Hi Teu,
This is a common problem with PIX 6.X.
IPSEC(sa_initiate): ACL = deny; no sa created
The resolution is to remove the crypto map from the PIX interface and reapply. That should do it.
no crypto map Tempe interface outside
crypto map Tempe interface outside
Regards,
-Kanishka
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Teu Kim Loon
Sent: Thursday, July 23, 2009 12:00 PM
To: Craig Miller
Cc: Alberto Rivai; Cisco certification; ccielab_at_groupstudy.com
Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
I do have crypto maps with the same name. I truncated the config output. I have to use the same name because the crypto map is tied to one interface.
I don't see a way to tie different crypto maps to the same interface.
I didn't use ASDM to configure the ASA.
I have reconfigured the crypto ACLs to make them mirrors of each other. Still no luck.
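The thread below keeps coming back to one check: the crypto ACL on the PIX must be the exact mirror of the ACL on the ASA. Eyeballing 14 PIX entries against two ASA object-groups is error-prone, so here is an added example (my code, not anything posted in the thread) that expands both sides into (src, dst) network pairs and reports every pair without a reversed twin on the peer. It assumes only `permit ip` entries (PIX `access-list NAME permit ip SRC MASK DST MASK` and ASA `object-group network` plus `access-list NAME extended permit ip object-group A object-group B`); the sample configs are constructed from the ones posted further down, and the "broken" PIX variant is an invented defect to show what a detected gap looks like.

```python
# Added example, not from the thread: mirror-check two Cisco crypto ACLs.
# Expands PIX 6.x and ASA 8.x crypto ACL entries into (src, dst) network
# pairs and reports pairs that have no reversed (dst, src) twin on the peer.
import ipaddress
import re


def _net(addr, mask="255.255.255.255"):
    # ipaddress accepts a dotted mask after the slash, e.g. 10.0.0.0/255.0.0.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_object_groups(config):
    """Map ASA object-group name -> list of member networks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"network-object host (\S+)$", line)
        if m and current is not None:
            current.append(_net(m.group(1)))
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current is not None:
            current.append(_net(m.group(1), m.group(2)))
            continue
        current = None  # any other line ends the object-group block
    return groups


def _operand(toks, groups):
    """Consume one address operand; return (networks, remaining tokens)."""
    if toks[0] == "object-group":
        return list(groups[toks[1]]), toks[2:]
    if toks[0] == "host":
        return [_net(toks[1])], toks[2:]
    if toks[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], toks[1:]
    return [_net(toks[0], toks[1])], toks[2:]


def parse_crypto_acl(config, acl_name):
    """Return the set of (src, dst) pairs permitted by ACL acl_name."""
    groups = parse_object_groups(config)
    pairs = set()
    for raw in config.splitlines():
        toks = raw.split()
        if toks[:2] != ["access-list", acl_name]:
            continue
        toks = toks[2:]
        if toks and toks[0] == "extended":  # ASA keyword, absent on PIX 6.x
            toks = toks[1:]
        if toks[:2] != ["permit", "ip"]:
            continue  # deny entries and non-ip protocols are out of scope here
        srcs, toks = _operand(toks[2:], groups)
        dsts, _ = _operand(toks, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_gaps(side_a, side_b):
    """Pairs of A with no reversed twin in B, and vice versa; both empty == mirrored."""
    only_a = side_a - {(d, s) for s, d in side_b}
    only_b = side_b - {(d, s) for s, d in side_a}
    return only_a, only_b


# Constructed from the ASA side of the thread (object-groups and crypto ACL only).
ASA_CONFIG = """
object-group network BRAZIL_REMOTE
 network-object 192.168.95.128 255.255.255.128
 network-object 192.168.96.0 255.255.254.0
object-group network BRAZIL_LOCAL
 network-object host 144.72.247.54
 network-object 172.26.39.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.122.0 255.255.255.0
 network-object 192.168.124.0 255.255.255.0
 network-object 172.26.72.0 255.255.254.0
 network-object 172.17.248.0 255.255.248.0
access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
"""

# Constructed from the PIX side of the thread: the same 14 entries, generated.
_PIX_LOCAL = ["192.168.95.128 255.255.255.128", "192.168.96.0 255.255.254.0"]
_PIX_REMOTE = ["192.168.120.0 255.255.255.0", "172.26.39.0 255.255.255.0",
               "192.168.122.0 255.255.255.0", "192.168.124.0 255.255.255.0",
               "172.26.72.0 255.255.254.0", "host 144.72.247.54",
               "172.17.248.0 255.255.248.0"]
PIX_CONFIG = "\n".join(f"access-list dallas1_vpn permit ip {l} {r}"
                       for r in _PIX_REMOTE for l in _PIX_LOCAL)

# Invented defect: one entry typed with a /24 mask where the ASA side has /23.
PIX_CONFIG_BROKEN = PIX_CONFIG.replace(
    "192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0",
    "192.168.96.0 255.255.254.0 172.26.72.0 255.255.255.0")


def check(asa_cfg, pix_cfg):
    """Return (only_on_asa, only_on_pix); both empty means the ACLs mirror."""
    return mirror_gaps(parse_crypto_acl(asa_cfg, "L2L_BRAZIL"),
                       parse_crypto_acl(pix_cfg, "dallas1_vpn"))


if __name__ == "__main__":
    for label, cfg in (("posted", PIX_CONFIG), ("broken", PIX_CONFIG_BROKEN)):
        only_asa, only_pix = check(ASA_CONFIG, cfg)
        print(f"{label}: {len(only_asa)} unmatched on ASA, {len(only_pix)} on PIX")
        for s, d in sorted(only_asa) + sorted(only_pix):
            print(f"  no mirror for {s} -> {d}")
```

The comparison is deliberately strict: a /24 on one side against a /23 on the other is reported as a gap rather than treated as "covered", because the proxy IDs negotiated in quick mode come from the ACE that matched, not from any superset you happen to have elsewhere. If the checker says the ACLs already mirror, as they do for the configs posted below, the ACL is not the problem and the remove/reapply of the crypto map suggested above is the next thing to try.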
On Thu, Jul 23, 2009 at 10:55 AM, Craig Miller <ripperthejack2001_at_yahoo.com> wrote:
>
> That bug doesn't apply, you don't have multiple crypto maps with the
> same name, unless you truncated the output of your show run.
>
> The previous poster was right, look at your protected networks, they
> don't match on both sides, also, if you have a dynamic cryptomap (which
> I don't see but could be truncated off the list), the dynamic map needs
> to be placed at the bottom of the list, or it could cause SA issues as well.
>
> Other things to check, NAT-T, verify ISAKMP is enabled properly etc. I
> have seen the ASA ASDM leave off the ISAKMP configuration before.
>
> But I think your mis-matched ACL / protected networks is your problem.
>
> Craig
>
> --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
>
> > From: Teu Kim Loon <kim.teu_at_gmail.com>
> > Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > To: "Alberto Rivai" <bartoqid_at_yahoo.com>
> > Cc: "Cisco certification" <security_at_groupstudy.com>, ccielab_at_groupstudy.com
> > Date: Thursday, July 23, 2009, 9:21 AM
> >
> > Below is the error I see when trying to initiate connections from behind the PIX. On the ASA side, I
> > didn't see any error or traffic.
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> >
> > I found this bug. Is this applicable to PIX?
> > "Configuring two crypto map entries using the same name but
> > different priorities, different peers, different access lists,
> > causes the second crypto map entry to be ineffective and no
> > corresponding security associations are established. [...] The
> > workaround is to avoid configuring two crypto map entries with the
> > same name but different priority, different peers, and different
> > access lists [...] (CSCea25305)"
> >
> >
> >
> > <<<<ASA Config>>>>
> >
> > object-group network BRAZIL_REMOTE
> >  network-object 192.168.95.128 255.255.255.128
> >  network-object 192.168.96.0 255.255.254.0
> > object-group network BRAZIL_LOCAL
> >  network-object host 144.72.247.54
> >  network-object 172.26.39.0 255.255.255.0
> >  network-object 192.168.120.0 255.255.255.0
> >  network-object 192.168.122.0 255.255.255.0
> >  network-object 192.168.124.0 255.255.255.0
> >  network-object 172.26.72.0 255.255.254.0
> >  network-object 172.17.248.0 255.255.248.0
> >
> > access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
> >
> > crypto ipsec transform-set L2L_GM_BRAZIL esp-des esp-md5-hmac
> >
> > group-policy 1.1.1.1 internal
> > group-policy 1.1.1.1 attributes
> >  vpn-tunnel-protocol ipsec
> >  vpn-filter none
> >  vpn-idle-timeout none
> >  webvpn
> >   functions none
> >
> > tunnel-group 1.1.1.1 type ipsec-l2l
> > tunnel-group 1.1.1.1 general-attributes
> >  default-group-policy 1.1.1.1
> >  accounting-server-group default_ar
> > tunnel-group 1.1.1.1 ipsec-attributes
> >  pre-shared-key XXXXXXX
> >  no chain
> >  no trust-point
> >  isakmp keepalive disable
> >  peer-id-validate req
> >
> > crypto map static-map 5 match address L2L_BRAZIL
> > crypto map static-map 5 set peer 1.1.1.1
> > crypto map static-map 5 set transform-set L2L_BRAZIL
> > crypto map static-map 5 set security-association lifetime seconds 86400
> > crypto map static-map 5 set security-association lifetime kilobytes 4608000
> > crypto map static-map 5 set nat-t-disable
> > crypto map static-map 5 set phase1-mode aggressive
> > crypto map static-map 5 set connection-type bi-directional
> >
> > crypto map static-map interface outside
> > crypto isakmp enable outside
> >
> > <<<<PIX Config>>>>
> >
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
> >
> > nat (inside) 0 access-list inside_nonat
> > access-list inside_nonat permit ip any 192.168.122.0 255.255.255.0
> > access-list inside_nonat permit ip any 192.168.124.0 255.255.255.0
> > ....
> >
> > crypto map Tempe interface outside
> > isakmp enable outside
> > isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
> >
> > crypto map Tempe 20 ipsec-isakmp
> > crypto map Tempe 20 match address dallas1_vpn
> > crypto map Tempe 20 set peer 2.2.2.2
> > crypto map Tempe 20 set transform-set Tempe
> > crypto map Tempe 20 set security-association lifetime seconds 86400 kilobytes 4602000
> >
> >
> >
> > On Thu, Jul 23, 2009 at 7:49 AM, Alberto Rivai <bartoqid_at_yahoo.com> wrote:
> >
> > > Usually it's because of a wrong access-list to match the encrypted traffic, a
> > > common mistake.
> > >
> > > --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
> > >
> > > From: Teu Kim Loon <kim.teu_at_gmail.com>
> > > Subject: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > > To: "Cisco certification" <security_at_groupstudy.com>, ccielab_at_groupstudy.com
> > > Date: Thursday, July 23, 2009, 10:14 AM
> > >
> > > Hello Experts,
> > > IPSec VPN between ASA 8.0 and PIX 6.3. I verified identical IKE and IPSec
> > > configuration on both ends. However, I am only able to initiate the connection
> > > from the ASA.
> > >
> > > Any idea why?
> > >
> > > Thanks.
> > > Kim
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> > --
> > May All Be Happy!!!
> > Kim Loon Teu
> > CCIE 19369
> > www.kimteu.com
> > http://www.linkedin.com/in/kimteu
> >
> > All conditioned phenomena
> > Are like a dream, an illusion, a bubble, a shadow
> > Like the dew, or like lightning
> > You should discern them like this
> >
--
May All Be Happy!!!
Kim Loon Teu
CCIE 19369
www.kimteu.com
http://www.linkedin.com/in/kimteu

All conditioned phenomena
Are like a dream, an illusion, a bubble, a shadow
Like the dew, or like lightning
You should discern them like this

Blogs and organic groups at http://www.ccie.net

Received on Tue Aug 04 2009 - 22:11:40 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART