ASA 5520 can not establish IKE phase 2

Jun 22nd, 2009

Trying to establish VPN between two ASA5520

Got stuck at


ciscoasa# sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.254.17.9
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2


Looks like IKE phase 2 does not go through..


config1:

access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *


Config2:

access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
 pre-shared-key *


I would appreciate any help..


auraza (Cisco Employee) Mon, 06/22/2009 - 06:18

You need "crypto isakmp enable outside" on the ASAs.

fgasimzade Mon, 06/22/2009 - 06:42

After I enabled isakmp on the outside interface, I get the following error in debug messages:


Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE MM Initiator FSM error history (struct &0xc958f6c0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1-->MM_BLD_MSG1, EV_CREATE_TMR
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE SA MM:64292783 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, sending delete/delete with reason message
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Removing peer from peer table failed, no match!
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error: Unable to remove PeerTblEntry
Jun 22 07:06:51 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!

auraza (Cisco Employee) Mon, 06/22/2009 - 06:46

Make sure crypto isakmp enable outside is on both ASAs.

fgasimzade Mon, 06/22/2009 - 06:59

It is enabled on both ASAs.


What bothers me is this message:


Jun 22 07:53:44 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:53:44 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1
Jun 22 07:54:16 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!


auraza (Cisco Employee) Mon, 06/22/2009 - 07:04

Please can you post the entire debugs from both ASAs:

debug crypto isakmp 127
debug crypto ipsec 127


Attach the debug as text files.


Also, please change your IPSec crypto ACL (acl 110) to only include the internal subnets, and not any any.

fgasimzade Mon, 06/22/2009 - 07:29

This is the output from one of the ASAs. Unfortunately, I have no access to the second right now.

auraza (Cisco Employee) Mon, 06/22/2009 - 07:33

We would need to see the debugs from the other side. This debug says that we sent a packet to the ASA, but never got a response back.



fgasimzade Mon, 06/22/2009 - 07:39

I will be able to do it tomorrow. Thank you for your help!

fgasimzade Mon, 06/22/2009 - 23:50

The issue is solved now.. It is weird, I used 3des instead of des and the config worked just fine.. Thank you
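Added example, not from the thread or from Cisco: a Python helper that checks the two ASA snippets the way this thread was debugged. It flags a crypto-map interface without "crypto isakmp enable" (the first reply's fix), ISAKMP policies or transform sets with no match on the peer (the "All SA proposals found unacceptable" case), and the DES/MD5 algorithms the poster ended up replacing; MM_WAIT_MSG2 is an IKEv1 main-mode (phase 1) state, so a tunnel stuck there has not reached phase 2 at all. CONFIG1/CONFIG2 are constructed from the thread's config1 and config2 with the non-crypto lines dropped.

```python
WEAK = {"des", "md5"}  # DES and MD5 are deprecated for IKE/IPsec; prefer AES and SHA-2
CONFIG1 = """  # constructed: the thread's config1 as posted (no "crypto isakmp enable")
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
"""
CONFIG2 = CONFIG1.replace("10.254.17.9", "10.254.17.10") + "crypto isakmp enable outside\n"  # peer, isakmp enabled

def parse_asa(text):
    cfg = {"isakmp_if": set(), "map_if": None, "map_tset": None, "tsets": {}, "policies": {}}
    policy = None
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_if"].add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["policies"].setdefault(w[3], {})
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and "interface" in w:
            cfg["map_if"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "transform-set" in w:
            cfg["map_tset"] = w[-1]
        elif policy is not None and w and w[0] in ("authentication", "encryption", "hash", "group"):
            policy[w[0]] = w[1]  # lifetime is negotiated down, so it is not compared
    return cfg

def check_pair(a, b):
    # Findings that explain a tunnel stuck in MM_WAIT_MSG2 or a failed phase 2.
    out = []
    for name, cfg in (("A", a), ("B", b)):
        if cfg["map_if"] not in cfg["isakmp_if"]:
            out.append(f"{name}: add 'crypto isakmp enable {cfg['map_if']}'")
        algs = {v for p in cfg["policies"].values() for v in p.values()}
        algs |= {t.replace("esp-", "").replace("-hmac", "") for t in cfg["tsets"].get(cfg["map_tset"], ())}
        if algs & WEAK:
            out.append(f"{name}: deprecated algorithms {sorted(algs & WEAK)}")
    pa, pb = ({tuple(sorted(p.items())) for p in c["policies"].values()} for c in (a, b))
    if not pa & pb:
        out.append("phase 1: no ISAKMP policy in common ('All SA proposals found unacceptable')")
    if a["tsets"].get(a["map_tset"]) != b["tsets"].get(b["map_tset"]):
        out.append("phase 2: crypto-map transform sets differ")
    return out
```

Running check_pair(parse_asa(CONFIG1), parse_asa(CONFIG2)) reports the missing isakmp enable on A and the DES/MD5 choice on both sides; changing only one peer to 3des adds the phase 1 and phase 2 mismatch findings.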
