Solved

L2L problems with new ASA 5505's

Posted on 2011-03-24
12
605 Views
Last Modified: 2012-05-11
Hello all,

I just got 2 new asa's configured for internet acces and they are working fine in that respect.  The problem is that the site to site vpn is not coming up between them.  When I watch the logs it looks like it's not even trying to initiate phase 1.  Pasted below are both of the configs.  The site to site is between two networks with 10.91.150.0 being the main office and 10.92.39.0 being the remote office.  I'm kind of in a bind.  Can anyone help??

hostname south-tyler
enable password zkoJlu5hlJD encrypted
passwd zkoJl1SlJD encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.91.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.76.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_cryptomap extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
access-list outside_access_in remark L2L with Lonview
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip 10.92.39.0 255.255.255.0 10.91.
150.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exempt to Longview over vpn
access-list inside_nat0_outbound extended permit ip 10.91.150.0 255.255.255.0 10
.92.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.91.150.5 3389 netmask 255.255.255.
255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.76.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.91.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 set peer 206.255.XXX.XXX
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
crypto map outside_map3 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.91.150.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 206.255.XXX.XXX type ipsec-l2l
tunnel-group 206.255.XXX.XXX ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ffde7e0d1d5f043

The remote config:

ASA Version 8.2(1)
!
hostname asa-longview
enable password zkoJl1ShlJD encrypted
passwd 2KFQnbYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.92.39.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.255.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip 10.92.39.0 255.255.255.0 10.9
1.150.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.92.39.0 255.255.255.0 10.
91.150.0 255.255.255.0
access-list outside_access_in remark L2L with Tyler
access-list outside_access_in extended permit ip 10.91.150.0 255.255.255.0 10.92
.39.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.255.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.92.39.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer 66.76.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.92.39.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 66.76.XXX.XXX type ipsec-l2l
tunnel-group 66.76.XXX.XXX ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7605a8a302b8c
: end

0
Comment
Question by:VNE
  • 9
  • 3
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 35212311
south-tyler is missing:

crypto map outside_map3 1 match address outside_cryptomap

longview is missing:
crypto map outside_map 1 match address outside_1_cryptomap
0
 

Author Comment

by:VNE
ID: 35212340
Done.  No joy.  I pinged 10.91.150.5 from 10.92.39.2 from a dos prompt.  Should i save and reload?

0
 

Author Comment

by:VNE
ID: 35212359
The subnet masks for the l2l traffic.  Are they correct?  The networks are seperated by the second octet not the third.  Should the subnet mask be something different than 255.255.255.0??

0
 

Author Comment

by:VNE
ID: 35212446
We're getting closer.  I'm getting this on the remote asa when I ping from the remote office to the home office:

3      Mar 24 2011      21:09:32      713902                              IP = 66.76.XXX.XXX, Removing peer from peer table failed, no match!
0
 

Author Comment

by:VNE
ID: 35212462
Here's more:

5      Mar 24 2011      21:09:29      713904                              IP = 66.76.XXX.XXX, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

4      Mar 24 2011      21:09:29      713903                              IP = 66.76.XXX.XXX, Information Exchange processing failed

6      Mar 24 2011      21:09:31      713219                              IP = 66.76.XXX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

3      Mar 24 2011      21:09:32      713048                              IP = 66.76.XXX.XXX, Error processing payload: Payload ID: 1
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35212486
D'oh... Transform set and policies have to match exactly on both sides

On south tyler
crypto map outside_map3 1 set transform-set ESP-AES-256-SHA
Change to
 crypto map outside_map3 1 set transform-set ESP-3DES-SHA

and make the policy match the transform.
crypto isakmp policy 10
 authentication pre-share
 encryption des  <-- this should be 3des
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:VNE
ID: 35212508
This did it man  Thanks.  I'll close it later.
0
 

Author Comment

by:VNE
ID: 35216913
All of the WYSE terminals at the remote location arent getting an ip address when they start up.  They should be getting an ip address from the dhcp server at the home office at an address of 10.91.150.3

See anything in the config that might be stopping that?
0
 

Author Comment

by:VNE
ID: 35216917
The vpn is up and running for sure.
0
 

Author Comment

by:VNE
ID: 35217011
I might not be correct about their setup.  Hang on and let me see if the remote location is actually supposed to get it's addresses from the home office.  

vne
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 35219688
DHCP broadcasts are not passed over the VPN tunnel. I highly recommend a local DHCP server..
0
 

Author Comment

by:VNE
ID: 35220098
Thanks for your help Irmoore.  I just configured dhcp on the asa this morning and everything was good.  I didnt realize that dhcp broadcasts dont go out over the vpn.  Thanks for all your help.

vne
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now