L2L VPN with MS ISA 2004

Unanswered Question
Nov 15th, 2007

Hi, I am trying to set up a Lan2Lan VPn between an ASA 5510 and a MS ISA Server 2004 machine. The configuration matches on both ends, but I get the following error in the ASA logs:

113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3180ef8, mess id 0x469cca44)!

713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)

713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

713041: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf 2, IKE Peer x.x.x.x local Proxy Address 10.10.0.0, remote Proxy Address 192.168.0.0, Crypto map (outside_map)

Please help....

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
elparis Thu, 11/15/2007 - 14:44

Hello,

We need a bit more of information. It seems like phase 2 is failing to complete. To get more information please turn on IPsec debugging via "debug crypto ipsec 128". The attempt to bring up the tunnel by generating interesting traffic and see what messages are generated in the debugging log.

spuntahachart Thu, 11/15/2007 - 14:56

Hi, Thanks for the reply... here is your log:

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x038E41C0,

Direction: inbound

SPI : 0x44691D15

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0xD98C22C8

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x038EBBE0,

SCB: 0x038D73E0,

Direction: inbound

SPI : 0xF94561E9

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0x43F6A2BB

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

elparis Thu, 11/15/2007 - 15:24

Sorry, my bad, "debug crypto isakmp 200" will give us the information we need. There's no useful information in the debugging information provided by "debug crypto ipsec" in this case.

spuntahachart Mon, 11/19/2007 - 13:09

Elparis, Thanks you very much for your help in this matter; however, the problem has been solved. It turns out that it was a problem with the ISA server I was trying to connect to. Thanks for your input

elparis Mon, 11/19/2007 - 13:21

Great! Glad to hear everything is working now.

Cheers!

Actions

This Discussion