ASA 5510 L2L-VPN: Internal Error...

Answered Question
Mar 22nd, 2010
Hi there,

I am trying to connect an Astaro firewall to an ASA 5510 via L2L VPN.

I always get the following message.

What's wrong? (I have checked the parameters already.)


Regards

Marc


asa %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

asa %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

asa %ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

asa %ASA-3-713231: Group = x.x.x.x, IP = x.x.x.x, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE

asa %ASA-3-713232: Group = x.x.x.x, IP = x.x.x.x, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

asa %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
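As an added example (not part of the original thread), a small Python script that parses ASA syslog lines of the form shown above by message ID and peer, and labels a peer whose Phase 1 completed but whose IPsec proposals were rejected as a Phase 2 mismatch; the peer address 203.0.113.10 is a constructed placeholder for the x.x.x.x in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA syslog lines from the post above, with the
# peer address replaced by a documentation address (x.x.x.x in the original).
SAMPLE_LOG = """\
asa %ASA-3-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
asa %ASA-5-713904: Group = 203.0.113.10, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
asa %ASA-3-713902: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!
asa %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# ASA syslog header: %ASA-<severity>-<six-digit message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>[0-9.]+)")

# IDs taken from the log above: 713119 = Phase 1 completed; 713904 and 113019
# report the IPsec (Phase 2) proposals being rejected and the resulting disconnect.
PHASE1_OK = "713119"
PHASE2_MISMATCH_IDS = {"713904", "113019"}

def parse_line(line):
    """Return (severity, msgid, peer_ip, body), or None for non-ASA lines."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    peer = PEER_RE.search(m.group("body"))
    return (int(m.group("sev")), m.group("msgid"),
            peer.group("ip") if peer else None, m.group("body"))

def diagnose(log_text):
    """Collect message IDs per peer and label each peer's IKE negotiation outcome."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            seen[parsed[2]].add(parsed[1])
    result = {}
    for peer, ids in seen.items():
        if PHASE1_OK in ids and ids & PHASE2_MISMATCH_IDS:
            # Phase 1 agreed, so PSK and IKE policy match; the disagreement is in
            # the IPsec proposal (transform set, PFS group, crypto ACL / NAT).
            result[peer] = "phase2-mismatch"
        elif PHASE1_OK in ids:
            result[peer] = "phase1-ok"
        else:
            result[peer] = "phase1-failed-or-incomplete"
    return result
```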

DialerString_2 Mon, 03/22/2010 - 13:21

Check your natting and crypto acls. I ran into the same issue months back. Can you post the relevant crypto information for both sides?

marcbujack Tue, 03/23/2010 - 00:39
Hi,

I have no access to the Astaro firewall.

Here is my config:

The host on my side must be NATed towards the customer.


access-list POLICY_NAT extended permit ip host host
access-list CRYPTO_MAP extended permit ip host host
static (inside,outside) access-list POLICY_NAT

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto map outside_map 220 match address CRYPTO_MAP
crypto map outside_map 220 set pfs group5
crypto map outside_map 220 set peer x.x.x.x
crypto map outside_map 220 set transform-set TSET
crypto map outside_map 220 set security-association lifetime seconds 3600

Regards

Marc

DialerString_2 Tue, 03/23/2010 - 08:00

I notice that your static entry is numbered 220 - do you have Dynamic maps on the ASA? If so, the dynamic crypto map should have a higher sequence number. Check this first.


Why are you using the "POLICY_NAT" - Why not just exempt the traffic destined to that host or network:


nat (inside) 0 access-list 99

access-list 99 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 or nat-host to customer-host.

marcbujack Wed, 03/24/2010 - 03:49
Hi,

There are several other VPN tunnels.

Dynamic maps are located at 65000ff.

The solution with the static map was a Cisco suggestion. With other customers it worked fine.

I solved this problem by using 3DES and MD5 without PFS.

Thanks for your advice

Marc

Correct Answer
DialerString_2 Wed, 03/24/2010 - 04:21
Thanks Marc.


Eric

214.298.7610