[c-nsp] asa ipsec problem

Sergey Alexanov salexanov at gmail.com
Tue Jun 3 06:49:08 EDT 2008


2008/6/3 Peter Rathlev <peter at rathlev.dk>:

> Hi Sergey,
>
> On Mon, 2008-06-02 at 14:45 +0300, Sergey Alexanov wrote:
> <snip>
> > When I ping from ISR to ASA everything is ok:
> >
> > ISR# ping ip 192.168.56.1 source 192.168.55.55
> <snip>
> > But vice versa the ipsec tunnel is not established:
> >
> > ASA# clear isa sa
> >
> > PC host# ping -c 2 192.168.55.55
> > PING 192.168.55.55 (192.168.55.55) 56(84) bytes of data.
> >
> > --- 192.168.55.55 ping statistics ---
> > 2 packets transmitted, 0 received, 100% packet loss, time 1010ms
> >
> > and on the ASA I have seen follow debug messages:
> >
> > Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
> > Jun 02 03:18:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> > Jun 02 03:18:16 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
> > Jun 02 03:18:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> >
> > Can anybody help me with this problem?
>
> How does your crypto configuration look? Do you have the relevant
> "match" expression, allowing from 192.168.56.0/24 to 192.168.55.0/24?
> CCO says it could be timing related, but you see this all the time,
> right?


I haven't seen any sign that this issue is timing related.

The crypto config of devices is below:

ISR# sh run
Current configuration : 4833 bytes
!
version 12.4
<snip>
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY1 address x.x.x.56
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map VPN_MAP1 1 ipsec-isakmp
 set peer x.x.x.56
 set transform-set ESP-AES-MD5
 match address NET-192-168
!
!
interface Loopback55
 ip address 192.168.55.55 255.255.255.0
!
interface FastEthernet0
 description External->ASA
 ip address x.x.x.55 255.255.255.192
 speed 100
 full-duplex
 crypto map VPN_MAP1
<snip>
ip access-list extended NET-192-168
 permit ip 192.168.55.0 0.0.0.255 192.168.56.0 0.0.0.255
<snip>
end

ASA# sh run cry
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 match address NET-192-168
crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

ASA# sh run tunnel-group
tunnel-group x.x.x.55 type ipsec-l2l
tunnel-group x.x.x.55 ipsec-attributes
 pre-shared-key *

ASA# sh run access-list NET-192-168
access-list NET-192-168 extended permit ip 192.168.56.0 255.255.255.0 192.168.55.0 255.255.255.0


I have tried both ASA software versions 7 and 8; the issue is the same.

>
>
> The error is ASA-3-713042, documented here:
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html

Yes, I had already seen this interpretation of the system log message, but it's
not useful.


>
> > Thanks.
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
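Peter's question about the "match" expression comes down to whether the crypto ACLs on the two peers are exact mirror images of each other, which is easy to get wrong because IOS writes wildcard masks while the ASA writes subnet masks. The script below is an added example, not part of this thread or of either device's output: it parses the two ACLs posted above (embedded here as sample input), normalises both notations into networks, and reports any entry whose mirror is missing on the other side. The function and variable names (`parse_acl`, `mirror_check`, `ISR_ACL`, `ASA_ACL`) are this example's own. It also handles the `host`/`any` keywords and the all-zero wildcard, which the standard library would otherwise read as a /0 netmask rather than a /32 host.

```python
import ipaddress

# Crypto ACLs as posted in the thread (ISR: wildcard masks, ASA: subnet masks).
ISR_ACL = """
ip access-list extended NET-192-168
 permit ip 192.168.55.0 0.0.0.255 192.168.56.0 0.0.0.255
"""

ASA_ACL = """
access-list NET-192-168 extended permit ip 192.168.56.0 255.255.255.0 192.168.55.0 255.255.255.0
"""


def _take_address(tokens, mask_style):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if mask_style == "wildcard":
        # IOS wildcard: 0 bits must match, so invert to get the netmask.
        # Done by hand because ipaddress reads "0.0.0.0" as a /0 netmask, not a host.
        wc = int(ipaddress.IPv4Address(mask))
        netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    else:
        netmask = ipaddress.IPv4Address(mask)
    # A non-contiguous mask makes ip_network raise ValueError, which is the right outcome:
    # such an entry cannot describe an IPsec proxy identity.
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text, style):
    """Return [(src_net, dst_net), ...] for every 'permit ip' entry.

    style is 'ios' (wildcard masks) or 'asa' (subnet masks). Other protocols
    are skipped; crypto ACLs for a LAN-to-LAN tunnel are normally 'permit ip'.
    """
    mask_style = "wildcard" if style == "ios" else "netmask"
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if len(tokens) < i + 4 or tokens[i + 1] != "ip":
            continue
        rest = tokens[i + 2:]
        src, rest = _take_address(rest, mask_style)
        dst, rest = _take_address(rest, mask_style)
        pairs.append((src, dst))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Each local (src, dst) must appear on the remote peer as (dst, src).

    Returns (missing_on_remote, extra_on_remote); both empty means the ACLs mirror.
    """
    expected = {(dst, src) for src, dst in local_pairs}
    actual = set(remote_pairs)
    return sorted(expected - actual, key=str), sorted(actual - expected, key=str)


def check_thread_config():
    """Run the mirror check over the two ACLs from the thread."""
    isr = parse_acl(ISR_ACL, "ios")
    asa = parse_acl(ASA_ACL, "asa")
    return mirror_check(isr, asa)


if __name__ == "__main__":
    missing, extra = check_thread_config()
    if not missing and not extra:
        print("crypto ACLs are mirror images")
    for src, dst in missing:
        print(f"ASA is missing: permit ip {src} {dst}")
    for src, dst in extra:
        print(f"ASA has an entry with no ISR mirror: permit ip {src} {dst}")
```

For the configuration in this thread the check passes: 192.168.55.0/24 -> 192.168.56.0/24 on the ISR is mirrored by 192.168.56.0/24 -> 192.168.55.0/24 on the ASA, so the proxy identities themselves are not the problem. The check only covers the ACLs, though; it says nothing about whether the crypto map that references the ACL is able to initiate. On the ASA the ACL above is referenced from a dynamic crypto map entry, and a dynamic entry can only respond to a peer's IKE negotiation, not start one, so mirrored ACLs alone do not guarantee that traffic entering from the ASA side will bring the tunnel up.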

