Cisco ASA 5510 No Xauth IPSEC Bug
Problem Description:
ASA 5510 is the central site FW, with multiple IPSEC tunnels present to ASA5505 remotes. One of the remotes is acting funny: the ipsec tunnel can be initiated from a ping inside cmd on the ASA5510, but the 5505 cannot initiate the tunnel. Once the tunnel is up, traffic is 2-way. After checking all the crypto map and no-nat acls, and a reboot, I was left diffing (comparing) a working 5505 config with one that was not working. There were no differences other than the ip addresses. Both tunnel setups were identical on the central site ASA5510 as well.
A ping inside cmd on the remote ASA5505 would not only fail to bring up the tunnel, but no SA was established either. This told me that ISAKMP (the Phase 1 key exchange) was failing.
A debug cmd:
debug crypto ipsec
said something to the effect that the 5510 was not able to properly determine the identity of the incoming SA request from the 5505.
The below config on the 5510:
tunnel-group a.b.c.d ipsec-attributes isakmp peer ip a.b.c.d no-xauth
fixed the problem. Basically xauth was enabled for this incoming SA request on the 5510, but it's supposed to be OFF by default, and even after entering the above command it did not show up in "sh run" on the 5510.
This was the hardware/software on the 5510 that manifested this bug:
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
asa706-k8.bin
UPDATE:
Setting up the ipsec tunnel attributes as ipsec remote access rather than as l2l seems to have caused this problem. Even though the tunnel worked once up, I rebuilt the commands as l2l and no issue was observed; the tunnel could initiate properly in both directions.
This seemed to be the culprit:
tunnel-group XXX type ipsec-ra
where I should have used:
tunnel-group XXX type ipsec-l2l
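To make the difference concrete, below is an added example (not the configuration from this post) of the two tunnel-group definitions side by side on an ASA running 7.x syntax. The peer address 203.0.113.5, the inside networks, the transform-set and access-list names, and the pre-shared key are all placeholders; the lines starting with "!" are annotations. Only one of the two tunnel-group sections would exist on a real box; the point is that the `type` keyword decides whether the ASA expects XAUTH from that peer.

```cisco
! --- What was configured: a remote-access tunnel-group. The ASA treats the
! --- peer as a remote-access client and expects XAUTH after Phase 1, so a
! --- 5505 initiating as a site-to-site peer never completes the exchange.
tunnel-group 203.0.113.5 type ipsec-ra
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! --- Corrected: declare the peer as a LAN-to-LAN tunnel-group. No XAUTH is
! --- applied and the peer is matched on its IP address (placeholder).
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! --- Phase 1 policy, Phase 2 transform-set, NAT exemption and crypto map
! --- (all placeholder values) so the example is complete on the 5510 side.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

The tunnel-group type cannot simply be overwritten once the group exists; remove it with `clear configure tunnel-group 203.0.113.5` and recreate it, which is what rebuilding the commands amounts to. To check the result, `show run tunnel-group` should list the peer as `type ipsec-l2l`, and after a ping from the remote's inside interface `show isakmp sa` on the 5510 should show the peer with Type L2L and state MM_ACTIVE, with `show crypto ipsec sa` reporting encaps/decaps counters climbing on both sides. Running `debug crypto isakmp` during the remote's attempt is what separates a Phase 1 failure like this one from a Phase 2 (crypto ACL or transform-set) mismatch.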
