problem establishing site to site vpn between asa and 1811 router

nileshmathure
Level 5

I keep getting the following error.

3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

3|Jan 08 2008|15:47:28|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

6|Jan 08 2008|15:47:28|302021|192.168.0.45|192.168.0.50|Teardown ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

6|Jan 08 2008|15:47:28|302020|192.168.0.45|192.168.0.50|Built inbound ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping

4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, Removing peer from correlator table failed, no match!

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!

5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!

3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED

6|Jan 08 2008|15:47:03|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = Public IP

4|Jan 08 2008|15:47:03|713903|||Group = Public IP, IP = Public IP, Freeing previously allocated memory for authorization-dn-attributes

I don't think this is because of an encryption mismatch. Any help is appreciated.

Thanks

nilesh


4 Replies

ajagadee
Cisco Employee

Looks like your IPSEC policies are not matching. Make sure that the encryption, hashing algorithm, etc., match. Also, the IPSEC Access Lists have to be mirror images of each other. BTW, do you have PFS Configured?

Regards,

Arul

I have attached a file which contains the ASA 5500 and 1800 router configuration and the debug log. I have removed the IP.

Thanks for all your help.

Nilesh

You have PFS (Perfect Forward Secrecy) configured on the ASA and not on the router. This could be one of the reasons why the tunnel is failing in Phase 2.

If you do not need PFS, can you do a "no crypto map WAN_map 1 set pfs" from the ASA configuration and bring up the tunnel.

Regards,

Arul
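The two replies above give the Phase 2 checklist (transform set, crypto ACLs as mirror images, PFS) and then pin the failure on PFS being set on the ASA but not on the router. The Python below is an added example, not code from the thread or from Cisco: it parses the pipe-delimited ASDM log lines the question posted, orders them by time, maps the message IDs (713119, 713904, 713902, 113019) to the Phase 1 / Phase 2 state they report, and then compares the PFS setting in two constructed config snippets. The config snippets, the crypto map name WAN_map, the peer addresses and the ACL names are placeholders written for this example; the poster's real configs were in an attachment not reproduced on the page. One caveat the example encodes: the ASA's `set pfs` with no group argument means group2, so the alternative to dropping PFS on the ASA is adding `set pfs group2` to the router's crypto map entry, which keeps forward secrecy for the tunnel instead of removing it.

```python
"""Triage ASA syslog for a LAN-to-LAN tunnel that completes Phase 1 but dies in Phase 2.

Added example (not from the forum thread). Log lines are the ones posted in the
question, in the ASDM export layout: severity|date|time|msgid|src|dst|message.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the lines from the question, newest first as ASDM shows them.
SAMPLE_LOG = """\
3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80
5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping
4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!
3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED
"""

# (message id, substring of the message text, tag) -> the IKE/IPsec state it reports.
SIGNATURES = [
    ("713119", "PHASE 1 COMPLETED", "phase1_ok"),
    ("713904", "All IPSec SA proposals found unacceptable", "p2_proposal_rejected"),
    ("713902", "QM FSM error", "p2_quick_mode_failed"),
    ("113019", "Phase 2 Mismatch", "p2_mismatch"),
    ("713904", "no matching SA", "esp_without_sa"),
    ("710003", "access denied by ACL", "to_the_box_acl_deny"),
]


def parse_asa_export(text):
    """Split ASDM export lines into dicts and return them oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 6)
        if len(parts) != 7:
            continue  # skip blank or truncated lines
        sev, date, clock, msgid, src, dst, msg = parts
        events.append({
            "severity": int(sev),
            "ts": datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S"),
            "msgid": msgid, "src": src, "dst": dst, "msg": msg,
        })
    events.reverse()  # ASDM lists newest first; reverse so a stable sort keeps
    events.sort(key=lambda e: e["ts"])  # same-second events in the order they fired
    return events


def diagnose(events):
    """Return (tags found with first timestamp, list of conclusions)."""
    found = OrderedDict()
    for ev in events:
        for msgid, needle, tag in SIGNATURES:
            if ev["msgid"] == msgid and needle in ev["msg"]:
                found.setdefault(tag, ev["ts"])
    verdict = []
    if "phase1_ok" in found and "p2_proposal_rejected" in found:
        verdict.append("ISAKMP policy and PSK are fine (Phase 1 completed); the peer's "
                       "IPsec Phase 2 proposal was rejected.")
        verdict.append("Compare both ends: PFS on/off and DH group, transform set "
                       "(ESP cipher + HMAC), tunnel mode, SA lifetime, and crypto ACLs "
                       "(must be exact mirror images).")
    if "esp_without_sa" in found:
        verdict.append("Peer kept sending ESP after the ASA tore the SA down: the router "
                       "still thinks the tunnel is up.")
    if "to_the_box_acl_deny" in found:
        verdict.append("710003 is traffic aimed at the ASA interface itself, not through "
                       "the tunnel; unrelated to the VPN failure.")
    return found, verdict


# Constructed placeholder configs (not the poster's attached files). The ASA entry
# has 'set pfs' with no group, which on ASA means group2; the router entry has none.
ASA_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address outside_cryptomap
crypto map WAN_map 1 set peer 203.0.113.2
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 set pfs
crypto map WAN_map interface outside
"""

ROUTER_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 110
"""

# Matches ASA 'crypto map NAME SEQ set pfs [groupN]' and IOS '  set pfs groupN'.
PFS_RE = re.compile(r"^\s*(?:crypto map \S+ \d+ )?set pfs(?: (group\d+))?\s*$", re.M)


def pfs_setting(config):
    """Return the PFS DH group on the crypto map entry, or None when PFS is off."""
    m = PFS_RE.search(config)
    if not m:
        return None
    return m.group(1) or "group2"  # ASA: bare 'set pfs' defaults to group2


if __name__ == "__main__":
    tags, conclusions = diagnose(parse_asa_export(SAMPLE_LOG))
    print("events seen:", ", ".join(tags))
    for line in conclusions:
        print("-", line)
    asa, rtr = pfs_setting(ASA_CFG), pfs_setting(ROUTER_CFG)
    print(f"PFS: ASA={asa} router={rtr} ->", "MISMATCH" if asa != rtr else "match")
```

Fix either side so `pfs_setting` agrees on both: `no crypto map WAN_map 1 set pfs` on the ASA (the thread's fix) or `set pfs group2` under the router's crypto map entry (keeps PFS).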

It worked!!! Thank you very much.

Best Regards

nilesh
