rv320 site to site VPN with ASA 5510 not working

cisco_forums
Level 1

I have been banging my head against the wall all day trying to get a site-to-site tunnel to work from a remote RV320 to an ASA 5510 at the main office. The tunnel will not come up no matter which options I try. Has anyone else gotten an RV320 to establish a site-to-site IPsec tunnel with an ASA? If so, can you please share the config or the options you chose to make it work?

When debugging the ASA it appears to complete PHASE 1 but then gets an error (Received non-routine Notify message: Invalid ID info) before killing off the tunnel. Any ideas? I am at a loss right now. I have retyped the preshared keys on both sides dozens of times and confirmed the protected subnet information matches for the respective sides.  

More info:
ASA is running 9.1(4)
RV320 is running v1.1.1.06

The debug is as follows:


Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 100
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, Oakley proposal is acceptable
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, Received DPD VID
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing IKE SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing ISAKMP SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing Fragmentation VID + extended capabilities payload
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing ke payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing ISA_KE payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, processing nonce payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing ke payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing nonce payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing Cisco Unity VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing xauth V6 VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, Send IOS VID
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, constructing VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.xxx.xxx.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, Connection landed on tunnel_group 173.xxx.xxx.xxx
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Generating keys for Responder...
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, processing ID payload
Aug 01 14:25:36 [IKEv1 DECODE]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, ID_IPV4_ADDR ID received
173.xxx.xxx.xxx
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, processing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Computing hash for ISAKMP
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, Connection landed on tunnel_group 173.xxx.xxx.xxx
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing ID payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Computing hash for ISAKMP
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing dpd vid payload
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 105
Aug 01 14:25:36 [IKEv1]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, PHASE 1 COMPLETED
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, Keep-alive type for this connection: DPD
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Starting P1 rekey timer: 5400 seconds.
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, sending notify message
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing blank hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing qm hash payload
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=475a7267) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
Aug 01 14:25:36 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=98ef5834) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, processing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, processing notify payload
Aug 01 14:25:36 [IKEv1]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Received non-routine Notify message: Invalid ID info (18)
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf221)
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing blank hash payload
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing qm hash payload
Aug 01 14:25:51 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=ed87a90d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf222)
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing blank hash payload
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing qm hash payload
Aug 01 14:25:53 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=f982d145) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf223)
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing blank hash payload
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing qm hash payload
Aug 01 14:25:55 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=d7954333) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:57 [IKEv1]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, IKE SA MM:8f621e72 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, IKE SA MM:8f621e72 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, sending delete/delete with reason message
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing blank hash payload
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing IKE delete payload
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, constructing qm hash payload
Aug 01 14:25:57 [IKEv1]IP = 173.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=6f9cc0e2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Aug 01 14:25:57 [IKEv1]Group = 173.xxx.xxx.xxx, IP = 173.xxx.xxx.xxx, Session is being torn down. Reason: Lost Service

1 Reply

nkarthikeyan
Level 7

Hi,

 

This means you do not have matching policies between the peers. It might be an ACL or the crypto policies. Try changing the policies or the crypto ACLs. The crypto ACLs should be mirrors of each other. The crypto policies for phase 1 and phase 2 should also match. They should also be supported on both platforms.

 

Regards

Karthik
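
An added example, not part of either post: a small Python check that pulls the phase 1 result and any non-routine Notify out of ASA IKEv1 debug lines in the format shown above, then tests whether the two peers' protected-subnet pairs are exact mirrors, as the reply suggests. The function names, peer address and subnets are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the ASA debug above (203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
Aug 01 14:25:36 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Aug 01 14:25:36 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Received non-routine Notify message: Invalid ID info (18)
Aug 01 14:25:57 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Lost Service
"""

# Constructed (local, remote) selectors as each device would have them configured.
ASA_SELECTORS = [("10.1.0.0/16", "192.168.1.0/24")]
RV320_SELECTORS = [("192.168.1.0/24", "10.1.0.0/24")]  # remote mask differs from the ASA's local

NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def triage(log_text):
    """Return (phase1_completed, [(notify_text, code), ...]) from ASA IKEv1 debug lines."""
    phase1 = False
    notifies = []
    for line in log_text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            phase1 = True
        match = NOTIFY_RE.search(line)
        if match:
            notifies.append((match.group(1), int(match.group(2))))
    return phase1, notifies


def selector_mismatches(side_a, side_b):
    """Return the (local, remote) pairs on side_a that have no exact mirror on side_b."""
    def norm(cidr):
        # strict=False accepts an address with host bits set and reduces it to its network.
        return ipaddress.ip_network(cidr, strict=False)

    # Seen from side_a, a mirrored entry on side_b is (b_remote, b_local).
    mirrored_b = {(norm(remote), norm(local)) for local, remote in side_b}
    return [(l, r) for l, r in side_a if (norm(l), norm(r)) not in mirrored_b]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(selector_mismatches(ASA_SELECTORS, RV320_SELECTORS))
```

Notify type 18 is INVALID-ID-INFORMATION in RFC 2408. The mirror check requires identical prefixes and masks, so a /16 on one side against a /24 on the other is reported as a mismatch.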
