[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Ryan West rwest at zyedge.com
Wed Sep 2 09:15:57 EDT 2009


Scott,

Can you provide debugs from the ASA, code versions on both devices and your associated no-nat ACLs?

Assuming you have nothing else logging to monitor, you can enable 'logging class vpn monitor debug' and throw up a term mon to gather inbound messages to the ASA from the PIX side.  You can gather the information on the PIX with a debug cry isa 2 and then initiate interesting traffic from the ASA using the following; the more valuable information will be on the receiving end.  It really doesn't matter which side you enable as the receiver, but I try to stay away from pre-7.x code on the PIXes.

packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed

Phase 10 or 11 should be subtype encrypt.  If it fails the first time, run it again; the negotiation process causes the first packet to fail as the tunnel is being brought up.  This type of traffic will also give you your debug information and help you figure out where the failure is.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, September 01, 2009 8:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi, I have a Pix out in the field and an ASA5520 that I'm trying to 
configure to pass L2L traffic.  I keep getting an error that says
IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
ip=a.b.c.d unable to remove peer table entry

What am I doing wrong?

Here are the important config bits

asa-5520
crypto map
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

ISAKMP

isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal  20
isakmp reload-wait

and the acl
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192

TUNNEL GROUP

tunnel-group 208.37.161.98 type ipsec-l2l
tunnel-group 208.37.161.98 general-attributes
tunnel-group 208.37.161.98 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

PIX

CRYPTO MAP and ISAKMP

crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address vpn-1
crypto map map1 10 set peer vpnc
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key * address vpnc netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

ACL
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

(Note: on the ASA I use individual /24s and shortened the ACL for ease of 
reading.  I do this to exclude 10.18.14.0/24 from the tunnels since that 
houses the ASA's inside interface and client access.)

Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
