ASA 5505 replaces PIX 501, tunnel fails...

Just replaced an aging PIX 501 running 6.3 with a fancypants new ASA 5505 at my office. For the last 5 years I've had a working tunnel between my home and the office with two PIX 501s. Now I can't get this tunnel back up to save my life.

Since I installed the 5505 I have not been able to get the tunnel back up. It looks to me like it's failing at phase one, but I'm not sure. Attributes in the debug are OK, no mismatch.

Any help would be appreciated. I'm sure it's an IOS change in config with the ASA, but I just have no clue what the issue is. Possibly the tunnel-group config, or a crypto map change?

Debugs are at the very bottom of the post.

Thanks, Chip (old CCIE #2807, trying to shake off a little rust)

wri t
: Saved
:
ASA Version 8.0(4)
!
hostname vny5505
domain-name coastal.com
enable password me5DgyBO6Uspd1dO encrypted
passwd me5DgyBO6Uspd1dO encrypted
names
name 10.10.254.0 Encino description Casa de chip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.62.46.246 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.2
 name-server 206.13.29.12
 name-server 66.75.164.90
 domain-name coastal.com
access-list outside_cryptomap_40 extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
access-list vnypix extended permit tcp any any eq 19813
access-list vnypix extended permit tcp any host 74.62.46.242 eq 3389
access-list vnypix extended permit tcp any host 74.62.46.242 eq smtp
access-list vnypix extended permit tcp any host 74.62.46.243 eq 3389
access-list vnypix extended permit tcp any host 74.62.46.242 eq www
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
pager lines 24
logging enable
logging monitor errors
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 74.62.46.242 10.0.0.2 netmask 255.255.255.255
static (inside,outside) 74.62.46.243 10.0.0.3 netmask 255.255.255.255
access-group vnypix in interface outside
route outside 0.0.0.0 0.0.0.0 74.62.46.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 67.127.2.234
crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 67.127.2.234 type ipsec-l2l
tunnel-group 67.127.2.234 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:03b83c4f4647319d864e58540f3cdd25
: end
[OK]

vny5505#

end 5505

Remote site PIX 501 config...

wri t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password me5DgyBO6Uspd1dO encrypted
passwd me5DgyBO6Uspd1dO encrypted
hostname chpix-home
domain-name tsrhelicopters.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 WHP_HQ_NET
access-list inside_outbound_nat0_acl permit ip 10.10.254.0 255.255.255.0 WHP_HQ_NET 255.255.255.0
access-list acl_4dout permit icmp any any
access-list acl_4dout permit tcp any any eq 19813
access-list acl_4dout permit icmp any any echo
access-list acl_4dout permit icmp any any echo-reply
access-list acl_4dout permit icmp any any unreachable
access-list acl_4dout permit icmp any any time-exceeded
access-list acl_4dout permit tcp any host 66.127.2.235 eq 3389
access-list acl_4dout permit udp any any eq 6112
access-list acl_4dout permit udp any any eq 9103
access-list acl_4dout permit udp any any eq 30350
access-list acl_4dout permit udp any any eq 30351
access-list acl_4dout permit tcp any any eq 8767
access-list acl_4dout permit tcp any any eq 2251
access-list acl_4dout permit udp any any eq 8767
access-list acl_4dout permit tcp any any eq 14534
access-list outside_cryptomap_40 permit ip 10.10.254.0 255.255.255.0 WHP_HQ_NET 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console errors
logging buffered errors
logging trap notifications
logging host inside 10.10.254.10
mtu outside 1500
mtu inside 1500
ip address outside 66.127.2.234 255.255.255.248
ip address inside 10.10.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.254.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.10.254.10 255.255.255.255 inside
pdm location WHP_HQ_NET 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.254.0 255.255.255.0 0 0
static (inside,outside) 66.127.2.235 10.10.254.10 netmask 255.255.255.255 0 0
static (inside,outside) 66.127.2.236 10.10.254.50 netmask 255.255.255.255 0 0
access-group acl_4dout in interface outside
route outside 0.0.0.0 0.0.0.0 66.127.2.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.254.0 255.255.255.0 inside
snmp-server host inside 10.10.254.10 poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 74.62.46.246
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 74.62.46.246 netmask 255.255.255.255
isakmp identity address
isakmp log 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.10.254.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.10.254.30-10.10.254.60 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain tsrhelicopters.com
dhcpd enable inside
terminal width 80
Cryptochecksum:e66cac842fe9415455fb251ebb56a695
: end
[OK]

chpix-home(config)#

Debugs...

chpix-home(config)# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 66.127.2.234, remote= 74.62.46.246,
    local_proxy= 10.10.254.0/255.255.255.0/0/0 (type=4),
    remote_proxy= WHP_HQ_NET/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -946756640:c791a3e0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xde20a13b(3726680379) for SA
        from 74.62.46.246 to 66.127.2.234 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:74.62.46.246/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2536656321, spi size = 16
ISAKMP (0): deleting SA: src 66.127.2.234, dst 74.62.46.246
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb051cc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:74.62.46.246/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 74.62.46.246
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 66.127.2.234, remote= 74.62.46.246,
    local_proxy= 10.10.254.0/255.255.255.0/0/0 (type=4),
    remote_proxy= WHP_HQ_NET/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 1354031411:50b4e133
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x2887c12e(679985454) for SA
        from 74.62.46.246 to 66.127.2.234 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:74.62.46.246/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1155976642, spi size = 16
ISAKMP (0): deleting SA: src 66.127.2.234, dst 74.62.46.246
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb051cc, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:74.62.46.246/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 74.62.46.246
Reply to
chip_paige

Are you using the same set of hashes?

From the 501:

crypto map outside_map 40 set transform-set ESP-DES-MD5

From the ASA:

crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-

Peter

Reply to
peter

peter wrote:
> X-No-Archive: yes
> chip_paige wrote:
>> Just replaced an aging PIX 501 running 6.3 with a fancypants new
>> ASA 5505 at my office. For the last 5 years I've had a working tunnel
>> between my home and the office with two PIX 501s. Now I can't get
>> this tunnel back up to save my life.
>>

You might be having a problem with PFS (perfect forward secrecy). I forget if the PIXes have it by default, but I believe the ASAs do...

Try doing this on the ASA 5505: no crypto map outside_map 1 set pfs

You could also add more crypto maps to make sure those are matching.

From the errors it appears as though it has completed phase 1 and is running into problems with phase 2.

shawn

Reply to
b3nder
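Both replies come down to checking that the two ends propose matching crypto parameters, which is tedious to do by eye across two different config syntaxes. The script below is an added example, not code from this thread or from Cisco; the function names and the excerpt constants are mine. It parses the crypto-relevant lines of the two configs posted above (ASA 8.0 indents the ISAKMP policy attributes, PIX 6.3 puts them inline), takes each side's outside address as posted instead of parsing interfaces, and reports peer-address, phase 1 policy, transform-set and PFS mismatches.

```python
import re
ASA_CFG = """crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map outside_map 1 set peer 67.127.2.234
crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
"""  # crypto-relevant excerpt of the vny5505 (ASA 8.0(4)) config posted in the thread
PIX_CFG = """crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 set peer 74.62.46.246
crypto map outside_map 40 set transform-set ESP-DES-MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""  # crypto-relevant excerpt of the chpix-home (PIX 6.3(4)) config posted in the thread
def parse(cfg, outside):  # outside = this side's outside-interface address, as posted
    side, policy = {"outside": outside, "policies": {}, "tsets": {}, "maps": {}}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"(?:crypto )?isakmp policy (\d+)\s*(.*)", line):
            policy, line = side["policies"].setdefault(m[1], {}), m[2]  # PIX keeps the attribute inline
        elif not raw.startswith(" "): policy = None  # any other top-level command ends an ASA policy block
        if policy is not None and line:  # ASA indents its attributes; the PIX inline one lands here too
            k, *v = line.split(); policy[k] = " ".join(v)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            side["tsets"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) set (\S+)\s*(.*)", line):
            side["maps"].setdefault((m[1], m[2]), {})[m[3]] = m[4].split()
    return side

def check(a, b):  # returns the mismatches that would stop the tunnel; [] means the two sides line up
    out = []
    for me, far in ((a, b), (b, a)):  # 'set peer' on each side must name the other side's outside address
        if far["outside"] not in {e["peer"][0] for e in me["maps"].values() if "peer" in e}:
            out.append(f"peer: {me['outside']} does not point at {far['outside']}")
    if not any(all(p.get(k) == q.get(k) for k in ("authentication", "encryption", "hash", "group"))
               for p in a["policies"].values() for q in b["policies"].values()):  # phase 1 proposals
        out.append("phase 1: no ISAKMP policy pair agrees on auth/encryption/hash/group")
    props = [{s["tsets"][n] for e in s["maps"].values() for n in e.get("transform-set", [])} for s in (a, b)]
    if not props[0] & props[1]:  # phase 2: the ESP proposal lists must share at least one transform-set
        out.append("phase 2: no common transform-set")
    pfs = [{tuple(e["pfs"]) for e in s["maps"].values() if "pfs" in e} for s in (a, b)]
    if bool(pfs[0]) != bool(pfs[1]) or (pfs[0] and not pfs[0] & pfs[1]):  # one side only, or different groups
        out.append("phase 2: PFS mismatch")
    return out
RESULT = check(parse(ASA_CFG, "74.62.46.246"), parse(PIX_CFG, "66.127.2.234"))  # the configs as posted
```

On the posted excerpts it finds the phase 1 policies and the ESP-DES-MD5 transform-set agreeing and PFS set on neither side, but reports that the ASA's set peer (and tunnel-group) address 67.127.2.234 is not the PIX outside address 66.127.2.234; whether that is a typo in the post or in the running config only the poster can confirm.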

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.