I'm having problem getting this 2nd site-site VPN on an ASA5505 running.
There's an ASA5505 running in the main office and then 2 remote sites with PIX501.
Both PIX501 are running the identical configurations and the 1st VPN is running no problem, however I can't figure out why the 2nd wont come up.
I'm guessing I'm missing something on my ASA config.


ASA config


hostname asa5505
domain-name
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.31.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
!
interface Vlan5
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name
!
access-list inside_access_in extended permit ip 192.168.31.0 255.255.255.0 any
!
access-list dmz_access_in extended permit tcp host 172.16.1.3 any eq smtp
!
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 444
access-list outside_access_in extended permit tcp any interface outside eq 4125
access-list outside_access_in extended permit udp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq ldap
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit udp any interface outside eq ntp
!
access-list 101 extended permit ip 192.168.31.0 255.255.255.0 192.168.33.0 255.255.255.0
!
access-list 102 extended permit ip 192.168.31.0 255.255.255.0 192.168.32.0 255.255.255.0
!
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.30.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.31.5 444 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.31.5 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.31.5 4125 netmask 255.255.255.255
static (inside,outside) udp interface 4125 192.168.31.5 4125 netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.31.5 ldap netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.31.5 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.31.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.31.5 pop3 netmask 255.255.255.255
static (inside,outside) udp interface ntp 192.168.31.5 ntp netmask 255.255.255.255
static (inside,dmz) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route dmz 192.168.31.5 255.255.255.255 192.168.31.10 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.31.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map dynmap 30 set transform-set myset
crypto dynamic-map dynmap 30 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 30 set security-association lifetime kilobytes 4608000
!
crypto map transam 10 match address 101
crypto map transam 10 set peer site1
crypto map transam 10 set transform-set myset
crypto map transam 10 set security-association lifetime seconds 28800
crypto map transam 10 set security-association lifetime kilobytes 4608000
!
crypto map transam 20 match address 102
crypto map transam 20 set peer site2
crypto map transam 20 set transform-set myset
crypto map transam 20 set security-association lifetime seconds 28800
crypto map transam 20 set security-association lifetime kilobytes 4608000
!
crypto map transam 65000 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
telnet timeout 5
!
ssh 192.168.31.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
!
console timeout 0
!
dhcpd auto_config outside
!
dhcpd address 192.168.31.51-192.168.31.254 inside
dhcpd dns 192.168.31.5 interface inside
dhcpd wins 192.168.31.5 interface inside
dhcpd lease 302400 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
pre-shared-key *
!
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect dns pres
parameters
!
service-policy global_policy global
prompt hostname context
!
end


PIX501 Site1



interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
name 192.168.31.0 Calgary
!
access-list 101 permit ip 192.168.33.0 255.255.255.0 Calgary 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 Calgary 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list NoNAT permit ip Calgary 255.255.255.0 192.168.30.0 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT permit ip Calgary 255.255.255.0 192.168.10.0 255.255.255.0
!
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
!
access-list split_tunnel_acl permit ip Calgary 255.255.255.0 192.168.30.0 255.255.255.0
access-list split_tunnel_acl permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
!
pager lines 24
mtu outside 1500
mtu inside 1500
!
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.33.1 255.255.255.0
!
ip audit info action alarm
ip audit attack action alarm
!
ip local pool clientpool 192.168.30.1-192.168.30.254
!
pdm location 192.168.33.0 255.255.255.0 inside
pdm location 192.168.33.2 255.255.255.255 inside
pdm location 192.168.30.0 255.255.255.0 outside
pdm location Calgary 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.33.0 255.255.255.255 outside
pdm location 192.168.33.0 255.255.255.0 outside
pdm location 192.168.33.5 255.255.255.255 inside
pdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 80
route inside 192.168.30.0 255.255.255.0 192.168.33.1 1
route inside Calgary 255.255.255.0 192.168.33.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
!
http server enable
http 192.168.33.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!
sysopt connection permit-ipsec
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
!
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address 101
crypto map transam 10 set peer x.x.x.x
crypto map transam 10 set transform-set myset
crypto map transam 65000 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
!
isakmp enable outside
isakmp key * address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup * address-pool clientpool
vpngroup * dns-server 192.168.33.1
vpngroup * default-domain
vpngroup * split-tunnel split_tunnel_acl
vpngroup * idle-time 1000
vpngroup * password *
!
telnet timeout 5
!
ssh 0.0.0.0 0.0.0.0 outside
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
!
management-access inside
console timeout 0
!
dhcpd address 192.168.33.30-192.168.33.61 inside
dhcpd dns x
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd auto_config outside
dhcpd enable inside
dhcprelay timeout 60
!
terminal width 80
end


