07-14-2009 11:26 AM
Hello Experts,
I have an issue setting up a site-to-site VPN between a Cisco 2651XM and an ASA 5505.
Here's the config from both devices.
On Cisco 2651XM
===============
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco12345 address 205.200.8.XXX
!
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to205.200.8.251
 set peer 205.200.8.XXX
 set transform-set ESP-DES-SHA
 match address 102
 qos pre-classify
interface Dialer1
 ip nbar protocol-discovery
 crypto map SDM_CMAP_2
On ASA 5505
===========
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list outside_6_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 205.200.9.xxx
crypto map outside_map 6 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 205.200.9.203 type ipsec-l2l
tunnel-group 205.200.9.203 ipsec-attributes
 pre-shared-key *
Here's the output log from the ASA 5505:
IP = 205.200.9.XXX Received encrypted packet with no matching SA, dropping
Group = 205.200.9.XXX Username = 205.200.9.XXX IP = 205.200.9.XXX Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Group = 205.200.9.XXX IP = 205.200.9.XXX Removing peer from correlator table failed, no match!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, QM FSM error (P2 struct &0xd7b42260, mess id 0x84b2979c)!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, All IPSec SA proposals found unacceptable!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, PHASE 1 COMPLETED
Please help me out.
OJ
07-14-2009 01:12 PM
Here's an excellent VPN troubleshooting guide-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
07-14-2009 07:56 PM
Went through the link. Tried doing what relates to my issue, but no luck. Any other ideas?
07-15-2009 08:30 PM
I found the issue. It was a PFS group issue. The sh crypto map command helped me. It was showing DH1; I changed it to DH2 and the issue was resolved. Thanks for your help though.
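The resolution above was a Phase 2 (PFS group) difference between the two crypto maps, which is what the "All IPSec SA proposals found unacceptable" log line points at. As an added example that is not part of the original thread, this Python script compares the Phase 2 settings of two peers offline; the names `phase2` and `compare` are hypothetical, the sample strings are constructed from the lines posted in the thread, and it assumes one crypto map entry per config.

```python
import re

# Constructed sample input: the Phase 2 lines from the two configs posted above.
IOS_CFG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer 205.200.8.XXX
 set transform-set ESP-DES-SHA
 match address 102
"""
ASA_CFG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 205.200.9.xxx
crypto map outside_map 6 set transform-set ESP-DES-SHA
"""

def phase2(cfg):
    """Extract the transform-set algorithms and PFS setting (hypothetical helper)."""
    tsets = {m[1]: frozenset(m[2].split())
             for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}
    used = re.search(r"set transform-set (\S+)", cfg)
    pfs = re.search(r"set pfs[ \t]*(\S*)", cfg)
    return {
        "transforms": tsets.get(used[1]) if used else None,
        # "off": no 'set pfs' line; "default": 'set pfs' with no group named
        "pfs": "off" if not pfs else (pfs[1] or "default"),
    }

def compare(a, b):
    """List Phase 2 differences between two peers that need to be reconciled."""
    issues = []
    if a["transforms"] != b["transforms"]:
        issues.append("transform-set algorithms differ")
    if a["pfs"] != b["pfs"]:
        issues.append(f"PFS differs: {a['pfs']} vs {b['pfs']}")
    elif a["pfs"] == "default":
        issues.append("PFS group is implicit on both peers; name it explicitly")
    return issues

if __name__ == "__main__":
    for issue in compare(phase2(IOS_CFG), phase2(ASA_CFG)):
        print("MISMATCH:", issue)
```

The script reports an implicit `set pfs` as "default" instead of guessing a group, because the group a platform applies when none is named is exactly what `show crypto map` has to confirm on each device.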