[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
Ryan West
rwest at zyedge.com
Thu Sep 3 14:39:18 EDT 2009
Scott,
A pointer for your ACLs, wrap up your secured networks into two object-groups. For example:
Object-group network internal
Network-object 10.1.0.0 255.255.0.0
Network-object 10.1.0.0 255.255.0.0
.....
Object-group network ny_nets
Network-object 10.18.14.0 255.255.255.0
Then craft your interesting traffic ACL on the ASA to look something like this:
Access-list vpn_ny permit ip object-group internal object-group ny_nets
Access-list nonat permit ip object-group internal object-group ny_nets
Any future changes are done at the object-groups and will be immediately reflected in your interesting traffic ACL and nonat ACL.
As Michael has said, the error can be a number of things, I would start with the crypto key though. A lot of the ISAKMP settings (at least in the ASA) are part of the default config and cover just about every common Phase1 setting. From the ASA, issue a 'show cry isa sa detail' and check out the entry that corresponds with your PIX endpoint. Post the results of that once you've got a stream of interesting traffic going from the ASA to the PIX. If possible post the debug results from the PIX to the ASA with the settings that I mentioned earlier, if there is a key mismatch, you'll see that error on the ASA side.
In case you're curious, this is the 7.2.4 bug I was referring to as well, it exists through 7.2.4(18):
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq91271
-ryan
-----Original Message-----
Scott,
Can you provide debugs from the ASA, code versions on both devices and
your
associated no-nat ACLs?
Assuming you have nothing else logging to monitor, you can enable
'logging
class vpn monitor debug' and throw up a term mon to gather inbound
messages
to the ASA from the PIX side. You can gather the information on the PIX
with a debug cry isa 2 and then initiate interesting traffic from the
ASA
using the following, the more valuable information will be on the
receiving
end. It really doesn't matter which side you enable as the receiver,
but I
try to stay away from pre 7.x code on the PIXes.
packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed
Phase: 10 or 11 should be subtype encrypt. If it fails the first time,
run
it again, the negotiation process causes the first packet to fail as the
tunnel is being brought. This type of traffic will also give you your
debug
information and help you figure out where the failure is.
-ryan
More information about the cisco-nsp
mailing list