
Solved

Cisco ASA 5505 -> Cisco 5510 VPN (Site to Site) Not Working

Posted on 2011-10-31
Last Modified: 2012-05-12
Hello,

We have two offices.  Office A is 192.168.1.0 (255.255.255.0) w/ outside IP 70.91.xxx.22
Office B is 172.16.4.0 (255.255.252.0) w/ outside IP 90.106.xxx.41

I cannot get the VPN connection to establish.  I've set up a VPN between two PIXes in the past and had no issues, but it took a little bit of time, since I am not a Cisco nor a VPN expert.  

Could you take a look at these running configurations and give me your first thoughts?  The VPN won't establish and it looks like it should!


---  RUNNING CVILE (OFFICE A) ---


ASA Version 8.2(1)
!
names
name 192.168.1.0 SMTNetwork
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.10.200 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
dns server-group DefaultDNS
 domain-name smt.local
access-list inside_access_in extended permit ip SMTNetwork 255.255.255.0 any
access-list inbound extended permit tcp any host 70.91.xxx.21 eq www
access-list inbound extended permit tcp any host 70.91.xxx.21 eq domain
access-list inbound extended permit udp any host 70.91.xxx.21 eq domain
access-list inbound extended permit tcp any host 70.91.xxx.17 eq www
access-list inbound extended permit tcp any host 70.91.xxx.17 eq domain
access-list inbound extended permit udp any host 70.91.xxx.17 eq domain
access-list inbound extended permit tcp any host 70.91.xxx.18 eq smtp
access-list inbound extended permit tcp any host 70.91.xxx.19 eq https
access-list LAN_Traffic extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 70.91.xxx.21 192.168.1.24 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.17 192.168.1.12 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.18 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 70.91.xxx.19 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 172.16.4.0  access-list LAN_Traffic
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.6.0 255.255.255.0 management
http SMTNetwork 255.255.255.0 inside
http 99.106.xxx.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 99.106.xxx.41
crypto map L2L 1 set transform-set L2L
crypto map L2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet SMTNetwork 255.255.255.0 inside
telnet timeout 5
ssh SMTNetwork 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.6.2-192.168.6.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 99.106.xxx.41 type ipsec-l2l
tunnel-group 99.106.xxx.41 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b40bbdefa6f7c4a620920d2be0dc3b6b
: end

--- RUNNING OFFICE B ---

ASA Version 8.2(3)
!



names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.4.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name smt.local
same-security-traffic permit inter-interface
access-list VPN_Traffic extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list encrypt_acl extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 99.106.xxx.41 netmask 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.106.10.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.4.0 255.255.252.0 inside
http 70.91.xxx.22 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2l esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2l 1 match address VPN_Traffic
crypto map l2l 1 set peer 70.91.xxx.22
crypto map l2l 1 set transform-set l2l
crypto map l2l interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.7.100-172.16.7.254 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 70.91.xxx.22 type ipsec-l2l
tunnel-group 70.91.xxx.22 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e9144ec144cd4c98e73aeddac9fce567
: end

Thank you in advance!


Question by:Jesh1975
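Added example (mine, not posted by anyone in this thread): a Python script that cross-checks the two running configs above for the asymmetries that keep an ASA 8.2 IKEv1 LAN-to-LAN tunnel from coming up. SITE_A and SITE_B are trimmed copies of the posted configs with the `xxx` octets kept exactly as posted; the checks encode the usual requirements for such a tunnel (each side's `set peer` is the other side's outside address, an `ipsec-l2l` tunnel-group per peer, mirror-image crypto ACLs, a `nat 0` exemption covering the crypto ACL, and at least one identical ISAKMP policy). Run against these two configs it reports that site A has no NAT exemption, that site A's `static (inside,outside) 172.16.4.0 access-list LAN_Traffic` maps sources to the remote network rather than to themselves, and that site B peers with 70.91.xxx.22 while site A's outside interface actually holds 10.1.10.200. It only understands network/mask ACL entries, not `host` or `any`.

```python
"""Cross-check two ASA 8.2 L2L IPsec configs (trimmed copies of those posted above) for the asymmetries that stop IKEv1."""
from ipaddress import IPv4Network

SITE_A = """\
name 192.168.1.0 SMTNetwork
interface Ethernet0/0
 nameif outside
 ip address 10.1.10.200 255.255.255.0
access-list LAN_Traffic extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
static (inside,outside) 172.16.4.0  access-list LAN_Traffic
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 99.106.xxx.41
crypto map L2L 1 set transform-set L2L
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 99.106.xxx.41 type ipsec-l2l
"""
SITE_B = """\
interface Vlan2
 nameif outside
 ip address dhcp
access-list VPN_Traffic extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map l2l 1 match address VPN_Traffic
crypto map l2l 1 set peer 70.91.xxx.22
crypto map l2l 1 set transform-set l2l
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 70.91.xxx.22 type ipsec-l2l
"""
CM_KEYS = {"address": "crypto_acl", "peer": "peer"}   # 'crypto map ... match address X' / 'set peer X'


def parse(cfg):
    """Pull out only what an L2L tunnel depends on (network/mask ACL entries only)."""
    names, acls, policies, on_outside = {}, {}, [], False
    c = {"outside_ip": None, "peer": None, "crypto_acl": None,
         "nat0_acl": None, "policy_static": [], "tunnel_groups": set()}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "interface":
            on_outside = False
        elif t[:2] == ["nameif", "outside"]:
            on_outside = True
        elif t[:2] == ["ip", "address"] and on_outside:
            c["outside_ip"] = t[2]                        # 'dhcp' when dynamic
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"] and len(t) >= 9:
            src = IPv4Network(f"{names.get(t[5], t[5])}/{t[6]}")
            dst = IPv4Network(f"{names.get(t[7], t[7])}/{t[8]}")
            acls.setdefault(t[1], set()).add((src, dst))
        elif t[:2] == ["crypto", "map"] and t[-2] in CM_KEYS:
            c[CM_KEYS[t[-2]]] = t[-1]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policies.append({})
        elif policies and t[0] in ("authentication", "encryption", "hash", "group"):
            policies[-1][t[0]] = t[1]
        elif t[0] == "nat" and t[2] == "0":
            c["nat0_acl"] = t[4]
        elif t[0] == "static" and "access-list" in t:
            c["policy_static"].append((t[2], t[-1]))       # (mapped prefix, ACL)
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            c["tunnel_groups"].add(t[1])
    c["crypto_pairs"] = acls.get(c["crypto_acl"], set())
    c["nat0_pairs"] = acls.get(c["nat0_acl"], set())
    c["policies"] = {tuple(sorted(p.items())) for p in policies}
    return c


def compare(a, b, la, lb):
    """Findings from la's point of view; run it in both directions."""
    out = []
    if b["outside_ip"] == "dhcp":
        out.append(f"{lb} takes its outside address from DHCP; {la}'s peer {a['peer']} cannot be confirmed from config")
    elif a["peer"] != b["outside_ip"]:
        out.append(f"{la} peers with {a['peer']} but {lb}'s outside interface holds {b['outside_ip']}: {lb} is behind NAT, so UDP/500 and UDP/4500 must be forwarded to it and NAT-T negotiated")
    if a["peer"] not in a["tunnel_groups"]:
        out.append(f"{la} has no ipsec-l2l tunnel-group (pre-shared key) for peer {a['peer']}")
    if a["crypto_pairs"] != {(d, s) for s, d in b["crypto_pairs"]}:
        out.append(f"{la}'s crypto ACL is not the mirror image of {lb}'s")
    if not a["crypto_pairs"] <= a["nat0_pairs"]:
        out.append(f"{la} has no nat 0 exemption covering its crypto ACL; the ASA translates before it evaluates the crypto map, so PATed packets never match it")
    reals = {str(s.network_address) for s, _ in a["crypto_pairs"]}
    for mapped, acl in a["policy_static"]:
        if acl == a["crypto_acl"] and mapped not in reals:
            out.append(f"{la}'s policy static NAT on {acl} maps sources to {mapped} instead of themselves; unless nat 0 takes precedence, translated packets miss the crypto ACL")
    if not a["policies"] & b["policies"]:
        out.append("no ISAKMP policy with identical authentication/encryption/hash/group on both sides")
    return out


if __name__ == "__main__":
    a, b = parse(SITE_A), parse(SITE_B)
    print(*compare(a, b, "A", "B") + compare(b, a, "B", "A"), sep="\n")
```

To use it on live devices, paste each `show running-config` into the two strings; the DHCP note for site B is informational, while the NAT finding for site A is the same point the later comments about the cable modem turn on.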
41 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37058570
hi,

You missed creating the nonat on the first ASA:

access-list LAN_nonat extended permit ip SMTNetwork 255.255.255.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list LAN_nonat

Author Comment

by:Jesh1975
ID: 37058607
Just added and tried ping 172.16.4.1 (to office b asa) and still no go...

Other thoughts?
LVL 17

Expert Comment

by:rochey2009
ID: 37059154
Hi,

try

sysopt connection permit-ipsec or sysopt connection permit-vpn.

LVL 35

Expert Comment

by:Ernie Beek
ID: 37059158
Anything showing in the logs of the asas?

Author Comment

by:Jesh1975
ID: 37059388
rochey: should I run sysopt on both ASAs?  If so I won't be able to until tomorrow.

ernie: I will do some looking into this - end of the day here so I'll be back in the AM.
LVL 17

Expert Comment

by:rochey2009
ID: 37059401
Yes.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37059429
We'll be here :)

Author Comment

by:Jesh1975
ID: 37063845
Tried this on both sides (sysopt connection permit-ipsec) and no luck.  tried the other and nothing either.  I am looking into logs

5  Nov 01 2011  10:45:01  713041  IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (L2L)
6  Nov 01 2011  10:45:06  713219  IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6  Nov 01 2011  10:45:11  713219  IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
3  Nov 01 2011  10:46:16  713902  IP = 99.106.10.41, Removing peer from peer table failed, no match!
4  Nov 01 2011  10:46:16  713903  IP = 99.106.10.41, Error: Unable to remove PeerTblEntry

???

Author Comment

by:Jesh1975
ID: 37069541
Does anybody have any further information on the above errors or any information on why this configuration isn't working?

More information:  Our DSL (Site B) has a gateway of 99.106.xxx.46, but we have the ASA get 99.106.xxx.41 from one of the available addresses.  Any ideas?
LVL 35

Expert Comment

by:Ernie Beek
ID: 37069560
So the asa (site B) gets the address through dhcp? Not sure if that might cause an issue. Are you able to set that address statically on the asa?
It looks like phase1 isn't even established at the moment.
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37069562
Please show the output of

deb cry isa 128
deb cry ips 128
LVL 35

Expert Comment

by:Ernie Beek
ID: 37069573
Hi ikalmar,

Do tell me, what's the 128 for (haven't seen that before)?
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37069610
It gives more information in the debug output.

Author Comment

by:Jesh1975
ID: 37069651
It gets an address from DHCP but it's only one IP address in the pool.  It was set up stupidly by the previous IT years ago - I will change it to static when I get to that office and I'll turn off DHCP.  Regardless, the IP address isn't changing and the lease time is set for 30 days.

I am working on the debug log please give me a little bit.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37069691
No problem, we'll be here.

@ikalmar: Neat! Had my learning experience for today :)

Author Comment

by:Jesh1975
ID: 37069750
ikalmar: Could you tell me what's the best way I can view just the debug logging for the VPN traffic?  When I set up syslog for debug, it is showing all the teardowns and so on.

Any help would be appreciated.
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37069781
1. You need to enable debugging on both devices:

deb cry isakmp 128
deb cry ipsec 128

2. You need to create interesting traffic for the VPN,

3. and afterwards please provide us the output of the debugging....

Author Comment

by:Jesh1975
ID: 37069799
Some more information on Site A: ASA shows outside of 10.1.10.200/24 which is the IP the cable modem is giving.  In turn the public IP is translated to 70.91.xxx.22.  Just some more information.  Working on the debugging log.
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37069814
Yes, that is the problem... Are you able to make a real one-to-one NAT on the cable modem?

Author Comment

by:Jesh1975
ID: 37069833
There is no 1-to-1 NAT enabled on the Cable Modem.

The old VPN between two PIXes worked OK with this same setup and the same IPs I used.  But let's ignore that, since obviously the ASA is different from the PIX.

Author Comment

by:Jesh1975
ID: 37069845
(70.91.xxx.22 = WAN IP / Public Address).  We use the other IP's for email, web server, and so on.
LVL 35

Expert Comment

by:Ernie Beek
ID: 37069917
Is it a possibility to put the modem in bridged mode so you can put the public address on the outside interface of the ASA?
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37069955
The config works if the ASA which is behind the modem builds up the VPN.... please try it.... Did you enable NAT-T?

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1066013

Author Comment

by:Jesh1975
ID: 37069987
"The config works if the ASA which is behind the modem builds up the VPN.... please try it.... Did you enable NAT-T?

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1066013"

Does this need to be done on both sites, or only Site A?  If only on site A - it did not help.

Author Comment

by:Jesh1975
ID: 37070042
I noticed that in the old PIX, Site A had the command: crypto map mymap 20 ipsec-isakmp - there is nothing like this in the running config on the ASA.  Just more info...

Author Comment

by:Jesh1975
ID: 37070432
Do we have any other ideas here?  I might try the old configuration which was like this:

http://fengnet.com/book/vpnconf/ch21lev1sec3.html

LVL 17

Expert Comment

by:rochey2009
ID: 37072679
what was the output of the debug?
LVL 3

Expert Comment

by:Mystique_87
ID: 37074509
Hi Jesh,

The configuration of the Running Office B has DHCP configured for the outside IP address.
In this case you would not be able to configure a peer IP address for VPN in the Office A ASA.

You would need to use a dynamic crypto map in the Office A ASA.

Here is a document to configure the dynamic crypto map:
Dynamic Lan to Lan between pix and router
Check if this is the case and let me know. Hope this helps.

Author Comment

by:Jesh1975
ID: 37076462
Mystique: office B's DHCP pool is just 1 address, the previous IT person had it set up that way. I disabled DHCP and assigned an IP address.

rochey: I didn't go through the debug since we have begun to make assumptions that this has to do with Comcast Business Gateway - however I did have this working in the past with the same configuration and would like to know if the Cisco ASA operates differently than the Cisco PIX.  If so we can make that a possibility.  If not, then we know it is something else.  Does anyone know for SURE that the ASA and PIX operate differently and would cause this setup to not work?

rochey: also, could you tell me how to reset all the logging to default and just display the debug to our syslog server and or ssh session?

Author Comment

by:Jesh1975
ID: 37076536
Nov 03 09:28:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:37 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:28:37 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:28:37 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:28:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:40 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:28:45 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:28:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:28:46 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:28:53 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:29:01 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac153738)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:51b38963 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:29:09 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:29:09 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:29:09 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:30:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:07 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:30:07 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:30:07 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:10 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:15 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:16 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:17 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:20 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:23 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:26 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:31 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:38 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac32f190)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:d26c529e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:30:39 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:30:39 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:30:39 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:30:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:41 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:30:41 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:30:41 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:30:47 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:30:49 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:30:57 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:05 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:05 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:08 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac139658)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:d1e9e94a terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:31:13 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:31:13 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:31:13 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 09:31:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:14 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:31:14 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:31:14 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:22 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:26 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:29 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:30 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:31:35 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:31:38 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:31:05 [IKEv1 DEBUG]: Pitcher: received a key acquir$

Author Comment

by:Jesh1975
ID: 37076567
I'm sorry, here is a slightly better one; the other was spammed a little bit:

 Nov 03 09:34:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 09:34:20 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:23 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:28 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 09:34:29 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:36 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:44 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac139658)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:01e3d49f terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 09:34:52 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 09:34:52 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry

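Added example, not code from anyone in this thread: a Python triage for the `debug crypto isakmp 128` output posted above (collected the way ikalmar described: debug on, generate interesting traffic, capture). DEBUG is a copy of the lines from the cleaner capture; INIT_RE and PAIR_RE are my regexes for the ASA's "IKE Initiator: New Phase 1" line and the "FSM error history" state/event pairs, and the STUCK table is my mapping from the Main Mode wait state in which the initiator timed out to what it was waiting for. On this capture it reports the peer and proxy identities, that MM1 was sent four times (one SENDING plus three RESENDING), that nothing was ever received, and that the negotiation died in MM_WAIT_MSG2; the "Removing peer from peer table failed" lines are cleanup after the timeout, not its cause.

```python
"""Triage an ASA 'debug crypto isakmp' capture: which Main Mode message the
initiator was waiting for when it gave up, and how many times it retried."""
import re

# Lines copied from the cleaner debug capture posted above.
DEBUG = """\
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 09:34:20 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:23 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 09:34:28 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:36 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:44 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 09:34:52 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac139658)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 09:34:52 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
"""

INIT_RE = re.compile(r"IKE (Initiator|Responder): New Phase 1, Intf ([^,]+), IKE Peer (\S+)\s+"
                     r"local Proxy Address ([^,]+), remote Proxy Address ([^,]+)")
PAIR_RE = re.compile(r"((?:MM|AM|QM)_\w+), (EV_\w+|NullEvent)")   # "<state>, <event>" pairs

# What it means when an IKEv1 initiator times out in a given Main Mode wait state.
STUCK = {
    "MM_WAIT_MSG2": "MM1 (SA proposal) sent, no MM2 received: the peer never saw it or did not "
                    "answer (UDP/500 blocked or not forwarded by a NAT device on either side, wrong "
                    "peer address, ISAKMP not enabled on the peer's interface). A proposal mismatch "
                    "usually shows up as a NO_PROPOSAL_CHOSEN notify rather than silence.",
    "MM_WAIT_MSG4": "MM3 (DH key exchange + nonce) sent, no MM4: the peer did answer MM1, so "
                    "reachability is fine; read the responder's debug for why it dropped MM3.",
    "MM_WAIT_MSG6": "MM5 (identity + authentication hash, first encrypted message) sent, no MM6: "
                    "typically a pre-shared key or identity/tunnel-group mismatch on the peer.",
}


def triage(text):
    r = {"role": None, "intf": None, "peer": None, "local_proxy": None, "remote_proxy": None,
         "sent": 0, "received": 0, "queued_acquires": 0, "stuck_state": None,
         "diagnosis": "no FSM error recorded", "cleanup_noise": False}
    for line in text.splitlines():
        m = INIT_RE.search(line)
        if m:
            r.update(role=m[1].lower(), intf=m[2], peer=m[3], local_proxy=m[4], remote_proxy=m[5])
        elif "IKE_DECODE SENDING" in line or "IKE_DECODE RESENDING" in line:
            r["sent"] += 1
        elif "IKE_DECODE RECEIVED" in line:
            r["received"] += 1
        elif "Queuing KEY-ACQUIRE" in line:          # interesting traffic keeps arriving meanwhile
            r["queued_acquires"] += 1
        elif "FSM error history" in line:
            pairs = PAIR_RE.findall(line)
            timed_out = [s for s, e in pairs if e == "EV_TIMEOUT"]
            r["stuck_state"] = timed_out[0] if timed_out else (pairs[1][0] if len(pairs) > 1 else None)
            r["diagnosis"] = STUCK.get(r["stuck_state"], f"negotiation failed in {r['stuck_state']}")
        elif "Removing peer from peer table failed" in line:
            r["cleanup_noise"] = True               # consequence of the failure, not its cause
    return r


if __name__ == "__main__":
    for k, v in triage(DEBUG).items():
        print(f"{k:>16}: {v}")
```

Feed it the raw `debug crypto isakmp` text (`show logging` output with the syslog columns works too, since it only looks for the message bodies); a capture from the responder side, where the FSM history names MM_WAIT_MSG1/3/5, tells the other half of the story.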

Author Comment

by:Jesh1975
ID: 37077060
Here is another debug log, this time from when I tried to ping 172.16.4.1.  I see now it says constructing NAT-Traversal...

Nov 03 10:37:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:37:51 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:37:54 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:37:56 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:37:56 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:38:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:38:01 [IKEv1]: IP = 99.106.10.41, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac2698f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:cd013b23 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 10:38:02 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 10:38:02 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 10:38:02 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
Nov 03 10:38:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 03 10:38:06 [IKEv1]: IP = 99.106.10.41, IKE Initiator: New Phase 1, Intf inside, IKE Peer 99.106.10.41  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.4.0,  Crypto map (VPN_map)
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing ISAKMP SA payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 02 payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver 03 payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing NAT-Traversal VID ver RFC payload
Nov 03 10:38:06 [IKEv1 DEBUG]: IP = 99.106.10.41, constructing Fragmentation VID + extended capabilities payload
Nov 03 10:38:06 [IKEv1]: IP = 99.106.10.41, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:14 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:22 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:30 [IKEv1]: IP = 99.106.10.41, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE MM Initiator FSM error history (struct &0xac13e730)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, IKE SA MM:90c0ca18 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 03 10:38:38 [IKEv1 DEBUG]: IP = 99.106.10.41, sending delete/delete with reason message
Nov 03 10:38:38 [IKEv1]: IP = 99.106.10.41, Removing peer from peer table failed, no match!
Nov 03 10:38:38 [IKEv1]: IP = 99.106.10.41, Error: Unable to remove PeerTblEntry
0
 

Author Comment

by:Jesh1975
ID: 37078482
If any more information is required please let me know.  I'd like to get this issue resolved as soon as possible. Thanks!!
0
 

Author Comment

by:Jesh1975
ID: 37078749
More information... SH RUN SYSOPT never returns anything, even though I am using 'sysopt conn permit-vpn'.

Ideas??  Is this the stupid problem!?!
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 37079892
Hi,

post

show sysopt

make sure the preshared keys match and that the peer ip addresses are correct.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37080036
Hi,


Did you enable IPSEC pass-through on the modem?
0
 

Author Comment

by:Jesh1975
ID: 37082738
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp management

Preshared keys match; I have redone the configuration 2x to make sure.

ikalmar - I don't see a setting anywhere for IPSEC?

Some more information: Site A is Comcast Cable Modem (Small business, 5 ip's), Site B is AT&T DSL with 5 ip's.  I've set up this configuration before and had no problems :(
0
 

Author Comment

by:Jesh1975
ID: 37082760
DSL Info: IP Address 99.106.xxx.41 - 99.106.xxx.45
Gateway: 99.106.xxx.46

I've assigned the ASA to use the address of .41 and NAT to use outside IP address.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37083647
Hi,

Is it possible to turn on bridge mode on the modem?
0
 

Accepted Solution

by:
Jesh1975 earned 0 total points
ID: 37084274
I turned on bridge mode and it didn't help.  I ended up turning off bridge mode, rebooting the router again and changing the outside IP of the ASA to .41 and all public traffic to use .42, and now it works?

I don't understand why it would not work if I used .41 for the public.  The only other thing I did was allow all traffic from 70.91.xxx.22 to 90.106.xxx.41 and vice versa, even though sysopt con permit-vpn was on.  

I also went to the DSL Router, and as per (https://learningnetwork.cisco.com/thread/32684) did:

Under Security-->Stateful inspection
                          |___
                                 Expose address <-exposed the VPN IP.

So one of these things did it.  I am not sure who to give credit to for a solution here.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37693344
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
