VNE
asked on
L2L problems with new ASA 5505's
Hello all,
I just got 2 new asa's configured for internet acces and they are working fine in that respect. The problem is that the site to site vpn is not coming up between them. When I watch the logs it looks like it's not even trying to initiate phase 1. Pasted below are both of the configs. The site to site is between two networks with 10.91.150.0 being the main office and 10.92.39.0 being the remote office. I'm kind of in a bind. Can anyone help??
hostname south-tyler
enable password zkoJlu5hlJD encrypted
passwd zkoJl1SlJD encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.91.150.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.76.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_cryptomap extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
access-list outside_access_in remark L2L with Lonview
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip 10.92.39.0 255.255.255.0 10.91.
150.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exempt to Longview over vpn
access-list inside_nat0_outbound extended permit ip 10.91.150.0 255.255.255.0 10
.92.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.91.150.5 3389 netmask 255.255.255.
255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.76.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.91.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 set peer 206.255.XXX.XXX
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
crypto map outside_map3 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.91.150.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 206.255.XXX.XXX type ipsec-l2l
tunnel-group 206.255.XXX.XXX ipsec-attributes
pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ffde7e0d1d5
The remote config:
ASA Version 8.2(1)
!
hostname asa-longview
enable password zkoJl1ShlJD encrypted
passwd 2KFQnbYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.92.39.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 206.255.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip 10.92.39.0 255.255.255.0 10.9
1.150.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.92.39.0 255.255.255.0 10.
91.150.0 255.255.255.0
access-list outside_access_in remark L2L with Tyler
access-list outside_access_in extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.255.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.92.39.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer 66.76.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.92.39.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 66.76.XXX.XXX type ipsec-l2l
tunnel-group 66.76.XXX.XXX ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7605a8a302b
: end
I just got 2 new asa's configured for internet acces and they are working fine in that respect. The problem is that the site to site vpn is not coming up between them. When I watch the logs it looks like it's not even trying to initiate phase 1. Pasted below are both of the configs. The site to site is between two networks with 10.91.150.0 being the main office and 10.92.39.0 being the remote office. I'm kind of in a bind. Can anyone help??
hostname south-tyler
enable password zkoJlu5hlJD encrypted
passwd zkoJl1SlJD encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.91.150.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.76.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_cryptomap extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
access-list outside_access_in remark L2L with Lonview
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip 10.92.39.0 255.255.255.0 10.91.
150.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exempt to Longview over vpn
access-list inside_nat0_outbound extended permit ip 10.91.150.0 255.255.255.0 10
.92.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.91.150.5 3389 netmask 255.255.255.
255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.76.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.91.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 set peer 206.255.XXX.XXX
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
crypto map outside_map3 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.91.150.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 206.255.XXX.XXX type ipsec-l2l
tunnel-group 206.255.XXX.XXX ipsec-attributes
pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ffde7e0d1d5
The remote config:
ASA Version 8.2(1)
!
hostname asa-longview
enable password zkoJl1ShlJD encrypted
passwd 2KFQnbYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.92.39.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 206.255.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip 10.92.39.0 255.255.255.0 10.9
1.150.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.92.39.0 255.255.255.0 10.
91.150.0 255.255.255.0
access-list outside_access_in remark L2L with Tyler
access-list outside_access_in extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.255.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.92.39.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer 66.76.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.92.39.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 66.76.XXX.XXX type ipsec-l2l
tunnel-group 66.76.XXX.XXX ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7605a8a302b
: end
ASKER
Done. No joy. I pinged 10.91.150.5 from 10.92.39.2 from a dos prompt. Should i save and reload?
ASKER
The subnet masks for the l2l traffic. Are they correct? The networks are seperated by the second octet not the third. Should the subnet mask be something different than 255.255.255.0??
ASKER
We're getting closer. I'm getting this on the remote asa when I ping from the remote office to the home office:
3 Mar 24 2011 21:09:32 713902 IP = 66.76.XXX.XXX, Removing peer from peer table failed, no match!
3 Mar 24 2011 21:09:32 713902 IP = 66.76.XXX.XXX, Removing peer from peer table failed, no match!
ASKER
Here's more:
5 Mar 24 2011 21:09:29 713904 IP = 66.76.XXX.XXX, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
4 Mar 24 2011 21:09:29 713903 IP = 66.76.XXX.XXX, Information Exchange processing failed
6 Mar 24 2011 21:09:31 713219 IP = 66.76.XXX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
3 Mar 24 2011 21:09:32 713048 IP = 66.76.XXX.XXX, Error processing payload: Payload ID: 1
5 Mar 24 2011 21:09:29 713904 IP = 66.76.XXX.XXX, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
4 Mar 24 2011 21:09:29 713903 IP = 66.76.XXX.XXX, Information Exchange processing failed
6 Mar 24 2011 21:09:31 713219 IP = 66.76.XXX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
3 Mar 24 2011 21:09:32 713048 IP = 66.76.XXX.XXX, Error processing payload: Payload ID: 1
D'oh... Transform set and policies have to match exactly on both sides
On south tyler
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
Change to
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
and make the policy match the transform.
crypto isakmp policy 10
authentication pre-share
encryption des <-- this should be 3des
On south tyler
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
Change to
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
and make the policy match the transform.
crypto isakmp policy 10
authentication pre-share
encryption des <-- this should be 3des
ASKER
This did it man Thanks. I'll close it later.
ASKER
All of the WYSE terminals at the remote location arent getting an ip address when they start up. They should be getting an ip address from the dhcp server at the home office at an address of 10.91.150.3
See anything in the config that might be stopping that?
See anything in the config that might be stopping that?
ASKER
The vpn is up and running for sure.
ASKER
I might not be correct about their setup. Hang on and let me see if the remote location is actually supposed to get it's addresses from the home office.
vne
vne
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your help Irmoore. I just configured dhcp on the asa this morning and everything was good. I didnt realize that dhcp broadcasts dont go out over the vpn. Thanks for all your help.
vne
vne
crypto map outside_map3 1 match address outside_cryptomap
longview is missing:
crypto map outside_map 1 match address outside_1_cryptomap