6 Replies. Latest reply: Mar 31, 2012 3:33 AM by Richy165

    ASA IPsec Phase 2 issue

    Netwrk1

      I have an ASA 5510, version 8.2(2).

       

      1. Issue: Phase 2 doesn't commence after completion of Phase 1

       

       

           - If I set the crypto map connection-type to bidirectional, there are no errors and the remote-side Fortigate shows the IPsec tunnels down. However, if I manually bring them up, the tunnels come up for a while.

       

           - If I set the crypto map connection-type to answer-only or originate-only, I get the error QM FSM error (P2 struct xxxxxx, mess id xxxxxx).

       

       

      2. I would really appreciate it if someone could tell me the commands to start debugging on the monitor/console. I use debug crypto ipsec but do not see any debug output in my logs or on the console.


      3. In the output below I see the Role as responder. If I set originate-only I still do not see it as initiator; is there a command for the ASA to initiate the connection?

       

      ASA# sh crypto isakmp sa

         Active SA: 2
          Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
      Total IKE SA: 3

      1   IKE Peer: 204.x.x.15
          Type    : L2L             Role    : responder
          Rekey   : no              State   : AM_ACTIVE

         
        • 1. Re: ASA IPsec Phase 2 issue
          Paul Stewart  -  CCIE Security

          Almost every time this happens to me, I missed the NAT exemption. Is either of the endpoints doing NAT? Did you exempt the traffic to be tunnelled from the NAT process? Are you getting matches on the crypto and nat exempt acls? You can use the packet-tracer command to see if each ASA thinks their outbound traffic should be encrypted or not.

          • 2. Re: ASA IPsec Phase 2 issue
            Fabio - FW specialist

            To bring up a tunnel set with the bidirectional type, you need to create a real packet session (traffic matching your crypto map's access list).

            Instead, if the type is answer-only, the first packet (SYN) that matches your crypto map must be sent from the Fortigate side.

             

            To view debug messages in your log, modify your logging configuration to the debug level.

             

            fabio

            • 3. Re: ASA IPsec Phase 2 issue
              Netwrk1

              Paul,

              Below are the configs from my ASA.

              I think my NAT exempt might be wrong. Line 3 is the one for my site-to-site, I think, and there are no hit counters.

              Also, the NONAT access list is applied to the inside interface.

              As I see no hit counters, would that indicate what Fabio has outlined regarding the traffic matching, or interesting traffic?

               

              ------

              GTT-ASA# sh access-list NONAT
              access-list NONAT; 7 elements; name hash: 0xf0d9f49a
              access-list NONAT line 1 extended permit ip 192.168.0.0 255.255.0.0 SSL_subnet 255.255.255.0 (hitcnt=0) 0x4b741e52
              access-list NONAT line 2 extended permit ip object-group DM_INLINE_NETWORK_1 SSL_subnet 255.255.255.0
                access-list NONAT line 2 extended permit ip PrimaryCMD 255.255.255.0 SSL_subnet 255.255.255.0 (hitcnt=0)
                access-list NONAT line 2 extended permit ip 192.168.1.0 255.255.255.0 SSL_subnet 255.255.255.0 (hitcnt=0)
                access-list NONAT line 2 extended permit ip TC192.168.10.0 255.255.255.0 SSL_subnet 255.255.255.0 (hitcnt=0)
              access-list NONAT line 3 extended permit ip object-group London_Networks PrimaryCMD 255.255.255.0
                access-list NONAT line 3 extended permit ip 192.168.1.0 255.255.255.0 PrimaryCMD 255.255.255.0 (hitcnt=0)
                access-list NONAT line 3 extended permit ip TC192.168.10.0 255.255.255.0 PrimaryCMD 255.255.255.0 (hitcnt=0)
                access-list NONAT line 3 extended permit ip Mgmt 255.255.255.0 PrimaryCMD 255.255.255.0 (hitcnt=0)
              GTT-ASA#

               

               

              nat (inside) 0 access-list NONAT

               

               

              Entire Configs

               

               

              : Saved

              :

              ASA Version 8.2(2)

              !

              hostname net-ASA

              domain-name net.local

              enable password .XXXXXXXX encrypted

              passwd xxxxxxxxx encrypted

              names

              name 192.168.10.0 TC192.168.10.0

              name 80.x.x.0 net80 description net-80

              name 10.10.10.0 McLean-Lan description McLeanLan

              name 10.10.20.0 PrimaryCMD description CMD-1275K

              name 192.168.2.0 Mgmt

              name 192.168.3.0 SSL_subnet

              !

              interface Ethernet0/0

              speed 100

              duplex full

              nameif outside

              security-level 0

              ip address 172.31.20.200 255.255.255.0

              !

              interface Ethernet0/1

              description To 2.0.11.TH-SW1 vlan32

              speed 100

              duplex full

              nameif inside

              security-level 100

              ip address 192.168.0.142 255.255.255.252

              ospf network point-to-point non-broadcast

              !

              interface Ethernet0/1.4

              no vlannet

              no nameif

              no security-level

              no ip address

              !

              interface Ethernet0/2

              shutdown

              no nameif

              no security-level

              no ip address

              !

              interface Ethernet0/3

              nameif DMZ

              security-level 50

              no ip address

              !

              interface Management0/0

              nameif managment

              security-level 0

              no ip address

              !

              ftp mode passive

              dns domain-lookup inside

              dns server-group DefaultDNS

              name-server 192.168.1.26

              name-server 192.168.10.3

              domain-name ettldn.local

              object-group network DM_INLINE_NETWORK_1

              network-object PrimaryCMD 255.255.255.0

              network-object 192.168.1.0 255.255.255.0

              network-object TC192.168.10.0 255.255.255.0

              object-group network London_Networks

              network-object 192.168.1.0 255.255.255.0

              network-object TC192.168.10.0 255.255.255.0

              network-object Mgmt 255.255.255.0

              object-group network McLean_Networks

              network-object McLean-Lan 255.255.255.0

              object-group network 1275KNetwork

              access-list StandardVPN standard permit 192.168.1.0 255.255.255.0

              access-list StandardVPN standard permit TC192.168.10.0 255.255.255.0

              access-list StandardVPN standard permit net80 255.255.255.0

              access-list StandardVPN standard permit McLean-Lan 255.255.255.0

              access-list StandardVPN standard permit PrimaryCMD 255.255.255.0

              access-list StandardVPN standard permit 192.168.0.0 255.255.0.0

              access-list StandardVPN standard permit Mgmt 255.255.255.0

              access-list ExtendedACL extended permit ip SSL_subnet 255.255.255.0 net80 255.255.255.0

              access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 SSL_subnet 255.255.255.0

              access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_1 SSL_subnet 255.255.255.0

              access-list NONAT extended permit ip object-group London_Networks PrimaryCMD 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit PrimaryCMD 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

              access-list LonIPsec_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit TC192.168.10.0 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit net80 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit McLean-Lan 255.255.255.0

              access-list LonIPsec_splitTunnelAcl standard permit Mgmt 255.255.255.0

              access-list 110 extended permit ip object-group London_Networks object-group McLean_Networks

              access-list VPN-1275K extended permit ip object-group London_Networks McLean-Lan 255.255.255.0

              access-list outside_cryptomap extended permit ip object-group London_Networks PrimaryCMD 255.255.255.0

              pager lines 24

              logging enable

              logging timestamp

              logging console debugging

              logging monitor debugging

              logging buffered debugging

              logging asdm informational

              logging debug-trace

              mtu outside 1500

              mtu inside 1500

              mtu DMZ 1500

              mtu managment 1500

              ip local pool SSLVPNPool 192.168.3.1-192.168.3.200 mask 255.255.255.0

              icmp unreachable rate-limit 1 burst-size 1

              asdm image disk0:/asdm-634.bin

              no asdm history enable

              arp timeout 14400

              nat (inside) 0 access-list NONAT

              !

              router ospf 1

              router-id 192.168.0.142

              network 192.168.0.140 255.255.255.252 area 0

              network SSL_subnet 255.255.255.0 area 0

              area 0

              area 1

              neighbor 192.168.0.141 interface inside

              log-adj-changes

              !

              route outside 0.0.0.0 0.0.0.0 172.31.20.30 1

              route inside McLean-Lan 255.255.255.0 192.168.0.141 1

              route inside PrimaryCMD 255.255.255.0 192.168.0.141 1

              route inside net80 255.255.255.0 192.168.0.141 1

              route inside 192.168.0.0 255.255.255.0 192.168.0.141 1

              route inside 192.168.1.0 255.255.255.0 192.168.0.141 1

              route inside 192.168.35.0 255.255.255.0 192.168.0.141 1

              timeout xlate 3:00:00

              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

              timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

              timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

              timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

              timeout tcp-proxy-reassembly 0:01:00

              dynamic-access-policy-record DfltAccessPolicy

              aaa-server GttRadius protocol radius

              aaa-server GttRadius (inside) host 192.168.10.3

              aaa-server TACACS protocol tacacs+

              aaa-server TACACS (outside) host 80.x.x.95

              key *****

              aaa-server TACACS (outside) host 70.x.x.2

              key *****

              aaa authentication ssh console LOCAL

              aaa authentication http console LOCAL

              http server enable

              http server session-timeout 20

              http 192.168.1.0 255.255.255.0 inside

              http 0.0.0.0 0.0.0.0 inside

              no snmp-server location

              no snmp-server contact

              snmp-server enable traps snmp authentication linkup linkdown coldstart

              crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

              crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

              crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

              crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

              crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

              crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

              crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

              crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

              crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

              crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

              crypto ipsec transform-set McLean_Transformset esp-3des esp-sha-hmac

              crypto ipsec security-association lifetime seconds 3600

              crypto ipsec security-association lifetime kilobytes 4608000

              crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

              crypto map outside_map 100 match address 110

              crypto map outside_map 100 set peer 204.x.x.15

              crypto map outside_map 100 set transform-set McLean_Transformset

              crypto map outside_map 100 set security-association lifetime seconds 3600

              crypto map outside_map 100 set phase1-mode aggressive group5

              crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

              crypto map outside_map interface outside

              crypto ca trustpoint localtrust

              fqdn lonvpn.xx.net

              subject-name CN=lonvpn.xx.net

              keypair SSLvpn

              crl configure

              crypto isakmp identity address

              crypto isakmp enable outside

              crypto isakmp policy 5

              authentication pre-share

              encryption 3des

              hash sha

              group 5

              lifetime 86400

              no vpn-addr-assign aaa

              no vpn-addr-assign dhcp

              telnet timeout 5

              ssh 0.0.0.0 0.0.0.0 inside

              ssh timeout 5

              console timeout 0

              threat-detection basic-threat

              threat-detection statistics access-list

              no threat-detection statistics tcp-intercept

              webvpn

              enable outside

              svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1

              svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2

              svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3

              svc enable

              tunnel-group-list enable

              group-policy SSLGroup_Policy internal

              group-policy SSLGroup_Policy attributes

              banner none

              dns-server value 192.168.1.26 192.168.10.3

              vpn-simultaneous-logins 3

              vpn-idle-timeout 30

              vpn-tunnel-protocol svc

              split-tunnel-policy tunnelspecified

              split-tunnel-network-list value StandardVPN

              split-dns none

              address-pools value SSLVPNPool

              webvpn

                svc keep-installer installed

                svc ask enable default webvpn timeout 20

              group-policy DfltGrpPolicy attributes

              vpn-tunnel-protocol IPSec l2tp-ipsec

              group-policy LonIPsec internal

              group-policy LonIPsec attributes

              dns-server value 192.168.1.26 192.168.10.3

              vpn-idle-timeout 30

              vpn-filter none

              vpn-tunnel-protocol IPSec

              split-tunnel-policy tunnelspecified

              split-tunnel-network-list value LonIPsec_splitTunnelAcl

              default-domain value xx.net


              <------snip ----> <usernames are snipped>


              tunnel-group SSLTunnelProfile type remote-access

              tunnel-group SSLTunnelProfile general-attributes

              default-group-policy SSLGroup_Policy

              tunnel-group SSLTunnelProfile webvpn-attributes

              group-alias sslvpn enable

              tunnel-group IPSECtunnel type remote-access

              tunnel-group LonIPsec type remote-access

              tunnel-group LonIPsec general-attributes

              address-pool SSLVPNPool

              default-group-policy LonIPsec

              tunnel-group LonIPsec ipsec-attributes

              pre-shared-key *****

              peer-id-validate nocheck

              tunnel-group 204.x.x.15 type ipsec-l2l

              tunnel-group 204.x.x.15 general-attributes

              default-group-policy LonIPsec

              tunnel-group 204.x.x.15 ipsec-attributes

              pre-shared-key *****

              peer-id-validate nocheck

              isakmp keepalive threshold infinite


              !

              !

              prompt hostname context

              call-home

              profile CiscoTAC-1

                no active

                destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

                destination address email callhome@cisco.com

                destination transport-method http

                subscribe-to-alert-group diagnostic

                subscribe-to-alert-group environment

                subscribe-to-alert-group inventory periodic monthly

                subscribe-to-alert-group configuration periodic monthly

                subscribe-to-alert-group telemetry periodic daily

              Cryptochecksum:bcfc994b18073739b613dcc5a54ba22c

              : end

              asdm image disk0:/asdm-634.bin

              asdm location TC192.168.10.0 255.255.255.0 inside

              asdm location net80 255.255.255.0 inside

              asdm location McLean-Lan 255.255.255.0 inside

              asdm location PrimaryCMD 255.255.255.0 inside

              asdm location SSL_subnet 255.255.255.0 inside

              no asdm history enable


              Thanks again guys

              • 4. Re: ASA IPsec Phase 2 issue
                Xavier

                As a standard, I tend to make my nonat ACL contain exactly the same statements as my crypto ACL. So make your nonat match the 110 ACL and your config looks fine to me in that regard.

                 

                To debug ipsec or isakmp, use:

                 

                debug crypto isakmp 7

                debug crypto ipsec 7

                 

                Then you'll get some messages. Don't do both at the same time, and be careful if you have more than 1 VPN connecting at any point in time. You may get lost in all the logs.
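                An added check of the rule Xavier gives above, run against the configuration posted in this thread (example code, not from any participant): it resolves the name table and object-groups, flattens the crypto-map ACL and the nat 0 ACL into (source, destination) network pairs, and lists crypto pairs that no NAT exemption covers. The config string is a constructed excerpt of the posted config, and the parser only handles the address-spec forms that config uses (object-group and network/mask).

```python
import ipaddress
# Constructed excerpt of the ASA config posted above (names, object-groups, ACLs 110/NONAT, nat 0, crypto map).
ASA_CONFIG = """
name 192.168.10.0 TC192.168.10.0
name 10.10.10.0 McLean-Lan description McLeanLan
name 10.10.20.0 PrimaryCMD description CMD-1275K
name 192.168.2.0 Mgmt
object-group network London_Networks
 network-object 192.168.1.0 255.255.255.0
 network-object TC192.168.10.0 255.255.255.0
 network-object Mgmt 255.255.255.0
object-group network McLean_Networks
 network-object McLean-Lan 255.255.255.0
access-list NONAT extended permit ip object-group London_Networks PrimaryCMD 255.255.255.0
access-list 110 extended permit ip object-group London_Networks object-group McLean_Networks
nat (inside) 0 access-list NONAT
crypto map outside_map 100 match address 110
"""

def parse_config(text):
    """Collect names, object-groups, extended ACLs, and which ACLs nat 0 and the crypto map use."""
    names, groups, acls, group, nonat_acl, crypto_acl = {}, {}, {}, None, None, None
    for p in filter(None, (line.split() for line in text.splitlines())):
        if p[0] == "name":                                  # name <ip> <alias> [description ...]
            names[p[2]] = p[1]
        elif p[:2] == ["object-group", "network"]:
            group = groups.setdefault(p[2], [])
        elif p[0] == "network-object":                      # member of the current object-group
            group.append((p[1], p[2]))
        elif p[0] == "access-list" and p[2] == "extended":
            acls.setdefault(p[1], []).append(p[3:])
        elif p[0] == "nat" and p[2:4] == ["0", "access-list"]:
            nonat_acl = p[4]
        elif p[:2] == ["crypto", "map"] and "match" in p:
            crypto_acl = p[p.index("address") + 1]
    return names, groups, acls, nonat_acl, crypto_acl

def expand_acl(aces, names, groups):
    """Flatten 'permit ip' ACEs into (src, dst) network pairs; specs are 'object-group G' or '<net> <mask>'."""
    def net(addr, mask):
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)
    def spec(tokens):                    # consume one address spec, return (networks, rest)
        if tokens[0] == "object-group":
            return [net(a, m) for a, m in groups[tokens[1]]], tokens[2:]
        return [net(tokens[0], tokens[1])], tokens[2:]
    pairs = set()
    for ace in aces:
        if ace[:2] == ["permit", "ip"]:
            srcs, rest = spec(ace[2:])
            dsts, _ = spec(rest)
            pairs.update((s, d) for s in srcs for d in dsts)
    return pairs

def missing_nat_exemptions(config_text):
    """Crypto-ACL pairs that no nat 0 ACE covers: that traffic is translated before it can match the crypto map."""
    names, groups, acls, nonat, crypto = parse_config(config_text)
    crypto_pairs = expand_acl(acls.get(crypto, []), names, groups)
    nonat_pairs = expand_acl(acls.get(nonat, []), names, groups)
    return sorted((str(s), str(d)) for s, d in crypto_pairs
                  if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_pairs))
```

                Run on the posted excerpt, all three London subnets towards McLean-Lan come back unexempted, since NONAT line 3 names PrimaryCMD where ACL 110 names McLean_Networks; a NONAT entry mirroring ACL 110 makes the list empty.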

                • 5. Re: ASA IPsec Phase 2 issue
                  Netwrk1

                  Alright, will give that a try and see. Thanks.

                  • 6. Re: ASA IPsec Phase 2 issue
                    Richy165

                    Hey Guys,

                    To narrow down what you're looking at in the logs, try this:

                     

                    debug crypto condition peer a.b.c.d

                     

                    Cheers,

                    Rich