ASA 5510 L2L-VPN: Internal Error...

marcbujack (Level 1)

Hi there,

I am trying to connect an Astaro firewall to an ASA 5510 via an L2L VPN.

I always get the following messages:

What's wrong? (I have checked the parameters already.)

Regards

Marc

asa %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

asa %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

asa %ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

asa %ASA-3-713231: Group = x.x.x.x, IP = x.x.x.x, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE

asa %ASA-3-713232: Group = x.x.x.x, IP = x.x.x.x, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 1, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

asa %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
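A small triage script for the log excerpt above, added here as an example and not part of the original post or of any Cisco tool: it parses %ASA syslog lines into message id and key/value fields, groups them per peer, and reports whether the tunnel died in Phase 1 or Phase 2. The sample log is constructed from the lines above (plus one constructed line for a second peer, y.y.y.y, that only reached Phase 1). The message ids that matter are 713119 (PHASE 1 COMPLETED), 713904 (all IPsec SA proposals unacceptable) and 113019 (session disconnected with its Reason). Because Phase 1 completed, only Quick Mode parameters can disagree: transform set, PFS group, or the proxy IDs in the crypto ACL; the 713231/713232 Internal Error lines accompany the failed Quick Mode and are not treated as a separate fault.

```python
import re

# Constructed sample input: the syslog lines from the post above, peer address
# anonymised as x.x.x.x as in the original, plus one constructed line for a
# second peer (y.y.y.y) that only completed Phase 1.
SAMPLE_LOG = """\
asa %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
asa %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
asa %ASA-5-713904: Group = x.x.x.x, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
asa %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7bc32f0, mess id 0xc5da78b7)!
asa %ASA-3-713231: Group = x.x.x.x, IP = x.x.x.x, Internal Error, ike_lock trying to unlock bit that is not locked for type SA_LOCK_P1_SA_CREATE
asa %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
asa %ASA-3-713119: Group = y.y.y.y, IP = y.y.y.y, PHASE 1 COMPLETED
"""

# %ASA-<severity>-<six digit message id>: <body>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
# "Key = value" pairs in the body (Group, IP, Username, refCnt, ...)
KV_RE = re.compile(r"([A-Za-z_][\w ]*?)\s*=\s*([^,]+)")
# Disconnect reason at the end of a 113019 line
REASON_RE = re.compile(r"Reason:\s*(.+?)\s*$")

PHASE1_COMPLETED = "713119"
P2_PROPOSALS_REJECTED = "713904"
SESSION_DISCONNECTED = "113019"


def parse_asa_log(text):
    """Turn raw syslog lines into dicts: severity, message id, body and key/value fields."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an ASA syslog line
        body = m.group("body")
        fields = {k.strip(): v.strip() for k, v in KV_RE.findall(body)}
        reason = REASON_RE.search(body)
        if reason:
            fields["Reason"] = reason.group(1)
        events.append({"sev": int(m.group("sev")), "msgid": m.group("msgid"),
                       "body": body, "fields": fields})
    return events


def triage_peers(events):
    """Per peer IP: did IKE get past Phase 1, did Quick Mode fail, and what to compare."""
    by_peer = {}
    for ev in events:
        by_peer.setdefault(ev["fields"].get("IP", "?"), []).append(ev)

    verdicts = {}
    for peer, evs in by_peer.items():
        ids = {e["msgid"] for e in evs}
        reasons = [e["fields"]["Reason"] for e in evs if "Reason" in e["fields"]]
        p1_ok = PHASE1_COMPLETED in ids
        p2_rejected = P2_PROPOSALS_REJECTED in ids or any("Phase 2" in r for r in reasons)
        if p1_ok and p2_rejected:
            # IKE policy and pre-shared key agree; only Quick Mode parameters can differ.
            verdicts[peer] = {"verdict": "PHASE2_MISMATCH", "check": [
                "transform-set (ESP cipher and HMAC) on both sides",
                "PFS: both peers set the same DH group, or neither sets PFS",
                "crypto ACL / proxy IDs, using the post-NAT addresses",
                "crypto map order: static entries below the dynamic entry",
            ]}
        elif not p1_ok:
            verdicts[peer] = {"verdict": "NO_PHASE1", "check": [
                "IKE policy (encryption, hash, DH group, lifetime)",
                "pre-shared key and peer address",
            ]}
        else:
            verdicts[peer] = {"verdict": "PHASE1_ONLY", "check": []}
    return verdicts


if __name__ == "__main__":
    for peer, v in triage_peers(parse_asa_log(SAMPLE_LOG)).items():
        print(peer, v["verdict"])
        for item in v["check"]:
            print("   -", item)
```

Feed it the output of `show logging` (or the syslog collector's file) instead of the constructed sample; only lines carrying the %ASA-x-nnnnnn prefix are considered.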


5 Replies

DialerString_2 (Level 3)

Check your NAT and crypto ACLs. I ran into the same issue months back. Can you post the relevant crypto information for both sides?

Hi,

I have no access to the Astaro firewall.

Here is my config:

The host on my side must be NATted towards the customer.

access-list POLICY_NAT extended permit ip host host
access-list CRYPTO_MAP extended permit ip host host

static (inside,outside) access-list POLICY_NAT

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto map outside_map 220 match address CRYPTO_MAP
crypto map outside_map 220 set pfs group5
crypto map outside_map 220 set peer x.x.x.x
crypto map outside_map 220 set transform-set TSET
crypto map outside_map 220 set security-association lifetime seconds 3600

Regards

Marc

I notice that your static entry is numbered 220. Do you have dynamic maps on the ASA? If so, the dynamic crypto map should have a higher sequence number. Check this first.

Why are you using the POLICY_NAT? Why not just exempt the traffic destined to that host or network:

nat (inside) 0 access-list 99
access-list 99 extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

or nat-host to customer-host.
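Eric's ordering point can be checked mechanically. The following is an added example, not from the post and not a Cisco tool: it parses the `crypto map` lines of an ASA running-config, flags any static entry whose sequence number sorts after the dynamic entry of the same map (Cisco's guidance is that the dynamic entry takes the highest sequence number so that static peers are matched first), and flags static entries missing a `match address`, `set peer` or `set transform-set`. The config text is constructed: Marc's entry 220 with a dynamic entry at 65000, plus a second, deliberately misordered map named bad_map with a hypothetical peer y.y.y.y.

```python
import re
from collections import defaultdict

# Constructed sample config: Marc's static entry 220 and a dynamic entry at
# 65000 in outside_map, plus a hypothetical bad_map whose dynamic entry (10)
# sorts before its static entry (20) and whose static entry lacks a transform-set.
SAMPLE_CONFIG = """\
crypto map outside_map 220 match address CRYPTO_MAP
crypto map outside_map 220 set pfs group5
crypto map outside_map 220 set peer x.x.x.x
crypto map outside_map 220 set transform-set TSET
crypto map outside_map 220 set security-association lifetime seconds 3600
crypto map outside_map 65000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map bad_map 10 ipsec-isakmp dynamic bad_dyn_map
crypto map bad_map 20 match address CUSTOMER_B
crypto map bad_map 20 set peer y.y.y.y
"""

# crypto map <name> <seq> <rest>; the "interface" binding line has no seq and is skipped
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: {"dynamic", "match", "peer", "transform"}}}."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps[name].setdefault(
            seq, {"dynamic": False, "match": False, "peer": False, "transform": False})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"] = True
        elif rest.startswith("match address"):
            entry["match"] = True
        elif rest.startswith("set peer"):
            entry["peer"] = True
        elif rest.startswith("set transform-set"):
            entry["transform"] = True
    return dict(maps)


def check_crypto_maps(maps):
    """Static entries must sort before the dynamic entry and carry ACL, peer and transform-set."""
    findings = []
    for name, entries in maps.items():
        dyn_seqs = [s for s, e in entries.items() if e["dynamic"]]
        lowest_dyn = min(dyn_seqs) if dyn_seqs else None
        for seq, e in sorted(entries.items()):
            if e["dynamic"]:
                continue
            if lowest_dyn is not None and seq > lowest_dyn:
                findings.append(f"{name} {seq}: static entry sorts after dynamic entry "
                                f"{lowest_dyn}; give the dynamic entry the highest sequence")
            for key, cmd in (("match", "match address"), ("peer", "set peer"),
                             ("transform", "set transform-set")):
                if not e[key]:
                    findings.append(f"{name} {seq}: missing '{cmd}'")
    return findings


if __name__ == "__main__":
    for f in check_crypto_maps(parse_crypto_maps(SAMPLE_CONFIG)):
        print(f)
```

Run it against `show running-config crypto map`; a clean map produces no findings. Matching entry numbers on the ASA only settles the ordering question; the Phase 2 parameters themselves still have to agree with the peer.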

Hi,

There are several other VPN tunnels.

The dynamic maps are at sequence 65000 and above.

The solution with the static map was a Cisco suggestion. With other customers it worked fine.

I solved this problem by using 3DES and MD5 without PFS.

Thanks for your advice

Marc

Thanks, Marc.

Eric

214.298.7610