Solved

ASA Tunnel not coming up

Posted on 2014-12-23
Last Modified: 2015-02-09
I have an ASA 5505 v9.1 and an 891w v15.2. I cannot get the tunnel to come up. 'sh ipsec sa' and 'sh isakmp sa' on the ASA shows nothing. The 891 at least shows info with 'sh crypto ipsec sa'. What am I missing?

## ASA ##

interface Vlan2
 nameif outside
 security-level 0
 ip address 199.x.x.125 255.255.255.248

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network inside_nets
 subnet 192.168.10.0 255.255.255.0
object network NEW_nets
 subnet 192.168.5.0 255.255.255.0

access-list Colo-New extended permit ip object inside_nets object NEW_nets

nat (inside,outside) source static inside_nets inside_nets destination static NEW_nets NEW_nets no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map OutsideNet_map 2 match address Colo-New
crypto map OutsideNet_map 2 set peer 71.x.x.118
crypto map OutsideNet_map 2 set ikev1 transform-set ESP-3DES-MD5

crypto map OutsideNet_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 71.x.x.118 type ipsec-l2l
tunnel-group 71.x.x.118 ipsec-attributes
 ikev1 pre-shared-key *



## 891 ##

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 199.x.x.125
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
 set peer 199.x.x.125
 set transform-set ESP-3DES-MD5
 match address OFFICE

interface FastEthernet8
 description WAN Interface
 ip address 71.x.x.118 255.255.255.252
 crypto map CMAP_OUTSIDE

ip nat inside source list NAT-LIST interface FastEthernet8 overload

ip access-list extended NAT-LIST
 deny   ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended OFFICE
 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255


Question by:lconnell
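As an added example (not code from the thread or from either poster), here is a small Python check that parses the crypto-relevant lines of both configs in the question and reports the mismatches that most often keep an IKEv1 L2L tunnel from coming up: phase 1 policy, transform set, peer addresses, and crypto ACLs that are not mirror images. The sample inputs are constructed from the question's own config lines (with the author's masked "x" octets left in place); the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample input: the crypto-relevant lines of the question's ASA and 891 configs.
ASA_CFG = ("interface Vlan2\n nameif outside\n ip address 199.x.x.125 255.255.255.248\n"
           "object network inside_nets\n subnet 192.168.10.0 255.255.255.0\n"
           "object network NEW_nets\n subnet 192.168.5.0 255.255.255.0\n"
           "access-list Colo-New extended permit ip object inside_nets object NEW_nets\n"
           "crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac\n"
           "crypto map OutsideNet_map 2 match address Colo-New\n"
           "crypto map OutsideNet_map 2 set peer 71.x.x.118\n"
           "crypto ikev1 policy 1\n authentication pre-share\n encryption 3des\n hash md5\n group 2\n")
IOS_CFG = ("crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
           "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac\n"
           "crypto map CMAP_OUTSIDE 10 ipsec-isakmp\n set peer 199.x.x.125\n match address OFFICE\n"
           "interface FastEthernet8\n ip address 71.x.x.118 255.255.255.252\n crypto map CMAP_OUTSIDE\n"
           "ip access-list extended OFFICE\n permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255\n")

def net(text):
    """'a.b.c.d 0.0.0.255' (IOS wildcard) or 'a.b.c.d 255.255.255.0' (ASA mask) -> IPv4Network."""
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)

def tunnel_params(cfg):
    """Phase 1 policy, phase 2 transform, peer and crypto ACL (src, dst) from either CLI dialect."""
    policy = re.search(r"crypto (?:isakmp|ikev1) policy \d+\n((?: .+\n)+)", cfg).group(1)
    d = dict(line.split(None, 1) for line in policy.splitlines())
    d.setdefault("encryption", d.pop("encr", None))  # IOS says 'encr', ASA says 'encryption'
    acl = re.escape(re.search(r"match address (\S+)", cfg).group(1))
    objs = {n: f"{ip} {mask}" for n, ip, mask in re.findall(r"object network (\S+)\n subnet (\S+) (\S+)", cfg)}
    # ASA writes the ACE on one line with object names; IOS nests it under a named ACL block.
    ace = (re.search(rf"access-list {acl} extended permit ip object (\S+) object (\S+)", cfg)
           or re.search(rf"ip access-list extended {acl}\n(?: .+\n)*? permit ip (\S+ \S+) (\S+ \S+)", cfg))
    return {"phase1": tuple(d.get(k) for k in ("authentication", "encryption", "hash", "group")),
            "phase2": re.search(r"transform-set \S+ (esp-\S+ esp-\S+)", cfg).group(1),
            "peer": re.search(r"set peer (\S+)", cfg).group(1),
            "acl": tuple(net(objs.get(g, g)) for g in ace.groups())}

def compare(asa_cfg, ios_cfg):
    """Return human-readable mismatches; an empty list means both sides agree."""
    a, b, findings = tunnel_params(asa_cfg), tunnel_params(ios_cfg), []
    for key in ("phase1", "phase2"):
        if a[key] != b[key]:
            findings.append(f"{key} mismatch: ASA {a[key]} vs IOS {b[key]}")
    # Each side's peer must be an interface address on the other side (WAN/outside in practice).
    for name, side, other in (("ASA", a, ios_cfg), ("IOS", b, asa_cfg)):
        if not re.search(rf"^ ip address {re.escape(side['peer'])} ", other, re.M):
            findings.append(f"{name} peer {side['peer']} is not an interface address on the other side")
    if a["acl"] != b["acl"][::-1]:  # the IOS ACE must be the mirror image of the ASA ACE
        findings.append(f"crypto ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    return findings
```

Run against the question's two configs it returns no findings, which is consistent with the accepted answer reproducing the same settings in a lab and seeing the tunnel establish; the pre-shared key and the NAT exemption are not covered here and still have to be checked by hand.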
4 Comments
 

Author Comment

by:lconnell
ID: 40515682
I also cannot seem to get 'debug crypto ipsec' or 'debug crypto isakmp' to show anything at all.

Accepted Solution

by: marek1712 earned 500 total points
ID: 40517890
Let's start from the beginning.
Do both sites have internet access and public IPs?
I'm asking because I've configured it in the GNS and it works.

Anyway - you can find sample configs below:

ROUTER - LEFT SIDE:
R1#show run
Building configuration...

Current configuration : 1967 bytes
!
! Last configuration change at 21:34:31 UTC Thu Dec 25 2014
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 199.0.0.125
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP_OUTSIDE 10 ipsec-isakmp
 set peer 199.0.0.125
 set transform-set ESP-3DES-MD5
 match address OFFICE
!
!
!
!
!
interface Ethernet0/0
 no ip address
 shutdown
 duplex auto
!
interface GigabitEthernet0/0
 description WAN Interface
 ip address 71.0.0.118 255.255.255.252
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
 crypto map CMAP_OUTSIDE
!
interface GigabitEthernet1/0
 ip address 192.168.5.1 255.255.255.0
 negotiation auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 network 71.0.0.116 0.0.0.3 area 0
 network 192.168.5.0 0.0.0.255 area 0
!
ip nat inside source list NAT-LIST interface GigabitEthernet0/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 71.0.0.117
!
ip access-list extended NAT-LIST
 deny   ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended OFFICE
 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end



ASA 8.4 - RIGHT SIDE (don't have v9, shouldn't differ too much)
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 199.0.0.125 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside_nets
 subnet 192.168.10.0 255.255.255.0
object network NEW_nets
 subnet 192.168.5.0 255.255.255.0
access-list Colo-New extended permit ip object inside_nets object NEW_nets
access-list ICMP extended permit icmp any any echo
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-list ICMP extended permit icmp any any
pager lines 24
logging enable
logging timestamp
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside_nets inside_nets destination static NEW_nets NEW_nets no-proxy-arp route-lookup
access-group ICMP global
!
router ospf 1
 network 192.168.10.0 255.255.255.0 area 0
 network 199.0.0.120 255.255.255.248 area 0
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 199.0.0.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OutsideNet_map 2 match address Colo-New
crypto map OutsideNet_map 2 set peer 71.0.0.118
crypto map OutsideNet_map 2 set ikev1 transform-set ESP-3DES-MD5
crypto map OutsideNet_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 71.0.0.118 type ipsec-l2l
tunnel-group 71.0.0.118 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:49e70d5b546c324f96163817c5356f08
: end



Output:
R1:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
199.0.0.125     71.0.0.118      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA


ASA:
ciscoasa#show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 71.0.0.118
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs



Did you try to enable debugging on the ASA (beware that you may hang your FW if it's already under heavy load!)?
Remember to issue:
logging monitor debugging


The router should display debug info by default.

Expert Comment

by:Feroz Ahmed
ID: 40591967
Hi,

There is no traffic flow from any of the interfaces because of the missing "no shut" command.
In your ASA configuration, please check your interfaces: by default they are "shutdown". Remove the shutdown and enter "no shut"; this is why the ASA is not able to show any result for "sh ipsec sa" and "sh isakmp sa". Modify your configuration with "no shut", try once and see.

If this is not the issue, please share the running as well as the start-up configuration of the ASA.

Author Comment

by:lconnell
ID: 40598361
Hello,

I am sorry for the delay here. I have switched jobs and I no longer have access to that equipment. I am pretty sure the config was correct and there definitely was not a shutdown interface. I was going to reboot both devices and re-enter the config to see if that fixed it; however, as I said, I no longer have access, so I will be closing this out.

Thanks for your assistance!
