VPN site2site problem after replacing PIX506E by ASA5505

HUBERT RESCH · ‎07-24-2008

Hi Replaced PIX506E by a ASA 5505.

Before I had Site2Site between two PIX506E running 6.3.4

Now on of the is replaced by an ASA 5505 running 8.0.3

Now it happens very often that the IPSEC-Tunnel is disconnected and we got following error messages in ASDM-log:

5|Jul 24 2008 22:09:03|713904: Group = 80.123.148.18, IP = 80.123.148.18, All IPSec SA proposals found unacceptable!

3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, QM FSM error (P2 struct &0xd7efa5f0, mess id 0xb06b549f)!

3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, Removing peer from correlator table failed, no match!

Afterwards it estabished again.

What couldbe the problem?

As you can see normally the tunnel is upan running, soit seems to be a temporary problem and I have no idea what triggers this:

sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 80.123.148.18

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

glogar-asa# sh crypto ipsec sa

interface: outside

Crypto map tag: glogar-cryptomap, seq num: 33, local addr: 80.121.213.30

access-list nach_enns permit ip 192.168.107.0 255.255.255.0 192.168.207.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.107.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.207.0/255.255.255.0/0/0)

current_peer: 80.123.148.18

#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28

#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 80.121.213.30, remote crypto endpt.: 80.123.148.18

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: D8597CC4

inbound esp sas:

spi: 0xEBE8C6A1 (3957900961)

transform: esp-aes-256 esp-md5-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap

sa timing: remaining key lifetime (kB/sec): (4274992/28740)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0xD8597CC4 (3629743300)

transform: esp-aes-256 esp-md5-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap

sa timing: remaining key lifetime (kB/sec): (4274995/28740)

IV size: 16 bytes

replay detection support: Y

Kind Regards

Hubert

a.alekseev · ‎07-24-2008

I think shoud be

crypto map glogar-cryptomap 33 set pfs group2

HUBERT RESCH · ‎07-24-2008

Hi , thanks thats what I already tried , but it seems that this is what I already configured on ASA 8.0.3

crypto map glogar-cryptomap 33 set pfs group2

In the running config I just can see

crypto map glogar-cryptomap 33 set pfs

so I assume pfs group 2 is the default for 8.0.3

Hubert

edtsang · ‎08-19-2008

I think the sequence# for dynamic map should be lower that of the static crypto map.

Eddie Tsang