Lan 2 Lan VPN between ASA 5510 (7.07) and 3725 router (12.4)

gordonmarkus
Level 1

Hi everyone,

I'm having a bit of an odd issue here, and although I've had a good look through netpro I can't seem to find an issue like this that has been resolved.

I have an ASA5510 (version 7.07) in a data centre that runs a number of site-to-site and RAS VPNs which I have configured previously with no issues. We've been asked to set up an l2l VPN to a 3725 router running 12.4 IOS on a new site, but the issues I am getting I've never seen before.

On the ASA, when the tunnel attempts to establish I get these entries in the log:

4|Jan 19 2009 12:37:07|113019: Group = 81.X.X.4, Username = 81.X.X.4, IP = 81.X.X.4, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Jan 19 2009 12:37:07|713902: Group = 81.X.X.4, IP = 81.X.X.4, Removing peer from correlator table failed, no match!
3|Jan 19 2009 12:37:07|713902: Group = 81.X.X.4, IP = 81.X.X.4, QM FSM error (P2 struct &0x3ae4180, mess id 0x4a7e9acc)!
5|Jan 19 2009 12:37:07|713904: Group = 81.X.X.4, IP = 81.X.X.4, All IPSec SA proposals found unacceptable!
3|Jan 19 2009 12:37:07|713119: Group = 81.X.X.4, IP = 81.X.X.4, PHASE 1 COMPLETED
6|Jan 19 2009 12:37:07|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 81.X.X.4

On the router side, we see debug errors such as:

*Mar 1 00:28:13.943: ISAKMP (0:1017): received packet from 92.X.X.210 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 00:28:13.943: ISAKMP: set new node 669154541 to QM_IDLE
*Mar 1 00:28:13.943: ISAKMP:(1017): processing HASH payload. message ID = 669154541
*Mar 1 00:28:13.943: ISAKMP:(1017): processing DELETE payload. message ID = 669154541
*Mar 1 00:28:13.943: ISAKMP:(1017):peer does not do paranoid keepalives.
*Mar 1 00:28:13.943: ISAKMP:(1017):deleting SA reason "No reason" state (R) QM_IDLE (peer 92.X.X.210)
*Mar 1 00:28:13.943: ISAKMP:(1017):deleting node 669154541 error FALSE reason "Informational (in) state 1"
*Mar 1 00:28:13.943: ISAKMP: set new node -1664882549 to QM_IDLE
*Mar 1 00:28:13.943: ISAKMP:(1017):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 00:28:13.943: ISAKMP:(1017):Old State = IKE_P1_COMPLETE New State = IKE_DEST_S

To me it looks as if phase 1 is completing OK, but then phase 2 fails as there are apparently no matching IPsec SAs.

I've gone through the configs of both boxes, and I can't see anything obviously wrong, but then of course I could have missed something.

Here are the important (I think) bits of config from the boxes concerned:

ASA5510:

access-list outside_cryptomap_100 extended permit ip 10.21.0.0 255.255.0.0 10.101.8.0 255.255.255.0

tunnel-group 81.X.X.4 type ipsec-l2l
tunnel-group 81.X.X.4 ipsec-attributes
 pre-shared-key *

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 81.X.X.4
crypto map outside_map 100 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

And on the router:

crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 92.X.X.210
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set xxx esp-des esp-md5-hmac
!
crypto map xxx_holan 11 ipsec-isakmp
 set peer 92.X.X.210
 set transform-set assura
 match address 120

access-list 120 permit ip 10.101.8.0 0.0.0.255 10.21.0.0 0.0.255.255

Thanks in advance for your assistance.

Regards,

-Gordon

1 Reply

dominic.caron
Level 5

Your transform sets are not the same:

On the ASA: ESP-3DES-MD5 ESP-3DES-SHA

On the router: esp-des esp-md5-hmac

In your ASA log, you can see this:

Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
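As an added example (not from either poster), a small Python check that applies the diagnosis above to the two configs quoted in the question: it expands the ASA's named transform sets (assumed here to be the ASDM defaults, so ESP-3DES-MD5 means esp-3des with esp-md5-hmac) and tests whether the router's proposal is among them, and it also checks the other common cause of a Phase 2 mismatch, non-mirrored crypto ACLs, by converting the ASA netmask and IOS wildcard forms into comparable networks.

```python
import ipaddress
import re

# Constructed from the two configs quoted in the question above. The ASA's
# named transform sets are assumed to be the ASDM defaults (ESP-3DES-MD5 is
# esp-3des + esp-md5-hmac, ESP-3DES-SHA is esp-3des + esp-sha-hmac).
ASA_TRANSFORM_LINE = "crypto map outside_map 100 set transform-set ESP-3DES-MD5 ESP-3DES-SHA"
ASA_ACL_LINE = ("access-list outside_cryptomap_100 extended permit ip "
                "10.21.0.0 255.255.0.0 10.101.8.0 255.255.255.0")
IOS_TRANSFORM_LINE = "crypto ipsec transform-set xxx esp-des esp-md5-hmac"
IOS_ACL_LINE = "access-list 120 permit ip 10.101.8.0 0.0.0.255 10.21.0.0 0.0.255.255"

def asa_proposals(line):
    """Expand ASA names of the form ESP-<encr>-<hash> into (encr, integrity) pairs."""
    names = line.split("set transform-set", 1)[1].split()
    proposals = set()
    for name in names:
        _, encr, integ = name.split("-")
        proposals.add((f"esp-{encr.lower()}", f"esp-{integ.lower()}-hmac"))
    return proposals

def ios_proposal(line):
    """Read the (encr, integrity) pair from an IOS 'crypto ipsec transform-set' line."""
    parts = line.split()
    return (parts[4], parts[5])

def acl_networks(line):
    """Return (source, destination) networks from an ASA (netmask) or IOS (wildcard) ACE."""
    src, smask, dst, dmask = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line).groups()
    # ipaddress treats a mask starting with a zero octet as a hostmask, i.e. an IOS wildcard.
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def proposal_matches(asa_line, ios_line):
    """Phase 2 only completes if the router's proposal is one the ASA's map accepts."""
    return ios_proposal(ios_line) in asa_proposals(asa_line)

def proxy_ids_mirrored(asa_acl, ios_acl):
    """Each side's crypto ACL must be the exact mirror image of the other's."""
    asa_src, asa_dst = acl_networks(asa_acl)
    ios_src, ios_dst = acl_networks(ios_acl)
    return asa_src == ios_dst and asa_dst == ios_src

def diagnose():
    return {
        "proposal_match": proposal_matches(ASA_TRANSFORM_LINE, IOS_TRANSFORM_LINE),
        "proxy_ids_mirrored": proxy_ids_mirrored(ASA_ACL_LINE, IOS_ACL_LINE),
        "asa_accepts": sorted(asa_proposals(ASA_TRANSFORM_LINE)),
        "router_offers": ios_proposal(IOS_TRANSFORM_LINE),
    }
```

Calling diagnose() shows the proposal check failing exactly as the ASA's "Phase 2 Mismatch" log line reports, while the proxy IDs on the two crypto ACLs mirror correctly.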
