[c-nsp] asa ipsec problem

Sergey Alexanov salexanov at gmail.com
Thu Jun 5 03:32:43 EDT 2008


Thanks to all for your attention.
The problem was quite trivial.
The cause is that a device with a dynamic crypto map cannot be the initiator of a
VPN session.



2008/6/5 Luan Nguyen <luan.m.nguyen at gmail.com>:

> I have 7.2.2 and using your config along with
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml
> everything is working fine for me.
>
> -lmn
>
> P.S. It's nice to see Peter venture down CPE lane :)
>
>
> On Tue, Jun 3, 2008 at 6:49 AM, Sergey Alexanov <salexanov at gmail.com>
> wrote:
>
>> 2008/6/3 Peter Rathlev <peter at rathlev.dk>:
>>
>> > Hi Sergey,
>> >
>> > On Mon, 2008-06-02 at 14:45 +0300, Sergey Alexanov wrote:
>> > <snip>
>> > > When I ping from ISR to ASA everything is ok:
>> > >
>> > > ISR# ping ip 192.168.56.1 source 192.168.55.55
>> > <snip>
>> > > But vice versa the IPsec tunnel is not established:
>> > >
>> > > ASA# clear isa sa
>> > >
>> > > PC host# ping -c 2 192.168.55.55
>> > > PING 192.168.55.55 (192.168.55.55) 56(84) bytes of data.
>> > >
>> > > --- 192.168.55.55 ping statistics ---
>> > > 2 packets transmitted, 0 received, 100% packet loss, time 1010ms
>> > >
>> > > and on the ASA I have seen the following debug messages:
>> > >
>> > > Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
>> > > Jun 02 03:18:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
>> > > Jun 02 03:18:16 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
>> > > Jun 02 03:18:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
>> > >
>> > > Can anybody help me with this problem?
>> >
>> > How does your crypto configuration look? Do you have the relevant
>> > "match" expression, allowing from 192.168.56.0/24 to 192.168.55.0/24?
>> > CCO says it could be timing related, but you see this all the time,
>> > right?
>>
>>
>> I haven't seen that this issue is timing related.
>>
>> The crypto config of devices is below:
>>
>> ISR# sh run
>> Current configuration : 4833 bytes
>> !
>> version 12.4
>> <snip>
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key KEY1 address x.x.x.56
>> !
>> !
>> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
>> !
>> crypto map VPN_MAP1 1 ipsec-isakmp
>>  set peer x.x.x.56
>>  set transform-set ESP-AES-MD5
>>  match address NET-192-168
>> !
>> !
>> interface Loopback55
>>  ip address 192.168.55.55 255.255.255.0
>> !
>> interface FastEthernet0
>>  description External->ASA
>>  ip address x.x.x.55 255.255.255.192
>>  speed 100
>>  full-duplex
>>  crypto map VPN_MAP1
>> <snip>
>> ip access-list extended NET-192-168
>>  permit ip 192.168.55.0 0.0.0.255 192.168.56.0 0.0.0.255
>> <snip>
>> end
>>
>> ASA# sh run cry
>> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
>> crypto ipsec security-association lifetime seconds 28800
>> crypto ipsec security-association lifetime kilobytes 4608000
>> crypto dynamic-map DYN-VPN-MAP1 1 match address NET-192-168
>> crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
>> crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
>> crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
>> crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
>> crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
>> crypto map VPN-MAP1 interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption 3des
>> isakmp policy 1 hash md5
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 86400
>>
>> ASA# sh run tunnel-group
>> tunnel-group x.x.x.55 type ipsec-l2l
>> tunnel-group x.x.x.55 ipsec-attributes
>>  pre-shared-key *
>>
>> ASA# sh run access-list NET-192-168
>> access-list NET-192-168 extended permit ip 192.168.56.0 255.255.255.0 192.168.55.0 255.255.255.0
>>
>>
>> I have tried both versions of the ASA software, 7 and 8, and the issue is the same.
>>
>> >
>> >
>> > The error is ASA-3-713042, documented here:
>> >
>> >
>> http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html
>>
>> Yes, I had already seen this interpretation of the system log message, but
>> it's not useful.
>>
>>
>> > > Thanks.
>> > > _______________________________________________
>> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> >
>>
>
>
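The resolution above (an ASA crypto map whose only entry is dynamic can answer IKE but never initiate it, hence "IKE Initiator unable to find policy") lends itself to a quick config lint. The following Python is an added example, not from the thread or from Cisco: it parses the `crypto map` lines of an ASA 7.x/8.x style config, flags maps with no static entry, incomplete static entries, and static entries ordered after a dynamic one, and shows the constructed config from the thread beside a constructed static-entry remedy.

```python
import re

# Constructed ASA config fragment modelled on the thread (peer anonymised as x.x.x.55).
ASA_CONFIG = """\
crypto dynamic-map DYN-VPN-MAP1 1 match address NET-192-168
crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
"""

# Example remedy (constructed, not from the thread): a static entry for the known
# peer, with the dynamic entry moved to the highest sequence so it is tried last.
FIXED_CONFIG = """\
crypto map VPN-MAP1 1 match address NET-192-168
crypto map VPN-MAP1 1 set peer x.x.x.55
crypto map VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto map VPN-MAP1 65535 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
"""

DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")


def parse_crypto_maps(config):
    """Return {map_name: {seq: {attribute: value}}}; dynamic entries carry a 'dynamic' key."""
    maps = {}
    for line in config.splitlines():
        line = line.strip()
        if m := DYNAMIC_RE.match(line):
            maps.setdefault(m[1], {}).setdefault(int(m[2]), {})["dynamic"] = m[3]
        elif m := STATIC_RE.match(line):
            maps.setdefault(m[1], {}).setdefault(int(m[2]), {})[m[3]] = m[4]
    return maps


def initiator_findings(config):
    """List crypto maps (or entries) that cannot initiate IKE to a peer."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        static = sorted(s for s, e in entries.items() if "dynamic" not in e)
        dynamic = [s for s, e in entries.items() if "dynamic" in e]
        if not static:  # the situation in the thread: responder-only crypto map
            findings.append(f"{name}: only dynamic entries; ASA can answer but never initiate")
            continue
        for seq in static:
            missing = [k for k in ("match address", "set peer", "set transform-set") if k not in entries[seq]]
            if missing:
                findings.append(f"{name} seq {seq}: static entry missing {', '.join(missing)}")
            if any(d < seq for d in dynamic):
                findings.append(f"{name} seq {seq}: static entry after a dynamic entry; give dynamic entries the highest sequence")
    return findings
```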

