Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer

This topic is to discuss the following lesson:

Hi Rene !

Are you using GNS3? Because I have some trouble getting the config saved. After I reopen it, it doesn't stay.

/Oskar

Hi Oskar,

I use Cisco VIRL for pretty much all labs nowadays, including the ASA labs.

Rene

That's great Rene. Thx

Hi, Rene
How are you? I have a similar topology at work, and the issue we see is that the remote-end SQL DB servers make calls to collect logs from the home office SQL DB server, and sometimes it drops. End-to-end host connectivity is there, IPsec is all up, and the VPN is up too. I even see NetFlow via the LIVE action network analyzer tool.

From the home office ASA 5505, I have logged out/in the site-to-site VPN session, which re-establishes within 30 sec. Would ASDM packet tracer isolate the issue? I am not sure if that could be something like high CPU or a memory spike?
Would clear connection and clear xlate help?
Is it a service-affecting event?
Is there any other test or troubleshooting you would suggest for an intermittent drop like this?

Thank you
Shraddha

Hi, Rene
Any update on my post above? I am trying to isolate an issue where the customer server is sending calls to the SQL server at the home office and gets an error message on the server side at the customer end that the connection has failed and the call has not completed. 3 calls out of 1000 do that; however, it is important to isolate this issue.

Hi Shraddha,

Are you still having issues?

Something you might want to check is if you have SQL inspection enabled on your ASA. I’ve had issues with this before with Oracle database servers. This is something you could see in ASDM packet tracer. In my case I noticed some unusual TCP sessions that were reset immediately.

Rene

Hi Rene
Thank you for the update. I missed this question you posted. Sorry for the delay in reply.
Issue got resolved.

Thank you
Shraddha

Hi Rene,

I am using GNS3 ASAv for the above lab. The configuration is perfectly fine; however, the VPN would not come up. There is a warning message I see on GNS3 as below. Not sure if that is the reason or something else. Can you assist?

Warning: ASAv platform license state is Unlicensed.
Install ASAv platform license for full functionality.

Hi Shraddha,

You can ignore this message, it shows up all the time on my ASAv devices that I run in Cisco VIRL.

Have you tried packet-tracer yet to see if it gives you any information why the VPN is not working?

Hi Rene
In this topology, must the peering IPs of IPsec be in the same network?

Hello Heng

No, the peering addresses don’t have to be the same. The only prerequisite is that the outside IP addresses of the Internet facing interfaces should be able to have network connectivity between them.

I hope this has been helpful!

Laz

After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
My tunnel dropped and stopped working.

Version:

HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1

Object-group:

HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
network-object 10.158.0.0 255.255.252.0
network-object 172.16.20.0 255.255.252.0
network-object 192.168.16.0 255.255.255.0
object-group network HomeNetworks
description Home LAN and WLAN
network-object 10.10.250.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

Access-list:

HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_3

Crypto map:

HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 199.227.242.218
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside

Hi Adrian,

What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:

I use this on my dynamic peer:

crypto isakmp identity key-id ASA1_ASA2

Which matches the tunnel-group on the static IP peer:

tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
ikev1 pre-shared-key ASA1_ASA2_KEY

Hope this helps!

Rene

Hello,
I am trying to do the lab, but I get this on ASA2 and ASA3 from debug:

[IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Mar 06 12:44:34 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Mar 06 12:44:34 [IKEv1]Warning: Ignoring IKE SA (dst) without VM bit set


IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.

I see that phase 1 inits,
using vASA v9.9(2) on GNS,
Config is the SAME as in the lab, also the IPs.
Please help…
Regards,
Maciek

Hello Maciej

If you are getting the “There is no valid IKE proposal available, check IPSec SA configuration!” message then this means that there is a mismatch in the configuration of the peers. Verify that your config does indeed match on both ends.

I hope this has been helpful!

Laz

Hello,
That’s all I know, the configuration is like in the task, and the error remains…
Maybe I will have a chance to do it on real devices; on vASA, that is the one that does not work in my exercises :smile:
Regards,
Maciek

Hello Maciej

Hmm, that’s strange. There’s always the chance that GNS3 is to blame, as it does occasionally cause errors where there should be none :stuck_out_tongue:. I hope you get the chance to try it out on real devices at some point.

Laz

Hello,

There are two errors in the configuration:
One of them is the access-list, as shown below:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA2(config)# access-list **LAN1_LAN2** extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA2 access-list name should be LAN2_LAN1.

The second mistake is shown below:

ASA2(config)# tunnel-group **10.10.10.2** type ipsec-l2l
ASA2(config)# tunnel-group **10.10.10.2** ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The ip address should be 10.10.10.1, as it is shown in lesson 1 regarding ipsec VPN.

Once I fixed these mistakes, my configuration started working.

Hello Sinasi,

You are correct, I just fixed these typos. Thanks for letting me know!

Rene
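Two of the mistakes discussed in this thread (a crypto ACL that is not the mirror image of the other side's, and a key-id or tunnel-group name that does not line up between the dynamic and static peer) are easy to catch by reading both configs side by side. The script below is an added example, not part of the lesson or the forum posts, and works on constructed config snippets; it assumes the plain `network mask` form of access-list entries rather than object-groups.

```python
import re
# Constructed sample configs (not the lesson's), trimmed to the lines the checks read.
STATIC_PEER = """
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map MY_MAP 10 match address LAN1_LAN2
tunnel-group ASA1_ASA2 type ipsec-l2l
"""
DYNAMIC_PEER = """
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map MY_MAP 10 match address LAN2_LAN1
crypto isakmp identity key-id ASA1_ASA2
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$", re.M)
KEYID_RE = re.compile(r"^crypto isakmp identity key-id (\S+)$", re.M)

def crypto_acl_entries(cfg):
    """(src, smask, dst, dmask) of every ACE in an ACL that a crypto map references."""
    names = set(MAP_RE.findall(cfg))
    return {m[1:] for m in ACE_RE.findall(cfg) if m[0] in names}

def missing_crypto_acls(cfg):
    """ACL names a crypto map references but no access-list line defines (the naming slip above)."""
    defined = {m[0] for m in ACE_RE.findall(cfg)}
    return sorted(set(MAP_RE.findall(cfg)) - defined)

def check_peers(static_cfg, dynamic_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for side, cfg in (("static", static_cfg), ("dynamic", dynamic_cfg)):
        findings += [f"{side} peer: crypto map references undefined ACL {n}" for n in missing_crypto_acls(cfg)]
    static_acl, dynamic_acl = crypto_acl_entries(static_cfg), crypto_acl_entries(dynamic_cfg)
    # Every crypto ACE needs its mirror (src/dst swapped) on the other peer, or the proxy IDs will not agree.
    for src, sm, dst, dm in static_acl:
        if (dst, dm, src, sm) not in dynamic_acl:
            findings.append(f"dynamic peer lacks mirror of {src}/{sm} -> {dst}/{dm}")
    for src, sm, dst, dm in dynamic_acl:
        if (dst, dm, src, sm) not in static_acl:
            findings.append(f"static peer lacks mirror of {src}/{sm} -> {dst}/{dm}")
    # The dynamic peer's key-id must name an ipsec-l2l tunnel-group on the static peer (that is how it finds the PSK).
    key_ids = KEYID_RE.findall(dynamic_cfg)
    groups = set(TG_RE.findall(static_cfg))
    if not key_ids:
        findings.append("dynamic peer has no 'crypto isakmp identity key-id'")
    elif key_ids[0] not in groups:
        findings.append(f"static peer has no ipsec-l2l tunnel-group named {key_ids[0]}")
    return findings
```

Run `check_peers(STATIC_PEER, DYNAMIC_PEER)` on the two snippets and it returns an empty list; rename the dynamic peer's ACL to `LAN1_LAN2` as in the post above and it reports both the undefined ACL and the missing mirror entry.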