I ran debug crypto isakmp on the ASA and all I'm seeing is related to the up tunnel

Have you tried re-entering your pre-share key on both devices and then clearing the crypto sa / se's ?

Also check your debug on isakmp along with ipsec.

This is driving me nuts.

So site1 client-VPN is working fine but the site-site VPN to Calgary won't come up.

I ran debug crypto ipsec and isakmp on the ASA, no mentions of anything related to site1 SA, only for site2 which works great.
The "PEER_REAPER_TIMER" message shows on site1 pix though which apparently means the SA key is getting deleted
I also copy&pasted the key on both devices numerous times to make sure it matches.

here's a short snip from the sh crypto ipsec sa on the site1 pix

interface: outside
Crypto map tag: transam, local addr. 71.137.x.x

local ident (addr/mask/prot/port): (192.168.33.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Calgary/255.255.255.0/0/0)
current_peer: 66.18.x.x:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 71.137.x.x, remote crypto endpt.: 66.18.x.x
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0


this current_peer: 66.18.x.x:0 is rather odd however as on our site2 pix which runs no problem it says current_peer: 66.18.x.x:500 which is the UDP port for ISAKMP.

Also, site1 ISP AT&T is really weird...on the front end they have a netopia router and behind it is our pix.
When we disabled the firewall on the ISP router I could ping and SSH our pix.
There's an IPSec option on the Netopia router


Two separate mechanisms for IPSec tunnel support are provided by your Gateway:

* IPSec PassThrough supports VPN clients running on LAN-connected computers. Disable this checkbox if your LAN-side VPN client includes its own NAT interoperability solution.
* SafeHarbour is a keyed feature that enables Gateway-terminated VPN support.


IPSec PassThrough
Enable IPSec PassThrough

SafeHarbour IPSec
Enable SafeHarbour IPSec
currently both options are unchecked.


I'll pay $100 whoever gets this resolved.

Put this in on the ASA
crypto isakmp identity address

Also for the netopia isp device, see if it can run transparent, or in bridge mode so that it doesnt interfere at all with your pix 501.

set up a packet capture on the asa and try bringing up the vpn connection. see if you are getting packets and they are reaching the asa

You might need to specify no-xauth and/or no-config-mode also.

PIX501
----------

isakmp key * x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

Originally posted by cityhunter2501
I'll pay $100 whoever gets this resolved.

Is this a DSL line? MTU of a DSL line is typically 1492 not 1500. Baring that, it seems apparent that the issue is not with the configuration of the PIX, so I would jump in there with a packet sniffer and see what's what.

got it up and running.

changed the nat-traversal from 20 to 25 on the ASA,
re-enabled IPsec through on the netopia box, VPN went up right away.


thanks for trying to help guys

Originally posted by cityhunter2501
got it up and running.

changed the nat-traversal from 20 to 25 on the ASA,
re-enabled IPsec through on the netopia box, VPN went up right away.


thanks for trying to help guys

Strange. Did you change anything else while you were playing with it? None of those changes should've fixed this. The natkeepalive change from 20 to 25 wouldn't really change anything. The IPsec pass-through on the Netopia router only helps if your PIX has a private IP address from the router, and if nat-traversal is turned off. I was under the impression the PIX has a public facing IP and had nat-traversal turned on (as shown in the PIX config).

I'm glad it works, but I think something else is going on.