Thursday, July 24, 2014

Dual Site to Site VPN @ Both Ends - Cisco ASA
====================================

This post shows how to configure a dual site-to-site IPSec VPN on Cisco ASA when both sites have 2 WAN links. The defined priority 1 tunnel is always up and carries the traffic; if the ISP1 link fails, the secondary tunnel comes up and takes the traffic.

  • Router-SW is used as an end client PC here to initiate and check the traffic between both sites.
  • ASA FW is used as the VPN box for L2L/S2S tunnel termination.
  • ISP1/ISP2 can be considered as Primary and Backup ISP here.

Fig 1.0 - Design Dual VPN








Site A Router
==========
interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.1.10 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

The router carries only a basic configuration, enough to make sure that it is reachable and can route the traffic.

Site A FW:
=========
ASA1# sh runn
: Saved
:
ASA Version 8.4(2)
!
hostname ASA1
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside2
 security-level 0
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list new extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list new extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list test extended permit icmp any any echo-reply
access-list test extended permit icmp any any unreachable
access-list test extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.2 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.2 172.16.2.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside2
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:277baec4046859ee4b5bdc2ee0dbe7d3
: end
ASA1#


Site B Router:
===========

interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.2.10 255.255.255.0
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 192.168.2.1
!

Site B FW
========
ASA2# sh runn
: Saved
:
ASA Version 8.4(2)
!
hostname ASA2
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside2
 security-level 0
 ip address 172.16.2.2 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_192.168.2.0
 subnet 192.168.2.0 255.255.255.0
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list new extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.1 172.16.2.1
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:846f7f2f8c1b7f38b8b05f9e98d10030
: end
ASA2#

IP SLA Configurations:
=================
ASA1# sh runn sla monitor
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.2 interface outside
 timeout 3
 frequency 5
sla monitor schedule 10 life forever start-time now
ASA1# sh runn route
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.2 254
ASA1# sh runn track 1
track 1 rtr 10 reachability
ASA1#

##################################################################
ASA2# sh run sla monitor
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.1 interface outside
 timeout 3
 frequency 5
sla monitor schedule 10 life forever start-time now
ASA2# sh runn route
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.1 254
ASA2# sh runn trac
ASA2# sh runn track 1
track 1 rtr 10 reachability
ASA2#
##################################################################
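
The failover above only works if the peer list, tunnel-groups, interface bindings and tracked route all agree, so the following added example (not part of the original post) audits an excerpt of the ASA1 configuration for those pieces and for the weak crypto and management settings the lab config uses. The function and variable names are assumptions made for this example; the config lines are taken from this page.

```python
import re

# Excerpt of the ASA1 running-config shown on this page (before the IP SLA
# section adds "track 1" to the primary route).
ASA1_BASE = """\
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.2 254
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 set peer 172.16.1.2 172.16.2.2
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.2.2 type ipsec-l2l
"""

# The same excerpt with the IP SLA section's tracked route and monitor applied.
ASA1_WITH_SLA = ASA1_BASE.replace(
    "route outside 0.0.0.0 0.0.0.0 172.16.1.2 1\n",
    "route outside 0.0.0.0 0.0.0.0 172.16.1.2 1 track 1\n") + """\
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.2 interface outside
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
"""

# Settings from the page's config that are weak by current standards.
HARDENING = [
    (r"\s*encryption des$", "IKE policy encrypts with DES (56-bit key)"),
    (r"\s*hash md5$", "IKE policy hashes with MD5"),
    (r"\s*group 2$", "IKE policy uses DH group 2 (1024-bit MODP)"),
    (r"crypto ipsec ikev1 transform-set (\S+) .*\besp-des\b",
     "transform-set {} encrypts with DES"),
    (r"crypto ipsec ikev1 transform-set (\S+) .*\besp-md5-hmac\b",
     "transform-set {} authenticates with HMAC-MD5"),
    (r"telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)$",
     "Telnet (cleartext) allowed from any address on {}"),
]


def audit(config):
    """Return sorted (category, message) findings for one ASA running-config."""
    lines = [l.rstrip() for l in config.splitlines()]
    found = set()

    def grab(pattern):
        return [m.groups() for l in lines if (m := re.match(pattern, l))]

    # Every peer in the crypto map needs its own L2L tunnel-group (and PSK).
    peers = [p for (plist,) in grab(r"crypto map \S+ \d+ set peer (.+)$")
             for p in plist.split()]
    tunnel_groups = {g for (g,) in grab(r"tunnel-group (\S+) type ipsec-l2l$")}
    if len(peers) < 2:
        found.add(("failover", "crypto map has no backup peer"))
    for p in peers:
        if p not in tunnel_groups:
            found.add(("failover", f"peer {p} has no ipsec-l2l tunnel-group"))

    # IKEv1 must be enabled on each interface the crypto map is bound to.
    ike_ifs = {i for (i,) in grab(r"crypto ikev1 enable (\S+)$")}
    for (i,) in grab(r"crypto map \S+ interface (\S+)$"):
        if i not in ike_ifs:
            found.add(("failover", f"crypto map on {i} but IKEv1 not enabled"))

    # The preferred default route must be tied to a scheduled SLA monitor.
    routes = grab(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$")
    if len(routes) < 2:
        found.add(("failover", "no backup default route"))
    if routes:
        ifname, _, track = min(routes, key=lambda r: int(r[1]))
        sla = dict(grab(r"track (\d+) rtr (\d+) reachability$")).get(track)
        scheduled = {s for (s,) in grab(r"sla monitor schedule (\d+) ")}
        if track is None:
            found.add(("failover", f"primary default route via {ifname} is not tracked"))
        elif sla is None:
            found.add(("failover", f"track {track} is not defined"))
        elif sla not in scheduled:
            found.add(("failover", f"sla monitor {sla} is not scheduled"))

    for pattern, message in HARDENING:
        for captured in grab(pattern):
            found.add(("hardening", message.format(*captured)))
    return sorted(found)


if __name__ == "__main__":
    for label, cfg in (("base config", ASA1_BASE), ("with IP SLA", ASA1_WITH_SLA)):
        print(label)
        for category, message in audit(cfg):
            print(f"  [{category}] {message}")
```

Run against the base excerpt it reports the untracked primary route; with the IP SLA lines applied only the hardening findings remain.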

Testing Results:
**************

In a normal scenario, LAN-initiated traffic passes through Tunnel 1/ISP1 by default.

ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.2  ===> Primary Peer Phase 1 Up
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#
=========================================================================
ASA2# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.1 ==> Primary Peer Phase 1 Up
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA2#

R1-SW#ping 192.168.2.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (25/25), round-trip min/avg/max = 48/80/240 ms
R1-SW#
========================================================================
R2-SW#ping 192.168.1.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (25/25), round-trip min/avg/max = 40/72/140 ms
R2-SW#
======================================================================
ASA1# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.1

      access-list new extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
      #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 58, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.1.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6B27F453
      current inbound spi : 5127FCF8

    inbound esp sas:
      spi: 0x5127FCF8 (1361575160)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28479)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x07FFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6B27F453 (1797780563)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28479)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA1#
=========================================================================
ASA2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.2

      access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 172.16.1.1

      #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
      #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 58, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2/0, remote crypto endpt.: 172.16.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5127FCF8
      current inbound spi : 6B27F453

    inbound esp sas:
      spi: 0x6B27F453 (1797780563)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373994/28454)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x07FFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5127FCF8 (1361575160)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373994/28454)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA2#

##################################################################################

Result when ISP1 fails @ Site A:
=========================

R1-SW#ping 192.168.2.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
..................!!!!!!!
Success rate is 28 percent (7/25), round-trip min/avg/max = 48/74/96 ms
R1-SW#

ASA1# debug crypto ikev1 7
ASA1# Jul 24 13:05:44 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:05:52 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, IKE MM Initiator FSM error history (struct &0xbc43c200)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, IKE SA MM:20617c56 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, sending delete/delete with reason message
Jul 24 13:06:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.2.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing ISAKMP SA payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver 02 payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver 03 payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver RFC payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing Fragmentation VID + extended capabilities payload
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing SA payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Oakley proposal is acceptable
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Received NAT-Traversal ver 02 VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Received Fragmentation VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing ke payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing nonce payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing Cisco Unity VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing xauth V6 VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Send IOS VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Discovery payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Discovery payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing ke payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing ISA_KE payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received Cisco Unity client VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received xauth V6 VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing NAT-Discovery payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing NAT-Discovery payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating keys for Initiator...
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing dpd vid payload
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Keep-alive type for this connection: DPD
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Starting P1 rekey timer: 73440 seconds.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, IKE got SPI from key engine: SPI = 0xb383b691
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, oakley constucting quick mode
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing blank hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing IPSec SA payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing IPSec nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing proxy ID
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing qm hash payload
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing SA payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, loading all IPSEC SAs
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating Quick Mode Key!
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=bc159bb8
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating Quick Mode Key!
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=bc159bb8
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, Security negotiation complete for LAN-to-LAN Group (172.16.2.2)  Initiator, Inbound SPI = 0xb383b691, Outbound SPI = 0x13d5e43f
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, oakley constructing final quick mode
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, IKE got a KEY_ADD msg for SA: SPI = 0x13d5e43f
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Pitcher: received KEY_UPDATE, spi 0xb383b691
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Starting P2 rekey timer: 24480 seconds.
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 2 COMPLETED (msgid=05fc17fe)
Jul 24 13:06:22 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=f63b396) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing notify payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0x505739f5)
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x505739f5)
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing blank hash payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing qm hash payload
Jul 24 13:06:22 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=4270e0c1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
=========================================================================
ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.2.2 ==> Secondary Peer Phase 1 Up
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#

Now the tunnel is up through the 2nd ISP link.
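
To pull the failover out of a long debug capture instead of reading it line by line, the following added example (not part of the original post) parses "debug crypto ikev1" output and reports each move of the tunnel from one peer to another. The sample lines are abridged from this page's debug output; the function names and the year 2014 (taken from the post date, since the debug timestamps carry none) are assumptions.

```python
import re
from datetime import datetime

# Abridged from the "debug crypto ikev1 7" output on this page: payload lists
# are shortened, and the capture ends before the fail-back to ISP1 completes.
SAMPLE_DEBUG = """\
ASA1# Jul 24 13:05:44 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0)
Jul 24 13:05:52 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0)
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, IKE SA MM:20617c56 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:06:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.2.2
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 2 COMPLETED (msgid=05fc17fe)
Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, IKE SA MM:0e40d19b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.1.2
"""

LINE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]"
                  r"(?:Group = \S+, )?IP = ([\d.]+), (.*)")

# Substring that identifies each event of interest in the message text.
MARKERS = [("retransmit", "IKE_DECODE RESENDING"),
           ("p1_abandoned", "terminating:"),
           ("p1_start", "IKE Initiator: New Phase 1"),
           ("p1_done", "PHASE 1 COMPLETED"),
           ("p2_done", "PHASE 2 COMPLETED")]


def parse_events(log, year=2014):
    """Return [(datetime, peer_ip, event)] for the IKEv1 lines that matter.

    Debug timestamps carry no year; 2014 (the post's date) is assumed.
    """
    events = []
    for raw in log.splitlines():
        m = LINE.search(raw)      # search(): tolerate a leading "ASA1# " prompt
        if not m:
            continue              # e.g. "Pitcher:" lines name no peer
        stamp, peer, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for name, marker in MARKERS:
            if marker in msg:
                events.append((when, peer, name))
                break
    return events


def failovers(log):
    """List each completed move of the tunnel from one peer to another."""
    events = parse_events(log)
    moves, window_start = [], 0
    for i, (gave_up, old, name) in enumerate(events):
        if name != "p1_abandoned":
            continue
        restored = next(((t, p) for t, p, n in events[i + 1:]
                         if n == "p2_done" and p != old), None)
        if restored is None:
            continue              # capture ends before a new tunnel is up
        resends = [t for t, p, n in events[window_start:i]
                   if n == "retransmit" and p == old]
        first_sign = min(resends, default=gave_up)
        moves.append({
            "from": old, "to": restored[1], "retransmits": len(resends),
            "gave_up": gave_up.strftime("%H:%M:%S"),
            "restored": restored[0].strftime("%H:%M:%S"),
            # Lower bound: the debug may have been started after the link failed.
            "seconds_to_restore": int((restored[0] - first_sign).total_seconds()),
        })
        window_start = i + 1
    return moves


if __name__ == "__main__":
    for move in failovers(SAMPLE_DEBUG):
        print(move)
```

The second "terminating" event in the sample produces no entry because the capture stops before Phase 2 completes on the new peer.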

Scenario where ISP1 comes back:
==========================

ASA1(config-if)# Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, IKE MM Initiator FSM error history (struct &0xbc4ae930)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, IKE SA MM:0e40d19b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, sending delete/delete with reason message

Jul 24 13:10:03 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.1.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing ISAKMP SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver 02 payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver 03 payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver RFC payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing Fragmentation VID + extended capabilities payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Oakley proposal is acceptable
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received NAT-Traversal ver 02 VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Fragmentation VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing ke payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing Cisco Unity VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing xauth V6 VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Send IOS VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing ke payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing ISA_KE payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Cisco Unity client VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received xauth V6 VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Connection landed on tunnel_group 172.16.1.2
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating keys for Initiator...
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Computing hash for ISAKMP
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing dpd vid payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Computing hash for ISAKMP
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Received DPD VID
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Connection landed on tunnel_group 172.16.1.2
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Oakley begin quick mode
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, PHASE 1 COMPLETED
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Keep-alive type for this connection: DPD
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Starting P1 rekey timer: 73440 seconds.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, IKE got SPI from key engine: SPI = 0x036b3e9a
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, oakley constucting quick mode
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing blank hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing IPSec SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing IPSec nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing proxy ID
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing qm hash payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, loading all IPSEC SAs
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating Quick Mode Key!
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=b636eef8
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating Quick Mode Key!
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=b636eef8
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, Security negotiation complete for LAN-to-LAN Group (172.16.1.2)  Initiator, Inbound SPI = 0x036b3e9a, Outbound SPI = 0x1a99532d
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, oakley constructing final quick mode
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x1a99532d
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Pitcher: received KEY_UPDATE, spi 0x36b3e9a
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Starting P2 rekey timer: 24480 seconds.
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, PHASE 2 COMPLETED (msgid=4ae1a6e7)
u all

ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.2 ==> Primary peer came back up again - Phase 1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#
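
As an added example (not part of the original post), the Python below parses IKEv1 debug lines in the format shown above and reports which peer each tunnel completed Phase 2 on, with its SPIs and proxy IDs, plus the seconds spent on the backup peer before failback. The backup peer address 172.16.2.2, its SPIs and timestamps, and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample. The 172.16.1.2 lines are a subset of the debug output
# above; the 172.16.2.2 backup-peer lines, SPIs and times are assumed.
SAMPLE = """\
Jul 24 13:08:41 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, Security negotiation complete for LAN-to-LAN Group (172.16.2.2)  Initiator, Inbound SPI = 0x0a0b0c0d, Outbound SPI = 0x01020304
Jul 24 13:08:41 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 2 COMPLETED (msgid=11111111)
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, Security negotiation complete for LAN-to-LAN Group (172.16.1.2)  Initiator, Inbound SPI = 0x036b3e9a, Outbound SPI = 0x1a99532d
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, PHASE 2 COMPLETED (msgid=4ae1a6e7)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \[IKEv1[^\]]*\](?:Group = [^,]+, )?IP = ([\d.]+), (.*)$")
SPI = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")
SUBNET = re.compile(r"^\s*(Local|Remote) subnet:\s+([\d.]+)\s+[Mm]ask ([\d.]+)")

def parse_tunnels(text, year=2014):
    """Return one dict per 'PHASE 2 COMPLETED' line, in log order."""
    pending, done, last = {}, [], None
    for raw in text.splitlines():
        # Proxy-ID lines carry no peer address; attach them to the last peer seen.
        if (sub := SUBNET.match(raw)) and last in pending:
            pending[last]["proxy"][sub[1].lower()] = str(ipaddress.ip_network(f"{sub[2]}/{sub[3]}"))
        if not (m := LINE.match(raw)):
            continue
        last, msg = m[2], m[3]
        t = pending.setdefault(last, {"peer": last, "proxy": {}})
        if spi := SPI.search(msg):
            t["spi_in"], t["spi_out"] = spi.groups()
        elif "PHASE 2 COMPLETED" in msg:
            # The timestamp has no year, so the caller supplies one.
            t["phase2"] = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            done.append(pending.pop(last))
    return done

def failover_report(tunnels, primary):
    """Label each tunnel; a failback entry carries seconds spent on the backup peer."""
    report, since = [], None
    for t in tunnels:
        if t["peer"] != primary:
            since, kind, secs = since or t["phase2"], "failover", 0.0
        elif since:
            kind, secs, since = "failback", (t["phase2"] - since).total_seconds(), None
        else:
            kind, secs = "primary-up", 0.0
        report.append((kind, t["peer"], secs))
    return report
```

The proxy IDs it reports should match the crypto ACL `new` (192.168.1.0/24 to 192.168.2.0/24); a mismatch there is a common reason Phase 2 fails.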


Hope this gives you a better idea. Please post any queries you have on this.
However, there is latency during failures; I will try to tweak things to avoid the latency and make it better. I will post if I find anything.
Thanks Techies....