[c-nsp] ASA IPSec weirdness

Jan Gregor jan.gregor at chronix.org
Thu Nov 19 09:44:26 EST 2009


Hello,


Ryan West wrote:
> Jan,
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jan Gregor
> Sent: Wednesday, November 18, 2009 5:28 AM
> 
> Hello all,
> 
> recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls.
> 
> The problem is that when the remote site initiates the connection, the ASA
> negotiates the association as though it is a VPN Client (ipsec-ra is
> also configured on the same firewall).
> Not working association (asa is responder):
>     Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
>     ...
>     inbound esp sas:
>       spi: 0xCD25D187 (3441807751)
>          transform: esp-3des esp-sha-hmac none
>          in use settings ={L2L, Tunnel, }
>          slot: 0, conn_id: 2709, crypto-map: VPNClientMap
> 
> Working association (asa is initiator):
>     Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
>     ...
>     inbound esp sas:
>       spi: 0xF9214935 (4179708213)
>          transform: esp-3des esp-sha-hmac none
>          in use settings ={L2L, Tunnel, }
>          slot: 0, conn_id: 2710, crypto-map: outside_map
> 
> ASA configuration looks like this:
> crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
> crypto dynamic-map VPNClientMap 1 set reverse-route
> crypto map outside_map 1 match address outside_1_cryptomap
> crypto map outside_map 1 set peer a.a.a.a
> crypto map outside_map 1 set transform-set ESP-3DES-SHA
> crypto map outside_map 1 set security-association lifetime seconds 3600
> crypto map outside_map 2 match address outside_2_cryptomap
> crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap
> 
> ----------------
> 
> Are you sure they are landing on your tunnel with the right address?  The fact that it's hitting your dyn map makes me think they are coming from another address.  Do you have control of the remote end, do you know what type of device it is?  Can you enable some isakmp debugs to capture more traffic?  As the responder, you'll be able to gather the most useful debug; you should be able to figure out what's going on with a debug cry isa 255.
> 
> -ryan

You got it almost right. The problem was that the remote endpoint tried to
establish the VPN with a different local proxy, unknown to the ASA. This
caused a mismatch in all crypto map instances and it fell into the VPN Client
map. Since both phase 1 and phase 2 policies were the same for both the L2L VPN
and the VPN Clients, the association established "ok", which pretty effectively
disabled any further IPSec associations to the same peer :).
Since the ASA is doing VPN connections to multiple sites, it was quite
some reading through debug logs, but "debug crypto isakmp 255" really
did the trick.
Many thanks.

Best regards,

Jan Gregor
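A small model of the crypto map fall-through described in this thread, added here as an example; it is not code from the original post or from Cisco. Peer b.b.b.b, the ACL networks and the proxy-matching rule (proposal must fit inside the crypto ACL) are constructed stand-ins, and the audit() check shows how a known L2L peer landing on the dynamic map can be flagged rather than silently accepted.

```python
"""Model of how an ASA picks a crypto map entry for an incoming (responder-side)
IPsec proposal. Entries are tried in sequence-number order: a static entry needs
a peer match plus a proxy-identity match against its crypto ACL, while the
dynamic entry attached at seq 65535 accepts any peer with any proxies, so a proxy
mismatch from a known L2L peer falls through to VPNClientMap and the SA still
comes up "ok" when the phase 1/2 policies are identical."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

@dataclass
class MapEntry:
    name: str
    seq: int
    peer: Optional[str] = None                  # None for the dynamic entry
    acl: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)
    dynamic: Optional[str] = None               # name of the attached dynamic map

    def tag(self) -> str:
        """The 'Crypto map tag' that 'show crypto ipsec sa' reports."""
        return self.dynamic or self.name

# Constructed stand-ins for outside_1_cryptomap / outside_2_cryptomap: (local, remote).
OUTSIDE_1 = [(ip_network("10.1.0.0/24"), ip_network("192.168.50.0/24"))]
OUTSIDE_2 = [(ip_network("10.1.0.0/24"), ip_network("172.16.7.0/24"))]

CRYPTO_MAP = [                                  # order as in the thread's config
    MapEntry("outside_map", 1, peer="a.a.a.a", acl=OUTSIDE_1),
    MapEntry("outside_map", 2, peer="b.b.b.b", acl=OUTSIDE_2),   # b.b.b.b is assumed
    MapEntry("outside_map", 65535, dynamic="VPNClientMap"),
]

def select_entry(peer: str, local: str, remote: str) -> MapEntry:
    """Return the first entry the proposal matches, in sequence-number order."""
    l, r = ip_network(local), ip_network(remote)
    for e in sorted(CRYPTO_MAP, key=lambda e: e.seq):
        if e.dynamic:
            return e                            # catch-all: any peer, any proxies
        if e.peer == peer and any(l.subnet_of(a) and r.subnet_of(b) for a, b in e.acl):
            return e
    raise LookupError("no crypto map entry matched")

def audit(peer: str, local: str, remote: str) -> Tuple[str, bool]:
    """Return (crypto map tag, suspicious): suspicious when a peer that owns a
    static L2L entry lands on the dynamic map, i.e. its proxy IDs mismatched."""
    e = select_entry(peer, local, remote)
    has_static = any(x.peer == peer for x in CRYPTO_MAP if not x.dynamic)
    return e.tag(), bool(e.dynamic and has_static)

if __name__ == "__main__":
    # Remote proposes 192.168.51.0/24 instead of .50.0/24: falls into VPNClientMap.
    print(audit("a.a.a.a", "10.1.0.0/24", "192.168.51.0/24"))
```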


