[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Scott Granados gsgranados at comcast.net
Wed Sep 2 12:45:28 EDT 2009


Hi, so right now my Pix in the field is pointing at a VPN 3000 so I can't 
take that path down until after hours but I will to capture the debug data.

A show ver on the asa shows device manager V5.0.7

The field pix shows V6.3
I have access to both ends so updating the firmware is definitely an option. 
Any suggested version?

On the ASA side I do not have a no nat statement at all.  I never configured 
NAT because this device isn't being used for any features other than a VPN 
access device with split tunneling enabled for the clients.
On the NY pix side the nat config and acl are as follows.

global (outside) 1 208.x.x.100-208.x.x.115 netmask 255.255.255.224
global (outside) 1 208.x.x.99 netmask 255.255.255.224
nat (inside) 0 access-list vpn-1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

Thanks
Scott

----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, September 02, 2009 6:15 AM
Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel


Scott,

Can you provide debugs from the ASA, code versions on both devices and your 
associated no-nat ACLs?

Assuming you have nothing else logging to monitor, you can enable 'logging 
class vpn monitor debug' and throw up a term mon to gather inbound messages 
to the ASA from the PIX side.  You can gather the information on the PIX 
with a debug cry isa 2 and then initiate interesting traffic from the ASA 
using the following, the more valuable information will be on the receiving 
end.  It really doesn't matter which side you enable as the receiver, but I 
try to stay away from pre 7.x code on the PIXes.

packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed

Phase: 10 or 11 should be subtype encrypt.  If it fails the first time, run 
it again; the negotiation process causes the first packet to fail as the 
tunnel is being brought up.  This type of traffic will also give you your debug 
information and help you figure out where the failure is.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, September 01, 2009 8:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
configure to pass L2L traffic.  I keep getting an error that says
IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
ip=a.b.c.d unable to remove peer table entry

What am I doing wrong?

Here are the important config bits

asa-5520
crypto map
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

ISAKMP

isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal  20
isakmp reload-wait

and the acl
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192

TUNNEL GROUP

tunnel-group 208.37.161.98 type ipsec-l2l
tunnel-group 208.37.161.98 general-attributes
tunnel-group 208.37.161.98 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

PIX

CRYPTO MAP and ISAKMP

crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address vpn-1
crypto map map1 10 set peer vpnc
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key * address vpnc netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

ACL
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

(note on the ASA I use individual /24's and shortened the ACL for ease of
reading.  I do this to exclude 10.18.14.0/24 from the tunnels since that
houses the ASA's inside interface and client access)

Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 
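Two of the things Ryan asks for (agreeing ISAKMP policies and mirror-image no-nat/crypto ACLs) can be checked offline against the configs pasted in the thread. The script below is an added example, not anything from the list or from Cisco; it embeds a constructed subset of the posted ASA and PIX lines and assumes only the plain `permit ip <src> <mask> <dst> <mask>` ACL form, with bare `aes` on the PIX read as aes-128.

```python
import re
from ipaddress import ip_network

# Excerpts copied from the thread (constructed subset): ISAKMP encryption/hash/group
# lines, minus ASA policies 5 and 10 (aes-256, groups 7/5), and two ACL entries each.
ASA_CFG = """
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
"""
PIX_CFG = """
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
"""
POLICY = re.compile(r"isakmp policy (\d+) (encryption|hash|group) (\S+)")
ACE = re.compile(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_policies(cfg):
    """Map policy number -> (encryption, hash, group); bare 'aes' is aes-128."""
    pol = {}
    for num, attr, val in POLICY.findall(cfg):
        pol.setdefault(num, {})[attr] = "aes-128" if val == "aes" else val
    return {n: (p["encryption"], p["hash"], p["group"]) for n, p in pol.items()}

def parse_acl(cfg):
    """Set of (src, dst) networks from the crypto ACL (netmask form, as on PIX/ASA)."""
    return {(ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in ACE.findall(cfg)}

def phase1_matches(local, remote):
    """Policy number pairs that agree on all three attributes; empty => IKE fails."""
    return [(a, b) for a, pa in parse_policies(local).items()
            for b, pb in parse_policies(remote).items() if pa == pb]

def acl_mismatches(local, remote):
    """Local (src -> dst) entries with no exact mirror (dst -> src) on the peer."""
    mirror = {(d, s) for s, d in parse_acl(remote)}
    return sorted(f"{s} -> {d}" for s, d in parse_acl(local) if (s, d) not in mirror)

if __name__ == "__main__":
    print("IKE policy matches:", phase1_matches(ASA_CFG, PIX_CFG))
    print("unmirrored ASA ACL entries:", acl_mismatches(ASA_CFG, PIX_CFG))
```

Over the posted lines it reports no ISAKMP policy pair in common and flags the 10.18.0.0 entry, whose mask is 255.255.254.0 on the ASA but 255.255.240.0 on the PIX; since Scott says the ASA ACL was shortened for the post, the ACL finding should be re-run against the real config before acting on it.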