Site-to-Site tunnel issue

Unanswered Question
Sep 3rd, 2010

Hello expert


I am trying to establish a site-to-site tunnel between an ASA 5520 firewall and a Cisco 2811 router. The tunnel is not coming up: phase 1 is getting completed and phase 2 is facing the problem.


I am getting the following error:


no proposal chosen ( 14) received non routine notify message


On the same firewall, one more tunnel is working fine, and similar is the case for the Cisco 2811 router. We tried all possible combinations for authentication/encryption/group but no success. Finally we have frozen the config of the tunnel on the router with the same as the other tunnel which is working on the router, and we are trying the combinations on the ASA side to make it come up. Can you please help me on the same?



ASA Side Config


crypto map outside_map 3 match address outside_cryptomap_3

crypto map outside_map 3 set peer a.b.c.d

crypto map outside_map 3 set transform-set ESP-DES-SHA ESP-3DES-MD5 ESP-3DES ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside



tunnel-group a.b.c.d type ipsec-l2l

tunnel-group a.b.c.d general-attributes

default-group-policy EDGAR_ONLINE

tunnel-group a.b.c.d ipsec-attributes

pre-shared-key ****

!


Router Side Config


crypto isakmp policy 1

encr aes

authentication pre-share

group 2

!


crypto isakmp key **** address x.y.z.w no-xauth

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10

!

!


crypto ipsec transform-set TransSetSun2 esp-aes esp-md5-hmac

!


!


!

crypto map CustMap redundancy replay-interval inbound 800 outbound 10000

crypto map CustMap 30 ipsec-isakmp

set peer x.y.z.w

set transform-set TransSetSun2

match address protect CUST

!

Federico Coto F... Fri, 09/03/2010 - 10:40

Hi,


On the ASA replace this line:


no crypto map outside_map 3 set transform-set ESP-DES-SHA ESP-3DES-MD5 ESP-3DES ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5


With these two:


crypto ipsec transform-set myset esp-aes esp-md5-hmac


crypto map outside_map 3 set transform-set myset


Try again.


Federico.
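The phase 2 proposal comparison discussed in this reply, written up as an added example (not code from the thread or from Cisco): it normalizes IOS/ASA transform-set lines into (cipher, key size, integrity) tuples and lists which local/peer pairs agree. The router line is the one posted above; the ASA definitions are reproduced from the ASA's factory-default names as an assumption, since the post only shows the names.

```python
import re

# Keyword tables for IOS/ASA transform-set syntax. A bare "esp-aes" means
# AES-128 on both platforms, so it normalizes to the same value as "esp-aes-128".
CIPHERS = {
    "esp-des": ("des", 56), "esp-3des": ("3des", 168),
    "esp-aes": ("aes", 128), "esp-aes-128": ("aes", 128),
    "esp-aes-192": ("aes", 192), "esp-aes-256": ("aes", 256),
}
INTEGRITY = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def parse_transform_set(line):
    """Parse 'crypto ipsec transform-set NAME kw ...' into (name, (cipher, bits, integrity))."""
    m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line.strip())
    if not m:
        raise ValueError(f"not a transform-set line: {line!r}")
    cipher = bits = integ = None
    for kw in m.group(2).split():
        if kw in CIPHERS:
            cipher, bits = CIPHERS[kw]
        elif kw in INTEGRITY:
            integ = INTEGRITY[kw]
        else:
            raise ValueError(f"unsupported transform keyword {kw!r}")
    return m.group(1), (cipher, bits, integ)

def matching_proposals(local_lines, peer_lines):
    """Return (local_name, peer_name) pairs whose ESP cipher, key size and integrity all agree."""
    local = dict(parse_transform_set(l) for l in local_lines)
    peer = dict(parse_transform_set(l) for l in peer_lines)
    return [(ln, pn) for ln, lt in local.items() for pn, pt in peer.items() if lt == pt]

# Router side, exactly as posted in the thread.
ROUTER = ["crypto ipsec transform-set TransSetSun2 esp-aes esp-md5-hmac"]

# ASA side: the thread lists only set names; these bodies are the ASA's
# factory-default definitions for those names (assumption, not from the post).
ASA = [
    "crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac",
    "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac",
    "crypto ipsec transform-set ESP-AES-128-SHA esp-aes-128 esp-sha-hmac",
    "crypto ipsec transform-set ESP-AES-128-MD5 esp-aes-128 esp-md5-hmac",
    "crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac",
]

if __name__ == "__main__":
    pairs = matching_proposals(ASA, ROUTER)
    print("matching proposals:", pairs or "NONE (expect 'no proposal chosen' in phase 2)")
```

The check covers the ESP cipher and integrity algorithm only; the PFS group and the crypto ACL (proxy identities) on both sides must also agree before phase 2 completes.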

sameermunj Fri, 09/03/2010 - 11:06

Thanks for the quick reply.


So you want me to remove the extra transform sets and use only the one which is required.


Will it work now??? (That was the only problem?)


Regards

Sameer

Federico Coto F... Fri, 09/03/2010 - 11:18

Well...


Phase 2 should match now... can you test it?

I see you have spi-recovery and redundancy on the crypto map on the router side (are those there for a reason)?


Federico.

sameermunj Fri, 09/03/2010 - 19:47

Hi


Need to take client online for this testing...



Regarding the router side parameters, we can't change much as it belongs to our client's infrastructure. Corresponding to those parameters, do you suggest we put any extra configuration in the ASA? Please let us know and accordingly we will match it.

sameermunj Mon, 09/06/2010 - 00:06

Hi


The other transform sets belong to the other tunnel.


Anyway, after removing those statements and adding the new statements mentioned by you, phase 1 itself is not coming up...


Anything else you suspect?
