[SOLVED] RV320 site to site VPN with ASA 5510 not working

Aug 2nd, 2014

I have been banging my head against the wall all day trying to get a site to site tunnel to work from a remote RV320 to an ASA 5510 at the main office. The tunnel will not come up no matter which options I try. Has anyone else gotten an RV320 to establish a site to site IPsec tunnel with an ASA? If so, can you please share the config or the options you chose to make it work?

When debugging the ASA it appears to complete PHASE 1 but then gets an error (Received non-routine Notify message: Invalid ID info) before killing off the tunnel. Any ideas? I am at a loss right now. I have retyped the preshared keys on both sides dozens of times and confirmed the protected subnet information matches for the respective sides.  

More info:
ASA is running 9.1(4)
RV320 is running v1.1.1.06

cisco_forums Sat, 08/02/2014 - 08:02

I am not sure why, but when I posted my debug to the above post, it seems to disappear from the forum. I will try to add it here:

Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 100
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, Oakley proposal is acceptable
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, Received DPD VID
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing IKE SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing ISAKMP SA payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing Fragmentation VID + extended capabilities payload
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing ke payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing ISA_KE payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, processing nonce payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing ke payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing nonce payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing Cisco Unity VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing xauth V6 VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, Send IOS VID
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, constructing VID payload
Aug 01 14:25:36 [IKEv1 DEBUG]IP = 173.111.111.111, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, Connection landed on tunnel_group 173.111.111.111
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Generating keys for Responder...
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, processing ID payload
Aug 01 14:25:36 [IKEv1 DECODE]Group = 173.111.111.111, IP = 173.111.111.111, ID_IPV4_ADDR ID received
173.111.111.111
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, processing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Computing hash for ISAKMP
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, Connection landed on tunnel_group 173.111.111.111
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing ID payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Computing hash for ISAKMP
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing dpd vid payload
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 105
Aug 01 14:25:36 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, PHASE 1 COMPLETED
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, Keep-alive type for this connection: DPD
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Starting P1 rekey timer: 5400 seconds.
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, sending notify message
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing blank hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing qm hash payload
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=475a7267) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
Aug 01 14:25:36 [IKEv1]IP = 173.111.111.111, IKE_DECODE RECEIVED Message (msgid=98ef5834) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, processing hash payload
Aug 01 14:25:36 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, processing notify payload
Aug 01 14:25:36 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, Received non-routine Notify message: Invalid ID info (18)
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf221)
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing blank hash payload
Aug 01 14:25:51 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing qm hash payload
Aug 01 14:25:51 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=ed87a90d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf222)
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing blank hash payload
Aug 01 14:25:53 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing qm hash payload
Aug 01 14:25:53 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=f982d145) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x4c4cf223)
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing blank hash payload
Aug 01 14:25:55 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing qm hash payload
Aug 01 14:25:55 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=d7954333) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 01 14:25:57 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, IKE SA MM:8f621e72 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, IKE SA MM:8f621e72 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, sending delete/delete with reason message
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing blank hash payload
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing IKE delete payload
Aug 01 14:25:57 [IKEv1 DEBUG]Group = 173.111.111.111, IP = 173.111.111.111, constructing qm hash payload
Aug 01 14:25:57 [IKEv1]IP = 173.111.111.111, IKE_DECODE SENDING Message (msgid=6f9cc0e2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Aug 01 14:25:57 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, Session is being torn down. Reason: Lost Service

 

cisco_forums Mon, 08/04/2014 - 14:26

I figured out the issue with the help of Cisco support. I needed to change

crypto isakmp identity hostname

to

crypto isakmp identity auto

This allowed the tunnel to come up successfully.
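
The failure pattern in the debug output above (Phase 1 completes, then the peer answers with notify 18 and the session is torn down) can be picked out of a longer capture automatically. The script below is an added example, not part of the original posts; its regular expressions assume the ASA IKEv1 debug line format shown in the thread, and the sample lines are constructed from that output.

```python
import re

# Constructed sample in the format of the debug output posted in the thread.
SAMPLE_LOG = """\
Aug 01 14:25:36 [IKEv1 DECODE]Group = 173.111.111.111, IP = 173.111.111.111, ID_IPV4_ADDR ID received
Aug 01 14:25:36 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, PHASE 1 COMPLETED
Aug 01 14:25:36 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, Received non-routine Notify message: Invalid ID info (18)
Aug 01 14:25:57 [IKEv1]Group = 173.111.111.111, IP = 173.111.111.111, Session is being torn down. Reason: Lost Service
"""

LINE_RE = re.compile(r"\[IKEv1[^\]]*\](?:Group = \S+, )?IP = (?P<peer>[\d.]+), (?P<msg>.*)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (?P<name>.+) \((?P<code>\d+)\)")
ID_RE = re.compile(r"(?P<idtype>ID_[A-Z0-9_]+) ID received")


def triage(log_text):
    """Return {peer: summary} describing how far each IKEv1 negotiation got."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # continuation lines (e.g. the bare ID value) have no peer tag
        st = peers.setdefault(m["peer"], {"peer_id_type": None, "phase1": False,
                                          "notifies": [], "teardown": None,
                                          "finding": None})
        msg = m["msg"]
        if (i := ID_RE.search(msg)):
            st["peer_id_type"] = i["idtype"]      # ID type the remote side sent
        elif "PHASE 1 COMPLETED" in msg:
            st["phase1"] = True
        elif (n := NOTIFY_RE.search(msg)):
            st["notifies"].append((int(n["code"]), n["name"]))
        elif "Session is being torn down. Reason:" in msg:
            st["teardown"] = msg.split("Reason:", 1)[1].strip()
    for st in peers.values():
        # ISAKMP notify type 18 is INVALID-ID-INFORMATION (RFC 2408).
        if st["phase1"] and any(code == 18 for code, _ in st["notifies"]):
            st["finding"] = ("peer rejected an ID after Phase 1: check the local "
                             "'crypto isakmp identity' setting (the fix in this "
                             "thread) and the protected subnets on both sides")
    return peers


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE_LOG).items():
        print(peer, summary)
```
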
