01-08-2009 04:59 AM - edited 02-21-2020 03:12 AM
Hi all.
One of our customers has an ASA 5505. We have 4 remote sites working fine (the remote sites have 1841s with the security pack, and have all formed tunnels in OK).
We've visited our last site to be configured, set the router up exactly as the others, but we're now getting the below errors, taken from the head office ASA debug log.
The engineer assures me the shared key is correct. What else could be the issue?
5 Jan 08 2009 04:58:41 713904 IP = 81.179.5.13, Received encrypted packet with no matching SA, dropping
4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, Removing peer from correlator table failed, no match!
3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, QM FSM error (P2 struct &0x3d584f8, mess id 0x40198ae4)!
5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!
3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED
6 Jan 08 2009 04:58:41 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 81.179.5.13
4 Jan 08 2009 04:58:41 713903 Group = 81.179.5.13, IP = 81.179.5.13, Freeing previously allocated memory for authorization-dn-attributes
01-08-2009 05:59 AM
OK, fixed this. The tunnel for this particular site had DES configured on the ASA; we're actually using 3DES. Rectified now, the tunnel's formed OK. Can't route anything over it, mind... but that's another story...
01-08-2009 10:10 AM
Huw
DES instead of 3DES would certainly explain the error messages in your original post. If you are able to bring up the tunnel but not to route anything over it, my first suggestion would be to check the access list that identifies traffic for the VPN tunnel for possible omissions/mismatches.
HTH
Rick
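Added example, not part of the thread: a small Python triage of ASA VPN log text that separates "Phase 1 completed, Phase 2 proposals rejected" (the pattern in the original post, which points at the transform sets rather than the shared key) from a healthy tunnel. The function name, verdict strings and the fourth sample line (a constructed "PHASE 2 COMPLETED" entry for the documentation address 192.0.2.10) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Three lines copied from the post, plus one constructed line for a healthy
# peer (192.0.2.10 is a documentation address, not from the thread).
SAMPLE_LOG = """\
4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!
3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED
5 Jan 08 2009 04:59:02 713120 Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3}),")
MARKERS = {
    "phase1_ok": ("PHASE 1 COMPLETED",),
    "phase2_ok": ("PHASE 2 COMPLETED",),
    "phase2_rejected": ("All IPSec SA proposals found unacceptable",
                        "Reason: Phase 2 Mismatch"),
}

def triage(log_text):
    """Return {peer_ip: verdict} from ASA VPN log text."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        for flag, needles in MARKERS.items():
            if any(n in line for n in needles):
                seen[m.group(1)].add(flag)
    verdicts = {}
    for peer, flags in seen.items():
        if "phase2_ok" in flags:
            verdicts[peer] = "tunnel up"
        elif {"phase1_ok", "phase2_rejected"} <= flags:
            # Phase 1 finished, so the peers authenticated; only the
            # IPsec proposal (transform set) negotiation failed.
            verdicts[peer] = "phase 2 proposal mismatch: compare transform sets"
        elif "phase2_rejected" in flags:
            verdicts[peer] = "phase 2 rejected: phase 1 result not in this log"
        else:
            verdicts[peer] = "phase 1 only: no phase 2 result logged"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG).items():
        print(peer, "->", verdict)
```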