How can I get my VTI interface 'up' and complete the VPN connection. ASA 5506 to Cisco 4321

I'm trying to replace a Cisco 887 with an ASA to connect our CoLo Cisco 4321 router via VTI tunnel. It looks like I have everything configured properly, but my Tunnel Interface on the ASA will not turn up. Line and protocol are both down. When I debug, you can see they are trying to establish a connection:

 RECV PACKET from X.X.X.X
ISAKMP Header
  Initiator COOKIE: e7 4e 84 d4 08 39 37 d1
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 204
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 96
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 84
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 2
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      43 9b 59 f8 ba 67 6c 4c 77 37 ae 22 ea b8 f5 82
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Mar 15 22:47:59 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing SA payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, Oakley proposal is acceptable
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal RFC VID
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal ver 03 VID
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal ver 02 VID
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, processing IKE SA payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 7
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, constructing ISAKMP SA payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver RFC payload
Mar 15 22:47:59 [IKEv1 DEBUG]IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Mar 15 22:47:59 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128


My 4321 config:

Building configuration...


Current configuration : 4935 bytes
!
! Last configuration change at 22:30:24 utc Thu Mar 15 2018 by bellcoadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname host
!
boot-start-marker
boot system tftp isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin 255.255.255.255
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
clock timezone EST -5 0
clock summer-time utc recurring
!
!
!
!
!
!
!
!
!
!
!



no ip domain lookup
ip domain name
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
domain
!
!
crypto pki trustpoint tpselfsigned
 enrollment selfsigned
 revocation-check crl
 rsakeypair tpkeypair
!
!
crypto pki certificate chain tpselfsigned
 certificate self-signed 01
        quit
license udi pid ISR4321/K9 sn FDO21070PDL
!
spanning-tree extend system-id
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 2
crypto isakmp key s3cu address X.X.X.X
crypto isakmp key s3cu address X.X.X.X no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-AES-256-SHA
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel2
 no ip address
!
interface Tunnel10
 description "Tunnel to XXXXXXXX"
 ip address 10.255.255.1 255.255.255.252
 tunnel source X.X.X.X
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel protection ipsec profile IPSEC-PROF-1
!
interface Tunnel11
 description "Tunnel to Sinking Spring"
 ip address 10.255.255.5 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel protection ipsec profile IPSEC-PROF-1
!
interface GigabitEthernet0/0/0
 description LAN
 ip address 192.168.61.4 255.255.255.248
 negotiation auto
!
interface GigabitEthernet0/0/1
 description X.X.X.X 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 7
 default-metric 1536 10000 255 1 1500
 network 10.255.255.0 0.0.0.3
 network 10.255.255.4 0.0.0.3
 redistribute eigrp 99
!
!
router eigrp 99
 network 10.61.1.0 0.0.0.255
 network 10.61.128.1 0.0.0.0
 network 192.168.61.0 0.0.0.7
 redistribute eigrp 7
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 96.66.28.234
!
!
ip access-list standard vty-acl
 permit 0.0.0.0
 permit any
!
!
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 10 permit 10.0.0.0/16 le 32
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 20 permit 10.1.0.0/16 le 32
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 30 permit 172.28.61.0/24 le 32
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 40 permit 172.29.61.0/24 le 32
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 50 permit 10.61.200.0/24 le 32
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 60 permit 192.168.61.0/29
ip prefix-list EIGRP-MDT-VLAN10-OUT-PL seq 70 permit 10.255.255.0/24 le 32
!
!
!
control-plane
!
!
line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class vty-acl in
 login local
 transport input telnet ssh
!
ntp server 129.6.15.30
!
end


Relevant ASA config:
interface Tunnel10
 description "Tunnel to CoLo"
 ip address 10.255.255.2 255.255.255.252
 tunnel source SOURCE_NIC
 tunnel mode ipsec ipv4
 tunnel destination DESTINATION

crypto ipsec profile MDT
 set ikev1 transform-set ESP-3DES-MD5
 set pfs group2
 responder-only

 tunnel protection ipsec profile IPSEC-PROF-1
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
syarmushAsked:
Joseph HornseyPresident and JanitorCommented:
On the ASA, have you created a NAT exclusion?

Something like:

object network NET_A
  subnet x.x.x.x
object network NET_B
 subnet y.y.y.y

Assuming NET_A is the source and NET_B is the destination:
nat (inside,any) source static NET_A NET_A destination static NET_B NET_B no-proxy-arp route-lookup

I don't think that would keep the interface from coming up, but your tunnel definitely won't work without it.

You need to include more config off the ASA.  Crypto config?  Transform sets?  ACLs?
syarmushAuthor Commented:
Yes.  Here is more info:

object network NETWORK_OBJ_10.0.61.0_24
 subnet 10.0.61.0 255.255.255.0
object network NETWORK_OBJ_10.61.1.0_24
 subnet 10.61.1.0 255.255.255.0

nat (inside,any) source static NETWORK_OBJ_10.61.1.0_24 NETWORK_OBJ_10.61.1.0_24 destination static NETWORK_OBJ_10.0.61.0_24 NETWORK_OBJ_10.0.61.0_24 no-proxy-arp route-lookup


Transform Sets

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set MDT esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec profile MDT
  set ikev1 transform-set ESP-3DES-MD5
  set pfs group2
  responder-only
Joseph HornseyPresident and JanitorCommented:
Is there a reason why you have so many transform-sets?

Looks like your tunnels on the router side are using:
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-AES-256-SHA

On the ipsec profile MDT on the ASA:
crypto ipsec profile MDT
  set ikev1 transform-set ESP-3DES-MD5
  set pfs group2
  responder-only

That's a mismatch.

I'd HIGHLY recommend cleaning up your configs.  Get rid of any transform-sets you're not using and get rid of any ipsec profiles you're not using.
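As an added cross-check (example code, not from the thread or from either device), the script below normalizes the IOS and ASA transform-set syntax and reports which Phase 2 parameters the two ipsec profiles disagree on; the config excerpts are constructed from the ones quoted above.

```python
import re
# Constructed excerpts of the router (IOS) and ASA configs quoted in this thread.
IOS_CFG = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-AES-256-SHA
"""
ASA_CFG = """
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec profile MDT
  set ikev1 transform-set ESP-3DES-MD5
  set pfs group2
"""
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", re.M)

def normalize(tokens):
    """Map IOS 'esp-aes 256' and ASA 'esp-aes-256' onto one (cipher, bits, hmac) tuple."""
    toks, cipher, bits, hmac = tokens.split(), None, None, None
    for i, t in enumerate(toks):
        if t.endswith("-hmac"):
            hmac = t
        elif m := re.fullmatch(r"esp-(aes|3des|des)(?:-(\d+))?", t):
            cipher, bits = m.groups()
            if cipher == "aes" and bits is None:  # IOS puts the AES key length in the next token
                bits = toks[i + 1] if i + 1 < len(toks) and toks[i + 1].isdigit() else "128"
    return (cipher, bits, hmac)

def parse(cfg):
    """Return {profile: {"ts": normalized transform-set, "pfs": DH group or None}}."""
    sets = {n: normalize(r) for n, r in TS_RE.findall(cfg) if not r.startswith("mode ")}
    profiles, cur = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if line.startswith("crypto ipsec profile "):
            cur = parts[-1]
            profiles[cur] = {"ts": None, "pfs": None}
        elif not line.startswith(" "):  # any other top-level line ends the profile block
            cur = None
        elif cur and parts[:1] == ["set"]:
            if "transform-set" in parts:
                profiles[cur]["ts"] = sets.get(parts[-1])
            elif len(parts) == 3 and parts[1] == "pfs":
                profiles[cur]["pfs"] = parts[2]
    return profiles

def compare(router, asa):
    """Return the Phase 2 parameters ("ts", "pfs") on which the two profiles disagree."""
    return [k for k in ("ts", "pfs") if router[k] != asa[k]]
```

With the author's later ASA profile (ESP-AES-256-SHA) the transform-set side matches the router's, but `set pfs group2` on the ASA still has no counterpart under the router's IPSEC-PROF-1.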

syarmushAuthor Commented:
We inherited this ASA and I haven't had time to clean it up.  I did have the IPsec profile set to the following:

crypto ipsec profile MDT
   set ikev1 transform-set ESP-AES-256-SHA
   set pfs group2
   responder-only

I added the pfs group2 setting after I saw the feedback from the debug.  I'll change it back and test as soon as I can.   Will send an update then.
Joseph HornseyPresident and JanitorCommented:
Cool.

Don't you just love inheriting someone else's stuff?  LOL