
ASA as VPN server, R5 as client...having issues.
Hi All,
I am trying to establish the IPSec connection on R5 by running it in client mode. The show crypto isakmp sa shows the following:
Rack6R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
174.6.124.12 204.12.6.5 CONF_XAUTH 1010 0 ACTIVE
174.6.124.12 204.12.6.5 MM_NO_STATE 1009 0 ACTIVE (deleted).
I do a debug on the ASA (the server) and I see the following:
%ASA-7-715046: Group = IELAB, IP = 204.12.6.5, constructing blank hash payload
%ASA-7-715046: Group = IELAB, IP = 204.12.6.5, constructing qm hash payload
%ASA-7-713236: IP = 204.12.6.5, IKE_DECODE SENDING Message (msgid=e7f7f30f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
%ASA-7-713906: Group = IELAB, IP = 204.12.6.5, IKE SA AM:6eaApr 03 22:25:08 [IKEv1]62cd7 terminating: flags 0x0105c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = IELAB, IP = 204.12.6.5, sending delete/delete with reason message
%ASA-7-715046: Group = IELAB, IP = 204.12.6.5, constructing blank hash payload
%ASA-7-715046: Group = IELAB, IP = 204.12.6.5, constructing IKE delete payload
%ASA-7-715046: Group = IELAB, IP = 204.12.6.5, constructing qm hash payload
%ASA-7-713236: IP = 204.12.6.5, IKE_DECODE SENDING Message (msgid=eb73f95d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: Group = IELAB, IP = 204.12.6.5, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = IELAB, IP = 204.12.6.5, Error: Unable to remove PeerTblEntry
%ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:59s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
: Group = IELAB, IP = 204.12.6.5, Removing peer from peer table failed, no match!
Apr 03 22:25:08 [IKEv1]: Group = IELAB, IP = 204.12.6.5, Error: Unable to remove PeerTblEntry
My configuration is like this:
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec client ezvpn IELAB
connect auto
group IELAB key CISCO
local-address FastEthernet0/1
mode client
peer 174.6.124.12
username IPSECUSER password CISCO
xauth userid mode local
interface FastEthernet0/1
ip address 204.12.6.5 255.255.255.0
speed auto
half-duplex
crypto ipsec client ezvpn IELAB inside
interface Serial0/0
ip address 174.6.145.5 255.255.255.0
encapsulation frame-relay
frame-relay map ip 174.6.145.4 501 broadcast
frame-relay map ip 174.6.145.1 501 broadcast
no frame-relay inverse-arp
crypto ipsec client ezvpn IELAB
Any help would be greatly appreciated!!!
Thanks,
Vikram Parmar
CCIE#22735
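An added example, not part of this thread and not code from Cisco or any tool the post mentions: a small Python script that parses the two artefacts quoted above (the R5 "show crypto isakmp sa" table and the ASA IKEv1 debug lines) and correlates them into short findings. The sample input is re-typed from the post as constructed test data; the STATE_MEANING table, the finding codes and the correlation rule (server sent an XAUTH/mode-config ATTR payload and then terminated the IKE SA itself) are my own labels and heuristics, not ASA or IOS definitions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the R5 "show crypto isakmp sa" output and the ASA
# IKEv1 debug lines quoted in this thread, re-typed here as test data.
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
174.6.124.12    204.12.6.5      CONF_XAUTH        1010    0 ACTIVE
174.6.124.12    204.12.6.5      MM_NO_STATE       1009    0 ACTIVE (deleted)
"""

ASA_LOG = """\
%ASA-7-713236: IP = 204.12.6.5, IKE_DECODE SENDING Message (msgid=e7f7f30f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
%ASA-7-713906: Group = IELAB, IP = 204.12.6.5, IKE SA AM:6ea62cd7 terminating: flags 0x0105c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = IELAB, IP = 204.12.6.5, sending delete/delete with reason message
%ASA-7-713236: IP = 204.12.6.5, IKE_DECODE SENDING Message (msgid=eb73f95d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: Group = IELAB, IP = 204.12.6.5, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = IELAB, IP = 204.12.6.5, Error: Unable to remove PeerTblEntry
%ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:59s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
"""

# IOS ISAKMP SA states and what they mean for a client-mode peer (my wording).
STATE_MEANING = {
    "MM_NO_STATE": "ISAKMP SA exists but main mode never completed",
    "MM_SA_SETUP": "main mode: proposal agreed, waiting for key exchange",
    "MM_KEY_EXCH": "main mode: DH done, peer not yet authenticated",
    "MM_KEY_AUTH": "main mode: peer authenticated, SA about to be established",
    "AG_INIT_EXCH": "aggressive mode: first exchange done",
    "AG_AUTH": "aggressive mode: peer authenticated",
    "CONF_XAUTH": "phase 1 done; waiting in the XAUTH / mode-config exchange",
    "QM_IDLE": "phase 1 complete and quiescent (tunnel usable)",
}

@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int
    deleted: bool

def parse_isakmp_sa(text: str) -> list[IsakmpSa]:
    """Parse 'show crypto isakmp sa' rows; title and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # status may be "ACTIVE (deleted)"
        if len(parts) < 6 or not parts[3].isdigit():
            continue
        dst, src, state, conn_id, slot, status = parts
        rows.append(IsakmpSa(dst, src, state, int(conn_id), int(slot),
                             "(deleted)" in status))
    return rows

ASA_MSG = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    peer: Optional[str]   # None when the message carries no usable peer IP
    body: str

def parse_asa_log(text: str) -> list[AsaEvent]:
    """Split ASA syslog lines into (severity, message id, peer IP, body)."""
    events = []
    for line in text.splitlines():
        m = ASA_MSG.match(line)
        if not m:
            continue
        ip = re.search(r"IP = (\d+\.\d+\.\d+\.\d+)", m["body"])
        peer = ip.group(1) if ip and ip.group(1) != "0.0.0.0" else None
        events.append(AsaEvent(int(m["sev"]), m["msgid"], peer, m["body"]))
    return events

def diagnose(sa_text: str, asa_text: str) -> dict:
    """Correlate the client-side SA state with server-side IKE events.
    Returns {finding_code: explanation}; codes are this script's own labels."""
    findings = {}
    live = [sa for sa in parse_isakmp_sa(sa_text) if not sa.deleted]
    for sa in live:
        if sa.state == "CONF_XAUTH":
            findings["CLIENT_STUCK_IN_XAUTH"] = (
                f"{sa.src}->{sa.dst}: {STATE_MEANING[sa.state]}")
        elif sa.state.startswith(("MM_", "AG_")):
            findings["CLIENT_PHASE1_INCOMPLETE"] = (
                f"{sa.src}->{sa.dst}: {STATE_MEANING.get(sa.state, sa.state)}")
    events = parse_asa_log(asa_text)
    # Peers to which the ASA already sent an XAUTH/mode-config ATTR payload.
    sent_attr = {e.peer for e in events
                 if e.msg_id == "713236" and "ATTR (14)" in e.body}
    for e in events:
        if e.msg_id == "713906" and "terminating" in e.body and e.peer in sent_attr:
            findings["SERVER_TORE_DOWN_DURING_XAUTH"] = (
                f"{e.peer}: ASA sent an XAUTH/mode-config ATTR payload, then "
                "terminated the IKE SA itself; check the tunnel-group "
                "authentication path (authentication-server-group) and the "
                "XAUTH credentials before looking at phase 2")
        if e.msg_id == "113019" and "Bytes xmt: 0" in e.body:
            findings["SESSION_ENDED_NO_DATA"] = (
                "session disconnected with zero bytes in either direction; "
                "no IPsec SA was ever used")
    return findings

if __name__ == "__main__":
    for code, note in diagnose(SHOW_ISAKMP_SA, ASA_LOG).items():
        print(f"{code}: {note}")
```

Run against the thread's own output it reports that the client is parked in CONF_XAUTH while the server tore the SA down right after sending the ATTR payload, which points at the XAUTH/authentication step rather than at the phase 1 proposals or the crypto map.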
Comments
Hi,
Can you please share the ASA config as well? Configs for tunnel-group, local pool, group-policy and crypto.
Thanks!
I could not find the attachment link. Hence, the complete configuration of the ASA (server):
Rack6ASA1(config)# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname Rack6ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 174.6.124.100 ACS_POST_NAT_IP
name 10.0.0.100 ACS_PRE_NAT_IP
name 174.6.124.6 R6_POST_NAT_IP
name 150.6.6.6 R6_PRE_NAT_IP
name 150.6.5.5 R5
name 174.6.135.13 ASA2
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface Redundant8
member-interface Ethernet0/1
member-interface Ethernet0/0
nameif IN
security-level 99
ip address 174.6.127.12 255.255.255.0
ospf authentication-key CISCO
ospf authentication
!
interface Redundant8.124
vlan 124
nameif OUT
security-level 1
ip address 174.6.124.12 255.255.255.0
!
ftp mode passive
object-group network HOSTS1
network-object host 10.0.0.101
object-group network HOSTS2
network-object host 10.0.0.200
object-group network HOSTS
group-object HOSTS1
group-object HOSTS2
access-list OUTSIDE_IN extended permit tcp any host ACS_POST_NAT_IP eq tacacs
access-list OUTSIDE_IN extended permit udp any host ACS_POST_NAT_IP eq radius
access-list OUTSIDE_IN extended permit udp any host ACS_POST_NAT_IP eq radius-acct
access-list OUTSIDE_IN extended permit udp any host ACS_POST_NAT_IP eq 1812
access-list OUTSIDE_IN extended permit udp any host ACS_POST_NAT_IP eq 1813
access-list OUTSIDE_IN extended permit tcp host R5 eq bgp host R6_POST_NAT_IP
access-list OUTSIDE_IN extended permit tcp host R5 host R6_POST_NAT_IP eq bgp
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit tcp host ASA2 host ACS_POST_NAT_IP eq 1470
access-list OUTSIDE_IN extended permit udp host R5 host ACS_POST_NAT_IP eq syslog
access-list INSIDE_OUT extended deny icmp object-group HOSTS any echo
access-list INSIDE_OUT extended permit ip any any
access-list SPLIT_TUNNEL extended permit ip 174.6.127.0 255.255.255.0 any
pager lines 24
logging enable
mtu IN 1500
mtu OUT 1500
ip local pool CCIEPOOL 10.105.105.1-10.105.105.50 mask 255.255.255.0
ip verify reverse-path interface IN
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (IN,OUT) ACS_POST_NAT_IP ACS_PRE_NAT_IP netmask 255.255.255.255 tcp 250 200 udp 300
static (IN,OUT) R6_POST_NAT_IP R6_PRE_NAT_IP netmask 255.255.255.255
access-group INSIDE_OUT in interface IN
!
router ospf 1
network 174.6.127.12 255.255.255.255 area 51
log-adj-changes
default-information originate
!
route OUT 0.0.0.0 0.0.0.0 174.6.124.4 1
route IN 10.0.0.0 255.255.255.0 174.6.127.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (IN) host ACS_PRE_NAT_IP
key CISCO
authentication-port 1812
accounting-port 1813
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNAMIC 10 set transform-set 3DESSHA
crypto dynamic-map DYNAMIC 10 set security-association lifetime seconds 28800
crypto dynamic-map DYNAMIC 10 set security-association lifetime kilobytes 4608000
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface OUT
crypto isakmp enable OUT
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy IELAB internal
group-policy IELAB attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
address-pools value CCIEPOOL
username IPSECUSER password GlECUFrs9HVxCBI8 encrypted
username CISCO password TYX7NfYD.Yf733Bn encrypted
tunnel-group IELAB type remote-access
tunnel-group IELAB general-attributes
authentication-server-group RADIUS
default-group-policy IELAB
tunnel-group IELAB ipsec-attributes
pre-shared-key *
tunnel-group IELAB2 type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Still looking for some help!!!
Parvikram,
I was going through the configs you provided and I am still looking at them. But I found something here:
tunnel-group IELAB general-attributes
authentication-server-group RADIUS
default-group-policy IELAB
I do see that you are setting your x-auth to use Radius, but I believe you may want to try it locally, as you have the IPSECUSER locally created. Can you change this to authentication-server-group LOCAL?
I am still checking the rest of the configs.
HTH
Good luck!
Thanks qqabdal. I will try the same and let you know.
Hi,
Did you have a chance to try this out?
Regards,