09-20-2010 01:34 AM - edited 02-21-2020 04:51 PM
PIX# Sep 17 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Sep 17 14:58:51 [IKEv1]: IP = Y, Connection landed on tunnel_group
Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA Proposal # 1, Transform # 13 acceptable Matches global IKE entry # 1
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, User (X) authenticated.
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received unsupported transaction mode attribute: 5
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Client Type: WinNT Client Application Version: 5.0.06.0160
Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED
Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P1 rekey timer: 6840 seconds.
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received remote Proxy Host data in ID Payload: Address 10.0.1.7, Protocol 0, Port 0
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, QM IsRekeyed old sa not found by addr
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE Remote Peer configured for crypto map: outside_dyn_map
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP =Y, processing IPSec SA payload
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IPSec SA Proposal # 14, Transform # 1 acceptable Matches global IPSec SA entry # 20
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP =Y, IKE: requesting SPI!
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Overriding Initiator's IPSec rekeying duration from 2147483 to 7200 seconds
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Transmitting Proxy Id:
Remote host: 10.0.1.7 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y Sending RESPONDER LIFETIME notification to Initiator
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Security negotiation complete for User (slalanne) Responder, Inbound SPI = 0x6044adb5, Outbound SPI = 0xcd82f95e
Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P2 rekey timer: 6840 seconds.
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Adding static route for client address: 10.0.1.7
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid=c4d80320)
PIX# Sep 17 14:59:40 [IKEv1]: Group = X, Username = X, IP = Y, Connection terminated for peer X. Reason: Peer Terminate Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0
Sep 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE Deleting SA: Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0
Sep 17 14:59:40 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping
Then the IPSec debugs are also normal.
Now this user logs out and another client connects normally. The old user tries to connect back in, and here is the difference in the debug:
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y,QM FSM error (P2 struct &0x2a5fd68, mess id 0x16b59315)!
Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE QM Responder FSM error history (struct &0x2a5fd68) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Removing peer from correlator table failed, no match!
Sep 17 14:25:22 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping
Here is the VPN config ... and I don't see what the issue is:
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group X type ipsec-ra
tunnel-group X general-attributes
address-pool adresses
authentication-server-group (outside) LOCAL
default-group-policy X
tunnel-group X ipsec-attributes
pre-shared-key *
prompt hostname context
ip local pool adresses 10.0.1.6-10.0.1.40 mask 255.255.255.0
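As an added check that is not part of this thread: a short Python script that compares the destination of the dynamic-map crypto ACL (outside_cryptomap_dyn_20) with the address pool, lists the pool addresses the ACL can never match, and ties that back to the "Rejecting IPSec tunnel" line from the debug above. The ACL, pool and log line are copied from the thread; the two-line sample log is constructed.

```python
import ipaddress
import re

# Values from the thread's configuration (constructed tuples, not ASA syntax).
CRYPTO_ACL_DST = ("10.0.1.0", "255.255.255.248")  # outside_cryptomap_dyn_20 destination
POOL_RANGE = ("10.0.1.6", "10.0.1.40")            # ip local pool adresses

# Constructed sample: the failing client's reject line from the thread plus one unrelated line.
SAMPLE_LOG = [
    "Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 "
    "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
    "Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid=c4d80320)",
]

# Matches the ASA/PIX IKEv1 reject message and captures the remote proxy address.
REJECT_RE = re.compile(
    r"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def pool_addresses(first, last):
    """Expand an inclusive first-last range into IPv4Address objects."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(i) for i in range(a, b + 1)]


def uncovered_pool_addresses(acl_dst, pool):
    """Pool addresses outside the crypto ACL destination; clients given these fail Phase 2."""
    net = ipaddress.IPv4Network(f"{acl_dst[0]}/{acl_dst[1]}", strict=False)
    return [str(ip) for ip in pool_addresses(*pool) if ip not in net]


def rejected_proxies(log_lines):
    """Remote proxy addresses the firewall rejected for lack of a crypto map match."""
    return [m.group("ip") for line in log_lines if (m := REJECT_RE.search(line))]


def explain(acl_dst, pool, log_lines):
    """Map each rejected proxy to True when the ACL mask is what excludes it."""
    uncovered = set(uncovered_pool_addresses(acl_dst, pool))
    return {ip: ip in uncovered for ip in rejected_proxies(log_lines)}


if __name__ == "__main__":
    print("pool addresses the crypto ACL cannot match:", uncovered_pool_addresses(CRYPTO_ACL_DST, POOL_RANGE))
    print("rejected proxies explained by the ACL mask:", explain(CRYPTO_ACL_DST, POOL_RANGE, SAMPLE_LOG))
```

With the thread's values the first seven pool addresses fit the /29 and everything from 10.0.1.8 up is outside it, which is why the first client (10.0.1.7) connected and the next one (10.0.1.8) was rejected.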
09-20-2010 02:25 AM
Please remove the crypto ACL from the dynamic crypto map; it causes weird behaviour.
Try using a split ACL instead of an ACL in the dynamic crypto map and let me know how it goes.
09-20-2010 06:56 AM
Thanks for the help, but after I looked for some configuration examples on cisco.com I tried to configure split tunneling, but couldn't really understand it.
Can you please help?
I'd like to thank you for the previous post.
Nicolas
09-20-2010 08:26 AM
This link will help you:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
Configure the ACL and call it in the group-policy attributes.
09-21-2010 02:03 AM
Hey there!
Now here is what it looks like:
access-list Split_Tunnel_List; 1 elements
access-list Split_Tunnel_List line 1 remark LAN behind ASA
access-list Split_Tunnel_List line 2 standard permit 10.0.0.0 255.255.255.0 (hitcnt=0) 0xc1e1c483
service-policy global_policy global
group-policy X internal
group-policy X attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value oenodev.com
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
Should I remove the crypto map now as you asked?
I tried to connect a second user but still get the same log message.
09-21-2010 08:38 AM
Yes, please remove this:
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
and
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
Though the second one is not required to be removed, I would like to try with the default value once.
09-21-2010 11:57 PM
Thanks a lot,
The solution seems to work. I still need some feedback from the client.
Many, many thanks for the help provided.
I'll definitely read more books on security.