Skip to main content

cisco ASA 5505 problem with IPSEC phase 1 (ISAKM)

More
13 years 11 months ago #36125 by eldo
Hello fiends,

First problem:

I have problem with IPSEC phase 1 (ISAKM) on my cisco on
customer side B. Sometimes is not able to establish
phase 1 (ISAKMP) and I must do this steps to make it UP:
siteB(config)#no crypto map outside_map0 interface outside
siteB(config)#clear cryp isak sa
siteB(config)#crypto map outside_map0 interface outside

siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4
siteB# packet-tracer input inside icmp 172.16.68.11 0 0 10.16.1.4

I must do this for several times! Then comes IPSEC full UP and
is working for unknown time.

I was tried to change crypting 3DES vs AES also not working.

Second problem:

i'm not able to ping from site A host 10.16.1.4 to site B eth0/1 IP 172.16.68.10 also when IPSEC is working correctly.

###########################################
Logs for site A:

siteA# sh crypto isakmp sa d

5 IKE Peer: 195.168.22.202
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2143677223 ###not correct lifetime###

###########################################
Logs from site B:

siteB# sh crypto isak sa d

2 IKE Peer: 212.89.236.2
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 2147416781 ###not correct lifetime###


sh logg asdm
5|Jan 13 2011 14:22:33|713904: Group = 212.89.236.2, IP = 212.89.236.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
4|Jan 13 2011 14:22:33|713903: Group = 212.89.236.2, IP = 212.89.236.2, Information Exchange processing failed
3|Jan 13 2011 14:22:41|713902: Group = 212.89.236.2, IP = 212.89.236.2, Removing peer from peer table failed, no match!
4|Jan 13 2011 14:22:41|713903: Group = 212.89.236.2, IP = 212.89.236.2, Error: Unable to remove PeerTblEntry
###########################################

site A - 212.89.236.x - ASA5510
asa804-k8.bin

interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10

access-list ds_dmz_access_in extended permit icmp any any

access-list ds_dmz_nat0_outbound extended permit ip host 10.16.1.4 172.16.68.8 255.255.255.248

access-list wust14 extended permit icmp host 10.16.1.4 172.16.68.8 255.255.255.248
access-list wust14 extended permit udp host 10.16.1.4 172.16.68.8 255.255.255.248

global (outside) 1 interface

nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound_1 outside
nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside

access-group ds_dmz_access_in in interface ds_dmz

route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 14 match address siteB
crypto map outside_map 14 set peer 195.168.22.x
crypto map outside_map 14 set transform-set ESP-AES-256-SHA
crypto map outside_map 14 set security-association lifetime seconds 28800
crypto map outside_map 14 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value DefaultWEBVPNGroup

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3

tunnel-group 195.168.22.x type ipsec-l2l
tunnel-group 195.168.22.x ipsec-attributes
pre-shared-key xxx

###########################################
site B - 195.168.22.x - ASA5505
asa821-k8.bin

NAT1:1 = 195.168.22.x : 172.16.68.2

interface Vlan1
nameif inside
security-level 100
ip address 172.16.68.10 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.68.2 255.255.255.248

access-list outside_cryptomap_1 extended permit icmp 172.16.68.8 255.255.255.248 host 10.16.1.4
access-list outside_cryptomap_1 extended permit udp 172.16.68.8 255.255.255.248 host 10.16.1.4

access-list nonat extended permit ip 172.16.68.8 255.255.255.248 10.16.0.0 255.255.0.0

mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.68.1 1

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-AES-256-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside

crypto isakmp identity hostname
crypto isakmp enable outside

crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercep

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key xxx
More
13 years 11 months ago #36126 by eldo
Replied by eldo on topic attachment
hmm, i'm not seeing my attachment here;(
so
www.eldo.sk/problem.gif
More
13 years 10 months ago #36179 by rizin
Have you tried Debug Command to get the correct details, if possible post that errors.

Regards,

Rizin

Known is a drop, unknown is an Ocean
More
13 years 10 months ago #36235 by eldo
Replied by eldo on topic problem solved
hello, my problem solved to decrease lifetime in isakmp

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 300

thanks
Time to create page: 0.125 seconds