Link to home
Start Free TrialLog in
Avatar of ctagle
ctagleFlag for United States of America

asked on

Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

hello experts,

i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.

Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B

Site A running config:

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 24.93.41.125
 name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end

Site A sh crypto isakmp sa:

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Site A sh ipsec sa:

Result of the command: "sh ipsec sa"

interface: outside
    Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1

      access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C1074C40
      current inbound spi : B21273A9

    inbound esp sas:
      spi: 0xB21273A9 (2987553705)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1691648, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (3914989/27694)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC1074C40 (3238480960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1691648, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (3914999/27694)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001



Site B running config:

Result of the command: "sh run"

: Saved
:
: Serial Number: JMX184640WY
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4
!
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.248
!
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network mcallen_network
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end

Site B sh crypto isakmp sa:

Result of the command: "sh crypto isakmp sa"

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Site B sh ipsec sa:

Result of the command: "sh ipsec sa"

interface: outside
    Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1


      #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B21273A9
      current inbound spi : C1074C40

    inbound esp sas:
      spi: 0xC1074C40 (3238480960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 28672, crypto-map: outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373999/27456)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000003
    outbound esp sas:
      spi: 0xB21273A9 (2987553705)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 28672, crypto-map: outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373987/27456)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Avatar of Jan Bacher
Jan Bacher
Flag of United States of America image

Are you doing NAT exemption for the two networks at both ends?
Avatar of ctagle

ASKER

Yes
packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail

on the 192.168.1.x ASA and invert the IPs to do it on the other ASA.
Avatar of ctagle

ASKER

i'm not sure if this has anything to do with it or not, but i have been running packet traces and have noticed that the traffic can flow in all directions but into site B.  it looks like this when i run it:

Result of the command: "packet-tracer input outside icmp 192.168.2.11 0 1 192.168.1.11"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.11/0 to 192.168.1.11/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object mcallen_network any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.11/0 to 192.168.2.11/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Avatar of ctagle

ASKER

sorry posted that last one to quickly, let my try your traces
And also, pull all statements that have anything to do with NAT from each of the configs.

With both phase I and phase II up, it has to be this (unless the destination server has a firewall of its own blocking the traffic).
Avatar of ctagle

ASKER

site b packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail:

Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 2.2.2.2, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc83c9c8, priority=500, domain=permit, deny=true
      hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


site b packet-tracer input outside tcp 192.168.2.1 65535 192.168.1.1 25 detail:

Result of the command: "packet-tracer input outside tcp 192.168.2.1 65535 192.168.1.1 25 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.1.1     255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc8ba01b8, priority=1, domain=nat-per-session, deny=true
      hits=81063, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc85c080, priority=0, domain=permit, deny=true
      hits=8701, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

site a packet-tracer input inside tcp 192.168.2.1 65535 192.168.1.1 25 detail
Result of the command: "packet-tracer input inside tcp 192.168.2.1 65535 192.168.1.1 25 detail"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8232c48, priority=500, domain=permit, deny=true
      hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip=192.168.2.1, mask=255.255.255.255, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

site a
Result of the command: "packet-tracer input outside tcp 192.168.1.1 65535 192.168.2.1 25 detail"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.1     255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd827bd28, priority=0, domain=permit, deny=true
      hits=298359, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
      src ip=0.0.0.0, mask=0.0.0.0, port=0
      dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
it looks like site b might not have a nat exemption statement for traffic between 192.168.2.0/24 and 192.168.1.0/24.
Avatar of ctagle

ASKER

on the NAT statements are you referring to the sh xlate command or something different?
Avatar of ctagle

ASKER

thats kind of what i figured, but i cna't figure out how to add it, 9.2 is way different than 8.2.
hold on, i'll put it together for you.
ASKER CERTIFIED SOLUTION
Avatar of Jan Bacher
Jan Bacher
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of ctagle

ASKER

that doesn't seem to have worked, i did modify the commands slightly though because i already have those network objects on the asa, see below what i put

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

local for site b is 192.168.1.0 remote for site b is 192.168.2.0

if the above command won't i'll remove it and create the objects you specified.
on b run:

packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail
Avatar of ctagle

ASKER

Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/25 to 192.168.2.1/25

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc83c9c8, priority=500, domain=permit, deny=true
      hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
on b:

    sh log | i 192.168.2

and if there's nothing obvious:

   debug crypto isakmp 25
   debug crypto ipsec 25
   term mon

do a test and see if there is anything interesting in the debug.
Avatar of ctagle

ASKER

hmmm, ok let me see if i can find a way to get into the console, telnet doesn't work because have no idea what the password is, which is weird because its never been set since this thing was freshly wiped and setup.
if you can get into console, you can always do a password recovery.

power cycle
on startup, hit ESC
confreg (answer "no" and get the config register)
confreg 0x41
boot
ena
copy start run
config t
enable password PUT_SOMETHING_HERE
config-register 0x01
end
wr mem
reload
Avatar of ctagle

