Cannot establish L2L VPN between ASA and Juniper

nowcommsupport
Level 1

I am attempting to configure an ASA to form an IPSec L2L tunnel with a Juniper device. Phase one completes OK but phase two fails. I see the following message in the ASA logs:

3|Jun 28 2011|15:52:22|713902|||||Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

3|Jun 28 2011|15:52:22|713902|||||Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7aa6c190, mess id 0x8bc2144b)!

3|Jun 28 2011|15:52:22|713061|||||Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Outside1

I did some research and found a document on Cisco (http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml) that appears to describe the exact issue I am having, stating that this issue is indicative of a dynamic crypto map entry having a LOWER seq number than a static entry, and gives an example of a properly numbered crypto map as follows:

crypto dynamic-map cisco 20 set transform-set myset

crypto map mymap 10 match address 100

crypto map mymap 10 set peer 172.16.77.10

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

crypto map mymap 60000 ipsec-isakmp dynamic cisco

The IPSec config I added is in bold; the config not in bold already existed:

crypto ipsec transform-set AES esp-aes-256 esp-sha-hmac

crypto ipsec transform-set Shopper_Trans_Set esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN-MAP 5 set transform-set AES

crypto dynamic-map DYN-MAP 5 set security-association lifetime seconds 86400

crypto map VPN 1 match address Outside1_cryptomap

crypto map VPN 1 set peer X.X.X.X

crypto map VPN 1 set transform-set Shopper_Trans_Set

crypto map VPN 60 ipsec-isakmp dynamic DYN-MAP

crypto map VPN interface Outside2

crypto map VPN interface Outside1

crypto isakmp identity address

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 28800

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

The sequence numbers seem to follow the rules, so I am confused as to what is wrong.

However, I am concerned that the ASA I am using has two "OUTSIDE" interfaces and am worried the ASA is trying to establish through the wrong interface. However, my research suggests I would see a message such as:

%ASA-3-713042: IKE Initiator unable to find policy:

Can anyone help, please?

1 Reply

Jennifer Halim
Cisco Employee

The error message seems to suggest that your crypto ACL does not match the one that Juniper is configured with.

The crypto ACL on the ASA needs to be mirrored image ACL on the Juniper.

Check out the "Outside1_cryptomap" ACL, and make sure that Juniper is configured with the mirror image of that ACL.

From the error message, Juniper seems to be configured with "any to any" ACL for the crypto ACL.
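The 713061 message carries the two proxy IDs the ASA compared against its crypto map: "remote proxy" is the network the peer claims as its own (IDci in Quick Mode) and "local proxy" is the network it expects the ASA to protect (IDcr), each printed as net/mask/protocol/port. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses that log line, parses an ASA extended crypto ACL, tests whether any ACE is the exact mirror of the proposal, and prints the proxy IDs the Juniper side would have to send. The log line is the one from the question; the Outside1_cryptomap ACL is constructed for the example because the poster never shows it. Only an exact mirror is treated as a match (the conservative reading of the advice above); the ASA's own acceptance rules for narrower proposals are not covered by this page.

```python
import ipaddress
import re

# Constructed sample of the 713061 line from the question (peer IPs stay x.x.x.x).
SAMPLE_LOG = (
    "3|Jun 28 2011|15:52:22|713061|||||Group = x.x.x.x, IP = x.x.x.x, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Outside1"
)

# Constructed crypto ACL; the poster's real Outside1_cryptomap is not on the page.
SAMPLE_ACL = """
access-list Outside1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

PROXY_RE = re.compile(
    r"\|713061\|.*remote proxy (\S+) local proxy (\S+) on interface (\S+)"
)
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


def parse_proxy(text):
    """'net/mask/proto/port' as printed by the ASA -> (IPv4Network, proto, port)."""
    net, mask, proto, port = text.split("/")
    return ipaddress.IPv4Network(f"{net}/{mask}"), int(proto), int(port)


def parse_713061(line):
    """Return (remote_proxy, local_proxy, interface), or None for other lines."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return parse_proxy(m.group(1)), parse_proxy(m.group(2)), m.group(3)


def _take_addr(tokens, i):
    """Consume one ASA address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text, name):
    """Return [(proto, src, dst), ...] for each permit ACE of the named ACL."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[3] != "permit":
            continue
        proto = PROTO_NUM.get(t[4])
        if proto is None:
            continue  # object-groups and other protocols are out of scope here
        src, i = _take_addr(t, 5)
        dst, _ = _take_addr(t, i)
        aces.append((proto, src, dst))
    return aces


def diagnose(log_line, acl_text, acl_name="Outside1_cryptomap"):
    """Compare the peer's proposed proxy IDs with the ASA crypto ACL.

    The ASA prints the peer's network as 'remote proxy' and its own as
    'local proxy', so an ACE matches when local == src and remote == dst.
    """
    parsed = parse_713061(log_line)
    if parsed is None:
        return None
    remote, local, iface = parsed
    aces = parse_crypto_acl(acl_text, acl_name)
    matched = any(
        local[0] == src and remote[0] == dst and local[1] == proto
        for proto, src, dst in aces
    )
    any_any = remote[0].prefixlen == 0 and local[0].prefixlen == 0
    # Mirror image from the peer's point of view: its local network is the
    # ASA ACE destination, its remote network is the ASA ACE source.
    expected = [(str(dst), str(src)) for _, src, dst in aces]
    return {
        "interface": iface,
        "asa_saw_remote_proxy": str(remote[0]),
        "asa_saw_local_proxy": str(local[0]),
        "matched": matched,
        "peer_proposed_any_any": any_any,
        "expected_peer_proxy_ids": expected,
    }


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG, SAMPLE_ACL)
    print(f"{r['interface']}: remote proxy {r['asa_saw_remote_proxy']}, "
          f"local proxy {r['asa_saw_local_proxy']}, matched={r['matched']}")
    if r["peer_proposed_any_any"]:
        print("peer proposed any/any proxy IDs; ASA crypto ACL has no any/any ACE")
    for peer_local, peer_remote in r["expected_peer_proxy_ids"]:
        print(f"  peer needs proxy-id: local {peer_local} remote {peer_remote}")
```

Run against the thread's log line, the checker reports no match and flags the any/any proposal, which is what a Juniper route-based tunnel sends when no explicit proxy identity is configured; the printed pairs are the identities the Juniper administrator would set so that its local/remote selectors are the swap of the ASA ACE's source/destination.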
