Cisco Site to Site VPN issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco Site to Site VPN issue

    Dear All,
    I have a problem with the LAN-to-LAN VPN tunnel.
    The VPN has been working fine for 9 months without any problems.
    Suddenly we got the problem!
    In the last two days we have faced the problem of the VPN going down.

    The first time the problem was in phase 2, but after that in phase 1; latest, no data packets are received to their side.

    We have not made any change to the configuration since the beginning.
    Mine is a Cisco ASA 5505 and their side is a Cisco ASA 5540.

    Below, first, the configuration from our side:
    =========================================
    access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.5
    access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.6
    access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.7
    access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.5
    access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.6
    access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.7

    crypto map rackmap 202 match address 202
    crypto map rackmap 202 set peer 12.12.12.1
    crypto map rackmap 202 set transform-set ESP-3DES-MD5
    crypto map rackmap 202 set security-association lifetime seconds 28800

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800

    tunnel-group 12.12.12.1 type ipsec-l2l
    tunnel-group 12.12.12.1 ipsec-attributes
    pre-shared-key *********
    =========================================
    And now the configuration for their side:
    =========================================
    crypto map outside_map 81 match address outside_81_cryptomap
    crypto map outside_map 81 set peer 11.11.11.1
    crypto map outside_map 81 set transform-set ESP-3DES-MD5
    crypto map outside_map 81 set security-association lifetime seconds 28800
    crypto map outside_map 81 set security-association lifetime kilobytes 4608000

    access-list outside_81_cryptomap extended permit ip object-group DM_INLINE_NETWORK_74 object-group DM_INLINE_NETWORK_75
    access-list DMZ5_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_74 object-group DM_INLINE_NETWORK_75

    object-group network DM_INLINE_NETWORK_74
    network-object host 10.1.1.5
    network-object host 10.1.1.6
    network-object host 10.1.1.7

    object-group network DM_INLINE_NETWORK_75
    network-object host 20.1.1.2
    network-object host 20.1.1.3

    tunnel-group 11.11.11.1 type ipsec-l2l
    tunnel-group 11.11.11.1 ipsec-attributes
    pre-shared-key *****

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 40
    authentication pre-share
    encryption des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    =========================================

    When trying to initiate the tunnel we got the error below:

    Feb 12 2012 07:24:54: %ASA-7-715065: IP = 12.12.12.1, IKE MM Initiator FSM error history (struct &0xc5516d8 <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Feb 12 2012 07:24:54: %ASA-7-713906: IP = 12.12.12.1, IKE SA MM:0ce19fb3 terminating: flags 0x01000022, refcnt 0, tuncnt 0
    Feb 12 2012 07:24:54: [IKEv1 DEBUG]: IP = 12.12.12.1, sending delete/delete with reason message

    We tried to re-create the tunnel from the beginning and restart the firewall, but every time we got the above error.

    Please advise and help me ASAP.

    Best Regards
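    As an added worked example (not posted by anyone in this thread), the two checks that follow from the configs and the log above, done in Python: parse both sides' `crypto isakmp policy` blocks and list which proposals actually match, and classify the `%ASA-7-715065` main-mode FSM history by the message the initiator was still waiting for. The policy and log excerpts are constructed from the thread, and the stage hints are general IKEv1 troubleshooting interpretation, not ASA output.

```python
import re
# Constructed excerpts of the ISAKMP policies quoted in the thread (both sides), not the full configs.
OUR_SIDE = ("crypto isakmp policy 10\nauthentication pre-share\nencryption 3des\nhash md5\ngroup 2\nlifetime 86400\n"
            "crypto isakmp policy 20\nauthentication pre-share\nencryption 3des\nhash sha\ngroup 2\nlifetime 86400\n"
            "crypto isakmp policy 30\nauthentication pre-share\nencryption 3des\nhash md5\ngroup 2\nlifetime 28800\n")
THEIR_SIDE = ("crypto isakmp policy 10\nauthentication pre-share\nencryption 3des\nhash md5\ngroup 2\nlifetime 86400\n"
              "crypto isakmp policy 20\nauthentication pre-share\nencryption des\nhash sha\ngroup 1\nlifetime 86400\n"
              "crypto isakmp policy 50\nauthentication pre-share\nencryption 3des\nhash sha\ngroup 2\nlifetime 86400\n")
# The %ASA-7-715065 line from the thread, shortened to the FSM history prefix that matters.
LOG_LINE = ("Feb 12 2012 07:24:54: %ASA-7-715065: IP = 12.12.12.1, IKE MM Initiator FSM error history "
            "(struct &0xc5516d8 <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT")

def parse_isakmp_policies(cfg):
    """Map each 'crypto isakmp policy N' block to its attribute dict."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies

def matching_proposals(ours, theirs):
    """(our priority, their priority) pairs whose auth/encryption/hash/group agree.
    Lifetime is deliberately ignored: the peers negotiate down to the shorter value."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(a, b) for a, pa in ours.items() for b, pb in theirs.items()
            if all(pa.get(k) == pb.get(k) for k in keys)]

# Which main-mode message the initiator was still waiting for when the SA was torn down (interpretation).
STAGE_HINT = {
    "MM_WAIT_MSG2": "no answer to MM1: peer unreachable, UDP/500 filtered, or peer has no matching crypto map/tunnel-group",
    "MM_WAIT_MSG4": "proposal accepted (MM2 seen) but no reply to the key exchange in MM3",
    "MM_WAIT_MSG6": "key exchange done but no MM6: typically pre-shared key or peer identity mismatch",
}

def ike_mm_failure_stage(log_line):
    """Return (stage, hint) for an %ASA-7-715065 initiator FSM history, or None if it is not one."""
    m = re.search(r"IKE MM Initiator FSM error history.*?MM_DONE, EV_ERROR-->(MM_WAIT_MSG\d)", log_line)
    if not m:
        return None
    stage = m.group(1)
    return stage, STAGE_HINT.get(stage, "failed later in main mode; read the full debug crypto isakmp output")

if __name__ == "__main__":
    print(matching_proposals(parse_isakmp_policies(OUR_SIDE), parse_isakmp_policies(THEIR_SIDE)), ike_mm_failure_stage(LOG_LINE))
```

    For the thread's log the result is MM_WAIT_MSG2, i.e. the 5505 never got a reply to its first packet, which is what the later packet capture in this thread also shows; the policy match shows the phase-1 proposals themselves are fine.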

  • #2
    Re: Cisco Site to Site VPN issue

    Have you tried:

    debug crypto isakmp

    If you're doing this from a telnet session, make sure you enable terminal monitor.

    Also, this will produce a lot of output, and it may be better to send it to a syslog server or at least log to the buffer.

    Were any changes made on either end regarding your isakmp policy? Any IP addressing that has changed?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: Cisco Site to Site VPN issue

      Nothing changed from either side.

      Running the packet capture confirms we're sending UDP 500 but not receiving anything from 12.12.12.1.


      BR

      • #4
        Re: Cisco Site to Site VPN issue

        I didn't see a default route in your configs. Also look at the debug: if it is failing on Phase 1 negotiation, the debug will tell you why.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)