ASKER

the first command doesn't do anything
i'll post the output from debig crypto isakmp 25 below
debug ipsec didn't show anything
term mon said its not supported

output of debug crypto isakmp 25:
 Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, S         ending keep-alive of type DPD R-U-THERE (seq number 0x76004143)
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          blank hash payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          qm hash payload
Jan 23 13:14:11 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=8056a         f3b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:11 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 6         7.79.60.58:500
Jan 23 13:14:11 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=827b         14c5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing h         ash payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing n         otify payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received kee         p-alive of type DPD R-U-THERE-ACK (seq number 0x76004143)
term mon
Monitor option not supported for the console.
CSOLSAASA# Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, S         ending keep-alive of type DPD R-U-THERE (seq number 0x76004144)
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          blank hash payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          qm hash payload
Jan 23 13:14:21 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=11549         df8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:21 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 6         7.79.60.58:500
Jan 23 13:14:21 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=6351         ec94) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing h         ash payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing n         otify payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received kee         p-alive of type DPD R-U-THERE-ACK (seq number 0x76004144)
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Sending keep         -alive of type DPD R-U-THERE (seq number 0x76004145)
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          blank hash payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          qm hash payload
Jan 23 13:14:31 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=899de         487) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:31 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 6         7.79.60.58:500
Jan 23 13:14:31 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=4aca         325c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing h         ash payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing n         otify payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received kee         p-alive of type DPD R-U-THERE-ACK (seq number 0x76004145)
debug crypto isakmp 2Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 67.7         9.60.58, Sending keep-alive of type DPD R-U-THERE (seq number 0x76004146)
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          blank hash payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing          qm hash payload
Jan 23 13:14:41 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=d7fdc         bf1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:41 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 6         7.79.60.58:500
Jan 23 13:14:41 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=f6f7         499b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing h         ash payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing n         otify payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received kee         p-alive of type DPD R-U-THERE-ACK (seq number 0x76004146)  no debug crypto isakm
Avatar of ctagle

ASKER

nothing in that really pops out at me, but i could be missing something.
Avatar of ctagle

ASKER

no matter what i do when i put the below trace command on the site b router it fails every time.  on the site a it succeeds with no problem (the ip's are reversed of course)

Result of the command: "packet-tracer input outside tcp 192.168.2.11 65535 192.168.1.11 25 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.11/25 to 192.168.1.11/25

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object mcallen_network any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xccdb7620, priority=13, domain=permit, deny=false
      hits=1, user_data=0xca797fd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
Additional Information:
Static translate 192.168.2.11/65535 to 192.168.2.11/65535
 Forward Flow based lookup yields rule:
 in  id=0xcd079c20, priority=6, domain=nat, deny=false
      hits=66, user_data=0xcceb8560, cs_id=0x0, flags=0x0, protocol=0
      src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
      dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
      input_ifc=outside, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc8ba01b8, priority=1, domain=nat-per-session, deny=true
      hits=130766, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc8614d0, priority=0, domain=inspect-ip-options, deny=true
      hits=81231, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xccf2eaa8, priority=70, domain=ipsec-tunnel-flow, deny=false
      hits=1031, user_data=0x721c4, cs_id=0xcc891238, reverse, flags=0x0, protocol=0
      src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
      dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
      input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
the trace on b should look like this:

packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail
Avatar of ctagle

ASKER

that trace fails everytime, i'll put the results below.

Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 1.1.1.1, outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/25 to 192.168.2.1/25

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc83c9c8, priority=500, domain=permit, deny=true
      hits=12, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
      src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
do you have:

same-security-traffic permit inter-interface

?
Avatar of ctagle

ASKER

i didn't before, but i just added it right now, still the same result though
without debug, i'm shooting in the dark.  let's do some cleanup.

1) on b remove from the nat statement:
 
     no-proxy-arp route-lookup

2) set the transform-set on b to exact match a

3) on b, do a show access-list for the cryptomap and nat
Avatar of ctagle

ASKER

ipsec debug showed some stuff just now, i'll post it right now.

