- Posts: 7
- Thank you received: 0
cisco ASA 5505 problem with IPSEC phase 1 (ISAKM)
13 years 11 months ago #36125
by eldo
cisco ASA 5505 problem with IPSEC phase 1 (ISAKM) was created by eldo
Hello fiends,
First problem:
I have problem with IPSEC phase 1 (ISAKM) on my cisco on
customer side B. Sometimes is not able to establish
phase 1 (ISAKMP) and I must do this steps to make it UP:
siteB(config)#no crypto map outside_map0 interface outside
siteB(config)#clear cryp isak sa
siteB(config)#crypto map outside_map0 interface outside
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
I must do this for several times! Then comes IPSEC full UP and
is working for unknown time.
I was tried to change crypting 3DES vs AES also not working.
Second problem:
i'm not able to ping from site A host 10.16.1.4 to site B eth0/1 IP 172.16.68.10 also when IPSEC is working correctly.
###########################################
Logs for site A:
siteA# sh crypto isakmp sa d
5 IKE Peer: 195.168.22.202
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2143677223 ###not correct lifetime###
###########################################
Logs from site B:
siteB# sh crypto isak sa d
2 IKE Peer: 212.89.236.2
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2147416781 ###not correct lifetime###
sh logg asdm
5|Jan 13 2011 14:22:33|713904: Group = 212.89.236.2, IP = 212.89.236.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
4|Jan 13 2011 14:22:33|713903: Group = 212.89.236.2, IP = 212.89.236.2, Information Exchange processing failed
3|Jan 13 2011 14:22:41|713902: Group = 212.89.236.2, IP = 212.89.236.2, Removing peer from peer table failed, no match!
4|Jan 13 2011 14:22:41|713903: Group = 212.89.236.2, IP = 212.89.236.2, Error: Unable to remove PeerTblEntry
###########################################
site A - 212.89.236.x - ASA5510
asa804-k8.bin
interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10
access-list ds_dmz_access_in extended permit icmp any any
access-list ds_dmz_nat0_outbound extended permit ip host 10.16.1.4 172.16.68.8 255.255.255.248
access-list wust14 extended permit icmp host 10.16.1.4 172.16.68.8 255.255.255.248
access-list wust14 extended permit udp host 10.16.1.4 172.16.68.8 255.255.255.248
global (outside) 1 interface
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound_1 outside
nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside
access-group ds_dmz_access_in in interface ds_dmz
route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 14 match address siteB
crypto map outside_map 14 set peer 195.168.22.x
crypto map outside_map 14 set transform-set ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime seconds 28800
crypto map outside_map 14 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value DefaultWEBVPNGroup
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group 195.168.22.x type ipsec-l2l
tunnel-group 195.168.22.x ipsec-attributes
pre-shared-key xxx
###########################################
site B - 195.168.22.x - ASA5505
asa821-k8.bin
NAT1:1 = 195.168.22.x : 172.16.68.2
interface Vlan1
nameif inside
security-level 100
ip address 172.16.68.10 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.68.2 255.255.255.248
access-list outside_cryptomap_1 extended permit icmp 172.16.68.8 255.255.255.248 host 10.16.1.4
access-list outside_cryptomap_1 extended permit udp 172.16.68.8 255.255.255.248 host 10.16.1.4
access-list nonat extended permit ip 172.16.68.8 255.255.255.248 10.16.0.0 255.255.0.0
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.68.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-AES-256-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercep
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key xxx
First problem:
I have problem with IPSEC phase 1 (ISAKM) on my cisco on
customer side B. Sometimes is not able to establish
phase 1 (ISAKMP) and I must do this steps to make it UP:
siteB(config)#no crypto map outside_map0 interface outside
siteB(config)#clear cryp isak sa
siteB(config)#crypto map outside_map0 interface outside
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
I must do this for several times! Then comes IPSEC full UP and
is working for unknown time.
I was tried to change crypting 3DES vs AES also not working.
Second problem:
i'm not able to ping from site A host 10.16.1.4 to site B eth0/1 IP 172.16.68.10 also when IPSEC is working correctly.
###########################################
Logs for site A:
siteA# sh crypto isakmp sa d
5 IKE Peer: 195.168.22.202
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2143677223 ###not correct lifetime###
###########################################
Logs from site B:
siteB# sh crypto isak sa d
2 IKE Peer: 212.89.236.2
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2147416781 ###not correct lifetime###
sh logg asdm
5|Jan 13 2011 14:22:33|713904: Group = 212.89.236.2, IP = 212.89.236.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
4|Jan 13 2011 14:22:33|713903: Group = 212.89.236.2, IP = 212.89.236.2, Information Exchange processing failed
3|Jan 13 2011 14:22:41|713902: Group = 212.89.236.2, IP = 212.89.236.2, Removing peer from peer table failed, no match!
4|Jan 13 2011 14:22:41|713903: Group = 212.89.236.2, IP = 212.89.236.2, Error: Unable to remove PeerTblEntry
###########################################
site A - 212.89.236.x - ASA5510
asa804-k8.bin
interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10
access-list ds_dmz_access_in extended permit icmp any any
access-list ds_dmz_nat0_outbound extended permit ip host 10.16.1.4 172.16.68.8 255.255.255.248
access-list wust14 extended permit icmp host 10.16.1.4 172.16.68.8 255.255.255.248
access-list wust14 extended permit udp host 10.16.1.4 172.16.68.8 255.255.255.248
global (outside) 1 interface
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound_1 outside
nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside
access-group ds_dmz_access_in in interface ds_dmz
route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 14 match address siteB
crypto map outside_map 14 set peer 195.168.22.x
crypto map outside_map 14 set transform-set ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime seconds 28800
crypto map outside_map 14 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value DefaultWEBVPNGroup
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group 195.168.22.x type ipsec-l2l
tunnel-group 195.168.22.x ipsec-attributes
pre-shared-key xxx
###########################################
site B - 195.168.22.x - ASA5505
asa821-k8.bin
NAT1:1 = 195.168.22.x : 172.16.68.2
interface Vlan1
nameif inside
security-level 100
ip address 172.16.68.10 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.68.2 255.255.255.248
access-list outside_cryptomap_1 extended permit icmp 172.16.68.8 255.255.255.248 host 10.16.1.4
access-list outside_cryptomap_1 extended permit udp 172.16.68.8 255.255.255.248 host 10.16.1.4
access-list nonat extended permit ip 172.16.68.8 255.255.255.248 10.16.0.0 255.255.0.0
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.68.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-AES-256-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercep
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key xxx
13 years 11 months ago #36126
by eldo
Replied by eldo on topic attachment
13 years 10 months ago #36179
by rizin
Known is a drop, unknown is an Ocean
Replied by rizin on topic Re: cisco ASA 5505 problem with IPSEC phase 1 (ISAKM)
Have you tried Debug Command to get the correct details, if possible post that errors.
Regards,
Rizin
Regards,
Rizin
Known is a drop, unknown is an Ocean
13 years 10 months ago #36235
by eldo
Replied by eldo on topic problem solved
hello, my problem solved to decrease lifetime in isakmp
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 300
thanks
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 300
thanks
Time to create page: 0.125 seconds