OK...I think this issue will stump everyone here. We have an AT&T circuit with one copper hand-off but there are two VLANs. One is 'private' and one is 'internet'. Currently we have the private (vlan1204) VPN tunnel to our main office. I am trying to get the 'internet' (vlan1201) to be the secondary link so when vlan1204 goes down, vlan1201 will build a tunnel and users will be able to work. When I shut vlan1204 I see the route fail over and it tries to establish a tunnel. I get some MM_MSG4 and MM_MSG6. I think there is something up with my NAT from the local network to the Internet interface that is preventing the tunnel from coming up. Here is the config below...Good luck!
hostname AAAA0101025505
domain-name ABCDOH.NET
enable password j/k0Hj6QfsuzxJi0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name X.X.67.0 hostsville_VLAN67
name X.X.2.0 hostsville_VLAN2
name X.X.7.0 hostsville_VLAN7
name X.X.6.0 hostsville_VLAN6
name X.X.8.0 hostsville_VLAN8
name X.X.5.0 hostsville_VLAN5
name X.X.1.0 hostsville_VLAN1
name X.X.4.0 hostsville_VLAN4
name X.X.32.0 Upperxome_Subnet32
name X.X.75.0 hostsville_Vlan75
!
interface Vlan64
nameif AAAANetwork
security-level 100
ip address X.X.64.251 255.255.255.0
interface Vlan1201
nameif Internet
security-level 0
ip address Y.X.176.182 255.255.255.252
!
interface Vlan1204
nameif AAAA
security-level 0
ip address X.X.99.251 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 1200-1204
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 64
!
interface Ethernet0/2
switchport access vlan 64
!
interface Ethernet0/3
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner login c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
banner motd c UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You MUST have explicit permission to access and configure this device. Violations of this policy will result in disciplinary action, and may be reported to law enforcement. c
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone UTC -4
dns server-group DefaultDNS
domain-name ABCDOH.NET
object-group network AAAALocal
description ABCD AAAA Office
network-object X.X.64.0 255.255.255.0
object-group network AAAAgstownRemote
description Remote network list for the ABCD AAAAgstown office.
network-object X.X.2.0 255.255.255.0
network-object X.X.67.0 255.255.255.0
network-object X.X.7.0 255.255.255.0
network-object X.X.1.0 255.255.255.0
network-object X.X.5.0 255.255.255.0
network-object X.X.6.0 255.255.255.0
network-object X.X.8.0 255.255.255.0
network-object X.X.4.0 255.255.255.0
network-object X.X.32.0 255.255.255.0
network-object X.X.75.0 255.255.255.0
access-list crypto10 extended permit ip object-group AAAALocal any
access-list inside_outbound_nat0_acl extended permit ip object-group AAAALocal any
access-list ABCD extended permit icmp any any
access-list ABCD extended permit tcp host X.X.99.3 any eq 50 log
access-list ABCD extended permit tcp host X.X.99.3 any eq 51 log
access-list ABCD extended permit udp host X.X.99.3 any eq isakmp log
access-list ABCD extended permit ip host X.X.99.0 any log
access-list ABCD extended permit icmp X.X.0.0 255.255.0.0 any
access-list ABCD extended deny ip 14.2.6.0 255.255.255.0 any log
access-list ABCD extended deny ip 127.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 10.0.0.0 255.255.255.0 any log
access-list ABCD extended deny ip 0.0.0.0 255.0.0.0 any log
access-list ABCD extended deny ip 192.168.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 192.0.2.0 255.255.255.0 any log
access-list ABCD extended deny ip 169.254.0.0 255.255.0.0 any log
access-list ABCD extended deny ip 224.0.0.0 224.0.0.0 any log
access-list ABCD extended deny ip host 255.255.255.255 any log
access-list ABCD extended deny icmp any any echo log
access-list ABCD extended deny icmp any any redirect log
access-list ABCD extended deny icmp any any mask-request log
access-list ABCD extended permit ip host X.X.75.0 interface AAAANetwork log
access-list nonatInet extended permit ip object-group AAAALocal any
access-list ABCD_Internet extended permit icmp any any
access-list ABCD_Internet extended permit tcp host W.X.Y.7 any eq 50 log
access-list ABCD_Internet extended permit tcp host W.X.Y.7 any eq 51 log
access-list ABCD_Internet extended permit udp host W.X.Y.7 any eq isakmp log
access-list ABCD_Internet extended permit ip host W.X.Y.0 any
access-list ABCD_Internet extended deny ip 14.2.6.0 255.255.255.0 any log
access-list ABCD_Internet extended deny ip 127.0.0.0 255.255.255.0 any log
access-list ABCD_Internet extended deny ip 10.0.0.0 255.255.255.0 any log
access-list ABCD_Internet extended deny ip 0.0.0.0 255.0.0.0 any log
access-list ABCD_Internet extended deny ip 192.168.0.0 255.255.0.0 any log
access-list ABCD_Internet extended deny ip 192.0.2.0 255.255.255.0 any log
access-list ABCD_Internet extended deny ip 169.254.0.0 255.255.0.0 any log
access-list ABCD_Internet extended deny ip 224.0.0.0 224.0.0.0 any log
access-list ABCD_Internet extended deny ip host 255.255.255.255 any log
access-list ABCD_Internet extended deny icmp any any echo log
access-list ABCD_Internet extended deny icmp any any redirect log
access-list ABCD_Internet extended deny icmp any any mask-request log
access-list ABCD_Internet extended deny udp any any log
pager lines 24
logging console debugging
logging monitor warnings
logging buffered debugging
logging asdm informational
mtu AAAANetwork 1500
mtu Internet 1500
mtu AAAA 1500
ip verify reverse-path interface Internet
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any AAAANetwork
icmp permit any AAAA
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (AAAANetwork) 0 access-list inside_outbound_nat0_acl
access-group ABCD in interface AAAA
route AAAA 0.0.0.0 0.0.0.0 X.X.99.251 1 track 1
route Internet 0.0.0.0 0.0.0.0 Y.X.176.181 254
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
no snmp-server enable
sla monitor 123
type echo protocol ipIcmpEcho X.X.99.251 interface Internet
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ABCDAAAA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map AAAA 10 match address crypto10
crypto map AAAA 10 set peer X.X.99.3
crypto map AAAA 10 set transform-set ABCDAAAA
crypto map AAAA 10 set security-association lifetime seconds 28800
crypto map AAAA 10 set security-association lifetime kilobytes 4608000
crypto map AAAA interface AAAA
crypto map Internet 20 match address crypto10
crypto map Internet 20 set peer W.X.Y.7
crypto map Internet 20 set transform-set ABCDAAAA
crypto map Internet 20 set security-association lifetime seconds 28800
crypto map Internet 20 set security-association lifetime kilobytes 4608000
crypto map Internet interface Internet
crypto isakmp enable Internet
crypto isakmp enable AAAA
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 120
!
track 1 rtr 123 reachability
telnet timeout 1
ssh X.X.64.0 255.255.255.0 AAAANetwork
ssh X.X.75.0 255.255.255.0 AAAANetwork
ssh timeout 5
ssh version 2
console timeout 5
management-access AAAANetwork
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username R1t455hadmin password tnHS05OrzbBpUHY2 encrypted
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group X.X.99.3 type ipsec-l2l
tunnel-group X.X.99.3 ipsec-attributes
pre-shared-key *
tunnel-group W.X.Y.7 type ipsec-l2l
tunnel-group W.X.Y.7 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:33f8e351a984156bde2d4d4bc7dc2872
: end
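As an added illustration (not part of the original post), a small Python lint over an excerpt of the posted config that surfaces the checks a reviewer would make first for a tracked dual-interface VPN design: ACLs that are defined but never applied (nonatInet, ABCD_Internet), and whether the SLA probe behind the tracked route targets something other than the firewall's own address and leaves the interface it is supposed to guard. The regexes cover only the ASA 8.0-style command forms that appear in the post.

```python
import re
# Constructed excerpt of the posted ASA config: only the lines the checks read.
SAMPLE = """\
interface Vlan1201
 ip address Y.X.176.182 255.255.255.252
interface Vlan1204
 ip address X.X.99.251 255.255.255.0
access-list crypto10 extended permit ip object-group AAAALocal any
access-list inside_outbound_nat0_acl extended permit ip object-group AAAALocal any
access-list ABCD extended permit icmp any any
access-list nonatInet extended permit ip object-group AAAALocal any
access-list ABCD_Internet extended permit icmp any any
nat (AAAANetwork) 0 access-list inside_outbound_nat0_acl
access-group ABCD in interface AAAA
route AAAA 0.0.0.0 0.0.0.0 X.X.99.251 1 track 1
route Internet 0.0.0.0 0.0.0.0 Y.X.176.181 254
sla monitor 123
 type echo protocol ipIcmpEcho X.X.99.251 interface Internet
track 1 rtr 123 reachability
crypto map AAAA 10 match address crypto10
crypto map Internet 20 match address crypto10
"""
# Places where an ACL name is consumed: NAT exemption, interface ACL, crypto map.
ACL_USE = r"^\s*(?:nat \(\S+\) \d+ access-list|access-group|crypto map \S+ \d+ match address) (\S+)"
def lint(cfg):
    """Return findings on ACL references, SLA probe targets and tracked default routes."""
    own = set(re.findall(r"^\s*ip address (\S+) ", cfg, re.M))        # firewall's own addresses
    defined = set(re.findall(r"^\s*access-list (\S+) ", cfg, re.M))
    used = set(re.findall(ACL_USE, cfg, re.M))
    findings = [f"ACL {n} is defined but never applied" for n in sorted(defined - used)]
    findings += [f"ACL {n} is referenced but not defined" for n in sorted(used - defined)]
    sla, cur = {}, None                                   # sla id -> (target, probe interface)
    for line in cfg.splitlines():
        m = re.match(r"\s*sla monitor (\d+)$", line)
        if m:
            cur = m.group(1)
        m = re.match(r"\s*type echo protocol ipIcmpEcho (\S+) interface (\S+)", line)
        if m and cur:
            sla[cur] = m.groups()
    track = dict(re.findall(r"^\s*track (\d+) rtr (\d+)", cfg, re.M))  # track id -> sla id
    findings += [f"sla {s} probes {t}, one of the firewall's own addresses, so it cannot reflect upstream reachability"
                 for s, (t, _) in sla.items() if t in own]
    for iface, nexthop, tid in re.findall(r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) \d+(?: track (\d+))?", cfg, re.M):
        if nexthop in own:
            findings.append(f"default route on {iface} points at the firewall's own address {nexthop}")
        probe_if = sla.get(track.get(tid), (None, None))[1]
        if tid and probe_if and probe_if != iface:
            findings.append(f"route on {iface} is tracked by track {tid}, but sla {track[tid]} probes via {probe_if}")
    return findings
```

Run `lint(SAMPLE)` to list the findings; the same function can be pointed at a full `show running-config` dump.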