 IPSEC: Deleted outbound encrypt rule, SPI 0xCEC7C1AD
    Rule ID: 0xcc23f628
IPSEC: Deleted outbound permit rule, SPI 0xCEC7C1AD
    Rule ID: 0xcc0ae3a0
IPSEC: Deleted outbound VPN context, SPI 0xCEC7C1AD
    VPN handle: 0x0006d864
IPSEC: Deleted inbound decrypt rule, SPI 0x1365DF65
    Rule ID: 0xccfaf720
IPSEC: Deleted inbound permit rule, SPI 0x1365DF65
    Rule ID: 0xccda9b00
IPSEC: Deleted inbound tunnel flow rule, SPI 0x1365DF65
    Rule ID: 0xccf2eaa8
IPSEC: Deleted inbound VPN context, SPI 0x1365DF65
    VPN handle: 0x000721c4
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xcd077720,
    SCB: 0xCD09F800,
    Direction: inbound
    SPI      : 0x2F1CB7A9
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbe508,
    SCB: 0xCD127378,
    Direction: inbound
    SPI      : 0x125F9589
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07c580,
    SCB: 0xCD077478,
    Direction: inbound
    SPI      : 0x27E95D47
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07ccb0,
    SCB: 0xCCDB4F50,
    Direction: inbound
    SPI      : 0x7E9A43E0
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd0760d8,
    SCB: 0xCCF2D450,
    Direction: inbound
    SPI      : 0x979C7F7B
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19502, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19502, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19758, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19758, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20014, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20014, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20270, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20270, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20526, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20526, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20782, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20782, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xcd07c580,
    SCB: 0xCD076E20,
    Direction: inbound
    SPI      : 0x88FD5679
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07ccb0,
    SCB: 0xCCFA3F50,
    Direction: inbound
    SPI      : 0x033EA9A9
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd0760d8,
    SCB: 0xCCF24320,
    Direction: inbound
    SPI      : 0xF2E27BAB
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbec28,
    SCB: 0xCD077478,
    Direction: inbound
    SPI      : 0x4F9B4EBF
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbf160,
    SCB: 0xCCF37FB0,
    Direction: inbound
    SPI      : 0x842EB49C
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac348,
    SCB: 0xCC7A1B70,
    Direction: inbound
    SPI      : 0x874FB32E
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac880,
    SCB: 0xCCF39560,
    Direction: inbound
    SPI      : 0xDDA0977E
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcc85cb40,
    SCB: 0xCCF23888,
    Direction: inbound
    SPI      : 0xA7AE32C5
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcc85d078,
    SCB: 0xCCFA4198,
    Direction: inbound
    SPI      : 0x15752DCF
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcd079498,
    SCB: 0xCC158868,
    Direction: inbound
    SPI      : 0xEEE26CBF
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac348,
    SCB: 0xCD076E20,
    Direction: outbound
    SPI      : 0x67E84CFB
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x67E84CFB
IPSEC: Creating outbound VPN context, SPI 0x67E84CFB
    Flags: 0x00000005
    SA   : 0xccdac348
    SPI  : 0x67E84CFB
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x51E51835
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0x67E84CFB
    VPN handle: 0x0007d95c
IPSEC: New outbound encrypt rule, SPI 0x67E84CFB
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x67E84CFB
    Rule ID: 0xccda9c28
IPSEC: New outbound permit rule, SPI 0x67E84CFB
    Src addr: 2.2.2.2
    Src mask: 255.255.255.255
    Dst addr: 1.1.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x67E84CFB
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x67E84CFB
    Rule ID: 0xcd077478
IPSEC: New embryonic SA created @ 0xccdac880,
    SCB: 0xCCF39560,
    Direction: inbound
    SPI      : 0xDDA0977E
    Session ID: 0x0000B000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host IBSA update, SPI 0xDDA0977E
IPSEC: Creating inbound VPN context, SPI 0xDDA0977E
    Flags: 0x00000006
    SA   : 0xccdac880
    SPI  : 0xDDA0977E
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0007D95C
    SCB  : 0x51DCCB89
    Channel: 0xc8c234e0
IPSEC: Completed inbound VPN context, SPI 0xDDA0977E
    VPN handle: 0x00081b5c
IPSEC: Updating outbound VPN context 0x0007D95C, SPI 0x67E84CFB
    Flags: 0x00000005
    SA   : 0xccdac348
    SPI  : 0x67E84CFB
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00081B5C
    SCB  : 0x51E51835
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0x67E84CFB
    VPN handle: 0x0007d95c
IPSEC: Completed outbound inner rule, SPI 0x67E84CFB
    Rule ID: 0xccda9c28
IPSEC: Completed outbound outer SPD rule, SPI 0x67E84CFB
    Rule ID: 0xcd077478
IPSEC: New inbound tunnel flow rule, SPI 0xDDA0977E
    Src addr: 192.168.2.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xDDA0977E
    Rule ID: 0xccf37fb0
IPSEC: New inbound decrypt rule, SPI 0xDDA0977E
    Src addr: 1.1.1.1
    Src mask: 255.255.255.255
    Dst addr: 2.2.2.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xDDA0977E
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xDDA0977E
    Rule ID: 0xccf23888
IPSEC: New inbound permit rule, SPI 0xDDA0977E
    Src addr: 1.1.1.1
    Src mask: 255.255.255.255
    Dst addr: 2.2.2.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xDDA0977E
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xDDA0977E
    Rule ID: 0xccfa4198
i hate to do this, but i have to step away.  unless someone else can pick this up, i will be back tomorrow morning.

one other thing that i wanted to change for consistency, set the group to either 2 or 5 at both ends -- not both.
Avatar of ctagle

ASKER

did everything but no change, thank you for the help.
Avatar of ctagle

ASKER

There was some issues on the other end caused by the client that were skewing my testing, but this basically resolved the issue in the end.  Thanks for your help.