IPSec Configuration in USG2200 with Cisco ASA issue

Publication Date: 2014-09-22   Views: 174   Downloads: 0
Issue Description
The customer had an issue bringing up IPsec on a USG2200. The far-end device is a Cisco ASA.
Alarm Information
N/A
Handling Process
We asked the customer for the topology and for the outputs of the following commands:

•  Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile profile-name | peerip peer-ip-address ] command to check IPSec SA information.
•  Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to check IPSec policy information.
•  Run the display ipsec statistics { ah | esp } command to check statistics on IPSec packets.
•  Run the display ike statistics { all | msg | v1 | v2 } command to check statistics on IKE packets.
•  Run the display ike sa command to check the state of the IKE SAs.
•  Run the display ip routing-table command to check the routes to the peer and the remote LAN.
•  Run the display acl command to check the ACL that defines the data flow to be protected.
•  Run the display ike peer command to check the IKE peer configuration.

The results were:

[USG2200]display ipsec sa
16:58:30  2014/08/25
[USG2200]display ipsec policy
16:58:32  2014/08/25

===========================================
IPsec Policy Group: "phase2"
Using interface: {GigabitEthernet0/0/0}
===========================================

  -----------------------------
  IPsec policy name: "phase2"
  sequence number: 10
  mode: isakmp
  state: active
  -----------------------------
    security data flow : 3000
    ike-peer name:  phase1
    perfect forward secrecy: None
    proposal name:  prop25812272047
    IPsec sa local duration(time based): 3600 seconds
    sa soft-duration time-based buffer: 0 seconds
    sa soft-duration traffic-based buffer: 0 kilobytes
    IPsec sa local duration(traffic based): 1843200 kilobytes
    IPSec sa anti-replay: use global
    IPSec sa anti-replay window-size: use global

[USG2200]disp ipsec stat
16:58:43  2014/08/25
  the security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    the encrypt packet statistics
      send sae:0, recv sae:0, send err:0
      local cpu:0, other cpu:0, recv other cpu:0
      intact packet:22, first slice:0, after slice:0
    the decrypt packet statistics
      send sae:0, recv sae:0, send err:0
      local cpu:0, other cpu:0, recv other cpu:0
      reass  first slice:0, after slice:0, len err:0
    dropped security packet detail:
      no enough memory: 0, too long: 0
      can't find SA: 0, wrong SA: 0
      authentication: 0, replay: 0
      front recheck: 0, after recheck: 0
      exceed byte limit: 0, exceed packet limit: 0
      change cpu enc: 0, dec change cpu: 0
      change datachan: 0, fib search: 0
      rcv enc(dec) form sae said err: 0, 0
      port number error: 0
      send port: 0, output l3: 0, l2tp input: 0
  negotiate about packet statistics:     
    IP packet  ok:22, err:0, drop:0
    IP rcv other cpu   to ike:0, drop:0
    IKE packet inbound   ok:1344, err:0
    IKE packet outbound  ok:433, err:0
    SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
    ModpCnt: 59, SaeSucc: 59, SoftwareSucc: 0


No traffic is being encrypted or decrypted on the firewall (the display ipsec sa output above is empty and the security packet counters are 0/0), so no LAN traffic is passing through the tunnel.

[USG2200]disp ike sa
16:59:11  2014/08/25
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40105      192.168.128.162         NEG           v2:2  public
104        192.168.128.162         NEG           v2:1  public

  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD

[USG2200]disp ip routing-table
16:59:16  2014/08/25
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface

        0.0.0.0/0   Static 60   0          RD  192.168.128.165 GigabitEthernet0/0/0
     10.28.12.0/23  Direct 0    0           D  10.28.12.75     GigabitEthernet0/0/1
    10.28.12.75/32  Direct 0    0           D  127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct 0    0           D  127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct 0    0           D  127.0.0.1       InLoopBack0
    192.168.2.2/32  Direct 0    0           D  127.0.0.1       InLoopBack0
192.168.128.164/30  Direct 0    0           D  192.168.128.166 GigabitEthernet0/0/0
192.168.128.166/32  Direct 0    0           D  127.0.0.1       InLoopBack0

[USG2200]disp acl 3000
16:59:23  2014/08/25
Advanced ACL 3000, 2 rules,not binding with vpn-instance
Acl's step is 5
rule 5 permit ip source 10.28.12.75 0 destination 10.28.11.202 0 (13 times matched)
rule 10 permit ip source 192.168.2.2 0 destination 10.28.11.202 0 (5 times matched)

[USG2200]disp ike peer
16:59:27  2014/08/25

---------------------------
IKE peer: phase1
   Exchange mode: main on phase 1
   Pre-shared key: %$%$_rMuK=kSB2Ccq9MW8VH/.of]%$%$
   Local certificate file name: 
   Proposal: 1
   Local ID type: IP
   Peer IP address: 192.168.128.162
   VPN instance:
   Authentic IP address:
   IP address pool:
   Peer name:
   Peer domain name:
   VPN instance bound to the SA:
   NAT traversal: disable
   SA soft timeout buffer time:
   OCSP check: disable
   OCSP server URL:
   Applied to 1 policy: phase2-10-isakmp
---------------------------
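An added example, not part of the original case: a small Python checker that parses the display ike sa and display ipsec statistics outputs quoted above (embedded here as constructed samples trimmed from this case) and reports why no traffic is being encrypted. The flag meanings follow the legend the device prints (RD is READY, NEG is NEGOTIATING).

```python
import re

# Constructed sample: trimmed copies of the "display ike sa" and
# "display ipsec statistics" outputs quoted in this case.
IKE_SA_OUTPUT = """current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40105      192.168.128.162         NEG           v2:2  public
104        192.168.128.162         NEG           v2:1  public
"""
IPSEC_STAT_OUTPUT = """  the security packet statistics:
    input/output security packets: 0/0
    IKE packet inbound   ok:1344, err:0
    IKE packet outbound  ok:433, err:0
"""

# One IKE SA row: conn-id, peer, flag(s), phase (e.g. v2:1), vpn instance.
IKE_SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(v\d:\d)\s+(\S+)\s*$", re.M)

def parse_ike_sa(text):
    """Return one dict per IKE SA row in 'display ike sa' output."""
    keys = ("conn_id", "peer", "flag", "phase", "vpn")
    return [dict(zip(keys, m.groups())) for m in IKE_SA_ROW.finditer(text)]

def parse_counter_pair(text, label):
    """Read a 'label: in/out' counter line as an (in, out) tuple of ints."""
    m = re.search(re.escape(label) + r":\s*(\d+)/(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def diagnose(ike_sa_text, ipsec_stat_text):
    """List findings; an empty list means the tunnel looks healthy."""
    findings = []
    sas = parse_ike_sa(ike_sa_text)
    # The device may show combined flags such as RD|ST; a working SA carries RD.
    stuck = [s for s in sas if "RD" not in s["flag"].split("|")]
    if not sas:
        findings.append("no IKE SA: negotiation never started (check IKE peer and ACL)")
    elif stuck:
        peers = ", ".join(sorted({s["peer"] for s in stuck}))
        flags = ", ".join(sorted({s["flag"] for s in stuck}))
        findings.append("IKE SA with %s not READY (flag %s): negotiation is not completing;"
                        " verify that IKE packets from the peer are permitted into the local zone"
                        % (peers, flags))
    if parse_counter_pair(ipsec_stat_text, "input/output security packets") == (0, 0):
        findings.append("zero security packets in both directions: no IPsec SA is carrying traffic")
    return findings
```

Run diagnose(IKE_SA_OUTPUT, IPSEC_STAT_OUTPUT) on the case data: it reports both SAs stuck in NEG and the zero packet counters, which is the picture the outputs above show.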
Root Cause

After checking, we also suspected that a security policy was preventing the peer's packets from reaching our firewall, so we asked the customer to add the following interzone policy, which permits traffic from the peer 192.168.128.162 into the local zone:


policy interzone local untrust inbound
policy 0
  action permit
  policy source 192.168.128.162 mask 32

Also double-check that the Cisco ASA configuration uses matching IKE and IPsec parameters.
Solution
Configure an interzone policy on the USG, and the equivalent rule on the Cisco ASA, to permit the incoming and outgoing traffic between the two LANs:

policy interzone local untrust inbound
policy 0
  action permit
  policy source 192.168.128.162 mask 32
Suggestions
Before configuring IPsec between two peers, first check that the LAN traffic to be encrypted is already permitted to send traffic to, and receive traffic from, the LAN on the other side.

END