site to site vpn with asa 5505 and sonic firewall

Unanswered Question
Aug 28th, 2009

I'm trying to establish a vpn tunnel with a sonic firewall. We've checked both ends for differences and they are the same. PFS has been disabled on both ends. I'm seeing this in the logs.

%ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-5-713201: Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. No last packet to retransmit.

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3f02c78, mess id 0x267fd72c)!

%ASA-1-713900: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

JORGE RODRIGUEZ Sat, 08/29/2009 - 18:58

Hi, I would suggest debugging both ISAKMP and IPsec to give a bit more detail on where it could be failing, even though your first message says Phase 1 completed. Debug will provide some clues.

You probably have seen this link, but in case you haven't, go over this example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

If still no joy, you can turn on debug on the ASA and post its output. Try bringing up the tunnel from the SonicWall side while you have debug on on the ASA side.

terminal monitor

logging monitor 7

debug crypto isakmp

debug crypto ipsec

Regards

vironet Mon, 08/31/2009 - 13:51

The problem seems to be in your P2 configuration (local and remote networks, transform set, encryption). Sometimes all other vendors use PFS by default. Did you try enabling PFS group 2?

esossamon Mon, 08/31/2009 - 20:24

From what I've read, the SonicWall firewalls have PFS disabled by default, but we have confirmed neither end has it enabled.

cnielsw01 Fri, 07/29/2011 - 04:27

I had the same error.

I resolved it by adding the internal route to the SonicWall that it was missing :$.

The SonicWall didn't know about the route, so it doesn't accept the policy listed by the ASA, or vice versa.

With kind regards,

Niels
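An added triage script, not from this thread or from Cisco, that runs over the ASA syslog lines quoted in the question and reports which IKE phase the rejection belongs to, so the P2 checklist the replies describe (networks, transform set, PFS) is printed for the right peer. The peer address 203.0.113.10 and the checklists are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the question, with the
# documentation address 203.0.113.10 standing in for the peer's "x.x.x.x".
SAMPLE_LOG = """\
%ASA-3-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
%ASA-5-713068: Group = 203.0.113.10, IP = 203.0.113.10, Received non-routine Notify message: No proposal chosen (14)
%ASA-5-713201: Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected. No last packet to retransmit.
%ASA-3-713902: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x3f02c78, mess id 0x267fd72c)!
%ASA-1-713900: Group = 203.0.113.10, IP = 203.0.113.10, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
"""

# %ASA-<severity>-<message id>: Group = <peer>, IP = <peer>, <text>
LINE_RE = re.compile(r"^%ASA-(\d)-(\d{6}): Group = ([^,]+), IP = ([^,]+), (.*)$")

# Assumed checklists: what a proposal mismatch at each phase usually comes down to.
PHASE1_CHECKLIST = ["ISAKMP policy (encryption, hash, DH group, authentication, lifetime)",
                    "pre-shared key and peer identity"]
PHASE2_CHECKLIST = ["transform set (ESP encryption and hash) identical on both ends",
                    "crypto ACL / proxy IDs: local and remote networks must mirror exactly",
                    "PFS on both ends or on neither, with the same DH group",
                    "Phase 2 SA lifetime (seconds and kilobytes)"]

def parse(log_text):
    """Collect (message id, text) per IKE peer in log order; non-ASA lines are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _sev, msg_id, _group, peer, text = m.groups()
            events[peer].append((msg_id, text))
    return events

def triage(log_text):
    """Map each peer to (verdict, checklist) derived from the message ids it produced."""
    verdicts = {}
    for peer, evs in parse(log_text).items():
        phase1_done = any(i == "713119" for i, _ in evs)
        no_proposal = any(i == "713068" and "No proposal chosen" in t for i, t in evs)
        qm_error = any(i == "713902" and "QM FSM error" in t for i, t in evs)
        if phase1_done and (no_proposal or qm_error):
            # The IKE SA was agreed; the peer then rejected the IPsec (Quick Mode) proposal.
            verdicts[peer] = ("phase2-proposal-mismatch", PHASE2_CHECKLIST)
        elif no_proposal:
            # Rejected before Phase 1 completed: the ISAKMP policy itself does not match.
            verdicts[peer] = ("phase1-proposal-mismatch", PHASE1_CHECKLIST)
        else:
            verdicts[peer] = ("inconclusive", [])
    return verdicts
```

Run `triage(SAMPLE_LOG)` on the question's lines and the verdict is `phase2-proposal-mismatch`, which is why Jorge's `debug crypto ipsec` output is the next thing to look at rather than the ISAKMP policy.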

Posted August 28, 2009 at 1:39 PM