Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
5
Replies

L2L VPN with MS ISA 2004

spuntahachart
Level 1
Level 1

‎11-15-2007 02:33 PM - edited ‎03-11-2019 04:31 AM

Hi, I am trying to set up a Lan2Lan VPn between an ASA 5510 and a MS ISA Server 2004 machine. The configuration matches on both ends, but I get the following error in the ASA logs:

113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3180ef8, mess id 0x469cca44)!

713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)

713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

713041: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf 2, IKE Peer x.x.x.x local Proxy Address 10.10.0.0, remote Proxy Address 192.168.0.0, Crypto map (outside_map)

Please help....

Labels:
0 Helpful
5 Replies 5

elparis
Cisco Employee
Cisco Employee

‎11-15-2007 02:44 PM

Hello,

We need a bit more of information. It seems like phase 2 is failing to complete. To get more information please turn on IPsec debugging via "debug crypto ipsec 128". The attempt to bring up the tunnel by generating interesting traffic and see what messages are generated in the debugging log.

0 Helpful

spuntahachart
Level 1
Level 1
In response to elparis

‎11-15-2007 02:56 PM

Hi, Thanks for the reply... here is your log:

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x038E41C0,

Direction: inbound

SPI : 0x44691D15

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0xD98C22C8

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x038EBBE0,

SCB: 0x038D73E0,

Direction: inbound

SPI : 0xF94561E9

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0x43F6A2BB

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

0 Helpful

elparis
Cisco Employee
Cisco Employee
In response to spuntahachart

‎11-15-2007 03:24 PM

Sorry, my bad, "debug crypto isakmp 200" will give us the information we need. There's no useful information in the debugging information provided by "debug crypto ipsec" in this case.

0 Helpful

spuntahachart
Level 1
Level 1
In response to elparis

‎11-19-2007 01:09 PM

Elparis, Thanks you very much for your help in this matter; however, the problem has been solved. It turns out that it was a problem with the ISA server I was trying to connect to. Thanks for your input

0 Helpful

elparis
Cisco Employee
Cisco Employee
In response to spuntahachart

‎11-19-2007 01:21 PM

Great! Glad to hear everything is working now.

Cheers!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card