ASA/PIX 8.02-2
Troubleshooting
Common Issues/Errors
show crypto isakmp sa (PIX / ASA and IOS routers)
show crypto ipsec sa (PIX / ASA and IOS routers)
From the output of these show commands we can determine whether the SAs are in the right state, whether ISAKMP completed successfully, and whether IPSec traffic is now being encrypted and decrypted between the two IPSec endpoints.
Interoperability Troubleshooting
Figure: VPN Client - Internet - VPN Gateway (IPSec through NAT)
IPSec pass-through: ISAKMP cookie and ESP SPI are used to build the translation table
ASA(config)# fixup protocol esp-ike
IPSec NAT Transparency (NAT-T): UDP 500, UDP 4500
ASA(config)# isakmp nat-traversal <natkeepalive>
IPSec over TCP: TCP 10000
ASA(config)# isakmp ipsec-over-tcp port 10000
Figure: IPSec encapsulation overhead.
a. Original Packet: IP Hdr 1 | TCP hdr | Data
b. IPSec Transport Mode (36 bytes added): IP hdr 1 | ESP hdr | TCP hdr | Data
c. IPSec Tunnel Mode (20+36=56 bytes added): IP hdr 2 | ESP hdr | IP Hdr 1 | TCP hdr | Data
2006-7 Cisco Systems, Inc. All rights reserved.
Figure: Path MTU discovery through the IPSec tunnel. Path MTU 1500, media MTU 1500. The host sends a 1500-byte packet with DF=1; the IPSec gateway answers with ICMP Type 3 Code 4 advertising 1444, and the host resends at 1444 with DF=1:
ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2 (debug ip icmp output)
A router in the path then reports that the encrypted packet exceeds its MTU, so the gateway adjusts the path MTU on the corresponding IPSec SA:
ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11
path mtu 1400, media mtu 1500
current outbound spi: EB84DC85
The host is now told 1344 and resends at 1344 with DF=1 (path MTU 1400, media MTU 1500).
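The MTU arithmetic behind the figure above, as an added example that is not part of the original slides: it replays the host/gateway exchange using the per-mode overheads from the packet-layout slide (20+36 = 56 bytes for ESP tunnel mode) and shows how the advertised next-hop MTU drops from 1444 to 1344 once the SA's path MTU has been adjusted to 1400. The overhead constants and the 1400-byte downstream link are taken from the slides and are approximate; real ESP overhead depends on cipher, IV length and padding.

```python
# Added example (not from the original slides): PMTU discovery through an
# ESP tunnel-mode gateway, reproducing the sizes in the figure above.
# Overheads are the slide's figures and are approximate: real ESP overhead
# depends on cipher block size, IV length and padding.
OUTER_IP_HDR = 20          # outer IPv4 header added in tunnel mode
ESP_OVERHEAD = 36          # ESP header + trailer + ICV, per the slide
TUNNEL_OVERHEAD = OUTER_IP_HDR + ESP_OVERHEAD   # 20 + 36 = 56 bytes


class IpsecSa:
    """Outbound IPsec SA; tracks the path MTU learned from downstream ICMP."""

    def __init__(self, media_mtu: int, downstream_link_mtu: int):
        self.media_mtu = media_mtu              # gateway's egress interface MTU
        self.path_mtu = media_mtu               # starts equal to the media MTU
        self.downstream = downstream_link_mtu   # smallest hop towards the peer (constructed)

    def send(self, cleartext_len: int, df: bool):
        """Encapsulate one packet; return (event, mtu_value)."""
        encap = cleartext_len + TUNNEL_OVERHEAD
        if encap > self.path_mtu and df:
            # Too big for the SA's known path MTU: ICMP type 3 code 4 to the
            # host, advertising the largest cleartext size that still fits.
            return "icmp_to_host", self.path_mtu - TUNNEL_OVERHEAD
        if encap > self.downstream:
            # The encrypted packet exceeded a downstream link: that router
            # sends ICMP to the gateway, which adjusts the SA's path MTU.
            self.path_mtu = self.downstream
            return "icmp_from_path", self.downstream
        return "forwarded", encap


def pmtud_trace(host_pkt: int, media_mtu: int, downstream_mtu: int):
    """Replay the host/gateway exchange until a DF packet gets through."""
    sa = IpsecSa(media_mtu, downstream_mtu)
    trace, size = [], host_pkt
    while True:
        event, value = sa.send(size, df=True)
        trace.append((size, event, value))
        if event == "forwarded":
            return trace, sa.path_mtu
        if event == "icmp_to_host":
            size = value      # host retransmits at the advertised next-hop MTU
        # icmp_from_path: host retransmits the same size after its timeout


if __name__ == "__main__":
    for size, event, value in pmtud_trace(1500, 1500, 1400)[0]:
        print(f"{size:5d} -> {event:15s} {value}")
```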
!!!!......
Figure: each IPSec peer keeps an SA table (SPI, Peer, Local_id, Remote_id, Transform). An ESP packet arriving with SPI=0xB1D1EA3F that matches no entry on the receiving peer is logged as:
00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)
crypto isakmp keepalive <# of sec. between keepalive> <# of sec. between retries if keepalive fails>
IPSec
I sent decrypted packets, and got nothing from the local host
Interoperability Tips
Start with configuring the two ends side by side with exact matching policies.
Phase I Parameters:
- IKE authentication method
- Hash algorithm
- DH group
- Encryption algorithm
- ISAKMP SA lifetime
- Matching pre-shared secret
Phase II Parameters:
- IPSec mode (tunnel or transport)
- Encryption algorithm
- Authentication algorithm
- PFS group
- IPSec SA lifetime
- Interesting traffic definition
Turn off vendor specific features: Mode config, Xauth, IKE keepalive
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
Access-list mismatch
If the access-lists on the peer IPSec devices do not match, that is, if they are not mirror images of each other, then the following errors will occur:
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
It is also important to note that the word any should not be used in the access-list.
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
Q&A