03-19-2010 01:19 PM
We've been trying to establish a VPN connection from a Sonicwall PRO2040 to an ASA5510 without success. I get the following errors on the ASA:
(where x.x.x.x is the IP of the Sonicwall and y.y.y.y is the ASA)
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x /500) to identity:y.y.y.y/500 (y.y.y.y /500)
4 Mar 19 2010 15:44:29 713903 IP = x.x.x.x, Received Invalid Cookie message for non-existent SA
4 Mar 19 2010 15:44:29 113019 Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3 Mar 19 2010 15:44:29 713123 Group = x.x.x.x, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4 Mar 19 2010 15:44:27 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:27 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:25 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:25 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:23 713903 Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
5 Mar 19 2010 15:44:23 713904 Group = x.x.x.x, IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
5 Mar 19 2010 15:44:06 713068 Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)
5 Mar 19 2010 15:44:06 713119 Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
6 Mar 19 2010 15:44:06 302015 x.x.x.x 500 y.y.y.y 500 Built inbound UDP connection 48318039 for outside:x.x.x.x/500 (x.x.x.x/500) to identity: y.y.y.y /500 (y.y.y.y /500)
And here's the config on the ASA:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
Can anyone help, please? We've checked on the Sonicwall and it seems everything's matching.
03-19-2010 03:45 PM
Since you use an IP address, you need to configure "crypto isakmp identity address" instead of "crypto isakmp identity hostname".
Please share the debug output when trying to establish the VPN:
- debug crypto isakmp
- debug crypto ipsec
Also, share the output of:
- show crypto isa sa
- show crypto ipsec sa
If you could share the configuration of the ASA, that would be great. Thanks.
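The reply above names the cause; the signature it is reading off the syslog is worth having as a script, because the same pattern (ISAKMP SA completes, the peer immediately answers with notify type 18 INVALID-ID-INFORMATION, then every later informational exchange is dropped as an unencrypted INVALID_COOKIE until DPD gives up) recurs whenever the two sides disagree on the identity type. The following is an added example, not code from the thread: it parses the lines the original poster quoted (reconstructed here with RFC 5737 documentation addresses in place of the redacted x.x.x.x and y.y.y.y, so the sample is constructed) and reports per peer what the sequence points to. The 5-second window between "PHASE 1 COMPLETED" and the Invalid ID notify is an assumption chosen to match the post, not an ASA setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ASA syslog lines quoted in the post, with the
# redacted x.x.x.x (SonicWall) and y.y.y.y (ASA) replaced by RFC 5737
# documentation addresses. ASDM shows newest entries first, so the lines
# are deliberately left in that order and sorted by the parser.
SAMPLE_LOG = """\
4 Mar 19 2010 15:44:29 713903 IP = 203.0.113.10, Received Invalid Cookie message for non-existent SA
4 Mar 19 2010 15:44:29 113019 Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IKE, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
3 Mar 19 2010 15:44:29 713123 Group = 203.0.113.10, IP = 203.0.113.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
4 Mar 19 2010 15:44:27 713903 Group = 203.0.113.10, IP = 203.0.113.10, Information Exchange processing failed
5 Mar 19 2010 15:44:27 713904 Group = 203.0.113.10, IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:25 713903 Group = 203.0.113.10, IP = 203.0.113.10, Information Exchange processing failed
5 Mar 19 2010 15:44:25 713904 Group = 203.0.113.10, IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
4 Mar 19 2010 15:44:23 713903 Group = 203.0.113.10, IP = 203.0.113.10, Information Exchange processing failed
5 Mar 19 2010 15:44:23 713904 Group = 203.0.113.10, IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
5 Mar 19 2010 15:44:06 713068 Group = 203.0.113.10, IP = 203.0.113.10, Received non-routine Notify message: Invalid ID info (18)
5 Mar 19 2010 15:44:06 713119 Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
6 Mar 19 2010 15:44:06 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 203.0.113.10
6 Mar 19 2010 15:44:06 302015 203.0.113.10 500 198.51.100.1 500 Built inbound UDP connection 48318039 for outside:203.0.113.10/500 (203.0.113.10/500) to identity:198.51.100.1/500 (198.51.100.1/500)
"""

# ASDM log-viewer layout: severity, timestamp, six-digit message ID, body.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<body>.*)$"
)
PEER_RE = re.compile(r"IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

PHASE1_OK = "713119"       # PHASE 1 COMPLETED
INVALID_ID = "713068"      # non-routine notify, here Invalid ID info (18)
INVALID_COOKIE = "713904"  # unencrypted INVALID_COOKIE notify dropped
DPD_LOST = "713123"        # DPD tore the connection down
WINDOW = timedelta(seconds=5)  # assumed: how close 713068 must follow 713119


def parse(log_text):
    """Return the parsed records sorted oldest first."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ASA syslog line in the expected layout
        peer = PEER_RE.search(m["body"])
        records.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "sev": int(m["sev"]),
            "msgid": m["msgid"],
            "peer": peer["ip"] if peer else None,
            "body": m["body"],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def diagnose(log_text):
    """Map each IKE peer (from 'IP = ...') to a list of findings."""
    by_peer = {}
    for r in parse(log_text):
        if r["peer"]:
            by_peer.setdefault(r["peer"], []).append(r)
    findings = {}
    for peer, recs in by_peer.items():
        notes = []
        ok_ts = [r["ts"] for r in recs if r["msgid"] == PHASE1_OK]
        bad_ts = [r["ts"] for r in recs if r["msgid"] == INVALID_ID
                  and "Invalid ID info" in r["body"]]
        # Phase 1 negotiated (proposals and PSK agreed) and the peer rejected
        # the ID payload right after: the identity types disagree.
        if any(abs(b - o) <= WINDOW for o in ok_ts for b in bad_ts):
            notes.append("identity mismatch: ISAKMP SA came up, then the peer "
                         "rejected the ID payload (check 'crypto isakmp identity' on both ends)")
        drops = sum(1 for r in recs if r["msgid"] == INVALID_COOKIE)
        if drops:
            notes.append(f"{drops} unencrypted INVALID_COOKIE notifies: the peer no longer holds the SA")
        if any(r["msgid"] == DPD_LOST for r in recs):
            notes.append("DPD declared the peer dead and tore the connection down")
        findings[peer] = notes
    return findings


if __name__ == "__main__":
    for peer, notes in diagnose(SAMPLE_LOG).items():
        print(peer)
        for n in notes:
            print("  -", n)
```

The script only looks at the identity-mismatch signature the thread settled on; an "Invalid ID info (18)" notify can also come from a peer whose configured remote ID simply does not match what it was sent, so treat the finding as the first thing to check rather than proof.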
03-20-2010 05:15 PM
Can you confirm that you would like to encrypt traffic between ASA LAN of 192.168.1.0/24 and Sonicwall LAN of 192.168.123.0/24?
If the above statement is correct, you would also need to add the following for the NAT exemption:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
Assuming both the ISAKMP and IPsec policies match on both ends, the tunnel should work.
If it doesn't, please send through output of:
- debug crypto isakmp
- debug crypto ipsec
Also, share the output of:
- show crypto isa sa
- show crypto ipsec sa
Thanks.
03-21-2010 04:10 AM
Indeed, that did the trick, and the tunnel works.
The 2 LANs cannot see each other, however; do I just need an ACL and/or static routes?
Thanks a lot.
03-21-2010 04:14 AM
Have you added the NAT exemption advised earlier?
03-21-2010 04:56 AM
Indeed, I forgot about it. Thanks, everything's OK now.
03-21-2010 05:11 AM
Perfect, thanks for the update.
03-21-2010 05:22 AM
One last question: if I want 192.168.123.0/24 to only be able to access 192.168.1.100 and 192.168.1.101,
will this do the trick?
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside line 5 extended permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside line 6 extended deny ip 192.168.123.0 255.255.255.0 any
03-21-2010 05:44 AM
No, the inside ACL is for traffic initiated from the inside LAN 192.168.1.0/24 out.
I would configure the following:
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.100
access-list inside-out-acl permit ip 192.168.123.0 255.255.255.0 host 192.168.1.101
access-list inside-out-acl deny ip 192.168.123.0 255.255.255.0 any
access-list inside-out-acl permit ip any any
access-group inside-out-acl out interface inside
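The order of those four lines is the whole point: the ASA evaluates an ACL top to bottom and stops at the first match, and every ACL ends in an implicit deny, so the two host permits must precede the subnet deny and the closing "permit ip any any" must exist or all other traffic toward the inside LAN dies. The following is an added example, not code from the thread, that models that first-match evaluation for the reply's ACL over a few constructed flows (source and destination only, since the entries are protocol "ip"), and also shows what happens if the deny is moved to the top. The flow addresses and the 'misordered' variant are illustration only. It does not model the interface direction itself: "out interface inside" means packets leaving the ASA toward the inside LAN, which is why the remote subnet appears as the source.

```python
import ipaddress

# The inside-out ACL from the reply above, entry by entry. Each entry is
# (action, source, destination) in ASA "network mask", "host a.b.c.d" or
# "any" notation. Protocol is "ip" throughout, so no ports are modelled.
INSIDE_OUT_ACL = [
    ("permit", "192.168.123.0 255.255.255.0", "host 192.168.1.100"),
    ("permit", "192.168.123.0 255.255.255.0", "host 192.168.1.101"),
    ("deny",   "192.168.123.0 255.255.255.0", "any"),
    ("permit", "any", "any"),
]


def to_network(spec):
    """Translate an ASA address spec into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()  # e.g. "192.168.123.0 255.255.255.0"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def evaluate(acl, src, dst):
    """First-match evaluation as the ASA does it, implicit deny at the end.
    Returns (action, 1-based line number) or ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line_no, (action, src_spec, dst_spec) in enumerate(acl, start=1):
        if s in to_network(src_spec) and d in to_network(dst_spec):
            return action, line_no
    return "deny", None


# Constructed flows: the two permitted servers, another inside host the
# remote LAN must not reach, and traffic from some other routed network
# that the closing "permit ip any any" has to leave untouched.
FLOWS = [
    ("192.168.123.50", "192.168.1.100"),
    ("192.168.123.50", "192.168.1.101"),
    ("192.168.123.50", "192.168.1.5"),
    ("192.168.50.9", "192.168.1.5"),
]


def decisions(acl=INSIDE_OUT_ACL):
    """Decision for every sample flow, keyed 'src->dst'."""
    return {f"{s}->{d}": evaluate(acl, s, d) for s, d in FLOWS}


def misordered():
    """Same four lines with the subnet deny moved to the top (a hypothetical
    mistake): first match wins, so the permits for .100 and .101 never fire."""
    acl = [INSIDE_OUT_ACL[2], INSIDE_OUT_ACL[0], INSIDE_OUT_ACL[1], INSIDE_OUT_ACL[3]]
    return decisions(acl)


if __name__ == "__main__":
    print("as posted:")
    for flow, (action, n) in decisions().items():
        print(f"  {flow:32} {action:6} line {n}")
    print("deny moved first:")
    for flow, (action, n) in misordered().items():
        print(f"  {flow:32} {action:6} line {n}")
```

One caveat a practitioner would want alongside the reply: placing the filter outbound on inside rather than inbound on outside matters because, with the default "sysopt connection permit-vpn", decrypted tunnel traffic bypasses the outside interface's inbound ACL; an outbound ACL on inside is still enforced. Verify the result with "packet-tracer input outside tcp 192.168.123.50 1024 192.168.1.5 445" after applying the access-group.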
03-21-2010 05:56 AM
Thank you. Much appreciated.