This topic is to discuss the following lesson:
Config remote tunnel with Dynamic IP to Datacenter static IP (ASA 5520)
Hi Rene!
Are you using GNS3? Because I have some trouble getting the config saved. After I reopen it, it doesn't stay.
I use Cisco VIRL for pretty much all labs nowadays, including the ASA labs.
That's great Rene. Thx
How are you? I have a similar topology at work, and the issue we see is that the remote end SQL db servers make calls to collect logs from the home office SQL db server and sometimes it drops. End-to-end host connectivity is there, IPSEC is all up, and the VPN is up too. I even see NetFlow via the LiveAction network analyzer tool.
From the home office ASA 5505, I have logged out/in the site-to-site VPN session, which re-establishes within 30 sec. Would ASDM packet tracer isolate the issue? I am not sure if that could be something high on CPU or memory causing a spike?
Would clear connection and clear xlate help?
Is it a service-affecting event?
Is there any other test or troubleshooting you would suggest on an intermittent drop like this?
Any update on my post above? I am trying to isolate the issue: the customer server is sending calls to the SQL server at the home office and gets an error message on the server side at the customer end that the connection has failed and the call has not completed. 3 calls out of 1000 do that; however, it is important to isolate this issue.
Are you still having issues?
Something you might want to check is if you have SQL inspection enabled on your ASA. I've had issues with this before with Oracle database servers. This is something you could see in ASDM packet tracer. In my case I noticed some unusual TCP sessions that were reset immediately.
Thank you for the update. I missed this question you posted. Sorry for the delay in replying.
Issue got resolved.
I am using GNS3 ASAv for the above lab. The configuration is perfectly fine; however, the VPN would not come up. There is a warning message I see on GNS3 as below. Not sure if that is the reason or something else. Can you assist?
Warning: ASAv platform license state is Unlicensed. Install ASAv platform license for full functionality.
You can ignore this message, it shows up all the time on my ASAv devices that I run in Cisco VIRL.
Have you tried packet-tracer yet to see if it gives you any information why the VPN is not working?
In this topology, must the peering IPs of IPsec be in the same network?
No, the peering addresses don’t have to be the same. The only prerequisite is that the outside IP addresses of the Internet facing interfaces should be able to have network connectivity between them.
I hope this has been helpful!
After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
My tunnel dropped and stopped working.
HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1
HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
 network-object 10.158.0.0 255.255.252.0
 network-object 172.16.20.0 255.255.252.0
 network-object 192.168.16.0 255.255.255.0
object-group network HomeNetworks
 description Home LAN and WLAN
 network-object 10.10.250.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_3
HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 184.108.40.206
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:
I use this on my dynamic peer:
crypto isakmp identity key-id ASA1_ASA2
Which matches the tunnel-group on the static IP peer:
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
Hope this helps!
I am trying to do the lab, but I get this on ASA2 and ASA3 from debug:
[IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Mar 06 12:44:34 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Mar 06 12:44:34 [IKEv1]Warning: Ignoring IKE SA (dst) without VM bit set
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.
I see that phase 1 initiates,
using vASA v9.9(2) on GNS,
Config is the SAME as in the lab, also the IPs.
If you are getting the “There is no valid IKE proposal available, check IPSec SA configuration!” message then this means that there is a mismatch in the configuration of the peers. Verify that your config does indeed match on both ends.
I hope this has been helpful!
That’s all I know, the configuration is like in the task, and the error remains…
Maybe I will have a chance to do it on real devices; on vASA, that is the one that does not work in my exercises.
Hmm, that's strange. There's always the chance that GNS3 is to blame, as it does occasionally cause errors where there should be none. I hope you get the chance to try it out on real devices at some point.
There are two errors in the configuration:
One of them is the access-list, as shown below:
ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA2(config)# access-list LAN1_LAN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The ASA2 access-list name should be LAN2_LAN1.
The second mistake is shown below:
ASA2(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY
The IP address should be 10.10.10.1, as shown in lesson 1 regarding IPsec VPN.
Once I fixed these mistakes, my configuration started working.
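As an added example (not from the lesson or from any poster in this thread), here is a small Python checker for the two cross-peer mistakes discussed above: a crypto ACL that is not the mirror image of the far side's, and a tunnel-group whose name does not equal the identity the far side presents (its outside address, or the key-id it sets with crypto isakmp identity key-id, as in the dynamic-peer post earlier). The config snippets are constructed for the example; parse_asa, check_pair and the outside addresses passed in are assumptions, not anything from the lesson.

```python
import re

def parse_asa(cfg):
    """Pull the pieces of an ASA site-to-site config that the consistency check needs."""
    p = {"acls": {}, "crypto_acls": set(), "peers": set(), "tgs": set(), "keyid": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$", line):
            p["acls"].setdefault(m[1], set()).add((m[2], m[3]))      # (src net/mask, dst net/mask)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            p["crypto_acls"].add(m[1])                                # ACLs actually used for the tunnel
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            p["peers"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            p["tgs"].add(m[1])
        elif m := re.match(r"crypto isakmp identity key-id (\S+)", line):
            p["keyid"] = m[1]                                         # identity sent by a dynamic-IP peer
    return p

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Return the mismatches between two L2L peers; an empty list means they agree."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    flows = lambda p: {e for n in p["crypto_acls"] for e in p["acls"].get(n, ())}
    findings = []
    # 1. each side's crypto ACL must be the mirror image (src/dst swapped) of the other's
    if {(d, s) for s, d in flows(a)} != flows(b):
        findings.append("crypto ACLs are not mirror images of each other")
    for me, other, other_addr, tag in ((a, b, addr_b, "A"), (b, a, addr_a, "B")):
        # 2. 'set peer' must name the far side; the static side of a dynamic-peer tunnel has none
        if me["peers"] and other_addr not in me["peers"]:
            findings.append(f"{tag}: set peer {sorted(me['peers'])} != {other_addr}")
        # 3. the tunnel-group must be the identity the far side presents: its key-id, else its address
        expected = other["keyid"] or other_addr
        if expected not in me["tgs"]:
            findings.append(f"{tag}: tunnel-group {expected} missing (have {sorted(me['tgs'])})")
    return findings

# Constructed sample: ASA2 names its own address (10.10.10.2) instead of ASA1's (10.10.10.1).
ASA1 = """access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map MY_MAP 10 match address LAN1_LAN2
crypto map MY_MAP 10 set peer 10.10.10.2
tunnel-group 10.10.10.2 type ipsec-l2l
"""
ASA2_BAD = """access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map MY_MAP 10 match address LAN2_LAN1
crypto map MY_MAP 10 set peer 10.10.10.1
tunnel-group 10.10.10.2 type ipsec-l2l
"""
ASA2_GOOD = ASA2_BAD.replace("tunnel-group 10.10.10.2", "tunnel-group 10.10.10.1")
```

Calling check_pair(ASA1, "10.10.10.1", ASA2_BAD, "10.10.10.2") reports the missing tunnel-group 10.10.10.1 on side B, while the corrected ASA2_GOOD returns an empty list.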