07-24-2008 12:23 PM - edited 03-11-2019 06:19 AM
Hi, I replaced a PIX506E with an ASA 5505.
Before, I had a Site2Site tunnel between two PIX506E running 6.3.4.
Now one of them is replaced by an ASA 5505 running 8.0.3.
Now it happens very often that the IPSEC tunnel is disconnected and we get the following error messages in the ASDM log:
5|Jul 24 2008 22:09:03|713904: Group = 80.123.148.18, IP = 80.123.148.18, All IPSec SA proposals found unacceptable!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, QM FSM error (P2 struct &0xd7efa5f0, mess id 0xb06b549f)!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, Removing peer from correlator table failed, no match!
Afterwards it is established again.
What could be the problem?
As you can see, normally the tunnel is up and running, so it seems to be a temporary problem and I have no idea what triggers this:
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 80.123.148.18
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
glogar-asa# sh crypto ipsec sa
interface: outside
Crypto map tag: glogar-cryptomap, seq num: 33, local addr: 80.121.213.30
access-list nach_enns permit ip 192.168.107.0 255.255.255.0 192.168.207.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.207.0/255.255.255.0/0/0)
current_peer: 80.123.148.18
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 80.121.213.30, remote crypto endpt.: 80.123.148.18
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D8597CC4
inbound esp sas:
spi: 0xEBE8C6A1 (3957900961)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap
sa timing: remaining key lifetime (kB/sec): (4274992/28740)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD8597CC4 (3629743300)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap
sa timing: remaining key lifetime (kB/sec): (4274995/28740)
IV size: 16 bytes
replay detection support: Y
Kind Regards
Hubert
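The three ASDM log lines above (message ids 713904 and 713902) are what an operator has to spot among everything else the ASA logs. As an added example, not from the original post, here is a small parser that reads lines in that ASDM format, groups IKE events per peer and flags peers whose phase 2 proposals were rejected; the input reuses the post's three lines plus two constructed extra lines (peer 203.0.113.9 and one non-IKE message) to show the grouping and the skipping.

```python
import re
from collections import Counter

# Sample input: the three lines from the post, plus two constructed lines
# (a second peer 203.0.113.9 and a non-IKE connection message) for illustration.
SAMPLE_LOG = """\
5|Jul 24 2008 22:09:03|713904: Group = 80.123.148.18, IP = 80.123.148.18, All IPSec SA proposals found unacceptable!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, QM FSM error (P2 struct &0xd7efa5f0, mess id 0xb06b549f)!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, Removing peer from correlator table failed, no match!
5|Jul 24 2008 22:10:15|713904: Group = 203.0.113.9, IP = 203.0.113.9, All IPSec SA proposals found unacceptable!
6|Jul 24 2008 22:10:16|302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4444 (203.0.113.9/4444) to inside:192.168.107.10/22 (192.168.107.10/22)
"""

# ASDM format seen in the post: <severity>|<timestamp>|<msgid>: Group = <peer>, IP = <peer>, <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$"
)

# Message ids from the post and what they mean for a site-to-site tunnel.
PHASE2_MISMATCH = "713904"  # no IPsec SA proposal accepted: transform set, PFS or proxy ACL differs
QM_FSM_ERROR = "713902"     # Quick Mode state machine error, follows a failed phase 2 negotiation


def parse_asdm_log(text):
    """Return one dict per IKE log line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_peer(events):
    """Map each peer IP to a Counter of phase 2 rejections and QM FSM errors."""
    summary = {}
    for e in events:
        counts = summary.setdefault(e["ip"], Counter())
        if e["msgid"] == PHASE2_MISMATCH:
            counts["mismatch"] += 1
        elif e["msgid"] == QM_FSM_ERROR:
            counts["qm_error"] += 1
    return summary


def flapping_peers(summary, threshold=1):
    """Peers whose proposals were rejected at least `threshold` times; those are the
    tunnels whose transform set, PFS group and crypto ACL should be compared end to end."""
    return sorted(peer for peer, c in summary.items() if c["mismatch"] >= threshold)
```

Running it over the sample shows peer 80.123.148.18 with one rejection and two QM errors, matching the pattern described in the post.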
07-24-2008 12:46 PM
I think it should be
crypto map glogar-cryptomap 33 set pfs group2
07-24-2008 01:24 PM
Hi, thanks, that's what I already tried, but it seems that this is what I already configured on ASA 8.0.3:
crypto map glogar-cryptomap 33 set pfs group2
In the running config I can only see
crypto map glogar-cryptomap 33 set pfs
so I assume PFS group 2 is the default for 8.0.3.
Hubert
08-19-2008 08:06 PM
I think the sequence# for the dynamic map should be lower than that of the static crypto map.
Eddie Tsang