
Can only initiate from 501's not from ASA5510


68chicayne

IS-IT--Management
Sep 26, 2008
12
US
I have a central location with a Cisco ASA5510 and 6 remote locations using 5 Cisco 501's and 1 ASA5505. I've been able to establish one-way site-to-site connectivity between the remote locations and the central location.
However, I can't seem to initiate a session from the central location to 5 of the remote sites. I can get to one of my remote sites from the central location. All configs are similar.
Any ideas?
Also, any additional thoughts or comments on my configs are welcome, as I'm fairly new at this.

Below are my scrubbed configs.

Thanks!

ASA 5510 Version 7.0(7)
name 64.xxx.xxx.xxx FMP_Server
name 69.xxx.xxx.xxx weybridgeIP
name 208.xxx.xxx.xxx shoreham
name 208.xxx.xxx.xxx cornwall
name 72.xxx.xxx.xxx SalisburyIP
name 64.xxx.xxx.xxx1 RiptonIP
dns-guard
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.1
 vlan 100
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/0.2
 vlan 101
 nameif dmz
 security-level 10
 ip address 192.168.0.1 255.255.252.0
!
interface Ethernet0/1.1
 vlan 102
 nameif inside
 security-level 100
 ip address 10.128.0.1 255.255.252.0
!
ftp mode passive
same-security-traffic permit intra-interface
 
access-list ravpn extended permit ip 10.1.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.7.0 255.255.255.0
access-list splitt extended permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list tocornwall extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list toshoreham extended permit ip 10.128.0.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list toweybridge extended permit ip 10.128.0.0 255.255.252.0 192.168.4.0 255.255.255.0
access-list toripton extended permit ip 10.128.0.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list tobridport extended permit ip 10.128.0.0 255.255.252.0 192.168.7.0 255.255.255.0
access-list tosalisbury extended permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
ip local pool ra_vpn 172.18.10.1-172.18.10.254
no failover
asdm image disk0:/asdm-507.bin
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.0.9-192.168.3.254
nat (dmz) 1 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) fcis 192.168.0.4 netmask 255.255.255.255
static (inside,outside) GPS GPSinside netmask 255.255.255.255
static (inside,dmz) 10.128.0.0 10.128.0.0 netmask 255.255.252.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.252.0
access-group aclout in interface outside
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx 1
route inside 10.1.0.0 255.255.0.0 10.128.0.2 1
aaa-server Authinbound protocol radius
aaa-server Authinbound host dnsserver
 key blister834d
group-policy acsuafp4 internal
group-policy acsuafp4 attributes
 dns-server value 10.128.0.102
crypto ipsec transform-set acsuvpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set acsuvpn
crypto map myvpn 25 match address tosalisbury
crypto map myvpn 25 set peer SalisburyIP
crypto map myvpn 25 set transform-set acsuvpn
crypto map myvpn 30 match address tobridport
crypto map myvpn 30 set peer 69.xxx.xxx.xxx
crypto map myvpn 30 set transform-set acsuvpn
crypto map myvpn 35 match address toweybridge
crypto map myvpn 35 set peer weybridgeIP
crypto map myvpn 35 set transform-set acsuvpn
crypto map myvpn 40 match address tocornwall
crypto map myvpn 40 set peer cornwall
crypto map myvpn 40 set transform-set acsuvpn
crypto map myvpn 70 ipsec-isakmp dynamic dynmap
crypto map myvpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group acsuafp4 type ipsec-ra
tunnel-group acsuafp4 general-attributes
 address-pool ra_vpn
 authentication-server-group Authinbound
 default-group-policy acsuafp4
tunnel-group acsuafp4 ipsec-attributes
 pre-shared-key *
tunnel-group 64.xxx.xxx.xxx type ipsec-l2l
tunnel-group 64.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 69.xxx.xxx.xxx type ipsec-l2l
tunnel-group 69.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 208.xxx.xxx.xxx type ipsec-l2l
tunnel-group 208.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 69.xxx.xxx.xxx type ipsec-l2l
tunnel-group 69.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 72.xxx.xxx.xxx type ipsec-l2l
tunnel-group 72.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 208.xxx.xxx.xxx type ipsec-l2l
tunnel-group 208.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet timeout 5

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end



Non-working two-way VPN config -

PIX Version 6.3(4)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list tocentral permit ip 192.168.3.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list allowin permit icmp any any
mtu outside 1492
mtu inside 1492
ip address outside 208.xxx.xxx.xxx 255.255.255.0 pppoe
ip address inside 192.168.3.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 208.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto map vpn 80 ipsec-isakmp
crypto map vpn 80 match address tocentral
crypto map vpn 80 set peer 64.xxx.xxx.xxx
crypto map vpn 80 set transform-set acsuset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group ISP request dialout pppoe
vpdn group ISP localname binghams@XXXXXXXXXX
vpdn group ISP ppp authentication chap
vpdn username binghams@XXXXXXXX password *********
dhcpd address 192.168.3.2-192.168.3.129 inside
dhcpd dns 65.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
 end


Working Site to Site Connection

PIX Version 6.3(4)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list nonat permit ip 192.168.4.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list tocentral permit ip 192.168.4.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list MarcRecords permit tcp any any eq 2007
access-list allowin permit icmp any any
ip address outside 69.xxx.xxx.xxx 255.255.255.0 pppoe
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto map vpn 50 ipsec-isakmp
crypto map vpn 50 match address tocentral
crypto map vpn 50 set peer 64.xxx.xxx.xxx
crypto map vpn 50 set transform-set acsuset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname weybridgexxx.xxx.xxx
vpdn group pppoex ppp authentication chap
vpdn username XXXXXXXXXXXXXl password *********
end
 
have you run any debugs for the crypto process??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
"have you run any debugs for the crypto process??"

Yes, and here's something odd that I don't understand:
I'm pinging 192.168.7.1 / 69.xxx.xxx.xxx, which corresponds with access-list tobridport, but the ASA appears to be trying to establish a tunnel with tocornwall, 192.168.3.0 / 208.xxx.xxx.xxx.

Here's a snip of my access-list, crypto maps and some debugging -

access-list tocornwall extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list tobridport extended permit ip 10.128.0.0 255.255.252.0 192.168.7.0 255.255.255.0

crypto map myvpn 30 match address tobridport <--192.168.7.0
crypto map myvpn 30 set peer 69.xxx.xxx.xxx
crypto map myvpn 30 set transform-set acsuvpn
crypto map myvpn 40 match address tocornwall <--192.168.3.0
crypto map myvpn 40 set peer 208.xxx.xxx.xxx
crypto map myvpn 40 set transform-set acsuvpn


...snip...
Aug 25 06:32:40 [IKEv1 DEBUG]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, sending delete/delete with reason message
Aug 25 06:32:40 [IKEv1 DEBUG]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, constructing blank hash payload
Aug 25 06:32:40 [IKEv1]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 25 06:32:40 [IKEv1 DEBUG]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.168.7.0, Local Proxy 10.128.0.0
Aug 25 06:32:40 [IKEv1]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, Removing peer from correlator table failed, no match!
Aug 25 06:32:40 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7a7cdcaf
?Aug 25 06:32:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 25 06:32:42 [IKEv1]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, IKE Initiator: New Phase 2, Intf NP Identity Ifc, IKE Peer 208.xx.xx.xx local Proxy Address 10.128.0.0, remote Proxy Address 192.168.7.0, Crypto map (myvpn)
Aug 25 06:32:42 [IKEv1 DEBUG]: Group = 208.xx.xx.xx, IP = 208.xx.xx.xx, Oakley begin quick mode
....snip.....


asa# show crypto isakmp sa

Active SA: 4
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1 IKE Peer: Shoreham_IP
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: Weybridge_IP
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: Salisbury_IP
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
4 IKE Peer: cornwall_IP
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
asa#

Thanks!
 
Here's another debug snip. Same thing is happening as above. I'm trying to initiate a tunnel to 192.168.4.0, but it looks like my ASA is trying to establish a tunnel with 192.168.3.0
192.168.4.0 = 69.xxx.xxx.218 and 192.168.3.0 = 208.xxx.xxx.xxx

Aug 25 08:15:05 [IKEv1 DEBUG]: Group = 208.xxx.xxx.4, IP = 208.xxx.xxx.4, sending delete/delete with reason message
Aug 25 08:15:05 [IKEv1 DEBUG]: Group = 208.xxx.xxx.4, IP = 208.xxx.xxx.4, constructing blank hash payload
Aug 25 08:15:05 [IKEv1]: Group = 208.xxx.xxx.4, IP = 208.xxx.xxx.4, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 25 08:15:05 [IKEv1 DEBUG]: Group = 208.xxx.xxx.4, IP = 208.xxx.xxx.4, IKE Deleting SA: Remote Proxy 192.168.4.0, Local Proxy 10.128.0.0
Aug 25 08:15:05 [IKEv1]: Group = 208.xxx.xxx.4, IP = 208.xxx.xxx.4, Removing peer from correlator table failed, no match!
 
have you tried rebooting the ASA?? i would also look at doing a code update, 8.2 is out now and it might be worth looking at.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 

"have you tried rebooting the ASA?? i would also look at doing a code update, 8.2 is out now and it might be worth looking at."

I'll try rebooting it again a bit later today.
 
After a reboot I was once again able to initiate a tunnel to the remote site I could originally tunnel to.

Here's some additional output from a debug while pinging and trying to ssh from 10.128.1.210 to 192.168.3.10 and 192.168.6.10

10.128.2.175 is an AD box and 10.128.0.11 is a switch. Why would they be part of the equation?

Aug 26 05:16:25 [IKEv1 DEBUG]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x653fdea7)
Aug 26 05:16:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 26 05:16:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.128.0.102, Dst: 192.168.3.14
Aug 26 05:16:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 26 05:16:30 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.128.2.175, Dst: 192.168.3.14

Aug 26 05:16:43 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.128.0.11, Dst: 192.168.6.10
Aug 26 05:16:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 26 05:16:44 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.128.0.11, Dst: 192.168.6.10

Also, after the reboot I'm still getting some of the same as before. I'm trying to initiate a tunnel to 192.168.6.0, but it looks like my ASA is trying to establish a tunnel with 192.168.7.0. 192.168.7.0 = 69.xxx.xxx.218 and 192.168.6.0 = 208.xxx.xxx.xxx

Aug 26 05:16:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 26 05:16:34 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.128.0.11, Dst: 192.168.6.10
Aug 26 05:16:35 [IKEv1]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, QM FSM error (P2 struct &0x3ab9c80, mess id 0xe8752252)!
Aug 26 05:16:35 [IKEv1 DEBUG]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, IKE QM Initiator FSM error history (struct &0x3ab9c80) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Aug 26 05:16:35 [IKEv1 DEBUG]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, sending delete/delete with reason message
Aug 26 05:16:35 [IKEv1 DEBUG]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, constructing blank hash payload
Aug 26 05:16:35 [IKEv1]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 26 05:16:35 [IKEv1 DEBUG]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.168.6.0, Local Proxy 10.128.0.0
Aug 26 05:16:35 [IKEv1]: Group = 69.xx.xx.xx, IP = 69.xx.xx.xx, Removing peer from correlator table failed, no match!
Aug 26 05:16:35 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x5029468a

Thanks again.
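The debug lines in this post and the earlier one say which peer the ASA chose for a given proxy pair, and which flows it found no policy for; the quoted crypto map and access-lists say which peer it should have chosen. The following is an added check, not part of the thread and not a Cisco tool: it replays the quoted crypto map 30/40 entries and their ACLs, assuming the ASA's first-match-in-sequence-order crypto map evaluation, and flags debug lines that disagree with them. The peer labels are the thread's scrubbed addresses and the sample log lines are constructed after the ones quoted above.

```python
import ipaddress
import re

# Crypto map entries and crypto ACLs, transcribed from the lines quoted in
# the thread (peer addresses keep the thread's "xxx" scrubbing as labels).
CRYPTO_MAP = [            # (sequence, match-address ACL, peer)
    (30, "tobridport", "69.xxx.xxx.xxx"),
    (40, "tocornwall", "208.xxx.xxx.xxx"),
]
ACLS = {                  # acl -> [(local network, remote network)]
    "tobridport": [("10.128.0.0/22", "192.168.7.0/24")],
    "tocornwall": [("10.128.0.0/22", "192.168.3.0/24")],
}

def expected_peer(src, dst):
    """Peer of the lowest-sequence crypto map entry whose ACL permits src->dst.
    The ASA takes the first ACL hit in sequence order, so an overlapping ACL on
    a lower sequence number silently captures the flow; None means no match
    (the 'IKE Initiator unable to find policy' case)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, acl, peer in sorted(CRYPTO_MAP):
        for local, remote in ACLS[acl]:
            if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
                return peer
    return None

# Patterns for the two IKEv1 debug messages discussed in the thread.
NEW_P2 = re.compile(r"IKE Peer ([\w.]+) local Proxy Address ([\w.]+), remote Proxy Address ([\w.]+)")
NO_POLICY = re.compile(r"unable to find policy: Intf \S+, Src: ([\w.]+), Dst: ([\w.]+)")

def audit(debug_lines):
    """Return (kind, src/local, dst/remote, logged_peer, expected_peer) per odd line."""
    findings = []
    for line in debug_lines:
        m = NEW_P2.search(line)
        if m:
            peer, local, remote = m.groups()
            want = expected_peer(local, remote)
            if want != peer:      # ASA negotiating this proxy pair with the wrong peer
                findings.append(("peer-mismatch", local, remote, peer, want))
            continue
        m = NO_POLICY.search(line)
        if m:                     # no crypto ACL matched; report which one should have
            src, dst = m.groups()
            findings.append(("no-policy", src, dst, None, expected_peer(src, dst)))
    return findings

# Constructed sample lines, modelled on the debug output quoted in the thread.
SAMPLE = [
    "Aug 25 06:32:42 [IKEv1]: Group = 208.xxx.xxx.xxx, IP = 208.xxx.xxx.xxx, IKE Initiator: "
    "New Phase 2, Intf NP Identity Ifc, IKE Peer 208.xxx.xxx.xxx local Proxy Address "
    "10.128.0.0, remote Proxy Address 192.168.7.0, Crypto map (myvpn)",
    "Aug 26 05:16:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, "
    "Src: 10.128.0.102, Dst: 192.168.3.14",
]
```

On the sample lines `audit(SAMPLE)` reports the 192.168.7.0 proxy being negotiated with the 208.xxx.xxx.xxx peer instead of the configured 69.xxx.xxx.xxx one, and the 10.128.0.102 to 192.168.3.14 flow that should have hit tocornwall; feeding it a real `debug crypto isakmp` capture and the full crypto map shows whether the peer the ASA picks ever agrees with the config.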
 
I have the same problem as yours and am getting similar errors:

1 Nov 13 2009 09:53:25 713900 Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

I have updated to the 8.2 ASA system on all ASAs, reconfigured the ASA from the beginning and still have this sort of error only in one direction, from the small office to the main site...
Did you solve your issue?
 