01-28-2009 10:23 AM - edited 03-11-2019 07:43 AM
Hello,
I am trying to set up a VPN between an ASA 5510 and an 871 router.
I have enabled debug on the 871 router and I get these errors.
Router 871#
*Mar 3 05:42:32.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.10.100.3, remote x.x.x.194)
*Mar 3 05:42:32.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 3 05:42:32.971: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
Regards
01-28-2009 02:43 PM
Pascal
It is difficult to know what the problem is from this debug. Perhaps if it ran a bit longer we might see more of the attempt to negotiate and might see the problem.
But I would suggest that symptoms like this frequently are the result of a mismatch in configuration between the peers. I would suggest that you check to make sure that the peer addresses do match. Also check to be sure that the pre-shared keys used for ISAKMP negotiation match.
HTH
Rick
01-28-2009 11:07 PM
This is a part of my conf.
ASA5510.
access-list nonat extended permit ip 10.10.0.0 255.255.254.0 10.10.3.0 255.255.255.240
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map MAP 21 match address nonat
crypto map MAP 21 set peer 10.10.100.3
crypto map MAP 21 set transform-set avalanche
crypto map MAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
tunnel-group 10.10.100.3 type ipsec-l2l
tunnel-group 10.10.100.3 ipsec-attributes
pre-shared-key *
Router 871
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address x.x.x.194
crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
set peer x.x.x.194
set transform-set sharks
match address 120
interface FastEthernet4
ip address 10.10.100.3 255.255.255.240
duplex auto
speed auto
crypto map nolan
access-list 120 permit ip 10.10.3.0 0.0.0.15 10.10.0.0 0.0.1.255
01-29-2009 06:25 AM
The isakmp policy on the router does not have hash sha defined whereas the ASA does; try adding that.
Hope this helps.
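A way to check the ISAKMP policy comparison discussed in the replies above, as an added example that is not part of any post in this thread: it parses the phase 1 policy lines from both devices and lists the policy pairs that agree on every attribute. The sample configs are constructed from the excerpts posted here, and the IOS default values are an assumption about classic IOS behaviour for attributes that do not appear in the configuration.

```python
import re

# Constructed sample input, based on the excerpts posted in this thread.
ASA_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
"""
IOS_CONFIG = """\
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.194
"""
# Assumption: classic IOS defaults for attributes omitted from the config.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}
ALIASES = {"encr": "encryption"}  # IOS abbreviates the keyword in show run

def parse_asa(text):
    """ASA style: one 'isakmp policy N attr value' command per line."""
    policies = {}
    pattern = r"^(?:crypto )?isakmp policy (\d+) (\S+) (\S+)"
    for num, attr, value in re.findall(pattern, text, re.M):
        if attr in IOS_DEFAULTS:  # same four attribute names on both sides
            policies.setdefault(int(num), {})[attr] = value
    return policies

def parse_ios(text):
    """IOS style: a policy header followed by attribute sub-commands."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        words = line.split()
        attr = ALIASES.get(words[0], words[0]) if words else None
        if current is not None and attr in IOS_DEFAULTS and len(words) == 2:
            current[attr] = words[1]
        else:
            current = None  # any other command ends the policy block
    return policies

def mismatches(a, b):
    """Attributes on which two policies differ, as {attr: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k)) for k in IOS_DEFAULTS if a.get(k) != b.get(k)}

def compatible_pairs(asa, ios):
    """Phase 1 needs at least one policy pair that agrees on every attribute."""
    return [(x, y) for x, pa in asa.items() for y, pb in ios.items()
            if not mismatches(pa, pb)]
```

For the constructed excerpts, `compatible_pairs(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG))` returns `[(1, 11)]`, because under the assumed IOS default an omitted hash line already means sha.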
01-29-2009 10:02 AM
I have tried to add hash sha to the policy of my router but I have the same problem.
*Mar 3 05:42:32.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.10.100.3, remote x.x.x.194)
*Mar 3 05:42:32.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 3 05:42:32.971: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)
Regards