01-19-2009 06:37 AM
Hi everyone,
I'm having a bit of an odd issue here, and although I've had a good look through netpro I can't seem to find an issue like this that has been resolved.
I have an ASA5510 (version 7.07) in a data centre that runs a number of site-to-site and RAS VPNs which I have configured previously with no issues. We've been asked to set up an l2l VPN to a 3725 router running 12.4 IOS on a new site, but the issues I am getting I've never seen before.
On the ASA, when the tunnel attempts to establish I get these entries in the log:
4|Jan 19 2009 12:37:07|113019: Group = 81.X.X.4, Username = 81.X.X.4, IP = 81.X.X.4, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 19 2009 12:37:07|713902: Group = 81.X.X.4, IP = 81.X.X.4, Removing peer from correlator table failed, no match!
3|Jan 19 2009 12:37:07|713902: Group = 81.X.X.4, IP = 81.X.X.4, QM FSM error (P2 struct &0x3ae4180, mess id 0x4a7e9acc)!
5|Jan 19 2009 12:37:07|713904: Group = 81.X.X.4, IP = 81.X.X.4, All IPSec SA proposals found unacceptable!
3|Jan 19 2009 12:37:07|713119: Group = 81.X.X.4, IP = 81.X.X.4, PHASE 1 COMPLETED
6|Jan 19 2009 12:37:07|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 81.X.X.4
On the router side, we see debug errors such as:
*Mar 1 00:28:13.943: ISAKMP (0:1017): received packet from 92.X.X.210 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 00:28:13.943: ISAKMP: set new node 669154541 to QM_IDLE
*Mar 1 00:28:13.943: ISAKMP:(1017): processing HASH payload. message ID = 669154541
*Mar 1 00:28:13.943: ISAKMP:(1017): processing DELETE payload. message ID = 669154541
*Mar 1 00:28:13.943: ISAKMP:(1017):peer does not do paranoid keepalives.
*Mar 1 00:28:13.943: ISAKMP:(1017):deleting SA reason "No reason" state (R) QM_IDLE (peer 92.X.X.210)
*Mar 1 00:28:13.943: ISAKMP:(1017):deleting node 669154541 error FALSE reason "Informational (in) state 1"
*Mar 1 00:28:13.943: ISAKMP: set new node -1664882549 to QM_IDLE
*Mar 1 00:28:13.943: ISAKMP:(1017):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 00:28:13.943: ISAKMP:(1017):Old State = IKE_P1_COMPLETE New State = IKE_DEST_S
To me it looks as if phase 1 is completing OK, but then phase 2 fails as there are apparently no matching IPsec SAs.
I've gone through the configs of both boxes, and I can't see anything obviously wrong, but then of course I could have missed something.
Here are the important (I think) bits of config from the boxes concerned:
ASA5510:
access-list outside_cryptomap_100 extended permit ip 10.21.0.0 255.255.0.0 10.101.8.0 255.255.255.0
tunnel-group 81.X.X.4 type ipsec-l2l
tunnel-group 81.X.X.4 ipsec-attributes
pre-shared-key *
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 81.X.X.4
crypto map outside_map 100 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
And on the router:
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 92.X.X.210
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set xxx esp-des esp-md5-hmac
!
crypto map xxx_holan 11 ipsec-isakmp
set peer 92.X.X.210
set transform-set assura
match address 120
access-list 120 permit ip 10.101.8.0 0.0.0.255 10.21.0.0 0.0.255.255
Thanks in advance for your assistance.
Regards,
-Gordon
01-19-2009 07:11 AM
Your transform sets are not the same:
on the asa : ESP-3DES-MD5 ESP-3DES-SHA
on the router : esp-des esp-md5-hmac
In your ASA log, you can see this:
Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
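The mismatch above is the kind of thing a config review catches before the tunnel is ever brought up. The following checker is an added example, not code from the thread or from Cisco: it reads the ASA and IOS snippets posted in the question, resolves the transform-sets each crypto map actually offers (on the ASA the named sets ESP-3DES-MD5 and ESP-3DES-SHA are only referenced, their definitions are not in the post, so the standard ASDM default definitions are assumed here), mirrors the crypto ACLs (subnet mask on the ASA, wildcard mask on IOS), and reports what the two peers have in common. It also flags a second problem visible in the posted router config: the crypto map references a transform-set named `assura` while the only definition is named `xxx`, which may be a redaction artifact but would on its own leave the map with nothing to propose. A constructed corrected router config is included to show the check passing once the name resolves and the encryption algorithm agrees.

```python
"""Offline Phase 2 (IPsec) proposal comparison for two Cisco crypto configs.

Added example for the thread above; not part of the original post.
"""
import ipaddress
import re

# ASA side, as posted. The two 'crypto ipsec transform-set' lines are an
# assumption (the post does not show them); they are the ASDM default names.
ASA_CONFIG = """
access-list outside_cryptomap_100 extended permit ip 10.21.0.0 255.255.0.0 10.101.8.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
"""

# Router side, as posted: defines 'xxx' (single DES) but the map references 'assura'.
ROUTER_CONFIG = """
crypto ipsec transform-set xxx esp-des esp-md5-hmac
crypto map xxx_holan 11 ipsec-isakmp
 set transform-set assura
 match address 120
access-list 120 permit ip 10.101.8.0 0.0.0.255 10.21.0.0 0.0.255.255
"""

# Constructed corrected router side: the reference resolves and 3DES matches the ASA.
ROUTER_CONFIG_FIXED = """
crypto ipsec transform-set assura esp-3des esp-md5-hmac
crypto map xxx_holan 11 ipsec-isakmp
 set transform-set assura
 match address 120
access-list 120 permit ip 10.101.8.0 0.0.0.255 10.21.0.0 0.0.255.255
"""

TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+)$", re.M)
REF_RE = re.compile(r"^\s*(?:crypto map \S+ \d+ )?set transform-set (.+)$", re.M)
MATCH_RE = re.compile(r"match address (\S+)\s*$", re.M)
ASA_ACL_RE = re.compile(r"^\s*access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
IOS_ACL_RE = re.compile(r"^\s*access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)


def transform_sets(cfg):
    """Map each defined transform-set name to the frozenset of its ESP algorithms."""
    return {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(cfg)}


def proposals(cfg):
    """Return (algorithm sets the crypto map will offer, names it references but never defines)."""
    defined = transform_sets(cfg)
    offered, unresolved = set(), []
    for m in REF_RE.finditer(cfg):
        for name in m.group(1).split():
            if name in defined:
                offered.add(defined[name])
            else:
                unresolved.append(name)
    return offered, unresolved


def to_network(addr, mask, wildcard):
    """Build a network from address + subnet mask (ASA) or address + wildcard mask (IOS)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_name(cfg):
    """Name or number of the crypto ACL the first crypto map entry matches on."""
    return MATCH_RE.search(cfg).group(1)


def crypto_acl(cfg, name, wildcard):
    """Set of (src, dst) network pairs protected by the named crypto ACL."""
    pattern = IOS_ACL_RE if wildcard else ASA_ACL_RE
    return {
        (to_network(m.group(2), m.group(3), wildcard), to_network(m.group(4), m.group(5), wildcard))
        for m in pattern.finditer(cfg) if m.group(1) == name
    }


def report(asa_cfg, router_cfg):
    """Compare what each side offers for Phase 2 and whether the crypto ACLs mirror."""
    asa_offered, asa_unresolved = proposals(asa_cfg)
    rtr_offered, rtr_unresolved = proposals(router_cfg)
    asa_pairs = crypto_acl(asa_cfg, acl_name(asa_cfg), wildcard=False)
    rtr_pairs = crypto_acl(router_cfg, acl_name(router_cfg), wildcard=True)
    fmt = lambda sets: sorted(" ".join(sorted(t)) for t in sets)
    return {
        "asa_offers": fmt(asa_offered),
        "router_offers": fmt(rtr_offered),
        "common": fmt(asa_offered & rtr_offered),          # empty => Phase 2 Mismatch
        "unresolved": asa_unresolved + rtr_unresolved,     # referenced but undefined names
        "acl_mirrored": asa_pairs == {(d, s) for s, d in rtr_pairs},
    }


if __name__ == "__main__":
    for label, rtr in (("as posted", ROUTER_CONFIG), ("corrected", ROUTER_CONFIG_FIXED)):
        print(label, report(ASA_CONFIG, rtr))
```

On the posted configs the report shows the ASA offering two 3DES sets, the router offering nothing (its only reference is unresolved), and the single defined router set using `esp-des`; the ACLs mirror correctly, so address selection is not the cause. On the corrected router config the two sides share `esp-3des esp-md5-hmac` and Phase 2 would have a proposal to agree on.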