one remote site can't VPN in, getting SA errors (ASA5505)

Unanswered Question
Jan 8th, 2009

Hi all.

One of our customers has an ASA 5505. We have 4 remote sites working fine (the remote sites have 1841s with the security pack, and have all formed tunnels in OK).

We've visited our last site to be configured, set the router up exactly as the others, but we're now getting the errors below, taken from the head office ASA debug log.

The engineer assures me the shared key is correct. What else could be the issue?

5 Jan 08 2009 04:58:41 713904 IP = 81.179.5.13, Received encrypted packet with no matching SA, dropping

4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, Removing peer from correlator table failed, no match!

3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, QM FSM error (P2 struct &0x3d584f8, mess id 0x40198ae4)!

5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!

3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED

6 Jan 08 2009 04:58:41 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 81.179.5.13

4 Jan 08 2009 04:58:41 713903 Group = 81.179.5.13, IP = 81.179.5.13, Freeing previously allocated memory for authorization-dn-attributes

davieshuw Thu, 01/08/2009 - 05:59

OK, fixed this. The tunnel for this particular site had DES configured on the ASA; we're actually using 3DES. Rectified, and now the tunnels form OK. Can't route anything over it, mind... but that's another story.

Richard Burts Thu, 01/08/2009 - 10:10

Huw

DES instead of 3DES would certainly explain the error messages in your original post. If you are able to bring up the tunnel but not to route anything over it, my first suggestion would be to check the access list that identifies traffic for the VPN tunnel for possible omissions/mismatches.

HTH

Rick
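The mismatch Huw describes (DES in the ASA transform set, 3DES on the 1841) and the access-list check Rick suggests, shown side by side as an added example. This is not configuration from the original thread or from the poster's network; the transform-set, crypto-map and ACL names, the head-office address 203.0.113.1 and the LAN prefixes are assumptions, and only the remote peer address 81.179.5.13 comes from the posted log lines. Syntax is ASA 8.x and IOS 12.4.

```cisco
! ===== Head-office ASA 5505 (ASA 8.x), BEFORE the fix =======================
! Assumed names throughout; only the peer 81.179.5.13 is from the log.
! Phase 1 completed (713119), so the ISAKMP policy and pre-shared key were
! already matching; it was the quick-mode (Phase 2) proposal that was rejected
! with 713904 "All IPSec SA proposals found unacceptable".
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 81.179.5.13 type ipsec-l2l
tunnel-group 81.179.5.13 ipsec-attributes
 pre-shared-key *****
! Interesting traffic: head-office LAN -> remote LAN (assumed prefixes)
access-list outside_cryptomap_50 extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
! The offending transform set: single DES, while the 1841 proposes 3DES
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer 81.179.5.13
crypto map outside_map 50 set transform-set ESP-DES-SHA
crypto map outside_map interface outside

! ===== Head-office ASA, AFTER the fix ========================================
! Define a 3DES/SHA transform set and point crypto map entry 50 at it.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 50 set transform-set ESP-3DES-SHA

! ===== Remote 1841 (IOS 12.4), the side the ASA has to mirror ===============
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Mirror image of the ASA ACL: remote LAN -> head-office LAN (wildcard masks)
access-list 100 permit ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 100
interface FastEthernet0/0
 crypto map VPN_MAP

! ===== Checks to run on each side =============================================
! ASA: show run crypto map                (transform set bound to entry 50)
!      show crypto isakmp sa              (Phase 1 up: MM_ACTIVE)
!      show crypto ipsec sa peer 81.179.5.13   (Phase 2 SAs, encaps/decaps counters)
! IOS: show crypto ipsec transform-set
!      show crypto map
!      show crypto ipsec sa
```

The Phase 2 proposal is compared on the cipher, the integrity algorithm, the mode (tunnel/transport) and, if enabled, the PFS group, so all of these must agree on both peers, not just the cipher. For the "tunnel forms but nothing routes" follow-up, the two crypto ACLs must be exact mirror images (the same pair of subnets, swapped); a non-mirrored ACL produces a tunnel with working Phase 2 but encaps/decaps counters that never move in `show crypto ipsec sa`. On the ASA, traffic for the tunnel also has to be exempted from NAT (the `nat 0 access-list` rule on 8.x), which is a separate, common cause of the same symptom and is not something the thread confirms in this case.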
