01-10-2008 06:32 AM - edited 02-21-2020 03:28 PM
I keep getting the following error.
3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80
3|Jan 08 2008|15:47:28|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80
6|Jan 08 2008|15:47:28|302021|192.168.0.45|192.168.0.50|Teardown ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0
6|Jan 08 2008|15:47:28|302020|192.168.0.45|192.168.0.50|Built inbound ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0
5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping
4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, Removing peer from correlator table failed, no match!
3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!
3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED
6|Jan 08 2008|15:47:03|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = Public IP
4|Jan 08 2008|15:47:03|713903|||Group = Public IP, IP = Public IP, Freeing previously allocated memory for authorization-dn-attributes
I don't think this is because of an encryption mismatch. Any help is appreciated.
Thanks
nilesh
01-10-2008 06:45 AM
Looks like your IPSEC policies are not matching. Make sure that the encryption, hashing algorithm, etc., match. Also, the IPSEC Access Lists have to be mirror images of each other. BTW, do you have PFS Configured?
Regards,
Arul
01-10-2008 08:40 AM
01-10-2008 08:56 AM
You have PFS (Perfect Forward Secrecy) configured on the ASA and not on the router. This could be one of the reasons why the tunnel is failing in Phase 2.
If you do not need PFS, can you do a "no crypto map WAN_map 1 set pfs" from the ASA configuration and bring up the tunnel?
Regards,
Arul
01-10-2008 09:51 AM
It worked!!! Thank you very much.
Best Regards
nilesh
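A triage sketch for the log in the question, added here as an example and not code from the thread or from Cisco: it parses the pipe-delimited lines, groups IKE messages by peer, and reports a Phase 2 mismatch when Phase 1 completed but quick-mode failure markers are present. The function names and the verdict labels are this example's own; the marker strings and the list of settings to compare come from the posted log and the replies.

```python
import re
from collections import defaultdict

# Five lines copied from the question above: severity|date|time|msgid|src|dst|text
SAMPLE = """\
4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!
3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED
3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80
"""

PEER_RE = re.compile(r"(?:^|, )IP = ([^,]+)")
# Phase 2 (quick mode) failure markers, all taken from the posted log.
P2_MARKERS = ("All IPSec SA proposals found unacceptable",
              "Reason: Phase 2 Mismatch", "QM FSM error")
# What the replies in this thread say to compare on both peers.
CHECKS = ("encryption and hashing algorithms",
          "mirror-image IPsec access lists", "PFS setting")

def parse_line(line):
    """Split one log line into fields; return None if it is not in that format."""
    parts = line.rstrip("\n").split("|", 6)
    if len(parts) != 7 or not parts[0].isdigit():
        return None
    keys = ("severity", "date", "time", "msgid", "src", "dst", "text")
    return dict(zip(keys, parts))

def diagnose(log_text):
    """Per peer: did Phase 1 complete, and which Phase 2 failure markers appear?"""
    peers = defaultdict(lambda: {"phase1": False, "evidence": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = rec and PEER_RE.search(rec["text"])
        if not m:
            continue  # malformed line, or a message not tied to an IKE peer
        state = peers[m.group(1)]
        if "PHASE 1 COMPLETED" in rec["text"]:
            state["phase1"] = True
        state["evidence"].update(k for k in P2_MARKERS if k in rec["text"])
    for state in peers.values():
        mismatch = state["phase1"] and bool(state["evidence"])
        state["verdict"] = "phase2-mismatch" if mismatch else "inconclusive"
        state["compare"] = list(CHECKS) if mismatch else []
    return dict(peers)

if __name__ == "__main__":
    for peer, result in diagnose(SAMPLE).items():
        print(peer, result["verdict"], sorted(result["evidence"]), result["compare"])
```

The log is order-independent here because the export in the post is newest-first; with real addresses in place of the redacted "Public IP", each peer gets its own verdict.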