07-24-2008 12:23 PM - edited 03-11-2019 06:19 AM
Hi, I replaced a PIX 506E by an ASA 5505.
Before, I had a Site2Site tunnel between two PIX 506E running 6.3.4.
Now one of them is replaced by an ASA 5505 running 8.0.3.
Now it happens very often that the IPSEC tunnel is disconnected and we get the following error messages in the ASDM log:
5|Jul 24 2008 22:09:03|713904: Group = 80.123.148.18, IP = 80.123.148.18, All IPSec SA proposals found unacceptable!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, QM FSM error (P2 struct &0xd7efa5f0, mess id 0xb06b549f)!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, Removing peer from correlator table failed, no match!
Afterwards it is established again.
What could be the problem?
As you can see, normally the tunnel is up and running, so it seems to be a temporary problem and I have no idea what triggers this:
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 80.123.148.18
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
glogar-asa# sh crypto ipsec sa
interface: outside
Crypto map tag: glogar-cryptomap, seq num: 33, local addr: 80.121.213.30
access-list nach_enns permit ip 192.168.107.0 255.255.255.0 192.168.207.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.107.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.207.0/255.255.255.0/0/0)
current_peer: 80.123.148.18
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 80.121.213.30, remote crypto endpt.: 80.123.148.18
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D8597CC4
inbound esp sas:
spi: 0xEBE8C6A1 (3957900961)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap
sa timing: remaining key lifetime (kB/sec): (4274992/28740)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD8597CC4 (3629743300)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 458752, crypto-map: glogar-cryptomap
sa timing: remaining key lifetime (kB/sec): (4274995/28740)
IV size: 16 bytes
replay detection support: Y
Kind Regards
Hubert
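Added example, not part of the thread and not Cisco code: a small Python parser for ASDM log lines in the severity|timestamp|message-id format quoted in the post above. It groups the Phase 2 failure messages (713904 "All IPSec SA proposals found unacceptable" and 713902 "QM FSM error") by peer and flags peers where 713904 is followed by 713902, which points at a Phase 2 parameter mismatch between the two crypto maps (transform set, PFS group, lifetimes, proxy identities) rather than a transient network drop. The first three sample lines are the ones from the post; the remaining sample lines, the second peer address and all function names are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the ASDM log format quoted in the thread
# (severity|timestamp|message-id: Group = ..., IP = ..., text). The first
# three lines are the ones from the post; the remaining lines are made up
# here, with a documentation-range peer address, to show grouping by peer.
SAMPLE_LOG = """\
5|Jul 24 2008 22:09:03|713904: Group = 80.123.148.18, IP = 80.123.148.18, All IPSec SA proposals found unacceptable!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, QM FSM error (P2 struct &0xd7efa5f0, mess id 0xb06b549f)!
3|Jul 24 2008 22:09:03|713902: Group = 80.123.148.18, IP = 80.123.148.18, Removing peer from correlator table failed, no match!
3|Jul 24 2008 22:10:11|713902: Group = 192.0.2.10, IP = 192.0.2.10, QM FSM error (P2 struct &0x00000000, mess id 0x00000001)!
this line is not an IKE peer message and must be ignored
"""

# Message IDs seen in the thread. 713904 means the peer's Phase 2 proposal
# (transform set, PFS group, lifetime, proxy identities) matched nothing on
# this side; 713902 is the Quick Mode state-machine error that follows it.
MSG_PROPOSAL_UNACCEPTABLE = "713904"
MSG_QM_FSM_ERROR = "713902"

LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<text>.*)$"
)


@dataclass
class IkeEvent:
    severity: int
    timestamp: str
    msgid: str
    group: str
    peer: str
    text: str


def parse_line(line: str) -> Optional[IkeEvent]:
    """Parse one ASDM log line; return None for lines that are not IKE peer messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IkeEvent(
        severity=int(m["sev"]),
        timestamp=m["ts"],
        msgid=m["msgid"],
        group=m["group"],
        peer=m["ip"],
        text=m["text"],
    )


def parse_log(text: str) -> List[IkeEvent]:
    """Parse a whole log, silently skipping non-matching lines."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev is not None]


def phase2_errors_by_peer(events: List[IkeEvent]) -> Dict[str, List[IkeEvent]]:
    """Group the Phase 2 failure messages by peer address, preserving log order."""
    grouped: Dict[str, List[IkeEvent]] = defaultdict(list)
    for ev in events:
        if ev.msgid in (MSG_PROPOSAL_UNACCEPTABLE, MSG_QM_FSM_ERROR):
            grouped[ev.peer].append(ev)
    return dict(grouped)


def proposal_mismatch_peers(events: List[IkeEvent]) -> List[str]:
    """Peers whose failures show 713904 followed by 713902: a Phase 2
    parameter mismatch between the two crypto maps, not just a lost packet."""
    result = []
    for peer, evs in phase2_errors_by_peer(events).items():
        ids = [ev.msgid for ev in evs]
        if MSG_PROPOSAL_UNACCEPTABLE in ids:
            first = ids.index(MSG_PROPOSAL_UNACCEPTABLE)
            if MSG_QM_FSM_ERROR in ids[first + 1:]:
                result.append(peer)
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for peer, peer_evs in phase2_errors_by_peer(evs).items():
        print(f"{peer}: {len(peer_evs)} Phase 2 error message(s)")
    print("peers whose transform set / PFS group should be compared:",
          proposal_mismatch_peers(evs))
```

Run against a saved ASDM log export, the flagged peers are the ones where both sides' crypto map entries (transform set, PFS group, SA lifetimes and the matching access-list) should be compared line by line; a peer that only ever logs 713902 without a preceding 713904 is more likely a rekey or connectivity issue than a configuration mismatch.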
07-24-2008 12:46 PM
I think it should be
crypto map glogar-cryptomap 33 set pfs group2
07-24-2008 01:24 PM
Hi, thanks, that's what I already tried, but it seems that this is what I already configured on ASA 8.0.3:
crypto map glogar-cryptomap 33 set pfs group2
In the running config I can just see
crypto map glogar-cryptomap 33 set pfs
so I assume pfs group 2 is the default for 8.0.3.
Hubert
08-19-2008 08:06 PM
I think the sequence# for the dynamic map should be lower than that of the static crypto map.
Eddie Tsang