ASA5505 Replaces Pix 501 Tunnel fails...

Just replaced an aging PIX 501 running 6.3 with a fancypants new
ASA 5505 at my office. For the last 5 years I've had a working tunnel
between my home and the office with two PIX 501s. Now I can't get
this tunnel back up to save my life.
Since I installed the 5505 I have not been able to get the tunnel back
up. It looks to me like it's failing at phase one, but I'm not sure.
Attributes in the debug are OK, no mismatch.
Any help would be appreciated. I'm sure it's an IOS change in config
with the ASA, but I just have no clue what the issue is. Possibly the
tunnel group config, or a crypto map change?
Debugs are at the very bottom of the post.
Thanks,
Chip- (old ccie #2807, trying to shake off a little rust)
wri t
: Saved
:
ASA Version 8.0(4)
!
hostname vny5505
domain-name coastal.com
enable password me5DgyBO6Uspd1dO encrypted
passwd me5DgyBO6Uspd1dO encrypted
names
name 10.10.254.0 Encino description Casa de chip
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.62.46.246 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.2
name-server 206.13.29.12
name-server 66.75.164.90
domain-name coastal.com
access-list outside_cryptomap_40 extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
access-list vnypix extended permit tcp any any eq 19813
access-list vnypix extended permit tcp any host 74.62.46.242 eq 3389
access-list vnypix extended permit tcp any host 74.62.46.242 eq smtp
access-list vnypix extended permit tcp any host 74.62.46.243 eq 3389
access-list vnypix extended permit tcp any host 74.62.46.242 eq www
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 Encino 255.255.255.0
pager lines 24
logging enable
logging monitor errors
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 74.62.46.242 10.0.0.2 netmask 255.255.255.255
static (inside,outside) 74.62.46.243 10.0.0.3 netmask 255.255.255.255
access-group vnypix in interface outside
route outside 0.0.0.0 0.0.0.0 74.62.46.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 67.127.2.234
crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 67.127.2.234 type ipsec-l2l
tunnel-group 67.127.2.234 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:03b83c4f4647319d864e58540f3cdd25
: end
[OK]
vny5505#
end 5505
Remote site pix 501 config...
wri t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password me5DgyBO6Uspd1dO encrypted
passwd me5DgyBO6Uspd1dO encrypted
hostname chpix-home
domain-name tsrhelicopters.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 WHP_HQ_NET
access-list inside_outbound_nat0_acl permit ip 10.10.254.0 255.255.255.0 WHP_HQ_NET 255.255.255.0
access-list acl_4dout permit icmp any any
access-list acl_4dout permit tcp any any eq 19813
access-list acl_4dout permit icmp any any echo
access-list acl_4dout permit icmp any any echo-reply
access-list acl_4dout permit icmp any any unreachable
access-list acl_4dout permit icmp any any time-exceeded
access-list acl_4dout permit tcp any host 66.127.2.235 eq 3389
access-list acl_4dout permit udp any any eq 6112
access-list acl_4dout permit udp any any eq 9103
access-list acl_4dout permit udp any any eq 30350
access-list acl_4dout permit udp any any eq 30351
access-list acl_4dout permit tcp any any eq 8767
access-list acl_4dout permit tcp any any eq 2251
access-list acl_4dout permit udp any any eq 8767
access-list acl_4dout permit tcp any any eq 14534
access-list outside_cryptomap_40 permit ip 10.10.254.0 255.255.255.0 WHP_HQ_NET 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console errors
logging buffered errors
logging trap notifications
logging host inside 10.10.254.10
mtu outside 1500
mtu inside 1500
ip address outside 66.127.2.234 255.255.255.248
ip address inside 10.10.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.254.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.10.254.10 255.255.255.255 inside
pdm location WHP_HQ_NET 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.254.0 255.255.255.0 0 0
static (inside,outside) 66.127.2.235 10.10.254.10 netmask 255.255.255.255 0 0
static (inside,outside) 66.127.2.236 10.10.254.50 netmask 255.255.255.255 0 0
access-group acl_4dout in interface outside
route outside 0.0.0.0 0.0.0.0 66.127.2.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.254.0 255.255.255.0 inside
snmp-server host inside 10.10.254.10 poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 74.62.46.246
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 74.62.46.246 netmask 255.255.255.255
isakmp identity address
isakmp log 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.10.254.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.10.254.30-10.10.254.60 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain tsrhelicopters.com
dhcpd enable inside
terminal width 80
Cryptochecksum:e66cac842fe9415455fb251ebb56a695
: end
[OK]
chpix-home(config)#
Debugs...
chpix-home(config)# IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 66.127.2.234, remote= 74.62.46.246,
local_proxy= 10.10.254.0/255.255.255.0/0/0 (type=4),
remote_proxy= WHP_HQ_NET/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -946756640:c791a3e0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xde20a13b(3726680379) for SA
from 74.62.46.246 to 66.127.2.234 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:74.62.46.246/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2536656321, spi size = 16
ISAKMP (0): deleting SA: src 66.127.2.234, dst 74.62.46.246
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb051cc, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:74.62.46.246/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 74.62.46.246
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 66.127.2.234, remote= 74.62.46.246,
local_proxy= 10.10.254.0/255.255.255.0/0/0 (type=4),
remote_proxy= WHP_HQ_NET/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1354031411:50b4e133
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x2887c12e(679985454) for SA
from 74.62.46.246 to 66.127.2.234 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:74.62.46.246/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:74.62.46.246, dest:66.127.2.234 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1155976642, spi size = 16
ISAKMP (0): deleting SA: src 66.127.2.234, dst 74.62.46.246
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xb051cc, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:74.62.46.246/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:74.62.46.246/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 74.62.46.246
chip_paige
Are you using the same set of hash?
From the 501:
crypto map outside_map 40 set transform-set ESP-DES-MD5
From the ASA:
crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-MD5
Peter
peter wrote:
You might be having a problem with PFS (perfect forward secrecy..). I forget if the PIXs have it by default but I believe the ASAs do...
Try doing this on the ASA 5505: no crypto map outside_map 1 set pfs...
You could also add more crypto maps to make sure those are matching..
From the errors it appears as though it has completed phase 1 and is running into problems with phase 2..
shawn
b3nder
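A check that follows from Peter's and Shawn's replies, added here as an example and not written by anyone in the thread: it parses constructed excerpts of the two configs posted above and reports every setting that must agree between L2L peers but does not (a common ESP transform-set, PFS on both sides or neither, mirrored crypto ACLs, and each side's set peer against the other side's outside address). The excerpt values are copied from the posted configs with the name aliases expanded by hand; whatever it flags is something to verify on the live boxes, not a diagnosis.

```python
from ipaddress import ip_network
# Constructed excerpts of the two configs quoted above, with the 'name' aliases
# expanded by hand (Encino = 10.10.254.0, WHP_HQ_NET = 10.0.0.0).
ASA_CFG = """
ip address 74.62.46.246 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.10.254.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 67.127.2.234
crypto map outside_map 1 set transform-set ESP-AES-128-MD5 ESP-DES-MD5
"""
PIX_CFG = """
ip address outside 66.127.2.234 255.255.255.248
access-list outside_cryptomap_40 permit ip 10.10.254.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 74.62.46.246
crypto map outside_map 40 set transform-set ESP-DES-MD5
"""

def parse_crypto(cfg):
    """Collect what an L2L peer must agree on: ESP proposals, proxy IDs, peer address."""
    side = {"tsets": {}, "acls": {}, "map": {}, "outside": None}
    for line in cfg.strip().splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            side["tsets"][w[3]] = frozenset(w[4:])            # name -> algorithm set
        elif w[0] == "access-list":                           # '... permit ip A M B M'
            i = w.index("ip")
            side["acls"][w[1]] = (ip_network(f"{w[i+1]}/{w[i+2]}"), ip_network(f"{w[i+3]}/{w[i+4]}"))
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[4] in ("match", "set"):
            side["map"][w[5] if w[4] == "set" else "acl"] = w[6:]   # acl / peer / transform-set / pfs
        elif w[:2] == ["ip", "address"]:                      # PIX names the interface, ASA does not
            side["outside"] = w[3] if w[2] == "outside" else w[2]
    return side

def compare(a, b):
    """Return the asymmetries that would stall phase 2 (or the phase 1 peer lookup)."""
    issues = []
    pa, pb = ({s["tsets"][n] for n in s["map"].get("transform-set", [])} for s in (a, b))
    if not pa & pb:                                           # at least one identical proposal
        issues.append("no common ESP transform-set")
    if ("pfs" in a["map"]) != ("pfs" in b["map"]):            # PFS on both sides or on neither
        issues.append("PFS configured on one side only")
    (sa, da), (sb, db) = a["acls"][a["map"]["acl"][0]], b["acls"][b["map"]["acl"][0]]
    if (sa, da) != (db, sb):                                  # crypto ACLs must mirror exactly
        issues.append(f"proxy identities not mirrored: {sa}->{da} vs {sb}->{db}")
    for x, y, name in ((a, b, "A"), (b, a, "B")):             # 'set peer' == other outside address
        if x["map"]["peer"][0] != y["outside"]:
            issues.append(f"{name} peers with {x['map']['peer'][0]} but other side is {y['outside']}")
    return issues
```

Run `compare(parse_crypto(ASA_CFG), parse_crypto(PIX_CFG))` to get the list of mismatches; an empty list means the two sides agree on everything the check covers.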
