ASA 5520 can not establish IKE phase 2

fgasimzade
Level 4

Trying to establish VPN between two ASA5520

Got stuck at

ciscoasa# sh crypto isa sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 10.254.17.9

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

Looks like IKE phase 2 does not go through..

config1:

access-list 110 extended permit ip any any

route outside 0.0.0.0 0.0.0.0 10.254.17.9 1

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map mymap 10 match address 110

crypto map mymap 10 set peer 10.254.17.9

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

tunnel-group 10.254.17.9 type ipsec-l2l

tunnel-group 10.254.17.9 ipsec-attributes

pre-shared-key *

Config2:

access-list 110 extended permit ip any any

route outside 0.0.0.0 0.0.0.0 10.254.17.10 1

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map mymap 10 match address 110

crypto map mymap 10 set peer 10.254.17.10

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

tunnel-group 10.254.17.10 type ipsec-l2l

tunnel-group 10.254.17.10 ipsec-attributes

pre-shared-key *

I would appreciate any help..

12 Replies

auraza
Cisco Employee

You need "crypto isakmp enable outside" on the ASAs.

After I enabled isakmp on the outside interface, I get the following error in debug messages:

Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable

Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1

Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE MM Initiator FSM error history (struct &0xc958f6c0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1-->MM_BLD_MSG1, EV_CREATE_TMR

Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE SA MM:64292783 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, sending delete/delete with reason message

Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Removing peer from peer table failed, no match!

Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error: Unable to remove PeerTblEntry

Jun 22 07:06:51 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!
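As an added example (not code from the thread, Cisco, or the poster), here is a small Python classifier for ASA "debug crypto isakmp" output of the kind quoted above. It parses each line into timestamp, peer and message, reads the "FSM error history" (listed newest transition first) to find the state in which EV_ERROR fired and whether any message from the peer was ever received, and explains the messages seen in the post. The sample input is the post's own debug lines with the wrapped lines rejoined; the state descriptions are the standard IKEv1 main mode exchange and the message explanations are this example's, not Cisco's documentation.

```python
"""Read Cisco ASA 'debug crypto isakmp' output and say, per peer, where IKEv1 failed."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<src>IKEv1(?: DEBUG)?)\]: "
    r"IP = (?P<peer>[\d.]+), (?P<msg>.*)$")
TRANSITION_RE = re.compile(r"(\w+)-->(\w+)")

# Main mode states an IKEv1 initiator waits in (standard IKEv1 main mode exchange).
MM_STATES = {
    "MM_WAIT_MSG2": "waiting for main mode message 2, the responder's answer to our SA proposal",
    "MM_WAIT_MSG4": "waiting for main mode message 4, the responder's key-exchange payload",
    "MM_WAIT_MSG6": "waiting for main mode message 6, the responder's identity/authentication",
}
# Messages worth calling out, with what they mean for the operator (this example's wording).
SIGNATURES = [
    ("All SA proposals found unacceptable",
     "no ISAKMP policy matched between the peers (authentication, encryption, hash, DH group)"),
    ("terminating:", "the IKE SA was torn down"),
    ("Invalid packet detected", "a packet from the peer was discarded as invalid"),
]

# Constructed sample: the debug lines quoted in the post above, rejoined onto single lines.
SAMPLE_DEBUG = """\
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE MM Initiator FSM error history (struct &0xc958f6c0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1-->MM_BLD_MSG1, EV_CREATE_TMR
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE SA MM:64292783 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, sending delete/delete with reason message
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Removing peer from peer table failed, no match!
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error: Unable to remove PeerTblEntry
Jun 22 07:06:51 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!
"""


def parse_line(line):
    """Split one debug line into timestamp, source, peer address and message (None if not IKEv1)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def fsm_error(msg):
    """From an 'FSM error history' message (newest transition first) return the state in
    which EV_ERROR fired and whether any message from the peer was received (EV_RCV_MSG)."""
    transitions = TRANSITION_RE.findall(msg)
    state = next((st for ev, st in transitions if ev == "EV_ERROR"), None)
    replied = any(ev == "EV_RCV_MSG" for ev, _ in transitions)
    return state, replied


def stage_of(state):
    """Map an ASA IKEv1 state-machine name to the negotiation stage it belongs to."""
    if not state:
        return None
    for prefix, name in (("MM_", "phase 1 (main mode)"), ("AM_", "phase 1 (aggressive mode)"),
                         ("QM_", "phase 2 (quick mode)")):
        if state.startswith(prefix):
            return name
    return "unknown"


def classify(log_text):
    """Return {peer: report}; each report names the failing stage/state and explains key messages."""
    reports = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        r = reports.setdefault(rec["peer"], {"lines": 0, "error_state": None,
                                             "peer_replied": None, "findings": []})
        r["lines"] += 1
        if "FSM error history" in rec["msg"]:
            r["error_state"], r["peer_replied"] = fsm_error(rec["msg"])
        for needle, meaning in SIGNATURES:
            if needle in rec["msg"] and meaning not in r["findings"]:
                r["findings"].append(meaning)
    for r in reports.values():
        r["stage"] = stage_of(r["error_state"])
        if r["error_state"] in MM_STATES:
            r["findings"].insert(0, f"stuck in {r['error_state']}: {MM_STATES[r['error_state']]}")
        if r["peer_replied"] is False:
            r["findings"].append("no message from the peer was ever processed: check reachability, "
                                 "UDP/500 filtering and 'crypto isakmp enable' on the peer")
    return reports


if __name__ == "__main__":
    for peer, rep in classify(SAMPLE_DEBUG).items():
        print(peer, rep["stage"], rep["error_state"])
        for finding in rep["findings"]:
            print("  -", finding)
```

Run on the sample, the report for 10.254.17.9 says the failure is in phase 1 (main mode), in MM_WAIT_MSG2, with a message from the peer having been processed before the error and no ISAKMP policy matching; MM_WAIT_MSG2 is a phase 1 state, so the tunnel never reaches phase 2 here.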

Make sure crypto isakmp enable outside is on both ASAs.

It is enabled on both ASAs.

What bothers me is this message

Jun 22 07:53:44 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable

Jun 22 07:53:44 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1

Jun 22 07:54:16 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!

Please can you post the entire debugs from both ASAs:

debug crypto isakmp 127

debug crypto ipsec 127

Attach the debug as text files.

Also, please change your IPSec crypto ACL (acl 110) to only include the internal subnets, and not any any.
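As an added example (not code from the thread or from Cisco), the following Python script cross-checks two ASA LAN-to-LAN configs the way the replies above do by hand: it reports a crypto map bound to an interface without "crypto isakmp enable" on it, two sides with no ISAKMP policy in common (the mismatch behind "All SA proposals found unacceptable"), a transform set the peer does not offer, a crypto map peer without an ipsec-l2l tunnel-group, and a crypto ACL that matches "any any". It also warns about DES and MD5. The sample configs are the thread's config1 and config2 with the pre-shared keys omitted; config1 is deliberately left without "crypto isakmp enable outside". The parser understands only the commands that appear in the thread.

```python
"""Cross-check two Cisco ASA IKEv1 LAN-to-LAN configs for the mismatches that stop a tunnel."""
from collections import defaultdict

POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
PHASE1_MATCH = ("authentication", "encryption", "hash", "group")  # lifetime may differ
DEPRECATED = {"des", "md5", "esp-des", "esp-md5-hmac"}

# Constructed samples: the thread's config1 and config2 (keys omitted). config1 is left
# without 'crypto isakmp enable outside', the omission the first reply points out.
CONFIG_A = """\
access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
"""
CONFIG_B = CONFIG_A.replace("10.254.17.9", "10.254.17.10") + "crypto isakmp enable outside\n"


def parse_asa(text):
    """Pull the IKEv1/IPsec pieces out of ASA running-config text."""
    cfg = {"policies": defaultdict(dict), "transform_sets": {}, "maps": defaultdict(dict),
           "map_iface": {}, "isakmp_enabled": set(), "tunnel_groups": {}, "acls": defaultdict(list)}
    policy = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if policy and tok[0] in POLICY_ATTRS and len(tok) == 2:  # sub-command of the current policy
            cfg["policies"][policy][tok[0]] = tok[1]
            continue
        policy = None
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            policy = tok[3]
        elif tok[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_enabled"].add(tok[3])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and tok[3] == "interface":
            cfg["map_iface"][tok[2]] = tok[4]
        elif tok[:2] == ["crypto", "map"] and len(tok) == 7:
            key = {"peer": "peer", "transform-set": "transform", "address": "acl"}.get(tok[5])
            if key:
                cfg["maps"][(tok[2], tok[3])][key] = tok[6]
        elif tok[0] == "tunnel-group" and tok[2] == "type":
            cfg["tunnel_groups"][tok[1]] = tok[3]
        elif tok[0] == "access-list":
            cfg["acls"][tok[1]].append(" ".join(tok[2:]))
    return cfg


def check_side(local, remote):
    """Findings for one ASA ('local') against the config of its peer ('remote')."""
    errors, warnings = [], []
    for name, iface in local["map_iface"].items():
        if iface not in local["isakmp_enabled"]:
            errors.append(f"crypto map {name} is on {iface} but 'crypto isakmp enable {iface}' is missing")
    # Phase 1: some policy on each side must agree on auth, encryption, hash and DH group.
    def p1(pol):
        return tuple(pol.get(a) for a in PHASE1_MATCH)
    if not {p1(p) for p in local["policies"].values()} & {p1(p) for p in remote["policies"].values()}:
        errors.append("no ISAKMP policy matches the peer on authentication/encryption/hash/group "
                      "(the ASA logs 'All SA proposals found unacceptable')")
    # Phase 2: each crypto map entry needs a defined transform set that the peer also offers,
    # and an ipsec-l2l tunnel-group for the peer address.
    for (name, seq), entry in local["maps"].items():
        ts, peer, acl = entry.get("transform"), entry.get("peer"), entry.get("acl")
        if ts not in local["transform_sets"]:
            errors.append(f"crypto map {name} {seq} references undefined transform-set {ts}")
        elif local["transform_sets"][ts] not in remote["transform_sets"].values():
            errors.append(f"transform-set {ts} {sorted(local['transform_sets'][ts])} has no equal on the peer")
        if local["tunnel_groups"].get(peer) != "ipsec-l2l":
            errors.append(f"crypto map {name} {seq} peer {peer} lacks 'tunnel-group {peer} type ipsec-l2l'")
        if any(a.endswith("any any") for a in local["acls"].get(acl, [])):
            warnings.append(f"crypto ACL {acl} matches 'any any'; limit it to the protected subnets")
    used = {v for p in local["policies"].values() for v in p.values()}
    used |= {a for ts in local["transform_sets"].values() for a in ts}
    for alg in sorted(used & DEPRECATED):
        warnings.append(f"{alg} is obsolete; agree on AES and SHA-2 on both peers")
    return errors, warnings


def diagnose(text_a, text_b):
    """Check both directions and return {'A': (errors, warnings), 'B': (errors, warnings)}."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    return {"A": check_side(a, b), "B": check_side(b, a)}
```

On the sample, side A gets exactly one error (ISAKMP not enabled on outside) and side B none; adding the missing line to A clears it, and changing one side's policy to "encryption 3des" produces the phase 1 mismatch error instead. The warnings (any-any ACL, DES, MD5) are the same on both sides because the two configs are mirror images.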

This is the output from one of the ASAs. Unfortunately, I have no access to the second right now.

We would need to see the debugs from the other side. This debug says that we sent a packet to the ASA, but never got a response back.

I will be able to do it tomorrow. Thank you for your help!

This is debug from another peer

The issue is solved now.. It is weird, I used 3des instead of des and the config worked just fine.. Thank you

Collin Clark
VIP Alumni

Unfortunately, it didn't help
