ASA5510 + Sonicwall site-to-site VPN not working

kpoon (Level 1)

We've been trying to establish a VPN connection from a Sonicwall PRO2040 to an ASA5510 without success. I get the following errors on the ASA,

where x.x.x.x is the IP of the Sonicwall and y.y.y.y is the ASA:


Sev  Date         Time      Msg ID  Source       Dest         Message
6    Mar 19 2010  15:44:06  302015  x.x.x.x/500  y.y.y.y/500  Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)
4    Mar 19 2010  15:44:29  713903                            IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4    Mar 19 2010  15:44:29  113019                            Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3    Mar 19 2010  15:44:29  713123                            Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4    Mar 19 2010  15:44:27  713903                            Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5    Mar 19 2010  15:44:27  713904                            Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4    Mar 19 2010  15:44:25  713903                            Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5    Mar 19 2010  15:44:25  713904                            Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4    Mar 19 2010  15:44:23  713903                            Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5    Mar 19 2010  15:44:23  713904                            Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5    Mar 19 2010  15:44:06  713068                            Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5    Mar 19 2010  15:44:06  713119                            Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6    Mar 19 2010  15:44:06  113009                            AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6    Mar 19 2010  15:44:06  302015  x.x.x.x/500  y.y.y.y/500  Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:y.y.y.y/500 (y.y.y.y/500)

and here's the conf on the ASA:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!

Can anyone help please? We've checked on the Sonicwall and it seems everything's matching.

Accepted Solution

Jennifer Halim (Cisco Employee)

Since you use an IP address, you need to configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".

Please share debug output when trying to establish the VPN:

- debug crypto isakmp
- debug crypto ipsec

Also, show output after:

- show crypto isa sa
- show crypto ipsec sa

If you could share the configuration of the ASA, that would be great. Thanks.


10 Replies


Attached is the config file; hope the config file is OK.

Thanks.

And I've changed the hostname to address.

I'll test shortly.

Can you confirm that you would like to encrypt traffic between the ASA LAN of 192.168.1.0/24 and the Sonicwall LAN of 192.168.123.0/24?

If the above statement is correct, you would also need to add the following for the NAT exemption:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

Assuming both the ISAKMP and IPSEC policies match on both ends, the tunnel should work.

If it doesn't, please send through the output of:

- debug crypto isakmp
- debug crypto ipsec

Also, show output after:

- show crypto isa sa
- show crypto ipsec sa

Thanks.

Indeed, that did the trick and the tunnel works.

The two LANs cannot see each other, however. Do I just need an ACL and/or static routes?

Thanks a lot.

Have you added the NAT exemption advised earlier?

Indeed, I forgot about it. Thanks, everything's OK now.

Perfect, thanks for the update.

One last question: if I want 192.168.123.0/24 to be able to access only 192.168.1.100 and 192.168.1.101, will this do the trick?

access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
  access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside line 6 extended deny ip 192.168.123.0 255.255.255.0 any

No, the inside ACL is for traffic initiated from the inside LAN 192.168.1.0/24 going out.

I would configure the following:

access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl permit ip any any

access-group inside-out-acl out interface inside
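As an added example (not from the thread), the Python below parses ASA access-list lines of the kind shown above and evaluates flows against them with the same first-match, implicit-deny semantics the ASA applies, which is why the specific permits and the deny must come before the final "permit ip any any". The reordered copy and any addresses outside the two LANs are constructed for illustration.

```python
import ipaddress

def _parse_addr(toks, i):
    """Parse one ASA address operand at toks[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # ipaddress accepts the dotted-mask form ASA uses, e.g. 192.168.123.0/255.255.255.0
    return ipaddress.ip_network(toks[i] + "/" + toks[i + 1]), i + 2

def parse_acl(lines, name):
    """Ordered (action, src_net, dst_net) entries of ACL `name`; 'ip' entries only."""
    entries = []
    for line in lines:
        toks = line.split()
        if len(toks) < 2 or toks[0] != "access-list" or toks[1] != name:
            continue
        i = 2
        if toks[i] == "line":      # optional 'line N' position keyword, as in the question
            i += 2
        if toks[i] == "extended":
            i += 1
        action, proto = toks[i], toks[i + 1]
        if proto != "ip":          # port-level entries are out of scope for this example
            raise ValueError("only 'ip' entries supported: " + line)
        src, i = _parse_addr(toks, i + 2)
        dst, i = _parse_addr(toks, i)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

# The ACL from the answer above, verbatim (applied 'out' on the inside interface).
INSIDE_OUT_ACL = parse_acl("""\
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl permit ip any any
""".splitlines(), "inside-out-acl")

# Constructed mistake: same entries with 'permit ip any any' first, so the Sonicwall LAN reaches every host.
MISORDERED_ACL = [INSIDE_OUT_ACL[3]] + INSIDE_OUT_ACL[:3]
```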

Thank you, much appreciated.
