03-22-2010 05:46 AM
Hi there,
I'm trying to connect an Astaro firewall via L2L VPN to an ASA5510.
I always get the following messages.
What's wrong? (I already checked the parameters.)
Regards
Marc
asa %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
asa %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
asa %ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!
asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
asa %ASA-3-713231: Group = x.x.x.x, IP = x.x.x.x, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE
asa %ASA-3-713232: Group = x.x.x.x, IP = x.x.x.x, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
asa %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
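The lines above follow the ASA syslog shape `%ASA-<severity>-<message id>: Group = ..., IP = ..., <text>`. The sequence 713119 (PHASE 1 COMPLETED) followed by 713904 (no acceptable IPsec SA proposal), the 713902 QM FSM error and the 113019 disconnect with `Reason: Phase 2 Mismatch` places the failure in quick mode, not in ISAKMP. As an added example (not part of the original post), a small Python parser and triage routine run over a constructed copy of a subset of those lines; the stage labels, the verdict names and the checklist are this example's own, not ASA terminology:

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines from the post above, copied as posted
# (the peer addresses were already masked as x.x.x.x by the poster).
SAMPLE_LOG = """\
asa %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
asa %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
asa %ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!
asa %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# %ASA-<severity>-<message id>: <body>
LINE_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
# Leading "Key = value, " fields (Group, IP, Username) that precede the free text.
FIELD_RE = re.compile(r"(\w+) = ([^,]+), ")

# Which negotiation stage each message id marks. The ids are the ones in the
# posted log; the stage labels are this example's own.
STAGE_BY_MSGID = {
    713119: "phase1_complete",
    713904: "phase2_proposal_rejected",
    713902: "phase2_fsm_error",
    113019: "session_disconnected",
}

# What to compare on both peers for each verdict (this example's own checklist).
CHECKLIST = {
    "phase2_mismatch": [
        "transform set: ESP cipher and HMAC",
        "PFS: enabled/disabled and the DH group",
        "crypto ACL / proxy IDs: mirrored on the peer and using post-NAT addresses",
    ],
    "phase1_not_completed": ["ISAKMP policy, pre-shared key, peer address"],
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one ASA syslog line into severity, message id, named fields and text."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"severity": int(m["sev"]), "msgid": int(m["msgid"])}
    rest = m["body"]
    while True:
        fm = FIELD_RE.match(rest)
        if not fm:
            break
        rec[fm[1]] = fm[2]
        rest = rest[fm.end():]
    rec["text"] = rest
    # The 113019 disconnect carries the ASA's own verdict at the end of the line.
    rm = re.search(r"Reason: (.+)$", rest)
    rec["reason"] = rm[1].strip() if rm else None
    return rec


def triage(log_text: str) -> Dict[str, object]:
    """Classify a burst of IKE/IPsec messages for one peer into a verdict."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    stages = [STAGE_BY_MSGID[r["msgid"]] for r in records if r["msgid"] in STAGE_BY_MSGID]
    disconnect = next((r for r in records if r["msgid"] == 113019), None)
    if not records:
        verdict = "no_asa_messages"
    elif "phase1_complete" in stages and "phase2_proposal_rejected" in stages:
        verdict = "phase2_mismatch"
    elif "phase1_complete" not in stages:
        verdict = "phase1_not_completed"
    else:
        verdict = "unknown"
    return {
        "peer": records[0].get("IP") if records else None,
        "stages": stages,
        "reason": disconnect["reason"] if disconnect else None,
        "verdict": verdict,
        "check": CHECKLIST.get(verdict, []),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], "-", result["reason"])
    for item in result["check"]:
        print(" -", item)
```

The point of splitting the fields out is that 713904 alone only says that no proposal matched; it is the preceding 713119 that rules out a phase 1 problem (pre-shared key, ISAKMP policy) and narrows the comparison to the transform set, PFS and the crypto ACL on both peers.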
03-22-2010 01:21 PM
Check your NATing and crypto ACLs. I ran into the same issue months back. Can you post the relevant crypto information for both sides?
03-23-2010 12:39 AM
Hi,
I have no access to the Astaro firewall.
Here is my config:
The host on my side must be NATed towards the customer.
access-list POLICY_NAT extended permit ip host
access-list CRYPTO_MAP extended permit ip host
static (inside,outside)
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto map outside_map 220 match address CRYPTO_MAP
crypto map outside_map 220 set pfs group5
crypto map outside_map 220 set peer x.x.x.x
crypto map outside_map 220 set transform-set TSET
crypto map outside_map 220 set security-association lifetime seconds 3600
Regards
Marc
03-23-2010 08:00 AM
I notice that your static entry is numbered 220. Do you have dynamic maps on the ASA? If so, the dynamic crypto map should have a higher sequence number. Check this first.
Why are you using "POLICY_NAT"? Why not just exempt the traffic destined to that host or network:
nat (inside) 0 access-list 99
access-list 99 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0, or nat-host to customer-host.
03-24-2010 03:49 AM
Hi,
There are several other VPN tunnels.
Dynamic maps are located at 65,000ff.
The solution with the static map was a Cisco suggestion. With other customers it worked fine.
I solved this problem by using 3DES and MD5 without PFS.
Thanks for your advice
Marc
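Eric's advice (check the NAT and the crypto ACLs) and Marc's resolution (the same ESP transform on both ends and no PFS) are the three things a responder checks before it accepts a quick-mode proposal: the transform set, the PFS group, and the proxy IDs, which must be the mirror image of the crypto ACL and must name the post-NAT address. As an added example that is not from the thread, a Python matcher that reports which of the three is wrong. The addresses are constructed from documentation ranges, and the matching rules are a simplified model of this example's own, not the ASA's IKE code: it treats PFS configured on one side and absent on the other as a mismatch, which is the behaviour the thread ends on.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IPsec SA proposal as the initiator sends it in quick mode."""
    encryption: str            # ESP cipher, e.g. "3des"
    integrity: str             # ESP HMAC, e.g. "md5"
    pfs_group: Optional[int]   # DH group in the KE payload; None = no PFS offered
    local_net: str             # initiator's side of the traffic selector (proxy ID)
    remote_net: str            # the side it expects behind the responder


@dataclass(frozen=True)
class CryptoMapEntry:
    """The parts of an ASA crypto map entry that decide phase 2 (simplified)."""
    transform_sets: Tuple[Tuple[str, str], ...]   # (esp cipher, esp hmac) per 'set transform-set'
    pfs_group: Optional[int]                       # 'set pfs groupN'; None if there is no 'set pfs'
    crypto_acl: Tuple[Tuple[str, str], ...]        # (src, dst) lines of the 'match address' ACL


def phase2_mismatches(entry: CryptoMapEntry, offered: Proposal) -> List[str]:
    """Return why the responder would reject the proposal; an empty list means acceptable.

    Simplified model (this example's own): the transform must be one the entry
    lists, the PFS group must be equal on both sides (including both absent), and
    the peer's proxy IDs must mirror one line of the crypto ACL.
    """
    reasons: List[str] = []
    accepted = [f"esp-{c} esp-{h}-hmac" for c, h in entry.transform_sets]
    if (offered.encryption, offered.integrity) not in entry.transform_sets:
        reasons.append(
            f"transform: peer offers esp-{offered.encryption} esp-{offered.integrity}-hmac, "
            f"responder accepts {accepted}")
    if entry.pfs_group != offered.pfs_group:
        reasons.append(f"pfs: responder has group {entry.pfs_group}, peer offered {offered.pfs_group}")
    # The peer's (remote, local) as seen from its side is our (src, dst).
    want = (ip_network(offered.remote_net), ip_network(offered.local_net))
    have = [(ip_network(src), ip_network(dst)) for src, dst in entry.crypto_acl]
    if want not in have:
        reasons.append(f"proxy-id: peer wants {want[0]} <-> {want[1]}, crypto ACL has {have}")
    return reasons


# Constructed sample with hypothetical addresses from documentation ranges: our
# host 10.1.1.5 is translated to 203.0.113.10 before it enters the tunnel, and
# the customer's network is 192.168.50.0/24.
THIS_SIDE_ACL = (("203.0.113.10/32", "192.168.50.0/24"),)
ASA_WITH_PFS = CryptoMapEntry((("3des", "md5"),), 5, THIS_SIDE_ACL)
ASA_NO_PFS = CryptoMapEntry((("3des", "md5"),), None, THIS_SIDE_ACL)
# Same map, but the crypto ACL lists the pre-NAT address by mistake.
ASA_PRE_NAT_ACL = CryptoMapEntry((("3des", "md5"),), 5, (("10.1.1.5/32", "192.168.50.0/24"),))

# What the peer offers with 3DES/MD5 and PFS disabled on its side.
PEER_NO_PFS = Proposal("3des", "md5", None, "192.168.50.0/24", "203.0.113.10/32")
# The same peer with PFS group 5 enabled.
PEER_PFS5 = Proposal("3des", "md5", 5, "192.168.50.0/24", "203.0.113.10/32")


if __name__ == "__main__":
    for name, entry in [("pfs on", ASA_WITH_PFS), ("pfs off", ASA_NO_PFS), ("pre-NAT acl", ASA_PRE_NAT_ACL)]:
        print(name, "vs peer without PFS:", phase2_mismatches(entry, PEER_NO_PFS) or "acceptable")
    print("pfs on vs peer with PFS group 5:", phase2_mismatches(ASA_WITH_PFS, PEER_PFS5) or "acceptable")
```

Two of the four runs come out acceptable: the map without `set pfs` against a peer that offers none (the thread's final state), and the map with group 5 against a peer that also offers group 5. The second is the one to prefer when the other side can be configured, since dropping PFS brings the tunnel up at the cost of forward secrecy for the phase 2 keys. The pre-NAT ACL case shows why Eric asked about NAT first: the proxy IDs the peer sends name the translated address, and the crypto ACL has to match it.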
03-24-2010 04:21 AM
Thanks Marc.
Eric
214.298.7610