Need some help with Cisco ASA 5510 Site to Site VPN please?

tonyrobinson
It should be straightforward but I'm missing something. I have two ASA 5510s, I have access to both ends. Due to not having access to the broadband routers, I stuck with one ASA having public outside address and the other having a private outside address. Added an extra route for the private outside address.

I also have a remote VPN which works to all servers behind each ASA. I've been through the ASA site to site wizard at both ends.

sho crypto isakmp returns: State: MM_WAIT_MSG2 at both ends so it's trying but not receiving a response. I've tried pumping through some interesting traffic but I can't get passed this stage.

The logs show very few errors, all informational messages until:
"IP=xxx.xxx.xxx.xxx, Removing peer from peer table, no match"

Any help would be appreciated.
    rpevley

    If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

    If the Cisco VPN Clients or the Site-to-Site VPN are not able to establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values and that the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

    "Error: Unable to remove Peer TblEntry, Removing peer from peer table failed, no match!"
    Here is the detailed log message:

    4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
    3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
    4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
    5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
    This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

    In addition, this message appears:

    Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    This message indicates that Phase 2 messages are being enqueued after Phase 1 completes. This error message might be due to one of these reasons:

    Mismatch in phase on any of the peers

    ACL is blocking the peers from completing phase 1

    This message usually comes after the Removing peer from peer table failed, no match! error message.

    If the Cisco VPN Client is unable to connect the head-end device, the problem can be the mismatch of ISAKMP Policy. The head-end device must match with one of the IKE Proposals of the Cisco VPN Client.

    Note: For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.
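A small triage script for the syslog lines quoted above, added here as an example (it is not part of the thread or of any Cisco tooling): it parses the ASA line format shown in the post and maps message IDs 713902, 713904 and 713219 to the causes the post gives. The sample lines are constructed from the post with wrapped lines joined and the peer address masked; the 713219 line is written in the same raw format as an assumption.

```python
import re

# ASA syslog line as quoted in the thread: <severity>|<timestamp>|<message id>: <text>
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}):\s*(?P<text>.*)$")
PEER_RE = re.compile(r"IP\s*=\s*([^,\s]+)")

# Phase 1 failure messages and the causes the post attributes to them
CAUSES = {
    "713904": "NO_PROPOSAL_CHOSEN from peer: no ISAKMP policy matched (encryption, hash, "
              "authentication, DH group) or NAT 0 statement missing",
    "713902": "peer table entry removal failed: Phase 1 torn down, usually after a policy mismatch",
    "713219": "KEY-ACQUIRE queued while Phase 1 incomplete: policy mismatch or ACL blocking the peers",
}

# Constructed sample: the lines from the post (wrapped lines joined, peer address masked)
# plus one 713219 line written in the same raw format (assumed layout).
SAMPLE_LOG = """\
4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|Mar 24 2010 10:21:48|713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.
""".splitlines()

def parse_line(line):
    """Split one ASA syslog line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["text"])
    rec["peer"] = peer.group(1) if peer else None  # 713219 carries no peer address
    return rec

def triage(lines):
    """Map each peer (None when the message names none) to the causes seen, oldest first."""
    records = [r for r in map(parse_line, lines) if r and r["msgid"] in CAUSES]
    records.sort(key=lambda r: r["ts"])  # same-day timestamps in one format, so string order works
    findings = {}
    for r in records:
        findings.setdefault(r["peer"], []).append((r["msgid"], CAUSES[r["msgid"]]))
    return findings

if __name__ == "__main__":
    for peer, causes in triage(SAMPLE_LOG).items():
        for msgid, cause in causes:
            print(f"{peer or '-'}: {msgid}: {cause}")
```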

    tonyrobinson

    Thanks for the comments, however, I'm still having the same problem.

    The isakmp policies at both ends are:

    isakmp identity address
    isakmp enable outside
    isakmp policy 50 authentication pre-share
    isakmp policy 50 encryption aes-256
    isakmp policy 50 hash sha
    isakmp policy 50 group 5
    isakmp policy 50 lifetime 86400
    isakmp policy 60 authentication pre-share
    isakmp policy 60 encryption 3des
    isakmp policy 60 hash sha
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400

    I assume policy 60 is negotiated for the remote VPN and policy 50 (should be) being negotiated for the site to site VPN.

    I also have a nat0 acl:

    access-list Inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 RDP 255.255.255.0
    nat (inside) 0 access-list Inside_nat0_outbound
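An added example (not from the thread) that takes the ISAKMP policies posted above and checks, the way the earlier reply describes, whether a peer's policy set yields a usable Phase 1 proposal: authentication, encryption, hash and DH group must all match, and the shorter lifetime wins. The two remote configs are constructed: one with a single-attribute typo in policy 50 that silently falls back to the weaker policy 60, and one where no proposal matches at all.

```python
import re

# One 'isakmp policy <priority> <attribute> <value>' line, as in the posted config
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)")
MUST_MATCH = ("authentication", "encryption", "hash", "group")  # lifetime may differ

# The policies posted in the thread (identical at both ends)
LOCAL = """
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
"""
# Constructed peer config: policy 50 typed with DH group 2 instead of 5, policy 60 lifetime 28800
REMOTE_TYPO = LOCAL.replace("policy 50 group 5", "policy 50 group 2").replace("60 lifetime 86400", "60 lifetime 28800")
# Constructed peer config carrying only that AES-256/SHA/group 2 policy: nothing can match
REMOTE_NONE = "\n".join(l for l in REMOTE_TYPO.splitlines() if "policy 50" in l)

def parse_policies(config):
    """Return {priority: {attribute: value}} from an ASA running-config fragment."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, val = m.groups()
            policies.setdefault(int(prio), {})[attr] = val
    return policies

def negotiate(initiator, responder):
    """First acceptable (initiator prio, responder prio, lifetime), trying lowest numbers first;
    None if no pair agrees on every MUST_MATCH attribute. The shorter lifetime is used."""
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if all(ipol.get(a) == rpol.get(a) for a in MUST_MATCH):
                life = min(int(ipol.get("lifetime", 86400)), int(rpol.get("lifetime", 86400)))
                return ip, rp, life
    return None  # the responder would answer NO_PROPOSAL_CHOSEN

def mismatches(initiator, responder):
    """For each policy pair, the attributes that differ; an empty list means that pair matches."""
    return {(ip, rp): [a for a in MUST_MATCH if ipol.get(a) != rpol.get(a)]
            for ip, ipol in sorted(initiator.items()) for rp, rpol in sorted(responder.items())}
```

With the typo'd peer the tunnel still comes up, but on 3DES/group 2 rather than the AES-256/group 5 policy that was meant to be used, which is why checking which policy actually negotiated matters as much as whether one did.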

    tonyrobinson

    Further information:

    At one end there is a broadband router just before the ASA which translates an outside 212.xxx.xxx.xxx to another 212.xxx.xxx.xxx which means the outside address of the ASA is also on 212.xxx.xxx.xxx subnet.

    At the other end a broadband router just before the ASA translates an outside public IP of 87.xxx.xxx.xxx to 10.xxx.xxx.xxx which means the outside of the ASA is also on 10.xxx.xxx.xxx subnet.

    When I come to set the crypto map VPN_map peer, should I use the outside address of the ASA at both ends or the outside of the bb router at one end?

    Have tried various combinations resulting in MM_WAIT_MSG2, MM_WAIT_MSG3, MM_WAIT_MSG4.

    tonyrobinson

    Fixed it!

    I set the peer to the outside address of the BB router instead of the outside address of the ASA and it started working.

    sms21

    You're missing the private key configuration line.

    tonyrobinson

    I have a pre-shared-key - is that the same thing?

    lnl001

    There are lots of great discussions and content on the Cisco Support Community regarding the ASA 5510.
    Here is a search result!

    https://supportforums.cisco.com/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=ASA+5510

    sms21

    Key must match at both ends.

    sms21

    Always follow these rules in order.
    A-N-R-V: I was taught this and it is foolproof.
    A = Access: create access-lists to allow the tunnel traffic. Also access-lists to make your LAN traffic interesting, so it goes in the tunnel.

    N = NAT (Network Address Translation): used when you want to disguise the real IP. Typically using the public IP of the internet-facing interface.

    R = Route: the tunnel endpoints must be able to ping each other to support the tunnel.

    V = VPN: tunnel configuration to support the building of the tunnel and the encryption method.
