[c-nsp] ASA IPSec weirdness

Ryan West rwest at zyedge.com
Wed Nov 18 07:04:02 EST 2009


Jan,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jan Gregor
Sent: Wednesday, November 18, 2009 5:28 AM

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls.

The problem is that when the remote site initiates the connection, the ASA
negotiates the association as though it were a VPN Client (ipsec-ra is
also configured on the same firewall).
Non-working association (ASA is responder):
    Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
    ...
    inbound esp sas:
      spi: 0xCD25D187 (3441807751)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (ASA is initiator):
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
    ...
    inbound esp sas:
      spi: 0xF9214935 (4179708213)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

----------------

Are you sure they are landing on your tunnel with the right address? The fact that it's hitting your dyn map makes me think they are coming from another address. Do you have control of the remote end? Do you know what type of device it is? Can you enable some isakmp debugs to capture more traffic? As the responder, you'll be able to gather the most useful debug; you should be able to figure out what's going on with a debug cry isa 255.

-ryan
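The check Ryan asks for ("are they landing on your tunnel with the right address?") can be done mechanically from two show outputs. The script below is an added example, not code from the original thread or from Cisco: it parses the crypto map lines of the running config and the "Crypto map tag" / "current_peer" / "in use settings" blocks of show crypto ipsec sa, then flags any L2L SA that landed on a dynamic crypto map even though its peer is configured as a static peer (Jan's symptom, SA conn_id 2709), and any L2L SA on the dynamic map whose peer is configured nowhere (the "coming from another address" case). The config and show output embedded in it are constructed for the example: x.x.x.x and a.a.a.a follow the post, b.b.b.b and c.c.c.c are placeholders added here, and the current_peer lines are assumed to be present as they are in full ASA output, although the post's excerpt elides them.

```python
"""Cross-check ASA IPsec SAs against the crypto map configuration (added
example, not code from the original post). Given the crypto map config and
`show crypto ipsec sa` text, flag L2L SAs that landed on a dynamic crypto map
although the peer is a configured static peer, and L2L SAs from peers that
are configured nowhere. Inputs are constructed; b.b.b.b / c.c.c.c are
placeholders added here, x.x.x.x / a.a.a.a follow the post.
"""
import re

# Constructed config fragment (the post's lines plus a second static peer).
CONFIG = """\
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer b.b.b.b
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap
"""

# Constructed `show crypto ipsec sa` excerpt: SA 1 is the symptom from the post
# (static peer a.a.a.a landed on VPNClientMap), SA 2 is the healthy one, SA 3
# comes from an address that appears nowhere in the configuration.
SHOW_SA = """\
    Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
      current_peer: a.a.a.a
    inbound esp sas:
      spi: 0xCD25D187 (3441807751)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2709, crypto-map: VPNClientMap
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
      current_peer: a.a.a.a
    inbound esp sas:
      spi: 0xF9214935 (4179708213)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2710, crypto-map: outside_map
    Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
      current_peer: c.c.c.c
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2711, crypto-map: VPNClientMap
"""


def parse_crypto_maps(config):
    """Return ({static peer: (map name, seq)}, {dynamic map names})."""
    static_peers, dynamic_maps = {}, set()
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) set peer (.+)$", line)
        if m:  # `set peer` may list several backup peers on one line
            for peer in m.group(3).split():
                static_peers[peer] = (m.group(1), int(m.group(2)))
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", line)
        if m:
            dynamic_maps.add(m.group(1))
    return static_peers, dynamic_maps


def parse_sas(show_output):
    """Return one dict per 'Crypto map tag:' block of `show crypto ipsec sa`."""
    sas, cur = [], None
    for line in show_output.splitlines():
        m = re.match(r"\s*Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local": m.group(3),
                   "peer": None, "settings": [], "spis": []}
            sas.append(cur)
        elif cur is not None:
            if m := re.match(r"\s*current_peer: (\S+)", line):
                cur["peer"] = m.group(1)
            elif m := re.match(r"\s*in use settings =\{(.*)\}", line):
                cur["settings"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
            elif m := re.match(r"\s*spi: (0x[0-9A-Fa-f]+)", line):
                cur["spis"].append(m.group(1))
    return sas


def check_sas(config, show_output):
    """Flag L2L SAs on a dynamic map whose peer the config treats differently."""
    static_peers, dynamic_maps = parse_crypto_maps(config)
    findings = []
    for sa in parse_sas(show_output):
        if sa["map"] not in dynamic_maps or "L2L" not in sa["settings"]:
            continue  # static-map SAs and remote-access SAs are expected there
        if sa["peer"] in static_peers:
            smap, sseq = static_peers[sa["peer"]]
            findings.append({"kind": "static-peer-on-dynamic-map", "peer": sa["peer"],
                             "map": sa["map"], "expected": f"{smap} seq {sseq}"})
        else:
            findings.append({"kind": "unknown-peer", "peer": sa["peer"],
                             "map": sa["map"], "expected": None})
    return findings


if __name__ == "__main__":
    for f in check_sas(CONFIG, SHOW_SA):
        print(f"{f['kind']}: peer {f['peer']} on {f['map']}, expected {f['expected']}")
```

On the constructed input this reports a.a.a.a as a static peer that ended up on VPNClientMap (expected outside_map seq 1) and c.c.c.c as an unknown peer. In practice, paste the real show outputs into CONFIG and SHOW_SA, or read them from files; a "static-peer-on-dynamic-map" finding means the peer address did match, so the next thing to compare is what the remote side proposes as proxy identities against the crypto ACL of that static entry, which is exactly what the isakmp debug Ryan suggests will show. An "unknown-peer" finding means the remote end is sourcing IKE from an address the static map does not know about.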

