problem establishing site to site vpn between asa and 1811 router

Answered Question
Jan 10th, 2008

I keep getting the following error.

3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

3|Jan 08 2008|15:47:28|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

6|Jan 08 2008|15:47:28|302021|192.168.0.45|192.168.0.50|Teardown ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

6|Jan 08 2008|15:47:28|302020|192.168.0.45|192.168.0.50|Built inbound ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping

4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, Removing peer from correlator table failed, no match!

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!

5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!

3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED

6|Jan 08 2008|15:47:03|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = Public IP

4|Jan 08 2008|15:47:03|713903|||Group = Public IP, IP = Public IP, Freeing previously allocated memory for authorization-dn-attributes

I don't think this is because of an encryption mismatch. Any help is appreciated.

Thanks

nilesh

ajagadee Thu, 01/10/2008 - 06:45

Looks like your IPSEC policies are not matching. Make sure that the encryption, hashing algorithm, etc., match. Also, the IPSEC Access Lists have to be mirror images of each other. BTW, do you have PFS Configured?

Regards,

Arul

Correct Answer
ajagadee Thu, 01/10/2008 - 08:56

You have PFS (Perfect Forward Secrecy) configured on the ASA and not on the router. This could be one of the reasons why the tunnel is failing in Phase 2.

If you do not need PFS, can you do a "no crypto map WAN_map 1 set pfs" from the ASA configuration and bring up the tunnel.

Regards,

Arul
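An added example (not part of the thread): a small Python triage script that parses the ASA syslog export format shown in the question, puts the events in time order, maps the message sequence to the phase at which the LAN-to-LAN tunnel failed, and lists the settings the accepted answer says to compare on both peers. The sample lines are copied from the question; the verdict strings and the checklist are this example's own.

```python
# Constructed sample: five of the ASA syslog lines from the question above,
# in the exported order (newest first). Format: sev|date|time|msgid|src|dst|text
SAMPLE_LOG = """\
5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping
4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!
3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED
"""

FIELDS = ("severity", "date", "time", "msgid", "src", "dst", "text")

# What to compare on both peers when Phase 2 fails (taken from the accepted answer):
PHASE2_CHECKS = [
    "transform set: encryption and hash must match on ASA and router",
    "PFS: if the ASA crypto map sets pfs, the router crypto map must too (or remove it)",
    "crypto ACLs: the two interesting-traffic ACLs must be mirror images",
]

def parse_asa_log(text):
    """Parse pipe-delimited ASA syslog export lines into dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|", 6)        # message text may contain commas, never pipes
        if len(parts) == 7:
            rows.append(dict(zip(FIELDS, parts)))
    return list(reversed(rows))           # export is newest-first; put in time order

def diagnose_tunnel(rows):
    """Map the message sequence to the phase where the LAN-to-LAN tunnel failed."""
    texts = [r["text"] for r in rows]
    phase1_ok = any("PHASE 1 COMPLETED" in t for t in texts)
    proposals_rejected = any("All IPSec SA proposals found unacceptable" in t for t in texts)
    phase2_mismatch = any("Reason: Phase 2 Mismatch" in t for t in texts)
    if not phase1_ok:
        return "phase1-not-completed"     # ISAKMP policy / pre-shared key would be the first suspect
    if proposals_rejected or phase2_mismatch:
        return "phase2-proposal-mismatch"
    return "no-ike-failure-seen"

def checks_for(verdict):
    """Return the settings worth comparing for a given verdict."""
    return PHASE2_CHECKS if verdict == "phase2-proposal-mismatch" else []

if __name__ == "__main__":
    rows = parse_asa_log(SAMPLE_LOG)
    verdict = diagnose_tunnel(rows)
    print(f"{len(rows)} events, verdict: {verdict}")
    for item in checks_for(verdict):
        print(" -", item)
```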
