Tim OBrien asked:

Cisco 5505 Configuration - IKEv1 was unsuccessful at setting up a tunnel

I am a new employee at a company and was asked to configure a Cisco ASA 5505. It is my first time doing this, and I was told to copy the running configuration from a current working ASA and modify it on the current ASA.

Both ASAs have the same firmware, 8.4.3.
I ran crypto key generate rsa (don't know if this is relevant, as I am learning how all the protocols are involved in VPN communication).

I copied the running configuration and thought I modified it correctly, but when the ASA startup configuration was reloaded the logging loops with the following:

%ASA-4-713157: IP = <I removed this as not sure if this is a security risk>, Timed out on initial contact to server [ XXX Deleted ]  Tunnel could not be established.
%ASA-4-752012: I.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= _vpnc_cm.  Map Sequence Number = 10.
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure tunnel-group' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP 0.0.0.0, executed 'clear configure tunnel-group'
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure crypto map _vpnc_cm' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP 0.0.0.0, executed 'clear configure crypto map _vpnc_cm'
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-4-752010: IKEv2 Doesn't have a proposal specified

Not sure if this is relevant, but I added a VPN client user to the domain account. I don't think this matters, as I believe this issue relates to the ASA not being able to get a tunnel established.

Additional Information which may be helpful:
show crypto ikev1 sa

1   IKE Peer: <I removed this IP>
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2

Lastly, when I was googling I saw a comment stating "appears you have not applied the crypto map to the interfaces", but I don't know which interface I should apply it to, as I don't want to cause more issues. Thanks for any help, and let me know what logs could help.

nickoarg:
You need to apply the crypto map on the outside interface, the one "closer" to the other ASA.
Still, you need to specify the IKE keys. Can you paste the sanitized configuration?
Tim OBrien (asker):

I apologize in advance for not understanding the ASA VPN as well as I should; I have a certification test I am taking this week, so I have been studying for that. I will focus more on the technical aspects of how the ASA works and VPN functionality when I finish and hopefully pass my VCP cert. Anyway, this is what I can provide you.

I ran crypto key generate rsa.
Reading the configuration document from the employee who left, I should have been prompted to enter 2048, but this never happened. I assume this is when the IKE keys get generated?
When troubleshooting I ran the command crypto key generate rsa modulus 2048 and generated the keys, but this didn't solve the issue.

Don't know if this will help, but I get this as well when I plug the ASA into a Comcast modem:

Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicited request from x.x.x.x
Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicited request from x.x.x.x
Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, Invalid packet detected!
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicite
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicite
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, Invalid packet detected!

Running Configuration of ASA is as follows:

ASA Version 8.4(3)
!
hostname asa-va
domain-name domainame.com
enable password 8IUpdK56RC3IBrk2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.191.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name domainname.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_inside
 subnet 192.168.191.0 255.255.255.0
object network obj_guest
 subnet 192.168.1.0 255.255.255.0
access-list snmp extended permit udp any any eq snmp
access-list global_access extended deny ip object obj_inside object obj_guest
access-list global_access extended permit ip object obj_inside any
access-list global_access extended deny ip object obj_guest object obj_inside
access-list global_access extended permit ip object obj_guest any
access-list global_access extended deny ip any any
access-list TCP extended permit tcp any any
!
tcp-map tmap
  tcp-options range 76 78 allow
!
pager lines 24
logging enable
logging console notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj_inside
 nat (inside,outside) dynamic interface
object network obj_guest
 nat (guest,outside) dynamic interface
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host x.x.x.x
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication http console Radius LOCAL
aaa authentication ssh console Radius LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto isakmp identity hostname
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
vpnclient server vpn3.domain.com vpn4.domain.com
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup VPN800SplitTunnel password *****
vpnclient username va-test password *****
vpnclient management tunnel 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
vpnclient enable
dhcpd auto_config outside
!
dhcpd address 192.168.191.100-192.168.191.199 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd domain domainname.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.20-192.168.1.240 guest
dhcpd dns 8.8.8.8 8.8.4.4 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x
ntp server x.x.x.x
webvpn
username xxxx password QM5r3k9yGlewJRxf encrypted
!
class-map cmap
 match access-list TCP
class-map voice-signaling
 match dscp af41
class-map inspection_default
 match default-inspection-traffic
class-map voice-traffic
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map pmap
 class cmap
  set connection advanced-options tmap
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class cmap
  set connection advanced-options tmap
policy-map llq-policy
 class voice-traffic
  priority
 class voice-signaling
  priority
policy-map type inspect h323 H323_Low
 parameters
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f09958d1676f77da9568bd150908b099
: end
ASKER CERTIFIED SOLUTION (nickoarg): [members-only content not included]
I believe we are using IKEv1 but am not 100% sure; where could I confirm the setting?
I ran the command show crypto ikev2 sa and got "There are no IKEv2 SAs",
so it is safe to assume we are using IKEv1 only.
SOLUTION: [members-only content not included]
OK, I turned on debugging and I am getting close... IKEv2 can be ignored, we are using IKEv1 for sure. I am not entering a key in the configuration; I am simply running the crypto key generate rsa command and not sure how I can screw that up. The key on the other end must be fine because we have many ASA routers configured, so it definitely must be something on this ASA.

 ...
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Aug 11 13:58:59 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE AM Initiator FSM error history (struct &0xcade9e48)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG2, EV_PROCESS_HASH-->AM_WAIT_MSG2, EV_CHK_AUTH_METHOD-->AM_WAIT_MSG2, EV_SKEYID_OK-->AM_WAIT_MSG2, NullEvent-->AM_WAIT_MSG2, EV_GEN_SKEYID-->AM_WAIT_MSG2, EV_GROUP_LOOKUP
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA AM:35dd18ef terminating:  flags 0x0100c021, refcnt 0, tuncnt 0
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Aug 11 13:58:59 [IKEv1]IP = x.x.x.x, No crypto map bound to interface... dropping pkt

Seems like the crypto map is not bound to the correct interface, but I don't know the crypto map name. I would bind it to the outside interface, but again the name is where I am now stuck. I believe
The crypto key generate rsa command is not used for the IKE key, it generates the private key for the ASA.

Just looked at my conf backup:

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
access-list ikev1-list extended permit ip LAN_ORIGIN LAN_MASK DESTINATION_NW DESTINATION_MASK
tunnel-group REMOTE_SITE_IP type ipsec-l2l
tunnel-group REMOTE_SITE_IP ipsec-attributes
 ikev1 pre-shared-key this_is_a_key
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set peer REMOTE_SITE_IP
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside

Can you access the CLI?
I may have figured out the issue. Please hold off on suggestions, as I don't want to waste your time. Update coming shortly. Thanks.
I indeed messed up the password; the RADIUS server and the passwords required were not added correctly.

The ASA is now up and running with an active VPN connection. Thanks all for helping.
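As an added example (not code from the thread or from Cisco), a small Python triage script that classifies the ASA syslog and IKEv1 debug lines quoted above and ranks them so that the phase 1 shared-secret mismatch, which turned out to be the real cause here, surfaces ahead of the generic "tunnel failed" summaries. The sample log lines and the peer address 203.0.113.5 are constructed.

```python
import re

# Constructed sample lines in the style of the ASA syslog and
# "debug crypto ikev1" output quoted in the thread (203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
%ASA-4-713157: IP = 203.0.113.5, Timed out on initial contact to server [ 203.0.113.5 ]  Tunnel could not be established.
%ASA-4-752010: IKEv2 Doesn't have a proposal specified
Aug 11 13:58:59 [IKEv1]Group = 203.0.113.5, IP = 203.0.113.5, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
Aug 11 13:58:59 [IKEv1]IP = 203.0.113.5, No crypto map bound to interface... dropping pkt
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= _vpnc_cm.  Map Sequence Number = 10.
"""

# (regex, severity, finding). Lower severity number = more specific root cause,
# so a phase 1 authentication failure outranks the generic "tunnel failed" summary.
RULES = [
    (r"Rxed Hash is incorrect: Pre-shared\s+key", 1,
     "IKEv1 phase 1 authentication failed: shared secret differs between peers"),
    (r"No crypto map bound to interface", 2,
     "IKE packet hit an interface with no crypto map: bind the map to outside"),
    (r"Timed out on initial contact to server", 3,
     "Peer never answered on UDP/500: check reachability and that ikev1 is enabled on outside"),
    (r"failed to establish an L2L SA", 4,
     "Summary only; the cause is in the earlier IKEv1 lines"),
    (r"IKEv2 Doesn't have a proposal specified", 9,
     "Informational when only IKEv1 is configured; safe to ignore"),
]
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")

def classify(line):
    """Return (severity, finding, peer_ip) for a recognised line, else None."""
    for pattern, severity, finding in RULES:
        if re.search(pattern, line):
            m = PEER_RE.search(line)
            return severity, finding, m.group(1) if m else None
    return None

def triage(log_text):
    """Classify every line and sort by severity so the most actionable cause comes first."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return sorted(hits, key=lambda h: h[0])

def root_cause(log_text):
    """The single finding a responder should act on first, or None if nothing matched."""
    hits = triage(log_text)
    return hits[0][1] if hits else None

if __name__ == "__main__":
    for severity, finding, peer in triage(SAMPLE_LOG):
        print(f"[{severity}] peer={peer}: {finding}")
```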