one remote site can't VPN in, getting SA errors (ASA5505)

Jan 8th, 2009

Hi all.


One of our customers has an ASA 5505. We have 4 remote sites working fine (the remote sites have 1841s with the security pack, and have all formed tunnels in OK).


We've visited our last site to be configured, set the router up exactly as the others, but we're now getting the below errors, taken from the head office ASA debug log.


The engineer assures me the shared key is correct. What else could be the issue?


5 Jan 08 2009 04:58:41 713904 IP = 81.179.5.13, Received encrypted packet with no matching SA, dropping

4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, Removing peer from correlator table failed, no match!

3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, QM FSM error (P2 struct &0x3d584f8, mess id 0x40198ae4)!

5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!

3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED

6 Jan 08 2009 04:58:41 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 81.179.5.13

4 Jan 08 2009 04:58:41 713903 Group = 81.179.5.13, IP = 81.179.5.13, Freeing previously allocated memory for authorization-dn-attributes

davieshuw Thu, 01/08/2009 - 05:59

Ok, fixed this. The tunnel for this particular site had DES configured on the ASA; we're actually using 3DES. Rectified now, the tunnels formed OK. Can't route anything over it mind... but that's another story...

Richard Burts Thu, 01/08/2009 - 10:10

Huw


DES instead of 3DES would certainly explain the error messages in your original post. If you are able to bring up the tunnel but not to route anything over it, my first suggestion would be to check the access list that identifies traffic for the VPN tunnel for possible omissions/mismatches.


HTH


Rick
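As an added example, not part of this thread or of Cisco's tooling, the following script applies the reasoning used above to the ASA log lines quoted in the question: a PHASE 1 COMPLETED (713119) line followed by "All IPSec SA proposals found unacceptable" / "Phase 2 Mismatch" means the pre-shared key is fine and the problem is the IPsec transform set (here DES vs 3DES), PFS or crypto ACL. The line format and verdict names are assumptions for this example; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# ASA log lines copied from the original post (the viewer lists newest first).
# Assumed format: <severity> <timestamp> <message id> <body>
SAMPLE_LOG = """\
5 Jan 08 2009 04:58:41 713904 IP = 81.179.5.13, Received encrypted packet with no matching SA, dropping
4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, QM FSM error (P2 struct &0x3d584f8, mess id 0x40198ae4)!
5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!
3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d)\s+(?P<msgid>\d{6})\s+(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")

def parse(log_text):
    """Turn raw viewer lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = PEER_RE.search(m["body"])
        events.append({"msgid": m["msgid"], "peer": peer.group(1) if peer else "?", "body": m["body"]})
    return events

def diagnose(events):
    """Per peer, decide how far IKE got. Heuristic (assumption of this example): 713119 means
    IKE phase 1, and therefore the pre-shared key, is fine; a rejected IPsec proposal after
    that is a phase 2 mismatch, so the PSK is not the thing to re-check."""
    msgs, bodies = defaultdict(set), defaultdict(list)
    for e in events:
        msgs[e["peer"]].add(e["msgid"])
        bodies[e["peer"]].append(e["body"])
    verdicts = {}
    for peer in msgs:
        text = " ".join(bodies[peer])
        p2_rejected = "proposals found unacceptable" in text or "Phase 2 Mismatch" in text
        if "713119" in msgs[peer] and p2_rejected:
            verdicts[peer] = ("phase2-proposal-mismatch",
                              "phase 1 completed, so the PSK matches; compare the IPsec transform set "
                              "(e.g. DES vs 3DES), PFS group and crypto ACL on both ends")
        elif "713119" in msgs[peer]:
            verdicts[peer] = ("phase1-only", "IKE SA up, no phase 2 error seen in this window")
        else:
            verdicts[peer] = ("phase1-incomplete", "no PHASE 1 COMPLETED: check PSK, IKE policy and reachability")
    return verdicts

if __name__ == "__main__":
    for peer, (code, hint) in diagnose(parse(SAMPLE_LOG)).items():
        print(f"{peer}: {code} - {hint}")
```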
