Help Please - ASA Pre-shared key error - not wrong key!

perfik2006
Level 1

Hello

I have a cisco asa 5510 running 8.2 and a tunnel connected to what I believe is a Fortinet device.

The errors in my ASDM 6.2 real time log state:

3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!

4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry

3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!

6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch

5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201  local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0,  Crypto map (SSHAEXTERNAL_map3)

These errors just keep repeating, but occasionally the tunnel will come up for an unknown reason. I know that the pre-shared keys match and that all the crypto maps etc. are correct. This is the first tunnel on a new ASA and that may be a factor, but I am not sure.

Why does the box tell me I have a pre-shared key mismatch when I know I don't? I am not using certificates either, so the Digital Signature piece is not the issue.

Any help would be appreciated; I can post the config if that would help.

Thanks
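As an added example that is not part of the original post, here is a small Python parser for ASDM real-time log lines in the layout shown above. It re-orders the newest-first ASDM listing by timestamp, tags each line as a Phase 1 event (from the message id where it is specific, 713041, and from the message text where the id is a generic wrapper, 713902/713903/713905), and reports per peer whether a Phase 1 attempt was followed by the "Rxed Hash is incorrect" failure. The sample input is the five lines from this post with the peer address redacted as posted; the event names and verdict strings are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the five ASDM real-time log lines from the post,
# with the peer address redacted exactly as the poster redacted it.
SAMPLE_LOG = """\
3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!
4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry
3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!
6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201  local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0,  Crypto map (SSHAEXTERNAL_map3)
"""

# ASDM line layout: <severity> <Mon dd yyyy hh:mm:ss> <6-digit message id> <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
PEER_RE = re.compile(r"IP = (?P<ip>[0-9A-Za-z.]+)")

def classify(msgid, text):
    """Map a line to an IKE Phase 1 event. 713041 is specific (new Phase 1);
    713902/713903/713905 are generic wrappers, so their text decides."""
    if msgid == "713041":
        return "phase1_start"
    if "Pre-shared key or Digital Signature mismatch" in text:
        return "auth_hash_mismatch"
    if "PeerTblEntry" in text or "peer table" in text:
        return "peer_table_cleanup"
    if "Invalid packet" in text:
        return "invalid_packet"
    return "other"

def parse_line(line):
    """Parse one ASDM line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer = PEER_RE.search(m["text"])
    return {
        "severity": int(m["sev"]),
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "msgid": m["msgid"],
        "peer": peer["ip"] if peer else None,
        "event": classify(m["msgid"], m["text"]),
        "text": m["text"],
    }

def summarize(log_text):
    """Return (events oldest-first, verdict per peer). ASDM lists newest first,
    so lines are re-sorted by timestamp before the sequence is judged."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])   # stable sort: ties keep ASDM order
    per_peer = defaultdict(Counter)
    for e in events:
        if e["peer"]:
            per_peer[e["peer"]][e["event"]] += 1
    verdicts = {}
    for peer, c in per_peer.items():
        if c["phase1_start"] and c["auth_hash_mismatch"]:
            verdicts[peer] = "phase1 authentication failed (hash/PSK check)"
        elif c["phase1_start"]:
            verdicts[peer] = "phase1 attempted, no authentication failure seen"
        else:
            verdicts[peer] = "no phase1 activity"
    return events, verdicts

if __name__ == "__main__":
    evs, verdicts = summarize(SAMPLE_LOG)
    for e in evs:
        print(e["time"].time(), e["msgid"], e["event"])
    print(verdicts)
```

Run against a larger buffer (`show logging` output pasted into `SAMPLE_LOG`), the per-peer verdict separates peers that never got past the hash check from peers whose tunnels came up, which is the pattern the poster describes.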

6 Replies

perfik2006
Level 1

Here is the config.

I apologise if there are glaring errors; this is my first ASA, and by now, with this problem, I have had some varied input about various settings.

NYGHASAVPN# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname NYGHASAVPN
domain-name nygh.on.ca
enable password wtf encrypted
passwd rofl encrypted
names
name 10.x.x.98 ASA-EXT
name 205.x.x.1 ASA-INT
name 10.x.x.1 SSHANEXTHOP
!
interface Ethernet0/0
 nameif SSHAEXTERNAL
 security-level 0
 ip address 10.x.x.111 255.255.255.128
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif NYGHINT
 security-level 100
 ip address ASA-INT 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address dhcp setroute
 management-only
!
banner exec      WELCOME!!  ---------->  You are entering NORMAL mode. <----------
banner exec          For EXEC mode, please use enable and the EXEC password.
banner login      !*!*!*!*!Welcome to the NYGH ASA VPN appliance!*!*!*!*!
banner login       Please document any changes and make a backup before you start.
banner login         **All changes are logged under the user ID**
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup SSHAEXTERNAL
dns domain-lookup NYGHINT
dns domain-lookup management
dns server-group DefaultDNS
 name-server 205.x.x.248
 domain-name nygh.on.ca
same-security-traffic permit inter-interface
object-group network echn-net
 network-object echn-net2 255.255.255.0
 network-object echn-net 255.255.255.128
object-group network NYGHALL
 description All NYGH groups except 10.x.x.0 and 1010
 network-object nygh1012 255.255.255.0
 network-object nygh1013 255.255.255.0
 network-object nygh1014 255.255.255.0
 network-object nygh1015 255.255.255.0
 network-object nygh20512 255.255.255.0
 network-object nygh20513 255.255.255.0
 network-object nygh20514 255.255.255.0
 network-object nygh20515 255.255.255.0
 network-object nygh205210 255.255.255.0
object-group network NYBHall
 network-object nybh107 255.255.255.0
 network-object nybh106 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.21.x.0 255.255.255.0
 network-object 10.250.x.0 255.255.255.224
access-list NYGHSTAFF standard permit host slaptop
access-list SSHAEXTERNAL_cryptomap_3 extended permit ip 192.168.x.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list SSHAEXTERNAL_cryptomap_3 extended permit ip host 10.250.x.11 any
access-list outside-acl extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging asdm-buffer-size 512
logging asdm informational
logging from-address NYGHASAVPN@ddd
logging recipient-address im@home level errors
logging facility 22
logging host NYGHINT 205.x.x.220
logging ftp-bufferwrap
logging ftp-server 205.x.x.219 /ciscoasa/  ****
mtu SSHAEXTERNAL 1500
mtu NYGHINT 1500
mtu management 1500
ip local pool vpndhcp 205.x.x.206-205.x.x.209 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SSHAEXTERNAL
icmp permit any NYGHINT
no asdm history enable
arp timeout 14400
global (SSHAEXTERNAL) 101 Ext17221 netmask 255.255.255.255
!
router rip
 passive-interface default
!
route NYGHINT 0.0.0.0 0.0.0.0 SSHANEXTHOP 1

routing not the problem...

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list value NYGHBooks
aaa-server ADCRED protocol nt
aaa-server ADCRED (NYGHINT) host x.x.x.x
 nt-auth-domain-controller x.x.x.x
aaa authentication enable console ADCRED LOCAL
aaa authentication http console ADCRED LOCAL
aaa authentication serial console ADCRED LOCAL
aaa authentication ssh console ADCRED LOCAL
aaa authentication telnet console ADCRED LOCAL
aaa authorization command LOCAL
http server enable
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Welcome
auth-prompt accept Your credentials have been accepted. Welcome
auth-prompt reject Your credentials have been rejected. Try again, check your spelling, try to remember your password.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set CCIS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set SHL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set SIEMENS esp-3des esp-md5-hmac
crypto ipsec transform-set SUNNY esp-aes esp-md5-hmac
crypto ipsec transform-set ECHN esp-aes-256 esp-sha-hmac
crypto ipsec transform-set WTIS esp-aes esp-sha-hmac
crypto ipsec transform-set ACCENTUS esp-3des esp-md5-hmac
crypto ipsec transform-set PHILIPS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set cGTAOLIS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set CCISPROD esp-aes esp-sha-hmac
crypto ipsec transform-set Feinberg esp-aes-256 esp-md5-hmac
crypto ipsec transform-set Feinberg mode transport
crypto ipsec transform-set Feinburg1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set Feinburg1 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map SSHAEXTERNAL_map3 4 match address SSHAEXTERNAL_cryptomap_3
crypto map SSHAEXTERNAL_map3 4 set pfs group5
crypto map SSHAEXTERNAL_map3 4 set peer 142.46.x.201
crypto map SSHAEXTERNAL_map3 4 set transform-set Feinberg Feinburg1 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map SSHAEXTERNAL_map3 4 set security-association lifetime seconds 28800
crypto map SSHAEXTERNAL_map3 4 set phase1-mode aggressive group5
crypto map SSHAEXTERNAL_map3 4 set reverse-route
crypto map SSHAEXTERNAL_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map SSHAEXTERNAL_map3 interface SSHAEXTERNAL
crypto isakmp enable SSHAEXTERNAL
crypto isakmp enable NYGHINT
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 28800
crypto isakmp policy 6
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 7
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 8
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 9
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto isakmp policy 100
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
telnet slaptop 255.255.255.255 NYGHINT
telnet timeout 45
ssh timeout 45
console timeout 0
dhcp-client client-id interface management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server
webvpn
 enable SSHAEXTERNAL
 enable NYGHINT
 smart-tunnel list RDP WINRDP %windir%\system32\mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
 banner value This is the default group policy banner.
group-policy NYGHTUNNELGROUP internal
group-policy NYGHTUNNELGROUP attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value NYGHAD
group-policy NYGHVPNPolicy internal
group-policy NYGHVPNPolicy attributes
 banner value NYGHVPN Banner specific to NYGHVPN policy hey ya
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value NYGHBooks
  smart-tunnel enable RDP
group-policy NYGHWizardpolicy internal
group-policy NYGHWizardpolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value NYGHBooks
username bbrien password uaCZBQknnQyjj6G8 encrypted privilege 15
username bbrien attributes
 vpn-group-policy NYGHVPNPolicy
username testwebuser password iQa4p4DfannO6L6v encrypted privilege 5
username testwebuser attributes
 vpn-group-policy NYGHVPNPolicy
 service-type admin
username test password AmxUDeORS16jpSkB encrypted privilege 0
username test attributes
 vpn-group-policy NYGHWizardpolicy
username testvpn password WDnnelLwaGzjjP0y encrypted privilege 0
username testvpn attributes
 vpn-group-policy NYGHTUNNELGROUP
username skay password tkVNXd0m3GpaRIU3 encrypted privilege 15
username skay attributes
 vpn-group-policy NYGHVPNPolicy
 vpn-access-hours none
 vpn-idle-timeout none
 vpn-session-timeout none
 webvpn
  url-list value NYGHBooks
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ADCRED LOCAL
 authentication-server-group (NYGHINT) ADCRED LOCAL
tunnel-group NYGHUSERS type remote-access
tunnel-group NYGHUSERS general-attributes
 authentication-server-group ADCRED LOCAL
 secondary-authentication-server-group ADCRED LOCAL
 default-group-policy NYGHVPNPolicy
tunnel-group nyghwizard1 type remote-access
tunnel-group nyghwizard1 general-attributes
 default-group-policy NYGHWizardpolicy
tunnel-group 142.46.x.201 type ipsec-l2l
tunnel-group 142.46.x.201 ipsec-attributes
 pre-shared-key *
tunnel-group NYGHTUNNELGROUP type remote-access
tunnel-group NYGHTUNNELGROUP general-attributes
 address-pool vpndhcpx
 default-group-policy NYGHTUNNELGROUP
tunnel-group NYGHTUNNELGROUP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c043b51197axeef3564f7f6a95d
: end
NYGHASAVPN#

Steven Williams
Level 4

Do you have control of the remote device? What are the settings on that device?

Sorry for the delay, I do not have access to the remote side device.

A few things.

1.  Are these both ASAs?

2.  The key could be correct but not compatible with both devices.  Try generating new keys for both sides.

3.  What is the actual debug error?

See my OP; the device, I believe, is a Fortinet gateway device, not an ASA. We have re-entered the key as a very basic combination of letters and the @ symbol.

The debug errors are listed in the OP also, but include:

The errors in my ASDM 6.2 real time log state:

3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!

4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry

3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!

6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch

5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201  local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0,  Crypto map (SSHAEXTERNAL_map3)

The bizarre thing is that occasionally the tunnel will suddenly come up without any changes being made.

Any help would be appreciated, including if you require the info from the debug.

dxtileryii
Level 1

Sounds like it is still a phase one error. You really need to confirm that both sides are using the same hash values and DH groups. Double check the transform set choices. Maybe it comes up sometimes because sometimes the sets match properly.

Sent from Cisco Technical Support iPhone App
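To make the "same hash values and DH groups" check concrete, here is an added Python example (my own, not from any reply in this thread) that models how an IKEv1 responder walks its ISAKMP policies in priority order and accepts the first one whose encryption, hash, DH group and authentication method equal the peer's proposal, negotiating the lifetime down to the smaller value. The local policy list is copied from the ASA config posted above; the three peer proposals are constructed and hypothetical, because the thread never shows the Fortinet's settings. A proposal mismatch and a pre-shared key mismatch are separate checks in Phase 1, so this only covers the proposal half of the advice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy N' block as configured on the ASA."""
    priority: int
    encryption: str
    hash: str
    group: int
    lifetime: int
    authentication: str = "pre-share"

# The eight ISAKMP policies copied from the posted 'sh run' (priorities 1-100).
ASA_POLICIES = [
    IsakmpPolicy(1, "aes", "md5", 2, 86400),
    IsakmpPolicy(2, "aes", "sha", 2, 28800),
    IsakmpPolicy(3, "aes-256", "md5", 5, 28800),
    IsakmpPolicy(6, "aes", "md5", 5, 86400),
    IsakmpPolicy(7, "aes-256", "sha", 5, 86400),
    IsakmpPolicy(8, "aes-256", "sha", 2, 86400),
    IsakmpPolicy(9, "aes-256", "sha", 5, 28800),
    IsakmpPolicy(100, "aes-256", "md5", 5, 86400),
]

# Attributes that must be identical on both peers for an IKEv1 Phase 1 proposal
# to match; lifetime is instead negotiated down to the smaller of the two.
STRICT_ATTRS = ("encryption", "hash", "group", "authentication")

def find_phase1_match(peer_proposal, local_policies=ASA_POLICIES):
    """Walk local policies in priority order and return (policy, lifetime) for
    the first whose strict attributes equal the peer's; (None, None) otherwise."""
    for pol in sorted(local_policies, key=lambda p: p.priority):
        if all(getattr(pol, a) == peer_proposal[a] for a in STRICT_ATTRS):
            return pol, min(pol.lifetime, peer_proposal["lifetime"])
    return None, None

def mismatch_report(peer_proposal, local_policies=ASA_POLICIES):
    """For each local policy, list the strict attributes that differ from the
    peer's proposal; an empty list means that policy would have matched."""
    return {
        pol.priority: [a for a in STRICT_ATTRS if getattr(pol, a) != peer_proposal[a]]
        for pol in sorted(local_policies, key=lambda p: p.priority)
    }

# Constructed, hypothetical peer proposals (the Fortinet's real settings are unknown).
PEER_OK = {"encryption": "aes-256", "hash": "sha", "group": 5,
           "authentication": "pre-share", "lifetime": 28800}
PEER_3DES = {"encryption": "3des", "hash": "sha", "group": 5,
             "authentication": "pre-share", "lifetime": 28800}
PEER_AES128_SHA_G5 = {"encryption": "aes", "hash": "sha", "group": 5,
                      "authentication": "pre-share", "lifetime": 86400}

if __name__ == "__main__":
    for name, prop in (("peer_ok", PEER_OK), ("peer_3des", PEER_3DES),
                       ("peer_aes128_sha_g5", PEER_AES128_SHA_G5)):
        pol, life = find_phase1_match(prop)
        if pol:
            print(f"{name}: matches policy {pol.priority}, lifetime {life}s")
        else:
            print(f"{name}: no match")
            for prio, diffs in mismatch_report(prop).items():
                print(f"  policy {prio}: differs in {', '.join(diffs)}")
```

The third proposal is the instructive one: AES-128, SHA and group 5 are each accepted by some policy on this ASA, yet no single policy combines them, so the report shows every policy differing in exactly one attribute. Comparing per attribute in isolation, which is how these settings are usually eyeballed, would miss that.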
