[c-nsp] asa ipsec problem

Luan Nguyen luan.m.nguyen at gmail.com
Wed Jun 4 17:03:00 EDT 2008


I have 7.2.2 and using your config along with
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml
everything is working fine for me.

-lmn

P.S. It's nice to see Peter venture down CPE lane :)


On Tue, Jun 3, 2008 at 6:49 AM, Sergey Alexanov <salexanov at gmail.com> wrote:

> 2008/6/3 Peter Rathlev <peter at rathlev.dk>:
>
> > Hi Sergey,
> >
> > On Mon, 2008-06-02 at 14:45 +0300, Sergey Alexanov wrote:
> > <snip>
> > > When I ping from ISR to ASA everything is ok:
> > >
> > > ISR# ping ip 192.168.56.1 source 192.168.55.55
> > <snip>
> > > But vice versa the ipsec tunnel is not established:
> > >
> > > ASA# clear isa sa
> > >
> > > PC host# ping -c 2 192.168.55.55
> > > PING 192.168.55.55 (192.168.55.55) 56(84) bytes of data.
> > >
> > > --- 192.168.55.55 ping statistics ---
> > > 2 packets transmitted, 0 received, 100% packet loss, time 1010ms
> > >
> > > and on the ASA I have seen follow debug messages:
> > >
> > > Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
> > > Jun 02 03:18:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> > > Jun 02 03:18:16 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
> > > Jun 02 03:18:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> > >
> > > Can anybody help me with this problem?
> >
> > How does your crypto configuration look? Do you have the relevant
> > "match" expression, allowing from 192.168.56.0/24 to 192.168.55.0/24?
> > CCO says it could be timing related, but you see this all the time,
> > right?
>
>
> I haven't seen that this issue is timing related.
>
> The crypto config of devices is below:
>
> ISR# sh run
> Current configuration : 4833 bytes
> !
> version 12.4
> <snip>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key KEY1 address x.x.x.56
> !
> !
> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
> !
> crypto map VPN_MAP1 1 ipsec-isakmp
>  set peer x.x.x.56
>  set transform-set ESP-AES-MD5
>  match address NET-192-168
> !
> !
> interface Loopback55
>  ip address 192.168.55.55 255.255.255.0
> !
> interface FastEthernet0
>  description External->ASA
>  ip address x.x.x.55 255.255.255.192
>  speed 100
>  full-duplex
>  crypto map VPN_MAP1
> <snip>
> ip access-list extended NET-192-168
>  permit ip 192.168.55.0 0.0.0.255 192.168.56.0 0.0.0.255
> <snip>
> end
>
> ASA# sh run cry
> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto dynamic-map DYN-VPN-MAP1 1 match address NET-192-168
> crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
> crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
> crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
> crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
> crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
> crypto map VPN-MAP1 interface outside
> isakmp enable outside
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 86400
>
> ASA# sh run tunnel-group
> tunnel-group x.x.x.55 type ipsec-l2l
> tunnel-group x.x.x.55 ipsec-attributes
>  pre-shared-key *
>
> ASA# sh run access-list NET-192-168
> access-list NET-192-168 extended permit ip 192.168.56.0 255.255.255.0 192.168.55.0 255.255.255.0
>
>
> I have tried both versions 7 and 8 of the ASA software; the issue is the same.
>
> >
> >
> > The error is ASA-3-713042, documented here:
> >
> >
> http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html
>
> Yes, I had already seen this interpretation of the system log message, but it's
> not useful.
>
>
> > > Thanks.
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >

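As an added example (not code from the thread or from Cisco), the check below parses constructed excerpts of the two configs quoted above and reports the usual reasons an ASA answers IKE from the ISR side but never initiates itself: unmirrored crypto ACLs, differing Phase 1 or Phase 2 proposals, and a crypto map whose only entry is dynamic, which the ASA uses to respond to peers but not to initiate. Function names and the config excerpts are assumptions made for the example.

```python
import ipaddress
import re

# Constructed excerpts of the two configs quoted in the thread (not live devices).
ISR_CFG = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
ip access-list extended NET-192-168
 permit ip 192.168.55.0 0.0.0.255 192.168.56.0 0.0.0.255"""
ASA_CFG = """crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DYN-VPN-MAP1 1 match address NET-192-168
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
access-list NET-192-168 extended permit ip 192.168.56.0 255.255.255.0 192.168.55.0 255.255.255.0"""

def acl_networks(cfg):
    """(src, dst) of the first 'permit ip' line; ipaddress reads IOS wildcard and ASA subnet masks alike."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")

def transform_set(cfg):
    """Set of ESP transforms named in the first transform-set definition."""
    return set(re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)[1].split())

def isakmp_proposal(cfg):
    """Phase 1 parameters, normalising the IOS 'encr' keyword against ASA 'encryption'."""
    keys = [("encr", "encr(?:yption)?"), ("hash", "hash"), ("auth", "authentication"), ("group", "group")]
    return {k: re.search(rf"\b{pat} (\S+)", cfg)[1] for k, pat in keys}

def asa_can_initiate(cfg):
    """True only if the ASA crypto map has a static (non-dynamic) ipsec-isakmp entry."""
    return any("dynamic" not in ln for ln in re.findall(r"crypto map \S+ \d+ ipsec-isakmp.*", cfg))

def check(isr, asa):
    """Return human-readable mismatches between the two sides; an empty list means consistent."""
    findings = []
    if acl_networks(isr) != acl_networks(asa)[::-1]:
        findings.append("crypto ACLs are not mirror images")
    if transform_set(isr) != transform_set(asa):
        findings.append("transform sets differ")
    if isakmp_proposal(isr) != isakmp_proposal(asa):
        findings.append("ISAKMP policies differ")
    if not asa_can_initiate(asa):
        findings.append("ASA has only a dynamic crypto map entry: it can answer IKE but not initiate")
    return findings
```

Run against the quoted excerpts, `check(ISR_CFG, ASA_CFG)` reports only the dynamic-map finding, which matches the symptom of a tunnel that comes up when the ISR initiates but not when the ASA must.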
