03-19-2010 01:19 PM
We've been trying to establish a VPN connection from a Sonicwall PRO2040 to an ASA5510 without success. I get the following errors on the ASA, where x.x.x.x is the IP of the Sonicwall and y.y.y.y is the ASA:
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x /500) to identity:y.y.y.y/500 (y.y.y.y /500)
4 Mar 19 2010 15:44:29 713903 IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4 Mar 19 2010 15:44:29 113019 Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3 Mar 19 2010 15:44:29 713123 Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4 Mar 19 2010 15:44:27 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:27 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:25 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:25 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:23 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:23 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5 Mar 19 2010 15:44:06 713068 Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5 Mar 19 2010 15:44:06 713119 Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity: y.y.y.y /500 (y.y.y.y /500)
and here's the conf on the ASA:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
Can anyone help please? We've checked on the Sonicwall and it seems everything's matching.
03-19-2010 03:45 PM
Since you use an IP address, you need to configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".
Please share debug output when trying to establish the VPN:
- debug crypto isakmp
- debug crypto ipsec
Also, show output after:
- show crypto isa sa
- show crypto ipsec sa
If you may share the configuration of the ASA that would be great. Thanks.
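The ASA log excerpt in the question, read in time order rather than newest-first, tells the story behind this answer: Phase 1 completes, the peer immediately answers with a non-routine "Invalid ID info (18)" notify, every later informational exchange is dropped as an un-encrypted INVALID_COOKIE, and DPD tears the session down 23 seconds later. As an added example (not code from the thread or from Cisco), the following parser pulls the message IDs out of log-viewer lines in that format and flags that sequence. The sample log is the thread's own lines with the x.x.x.x / y.y.y.y placeholders left in place; the message-ID checks are assumptions based on the texts shown in the log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the ASA log-viewer lines quoted in the question, unchanged.
SAMPLE_LOG = """\
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x /500) to identity:y.y.y.y/500 (y.y.y.y /500)
4 Mar 19 2010 15:44:29 713903 IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4 Mar 19 2010 15:44:29 113019 Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3 Mar 19 2010 15:44:29 713123 Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4 Mar 19 2010 15:44:27 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:27 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:25 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:25 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:23 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:23 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5 Mar 19 2010 15:44:06 713068 Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5 Mar 19 2010 15:44:06 713119 Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity: y.y.y.y /500 (y.y.y.y /500)
"""

# Log-viewer line layout: <severity> <Mon> <day> <year> <hh:mm:ss> <message-id> <text>
_LINE_RE = re.compile(
    r"^(?P<sev>[0-7])\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+(?P<text>.*)$"
)


def parse_asa_log(text):
    """Turn log-viewer lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
        )
        events.append({"severity": int(m["sev"]), "time": stamp,
                       "msgid": m["msgid"], "text": m["text"]})
    return events


def count_by_msgid(events):
    """How often each message ID appears; a quick way to see what dominates a noisy log."""
    return Counter(e["msgid"] for e in events)


def triage_ike(events):
    """Flag the identity-mismatch sequence seen in the thread (assumed message IDs):
    713119 PHASE 1 COMPLETED, then 713068 'Invalid ID info (18)', then repeated
    713904 un-encrypted INVALID_COOKIE drops, ending in 713123 DPD loss of contact."""
    by_time = sorted(events, key=lambda e: e["time"])   # viewer shows newest first

    def first(msgid, needle=""):
        return next((e for e in by_time if e["msgid"] == msgid and needle in e["text"]), None)

    phase1 = first("713119")
    invalid_id = first("713068", "Invalid ID info")
    cookie_drops = [e for e in by_time if e["msgid"] == "713904" and "INVALID_COOKIE" in e["text"]]
    dpd_loss = first("713123")

    finding = {"pattern": "none", "invalid_cookie_drops": len(cookie_drops),
               "seconds_to_dpd_teardown": None, "hint": ""}
    if phase1 and invalid_id and invalid_id["time"] >= phase1["time"] and cookie_drops:
        finding["pattern"] = "ike_identity_mismatch"
        finding["hint"] = ("Phase 1 negotiated but the peer rejected the ID payload; "
                           "check that 'crypto isakmp identity' (address vs hostname) "
                           "on the ASA matches what the remote peer expects")
    if phase1 and dpd_loss:
        finding["seconds_to_dpd_teardown"] = int((dpd_loss["time"] - phase1["time"]).total_seconds())
    return finding


if __name__ == "__main__":
    evs = parse_asa_log(SAMPLE_LOG)
    print(count_by_msgid(evs))
    print(triage_ike(evs))
```

Run against the sample, the triage reports the mismatch pattern, three INVALID_COOKIE drops and a 23-second gap between Phase 1 and the DPD teardown, which is the same 0h:00m:23s the 113019 session-disconnect line states.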
03-20-2010 06:49 AM
03-20-2010 05:15 PM
Can you confirm that you would like to encrypt traffic between ASA LAN of 192.168.1.0/24 and Sonicwall LAN of 192.168.123.0/24?
If the above statement is correct, you would also need to add the following for the NAT exemption:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
Assuming both the ISAKMP and IPSEC policies match on both ends, the tunnel should work.
If it doesn't, please send through output of:
- debug crypto isakmp
- debug crypto ipsec
Also, show output after:
- show crypto isa sa
- show crypto ipsec sa
Thanks.
03-21-2010 04:10 AM
Indeed, that did the trick and the tunnel works.
The 2 LANs cannot see each other however; do I just need an ACL and/or static routes?
Thanks a lot.
03-21-2010 04:14 AM
Have you added the NAT exemption advised earlier?
03-21-2010 04:56 AM
Indeed, I forgot about it. Thanks, everything's OK now.
03-21-2010 05:11 AM
Perfect, thanks for the update.
03-21-2010 05:22 AM
One last question: if I want 192.168.123.0/24 to be able to access only 192.168.1.100 and 192.168.1.101,
will this do the trick?
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside line 6 extended deny ip 192.168.123.0 255.255.255.0 any
03-21-2010 05:44 AM
No, the inside ACL is for traffic initiated from the inside LAN 192.168.1.0/24 out.
I would configure the following:
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl permit ip any any
access-group inside-out-acl out interface inside
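Both the NAT exemption earlier in the thread and the ACL in this answer are ordered first-match lists, which is why the "permit ip any any" has to sit after the deny and why the asker's draft, applied in the wrong direction, would not have done what was intended. As an added example (not code from the thread, from Cisco, or from the ASA itself), the following small evaluator parses the `permit|deny ip` ACEs quoted above, applies first-match semantics with the implicit deny at the end, reports which ACEs can never match because an earlier one already covers them, and answers the NAT-exemption question for a given flow. The deliberately misordered copy of the ACL and the sample flow addresses are constructed for the demonstration.

```python
import ipaddress

# Minimal parser for the ASA ACL lines used in this thread:
#   access-list NAME [line N] [extended] {permit|deny} ip SRC DST
# where SRC and DST are "any", "host A.B.C.D", or "A.B.C.D NETMASK"
# (ASA ACLs take a subnet mask, not an IOS wildcard mask).


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "object-group":
        raise ValueError("object-group references are not expanded by this example")
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(lines):
    entries = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, i = tokens[1], 2
        if tokens[i] == "line":            # optional "line N" insertion position
            i += 2
        if tokens[i] == "extended":
            i += 1
        action, proto = tokens[i], tokens[i + 1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE (only 'permit|deny ip' handled): {raw}")
        src, i = _take_addr(tokens, i + 2)
        dst, i = _take_addr(tokens, i)
        entries.append({"name": name, "action": action, "src": src, "dst": dst, "text": raw})
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation as the ASA does it; unmatched traffic hits the implicit deny.
    Returns (action, 1-based ACE position) or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, e in enumerate(entries, start=1):
        if s in e["src"] and d in e["dst"]:
            return e["action"], n
    return "deny", None


def shadowed(entries):
    """1-based positions of ACEs that can never match because an earlier ACE
    already covers their entire source and destination range."""
    out = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"]):
                out.append(j + 1)
                break
    return out


# The NAT-exemption ACL and the outbound-on-inside ACL from the answers in this thread.
NAT0_ACL = parse_acl([
    "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0",
])
INSIDE_OUT_ACL = parse_acl([
    "access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100",
    "access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101",
    "access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any",
    "access-list inside-out-acl permit ip any any",
])
# Constructed misordering (not from the thread): the deny moved above the host permits.
MISORDERED_ACL = [INSIDE_OUT_ACL[2], INSIDE_OUT_ACL[0], INSIDE_OUT_ACL[1], INSIDE_OUT_ACL[3]]


def is_nat_exempt(src_ip, dst_ip):
    """Traffic the nat0 ACL permits bypasses NAT and keeps its real source address."""
    return evaluate(NAT0_ACL, src_ip, dst_ip)[0] == "permit"


if __name__ == "__main__":
    for flow in [("192.168.123.10", "192.168.1.100"), ("192.168.123.10", "192.168.1.50"),
                 ("198.51.100.9", "192.168.1.50")]:
        print(flow, "->", evaluate(INSIDE_OUT_ACL, *flow))
    print("nat exempt 192.168.1.5 -> 192.168.123.7:", is_nat_exempt("192.168.1.5", "192.168.123.7"))
    print("shadowed ACEs in misordered ACL:", shadowed(MISORDERED_ACL))
```

The shadow check only reports an ACE whose full range is covered by a single earlier ACE; partial overlaps (an earlier ACE that covers some but not all of a later one) are a separate, harder question and are not flagged here.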
03-21-2010 05:56 AM
Thank you, much appreciated.