ASA5510 + Sonicwall site-to-site VPN not working

Answered Question

We've been trying to establish a VPN connection from Sonicwall PRO2040 to a ASA5510 without success. I get the following errors on the ASA:


where x.x.x.x is the IP of the Sonicwall, y.y.y.y is the ASA


6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)
4 Mar 19 2010 15:44:29 713903 IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4 Mar 19 2010 15:44:29 113019 Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3 Mar 19 2010 15:44:29 713123 Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4 Mar 19 2010 15:44:27 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:27 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:25 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:25 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:23 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:23 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5 Mar 19 2010 15:44:06 713068 Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5 Mar 19 2010 15:44:06 713119 Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)

and here's the conf on the ASA:


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!


Can anyone help please? We've checked on the Sonicwall and it seems everything's matching.

Correct Answer
Jennifer Halim Fri, 03/19/2010 - 15:45
User Badges: Cisco Employee

Since you use an IP address, you need to configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".


Please share debug output when trying to establish the VPN:

- debug crypto isakmp

- debug crypto ipsec


Also, show output after:

- show crypto isa sa

- show crypto ipsec sa


If you may share the configuration of the ASA that would be great. Thanks.

Jennifer Halim Sat, 03/20/2010 - 17:15
User Badges: Cisco Employee

Can you confirm that you would like to encrypt traffic between ASA LAN of 192.168.1.0/24 and Sonicwall LAN of 192.168.123.0/24?


If the above statement is correct, you would also need to add the following for the NAT exemption:


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0


Assuming both the ISAKMP and IPSEC policies match on both ends, the tunnel should work.


If it doesn't, please send through output of:

- debug crypto isakmp

- debug crypto ipsec


Also, show output after:

- show crypto isa sa

- show crypto ipsec sa


Thanks.

One last question: if I want 192.168.123.0/24 to only be able to access 192.168.1.100 and 192.168.1.101, will this do the trick?

access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside line 6 extended deny ip 192.168.123.0 255.255.255.0 any

Jennifer Halim Sun, 03/21/2010 - 05:44
User Badges: Cisco Employee

No, the inside ACL is for traffic initiated from the inside LAN 192.168.1.0/24 out.


I would configure the following:


access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100

access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101

access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any

access-list inside-out-acl permit ip any any


access-group inside-out-acl out interface inside
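As an added example that is not part of the thread, here is a small Python model of the ASA's first-match ACL evaluation, fed the four ACEs from the reply above, showing which VPN-side flows reach the LAN once the list is bound "out" on the inside interface. The flow addresses (192.168.123.10, 192.168.1.50, 10.0.0.5) are constructed for the test; the parser only handles the `any` / `host` / `network mask` address forms these lines use.

```python
import ipaddress

# Constructed input: the four ACEs from the accepted reply, in ASA order.
ACL_TEXT = """
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl permit ip any any
"""

def _addr_spec(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for the 'ip' ACEs, in configured order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        aces.append((t[2], src, dst))
    return aces

def evaluate(aces, src, dst):
    """First-match evaluation; anything unmatched hits the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def check_flows():
    """Flows as seen by an ACL applied 'out' on the inside interface (VPN -> LAN direction)."""
    aces = parse_acl(ACL_TEXT)
    flows = [
        ("192.168.123.10", "192.168.1.100"),  # explicitly allowed host
        ("192.168.123.10", "192.168.1.101"),  # explicitly allowed host
        ("192.168.123.10", "192.168.1.50"),   # rest of the LAN: caught by the deny line
        ("10.0.0.5", "192.168.1.50"),         # any other source: final permit ip any any
    ]
    return {f: evaluate(aces, *f) for f in flows}
```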
