Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1191
Views
5
Helpful
9
Replies

Site to Site VPN error

eng.shadi
Level 1
Level 1

‎12-20-2009 12:35 AM

Dears,

i have an issue in the VPN sitte to site, any suggestion please because i tried alot of things to solve it.

the output of  debug crypto isakmp is

Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, QM FSM error (P2 struct &0x391f9a0, mess id 0x16b73592)!
Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, Removing peer from correlator table failed, no match!

and some times:

Header invalid, missing SA payload! (next payload = 133)

the output of the :

show cry isakmp sa

  Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

the configuration of the devices of the ASAs:

ASA1:

ASA Version 7.0(8)
!

access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0


nat (inside) 0 access-list 101

crypto ipsec transform-set sts esp-3des esp-md5-hmac
crypto ipsec transform-set sts1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map vpn 10 match address 102
crypto map vpn 10 set pfs group1
crypto map vpn 10 set peer x.x.x.x
crypto map vpn 10 set transform-set sts1
crypto map vpn 10 set security-association lifetime seconds 28800
crypto map vpn 10 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside


isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *

ASA2:

access-list 600 extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0

access-list outside_40_cryptomap extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0


nat (inside) 0 access-list outside_40_cryptomap

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 60
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

crypto ipsec transform-set sts1 esp-des esp-md5-hmac

crypto map vpn 60 match address 600
crypto map vpn 60 set pfs group1
crypto map vpn 60 set peer y.y.y.y
crypto map vpn 60 set transform-set sts1
crypto map vpn interface outside

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *

Labels:
0 Helpful
9 Replies 9

Ivan Martinon
Level 7
Level 7

‎12-21-2009 11:37 AM

Hi Shadi,

Has this VPN worked before or it is always the same problem when trying to bring it up? The message "has no spi" means that your secure session is no longer on, and you would need to re negotiate the tunnel, go ahead and clear the vpn session on both ASAs and try again

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1571746

vpn-sessiondb logoff

As well check if both ones have keepalive enabled and correctly set with the period.

0 Helpful

eng.shadi
Level 1
Level 1
In response to Ivan Martinon

‎12-22-2009 12:47 AM

Dear Ivan,

it is a new tunnel. ASA1 is ASA, IOS version is 7.0 (8) but ASA2 is a PIX 515e with version 7.2 (2). the PIX firewall is a hub for 4 VPN tunnels and this tunnel is new tunnel.

when i do debug crypto isakmp,there is no output appeared to us and the tunnel is active. I did reboot yesterday for the two firewalls and still it is not working.

regarding the keepalive, I don't configure it, it is on default values. i cleared the sessions many times but still the tunnel is not working.

actually it is strange case that i have.

thanks Ivan.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to eng.shadi

‎12-22-2009 10:35 AM

Please get the complete configiuration from both devices, and the following outputs: show crypto isakmp sa, show crypto ipsec sa, try the debug with debub crypto isakmp 25

Ivan

0 Helpful

andrewswanson
Level 7
Level 7
In response to eng.shadi

‎12-22-2009 10:58 AM

hello

your ACL's wild card masks look wrong - shouldn't they read 192.168.30.0 0.0.0.255 and  172.22.0.0 0.0.255.255?

hth

andy

0 Helpful

eng.shadi
Level 1
Level 1
In response to andrewswanson

‎12-22-2009 11:22 PM

Dear Iva,

as you request, please find the attached files.

Thanks for ur support.

37189-ASA1 Forum.txt.zip
0 Helpful

acomiskey
Level 10
Level 10
In response to eng.shadi

‎12-23-2009 06:27 AM

Your crypto acl on the pix for this vpn should only be these 3 lines.

access-list 600 extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0

Remove the other 3.

0 Helpful

eng.shadi
Level 1
Level 1
In response to acomiskey

‎12-23-2009 06:42 AM

I removed these access lists yesterday, the access lists are wrong becuase of that i removed it yesterday. but still same issue.

thanks.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to eng.shadi

‎12-23-2009 08:02 AM

Your problem is the following:

nat (inside) 0 access-list outside_40_cryptomap

access-list outside_40_cryptomap is being used on the nat exempt config, and it is also used on the following crypto map:

crypto map STS 40 match address outside_40_cryptomap

AND the tunnel you are trying to configure is defined after this crypto map, since the traffic for tunnel 600 is included on line outside_40_crypto map this will be the crypto map processed intead of 600.

You should never define the nat exempt list to be one already used for the crypto map of another tunnel, so go ahead and duplicate access-list outside_40_crypto map into another one called something like nonat make sure it has all the lines for all the tunnels (which I believe crypto 40 has) and apply it to the nat (inside) 0 access-list nonat setup.

Then clean your crypto 40 from lines on the acl that do not belong to it. And try again.

eng.shadi
Level 1
Level 1
In response to Ivan Martinon

‎12-23-2009 09:32 AM

This was the issue, it is working now... thnaks alot for your support. :-)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents