[c-nsp] ASA IPSec weirdness

Jan Gregor jan.gregor at chronix.org
Wed Nov 18 05:28:14 EST 2009


Hello all,

recently I ran into an issue with an L2L IPSec tunnel on one of our ASA firewalls.

The problem is that when the remote site initiates the connection, the ASA
negotiates the association as though it were a VPN client (ipsec-ra is
also configured on the same firewall).
Non-working association (ASA is responder):
    Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
    ...
    inbound esp sas:
      spi: 0xCD25D187 (3441807751)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (ASA is initiator):
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
    ...
    inbound esp sas:
      spi: 0xF9214935 (4179708213)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

I have tried everything that I could think of - disabling xauth (which I
think is the default on the ASA), upgrading the ASA software, ... Nothing
worked, and disabling the VPN clients is not an option for me :/ .
Has anyone stumbled across something similar in the past and been able to
fix it? Thanks for any pointers.


Best regards,

Jan Gregor
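As an added check (not part of the original post), the script below parses "crypto dynamic-map" declarations from the ASA configuration together with "show crypto ipsec sa" output, and flags any SA that negotiated L2L settings but was bound to a dynamic (VPN-client) crypto map, which is exactly the symptom of the non-working association above. The sample configuration and SA output are constructed from the excerpts in the post, with the placeholder addresses kept.

```python
"""Flag IPsec SAs that negotiated L2L settings but were bound to a dynamic crypto map."""
import re

# Constructed sample, modelled on the config and 'show crypto ipsec sa' output
# quoted in the post (placeholder addresses kept as in the post).
ASA_CONFIG = """\
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap
"""

SHOW_SA = """\
    Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
    inbound esp sas:
      spi: 0xCD25D187 (3441807751)
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2709, crypto-map: VPNClientMap
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
    inbound esp sas:
      spi: 0xF9214935 (4179708213)
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2710, crypto-map: outside_map
"""


def dynamic_map_names(config):
    """Names declared with 'crypto dynamic-map NAME ...' (remote-access maps)."""
    return set(re.findall(r"^crypto dynamic-map (\S+)", config, re.M))


def parse_sas(show_output):
    """One dict per SA: spi, the 'in use settings' flags, and the crypto map it was bound to."""
    sas = []
    for line in (l.strip() for l in show_output.splitlines()):
        if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sas.append({"spi": m.group(1), "settings": set(), "map": None})
        elif sas and (m := re.match(r"in use settings\s*=\{(.*)\}", line)):
            sas[-1]["settings"] = {s.strip() for s in m.group(1).split(",") if s.strip()}
        elif sas and (m := re.search(r"crypto-map: (\S+)", line)):
            sas[-1]["map"] = m.group(1)
    return sas


def misbound_l2l_sas(config, show_output):
    """SPIs whose settings say L2L but whose SA sits on a dynamic (VPN-client) map."""
    dyn = dynamic_map_names(config)
    return [sa["spi"] for sa in parse_sas(show_output)
            if "L2L" in sa["settings"] and sa["map"] in dyn]
```

Running misbound_l2l_sas on the sample returns the SPI of the responder-side SA that landed on VPNClientMap, so the same check can be run against a live "show crypto ipsec sa" capture after each tunnel re-key.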

