ASA5510 + Sonicwall site-to-site VPN not working

We've been trying to establish a VPN connection from Sonicwall PRO2040 to a ASA5510 without success. I get the following errors on the ASA:

where x.x.x.x is the IP of the Sonicwall, y.y.y.y is the ASA

6  Mar 19 2010  15:44:06  302015  x.x.x.x  500  y.y.y.y  500  Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)
4  Mar 19 2010  15:44:29  713903  IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4  Mar 19 2010  15:44:29  113019  Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3  Mar 19 2010  15:44:29  713123  Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4  Mar 19 2010  15:44:27  713903  Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5  Mar 19 2010  15:44:27  713904  Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4  Mar 19 2010  15:44:25  713903  Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5  Mar 19 2010  15:44:25  713904  Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4  Mar 19 2010  15:44:23  713903  Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5  Mar 19 2010  15:44:23  713904  Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5  Mar 19 2010  15:44:06  713068  Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5  Mar 19 2010  15:44:06  713119  Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6  Mar 19 2010  15:44:06  113009  AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6  Mar 19 2010  15:44:06  302015  x.x.x.x  500  y.y.y.y  500  Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)

and here's the conf on the ASA:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!

Can anyone help please? We've checked on the Sonicwall and it seems everything's matching.

Correct Answer
Jennifer Halim Fri, 03/19/2010 - 15:45

Since you use an IP address, you need to configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".

Please share debug output when trying to establish the VPN:

- debug crypto isakmp

- debug crypto ipsec

Also, show output after:

- show crypto isa sa

- show crypto ipsec sa

If you could share the configuration of the ASA, that would be great. Thanks.

Jennifer Halim Sat, 03/20/2010 - 17:15

Can you confirm that you would like to encrypt traffic between ASA LAN of 192.168.1.0/24 and Sonicwall LAN of 192.168.123.0/24?

If the above statement is correct, you would also need to add the following for the NAT exemption:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

Assuming both the ISAKMP and IPsec policies match on both ends, the tunnel should work.

If it doesn't, please send through output of:

- debug crypto isakmp

- debug crypto ipsec

Also, show output after:

- show crypto isa sa

- show crypto ipsec sa

Thanks.

One last question: if I want 192.168.123.0/24 to only be able to access 192.168.1.100 and 192.168.1.101, will this do the trick?

access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside line 6 extended deny ip 192.168.123.0 255.255.255.0 any

Jennifer Halim Sun, 03/21/2010 - 05:44

No, the inside ACL is for traffic initiated from the inside LAN 192.168.1.0/24 out.

I would configure the following:

access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100

access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101

access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any

access-list inside-out-acl permit ip any any

access-group inside-out-acl out interface inside
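Pulling the three fixes from this thread together (the identity type, the NAT exemption, and the outbound filter on the inside interface), the following is an added example of what the relevant part of the ASA configuration looks like once they are applied. It is not configuration posted by the original poster or by Jennifer Halim. It assumes a pre-8.3 ASA release, since the `nat (inside) 0 access-list` form of NAT exemption shown here goes with the `inside_nat0_outbound` name used above; the entries of the `outside_cryptomap` ACL and the definition of the `ESP-AES-256-SHA` transform set are not shown in the original post and are assumed here from the two LANs named in the thread; the pre-shared key is a placeholder.

```cisco
! --- Phase 1: send the outside IP address as the IKE identity, not the hostname,
!     so the peer can match it against the l2l tunnel-group keyed on that address
crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>

! --- Interesting traffic: ASA LAN <-> Sonicwall LAN
!     (assumed contents of outside_cryptomap; the post names the ACL but shows no entries)
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

! --- Phase 2 (transform-set definition assumed to match the name in the posted config)
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! --- NAT exemption: traffic between the two LANs must not be translated before
!     it is matched against the crypto ACL (pre-8.3 syntax, assumed for this ASA)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Limit what the remote LAN may reach. Applied in the OUT direction on the inside
!     interface, so it filters decrypted traffic leaving the ASA toward its own LAN.
!     Traffic initiated by 192.168.1.0/24 enters the inside interface in the IN
!     direction and is not evaluated by this ACL. The final permit keeps the
!     implicit deny from blocking everything else that exits the inside interface.
access-list inside-out-acl extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl extended deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl extended permit ip any any
access-group inside-out-acl out interface inside
```

Two points worth checking after applying this. First, `show crypto isakmp sa` should show the peer in MM_ACTIVE and `show crypto ipsec sa` should show encaps and decaps counters incrementing for the 192.168.1.0/24 to 192.168.123.0/24 pair; if Phase 1 still fails, the `debug crypto isakmp` output Jennifer asks for will show whether the identity and pre-shared key now match. Second, the filter has to live on the inside interface because, with the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the access-group on the outside interface, so an ACL applied there would never see it.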
