PPPoE)

Both sites can access internet ok.

Where it broke is when I setup a new internet connection at site1 with a new static IP.

Long story short, I've discovered that one of the routers (the 877) has a bridging modem ahead of it, so when I look at the interface state for Dialer0 it says initializing and down, even though the internet connection is working fine (however, not sure if it's relevant).

I've tried a bunch of things including:
- updating IPs in pre-shared key, peer, etc.
- recreating the IPSEC policies from scratch
- associating the IPSEC policy with the VLAN
- setting up easy VPN server (on the 877)
- and more (https://www.experts-exchange.com/questions/26879380/Problems-with-Site-to-Site-VPN-between-Cisco-877-and-857W.html)

I'm fairly green with Cisco (using CLI and SDM), so I will not be offended by comments like "wtf are you doing...?" ;)

Also, when I run a packet trace on the ASA, it halts at the VPN step with "(acl-drop) flow is denied by configured rule"

I've attached show run and some other commands from both devices

I'd give any amount of points to have this resolved!!
877-show-run.txt
877-show-others.txt
asa5505-show-run.txt
asa5505-show-others.txt
kobalt_systems (asker):
UPDATE: I found this

ip route 10.10.10.0 255.255.255.0 Dialer0

and changed it to ip route 192.168.2.0 255.255.255.0 Dialer0

No success.
asavener:
Your transform sets do not match.

The transform set on the 877 is named "ESP-3DES-SHA" but it actually uses MD5.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac

On the 877, enter these commands:

crypto map SDM_CMAP_1 1 ipsec-isakmp
no set transform-set ESP-3DES-SHA
set transform-set ESP-3DES-SHA1
kobalt_systems (asker):

hi asavener,

many thanks for your response, it's really appreciated.

I made a mistake with the 877 yesterday and had to reload (latest config attached). I've matched the config again and updated the transform set as you suggested without luck.

There is one difference with the access-lists... do I need to run the following?

ip access-list extended VPN
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255


crypto map SDM_CMAP_1 1 ipsec-isakmp
no match address 123
match address VPN

interface Dialer0
no crypto map SDM_CMAP_1
crypto map SDM_CMAP_1


877-update-110318.txt
asavener:

Yes.
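The check behind asavener's answer, as an added example that is not part of the thread or its attachments: a Python script that pulls the transform-set, crypto map and crypto ACL lines out of both running-configs and reports the Phase 2 mismatches that make peers reject each other's proposals (no transform set in common on the crypto maps, or a crypto ACL entry that is not mirrored on the far side). The two config fragments, the ASA's map and ACL names and the peer addresses are constructed for the example; the 877 fragment deliberately reproduces the mismatch found above (a set named ESP-3DES-SHA that is really esp-md5-hmac). IOS wildcard masks and ASA netmasks are normalised to the same network objects before the mirror comparison, which is where the `0.0.0.255` versus `255.255.255.0` difference between the two platforms usually trips people up.

```python
"""Added example (not from the thread or its attachments): compare two
IKEv1 peers' Phase 2 parameters (transform sets and crypto ACLs) from
their config fragments. Config text, names and addresses are constructed.
"""
import ipaddress
import re

IOS_877 = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.206.211.229
 set transform-set ESP-3DES-SHA
 match address VPN
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# The same 877 fragment after asavener's fix: the map now uses ESP-3DES-SHA1.
FIXED_877 = IOS_877.replace(" set transform-set ESP-3DES-SHA\n",
                            " set transform-set ESP-3DES-SHA1\n")

ASA_5505 = """\
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.206.180.123
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
IOS_MAP_HDR = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp")
ASA_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (set transform-set|match address) (.+)")
IOS_ACL_HDR = re.compile(r"ip access-list extended (\S+)")
# IOS named-ACL entries, IOS numbered ACLs and ASA extended ACLs all fit this.
ACE_RE = re.compile(r"(?:access-list (\S+) (?:extended )?)?permit ip (\S+) (\S+) (\S+) (\S+)$")


def _net(addr, mask):
    # ipaddress accepts a netmask (ASA style) or a wildcard/hostmask (IOS style).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect transform sets, crypto map bindings and crypto ACL entries
    from an IOS or ASA running-config fragment; other lines are ignored."""
    cfg = {"transform_sets": {}, "maps": {}, "acls": {}}
    cur_map = cur_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            cfg["transform_sets"][m[1]] = tuple(m[2].split())
        elif m := IOS_MAP_HDR.match(line):          # IOS: sub-commands follow indented
            cur_map = cfg["maps"].setdefault((m[1], int(m[2])), {})
            cur_acl = None
        elif m := ASA_MAP_RE.match(line):           # ASA: one flat line per setting
            entry = cfg["maps"].setdefault((m[1], int(m[2])), {})
            if m[3].startswith("set"):
                entry["transforms"] = m[4].split()
            else:
                entry["acl"] = m[4].strip()
        elif m := IOS_ACL_HDR.match(line):
            cur_acl = cfg["acls"].setdefault(m[1], [])
            cur_map = None
        elif m := ACE_RE.match(line):
            pair = (_net(m[2], m[3]), _net(m[4], m[5]))
            if m[1]:                                # ACL name carried on the line
                cfg["acls"].setdefault(m[1], []).append(pair)
            elif cur_acl is not None:               # entry inside an IOS named ACL
                cur_acl.append(pair)
        elif raw.startswith(" ") and cur_map is not None:
            words = line.split()
            if line.startswith("set transform-set "):
                cur_map["transforms"] = words[2:]   # IOS may list several sets
            elif line.startswith("match address "):
                cur_map["acl"] = words[2]
    return cfg


def phase2_findings(local, remote, local_name="877", remote_name="ASA"):
    """Return the mismatches that make Phase 2 fail: no transform set in
    common on the crypto maps, or a crypto ACL line with no mirror image."""
    a, b = parse_config(local), parse_config(remote)

    def offered(cfg):
        return {cfg["transform_sets"].get(name, ("undefined:" + name,))
                for e in cfg["maps"].values() for name in e.get("transforms", [])}

    def selectors(cfg):
        return {pair for e in cfg["maps"].values()
                for pair in cfg["acls"].get(e.get("acl"), [])}

    findings = []
    ta, tb = offered(a), offered(b)
    if not ta & tb:
        findings.append(f"no common transform set: {local_name} offers {sorted(ta)}, "
                        f"{remote_name} offers {sorted(tb)}")
    sa, sb = selectors(a), selectors(b)
    for name, mine, theirs in ((local_name, sa, sb), (remote_name, sb, sa)):
        for src, dst in sorted(mine, key=str):
            if (dst, src) not in theirs:
                findings.append(f"{name} crypto ACL {src} -> {dst} has no mirror "
                                f"{dst} -> {src} on the other peer")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", IOS_877), ("after fix", FIXED_877)):
        print(label, phase2_findings(cfg, ASA_5505) or ["no Phase 2 mismatch found"])
```

Run against the posted-style fragment it reports the MD5/SHA transform mismatch and nothing else; against the fixed fragment it reports nothing. Transform sets are compared by their actual algorithms, not their names, because a name like ESP-3DES-SHA proves nothing about what the set contains.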
kobalt_systems (asker):

OK, ran the commands but no dice.

I'm seeing this on the ASA
"3 Mar 18 2011 00:23:39 713902 IP = 203.206.180.123, Removing peer from peer table failed, no match!"

and this on the 877
"ISAKMP :(0):deleting SA reason "Death by retransmission P1" state etc etc

Is there anything else you need re debugging logs or config?
asavener:

Can you run "debug crypto isakmp error" and provide the output here? Preferably from both devices.
kobalt_systems (asker):

###### output from 877 ##########
006994: *Jul 21 08:30:17.060 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
006995: *Jul 21 08:30:17.060 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
006996: *Jul 21 08:30:50.076 Sydney: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 203.206.180.123, remote 203.206.211.229)
006997: *Jul 21 08:30:50.076 Sydney: ISAKMP: Error while processing SA request: Failed to initialize SA
006998: *Jul 21 08:30:50.076 Sydney: ISAKMP: Error while processing KMI message 0, error 2.
006999: *Jul 21 08:31:20.092 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
007000: *Jul 21 08:31:20.092 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
007001: *Jul 21 08:31:53.080 Sydney: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 203.206.180.123, remote 203.206.211.229)
007002: *Jul 21 08:31:53.080 Sydney: ISAKMP: Error while processing SA request: Failed to initialize SA
007003: *Jul 21 08:31:53.080 Sydney: ISAKMP: Error while processing KMI message 0, error 2.
007004: *Jul 21 08:32:23.088 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
007005: *Jul 21 08:32:23.088 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)

######### from ASA ##################

6|Mar 18 2011|23:25:57|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Mar 18 2011|23:25:56|713903|||IP = 203.206.180.123, Error: Unable to remove PeerTblEntry
3|Mar 18 2011|23:25:56|713902|||IP = 203.206.180.123, Removing peer from peer table failed, no match!
6|Mar 18 2011|23:25:56|713905|||IP = 203.206.180.123, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2011|23:25:56|713201|||IP = 203.206.180.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2011|23:25:55|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Mar 18 2011|23:25:54|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Mar 18 2011|23:25:48|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Mar 18 2011|23:25:46|713905|||IP = 203.206.180.123, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2011|23:25:46|713201|||IP = 203.206.180.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2011|23:25:43|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Mar 18 2011|23:25:42|106023|203.215.17.248|203.206.211.229|Deny icmp src outside:203.215.17.248 dst inside:203.206.211.229 (type 3, code 13) by access-group "outside_access_in" [0x0, 0x0]
6|Mar 18 2011|23:25:40|305012|192.168.2.1|203.206.211.229|Teardown dynamic UDP translation from inside:192.168.2.1/60310 to outside:203.206.211.229/27144 duration 0:02:30
6|Mar 18 2011|23:25:40|305012|192.168.2.1|203.206.211.229|Teardown dynamic UDP translation from inside:192.168.2.1/58431 to outside:203.206.211.229/27143 duration 0:02:30
6|Mar 18 2011|23:25:39|305012|192.168.2.239|203.206.211.229|Teardown dynamic UDP translation from inside:192.168.2.239/52963 to outside:203.206.211.229/27142 duration 0:02:30
6|Mar 18 2011|23:25:37|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5|Mar 18 2011|23:25:31|713041|||IP = 203.206.180.123, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.206.180.123  local Proxy Address 192.168.2.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
6|Mar 18 2011|23:25:26|302021|195.116.238.242|203.206.211.229|Teardown ICMP connection for faddr 195.116.238.242/768 gaddr 203.206.211.229/0 laddr 203.206.211.229/0
6|Mar 18 2011|23:25:26|302020|195.116.238.242|203.206.211.229|Built inbound ICMP connection for faddr 195.116.238.242/768 gaddr 203.206.211.229/0 laddr 203.206.211.229/0
4|Mar 18 2011|23:25:26|713903|||IP = 203.206.180.123, Error: Unable to remove PeerTblEntry
3|Mar 18 2011|23:25:26|713902|||IP = 203.206.180.123, Removing peer from peer table failed, no match!
6|Mar 18 2011|23:25:26|713905|||IP = 203.206.180.123, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2011|23:25:26|713201|||IP = 203.206.180.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2011|23:25:25|302021|195.116.238.242|203.206.211.229|Teardown ICMP connection for faddr 195.116.238.242/768 gaddr 203.206.211.229/0 laddr 203.206.211.229/0
6|Mar 18 2011|23:25:25|302020|195.116.238.242|203.206.211.229|Built inbound ICMP connection for faddr 195.116.238.242/768 gaddr 203.206.211.229/0 laddr 203.206.211.229/0
6|Mar 18 2011|23:25:16|713905|||IP = 203.206.180.123, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2011|23:25:16|713201|||IP = 203.206.180.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2011|23:25:12|302016|61.88.88.88|192.168.2.1|Teardown UDP connection 285462 for outside:61.88.88.88/53 to inside:192.168.2.1/60310 duration 0:02:01 bytes 194
6|Mar 18 2011|23:25:12|302016|61.88.88.88|192.168.2.1|Teardown UDP connection 285460 for outside:61.88.88.88/53 to inside:192.168.2.1/58431 duration 0:02:02 bytes 533


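The debug output above shows where the negotiation actually stops: the 877 is the initiator and keeps dying in MM_NO_STATE with "Death by retransmission P1", which is a Phase 1 problem, before transform sets (Phase 2) are ever compared. As an added example that is not part of the thread, the script below runs a small triage over lines shaped like the 877 debug and ASA syslog excerpts: it extracts the ISAKMP role and the farthest main-mode state the IOS side reached, counts the ASA syslog message IDs, and says which phase to debug. The sample lines are constructed for the example (they follow the format of the posted output but are not the attachments), and the short descriptions keyed by ASA message ID are the standard meanings of those syslog IDs.

```python
"""Added example (not from the thread): triage 'debug crypto isakmp'
output from an IOS router and the matching ASA syslog lines to tell a
Phase 1 failure from a Phase 2 one. Sample lines are constructed.
"""
import re
from collections import Counter

IOS_DEBUG = """\
006994: *Jul 21 08:30:17.060 Sydney: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.206.211.229)
006996: *Jul 21 08:30:50.076 Sydney: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 203.206.180.123, remote 203.206.211.229)
006997: *Jul 21 08:30:50.076 Sydney: ISAKMP: Error while processing SA request: Failed to initialize SA
"""

ASA_SYSLOG = """\
5|Mar 18 2011|23:25:31|713041|||IP = 203.206.180.123, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.206.180.123  local Proxy Address 192.168.2.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
6|Mar 18 2011|23:25:37|713219|||IP = 203.206.180.123, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5|Mar 18 2011|23:25:46|713201|||IP = 203.206.180.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
3|Mar 18 2011|23:25:56|713902|||IP = 203.206.180.123, Removing peer from peer table failed, no match!
"""

# IKEv1 main-mode states in the order a successful exchange passes through them.
MM_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]
IOS_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\w+) \(peer (\S+)\)')
# Standard meanings of the ASA syslog IDs seen in this kind of output.
ASA_MEANING = {
    "713041": "started Phase 1 as initiator",
    "713120": "Phase 1 completed",
    "713201": "received a duplicate Phase 1 packet and retransmitted its last one",
    "713219": "queued a Phase 2 request until Phase 1 completes",
    "713902": "peer-table cleanup after a failed Phase 1 found no entry",
}


def triage(ios_debug, asa_syslog):
    """Summarise how far IKEv1 got on each side and say which phase to debug."""
    ios_events = [m.groups() for line in ios_debug.splitlines()
                  if (m := IOS_DELETE.search(line))]
    reached = max((MM_ORDER.index(s) for _, _, s, _ in ios_events if s in MM_ORDER),
                  default=-1)
    asa_counts = Counter()
    for line in asa_syslog.splitlines():
        fields = line.split("|")                    # severity|date|time|msgid|src|dst|text
        if len(fields) > 3 and fields[3].isdigit():
            asa_counts[fields[3]] += 1
    roles = {role for _, role, _, _ in ios_events}
    completed = reached >= MM_ORDER.index("QM_IDLE") or asa_counts["713120"] > 0

    if completed:
        verdict = "Phase 1 completed; debug Phase 2 (transform sets, crypto ACLs, PFS)"
    elif reached == 0 and "I" in roles:
        # Initiator died in MM_NO_STATE: it sent MM1 and never processed an MM2.
        verdict = ("Phase 1 never completed: the IOS side initiated and died in MM_NO_STATE, "
                   "so no usable MM2 reply arrived; check the ISAKMP policies and UDP/500 "
                   "reachability in both directions before touching transform sets")
    elif reached > 0:
        state = MM_ORDER[reached]
        hint = ("pre-shared key mismatch is the usual cause" if state == "MM_KEY_AUTH"
                else "ISAKMP policy (encryption/hash/DH group/lifetime) mismatch is the usual cause")
        verdict = f"Phase 1 stalled in {state}; {hint}"
    elif asa_counts:
        verdict = "Phase 1 never completed on the ASA side; no IOS ISAKMP events to correlate"
    else:
        verdict = "no ISAKMP events found"
    return {
        "ios_role": "initiator" if "I" in roles else ("responder" if roles else None),
        "ios_farthest_state": MM_ORDER[reached] if reached >= 0 else None,
        "ios_peers": sorted({p for _, _, _, p in ios_events}),
        "asa_counts": dict(asa_counts),
        "asa_notes": {k: ASA_MEANING.get(k, "unknown") for k in asa_counts},
        "phase1_completed": completed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(IOS_DEBUG, ASA_SYSLOG).items():
        print(f"{key}: {value}")
```

On the sample lines it reports the IOS side as initiator stuck in MM_NO_STATE against 203.206.211.229, the ASA as retransmitting duplicate Phase 1 packets and failing peer-table cleanup, and concludes that Phase 1 never completed. The point of the ordering in MM_ORDER is that the state a main-mode exchange dies in is the most useful single fact in an IKEv1 debug: MM_NO_STATE means no reply, MM_KEY_AUTH almost always means a pre-shared key mismatch, and QM_IDLE means Phase 1 is fine and the problem is in Phase 2.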
kobalt_systems (asker):

Well, you know what they say... learn by doing...

...and by doing I mean hours of trial-and-error hacking, but in the end I installed CCP, reloaded the config and carefully swapped IP addresses.

many thanks for your input asavener
ASKER CERTIFIED SOLUTION: asavener
(This solution is only available to members of Experts Exchange.)
kobalt_systems (asker):

Yep, forgot to add that in my post... (too excited ;)

will allocate points shortly